February 27th, 2004 07:39 AM
Access-list & Nat
I have a border router which NATs our external Internet IPs to our internal network.
I have an access-list which allows access via the net to our internal FW IP, which is
natted, e.g. ip nat inside source static intr x.x.x.x outs global x.x.x.x
My question is: should I use an access-list to allow access to specific ports on the internal IP plus the ip nat inside command, for better security,
e.g. ip nat inside source static tcp x.x.x.x 80 x.x.x.x 80
access-list 101 permit tcp any x.x.x.x 80
or if I just use
access-list 101 permit ip any internal ip
ip nat inside source static tcp x.x.x.x 80 x.x.x.x 80
Either provides the same result, and if I check my logs only the NAT-translated ports to the IP I allow are allowed, so is an access-list to a specific port plus the ip nat inside source static tcp command not needed?
Any security risks here ?
February 27th, 2004 05:01 PM
re: NAT and acls
First, what hardware do you have? I'm betting Cisco, but I'm just curious.
Second, why is the border router doing the NAT instead of the firewall and what type of NAT is being done (e.g., static NATs, global NATs, or PAT)?
Aside from those questions, here is my opinion and how I run a similar setup at the corporation where I work:
1. Border router. This is the bastion host, meaning it is locked down and configured for one purpose only: routing. I do some preliminary filtering here, but no NAT. I filter to allow only IP and ESP+AH traffic.
2. At the firewall, I control what traffic has been let through vis-a-vis specific host/port ACLs. I do various NATing here as well: static NATs for internal-external host mapping, global NAT for outbound connections in the DMZ zones, and PAT for internal outbound traffic (mostly web connections). I also terminate VPNs here.
The relationship and security layering is naturally more in-depth than that, but I believe my example answers your questions. Meaning, IMHO I believe it is a better strategy to let the firewall hardware do the granular controls and allow the border router/bastion host to provide only specific traffic types for the firewall to operate on.
I wouldn't say that your design is bad, not at all. You already have a router-firewall relationship that works... I'd focus on fine-tuning the responsibilities that each device has in your security defense-in-depth posture. I wouldn't say you have a security risk, but I wouldn't say your design is optimized either.
The only other thing I would mention is:
a. You're using a soft firewall by using the router's firewall feature set. Whilst robust and very operational, you're missing out on the hardware firewall's innate optimization.
b. By using a granular access-list on the router, if you try to move to VPN and other technologies you may not be able to scale well. Terminating the VPN on the router can easily be done, but if it is the network core you'll have to open unnecessary holes in the firewall behind the router to allow ESP+AH to pass through.
Ego is the great Logic killer
February 28th, 2004 12:22 AM
You definitely want the access-list on the outside to be as granular as possible. If you are running an IOS with the firewall feature set, the access-list provides several features not present in the NAT configuration, i.e. content-based access control or CBAC. The firewall feature set also does some limited IP fragmentation tracking, and it is stateful, so orphaned FIN and ACK packets will not get through the access-list. Also, the access-list is helpful for logging inbound connections regardless of feature set. Hope that helps.
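As an added illustration (not configuration posted by anyone in this thread), here is the granular form of the original poster's setup on a Cisco IOS border router, following the last reply's advice. The addresses, the interface names Ethernet0/Serial0 and the inspect rule name OUTBOUND are placeholders chosen for the example.

```cisco
! Added example, not from any post in this thread. Addresses are placeholders:
! 10.0.0.10 is the real (inside local) web server, 203.0.113.10 its public
! (inside global) address. Interface names and "OUTBOUND" are assumptions.
!
! Only TCP/80 is translated; no other port on 203.0.113.10 maps anywhere.
ip nat inside source static tcp 10.0.0.10 80 203.0.113.10 80
!
! Inbound ACL on the outside interface. For outside-to-inside traffic IOS
! evaluates this ACL before NAT, so it must name the inside GLOBAL address
! (203.0.113.10), not the internal 10.0.0.10.
!
! Broad form discussed in the thread (NAT alone limits the port):
!   access-list 101 permit ip any host 203.0.113.10
! Granular form: one port, logged; everything else is dropped and logged,
! which gives the per-connection log trail the last reply mentions.
access-list 101 permit tcp any host 203.0.113.10 eq 80 log
access-list 101 deny ip any any log
!
! Only with the IOS Firewall feature set: CBAC inspects sessions leaving the
! inside and opens temporary return entries in ACL 101, so no blanket
! "permit tcp any any established" line is needed on the outside.
ip inspect name OUTBOUND tcp
ip inspect name OUTBOUND udp
!
interface Ethernet0
 description inside LAN
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
 ip inspect OUTBOUND in
!
interface Serial0
 description outside / ISP link
 ip address 203.0.113.1 255.255.255.248
 ip nat outside
 ip access-group 101 in
!
! Checks: translation table, ACL hit counters, and CBAC session state
! show ip nat translations
! show access-lists 101
! show ip inspect sessions
```

With the broad form, a packet to 203.0.113.10 on a port other than 80 passes ACL 101 and is then dropped by the absence of a translation, so it never shows up in the ACL log; the granular form both drops it earlier and records it.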