Re: Firewall / NAT question
Quote:
Originally posted here by thatch
Forgive me if this question seems pretty basic, but could anyone explain this to me?
I'm performing a practice assessment and I have located an IP of a web-based mail server (OWA). This server is sitting behind a hardware firewall (say PIX or Checkpoint) that is NATing the IP address to an internal non-routable address. Now, if I use a tool such as Nmap to scan that external IP, are my scan results influenced by the firewall? Do firewalls, when NATing, take all traffic from the external IP and pass it to the internal network and expect the server to have the remaining services closed down, or do they only take traffic destined for a port and drop everything else? If it's the latter, when I scan am I only scanning the one port that is allowing traffic to be forwarded to it?
Is there a way of determining if the firewall is blocking the traffic to the other ports or if the server has been locked down and is blocking them?
Any help would be appreciated.
Regards
Thatch
Your scan is not only influenced by the firewall... you're scanning the firewall. If a web server is NATed through it, it will show as coming from the F/W IP.
The firewall shows only services that are mapped to it as open, but it also gives the same IP as the firewall. Let's say the internal address of your web server is 10.192.62.70; it's going to show as the external address of the firewall. That's the purpose of a F/W: to not show the underlying network. So for instance, if your F/W's external address is 62.69.110.54, that's going to be the address of the server on the Internet, and the internal address does not affect anything. All traffic to 62.69.110.54 port 80 is mapped to 10.192.62.70, so that would make the external address of your web server 62.69.110.54.
There are ways around this to map an internal network from the firewall, but that's not what you're asking. And the web server can be hacked from the outside using the external address of the firewall by any bad code written into the server pages or the server OS itself, like unsanitised SQL queries or missing patches, and if it's on your network and not in a DMZ, just say goodbye to the security of your whole network.
"Is there a way of determining if the firewall is blocking the traffic to the other ports or if the server has been locked down and is blocking them?"... If you see "denied" or even if they are just dropped, that's what's supposed to happen with a firewall. There are just so many variables and I honestly don't know what answer you're looking for.
Hope this gives you a clearer picture.
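As an added illustration of the point made in the reply (this is example code, not part of the thread), here is a small model of static NAT / port forwarding on a perimeter firewall. It takes a constructed set of NAT rules and a constructed inventory of what each internal host actually listens on, and reports which services are reachable from the Internet, which mappings point at nothing, and which internal listeners are never exposed because no rule forwards to them. The addresses reuse the ones in the reply; the rule for port 25, the second internal host 10.192.62.71 and all listening ports are assumptions made up for the example, and the model assumes the firewall silently drops traffic that matches no rule.

```python
from dataclasses import dataclass

# Added example (not from the thread): a model of static NAT / port
# forwarding, used to review what an outside observer can reach versus
# what the internal hosts actually run.


@dataclass(frozen=True)
class NatRule:
    external_ip: str
    external_port: int
    internal_ip: str
    internal_port: int
    proto: str = "tcp"


# Constructed sample rules: addresses are the ones used in the reply above;
# the port 25 rule and host 10.192.62.71 are invented for the example.
RULES = [
    NatRule("62.69.110.54", 80, "10.192.62.70", 80),   # OWA over HTTP
    NatRule("62.69.110.54", 25, "10.192.62.71", 25),   # forwards to a host with no SMTP listener
]

# Constructed sample: what each internal host actually listens on.
LISTENING = {
    "10.192.62.70": {("tcp", 80), ("tcp", 443), ("tcp", 445), ("tcp", 3389)},
    "10.192.62.71": {("tcp", 22)},
}


def external_state(rules, listening, external_ip, proto, port):
    """Predict what a probe from the Internet sees for one external port.

    'filtered' : no NAT rule, so the firewall silently drops the packet (assumed)
    'closed'   : a rule forwards it, but the internal host has no listener there
    'open'     : a rule forwards it and the internal host answers
    """
    for r in rules:
        if (r.external_ip, r.proto, r.external_port) == (external_ip, proto, port):
            if (r.proto, r.internal_port) in listening.get(r.internal_ip, set()):
                return "open"
            return "closed"
    return "filtered"


def exposure_report(rules, listening):
    """Split services into what is reachable from outside and what is not."""
    reachable = {}
    forwarded_but_closed = []
    for r in rules:
        key = (r.external_ip, r.proto, r.external_port)
        if (r.proto, r.internal_port) in listening.get(r.internal_ip, set()):
            reachable[key] = (r.internal_ip, r.internal_port)
        else:
            forwarded_but_closed.append(r)
    # Every internal (host, proto, port) that some rule forwards to.
    mapped = {(r.internal_ip, r.proto, r.internal_port) for r in rules}
    unexposed = sorted(
        (ip, proto, port)
        for ip, svcs in listening.items()
        for proto, port in svcs
        if (ip, proto, port) not in mapped
    )
    return {
        "reachable": reachable,
        "forwarded_but_closed": forwarded_but_closed,
        "listening_but_unexposed": unexposed,
    }


if __name__ == "__main__":
    report = exposure_report(RULES, LISTENING)
    for (ext_ip, proto, ext_port), (int_ip, int_port) in report["reachable"].items():
        print(f"{ext_ip}:{ext_port}/{proto} -> {int_ip}:{int_port}  open from the Internet")
    for r in report["forwarded_but_closed"]:
        print(f"{r.external_ip}:{r.external_port}/{r.proto} forwards to "
              f"{r.internal_ip}:{r.internal_port} but nothing listens there")
    for ip, proto, port in report["listening_but_unexposed"]:
        print(f"{ip}:{port}/{proto} listens internally but is not mapped; "
              f"the firewall drops probes to it")
```

The model captures why the scan in the question only ever "sees" port 80: every other port on 62.69.110.54 has no mapping, so the firewall drops it and the internal listeners on 443, 445 and 3389 never appear. It also shows the one caveat worth knowing when reviewing your own perimeter: a mapping that forwards to a port the host is not listening on is answered by the host, not the firewall, so it reads differently from a dropped port. That distinction only holds if the firewall drops silently; a firewall configured to reject with a reset or ICMP error makes unmapped ports look the same as closed ones, which is the "so many variables" the reply alludes to.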