From: Brian Hescock (bhescock@xxxxxxxxx)
Date: Sat Nov 03 2001 - 11:50:44 GMT-3
Albert,
NAT isn't designed to prevent "security breaches". You can certainly
hide what the real network is and prevent translation given a source ip /
network and destination ip / network using an extended access-list but it
shouldn't be relied on for "security" purposes. I would suggest using an
access-list on the interface as well to block access just in case someone
changes the nat config in the future and isn't aware of the implications.
Better to be safe than sorry.
Brian
Albert Lu wrote:
> Hello Group,
>
> I've just tried out on my test lab two different networks used privately,
> sharing one global IP Address using NAT. Here are the relevant configs using
> loopbacks rather than LAN interfaces. Basically, the two private networks
> are 10.1.1.0/24 and 100.100.100/24 sharing the global 212.1.22.3/32 address.
>
> The config seems to work fine, and the translations look fine as well.
> However, is there any chance of any security breaches between the two
> networks as they are not supposed to know about each other? It's supposed to
> work as though the 2 networks are on their own separate router, having their
> own global ip address to share only for their own network.
>
> Do I require extended ACLs or route-maps to make finer specification of the
> NAT translations?
>
> Thanks
>
> Albert
>
> interface Loopback1
> ip address 10.1.1.1 255.255.255.0
> no ip directed-broadcast
> ip nat inside
> !
> interface Loopback2
> ip address 100.100.100.1 255.255.255.0
> no ip directed-broadcast
> ip nat inside
> !
> interface Serial1
> ip address 212.1.22.3 255.255.255.240
> no ip directed-broadcast
> ip nat outside
> !
> ip nat inside source list 10 interface Serial1 overload
> ip nat inside source list 11 interface Serial1 overload
>
> access-list 10 permit 10.1.1.0 0.0.0.255
> access-list 11 permit 100.100.100.0 0.0.0.255
>
> R3#sh ip nat t
> Pro Inside global Inside local Outside local Outside global
> icmp 212.1.22.3:9949 10.1.1.1:9949 20.1.1.1:9949 20.1.1.1:9949
> icmp 212.1.22.3:9950 10.1.1.1:9950 20.1.1.1:9950 20.1.1.1:9950
> icmp 212.1.22.3:9951 10.1.1.1:9951 20.1.1.1:9951 20.1.1.1:9951
> icmp 212.1.22.3:9952 10.1.1.1:9952 20.1.1.1:9952 20.1.1.1:9952
> icmp 212.1.22.3:9953 10.1.1.1:9953 20.1.1.1:9953 20.1.1.1:9953
> icmp 212.1.22.3:828 100.100.100.1:828 20.1.1.1:828 20.1.1.1:828
> icmp 212.1.22.3:829 100.100.100.1:829 20.1.1.1:829 20.1.1.1:829
> icmp 212.1.22.3:830 100.100.100.1:830 20.1.1.1:830 20.1.1.1:830
> icmp 212.1.22.3:831 100.100.100.1:831 20.1.1.1:831 20.1.1.1:831
> icmp 212.1.22.3:832 100.100.100.1:832 20.1.1.1:832 20.1.1.1:832
> R3#
>
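As an added illustration of Brian's point (this is not config from the thread, and the ACL and route-map names ACL_LO1_IN, ACL_LO2_IN, NAT_LO1 and NAT_LO2 are assumed), the config below reworks Albert's lab. The core risk is that the router holds connected routes to both private networks, so a packet from 10.1.1.0/24 to 100.100.100.0/24 is simply routed between them; it never matches the inside-to-outside NAT rule, so NAT neither translates nor blocks it. The interface ACLs deny that cross-traffic explicitly (and log it, so a future NAT change that exposes the networks to each other shows up in the logs), and the route-maps restrict translation to packets that actually leave via Serial1, which answers the extended-ACL/route-map question in the same config.

```cisco
! Added example, not from the original thread. Names below are assumed.
! Interface ACLs: deny traffic between the two private networks on the
! way in, log the attempt, and permit everything else so NAT can handle it.
ip access-list extended ACL_LO1_IN
 deny   ip 10.1.1.0 0.0.0.255 100.100.100.0 0.0.0.255 log
 permit ip 10.1.1.0 0.0.0.255 any
!
ip access-list extended ACL_LO2_IN
 deny   ip 100.100.100.0 0.0.0.255 10.1.1.0 0.0.0.255 log
 permit ip 100.100.100.0 0.0.0.255 any
!
interface Loopback1
 ip address 10.1.1.1 255.255.255.0
 ip access-group ACL_LO1_IN in
 ip nat inside
!
interface Loopback2
 ip address 100.100.100.1 255.255.255.0
 ip access-group ACL_LO2_IN in
 ip nat inside
!
interface Serial1
 ip address 212.1.22.3 255.255.255.240
 ip nat outside
!
! Route-map based NAT: a packet is only a translation candidate when its
! source matches the standard list AND it exits via Serial1. Inside-to-inside
! traffic exits via the other loopback and is never translated.
route-map NAT_LO1 permit 10
 match ip address 10
 match interface Serial1
!
route-map NAT_LO2 permit 10
 match ip address 11
 match interface Serial1
!
ip nat inside source route-map NAT_LO1 interface Serial1 overload
ip nat inside source route-map NAT_LO2 interface Serial1 overload
!
access-list 10 permit 10.1.1.0 0.0.0.255
access-list 11 permit 100.100.100.0 0.0.0.255
```

One caveat when testing this in a loopback-only lab: pings sourced from Loopback1 or Loopback2 are generated by the router itself, so they never pass through an inbound interface ACL and the deny lines are not exercised. The ACLs do their job once real LAN interfaces replace the loopbacks and the packets arrive from hosts; until then, `show access-lists` will show zero matches on the deny entries even though the config is correct.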
This archive was generated by hypermail 2.1.4 : Fri Jun 21 2002 - 06:45:03 GMT-3