[c-nsp] IDS and NAT/PATing
Per Carlson
ml at carlson.homeunix.net
Thu Sep 16 08:26:15 EDT 2004
Hi.
I do have a router that does NATing and IDS on the same interface, while
doing some PATing:
interface Ethernet0
ip address 192.168.1.1 255.255.255.0
ip nat inside
!
interface BVI1
ip address dhcp <- gets an official address from the BB provider
ip nat outside
ip audit IDS in
!
ip nat inside source static tcp 192.168.1.2 25 interface BVI1 25
It appears that the IDS code is executed *after* that NAT/PATing is done:
Sep 14 21:28:41 CEST: %IDS-4-IP_RFC_1918_SIG: Sig:1107:IP RFC 1918
Address Seen - from 204.42.254.5 to 192.168.1.2
Sep 14 21:29:28 CEST: %IDS-4-IP_RFC_1918_SIG: Sig:1107:IP RFC 1918
Address Seen - from 204.42.254.5 to 192.168.1.2
Sep 14 21:34:48 CEST: %IDS-4-IP_RFC_1918_SIG: Sig:1107:IP RFC 1918
Address Seen - from 204.42.254.5 to 192.168.1.2
Sep 14 21:36:31 CEST: %IDS-4-IP_RFC_1918_SIG: Sig:1107:IP RFC 1918
Address Seen - from 204.42.254.5 to 192.168.1.2
Sep 14 21:52:18 CEST: %IDS-4-IP_RFC_1918_SIG: Sig:1107:IP RFC 1918
Address Seen - from 204.42.254.5 to 192.168.1.2
Another strange thing is that some mail *does* get trough the IDS.
That does not make sense to me. Wouldn't it be more logical to do the
IDSing *before* the NAT/PATing? Has someone seen this behavior before
(and resolved it)?
In the meantime, I have disabled the IDS signature 1107.
The router is a 836 running 12.2(13)ZH2 (with the somewhat obscure
feature set 'k9o3sy6').
(A interesting note: 204.42.254.5 is the MX of puck.nether.net....)
-- Per
More information about the cisco-nsp
mailing list