[c-nsp] IDS and NAT/PATing

Per Carlson ml at carlson.homeunix.net
Thu Sep 16 08:26:15 EDT 2004


Hi.

I do have a router that does NATing and IDS on the same interface, while 
  doing some PATing:

interface Ethernet0
  ip address 192.168.1.1 255.255.255.0
  ip nat inside
!
interface BVI1
  ip address dhcp   <- gets an official address from the BB provider
  ip nat outside
  ip audit IDS in
!
ip nat inside source static tcp 192.168.1.2 25 interface BVI1 25

It appears that the IDS code is executed *after* that NAT/PATing is done:

Sep 14 21:28:41 CEST: %IDS-4-IP_RFC_1918_SIG: Sig:1107:IP RFC 1918 Address Seen - from 204.42.254.5 to 192.168.1.2
Sep 14 21:29:28 CEST: %IDS-4-IP_RFC_1918_SIG: Sig:1107:IP RFC 1918 Address Seen - from 204.42.254.5 to 192.168.1.2
Sep 14 21:34:48 CEST: %IDS-4-IP_RFC_1918_SIG: Sig:1107:IP RFC 1918 Address Seen - from 204.42.254.5 to 192.168.1.2
Sep 14 21:36:31 CEST: %IDS-4-IP_RFC_1918_SIG: Sig:1107:IP RFC 1918 Address Seen - from 204.42.254.5 to 192.168.1.2
Sep 14 21:52:18 CEST: %IDS-4-IP_RFC_1918_SIG: Sig:1107:IP RFC 1918 Address Seen - from 204.42.254.5 to 192.168.1.2

Another strange thing is that some mail *does* get through the IDS.

That does not make sense to me. Wouldn't it be more logical to do the 
IDSing *before* the NAT/PATing? Has someone seen this behavior before 
(and resolved it)?

In the meantime, I have disabled the IDS signature 1107.

The router is a 836 running 12.2(13)ZH2 (with the somewhat obscure 
feature set 'k9o3sy6').

(An interesting note: 204.42.254.5 is the MX of puck.nether.net....)

-- Per
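The alerts above fire on the already-translated inside destination, so an analyst triaging the router's syslog needs to tell a post-NAT artifact (public source, static-NAT inside host as destination) apart from a genuine RFC 1918 source arriving on the outside interface, which is what signature 1107 is meant to catch. The script below is an added example, not code from the post or from Cisco; it reuses the NAT statement and one alert line quoted in the mail, the second alert line with source 10.9.8.7 is a constructed variant, and the classification labels are my own.

```python
import ipaddress
import re

# Constructed sample input: the static NAT statement and alerts from the post,
# plus one constructed alert whose *source* is a private address.
NAT_CONFIG = "ip nat inside source static tcp 192.168.1.2 25 interface BVI1 25"
IDS_LOG = """\
Sep 14 21:28:41 CEST: %IDS-4-IP_RFC_1918_SIG: Sig:1107:IP RFC 1918 Address Seen - from 204.42.254.5 to 192.168.1.2
Sep 14 21:29:28 CEST: %IDS-4-IP_RFC_1918_SIG: Sig:1107:IP RFC 1918 Address Seen - from 10.9.8.7 to 192.168.1.2
"""

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ALERT_RE = re.compile(r"%IDS-4-IP_RFC_1918_SIG: Sig:1107:.*?from (\S+) to (\S+)")
# Inside (local) address of an 'ip nat inside source static' entry, with or
# without the tcp/udp port-redirection form used in the post.
STATIC_RE = re.compile(r"ip nat inside source static (?:tcp |udp )?(\d+\.\d+\.\d+\.\d+)")


def is_rfc1918(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def nat_inside_hosts(config: str) -> set:
    """Inside hosts that static NAT exposes on the outside interface."""
    return {m.group(1) for m in STATIC_RE.finditer(config)}


def classify(line: str, inside_hosts: set):
    """Return (src, dst, verdict) for a Sig:1107 alert line, else None."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    src, dst = m.groups()
    if is_rfc1918(src):
        # A private source on the outside interface: the case the signature exists for.
        return (src, dst, "private-source-from-outside")
    if dst in inside_hosts:
        # Public source, destination is a static-NAT inside host: the IDS saw the
        # packet after translation, so the private address never crossed the link.
        return (src, dst, "post-nat-artifact")
    return (src, dst, "other")


def triage(log: str, config: str) -> list:
    hosts = nat_inside_hosts(config)
    return [r for r in (classify(l, hosts) for l in log.splitlines()) if r]


if __name__ == "__main__":
    for src, dst, verdict in triage(IDS_LOG, NAT_CONFIG):
        print(f"{src} -> {dst}: {verdict}")
```

Disabling signature 1107 outright, as the post does, also silences the "private-source-from-outside" case; filtering alerts this way keeps that case visible.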
