Something I came across in my environment. I had recently got licensing for Splunk to offload my ASA logs, and after building a nice dashboard, I gained some visibility into some misconfigured VPN NATs. I used IPs out of our public space for commonly interfaced-with systems in order to avoid conflict with VPN partners, and I noticed tons of random internet requests hitting my NAT rule (albeit, asymmetrically, so they resulted in SYN-timeouts).
I saw the ARP entry on the upstream internet routers for the ASA interface for this IP, so I discovered that all my NATs had proxy-arp configured by default.
If you're doing NATs for an IPSec VPN, whether private or public space, you'll want to disable proxy arp. Proxy arp is only required for NATs that are intended to be directly exposed to the internet.
The risk here is that if I would have fat fingered a condition for my NAT, (ex: typing a destination address of 92.168.55.0/24 rather than 192.168.55.0/24), I would have exposed that host directly to the internet for that public /24.
No comments:
Post a Comment