NAT – Block private addresses for egress traffic passing through an ASA firewall performing NAT translation

Tags: cisco-asa, nat, private-vlan

I am completing a lab and have been told I should ALWAYS block Egress traffic from private address ranges.

The ASA performs NAT translation of private IPs to the public IP address assigned to the 'outside' interface, so this is therefore taken care of, isn't it?

In which scenario could the source IP contain a private address? I assume only if no NAT translation takes place?

Could I somehow get past the ASA NAT translation by using IP spoofing? Surely, if the ASA is performing NAT translation to a public IP, this is not really of any benefit unless we wish to hide the internal IP address of a malicious user, so that returning traffic believes it originated from a different machine?

Best Answer

Even though your ISP should be doing this, you would typically block your private address range on ingress. You would allow your private range to pass through on the inside interface and then NAT on the way out, assuming you are egress filtering (which you should be doing).

For example, you have the following network using 192.168.1.0/24:

Internet ---- ASA ----- Internal Network

On the inside interface you would allow 192.168.1.0/24 inbound on the inside interface. Then on the outside interface NAT to your public address. This will allow your internal hosts to talk to the outside. Blocking the private address ranges on ingress will help prevent spoofing of your internal hosts.
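The configuration below is an added worked example of the three pieces the answer describes (permit the internal subnet inbound on the inside interface, NAT it to the outside interface address, and drop private source addresses arriving on the outside interface); it is not configuration posted by the answer's author. It uses the 192.168.1.0/24 subnet and the interface names inside/outside from the thread; the object, object-group and ACL names (INSIDE_NET, RFC1918, INSIDE_IN, OUTSIDE_IN) are assumed names, and the NAT statement uses the ASA 8.3+ object NAT syntax.

```cisco
! --- RFC 1918 private ranges as a reusable group (name RFC1918 is an assumption) ---
object-group network RFC1918
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0

! --- Inside interface: egress filtering ---
! Only packets sourced from the internal subnet may leave toward the outside.
! The final deny is implicit on the ASA; it is written out here only so that
! anything else (spoofed or misaddressed hosts) is logged.
access-list INSIDE_IN extended permit ip 192.168.1.0 255.255.255.0 any
access-list INSIDE_IN extended deny ip any any log
access-group INSIDE_IN in interface inside

! --- Outside interface: ingress anti-spoofing ---
! Packets arriving from the Internet must never carry a private source address.
! Return traffic for connections opened from the inside is matched by the
! ASA's state table and does not need a permit entry here.
access-list OUTSIDE_IN extended deny ip object-group RFC1918 any log
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside

! Unicast RPF on the outside interface: drop packets whose source address
! would be routed back through a different interface (e.g. a spoofed
! 192.168.1.x source arriving from the Internet).
ip verify reverse-path interface outside

! --- Dynamic PAT: translate the internal subnet to the outside interface address ---
object network INSIDE_NET
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
```

With this in place, a packet from 192.168.1.50 entering on the inside interface is permitted by INSIDE_IN, translated to the outside interface address, and leaves with a public source; the same 192.168.1.50 source arriving on the outside interface is dropped and logged by OUTSIDE_IN (and by uRPF), which is the case the question asks about. Useful checks after applying it are `show access-list OUTSIDE_IN` (hit counts on the deny entries) and `show xlate` (active translations).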