Keywords: PIX Virus Slowdown
Configuration
PIX 5xx configured as NAT firewall between private network and internet
Tested on PIX 515, 515E, 506, 506E, and 501
PIX OS 6.3
Issue
When a PC inside the network (higher security level) becomes infected with a network-aware virus, it can cause the PIX firewall to create bogus NAT translations, which cause the PIX to slow down and eventually crash.
Cause
Many network viruses and DDoS zombies send out packets with random source addresses. Since the infected PC is INSIDE the network (on the higher-security interface), the PIX creates a translation for each bogus source address and tries to forward the packet out the outside interface (or DMZ interface, etc.).
As the bogus translations build up, they consume memory and CPU to the point where the PIX will slow down, appear to lock up (just pull the network cable and wait for the timeout!), or crash.
As few as 1-2 infected PCs on the inside can cause this condition.
Resolution
The default NAT entry on a PIX is 0/0:
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
By changing this to a more specific subnet, the PIX drops any packet whose source address is not in the range of that subnet, in effect performing a “sanity check” on the source address of every packet.
Example: assuming you have a branch office whose subnet is 192.168.102.0/24 (mask 255.255.255.0), the NAT command would be:
nat (inside) 1 192.168.102.0 255.255.255.0 0 0
The best way to implement this is to add the new NAT entry first (this may produce a warning message stating that it is ineffective) and then remove the “world” NAT entry with the no form of the command:
no nat (inside) 1 0.0.0.0 0.0.0.0 0 0
In PDM, this can be done by modifying the translation rules (you must add a new one, and then remove the default).
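The difference between the catch-all and the subnet-specific nat entry, modelled as an added Python example that is not from the original article or from Cisco: a toy translation table parses the two nat lines above and counts how many xlate entries a flood of randomly spoofed source addresses from one inside host creates under each rule. The packet count and the legitimate host address are constructed for the example.

```python
import ipaddress
import random

def parse_nat(cmd):
    """Parse a PIX 'nat (iface) id local_ip mask [max_conns [em_limit]]' line
    into (interface, nat_id, network). ipaddress accepts the dotted mask form,
    so '0.0.0.0 0.0.0.0' becomes the catch-all network 0.0.0.0/0."""
    parts = cmd.split()
    iface = parts[1].strip("()")
    net = ipaddress.ip_network(f"{parts[3]}/{parts[4]}", strict=False)
    return iface, int(parts[2]), net

class XlateTable:
    """Toy model of the translation (xlate) table: one entry per inside
    source address that matched a nat rule on the receiving interface."""
    def __init__(self, nat_cmds):
        self.rules = [parse_nat(c) for c in nat_cmds]
        self.xlates = set()
        self.dropped = 0

    def forward(self, iface, src):
        addr = ipaddress.ip_address(src)
        if any(i == iface and addr in net for i, _, net in self.rules):
            self.xlates.add(addr)   # translation created (or reused), packet forwarded
            return True
        self.dropped += 1           # no nat rule covers this source: packet dropped
        return False

def simulate_flood(nat_cmds, n_packets=1000, seed=7):
    """An infected inside host sends n_packets with random (spoofed) source
    addresses. Returns (xlate entries created, packets dropped)."""
    rng = random.Random(seed)
    table = XlateTable(nat_cmds)
    for _ in range(n_packets):
        table.forward("inside", str(ipaddress.ip_address(rng.getrandbits(32))))
    return len(table.xlates), table.dropped

CATCH_ALL = ["nat (inside) 1 0.0.0.0 0.0.0.0 0 0"]                # the "world" entry
BRANCH = ["nat (inside) 1 192.168.102.0 255.255.255.0 0 0"]       # branch-office entry

if __name__ == "__main__":
    print("catch-all 0/0  :", simulate_flood(CATCH_ALL))   # nearly every packet adds an xlate
    print("192.168.102/24 :", simulate_flood(BRANCH))      # spoofed sources are dropped
    # a legitimate branch host (constructed address) is still translated
    print("legit host     :", XlateTable(BRANCH).forward("inside", "192.168.102.10"))
```

Under the catch-all rule the xlate count grows with every spoofed packet, which is the memory and CPU exhaustion the article describes; under the branch-office rule the same flood is dropped before any translation is built.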