From: Jonathan V Hays (jhays@jtan.com)
Date: Fri Mar 14 2003 - 14:58:44 GMT-3
> We are using NAT pool nating our internal network to
> 198.204.15.125 on the ISP router to the internet. I am
> seeing lots of inbound traffic from the internet to
> 198.204.15.125 on the firewall. As far as what I understand
> about NAT, when internet traffic hits ISP router, shouldn't
> the destination IP will be translated from 198.204.15.125 to
> our internal IP addresses? Why is the firewall seeing
> 198.204.15.125 IP address as the destination in the firewall
> log? I also tried to use access-list to block inbound
> destination IP as 198.204.15.125 on both ISP routers without
> luck. Of course, our firewall drops those packets but it
> causes quite lots of overhead on the firewall. If anyone
> know why it happens, and how to block it, I would appreciate
> it. Thanks.
>
> ISP router(HSRP) ------ firewall ----- internal network
>
> Arthur Lee
---
Arthur,

It sounds like you want a quick tutorial in the operation of NAT and your firewall.
Your description is somewhat unclear but I infer that it is the *firewall* that is performing NAT between the internal network and the ISP global address of 198.204.15.125 - correct? Also, you need to distinguish between traffic *originating* from the Internet (from the ISP side of the firewall) and return packets from the Internet which are destined for an internal host (that originated the session from the internal network).
A new connection request originating from the Internet will *not* be passed through NAT to the inside network, unless there is a static NAT configured for 198.204.15.125 and an inside address. You talk about a "NAT pool" but only mention one address which might lead one to believe you are doing NAT overload, also known as PAT (Port Address Translation) - is that the case? Normally only traffic originating on the internal network will create a NAT/PAT table entry and open a hole through your firewall (although you can configure PAT to let traffic originate externally). When the return traffic is routed back to 198.204.15.125 the firewall will verify that this is return traffic for a session originated from the inside. Then NAT will do a table lookup to translate back to the internal network address.
Any traffic originating from the outside must still be routed to that address (and thus the firewall will log the traffic) but if the traffic is not allowed and the firewall is doing its job traffic will be blocked. If 198.204.14.125 is an address routable on the Internet there is nothing to stop crackers from performing a ping to this address or a port scan (such traffic is the norm) - you just have to live with it.
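The behaviour described in the reply, as an added illustration that is not part of the thread: a minimal stateful PAT model in which inside-originated sessions create table entries, return traffic is matched against them, a static mapping lets outside hosts originate, and everything else is logged with the global address as destination and dropped. The inside (10.1.1.x) and outside (203.0.113.x) hosts are constructed sample values; only 198.204.15.125 comes from the thread.

```python
from dataclasses import dataclass

GLOBAL_ADDR = "198.204.15.125"  # the single ISP-side address from the thread

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

class PatFirewall:
    """Stateful PAT (NAT overload) on one global address: inside-originated
    sessions create entries, return traffic must match one, the rest is logged."""

    def __init__(self, global_addr=GLOBAL_ADDR, first_port=1024):
        self.global_addr = global_addr
        self.next_port = first_port
        self.table = {}   # (proto, global_port) -> (in_ip, in_port, remote_ip, remote_port)
        self.static = {}  # (proto, global_port) -> (in_ip, in_port), static NAT
        self.log = []     # constructed firewall log lines

    def add_static(self, proto, global_port, inside_ip, inside_port):
        self.static[(proto, global_port)] = (inside_ip, inside_port)

    def outbound(self, pkt):
        # Inside host starts a session: reuse its entry or allocate a global port.
        for (proto, gport), sess in self.table.items():
            if proto == pkt.proto and sess == (pkt.src, pkt.sport, pkt.dst, pkt.dport):
                break
        else:
            gport, self.next_port = self.next_port, self.next_port + 1
            self.table[(pkt.proto, gport)] = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return Packet(pkt.proto, self.global_addr, gport, pkt.dst, pkt.dport)

    def inbound(self, pkt):
        key = (pkt.proto, pkt.dport)
        sess = self.table.get(key)
        if pkt.dst == self.global_addr and sess and sess[2:] == (pkt.src, pkt.sport):
            # Return traffic for an inside-originated session: translate back.
            return Packet(pkt.proto, pkt.src, pkt.sport, sess[0], sess[1])
        if pkt.dst == self.global_addr and key in self.static:
            in_ip, in_port = self.static[key]  # static NAT lets outside originate
            return Packet(pkt.proto, pkt.src, pkt.sport, in_ip, in_port)
        # No session and no static mapping: the firewall is the NAT device, so the
        # logged destination is still the global address, not an inside host.
        self.log.append(f"deny {pkt.proto} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
        return None
```

An unsolicited port scan against 198.204.15.125 therefore shows up in `log` with the global address as destination, which is exactly what the original question observed.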
This archive was generated by hypermail 2.1.4 : Sat Apr 05 2003 - 08:51:39 GMT-3