Why NAT?

up2thetime Posts: 154 Member
Hey Guys,

Just a quick question on why a firewall needs to NAT. I understand how NAT works, and how to configure it on the PIX... but I am not understanding why NAT is essential when going from one firewall interface to another. I understand that it will hide the source IP, but is that the only reason? To hide IP address?

Consider this scenario:

The Inside subnet uses private address space 192.168.1.0 /24, and the DMZ interface uses 172.16.1.0 /24. Why does the firewall need to nat for inside users connecting to a server in the DMZ? At first I thought NAT came into play for the sole purpose of state tracking, however, in this scenario the firewall can still track state based on the RFC1918 addresses.

To me it seems like NAT is only for the purpose of hiding IP addresses when going from one interface to another. If that is the reason, it doesn't make sense why it would be required when going from an Inside interface to the DMZ since both are managed internally (and shouldn't have overlapping addresses and shouldn't need to have IPs hidden).

Thank you.

Comments

  • networker050184 Posts: 11,962 Mod
    It doesn't need to NAT in this scenario. Maybe someone has this set up for other reasons?
    An expert is a man who has made all the mistakes which can be made.
  • up2thetime Posts: 154 Member
    That's what I was thinking...

    But I was reading some Cisco docs, and it says that packets cannot go through a PIX without a translation.

    In addition, the example it shows has NAT set up between the Inside and DMZ.

    Still haven't been able to find a doc that says why a translation needs to exist...
  • networker050184 Posts: 11,962 Mod
    Have a link to the doc?
  • up2thetime Posts: 154 Member
    Sure.

    Page 152 (first bullet).

    Network security principles and practices - Saadat Malik - Google Books: http://books.google.ca/books?id=f7OJ74ZQXBYC&pg=PA152&lpg=PA152&dq=no+packets+can+traverse+pix+without+translation&source=bl&ots=W1Up5D6jfG&sig=xcGGE8KW8keOEVMHU-Ap46mJcqU&hl=en&sa=X&ei=nIhbT77pBYPg0QH31-S9Dw&ved=0CDYQ6AEwAw#v=onepage&q=no packets can traverse pix without translation&f=false

    Page 179 has the scenario I was talking about (translating from Inside to DMZ).

    Cisco Doc 12496
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aad.shtml

    "There are two policies that are required to allow outbound access. The first one is a translation method. This can be a static translation using the static command, or a dynamic translation using a nat/global rule. The other requirement for outbound access is if there is an access control list (ACL) present, then it must allow the source host access to the destination host using the specific protocol and port. By default, there are no access restrictions on outbound connections through the PIX. This means that if there is no ACL configured for the source interface, then by default, the outbound connections are allowed if there is a translation method configured."

    and also...

    "While the configurations earlier in this document use the nat and global commands to allow hosts on the inside network to access hosts on a DMZ interface by translating the source addresses of the inside hosts, sometimes such a translation is not desired. But when a host on one PIX Firewall interface initiates a connection to a host on another interface, the PIX must have a way to translate that host's IP address across itself. Even if it is not necessary for the IP address to be translated, a translation must still occur. Therefore, in order to allow hosts on the inside access to hosts on the DMZ, a translation that does not actually translate must be configured."
  • networker050184 Posts: 11,962 Mod
    Maybe it's a software version thing? I found this.

    PIX/ASA 7.x and FWSM: NAT and PAT Statements - Cisco Systems
  • up2thetime Posts: 154 Member
    Thanks networker!

    Looks like it's just part of how it works.

    Also helpful: Cisco PIX Firewall - Practical Guide
  • ColbyG Posts: 1,264 Member
    Nat-Control used to be enabled by default. It no longer is. An address didn't need to be translated, but it did need a NAT rule (no NAT or Identity NAT).
  • networker050184 Posts: 11,962 Mod
    That's what I gathered from looking into it. I've never had to deal with anything older than 8.0. I have seen people that put NAT rules (even if not translated) for everything. Probably something hanging around from the older code days.
  • thadizzy Posts: 72 Member
    up2thetime wrote: »
    Hey Guys,

    Just a quick question on why a firewall needs to NAT. I understand how NAT works, and how to configure it on the PIX... but I am not understanding why NAT is essential when going from one firewall interface to another. I understand that it will hide the source IP, but is that the only reason? To hide IP address?

    Consider this scenario:

    The Inside subnet uses private address space 192.168.1.0 /24, and the DMZ interface uses 172.16.1.0 /24. Why does the firewall need to nat for inside users connecting to a server in the DMZ? At first I thought NAT came into play for the sole purpose of state tracking, however, in this scenario the firewall can still track state based on the RFC1918 addresses.

    To me it seems like NAT is only for the purpose of hiding IP addresses when going from one interface to another. If that is the reason, it doesn't make sense why it would be required when going from an Inside interface to the DMZ since both are managed internally (and shouldn't have overlapping addresses and shouldn't need to have IPs hidden).

    Thank you.

    It is a simple way to only allow initiating traffic from network 192.168.1.0/24 to DMZ and not the other way around.
  • ayori Posts: 48 Member
    As ColbyG mentioned, nat-control used to be on by default but not anymore on ASAs. Nat-control requires NAT (use nonat if you don't want the IPs to change) for traffic to traverse from one zone to another. At my job, we still use NAT even though it's not required, in case for whatever reason in the future nat-control is enabled. You can already imagine if nat-control is ever enabled and you didn't have the NAT statements along with your ACLs..
  • Forsaken_GA Posts: 4,024 Member
    up2thetime wrote: »
    Just a quick question on why a firewall needs to NAT. I understand how NAT works, and how to configure it on the PIX... but I am not understanding why NAT is essential when going from one firewall interface to another. I understand that it will hide the source IP, but is that the only reason? To hide IP address?

    Speaking on a conceptual level, NAT has two practical purposes:

    #1 - IP Conservation. If you have more hosts than you have public IPs, then you need to NAT. This was the primary reason NAT was developed. The proper remedy for this situation is to migrate to IPv6.

    #2 - Overlapping IP space. If two companies merge or one acquires the other, or you need to interconnect with another network for any reason, but you're using the same address space, NAT can solve the problem and allow the networks to communicate. The proper remedy for this situation is to renumber one of the networks if it's a permanent arrangement.

    And that's it. From a security standpoint, the only 'advantage' NAT provides is obscuring the origin of traffic, and a smart threat actor who can access your data stream can probably still ascertain with a reasonable degree of accuracy how many hosts you have behind the NAT, as well as identify individual flows from hosts behind the NAT.
  • networker050184 Posts: 11,962 Mod
    thadizzy wrote: »
    It is a simple way to only allow initiating traffic from network 192.168.1.0/24 to DMZ and not the other way around.

    Wouldn't that be what firewall rules are for? I'm definitely not an expert on this, but it seems to me that using NAT for something like this would be a less than proficient way of doing it rather than setting up your ACLs the right way.
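The following configuration is an added example, not part of this thread and not taken from Cisco's documents. It ties together the two points made above: under nat-control (the pre-8.3 PIX/ASA behaviour ColbyG and ayori describe) inside-to-DMZ traffic needs a translation rule even when no address changes, and the direction of allowed connections is decided by security levels and ACLs, not by the translation. The interface names, ACL names, and interface addresses are assumptions; only the two subnets come from the original post.

```cisco
! Added example (not from the thread or Cisco docs). Interface names, ACL names
! and the .1 interface addresses are assumptions; the subnets are from the OP.
! PIX/ASA 7.x - 8.2 syntax, with nat-control enabled.

interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 172.16.1.1 255.255.255.0
!
! With nat-control on, a packet from inside to dmz is dropped unless some
! translation rule matches it, even when the addresses are not meant to change.
nat-control
!
! Option A: NAT exemption ("nat 0 access-list"). Inside hosts keep their
! 192.168.1.x addresses when talking to the DMZ; the rule only satisfies
! nat-control and creates the translation slot.
access-list INSIDE_DMZ_NONAT extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
nat (inside) 0 access-list INSIDE_DMZ_NONAT
!
! Option B (same effect for this pair of subnets): identity static NAT, which
! "translates" 192.168.1.0/24 to itself between inside and dmz.
! Configure one of the two options, not both, for the same subnets.
! static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
!
! Who may initiate a connection is not decided by the translation. By default
! a higher security level (100) may initiate toward a lower one (50) and not
! the reverse. Once an ACL is applied to an interface that ACL decides, so the
! deny toward inside is written explicitly. Return traffic for connections
! that inside hosts opened is matched by the connection table, not by an ACL.
access-list DMZ_IN extended deny ip any 192.168.1.0 255.255.255.0
access-list DMZ_IN extended permit ip any any
access-group DMZ_IN in interface dmz
!
! With nat-control off (the ASA default) both NAT options can be removed and
! the security levels plus DMZ_IN alone still govern who may initiate to whom.
```

The useful check when reviewing an older PIX/ASA config is therefore: is the no-NAT or identity rule there because nat-control is on, or is someone relying on it as an access control? Only the ACL and security-level lines above actually restrict anything; the translation lines just let traffic through the box. ASA 8.3 and later use a different NAT syntax and no longer have nat-control, so this example applies to the 7.x/8.0-8.2 code the thread is discussing.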