Why NAT?

Hey Guys,

Just a quick question on why a firewall needs to NAT. I understand how NAT works, and how to configure it on the PIX... but I am not understanding why NAT is essential when going from one firewall interface to another. I understand that it will hide the source IP, but is that the only reason? To hide IP address?

Consider this scenario:

The Inside subnet uses private address space 192.168.1.0 /24, and the DMZ interface uses 172.16.1.0 /24. Why does the firewall need to nat for inside users connecting to a server in the DMZ? At first I thought NAT came into play for the sole purpose of state tracking, however, in this scenario the firewall can still track state based on the RFC1918 addresses.

To me it seems like NAT is only for the purpose of hiding IP addresses when going from one interface to another. If that is the reason, it doesn't make sense why it would be required when going from an Inside interface to the DMZ since both are managed internally (and shouldn't have overlapping addresses and shouldn't need to have IPs hidden).

Thank you.

Find more posts tagged with

Comments

networker050184

It doesn't need to NAT in this scenario. Maybe someone has this set up for other reasons?

up2thetime

Thats what I was thinking...

But I was reading some Cisco docs, and it says that packets cannot go through a PIX without a translation.

In addition, the example it shows has NAT set up between the Inside and DMZ.

Still haven't been able to find a doc that says why a translation needs to exist...

networker050184

Have a link to the doc?

up2thetime

Sure.

Page 152 (first bullet).

Network security principles and practices - Saadat Malik - Google Books

Page 179 has the scenario I was talking about (translating from Inside to DMZ).

Cisco Doc 12496
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aad.shtml

"There are two policies that are required to allow outbound access. The first one is a translation method. This can be a static translation using the static command, or a dynamic translation using a nat/global rule. The other requirement for outbound access is if there is an access control list (ACL) present, then it must allow the source host access to the destination host using the specific protocol and port. By default, there are no access restrictions on outbound connections through the PIX. This means that if there is no ACL configured for the source interface, then by default, the outbound connection are allowed if there is a translation method configured."

and also...

"While the configurations earlier in this document use the nat and global commands to allow hosts on the inside network to access hosts on a DMZ interface by translating the source addresses of the inside hosts, sometimes such a translation is not desired. But when a host on one PIX Firewall interface initiates a connection to a host on another interface, the PIX must have a way to translate that host's IP address across itself. Even if it is not necessary for the IP address to be translated, a translation must still occur. Therefore, in order to allow hosts on the inside access to hosts on the DMZ, a translation that does not actually translate must be configured."

networker050184

Maybe its a software version thing? I found this.

PIX/ASA 7.x and FWSM: NAT and PAT Statements - Cisco Systems

up2thetime

Thanks networker!

Looks like its just part of how it works.

Also helpful: Cisco PIX Firewall - Practical Guide

ColbyG

Nat-Control used to be enabled by default. It no longer is. An address didn't need to be translated, but it did need a NAT rule (no NAT or Identity NAT).

networker050184

That's what I gathered from looking into it. I've never had to deal with anything older than 8.0. I have seen people that put NAT rules (even if not translated) for everything. Probably something hanging around from the older code days.

thadizzy

up2thetime wrote: »

Hey Guys,

Just a quick question on why a firewall needs to NAT. I understand how NAT works, and how to configure it on the PIX... but I am not understanding why NAT is essential when going from one firewall interface to another. I understand that it will hide the source IP, but is that the only reason? To hide IP address?

Consider this scenario:

The Inside subnet uses private address space 192.168.1.0 /24, and the DMZ interface uses 172.16.1.0 /24. Why does the firewall need to nat for inside users connecting to a server in the DMZ? At first I thought NAT came into play for the sole purpose of state tracking, however, in this scenario the firewall can still track state based on the RFC1918 addresses.

To me it seems like NAT is only for the purpose of hiding IP addresses when going from one interface to another. If that is the reason, it doesn't make sense why it would be required when going from an Inside interface to the DMZ since both are managed internally (and shouldn't have overlapping addresses and shouldn't need to have IPs hidden).

Thank you.

It is a simple way to only allow initiating traffic from network 192.168.1.0/24 to DMZ and not the other way around.

ayori

ColbyG mentioned, nat-control used to be on by default but not anymore on ASAs. Nat-control requires nat (use nonat if you don't want the IPs to change) for a traffic to traverse from one zone to another. At my job, we still use nat even though it's not required in case for whatever reason in the future nat-control is enabled. You can already imagine if nat-control is ever enabled and you didn't have the nat statements along with your ACLs..

Forsaken_GA

up2thetime wrote: »

Just a quick question on why a firewall needs to NAT. I understand how NAT works, and how to configure it on the PIX... but I am not understanding why NAT is essential when going from one firewall interface to another. I understand that it will hide the source IP, but is that the only reason? To hide IP address?

Speaking on a conceptual level, NAT has two practical purposes:

#1 - IP Conservation. If you have more hosts than you have public IP's, then you need to NAT. This was the primary reason NAT was developed. The proper remedy for this situation is to migrate to ipv6.

#2 - Overlapping IP space. If two companies merge or one acquires the other, or you need to interconnect with another network for any reason, but you're using the same address space, NAT can solve the problem and allow the networks to communicate. The proper remedy for this situation is to renumber one of the networks if it's a permanent arrangement.

And that's it. From a security standpoint, the only 'advantage' NAT provides is obscuring the origin of traffic, and a smart threat actor who can access your data stream can probably still ascertain with a reasonable degree of accuracy how many hosts you have behind the NAT, as well as identify individual flows from hosts behind the NAT.

networker050184

thadizzy wrote: »

It is a simple way to only allow initiating traffic from network 192.168.1.0/24 to DMZ and not the other way around.

Wouldn't that be what firewall rules are for? I'm definitely not an expert on this, but it seems to me that using NAT for something like this would be a less than proficient way of doing it rather than setting up your ACLs the right way.