Firewall Fundamentals

ISSM 535Q

Week 3A
Network Address Translation (NAT) and
Port Redirection

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com
All rights reserved.
 Learning Objective
▪ Understand how firewall can acts as an
Intermediary.
▪ Explain the fundamental concepts of Network
Address Translation.
▪ Understand the various applications of
Network Address Translation.

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

Network Security, Firewalls, and VPNs www.jblearning.com Page 2
All rights reserved.
 Key Concepts
▪ Bidirectional Network Address Translation
▪ Dynamic Network Address Translation
▪ Port Address Translation
▪ Identity Network Address Translation
▪ Port Redirection

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

Network Security, Firewalls, and VPNs www.jblearning.com Page 3
All rights reserved.
 Firewalls acts as an Intermediary
▪ It ensures that external hosts from the Internet
can never have direct communication with the
protected host.

▪ This can be achieved through the following

technologies:

❖ Network Address Translation

❖ Port Redirection

❖ Proxy

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

Network Security, Firewalls, and VPNs www.jblearning.com Page 4
All rights reserved.
Network Address Translation
▪ NAT is an additional translation service to the
core filtering functions of a firewall.

▪ It hides the true identity of computers on the

internal network.

▪ It translates internal addresses (Private IP

Addresses) into external addresses (Internet).

▪ it was mainly designed to address some security

concerns, and also offers some additional
benefits.
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
Network Security, Firewalls, and VPNs www.jblearning.com Page 5
All rights reserved.
Benefits of Network Address Translation
▪ Security – It helps to Keep internal IP addresses
hidden to discourage any direct attacks.
▪ IP routing solutions — Overlapping IP addresses
are not a problem when you use NAT.
▪ A network administrator can assign a set of IP
Addresses to a network that another company
might have used.
▪ Flexibility - You can change internal IP
addressing schemes without affecting the public
addresses available externally.
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
Network Security, Firewalls, and VPNs www.jblearning.com Page 6
All rights reserved.
Benefits of Network Address Translation
▪ Save Cost – NAT is necessary when the
registered IP addresses allocated to you by
your Internet Service Provider is less than
the total number of Network devices that
needs internet access.
▪ Since the public IP Address available on the
internet was getting exhausted. It helps
not to run out of IP Addresses.

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

Network Security, Firewalls, and VPNs www.jblearning.com Page 7
All rights reserved.
 Network Address Translation
▪ A NAT devices must have at least have two
network interface, one will serve as the internal
gateway and the other to the internet.

▪ We use NAT for Internet connectivity in this

classroom.

▪ All our workstations have RFC 1918 private

addresses (e.g. 10.0.0.0/8), yet we have Internet
connectivity.

▪ Types of Network Address Translation

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
Network Security, Firewalls, and VPNs www.jblearning.com Page 8
All rights reserved.
 Types of NAT
Source Network Address Translation (SNAT)

▪ This is usually refer to as Internal Address.

▪ If the internal address is getting translated,

regardless of the direction of the access, it is
called Source NAT.

▪ The word Source here means “MY” address is

translating. The originator of the traffic
communication.

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

Network Security, Firewalls, and VPNs www.jblearning.com Page 9
All rights reserved.
 Types of NAT
Destination Network Address Translation (DNAT)

▪ This is sometimes refer to as Outside NAT.

▪ A destination NAT happened when the

External/Remote/Foreign Address is translated.

▪ The word Destination here is "THEM".

▪ When both Source NAT and Destination NAT are

implemented on the same NAT is known as Twice
NAT/Double NAT.
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
Network Security, Firewalls, and VPNs www.jblearning.com Page 10
All rights reserved.
 NAT Interface
▪ NAT can be configured to apply to any interface or
possibly all private network interfaces.

▪ But, NAT devices must have at least two network

interface, one will serve as the internal gateway
and the other to the internet.

▪ You can identify specific private address or

interface in your NAT configuration.

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

Network Security, Firewalls, and VPNs www.jblearning.com Page 11
All rights reserved.
 How NAT Works?

▪ Host A contact a machine on the internet Host B.

▪ The firewall translates the request from having a source
address of 10.1.1.100 to having a source address of
209.165.201.10 and transmits the data across the Internet.
▪ The firewall will record the changes it makes in its translation
table so that it can reverse the changes on return packets.
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
Network Security, Firewalls, and VPNs www.jblearning.com Page 12
All rights reserved.
 NAT Implementations
NAT can be implemented in four different ways base
on the requirement.
▪ Static NAT

▪ Dynamic NAT

▪ Port Address Translation (PAT)

▪ Identity NAT

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

Network Security, Firewalls, and VPNs www.jblearning.com Page 13
All rights reserved.
 Static NAT Implementation
▪ It is sometimes referred to as Bi-directional NAT.

▪ It establish one to one mapping between an

internal IP Address and routable IP Address.

▪ It require the same number if IP Addresses as

need to be translated.

▪ Static NAT is not an effective method of saving the

number of IP addresses required for access to a
network or the Internet.

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

Network Security, Firewalls, and VPNs www.jblearning.com Page 14
All rights reserved.
 Static NAT Implementation
▪ It is known as a Bidirectional NAT because it
provides for the use of NAT regardless of the
direction of the traffic flow.

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

Network Security, Firewalls, and VPNs www.jblearning.com Page 15
All rights reserved.
 Dynamic NAT Implementation
▪ Dynamic NAT translates a group of private
addresses to a pool of public addresses that are
routable on the internet.
▪ A pool of registered IP Addresses is used for
translation.
▪ The pool of routable addresses can be smaller than
the total number of IP addresses that need to be
translated.
▪ This enables you to reduce the number of routable
IP Addresses in use.

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

Network Security, Firewalls, and VPNs www.jblearning.com Page 16
All rights reserved.
 Dynamic NAT Implementation
▪ When a internal host is communicating to internet,
the NAT device will translate the internal IP address
to any available routable address from the pool.
▪ The translation is created only when the private
host initiates the connection.
▪ The translation is in place only for the duration of
the connection, and a given user does not keep the
same IP address after the translation times out.

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

Network Security, Firewalls, and VPNs www.jblearning.com Page 17
All rights reserved.
 Dynamic NAT Implementation
▪ Users on the destination network, therefore, cannot
initiate a reliable connection to a host that uses
dynamic NAT, even if the connection is allowed by
an access rule.
▪ Because the address is unpredictable, a connection
to the host is unlikely.

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

Network Security, Firewalls, and VPNs www.jblearning.com Page 18
All rights reserved.
 Port Address Translation (PAT)
▪ This allows multiple internal addresses to be
translated to a single registered IP address.
▪ This is achievable with the use of Port Numbers.
▪ The firewall builds a NAT table, but instead of
assigning IP Address to the outbound
communications, it assigns a port number.
▪ The source internal port is mostly maintained with
the registered IP Address.
▪ But, if the source internal port is not available, a
translated unique port is allocated to the internal
host automatically from available ports.
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
Network Security, Firewalls, and VPNs www.jblearning.com Page 19
All rights reserved.
 Port Address Translation (PAT)
▪ Each connection requires a separate translation
session because the source port differs for each
connection.
▪ After the connection expires, the port translation
also expires after 30 seconds of inactivity.
▪ The goal of PAT is to conserve IP Addresses.

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

Network Security, Firewalls, and VPNs www.jblearning.com Page 20
All rights reserved.
 Identity Network Address Translation
▪ Identity NAT happens when the Internal (Private) IP
address is statically translated to itself.
▪ It is essentially use to bypass a NAT configured.
That is, to exempt a smaller subnet of address from
a NAT configured.
▪ Identity NAT is necessary for remote access VPN,
where you need to exempt the client traffic from
NAT.

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

Network Security, Firewalls, and VPNs www.jblearning.com Page 21
All rights reserved.
 Twice NAT
▪ Twice NAT helps you identify both the source and
the destination address in a single NAT rule.
▪ A translation rule created for traffic from Source A
to Source B can have a different translation when
the same Source A is communicating to Source C.
▪ Although, the destination address is optional.
▪ If you specify the destination address, you can
either map it to itself (identity NAT), or you can
map it to a different address.
▪ The destination mapping is always a static
mapping.
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
Network Security, Firewalls, and VPNs www.jblearning.com Page 22
All rights reserved.
 Twice NAT with Different Destination
Address

▪ When the host accesses the server at 209.165.201.11, the

private address is translated to 209.165.202.129.
▪ When the host accesses the server at 209.165.200.225,
the private address is translated to 209.165.202.130.
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
Network Security, Firewalls, and VPNs www.jblearning.com Page 23
All rights reserved.
 Twice NAT with Different Destination
Ports

▪ The host on the 10.1.2.0/24 network accesses a

single host for both web services and Telnet
services.
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
Network Security, Firewalls, and VPNs www.jblearning.com Page 24
All rights reserved.
 Twice NAT with Different Destination
Ports
▪ When the host accesses the server for web
services, the real address is translated to
209.165.202.129.
▪ When the host accesses the same server for
Telnet services, the real address is translated to
209.165.202.130.

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

Network Security, Firewalls, and VPNs www.jblearning.com Page 25
All rights reserved.
 Port Redirection
▪ It is also called Destination NAT.
▪ This allows servers located in internal network
(commonly situated at DMZ zone) to be accessible
from the internet.
▪ Redirection also helps to avoid direct access to the
internal servers from the internet.
▪ Port Redirection happen when a customised port is
redirected to a known port.
▪ This redirection is often implemented on the
perimeter device.
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
Network Security, Firewalls, and VPNs www.jblearning.com Page 26
All rights reserved.
 Summary
▪ NAT was created to address the concerns of IP
Addresses limitation by providing a mechanism
by which any number of IP Addresses can be
translated to a different range of IP Addresses.

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

Network Security, Firewalls, and VPNs www.jblearning.com Page 27
All rights reserved.