kadar2
Participant

Manual Static NAT question

Hello,

I would really appreciate it if someone could help me clarify the following issue.

Say that I have a site2site VPN. Traffic is initiated from the remote site. I would like to hide my internal server IPs behind a NAT subnet, let's call it NAT_Internal.

Because I want my internal servers to still have internet access, I suppose that I need to create manual static NAT rules. The question is... do I need to create bidirectional manual static rules or just one direction, depending on who initiates the traffic?

Example of rules:

Outgoing:

Original source: Real_inside_IP --> Original destination: Remote_subnet --> Translated source: NAT_subnet_IP --> Translated destination: Original

Incoming:

Original source: Remote_subnet --> Original destination: NAT_subnet_IP --> Translated source: Original --> Translated destination: Real_Inside_IP

The traffic will be initiated from the remote site. So are both rules needed?

My other question is if the policy access rules should contain the NATed IPs or the real IPs.

Thank you in advance!

4 Replies
JackPrendergast
Collaborator

@kadar2 Hello,

First question is, why do you want to hide private internal IPs behind another IP address via NAT? What is the reasoning behind this?

You don't need bi-directional if traffic from the Internet isn't initiating a connection to a server, i.e. an incoming connection to a web server.

If this is client access out to the internet, you need to have a NAT to hide your internal subnets behind your public IP, one way.

But the VPN bit confuses me. What are you trying to achieve here? Does the remote site have to go across the VPN to go out to the internet? Can it not break out locally? What's your design?

kadar2
Participant

Maybe I did not correctly explain the situation in my original post.

If my internal servers want to go to the Internet, their IP will be hidden behind the Public IP. No problem there.

We need to create a site2site VPN. The peer subnets need to access some internal servers and for security reasons we would like the internal servers to be "hidden" from the peer, behind the NATed subnet. This should be done via manual static translation.

Does the translation need to be made bidirectional as per the example above?

And in the access rules should I include the real IPs of the servers or the NATed ones, when entering the VPN community?

Thanks!

JackPrendergast
Collaborator

Hi @kadar2

Understood.

However, hiding your internal services seems unnecessary to me. "Security through obscurity" is generally a bad practice to follow, as hiding your IP addresses provides what? Nothing.

If you hide them, they cannot see the real IP; however, they will still get to the intended destination via NAT, so what's the difference?

If you are concerned about remote users and their access to the internal servers, you should employ a proper firewall policy to restrict what they can and can't do.

Employing NAT over the VPN starts to open complications regarding 'NAT-T' and opening up different ports for NAT traversal - when really, your issue here is how you are tackling your security concerns.

To answer your questions regarding NAT: bi-directional is needed if both sides need to INITIATE a connection.

If it's only one side initiating the connection, then one NAT is needed.

If it's initiated on both sides, bi-directional is needed.

These are rules in general for NAT. However, as mentioned above, I don't recommend your employing this, as you aren't securing yourself any more than you think.

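The initiation rule of thumb from the answer above, as an added Python model that is not from this thread or from any firewall product: a stateful static NAT where the first packet of a connection must match a rule, while replies are translated back from the connection table. The addresses (10.2.0.0/24 as Remote_subnet, 10.1.0.5 as Real_Inside_IP, 192.0.2.10 as NAT_subnet_IP) and the toy rule format are constructed assumptions.

```python
# Added example: a minimal stateful static-NAT model (not any vendor's code).
# It shows that one manual static rule covers remote-initiated connections,
# and that an inside-initiated connection needs the second rule or the real
# address goes across the tunnel untranslated.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class StaticRule:
    orig_src: str  # original source (host or network)
    orig_dst: str  # original destination (host or network)
    xlat_src: str  # translated source, or "Original" to keep it unchanged
    xlat_dst: str  # translated destination, or "Original" to keep it unchanged


def _in(net: str, addr: str) -> bool:
    return ip_address(addr) in ip_network(net, strict=False)


def _xlate(field: str, addr: str) -> str:
    return addr if field == "Original" else field


class StatefulNat:
    def __init__(self, rules):
        self.rules = list(rules)
        self.conns = {}  # reply (src, dst) as seen pre-NAT -> translated (src, dst)

    def new_connection(self, src: str, dst: str):
        """First packet: apply the first matching rule and record state.
        Without a match the packet is forwarded untranslated."""
        for r in self.rules:
            if _in(r.orig_src, src) and _in(r.orig_dst, dst):
                nat = (_xlate(r.xlat_src, src), _xlate(r.xlat_dst, dst))
                self.conns[(nat[1], nat[0])] = (dst, src)  # reverse direction
                return nat
        return (src, dst)

    def reply(self, src: str, dst: str):
        """Reply packet: translated from state, no rule lookup needed."""
        return self.conns.get((src, dst), (src, dst))


def demo():
    remote, real, nat_ip = "10.2.0.5", "10.1.0.5", "192.0.2.10"  # constructed
    incoming = StaticRule("10.2.0.0/24", nat_ip, "Original", real)
    outgoing = StaticRule(real, "10.2.0.0/24", nat_ip, "Original")
    one_way = StatefulNat([incoming])
    req = one_way.new_connection(remote, nat_ip)  # remote initiates: translated
    rep = one_way.reply(real, remote)             # reply comes back as NAT_IP
    leak = one_way.new_connection(real, remote)   # inside initiates: no match
    hidden = StatefulNat([incoming, outgoing]).new_connection(real, remote)
    return req, rep, leak, hidden
```

Run `demo()`: the remote-initiated request and its reply are handled by the single incoming rule plus state, while the inside-initiated connection is translated only once the outgoing rule is present.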
kadar2
Participant

I understand what you are implying. Nonetheless, I would not like to further analyze what leads us to such an implementation...

So if only one participant initiates the connection, then one direction is needed. Understood!

Thank you for your time.