Is NAT can provide some kind of protection?

Lamar Owen lowen at pari.edu
Thu Jan 13 22:14:20 UTC 2011


On Thursday, January 13, 2011 04:32:17 pm Owen DeLong wrote:
> No match, no rewrite, no forward.

This is what you're missing; 'no rewrite' does not mean 'no forward'.  Non-rewritten packets along with the rewritten *are* forwarded to routing; in a firewall they're not forwarded to routing.  What routing does with either packet isn't the NAT's concern.

The clever network engineer can take advantage of this to do things with NAT that are difficult to do with firewalls.  Now, policy routing can do the same things that NAT can do in this context, without the packet header munging.  But if you're already needing to do the translation, NAT kills two birds with one stone.

But, you are correct in that most folks lump the words 'NAT' and 'firewall' into the same process, when they are not. 

I do look forward to the day when NAT will not be necessary for any reason; route-maps and policy routing are more easily understood and just as powerful for the type of packet redirection that NAT enables, with its twist.  (route-maps can be the source of the NAT translation, for that matter, in Cisco IOS NAT past a fairly old IOS version).  Policy routing doesn't break protocols, either.  But policy routing isn't firewalling, any more than NAT is.  Even if the route-map points to a next hop of Null0.  :-)
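The distinction Lamar draws, rendered as a toy Python model (an added example, not code from the post or from anyone on the list): a source-NAT hop that rewrites matching packets and forwards everything, beside a default-deny stateful firewall hop with no translation. The inside prefix and NAT outside address are constructed sample values.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Constructed topology (assumed values, not from the post): inside prefix, NAT outside address.
INSIDE = ip_network("10.0.0.0/24")
NAT_ADDR = "203.0.113.1"
Packet = namedtuple("Packet", "src sport dst dport")

class NatHop:
    """Source NAT: match -> rewrite, no match -> no rewrite; either way the packet goes on to routing."""
    def __init__(self):
        self.table = {}     # outside port -> (inside addr, inside port)

    def process(self, pkt):
        if ip_address(pkt.src) in INSIDE:                    # outbound: allocate a mapping
            port = 40000 + len(self.table)
            self.table[port] = (pkt.src, pkt.sport)
            return "forward", pkt._replace(src=NAT_ADDR, sport=port)
        if pkt.dst == NAT_ADDR and pkt.dport in self.table:  # inbound reply: rewrite back
            addr, sport = self.table[pkt.dport]
            return "forward", pkt._replace(dst=addr, dport=sport)
        return "forward", pkt                                # no match: untouched, still forwarded

class FirewallHop:
    """Default-deny stateful filter with no translation: inside-originated flows and their replies only."""
    def __init__(self):
        self.flows = set()

    def process(self, pkt):
        if ip_address(pkt.src) in INSIDE:                    # outbound: remember the flow
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "forward", pkt
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return "forward", pkt                            # reply to a known flow
        return "drop", pkt                                   # no match -> drop

def compare():
    """One outbound flow, its reply, and an unsolicited inbound probe through each hop."""
    nat, fw = NatHop(), FirewallHop()
    out = Packet("10.0.0.5", 51000, "198.51.100.7", 443)
    nat_out = nat.process(out)[1]
    fw.process(out)
    nat_reply = nat.process(Packet("198.51.100.7", 443, NAT_ADDR, nat_out.sport))
    return {
        "nat_reply": (nat_reply[0], nat_reply[1].dst),
        "fw_reply": fw.process(Packet("198.51.100.7", 443, "10.0.0.5", 51000))[0],
        "nat_unsolicited": nat.process(Packet("198.51.100.9", 12345, NAT_ADDR, 22))[0],
        "fw_unsolicited": fw.process(Packet("198.51.100.9", 12345, "10.0.0.5", 22))[0],
    }
```

The unsolicited inbound packet is forwarded by the NAT hop (no match, no rewrite, but it still reaches routing) and dropped by the firewall hop; only the firewall is doing access control.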