Breaking Stuff by Fixing NAT

Eliot Lear lear at cisco.com
Tue Nov 12 00:44:39 UTC 2002


Crist J. Clark wrote:

> But there are still management reservations, the only reservation we
> do not have a good answer for is the (arbitrary) claim that turning
> off NAT may break stuff for customers who depend on it. Now we have
> customers that do some pretty messed up stuff, and everybody knows
> about various commercial apps that do really, really messed up stuff,
> but none of us can think of anything that turning NAT off will
> break. But perhaps all of our minds are just too cluttered with all of
> the weird stuff that turning off NAT will allow to _work._

I have to admit a certain amount of amusement when I read this.

In general you should be okay.  The things that could break are likely 
those things that have IP addresses hardcoded.  None of the following 
checks is any different than what you would do to renumber a network.

So, check your access lists on your routers, check any UNIX 
configuration files, as well as any SSL certificates that were somehow 
gotten with 10/8 addresses.  Also, if you do H.323, check your gateway 
configurations.  Users that make use of personal firewalls may have some 
minor complications along these same lines, particularly if servers are 
changing addresses.

The one change that you should be mindful of is this: if the company 
*was* relying in some way on security through obscurity, you may need to 
add a few additional protections, particularly if you want to prevent 
peer-to-peer access, such as Gnutella.  Make sure that you have a real 
firewall in place, as you should have before ;-)

Regards,

Eliot
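A worked version of the audit Eliot describes (hunting hardcoded 10/8, 172.16/12 and 192.168/16 literals in router access lists and UNIX configuration files before NAT goes away, then doing the renumber), as an added example that is not part of the original message or of any NANOG participant's code. The router fragment and hosts file are constructed samples; the function names scan_config and renumber, and the 198.51.100.0/24 target prefix, are assumptions made here for illustration. SSL certificates and H.323 gateway configs are not covered by this text scan and still need checking by hand.

```python
import ipaddress
import re

# Added example, not from the original message. Finds RFC 1918 literals that
# NAT used to hide, then shows a host-for-host rewrite into a new prefix.

# The three RFC 1918 blocks; anything in them was only reachable through NAT.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Dotted quad with an optional /len suffix, not embedded in a longer number.
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(/\d{1,2})?(?![\d.])")


def private_range(addr):
    """Return the RFC 1918 block containing addr (a string), or None.

    Raises ValueError for strings that are not valid IPv4 addresses."""
    ip = ipaddress.ip_address(addr)
    for net in RFC1918:
        if ip in net:
            return net
    return None


def scan_config(text):
    """List (line_number, literal, rfc1918_block) for each private literal.

    Comment lines ('#' for UNIX files, '!' for Cisco-style configs) are skipped.
    A Cisco wildcard mask such as 0.255.255.255 parses as an address but is not
    private, so it is not reported; the network it qualifies is."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith(("#", "!")):
            continue
        for m in IPV4_RE.finditer(line):
            try:
                net = private_range(m.group(1))
            except ValueError:  # e.g. an octet above 255
                continue
            if net is not None:
                hits.append((lineno, m.group(0), str(net)))
    return hits


def renumber(text, old_net, new_net):
    """Rewrite every address inside old_net to the same offset in new_net.

    Prefix lengths must match so the host part carries over unchanged; any
    /len suffix on the literal is preserved. Wildcard-mask ACL entries still
    need a human: their mask may no longer describe the new block."""
    old = ipaddress.ip_network(old_net)
    new = ipaddress.ip_network(new_net)
    if old.prefixlen != new.prefixlen:
        raise ValueError("old and new prefixes must be the same size")

    def swap(m):
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            return m.group(0)
        if ip not in old:
            return m.group(0)
        offset = int(ip) - int(old.network_address)
        moved = ipaddress.ip_address(int(new.network_address) + offset)
        return str(moved) + (m.group(2) or "")

    return IPV4_RE.sub(swap, text)


# Constructed samples, not real device or host configuration.
SAMPLE_ROUTER_CONFIG = """\
! constructed Cisco-style fragment
hostname border-1
interface Serial0/0
 ip address 192.0.2.1 255.255.255.252
access-list 101 permit tcp 10.0.0.0 0.255.255.255 any eq 25
access-list 101 permit tcp host 10.1.2.3 host 192.0.2.10 eq 22
ip nat inside source list 101 interface Serial0/0 overload
"""

SAMPLE_HOSTS = """\
# constructed /etc/hosts
127.0.0.1    localhost
10.1.2.3     mail.example.com mail
172.16.5.9   ldap.example.com
192.0.2.10   www.example.com
"""


if __name__ == "__main__":
    for name, text in (("router", SAMPLE_ROUTER_CONFIG), ("hosts", SAMPLE_HOSTS)):
        for lineno, literal, block in scan_config(text):
            print(f"{name}:{lineno}: {literal} is in {block}")
    # Move the old 10.1.2.0/24 server subnet into a hypothetical public /24.
    print(renumber(SAMPLE_HOSTS, "10.1.2.0/24", "198.51.100.0/24"))
```

Run it against real configs by feeding file contents to scan_config; the line numbers are what you hand to whoever owns the router or host. The renumber step is deliberately limited to same-sized prefixes because a host-for-host move is the only rewrite that is safe to automate; summary entries like the 10.0.0.0 0.255.255.255 wildcard above are reported but left for a person to redraw.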




More information about the NANOG mailing list