Breaking Stuff by Fixing NAT
Eliot Lear
lear at cisco.com
Tue Nov 12 00:44:39 UTC 2002
Crist J. Clark wrote:
> But there are still management reservations, the only reservation we
> do not have a good answer for is the (arbitrary) claim that turning
> off NAT may break stuff for customers who depend on it. Now we have
> customers that do some pretty messed up stuff, and everybody knows
> about various commercial apps that do really, really messed up stuff,
> but none of us can think of anything that turning NAT off will
> break. But perhaps all of our minds are just too cluttered with all of
> the weird stuff that turning off NAT will allow to _work._
I have to admit a certain amount of amusement when I read this.
In general you should be okay. The things that could break are likely
those things that have IP addresses hardcoded. None of the following
checks is any different than what you would do to renumber a network.
So, check your access lists on your routers, check any UNIX
configuration files, as well as any SSL certificates that were somehow
gotten with 10/8 addresses. Also, if you do H.323, check your gateway
configurations. Users that make use of personal firewalls may have some
minor complications along these same lines, particularly if servers are
changing addresses.
The one change that you should be mindful of is this: if the company
*was* relying in some way on security through obscurity, you may need to
add a few additional protections, particularly if you want to prevent
peer-to-peer access, such as Gnutella. Make sure that you have a real
firewall in place, as you should have before ;-)
Regards,
Eliot
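The checklist above (router access lists, UNIX configuration files, gateway configs with hardcoded 10/8 addresses) is the same pre-check one does before renumbering. The script below is an added example, not code from the thread: it pulls every dotted quad or prefix out of a set of config texts and flags the ones that fall in RFC 1918 space. The file names and their contents are constructed samples; 203.0.113.0/24 is documentation space standing in for the public side.

```python
"""Find hardcoded RFC 1918 addresses in router ACLs and UNIX config files
before turning NAT off. Example code; sample sources below are constructed."""
import ipaddress
import re
from typing import Dict, List, Tuple

# Address space that stops meaning anything to the outside once NAT is gone.
PRIVATE_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Dotted quad, optionally followed by a /prefix length (e.g. 10.1.0.0/16).
IPV4_RE = re.compile(
    r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?:/(\d{1,2}))?(?![\d.])"
)


def is_private(token: str) -> bool:
    """True if the address or prefix overlaps an RFC 1918 range."""
    try:
        if "/" in token:
            net = ipaddress.ip_network(token, strict=False)
            return any(net.overlaps(p) for p in PRIVATE_NETS)
        addr = ipaddress.ip_address(token)
        return any(addr in p for p in PRIVATE_NETS)
    except ValueError:
        # Tokens like 1.2.3.400 look like addresses but are not valid ones.
        return False


def private_hits(text: str) -> List[Tuple[int, str]]:
    """Return (line number, token) for every RFC 1918 address in text.
    ACL wildcard masks such as 0.0.0.255 are valid addresses but never
    fall inside a private range, so they are not reported."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in IPV4_RE.finditer(line):
            token = m.group(1) + (f"/{m.group(2)}" if m.group(2) else "")
            if is_private(token):
                hits.append((lineno, token))
    return hits


def scan_sources(sources: Dict[str, str]) -> Dict[str, List[Tuple[int, str]]]:
    """Scan several named config texts; only sources with hits are reported."""
    report = {name: private_hits(text) for name, text in sources.items()}
    return {name: hits for name, hits in report.items() if hits}


# Constructed sample configs (hypothetical file names, not real devices).
SAMPLE_SOURCES = {
    "router-acl.txt": (
        "access-list 101 permit tcp 10.1.1.0 0.0.0.255 any eq 443\n"
        "access-list 101 permit ip 203.0.113.0 0.0.0.255 any\n"
        "access-list 101 deny ip any any\n"
    ),
    "etc-hosts": (
        "127.0.0.1     localhost\n"
        "10.1.1.20     mail.example.internal\n"
        "203.0.113.10  www.example.com\n"
    ),
    "h323-gateway.cfg": (
        "! IOS version 12.2.8\n"
        "h323-gateway voip bind srcaddr 10.1.1.5\n"
    ),
}

if __name__ == "__main__":
    for name, hits in scan_sources(SAMPLE_SOURCES).items():
        for lineno, token in hits:
            print(f"{name}:{lineno}: hardcoded private address {token}")
```

Run it against real files by replacing `SAMPLE_SOURCES` with `{path: open(path).read() for path in paths}`; each reported line is a place where a renumbering will change behaviour and needs a human decision, not an automatic rewrite.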