Is NAT can provide some kind of protection?

Lamar Owen lowen at
Thu Jan 13 15:21:22 CST 2011

On Wednesday, January 12, 2011 03:50:28 pm Owen DeLong wrote:
> That's simply not true. Every end user running NAT is running a stateful firewall with a default inbound deny. 

This is demonstrably not correct.  Even in the case of dynamic overloaded NAT, at least on Cisco, there is no firewalling going on (if firewalling is defined as blocking something).  It looks like there is, but that's an illusion, a sleight-of-hand, not reality. In the NAT order of operations in IOS at least you'll find NAT occurs before the routing decision does.  Thus, if you change the address in the packet header, you change which routing table entry will be used to route that packet.  It's the rewriting of the address that then causes the routing to send the packet in a different direction; in practice most of the time there is either no route or a null route to the inside global address or address block, but it doesn't have to be that way. 

You could easily set up a NAT where the inside local addresses are on, say, GigabitEthernet0/0 and the inside global address(es) are on Null0.... or GigabitEthernet0/1 (where the honeynet or tarpit resides, perhaps?), or whatnot. Packets that don't match the NAT can just be routed elsewhere, not just to a null route, easily enough.   The default destination for most cases happens to be a null route; this is certainly a good imitation of a deny.

More information about the NANOG mailing list