Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
399
Views
0
Helpful
2
Replies

No NAT - To exclude Interesting Traffic...Please clarify!

jhoneycutt1
Level 1
Level 1

‎07-20-2006 04:20 AM

Hi all,

I hope someone can clarify something for me.

I've never understood why you exclude your interesting traffic from the NAT process. If you're protecting your traffic (assumed to be NON-ROUTABLE RFC 1918 addresses), then when the traffic exists the egress interface, how is it able to reach the intended destination if the layer 3 header isn't rewritten with a publicly routable source address? It would have to be sourced off the public IP of the PIX/Router acting as the tunnel termination peer to be routed through the Internet, so I would like to know how we can exclude it? If it's not NAT'd then the source would exit as 192.168.1.x which would never make it to the remote peer.

Simple Configuration PIX to PIX VPN:

PIX 1: Inside segment (to be encrypted)

192.168.1.0/24

PIX 2: Inside segment (to be encrypted)

172.16.1.0/24

ACL to define Interesting Traffic:

access−list 101 permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0

* This command tells the PIX not to NAT any traffic deemed as interesting for IPsec.

nat (inside) 0 access−list 101

With the statement above, how would the existing traffic ever make it to the intended destination if it's not being sourced with a routable address?

Any help is appreciated!

Labels:
0 Helpful
2 Replies 2

grant.maynard
Level 4
Level 4

‎07-20-2006 04:41 AM

You use no-NAT when traffic is going between internal interfaces (e.g. inside<->DMZ), or over a VPN, or if you have public IPs on the inside (as at many educational establishments).

You are talking about a L2L VPN. This is an encrypted point-point tunnel between the public IP addresses of PIX1 & PIX2. So the LAN-LAN traffic is encapsulated in an IPsec packet, and the source and destination addreses on that packet are PIX1 & PIX2. No one on the internet can see the original packet with its private IPs.

Clear as mud?

0 Helpful

jhoneycutt1
Level 1
Level 1
In response to grant.maynard

‎07-20-2006 04:46 AM

Sorry, I should've said...how is return traffic supposed to get back to the respective host if it's sourced using its non-routable address (i.e. 172.16.1.1).

I guess it's implied that the traffic will exit with the routable source address of the PIX. So in essence, the original layer 3 header still contains the inside source - so it's essentially being NAT'd in a non-NAT'd way...just new header is added with source address of the PIX for return traffic and to maintain confidentiality of inside block. =D

Clear as a bell now. Thanks.

0 Helpful
Customers Also Viewed These Support Documents