Filter Internet NAT Redirection

My Cisco router has an option to: Filter Internet NAT Redirection

The router help says only: "This feature uses Port Forwarding to prevent access to local servers from your local networked computers."

Can you explain to me if we should have this option turned on? It is turned off by default.

Is this option designed to prevent me from connecting to my own computers - or is this option designed to prevent outsiders from connecting to my computers (perhaps via a compromised system)???

Nancy

Reply to
Nancy Pi Squared

Hi Nancy, how's it?

If you turn this off, it will allow you to access the server on your local network using the Outside (Internet) IP address.

If you turn it on, it will block access to the server using the Outside IP, but still allow by using the Internal (LAN) IP.

Flamer.

Reply to
die.spam

Hi,

It will deny outside intruders access to servers (DMZ, LAN).

CK


Reply to
NETADMIN

Is the help "blurb" just poorly worded? To me it implies that it prevents traffic between local systems (not outside>in but in>in).


Reply to
kingthorin

The help message seems to say otherwise but I do not really understand these things which is why I asked.

The help seems to say: From LOCAL computers to LOCAL servers.

Everything being LOCAL, the distinction between a "local computer" and a "local server" is beyond me.

Nancy

Reply to
Nancy Pi Squared

Flamer's response was correct.

If your local systems send packets to the -public- (external) IP and port of your internal servers, then if the filtering is turned on then the device will deny those packets; when the filtering is turned off, the device will re-address those packets and send them back inwards. In this situation, the source of the connection is local and the destination ends up being the local server, but the address used by the local computer was the outside address instead of the inside address.

Allowing this kind of traffic to go through messes up the security device's ideas of "source" and "destination" (especially for UDP), so it cannot be done at the same security level as would be the case if the source and ultimate destination were on different interfaces of the security device.

Reply to
Walter Roberson

Flamer said: "If you turn this off, it will allow you to access the server on your local network using the Outside (Internet) IP address.

If you turn it on, it will block access to the server using the Outside IP, but still allow by using the Internal (LAN) IP."

All I have is a computer, a router, and a modem.

Which of these three is the "server?"

Nancy

Reply to
Nancy Pi Squared

The computer is.

If you had the filter turned off, then you could use the computer to place a request to the public (external) IP address of the computer, and the router would calmly forward it back to the computer.

With the filter turned on, then if you tried to use the computer to place a request to the public (external) IP address of the computer, the router would block the packets.

For example, you might be running a web server on your computer, even if it happens to be a PC. And if it does happen to be a Windows PC, then chances are that it is acting as a "server" for a number of different services, like file sharing (NETBIOS), or pop-up messaging spam. Every networked computer is potentially a server.

Anyhow, if you go back to the help blurb, it talks about your "servers". If you don't happen to have any servers, then the feature will control access to all zero of them. The services provided by any particular feature of your router might be vacuously provided, doing nothing useful for you until you drop a new device into the network that does happen to use the network that way. (But as noted above, your one computer probably -is- a server of -something- -- most computers are servers by default.)

Reply to
Walter Roberson

On Thu, 19 Oct 2006, snipped-for-privacy@hushmail.com (Walter Roberson) scribed:

Say I have a single computer, router, and modem.

Say my one computer has an IP address of 192.168.0.1, but my computer/router/modem IP address is 66.249.65.231.

Say my computer is acting as a "server" for something. Say that something is it's acting as an FTP server.

Say the router is not filtering NAT redirection.

Are you telling me that I can sit at my computer (server) at 192.168.0.1 to ftp 66.249.65.231 and that ftp request will go to the router, to the modem, to the ISP domain name server, and then loop back to the modem, to the router, and finally back to the one computer on my network that the router knows is at 66.249.65.231?

Then I turn on the router option to filter NAT redirection.

I sit at my computer (server) at 192.168.0.1 to ftp 66.249.65.231 and that ftp request will go to the router, to the modem, to the ISP domain name server, and then loop back to the modem, to the router, and stop there, never making it back to the computer only the router knows is at 66.249.65.231?

Correct yet?

Nancy

Reply to
Nancy Pi Squared

I'll take it that you mean something like "DSL modem" rather than acoustic modem.

The router itself knows that its IP address is 66.249.65.231, so the ftp request would go out from your computer to the router, which would see that the destination was the same as the public IP of the router, and so would rewrite the packet to be addressed to 192.168.0.1 and would send it back to the computer.

The ADSL modem and ISP DNS server would only be involved if you were to ask for the resource by hostname and your computer's DNS client asked the ISP DNS server to resolve the name and got told your public IP address. The DNS request would go out via the ADSL link to some server and come back again, but once the IP address of the destination was known to your local computer, it would place the ftp request by IP address, and your local router would short-circuit the run.

No, if the filtering was on, then when the outgoing request reached your router, your router would see that the public IP of the destination was one handled by the router, and the router would deny the request without allowing it out to the ISP.

Reply to
Walter Roberson
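The behaviour Walter describes in his two replies (the router rewriting a LAN-originated packet addressed to its own public IP and sending it back inwards when the filter is off, denying it when the filter is on, and the source/destination confusion that hairpinned traffic causes) can be modelled as a small forwarding decision. The following is an added example written for this thread, not code from any Cisco or Linksys firmware. It assumes Nancy's addresses (computer 192.168.0.1, public IP 66.249.65.231), a constructed router LAN address of 192.168.0.254, a constructed port forward of TCP/21 to the computer, and an outside host at the documentation address 203.0.113.5.

```python
"""Simulated NAT-redirection (hairpin) decision for a home router.

Constructed example, not vendor code. It models the behaviour described in
the thread: when a LAN host sends a packet to the router's own public IP on a
forwarded port, the router either rewrites it and sends it back inwards
(filter off) or drops it (filter on). Traffic from the Internet to a
forwarded port is handled the same way in both cases, which is why the
option is about local hosts, not outsiders.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    dport: int


@dataclass
class Router:
    public_ip: str
    lan_net: str
    lan_ip: str                  # router's own LAN address (constructed value in demo)
    port_forwards: dict          # (proto, public port) -> (LAN host, port)
    filter_nat_redirection: bool = False

    def _is_lan(self, addr: str) -> bool:
        return ip_address(addr) in ip_network(self.lan_net)

    def handle(self, pkt: Packet):
        """Return (verdict, resulting packet).

        Verdicts: 'lan-switched', 'hairpin', 'drop', 'forward-out', 'forward-in'.
        """
        key = (pkt.proto, pkt.dport)
        from_lan = self._is_lan(pkt.src)
        to_public = pkt.dst == self.public_ip

        if from_lan and self._is_lan(pkt.dst):
            # Client used the internal (LAN) IP: the switch delivers it directly,
            # NAT is never involved, so the filter setting does not matter.
            return ("lan-switched", pkt)

        if from_lan and to_public:
            # The case the thread is about: a local host addressed the router's
            # public IP instead of the server's LAN IP.
            if key not in self.port_forwards or self.filter_nat_redirection:
                return ("drop", pkt)
            target, port = self.port_forwards[key]
            # Hairpin NAT: rewrite the destination to the internal server AND
            # the source to the router's LAN address. Without the source rewrite
            # the server would reply straight to the client from 192.168.0.1,
            # an address the client never sent to, so the client would discard
            # the reply. This is the "source"/"destination" confusion Walter
            # mentions, and is harder to track for connectionless UDP.
            return ("hairpin", replace(pkt, src=self.lan_ip, dst=target, dport=port))

        if from_lan:
            # Ordinary outbound traffic: SNAT to the public address.
            return ("forward-out", replace(pkt, src=self.public_ip))

        if to_public and key in self.port_forwards:
            # Inbound from the Internet to a forwarded port: DNAT to the server.
            # The NAT-redirection filter plays no part here.
            target, port = self.port_forwards[key]
            return ("forward-in", replace(pkt, dst=target, dport=port))

        return ("drop", pkt)


def demo():
    """Run Nancy's scenario with the filter off and on; returns the verdicts."""
    router = Router(
        public_ip="66.249.65.231",          # from the thread
        lan_net="192.168.0.0/24",
        lan_ip="192.168.0.254",              # constructed: router's LAN side
        port_forwards={("tcp", 21): ("192.168.0.1", 21)},  # constructed FTP forward
    )
    local_via_public = Packet("192.168.0.1", "66.249.65.231", "tcp", 21)
    local_via_lan = Packet("192.168.0.1", "192.168.0.1", "tcp", 21)
    outsider = Packet("203.0.113.5", "66.249.65.231", "tcp", 21)  # constructed

    results = {}
    for flag in (False, True):
        router.filter_nat_redirection = flag
        results[flag] = {
            "local->public": router.handle(local_via_public)[0],
            "local->lan": router.handle(local_via_lan)[0],
            "outsider->public": router.handle(outsider)[0],
        }
    return results


if __name__ == "__main__":
    for flag, verdicts in demo().items():
        print(f"filter_nat_redirection={flag}: {verdicts}")
```

Running it shows the split the thread arrives at: with the filter off, the local-to-public packet is hairpinned back to 192.168.0.1; with it on, that packet is dropped at the router. Access by the LAN address and access from the outside host are unchanged in both cases, so the option is not a defence against outsiders.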
