My Cisco router has an option to: Filter Internet NAT Redirection
The router help says only: "This feature uses Port Forwarding to prevent access to local servers from your local networked computers."
Can you explain to me if we should have this option turned on? It is turned off by default.
Is this option designed to prevent me from connecting to my own computers - or is this option designed to prevent outsiders from connecting to my computers (perhaps via a compromised system)?
If your local systems send packets to the -public- (external) IP and port of your internal servers, then if the filtering is turned on then the device will deny those packets; when the filtering is turned off, the device will re-address those packets and send them back inwards. In this situation, the source of the connection is local and the destination ends up being the local server, but the address used by the local computer was the outside address instead of the inside address.
Allowing this kind of traffic to go through messes up the security device's ideas of "source" and "destination" (especially for UDP), so it cannot be done at the same security level as would be the case if the source and ultimate destination were on different interfaces of the security device.
If you had the filter turned off, then you could use the computer to place a request to the public (external) IP address of the computer, and the router would calmly forward it back to the computer.
With the filter turned on, then if you tried to use the computer to place a request to the public (external) IP address of the computer, the router would block the packets.
For example, you might be running a web server on your computer, even if it happens to be a PC. And if it does happen to be a Windows PC, then chances are that it is acting as a "server" for a number of different services, like file sharing (NETBIOS), or pop-up messaging spam. Every networked computer is potentially a server.
Anyhow, if you go back to the help blurb, it talks about your "servers". If you don't happen to have any servers, then the feature will control access to all zero of them. The services provided by any particular feature of your router might be vacuously provided, doing nothing useful for you until you drop a new device into the network that does happen to use the network that way. (But as noted above, your one computer probably -is- a server of -something- -- most computers are servers by default.)
On Thu, 19 Oct 2006, snipped-for-privacy@hushmail.com (Walter Roberson) scribed:
Say I have a single computer, router, and modem.
Say my one computer has an IP address of 192.168.0.1, but my computer/router/modem IP address is 66.249.65.231.
Say my computer is acting as a "server" for something. Say that something is that it's acting as an FTP server.
Say the router is not filtering NAT redirection.
Are you telling me that I can sit at my computer (server) at 192.168.0.1 to ftp 66.249.65.231 and that FTP request will go to the router, to the modem, to the ISP domain name server, and then loop back to the modem, to the router, and finally back to the one computer on my network that the router knows is at 66.249.65.231?
Then I turn on the router option to filter NAT redirection.
I sit at my computer (server) at 192.168.0.1 to ftp 66.249.65.231, and that FTP request will go to the router, to the modem, to the ISP domain name server, and then loop back to the modem, to the router, and stop there, never making it back to the computer that only the router knows is at 66.249.65.231?
I'll take it that you mean something like "DSL modem" rather than acoustic modem.
The router itself knows that its IP address is 66.249.65.231, so the ftp request would go out from your computer to the router, which would see that the destination was the same as the public IP of the router, and so would rewrite the packet to be addressed to 192.168.0.1 and would send it back to the computer.
The ADSL modem and ISP DNS server would only be involved if you were to ask for the resource by hostname and your computer's DNS client asked the ISP DNS server to resolve the name and got told your public IP address. The DNS request would go out via the ADSL link to some server and come back again, but once the IP address of the destination was known to your local computer, it would place the ftp request by IP address, and your local router would short-circuit the run.
No, if the filtering was on, then when the outgoing request reached your router, your router would see that the public IP of the destination was one handled by the router, and the router would deny the request without allowing it out to the ISP.
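A toy model of the decision the router makes in the two cases above, added here as an example rather than code from the thread: the public address and the FTP server's address are the ones used in the thread, while the router's LAN address, the port-forwarding table and the source rewrite on hairpinned packets are assumptions of the model.

```python
from dataclasses import dataclass, replace

PUBLIC_IP = "66.249.65.231"   # router's WAN address, from the thread
LAN_IP = "192.168.0.254"      # router's LAN address (assumed; not in the thread)
# Port-forwarding table: public port -> (LAN server, port). The FTP entry is
# the example from the thread; the port number itself is assumed.
PORT_FORWARDS = {21: ("192.168.0.1", 21)}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    arrived_on: str  # "lan" or "wan": interface the packet came in on


def route(pkt: Packet, filter_nat_redirection: bool):
    """Decide what the router does with one packet.

    Returns ("drop", None) or ("forward", packet_after_rewriting).
    """
    if pkt.dst != PUBLIC_IP:
        # Not aimed at the router's public address: plain routing, no NAT decision.
        return ("forward", pkt)
    target = PORT_FORWARDS.get(pkt.dport)
    if target is None:
        return ("drop", None)  # no server is forwarded on that port
    server_ip, server_port = target
    if pkt.arrived_on == "wan":
        # Ordinary inbound port forward: rewrite the destination only.
        return ("forward", replace(pkt, dst=server_ip, dport=server_port))
    # A LAN host addressed the public IP: this is the redirection the option controls.
    if filter_nat_redirection:
        return ("drop", None)  # filter on: the request stops at the router
    # Filter off: hairpin. Besides rewriting the destination, the source is
    # rewritten to the router's LAN address so the server's reply returns via
    # the router (otherwise the server would answer the client directly from
    # an address the client never talked to). This SNAT step is the usual
    # hairpin behaviour and an assumption of this model.
    return ("forward", replace(pkt, src=LAN_IP, dst=server_ip, dport=server_port))


def demo():
    """Walk the thread's scenario with the filter off and on."""
    from_lan = Packet("192.168.0.1", PUBLIC_IP, 21, "lan")
    from_wan = Packet("203.0.113.7", PUBLIC_IP, 21, "wan")  # constructed outside client
    return {
        "lan_filter_off": route(from_lan, False),
        "lan_filter_on": route(from_lan, True),
        "wan_filter_on": route(from_wan, True),
    }
```

The source rewrite is the concrete form of the "source and destination" confusion mentioned earlier in the thread: once both ends of the connection sit on the LAN side, the router can no longer tell inside from outside by interface alone.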