DNAT and Security+

Posted on by Darril

DNAT and Security+

If you take the Security+ exam, you may come across the acronym DNAT so it’s important to understand how DNAT and Security+ are related. DNAT is short for destination network address translation and provides port forwarding for incoming traffic.

As an example, here’s a practice test question that tests your knowledge of this information.

Master Security+ Performance Based Questions Video

DNAT and Security+ Practice Test Question

Q. You need to ensure that all Internet traffic coming into a firewall using port 8080 is sent to an internal web server. What would you configure on the firewall?

A. DNAT
B. PAT
C. HTTP
D. HTTPS

DNAT and Security+ Practice Test Question Answer

Correct Answer: A. Since you know that this blog is about DNAT, you probably answered this question correctly. When enabled on the firewall for this scenario, port 8080 would be mapped to the IP address of the internal web server. Or said another way, by enabling port forwarding on the firewall, you can redirect traffic with a destination port of 8080 to the IP address of the internal web server. Traffic follows this path:

Internet —> Firewall —> Internal web server

Assume for a moment that Joe has an internal network at his home. It has a firewall performing traditional network address translation (NAT) between public IP addresses on the Internet, and private IP addresses on his internal network. Within his internal network, Joe has created a web server with a private IP address of 192.168.1.100. Joe wants to be able to access this web server while he’s away from home.

He can configure port forwarding (or DNAT) on the firewall mapping port 8080 traffic to 192.168.1.100 port 80. As long as he knows the public IP address of his router, he can connect to his internal web server using port 8080 with a standard web browser. For example, if his router was assigned a public IP address of 70.160.136.150, he could plug this into a web browser while away from home: 70.160.136.150:8080

When the traffic hit the firewall, DNAT would change the destination IP address and port to 192.168.1.100 and port 80, and the packet would be rerouted to the web server.

Pass the Security+ exam the first time you take it.
CompTIA Security+: Get Certified Get Ahead: SY0-401 Study Guide

Answer B is incorrect. Port address translation (PAT or sometimes called network address and port translation) is used for outgoing traffic. For example, this shows the path when an internal system accesses a web server on the Internet.

Internal system with private IP —> Firewall with PAT —> Internet web server with a public IP

Internal systems have an internal IP address assigned. When they access an Internet system, NAT on the firewall translates the private source IP address to the public IP address of the firewall. It also keeps a record of the original source port. The traffic is sent to the public web server. The web server replies sending the traffic back to the firewall. When the traffic returns, the firewall translates the destination IP address from the web server to the private IP address of the original system.

Realistic practice test questions for the Security+ exam.
Available through Learnzapp on your mobile phone
Apps for Your Mobile Devices
Are you looking for an app that includes quality practice test questions and flashcards? Learnzapp has published several including apps on A+, Network+, and Security+. Some of the features include:
  • Extremely easy to navigate.
  • Excellent performance and stability.
  • Fluid user interface with colorful tiles design.
  • Available for most mobile smartphones and tablets.
  • Versions are available for Apple iOS 7, Android 4.X, and Amazon Kindle Fire.

See the Security+ app in action in this short video:

https://www.youtube.com/watch?v=xhbvBcXEvYA

See the Network+ app in action in this short video:

https://www.youtube.com/watch?v=MVy0eKZkp2I

See the A+ app in action in this short video:

https://www.youtube.com/watch?v=Yrkf-piY0EA

C and D are incorrect. While web servers use Hypertext Transfer Protocol (HTTP) and HTTP Secure (HTTPS), you don’t configure these on a firewall. It is possible to open port 80 to allow HTTP traffic and open port 443 to allow HTTPS traffic. However, opening ports does not change the destination IP address.

When working with firewalls (and preparing for the Security+ exam), it’s useful to know many of the commonly used well-known ports.

Security+ Full Access Package
Get Certified Get Ahead Security+

Pass the First Time!

Up-to-date Content

New multiple-choice and performance-based questions added regularly

Pass the first time with quality practice test questions, performance-based questions, flashcards, and audio.

Buy The Full Access Study Package Today

60 Days Access

Need more time? You can easily renew for another 60 days at a significantly reduced price.

All materials are available online shortly after making your payment.

Get the Security+ Full Access Study Package Here

Our online Security+ study materials are the perfect complement to the CompTIA Security+: Get Certified Get Ahead: SY0-601 Study Guide. They can also be used to help ensure you’re ready no matter what study guide you’re using.

This exam is expensive.

Make sure you’re ready before exam day. 

Here’s what you’ll get:
  • All of the multiple-choice questions from the best-selling CompTIA Security+: Get Certified Get Ahead: SY0-601 Study Guide. See a demo here. All questions have full explanations so you’ll know why the correct answers are correct and why the incorrect answers are incorrect.
  • Realistic SY0-601 Security+ Practice Test Questions
  • Performance-based questions.
  • All of the flashcards from the study guide. View them in any Web browser. See demo here
  • All of the audio from the study guide.
  • Access to a free discount code for 10% off your Security+ voucher.

Buy The Full Access Study Package Today

60 Days Access

All materials are available online shortly after making your payment.

Get the Security+ Full Access Study Package Here

DNAT and Security+ Summary

DNAT is another name for port forwarding. It changes the destination address and port based on the destination port for incoming traffic. Knowing what DNAT is can help you with the Security+ exam.

Other Security+ Study Resources

Security+ (SY0-601) Practice Test Questions

SY0-601 Practice Test Questions 

Over 385 realistic Security+ practice test questions

At least 10 performance-based questions

All questions include explanations so you’ll know why the correct answers are correct,

and why the incorrect answers are incorrect.

Upgrade Your Resume with the Security+ New Version

Multiple quiz formats to let you use these questions based on the way you learn.
  • Learn mode – randomized. View each of the questions in random order. Learn mode allows you to keep selecting answers until you select the correct answer. Once you select the correct answer, you’ll see the explanation. Click here to see how learn mode works.
  • Test mode – randomized. View each of the questions in random order. In test mode, you can only see the correct answers and explanations after you complete the test. Click here to see how test mode works.
  • Test mode – 75 random questions. View 75 random questions from the full test bank similar to how the Security+ exam has a potential maximum of 75 multiple choice questions.

Pass the First Time You Take It

Get the full bank of SY0-601 Practice Test Questions Here

Click here if you’re looking for SY0-501 Online Study Package

Security+ Full Access Package
Get Certified Get Ahead Security+

Pass the First Time!

Up-to-date Content

New multiple-choice and performance-based questions added regularly

Pass the first time with quality practice test questions, performance-based questions, flashcards, and audio.

Buy The Full Access Study Package Today

60 Days Access

Need more time? You can easily renew for another 60 days at a significantly reduced price.

All materials are available online shortly after making your payment.

Get the Security+ Full Access Study Package Here

Our online Security+ study materials are the perfect complement to the CompTIA Security+: Get Certified Get Ahead: SY0-501 Study Guide. They can also be used to help ensure you’re ready no matter what study guide you’re using.

This exam is expensive.

Make sure you’re ready before exam day. 

Here’s what you’ll get:
  • All of the multiple-choice questions from the best-selling CompTIA Security+: Get Certified Get Ahead: SY0-501 Study Guide. See a demo here. All questions have full explanations so you’ll know why the correct answers are correct and why the incorrect answers are incorrect.
  • Over 40 new multiple-choice questions we’ve added after publishing the study guide.
  • Over 30 performance-based questions. See a demo here.
  • All of the flashcards from the study guide. View them in any Web browser.
  • All of the audio from the study guide. Listen to a sample here.
  • Access to a free discount code for 10% off your Security+ voucher.

Buy The Full Access Study Package Today

60 Days Access

All materials are available online shortly after making your payment.

Get the Security+ Full Access Study Package Here

Free No Risk Discount CompTIA Voucher Code

Discount CompTIA Vouchers

Are you ready to take your CompTIA certification exam? If so, get a free discount code here. No risk. Use the code at CompTIAs site and get a discount that is often better than sellers of discount vouchers.

4 thoughts on “DNAT and Security+

  1. Dear Darril,

    Just a public note of thanks for your great guidebook: COMPTIA Securitty+ Study Guide. Using your guide as part of my study program, I achieved a score today of 853 out of 900. There were no performance based questions, but it was challenging. I used the technique of doing a first pass, and flagging questions I was not 100% sure on, then I continued making multiple passes on the review questions until I felt confident.

    I was wondering if you could do a blog-posts on:

    a. What the CompTIA continuing education option is as opposed to the take the test every three years options is, and what are some continuing education options. I agree a lifetime certification in a area that changes by the day made no sense.

    b. What would you recommend for someone with 25+ years experience in the technology industry with solid overall knowledge and having specialized in small to mid-size business who wants to move up the latter for a next certification, or a general certification path. I want to specialize in security. SANS looks to have some great products too.

    Your book made a difference, and allowed be to ace the test on my first try with a few months study.

    THANKS!

    Chris

  3. Thanks. However, this appears to contradict the Dynamic NAT definition on page 166 of your Get Certified – Security+ book. Did I miss something or is this an error in the book?

    1. Hi Nathan,

      The key is that dynamic NAT and destination NAT (DNAT) are two separate terms. Page 166 of the CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide describes dynamic NAT and this blog is discussing destination NAT.

      This page provides definitions of each if you’re interested: http://en.wikipedia.org/wiki/Network_address_translation

      DNAT: http://en.wikipedia.org/wiki/Network_address_translation#Destination_network_address_translation_.28DNAT.29

      Dynamic NAT: http://en.wikipedia.org/wiki/Network_address_translation#Dynamic_network_address_translation

      HTH,

      Darril

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

CompTIA Security+ Get Certified Get Ahead: SY0-501 Study Guide

Subscribe To Our Newsletter

Join our mailing list and get a free excerpt of the CompTIA Security+: Get Certified Get Ahead: SY0-501 Study Guide.  This excerpt includes the introduction and Chapter 1. 

You have Successfully Subscribed!