DNAT and Security+
If you take the Security+ exam, you may come across the acronym DNAT so it’s important to understand how DNAT and Security+ are related. DNAT is short for destination network address translation and provides port forwarding for incoming traffic.
As an example, here’s a practice test question that tests your knowledge of this information.
DNAT and Security+ Practice Test Question
Q. You need to ensure that all Internet traffic coming into a firewall using port 8080 is sent to an internal web server. What would you configure on the firewall?
DNAT and Security+ Practice Test Question Answer
Correct Answer: A. Since you know that this blog is about DNAT, you probably answered this question correctly. When enabled on the firewall for this scenario, port 8080 would be mapped to the IP address of the internal web server. Or said another way, by enabling port forwarding on the firewall, you can redirect traffic with a destination port of 8080 to the IP address of the internal web server. Traffic follows this path:
Internet —> Firewall —> Internal web server
Assume for a moment that Joe has an internal network at his home. It has a firewall performing traditional network address translation (NAT) between public IP addresses on the Internet, and private IP addresses on his internal network. Within his internal network, Joe has created a web server with a private IP address of 192.168.1.100. Joe wants to be able to access this web server while he’s away from home.
He can configure port forwarding (DNAT) on the firewall to map incoming traffic on port 8080 to 192.168.1.100 port 80. As long as he knows the public IP address of his router, he can connect to his internal web server on port 8080 with a standard web browser. For example, if his router were assigned a public IP address of 220.127.116.11, he could enter this in a web browser while away from home: 18.104.22.168:8080
When the traffic hits the firewall, DNAT rewrites the destination IP address and port to 192.168.1.100 and port 80, and the packet is forwarded to the web server.
Answer B is incorrect. Port address translation (PAT, also called network address and port translation) is used for outgoing traffic. For example, this is the path when an internal system accesses a web server on the Internet:
Internal system with private IP —> Firewall with PAT —> Internet web server with a public IP
Internal systems are assigned private IP addresses. When one of them accesses an Internet system, NAT on the firewall translates the private source IP address to the public IP address of the firewall and keeps a record of the original source port so it can match the reply. The traffic is sent to the public web server, and the web server replies to the firewall. When the reply arrives, the firewall translates the destination IP address back to the private IP address of the original system.
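To make the two directions concrete, here is a small model of the firewall described above: inbound DNAT (port forwarding) and outbound PAT with a record of the original source port. This is an added example, not code from the original post; it reuses the post's addresses (220.127.116.11, 192.168.1.100, ports 8080 and 80), and 192.168.1.50, 198.51.100.9 and 203.0.113.80 in the comments and tests are constructed sample hosts.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatFirewall:
    """Toy model of the firewall in the post: DNAT for inbound, PAT for outbound."""

    def __init__(self, public_ip, first_pat_port=40000):
        self.public_ip = public_ip
        self.dnat_rules = {}   # public dst port -> (internal ip, internal port)
        self.pat_table = {}    # firewall src port -> (private ip, private port)
        self.next_port = first_pat_port

    def add_port_forward(self, public_port, internal_ip, internal_port):
        # DNAT rule: traffic arriving on public_port goes to internal_ip:internal_port
        self.dnat_rules[public_port] = (internal_ip, internal_port)

    def outbound(self, pkt):
        """Internal -> Internet: PAT swaps the private source IP for the public IP
        and records which private host/port the allocated firewall port stands for."""
        key = (pkt.src_ip, pkt.src_port)
        ext_port = next((p for p, v in self.pat_table.items() if v == key), None)
        if ext_port is None:            # new connection: allocate a fresh port
            ext_port = self.next_port
            self.next_port += 1
            self.pat_table[ext_port] = key
        return replace(pkt, src_ip=self.public_ip, src_port=ext_port)

    def inbound(self, pkt):
        """Internet -> firewall. Returns the rewritten packet, or None if dropped."""
        if pkt.dst_ip != self.public_ip:
            return None
        if pkt.dst_port in self.dnat_rules:          # port forwarding (DNAT)
            ip, port = self.dnat_rules[pkt.dst_port]
            return replace(pkt, dst_ip=ip, dst_port=port)
        if pkt.dst_port in self.pat_table:           # reply to an outbound flow
            ip, port = self.pat_table[pkt.dst_port]
            return replace(pkt, dst_ip=ip, dst_port=port)
        return None   # unsolicited inbound traffic with no mapping is dropped


def joes_firewall():
    """Joe's setup from the post: public IP 220.127.116.11, 8080 -> 192.168.1.100:80."""
    fw = NatFirewall("220.127.116.11")
    fw.add_port_forward(8080, "192.168.1.100", 80)
    return fw
```

Note that a packet to port 80 on the public IP is dropped, because only 8080 has a DNAT rule; on a Linux firewall the equivalent rule is `iptables -t nat -A PREROUTING -p tcp --dport 8080 -j DNAT --to-destination 192.168.1.100:80`.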
Answers C and D are incorrect. While web servers use Hypertext Transfer Protocol (HTTP) and HTTP Secure (HTTPS), you don't configure these protocols on a firewall. It is possible to open port 80 to allow HTTP traffic and port 443 to allow HTTPS traffic. However, opening a port only permits the traffic through; it does not change the destination IP address.
When working with firewalls (and preparing for the Security+ exam), it’s useful to know many of the commonly used well-known ports.
DNAT and Security+ Summary
DNAT is another name for port forwarding. It changes the destination address and port based on the destination port for incoming traffic. Knowing what DNAT is can help you with the Security+ exam.