DNAT and Security+
If you take the Security+ exam, you may come across the acronym DNAT, so it’s important to understand how DNAT and Security+ are related. DNAT is short for destination network address translation and provides port forwarding for incoming traffic.
As an example, here’s a practice test question that tests your knowledge of this information.
DNAT and Security+ Practice Test Question
Q. You need to ensure that all Internet traffic coming into a firewall using port 8080 is sent to an internal web server. What would you configure on the firewall?
A. DNAT
B. PAT
C. HTTP
D. HTTPS
DNAT and Security+ Practice Test Question Answer
Correct Answer: A. Since you know that this blog is about DNAT, you probably answered this question correctly. When enabled on the firewall for this scenario, port 8080 would be mapped to the IP address of the internal web server. Or said another way, by enabling port forwarding on the firewall, you can redirect traffic with a destination port of 8080 to the IP address of the internal web server. Traffic follows this path:
Internet —> Firewall —> Internal web server
Assume for a moment that Joe has an internal network at his home. It has a firewall performing traditional network address translation (NAT) between public IP addresses on the Internet, and private IP addresses on his internal network. Within his internal network, Joe has created a web server with a private IP address of 192.168.1.100. Joe wants to be able to access this web server while he’s away from home.
He can configure port forwarding (or DNAT) on the firewall mapping port 8080 traffic to 192.168.1.100 port 80. As long as he knows the public IP address of his router, he can connect to his internal web server using port 8080 with a standard web browser. For example, if his router was assigned a public IP address of 70.160.136.150, he could plug this into a web browser while away from home: 70.160.136.150:8080
When the traffic hits the firewall, DNAT changes the destination IP address and port to 192.168.1.100 and port 80, and the packet is forwarded to the web server.
Answer B is incorrect. Port address translation (PAT, sometimes called network address and port translation) is used for outgoing traffic. For example, this shows the path when an internal system accesses a web server on the Internet.
Internal system with private IP —> Firewall with PAT —> Internet web server with a public IP
Internal systems have an internal IP address assigned. When they access an Internet system, NAT on the firewall translates the private source IP address to the public IP address of the firewall. It also keeps a record of the original source port. The traffic is sent to the public web server, and the web server replies by sending traffic back to the firewall. When the traffic returns, the firewall translates the destination IP address of the reply from its own public IP address to the private IP address of the original system.
C and D are incorrect. While web servers use Hypertext Transfer Protocol (HTTP) and HTTP Secure (HTTPS), you don’t configure these on a firewall. It is possible to open port 80 to allow HTTP traffic and open port 443 to allow HTTPS traffic. However, opening ports does not change the destination IP address.
When working with firewalls (and preparing for the Security+ exam), it’s useful to know many of the commonly used well-known ports.
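The two translation paths described above (DNAT for Joe's inbound request, PAT for an outgoing connection) can be traced with a small model. This is an added example, not code from the original post: the `Packet` and `Firewall` classes, the client address 203.0.113.7, and the PAT port range starting at 50000 are assumptions made for illustration.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class Firewall:
    """Toy model of a NAT firewall: DNAT for inbound, PAT for outbound."""
    def __init__(self, public_ip, first_pat_port=50000):
        self.public_ip = public_ip
        self.dnat_rules = {}   # public dst port -> (internal IP, internal port)
        self.dnat_flows = {}   # (client, client port, server, server port) -> public port
        self.pat_out = {}      # (internal IP, internal port) -> public src port
        self.pat_in = {}       # public src port -> (internal IP, internal port)
        self.next_port = first_pat_port

    def add_dnat(self, public_port, internal_ip, internal_port):
        self.dnat_rules[public_port] = (internal_ip, internal_port)

    def inbound(self, pkt):
        """Translate a packet arriving from the Internet; None means dropped."""
        if pkt.dst_port in self.pat_in:          # reply to an outgoing PAT flow
            ip, port = self.pat_in[pkt.dst_port]
            return replace(pkt, dst_ip=ip, dst_port=port)
        rule = self.dnat_rules.get(pkt.dst_port)
        if rule is None:                         # no forwarding rule for this port
            return None
        self.dnat_flows[(pkt.src_ip, pkt.src_port, *rule)] = pkt.dst_port
        return replace(pkt, dst_ip=rule[0], dst_port=rule[1])

    def outbound(self, pkt):
        # Translate a packet leaving the internal network.
        flow = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if flow in self.dnat_flows:              # reply from the forwarded server
            return replace(pkt, src_ip=self.public_ip, src_port=self.dnat_flows[flow])
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.pat_out:              # new outgoing flow: allocate a port
            self.pat_out[key] = self.next_port
            self.pat_in[self.next_port] = key
            self.next_port += 1
        return replace(pkt, src_ip=self.public_ip, src_port=self.pat_out[key])

def joe_scenario():
    fw = Firewall("70.160.136.150")
    fw.add_dnat(8080, "192.168.1.100", 80)       # the page's port-forwarding rule
    # Constructed request: a browser at 203.0.113.7 opens 70.160.136.150:8080
    forwarded = fw.inbound(Packet("203.0.113.7", 40000, "70.160.136.150", 8080))
    reply = fw.outbound(Packet("192.168.1.100", 80, "203.0.113.7", 40000))
    return fw, forwarded, reply
```

The rule matches on destination port only, so any Internet host that reaches 70.160.136.150:8080 is forwarded to the internal web server, while traffic to a port with no rule and no PAT state is dropped.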
DNAT and Security+ Summary
DNAT is another name for port forwarding. It changes the destination address and port based on the destination port for incoming traffic. Knowing what DNAT is can help you with the Security+ exam.
Dear Darril,
Just a public note of thanks for your great guidebook: COMPTIA Security+ Study Guide. Using your guide as part of my study program, I achieved a score today of 853 out of 900. There were no performance based questions, but it was challenging. I used the technique of doing a first pass, and flagging questions I was not 100% sure on, then I continued making multiple passes on the review questions until I felt confident.
I was wondering if you could do blog posts on:
a. What the CompTIA continuing education option is as opposed to the take the test every three years option, and what are some continuing education options. I agree a lifetime certification in an area that changes by the day made no sense.
b. What would you recommend for someone with 25+ years experience in the technology industry with solid overall knowledge and having specialized in small to mid-size business who wants to move up the ladder for a next certification, or a general certification path. I want to specialize in security. SANS looks to have some great products too.
Your book made a difference, and allowed me to ace the test on my first try with a few months study.
THANKS!
Chris
Perfect – thanks!
Thanks. However, this appears to contradict the Dynamic NAT definition on page 166 of your Get Certified – Security+ book. Did I miss something or is this an error in the book?
Hi Nathan,
The key is that dynamic NAT and destination NAT (DNAT) are two separate terms. Page 166 of the CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide describes dynamic NAT and this blog is discussing destination NAT.
This page provides definitions of each if you’re interested: http://en.wikipedia.org/wiki/Network_address_translation
DNAT: http://en.wikipedia.org/wiki/Network_address_translation#Destination_network_address_translation_.28DNAT.29
Dynamic NAT: http://en.wikipedia.org/wiki/Network_address_translation#Dynamic_network_address_translation
HTH,
Darril