DNAT and Security+
If you take the Security+ exam, you may come across the acronym DNAT so it’s important to understand how DNAT and Security+ are related. DNAT is short for destination network address translation and provides port forwarding for incoming traffic.
As an example, here’s a practice test question that tests your knowledge of this information.
DNAT and Security+ Practice Test Question
Q. You need to ensure that all Internet traffic coming into a firewall using port 8080 is sent to an internal web server. What would you configure on the firewall?
DNAT and Security+ Practice Test Question Answer
Correct Answer: A. Since you know that this blog is about DNAT, you probably answered this question correctly. When enabled on the firewall for this scenario, port 8080 would be mapped to the IP address of the internal web server. Or said another way, by enabling port forwarding on the firewall, you can redirect traffic with a destination port of 8080 to the IP address of the internal web server. Traffic follows this path:
Internet —> Firewall —> Internal web server
Assume for a moment that Joe has an internal network at his home. It has a firewall performing traditional network address translation (NAT) between public IP addresses on the Internet, and private IP addresses on his internal network. Within his internal network, Joe has created a web server with a private IP address of 192.168.1.100. Joe wants to be able to access this web server while he’s away from home.
He can configure port forwarding (or DNAT) on the firewall mapping port 8080 traffic to 192.168.1.100 port 80. As long as he knows the public IP address of his router, he can connect to his internal web server using port 8080 with a standard web browser. For example, if his router was assigned a public IP address of 22.214.171.124, he could plug this into a web browser while away from home: 126.96.36.199:8080
When the traffic hits the firewall, DNAT changes the destination IP address and port to 192.168.1.100 and port 80, and the packet is routed on to the web server.
Answer B is incorrect. Port address translation (PAT, sometimes called network address and port translation) is used for outgoing traffic. For example, this shows the path when an internal system accesses a web server on the Internet.
Internal system with private IP —> Firewall with PAT —> Internet web server with a public IP
Internal systems have an internal IP address assigned. When they access an Internet system, NAT on the firewall translates the private source IP address to the public IP address of the firewall. It also keeps a record of the original source port. The traffic is sent to the public web server. The web server replies sending the traffic back to the firewall. When the traffic returns, the firewall translates the destination IP address from the web server to the private IP address of the original system.
C and D are incorrect. While web servers use Hypertext Transfer Protocol (HTTP) and HTTP Secure (HTTPS), you don’t configure these on a firewall. It is possible to open port 80 to allow HTTP traffic and open port 443 to allow HTTPS traffic. However, opening ports does not change the destination IP address.
When working with firewalls (and preparing for the Security+ exam), it’s useful to know many of the commonly used well-known ports.
DNAT and Security+ Summary
DNAT is another name for port forwarding. It changes the destination address and port based on the destination port for incoming traffic. Knowing what DNAT is can help you with the Security+ exam.
4 thoughts on “DNAT and Security+”
Just a public note of thanks for your great guidebook: CompTIA Security+ Study Guide. Using your guide as part of my study program, I achieved a score today of 853 out of 900. There were no performance based questions, but it was challenging. I used the technique of doing a first pass, and flagging questions I was not 100% sure on, then I continued making multiple passes on the review questions until I felt confident.
I was wondering if you could do blog posts on:
a. What the CompTIA continuing education option is, as opposed to the take-the-test-every-three-years option, and what some continuing education options are. I agree a lifetime certification in an area that changes by the day made no sense.
b. What would you recommend for someone with 25+ years experience in the technology industry with solid overall knowledge and having specialized in small to mid-size business who wants to move up the ladder for a next certification, or a general certification path. I want to specialize in security. SANS looks to have some great products too.
Your book made a difference, and allowed me to ace the test on my first try with a few months study.
Perfect – thanks!
Thanks. However, this appears to contradict the Dynamic NAT definition on page 166 of your Get Certified – Security+ book. Did I miss something or is this an error in the book?
The key is that dynamic NAT and destination NAT (DNAT) are two separate terms. Page 166 of the CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide describes dynamic NAT and this blog is discussing destination NAT.
This page provides definitions of each if you’re interested: http://en.wikipedia.org/wiki/Network_address_translation
Dynamic NAT: http://en.wikipedia.org/wiki/Network_address_translation#Dynamic_network_address_translation