Tag Archives: NAT

Cisco Router: Disable DNS Rewrite ALG for Static NATs

Cisco Systems, Memorandum, NAT, , ,

I am using a Cisco router for my basic ISP connection with a NAT/PAT configuration that translates all client connections to the IPv4 address of the outside interface of the router. Furthermore,  I am translating all my static public IPv4 addresses to private ones through static NAT entries. I basically thought, that only the IPv4 addresses in the mere IPv4 packet header would be translated. However, this was not true since I immediately discovered that public DNS addresses are translated to my private IPv4 addresses, too. This was a bit confusing since I have not explicitly configured an application layer gateway (ALG) on that router.

“Google is my friend” and helped me one more time to find out the appropriate solution: The “no ip nat service alg udp dns” keyword to disable the DNS rewrite. (The synonym from Cisco for DNS rewrite is: DNS doctoring.) Here comes a basic example:

Continue reading Cisco Router: Disable DNS Rewrite ALG for Static NATs

Policy-Based Routing (PBR) on a Juniper ScreenOS Firewall

Juniper Networks, Routing, Tutorial/Howto, , , , , ,

Here comes an example on how to configure policy-based routing (PBR) on a Juniper ScreenOS firewall. The requirement at the customers site was to forward all http and https connections through a cheap but fast DSL Internet connection while the business relevant applications (mail, VoIP, ftp, …) should rely on the reliable ISP connection with static IPv4 addresses. I am showing the five relevant menus to configure PBR on the ScreenOS GUI.

[UPDATE] I later on wrote an article with policy-based routing with two different virtual routers. See it here.[/UPDATE]

Continue reading Policy-Based Routing (PBR) on a Juniper ScreenOS Firewall

Policy Based Forwarding (PBF) on a Palo Alto Firewall

Palo Alto Networks, Routing, Tutorial/Howto, , , , , ,

This is a small example of how to configure policy based forwarding (PBF) on a Palo Alto Networks firewall. The use case was to route all user generated http and https traffic through a cheap ADSL connection while all other business traffic is routed as normal through the better SDSL connection. Since I ran into two problems with this simple scenario, I am showing the solutions here.

[UPDATE] I also wrote an article about policy based forwarding with two different virtual routers on the Palo Alto firewall. See it here.[/UPDATE]

Continue reading Policy Based Forwarding (PBF) on a Palo Alto Firewall

Why NAT has nothing to do with Security!

Design/Policy, NAT, Privacy, Security, , ,

During my job I am frequently discussing with people why they use NAT or why they believe that NAT adds any security to their networks, mainly some obscurity as NAT (PAT) hides the internal network structure. However, NAT does not add any real security to a network while it breaks almost any good concepts of a structured network design. To emphasize this thesis, here is a discussion:

Continue reading Why NAT has nothing to do with Security!