Module 7 NAT Policies Flashcards
What are the two NAT types?
Source and Destination NAT.
What is Source NAT?
Allows private (internal) users to access the public internet.
What is Destination NAT?
Gives hosts on the public external network access to private, internal servers.
Is NAT directional?
Yes, the forms are directional and are described from the perspective of the NAT device.
What is source NAT?
NAT that translates outbound traffic from the private network to the internet.
Are private and extranet in the same NAT zone?
Yes, both exist within the private network.
What is the difference between static, dynamic, and dynamic IP and port (DIPP) NAT?
Static is a 1-to-1 translation with the source port unchanged. Dynamic does not translate the port number; it is a 1-to-1 translation to the next available address in the range. DIPP allows multiple clients to share the same IP address with different source ports.
For NAT, what can you specify besides an IP address to be translated?
IP address, a range of IP addresses, a subnet, or a combination.
What if the egress interface has a dynamically assigned IP address that always changes?
You can specify the interface in the DIPP rule; this ensures the NAT policy updates automatically.
What is the flow logic with NAT?
The Security policy rule is enforced after the NAT policy rule is evaluated, but before NAT translation is applied.
What is the first thing to do when configuring NAT?
Create a NAT policy rule
What is important to remember when creating a NAT policy rule?
Use the fields in the Original Packet tab to define the match criteria: pre-NAT IPs, zones, etc.
How does a NAT policy rule match packets?
A NAT policy rule matches the packet based on the original pre-NAT source and destination address and the pre-NAT destination zone.
What are the problems with dynamic NAT?
The translated pool can be exhausted if the number of internal hosts concurrently creating outbound sessions exceeds the number of IP addresses in the pool.
What can help with Dynamic IP NAT exhaustion?
Setting the Advanced (Dynamic IP/Port Fallback) button, which uses DIPP if the dynamic IP pool runs out.
When would DIPP be used?
When you have one or more public IP addresses from the ISP but not enough public IPs to allocate one address to each internal host.
What is DIPP Oversubscription?
Allows the reuse of port numbers by using destination IP addresses as an additional NAT session identifier. The source port is the same, but the destination address is used as another session identifier.
When would you use Destination NAT?
Destination NAT is used when you as a user want to reach a private server inside the network.
What are the differences and similarities between source and destination static NAT?
Both are 1-to-1 fixed translations; destination NAT changes the destination IP address. Destination NAT also leaves the destination port unchanged, whereas static source NAT leaves the source port unchanged.
What must be added when configuring a Security Policy Rule post NAT rule?
Source, Destination, Application and Action
Explain the flow logic again.
The NAT policy is evaluated, then the Security Policy, and then NAT translation occurs.
How does Dynamic IP address work for destination NAT?
The translated address can be an FQDN, an address object, or an address group that uses an FQDN. If the DHCP server assigns a new address to the host, you will not have to update the FQDN.
What should you do when you create a NAT policy rule?
Use the original packet characteristics.
Which zones should you use when creating a NAT policy?
Use pre-NAT zones!
What are the two destination NAT types?
Port forwarding and Static IP
What is destination NAT port forwarding?
Translation based on destination port numbers: you have multiple servers (email, web hosting, etc.). All servers configured in the server-trust zone appear to have the same IP address but different port numbers.
What is bi-directional source NAT?
Only available with static NAT; used when your public-facing servers must be able to both send and receive packets.