Filter Internet NAT Redirection

on 18.10.2006 18:18:17 by Nancy Pi Squared

My Cisco router has an option to:
Filter Internet NAT Redirection

The router help says only:
"This feature uses Port Forwarding to prevent access to local servers
from your local networked computers."

Can you explain to me if we should have this option turned on?
It is turned off by default.

Is this option designed to prevent me from connecting to my own
computers - or is this option designed to prevent outsiders from
connecting to my computers (perhaps via a compromised system)???

Nancy

Re: Filter Internet NAT Redirection

on 19.10.2006 03:23:59 by flamer

Nancy Pi Squared wrote:

> My Cisco router has an option to:
> Filter Internet NAT Redirection
>
> The router help says only:
> "This feature uses Port Forwarding to prevent access to local servers
> from your local networked computers."
>
> Can you explain to me if we should have this option turned on?
> It is turned off by default.
>
> Is this option designed to prevent me from connecting to my own
> computers - or is this option designed to prevent outsiders from
> connecting to my computers (perhaps via a compromised system)???
>
> Nancy

Hi Nancy, how's it?

If you turn this off, it will allow you to access the server on your
local network using the Outside (Internet) IP address.

If you turn it on, it will block access to the server using the Outside
IP, but still allow by using the Internal (LAN) IP.

Flamer.

Re: Filter Internet NAT Redirection

on 19.10.2006 21:40:34 by NETADMIN

Hi,

It will deny outside intruders access to servers (DMZ, LAN).


CK



Nancy Pi Squared wrote:
> My Cisco router has an option to:
> Filter Internet NAT Redirection
>
> The router help says only:
> "This feature uses Port Forwarding to prevent access to local servers
> from your local networked computers."
>
> Can you explain to me if we should have this option turned on?
> It is turned off by default.
>
> Is this option designed to prevent me from connecting to my own
> computers - or is this option designed to prevent outsiders from
> connecting to my computers (perhaps via a compromised system)???
>
> Nancy

Re: Filter Internet NAT Redirection

on 19.10.2006 21:56:10 by kingthorin

Is the help "blurb" just poorly worded? To me it implies that it
prevents traffic between local systems (not outside>in but in>in).


NETADMIN wrote:
> Hi,
>
> It will deny outside intruders access to servers (DMZ, LAN).
>
>
> CK
>
>
>
> Nancy Pi Squared wrote:
> > My Cisco router has an option to:
> > Filter Internet NAT Redirection
> >
> > The router help says only:
> > "This feature uses Port Forwarding to prevent access to local servers
> > from your local networked computers."
> >
> > Can you explain to me if we should have this option turned on?
> > It is turned off by default.
> >
> > Is this option designed to prevent me from connecting to my own
> > computers - or is this option designed to prevent outsiders from
> > connecting to my computers (perhaps via a compromised system)???
> >
> > Nancy

Re: Filter Internet NAT Redirection

on 19.10.2006 23:20:05 by Nancy Pi Squared

On 19 Oct 2006 12:56:10 -0700, kingthorin@gmail.com wrote:

>Is the help "blurb" just poorly worded? To me it implies that it
>prevents traffic between local systems (not outside>in but in>in).

On 19 Oct 2006 12:40:34 -0700, NETADMIN wrote:
> It will deny outside intruders access to servers (DMZ, LAN).
>> The router help says only:
>> "This feature uses Port Forwarding to prevent access to local servers
>> from your local networked computers."

The help message seems to say otherwise but I do not really understand
these things which is why I asked.

The help seems to say:
From LOCAL computers to LOCAL servers.

Everything being LOCAL, the distinction between a "local computer" and
a "local server" is beyond me.

Nancy

Re: Filter Internet NAT Redirection

on 19.10.2006 23:32:16 by roberson

In article <7tqfj2hq3h94ke7a597tundfufl7976ea7@4ax.com>,
Nancy Pi Squared wrote:

>The help seems to say:
> From LOCAL computers to LOCAL servers.

>Everything being LOCAL, the distinction between a "local computer" and
>a "local server" is beyond me.

Flamer's response was correct.

If your local systems send packets to the -public- (external) IP
and port of your internal servers, then if the filtering is turned
on then the device will deny those packets; when the filtering is
turned off, the device will re-address those packets and send them
back inwards. In this situation, the source of the connection is local
and the destination ends up being the local server, but the address
used by the local computer was the outside address instead of the
inside address.

Allowing this kind of traffic to go through messes up the security
device's ideas of "source" and "destination" (especially for UDP),
so it cannot be done at the same security level as would be the
case if the source and ultimate destination were on different
interfaces of the security device.

Re: Filter Internet NAT Redirection

on 19.10.2006 23:45:13 by Nancy Pi Squared

On Thu, 19 Oct 2006 21:32:16 GMT, roberson@hushmail.com (Walter
Roberson) wrote:
>>Everything being LOCAL, the distinction between a "local computer" and
>>a "local server" is beyond me.
>
>Flamer's response was correct.

Flamer said
If you turn this off, it will allow you to access the server on your
local network using the Outside (Internet) IP address.

If you turn it on, it will block access to the server using the
Outside IP, but still allow by using the Internal (LAN) IP.

All I have is a computer, a router, and a modem.

Which of these three is the "server?"

Nancy

Re: Filter Internet NAT Redirection

on 20.10.2006 00:03:13 by roberson

In article ,
Nancy Pi Squared wrote:

>Flamer said
>If you turn this off, it will allow you to access the server on your
>local network using the Outside (Internet) IP address.

>If you turn it on, it will block access to the server using the
>Outside IP, but still allow by using the Internal (LAN) IP.

>All I have is a computer, a router, and a modem.

>Which of these three is the "server?"

The computer is.

If you had the filter turned off, then you could use the computer
to place a request to the public (external) IP address of the
computer, and the router would calmly forward it back to the computer.

With the filter turned on, then if you tried to use the computer
to place a request to the public (external) IP address of the
computer, the router would block the packets.

For example, you might be running a web server on your computer,
even if it happens to be a PC. And if it does happen to be a Windows PC,
then chances are that it is acting as a "server" for a number
of different services, like file sharing (NETBIOS), or pop-up messaging
spam. Every networked computer is potentially a server.

Anyhow, if you go back to the help blurb, it talks about your "servers".
If you don't happen to have any servers, then the feature will
control access to all zero of them. The services provided by any
particular feature of your router might be vacuously provided, doing
nothing useful for you until you drop a new device into the network
that does happen to use the network that way. (But as noted above,
your one computer probably -is- a server of -something- -- most computers
are servers by default.)

Re: Filter Internet NAT Redirection

on 20.10.2006 00:36:34 by Nancy Pi Squared

On Thu, 19 Oct 2006, roberson@hushmail.com (Walter Roberson) scribed:

> Every networked computer is potentially a server.

Say I have a single computer, router, and modem.

Say my one computer has an ip address of 192.168.0.1
But my computer/router/modem ip address is 66.249.65.231

Say my computer is acting as a "server" for something.
Say that something is it's acting as an FTP server.

Say the router is not filtering NAT redirection.

Are you telling me that I can sit at my computer (server) at
192.168.0.1 to ftp 66.249.65.231 and that ftp request will go to the
router, to the modem, to the isp domain name server, and then loop
back to the modem, to the router, and finally back to the one computer
on my network that the router knows is at 66.249.65.231?

Then I turn on the router option to filter NAT redirection.

I sit at my computer (server) at 192.168.0.1 to ftp 66.249.65.231 and
that ftp request will go to the router, to the modem, to the isp
domain name server, and then loop back to the modem, to the router,
and stop there never making it back to the computer only the router
knows is at 66.249.65.231?

Correct yet?

Nancy

Re: Filter Internet NAT Redirection

on 20.10.2006 02:48:45 by roberson

In article ,
Nancy Pi Squared wrote:

>Say I have a single computer, router, and modem.

I'll take it that you mean something like "DSL modem" rather than
acoustic modem.

>Say my one computer has an ip address of 192.168.0.1
>But my computer/router/modem ip address is 66.249.65.231

>Say my computer is acting as a "server" for something.
>Say that something is it's acting as an FTP server.

>Say the router is not filtering NAT redirection.

>Are you telling me that I can sit at my computer (server) at
>192.168.0.1 to ftp 66.249.65.231 and that ftp request will go to the
>router, to the modem, to the isp domain name server, and then loop
>back to the modem, to the router, and finally back to the one computer
>on my network that the router knows is at 66.249.65.231?

The router itself knows that its IP address is 66.249.65.231, so
the ftp request would go out from your computer to the router, which
would see that the destination was the same as the public IP of
the router, and so would rewrite the packet to be addressed to
192.168.0.1 and would send it back to the computer.

The ADSL modem and ISP DNS server would only be involved if you
were to ask for the resource by hostname and your computer's DNS
client asked the ISP DNS server to resolve the name and got told
your public IP address. The DNS request would go out via the ADSL
link to some server and come back again, but once the IP address of
the destination was known to your local computer, it would place
the ftp request by IP address, and your local router would
short-circuit the run.


>Then I turn on the router option to filter NAT redirection.

>I sit at my computer (server) at 192.168.0.1 to ftp 66.249.65.231 and
>that ftp request will go to the router, to the modem, to the isp
>domain name server, and then loop back to the modem, to the router,
>and stop there never making it back to the computer only the router
>knows is at 66.249.65.231?

>Correct yet?

No, if the filtering was on, then when the outgoing request reached
your router, your router would see that the public IP of the
destination was one handled by the router, and the router would deny
the request without allowing it out to the ISP.
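
The router decision described in the replies above, modeled as an added example (not part of any post and not Cisco's implementation). It uses the thread's addresses 192.168.0.1 and 66.249.65.231; the FTP forwarding rule, the /24 LAN range, the action names and the outside test addresses are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

WAN_IP = ip_address("66.249.65.231")      # router's public address (from the thread)
LAN = ip_network("192.168.0.0/24")        # assumed LAN range around 192.168.0.1
# Assumed port-forwarding table: public FTP (TCP 21) goes to the one computer.
PORT_FORWARDS = {("tcp", 21): ip_address("192.168.0.1")}

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int

def route(pkt, filter_nat_redirection):
    """Return (action, src, dst) for the packet as the modeled router handles it."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    # Forwarding target, if the packet is aimed at a forwarded public port.
    target = PORT_FORWARDS.get((pkt.proto, pkt.dport)) if dst == WAN_IP else None

    if src not in LAN:
        # Arrived from the Internet: ordinary port forwarding. The help text
        # limits the option to "local networked computers", so the model
        # leaves this path unaffected by the filter (assumption).
        if target is None:
            return ("drop", str(src), str(dst))
        return ("forward-in", str(src), str(target))

    if dst in LAN:
        # Server reached by its internal address: never touches NAT.
        return ("local", str(src), str(dst))

    if dst == WAN_IP:
        # Local client using the public address of a local server.
        if filter_nat_redirection or target is None:
            return ("drop", str(src), str(dst))
        # Filter off: re-address the packet and send it back inwards.
        # Nothing leaves towards the modem or ISP.
        return ("hairpin", str(src), str(target))

    # Any other destination: normal outbound NAT behind the public address.
    return ("forward-out", str(WAN_IP), str(dst))

if __name__ == "__main__":
    ftp_to_self = Packet("192.168.0.1", "66.249.65.231", "tcp", 21)
    for flag in (False, True):
        print("filter on" if flag else "filter off", route(ftp_to_self, flag))
```
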