Nat – What all is classified as “Interesting traffic?”

aclnat;

So, recently I had read somewhere that when we write ACLs to permit local IP addresses to access those in an IP NAT pool, it's said that, "..when interesting traffic has been matched with the access list, it's pulled into the NAT process to be translated."

Now, my question is: how exactly does this pulling process work? When the ACL is detected, is it first checked with any other process that might use it (NAT for example), and then if it fails that check, only does it apply it to it's default traffic filtering function, or how does it work?

Also, what else comes under the category of "interesting traffic?"

Best Answer

Interesting traffic is literally the traffic you are interested in for a particular reason. In the case you describe, traffic that is permitted by the ACL is the interesting traffic.

When traffic is coming from an inside interface, destined for an outside interface, it is compared against the ACL to see if it should be translated before it is sent through the outside interface. Traffic that matches the ACL is what is interesting to the NAT process.

Related Solutions

Firewall NAT Issues – Preventing Access to Internal Resources via External NAT

This is a pretty common problem on a lot of stateful firewalls (SRXs and ScreenOS will do this as well).

The issue is that traffic from your wireless interface/zone will be routed out the Internet Zone/Interface, but not to the NAT.

On the SRX at least, you need to configure the NAT so that it is available on the wireless interface (as if it was another Internet-facing interface) and then the inbound traffic from your wireless interface will be destination NATted before the routing decision is made and then routed to the "LAN" interface.

I would be very surprised if Fortinet didn't require something similar.

Cisco ASA – Resolving NAT/ACL Issues Across EZVPN

Here's the solution after a lot of pounding my head against this problem: 1) Take out the nat statements at Location B since they interfere with the VPN tunnel:

nat (inside,outside) source static Location_B_Networks Location_B_Networks destination static Location_A_Networks Location_A_Networks no-proxy-arp route-lookup
nat (inside,outside) source static Location_B_Networks Location_B_Networks destination static Remote_DMZ Remote_DMZ no-proxy-arp route-lookup

2) Keep the DMZ statement in the split tunnel ACL:

access-list ezvpn_split extended permit tcp object-group DMZ_Servers object (location B)-remote_network

3) I had the access list entry switch around for no good reason. It was this:

access-list dmz_access_in extended permit tcp object (location B)-remote_network object-group DMZ_Servers eq https

when it should have been this:

access-list dmz_access_in extended permit tcp object-group DMZ_Servers object (location B)-remote_network eq https

Best Answer

Related Solutions

Firewall NAT Issues – Preventing Access to Internal Resources via External NAT

Cisco ASA – Resolving NAT/ACL Issues Across EZVPN

Related Topic