dynamic port NAT translation question....

Status
Not open for further replies.

shihlin

MIS
Dec 6, 2004
45
US
Hi, I have a question regarding NAT clients. I set up dynamic port translation for inside clients to access the Internet. On the inside network, I have set up a system for sniffing the network and nothing else. However, from my IDS I see that someone is trying to connect, using ICMP hard errors, to that system's management IP address. My question is how an outsider (public IP) can connect to a system that is being translated using dynamic port translation. Also, the system is not establishing any outside connections to the Internet at all.

Many thanks,

SL

 
Hello shihlin,
There are quite a few methods that can be used to bypass NAT, show extended NAT info, etc. Some of the more creative ways are with Java, JavaScript, ASP exploits and others. Is it possible the machine in question (or really any machine) could have visited a malicious site?

So, for example, malicious JavaScript runs as a user hits a site. Though that site initially sees your router's IP address (the NAT'd address), while the script runs it's almost like doing an 'ipconfig /all' from the command prompt right from that user's PC. The results then transmit the user's IP address (let's say 192.168.10.40) along with other info. Now, seeing the info, you can pretty much guess any 192.168.10.X address will be valid on your internal side.

There are quite a few tech articles on the web that refer to bypassing NAT, and what steps are involved, when it's needed (like with certain VPN configs) and when it's not good.

Hope this helps.
 