You are the IT administrator for a small corporate network. One of your assignments is to manage several computers in the demilitarized zone (DMZ). However, your computer resides on the LAN network. To be able to manage these machines remotely, you have decided to configure your pfSense device to allow several remote control protocols to pass through the pfSense device using NAT port forwarding.
In this lab, your task is to create NAT forwarding rules to:
> Access the pfSense management console:
- Username: admin
- Password: P@ssw0rd (zero)
> Allow the RDP/TCP Protocols from the LAN network to the administrator's PC located in the DMZ using the following guidelines:
- IP address for the administrator's PC: 172.16.1.100
- Description: RDP from LAN to Admin
> Allow the SSH Protocol through the pfSense device to the Kali Linux server using the following guidelines:
- IP address for the Linux Kali server: 172.16.1.6
- Description: SSH from LAN to Kali
> Allow the RDP/TCP Protocols from the LAN network to the web server located in the DMZ using the following guidelines:
- Destination and redirect port: Port 5151
- IP address for the web server: 172.16.1.5
- Description: RDP from LAN to web server
Complete this lab as follows:
1. Sign into the pfSense management console.
a. In the Username field, enter admin.
b. In the Password field, enter P@ssw0rd (zero).
c. Select SIGN IN or press Enter.
2. Configure NAT port forwarding for the administrator's PC.
a. From the pfSense menu bar, select Firewall > NAT.
b. Select Add (either one).
c. Configure or verify the following settings:
- Interface: LAN
- Protocol: TCP
- Destination type: LAN address
- Destination port range (From and To): MS RDP
- Redirect target IP: 172.16.1.100
- Redirect target port: MS RDP
- Description: RDP from LAN to Admin
d. Select Save.
3. Configure NAT port forwarding for the Kali Linux server.
a. Select Add (either one).
b. Configure or verify the following settings:
- Interface: LAN
- Protocol: TCP
- Destination type: LAN address
- Destination port range (From and To): SSH
- Redirect target IP: 172.16.1.6
- Redirect target port: SSH
- Description: SSH from LAN to Kali
c. Select Save.
4. Configure NAT port forwarding for the web server.
a. Select Add (either one).
b. Configure or verify the following settings:
- Interface: LAN
- Protocol: TCP
- Destination type: LAN address
- Destination port range (From and To): Other
- Custom (From and To): 5151
- Redirect target IP: 172.16.1.5
- Redirect target port: Other
- Custom: 5151
- Description: RDP from LAN to web server
c. Select Save.
d. Select Apply Changes.
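Once the three forwards are saved, a practitioner will want to confirm that the running configuration matches what the lab asked for and that nothing redirects traffic to a host outside the DMZ. The script below is an added example, not part of the lab or of pfSense itself: it parses the <nat><rule> entries of an exported config.xml and diffs them against the expected set. The tag layout is my reading of what pfSense writes for Firewall > NAT > Port Forward entries and is stated as an assumption, the DMZ subnet 172.16.1.0/24 is inferred from the lab addresses, and the XML fragment is constructed.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed config.xml fragment holding the lab's three forwards. pfSense stores the
# numeric ports ("MS RDP" = 3389, "SSH" = 22); the exact tag layout is an assumption.
SAMPLE_CONFIG = """<pfsense><nat>
  <rule><interface>lan</interface><protocol>tcp</protocol>
    <destination><network>lanip</network><port>3389</port></destination>
    <target>172.16.1.100</target><local-port>3389</local-port>
    <descr>RDP from LAN to Admin</descr></rule>
  <rule><interface>lan</interface><protocol>tcp</protocol>
    <destination><network>lanip</network><port>22</port></destination>
    <target>172.16.1.6</target><local-port>22</local-port>
    <descr>SSH from LAN to Kali</descr></rule>
  <rule><interface>lan</interface><protocol>tcp</protocol>
    <destination><network>lanip</network><port>5151</port></destination>
    <target>172.16.1.5</target><local-port>5151</local-port>
    <descr>RDP from LAN to web server</descr></rule>
</nat></pfsense>"""

# The forwards the lab requires: (interface, protocol, dest port, target, target port, descr).
EXPECTED = {
    ("lan", "tcp", "3389", "172.16.1.100", "3389", "RDP from LAN to Admin"),
    ("lan", "tcp", "22", "172.16.1.6", "22", "SSH from LAN to Kali"),
    ("lan", "tcp", "5151", "172.16.1.5", "5151", "RDP from LAN to web server"),
}
DMZ = ipaddress.ip_network("172.16.1.0/24")  # assumed DMZ subnet, inferred from the lab


def parse_forwards(xml_text):
    """Return one tuple per <nat><rule>, shaped like the EXPECTED entries."""
    root = ET.fromstring(xml_text)
    return [
        (r.findtext("interface"), r.findtext("protocol"),
         r.findtext("destination/port"), r.findtext("target"),
         r.findtext("local-port"), r.findtext("descr"))
        for r in root.findall("./nat/rule")
    ]


def audit(xml_text):
    """Flag forwards that are missing, unapproved, or redirect outside the DMZ."""
    found = set(parse_forwards(xml_text))
    return {
        "missing": sorted(EXPECTED - found),
        "unexpected": sorted(found - EXPECTED),
        # Targets are assumed to be literal IPs (not pfSense aliases).
        "outside_dmz": sorted(r[3] for r in found
                              if r[3] and ipaddress.ip_address(r[3]) not in DMZ),
    }
```

Run audit() against a fresh export after Apply Changes; an empty report means the configuration matches the lab, while anything under "outside_dmz" is a forward into a network the lab never intended.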
What Is NAT?
How Does NAT Work?
Let’s say that there is a laptop connected to a home router. Someone uses the laptop to search for directions to their favorite restaurant. The laptop sends this request in a packet to the router, which passes it along to the web. But first, the router changes the outgoing IP address from a private local address to a public address.
If the packet kept its private address, the receiving server would not know where to send the reply: this is akin to mailing a letter, requesting a reply, and giving "anonymous" as the return address. With NAT, the reply reaches the laptop by way of the router's public address rather than the laptop's private one.
NAT Types
There are three types of NAT. They are used for different reasons, but all of them perform address translation.
1. Static NAT
Static NAT always translates a given local address to the same public address, so there is a consistent public IP address associated with that router or NAT device.
2. Dynamic NAT
Instead of using the same public address every time, dynamic NAT draws from a pool of public IP addresses. The router or NAT device may therefore present a different public address each time it translates a local address.
3. PAT
PAT stands for port address translation. It is a type of dynamic NAT, but it maps several local IP addresses onto a single public one, distinguishing the connections by port number. Organizations that want all of their employees' traffic to appear from a single IP address use PAT, typically under the supervision of a network administrator.
Why Use NAT?
NAT is a straightforward enough process, but what is the point of it? Ultimately, it comes down to conservation and security.
IP Conservation
IP addresses identify each device connected to the internet. The existing IP version 4 (IPv4) uses 32-bit IP addresses, which allows for about 4 billion possible addresses; that seemed like more than enough when it launched in the 1970s.
However, the internet has exploded, and while not all 7 billion people on the planet access the internet regularly, those that do often have multiple connected devices: phones, personal desktops, work laptops, tablets, TVs, even refrigerators.
Therefore, the number of devices accessing the internet far surpasses the number of IP addresses available. Routing all of these devices via one connection using NAT helps to consolidate multiple private IP addresses into one public IP address. This helps to keep more public IP addresses available even while private IP addresses proliferate.
On June 6, 2012, IP version 6 (IPv6) officially launched to accommodate the need for more IP addresses. IPv6 uses 128-bit IP addresses, which allow for exponentially more potential addresses. The transition to IPv6 will take many more years to complete, so until then NAT will remain a valuable tool.
NAT Security
Additionally, NAT can provide a measure of security and privacy. Because the NAT device only translates inbound packets that belong to a connection initiated from the inside, or that match a port forward the administrator has configured, unsolicited inbound traffic has no mapping and is dropped before it reaches a private device. The router sorts the data to ensure everything goes to the right place, making it more difficult for unwanted data to get by. It is not foolproof, but it often acts as the first line of defense for your device. An organization that wants to protect its data will need to go further than a NAT firewall alone, and will want to hire a cybersecurity professional.
NAT also allows you to display a public IP address while on a local network, helping to keep data and user history private.
All of this might seem complicated in theory, but it’s even more so in the real world. IT professionals use NAT to secure their data and use several devices under the same IP – and everyone is interested in securing their data. Getting the right certification helps IT professionals demonstrate their competence and understanding of these complicated subjects.
CompTIA Network+ covers computer networking topics including network address translation. Download the exam objectives to see all the topics covered by this IT certification.