Why do we need NAT-T for trusted or untrusted zones?

I am trying to understand the need for NAT-T in trusted or untrusted zones. Why do we need NAT-T, and how is it related to untrusted and trusted zones in any firewall?

If you mean NAT-T for VPNs, it doesn't have anything to do with trusted and untrusted zones. You do it when your device doesn't have a direct internet connection and is NATted to the internet by another device; basically NAT-T encapsulates the packets in UDP so they can be NATted.

I'll give a real-world scenario. A client of mine is a medical company that has clinics in international airports to screen folks from certain countries where infectious disease might be an issue. They are embedded in the airport and are not allowed to bring in a circuit. They only have access to the LAN for IPsec and have to use the airport's internet. So it's traversing a private network with an RFC 1918 address and then a NAT to the public internet. IPsec tries to be a "secure protocol" and as such doesn't like the header to change in transport. NAT traversal tells it to suck it up and let it happen.

A VPN device behind a firewall needs to complete two phases. I will reach out on port 500 to the peer that is over the internet. The VPN peer will then start the negotiation process, but it can't complete it, as the return traffic can't traverse the NAT. This is a limitation in the protocol. Then the VPN peer will switch to port 4500, which is the NAT-T port; this aspect of the protocol will encapsulate the traffic so that it can traverse the NAT.
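The "detect the NAT, then move to 4500" step described above can be modelled in a few lines. The following is an added example, not code from the thread: it implements the IKEv2 NAT detection check from RFC 7296 section 2.23 (IKEv1 uses NAT-D payloads with the same idea, hashing the cookies instead of the SPIs). The initiator sends SHA-1(SPIi || SPIr || source IP || source port) in a NAT_DETECTION_SOURCE_IP notify; the responder recomputes the hash over the source address it actually saw on the wire. If a NAT rewrote the outer header, the hashes differ and both peers continue on UDP 4500. The SPIs, addresses and the NAT mapping are constructed values.

```python
"""NAT detection during IKE phase 1 (IKEv2, RFC 7296 section 2.23), modelled in Python.
Added example, not from the thread; SPIs, addresses and ports are constructed."""
import hashlib
import ipaddress
import struct

IKE_PORT = 500
NAT_T_PORT = 4500


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """Data of NAT_DETECTION_SOURCE_IP / NAT_DETECTION_DESTINATION_IP:
    SHA-1 over SPIi || SPIr || IP address || port (RFC 7296 section 2.23)."""
    packed = spi_i + spi_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.sha1(packed).digest()


def responder_checks_for_nat(spi_i: bytes, spi_r: bytes, notify_src_hash: bytes,
                             observed_src_ip: str, observed_src_port: int) -> dict:
    """The responder hashes the source address/port it actually received the packet
    from. A mismatch means a NAT rewrote the outer header, so phase 2 must use UDP 4500."""
    recomputed = nat_detection_hash(spi_i, spi_r, observed_src_ip, observed_src_port)
    nat_detected = recomputed != notify_src_hash
    return {"nat_detected": nat_detected,
            "next_port": NAT_T_PORT if nat_detected else IKE_PORT}


def simulate(initiator_ip: str, initiator_port: int, nat_map=None) -> dict:
    """FW2 sends IKE_SA_INIT carrying the hash of the address it thinks it has.
    nat_map=(public_ip, public_port) models a NAT rewriting the outer header in transit."""
    spi_i = bytes.fromhex("0011223344556677")   # constructed initiator SPI
    spi_r = bytes(8)                            # responder SPI is zero in the first message
    notify = nat_detection_hash(spi_i, spi_r, initiator_ip, initiator_port)
    seen_ip, seen_port = nat_map if nat_map else (initiator_ip, initiator_port)
    return responder_checks_for_nat(spi_i, spi_r, notify, seen_ip, seen_port)


if __name__ == "__main__":
    print("direct peer:", simulate("198.51.100.7", 500))
    print("peer behind NAT:", simulate("192.168.10.20", 500, nat_map=("203.0.113.5", 41234)))
```

The same check runs in both directions: the NAT_DETECTION_DESTINATION_IP notify lets the initiator learn whether the responder is behind a NAT too. Note that the hash also changes when only the port is rewritten, which is why a port-translating NAT in front of a peer is detected even if the peer keeps its private source port 500.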

Sorry, what is NAT-T? I only know DNAT, SNAT, NoNAT, U-turn NAT... educate me please.

NAT-T is really useful when you're behind another NAT point.

So let's say you have a primary firewall which carries your public IP; for context we'll call that the outside firewall.

Then you spin up a Layer 3 interface and put another firewall on the inside (in this config both firewalls are doing routing and NAT). Your inside firewall is initiating an IPsec tunnel, and therefore, to avoid any NAT-related issues, you turn on NAT-T. Now the firewall knows that you're behind NAT and not directly NATing, which seriously helps IPsec communication.

I am having a hard time understanding this, sorry. What's the purpose of NAT-T? What scenario would enable it? Does this mean I have FW2 behind FW1 and FW2 has a VPN tunnel with another site? Will I enable NAT-T on FW2 or FW1?

So is it safe to assume that if we see phase 2 negotiation on port 4500 then it's a NAT-T enabled scenario? Where will I see this traffic: between the NAT device and the opposite peer FW1, or between the NAT device and FW2?

If you have a firewall that doesn't have public internet IPs, but establishes VPNs behind a router or anything that NATs the prior device, you enable NAT-T on the firewall with the VPNs and without public internet IPs.

That's it.

You would enable it on FW2 and on the other site.

A prime example of this is when you are creating an IPsec tunnel from a site to a firewall in Azure. At least, that's the only time I use it.

Firewall logs should show it. You can also do a packet capture on the external interface.

I read a little bit, so since there is another NAT device in between, it only inspects and translates the header of the outer UDP packet, leaving the inner packet untouched. I'm trying to understand how this encapsulation works. Does the NAT device do something when it looks at the traffic that is on UDP port 500?

The reason for NAT-T is that IPsec VPNs use two protocols for the two different phases. Phase 1 uses UDP 500 (protocol 17), and phase 2 uses IPsec ESP or IPsec AH (protocols 50 and 51 respectively), although most VPNs use ESP. The problem is that ESP/AH do not support NAT, so any NAT device causes the phase 2 communication to fail.

NAT-T resolves this issue by encapsulating the ESP/AH packets inside UDP packets, which use UDP 4500/4501 respectively. By encapsulating the ESP packets inside UDP packets, it allows the VPN traffic to traverse NAT devices. When NAT-T is enabled on the VPN, NAT devices are detected as part of the phase 1 exchange, and phase 2 automatically switches to encapsulating the ESP/AH packets.

So to address your original question, and as RoseRoja already highlighted, it has nothing to do with zones, unless you were terminating the VPNs on your trusted interfaces and the VPN packets had to traverse from untrusted to trusted (or vice versa), which would not be recommended.
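To make the encapsulation concrete (and to answer the earlier question of what the NAT actually touches), here is an added example that is not from the thread. It models the ESP-in-UDP format from RFC 3948, which is the NAT-T encapsulation defined for ESP on UDP 4500: the ESP packet follows the UDP header directly, IKE on the same port is prefixed with a four-byte all-zero "non-ESP marker" (a real SPI is never zero, so a receiver can tell them apart), and a one-byte 0xFF datagram is a NAT keepalive. A toy source NAT rewrites only the outer IP/UDP header; the ESP bytes, and therefore the ESP integrity check value that covers only the ESP packet, survive untouched. The HMAC key, SPI, addresses and port mapping are constructed, and the ESP layout is simplified (no trailer, HMAC-SHA-256 truncated to 128 bits as the ICV).

```python
"""ESP-in-UDP NAT traversal (RFC 3948) modelled in Python. Added example, not from the
thread: keys, SPIs, addresses and the NAT port mapping are constructed values."""
import hashlib
import hmac
import struct

NON_ESP_MARKER = b"\x00\x00\x00\x00"   # prefix for IKE carried on UDP 4500 (RFC 3948 section 2.2)
NAT_KEEPALIVE = b"\xff"                # one-byte keepalive datagram (RFC 3948 section 2.3)
ICV_LEN = 16                           # truncated ICV, HMAC-SHA-256-128 style


def build_esp(spi: int, seq: int, ciphertext: bytes, auth_key: bytes) -> bytes:
    """Simplified ESP packet: SPI | sequence | encrypted payload | ICV. The ICV covers only
    the ESP packet, never the outer IP/UDP header, so rewriting that header does not break it."""
    body = struct.pack("!II", spi, seq) + ciphertext
    icv = hmac.new(auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    return body + icv


def verify_esp(esp: bytes, auth_key: bytes) -> bool:
    """Receiver-side ICV check over everything except the trailing ICV."""
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    return hmac.compare_digest(expected, icv)


def classify_udp_payload(dst_port: int, payload: bytes) -> str:
    """Demultiplex a datagram the way a NAT-T aware peer does. On UDP 500 everything is IKE.
    On UDP 4500 the first four bytes decide: all zero means IKE, otherwise it is an ESP SPI."""
    if dst_port == 500:
        return "IKE"
    if dst_port != 4500:
        return "not IPsec"
    if payload == NAT_KEEPALIVE:
        return "NAT-keepalive"
    if payload[:4] == NON_ESP_MARKER:
        return "IKE"
    spi, seq = struct.unpack("!II", payload[:8])
    return f"ESP spi=0x{spi:08x} seq={seq}"


def nat_translate(pkt: dict, public_ip: str, public_port: int) -> dict:
    """Toy source NAT: rewrites the outer source address and UDP port only; the UDP payload
    (the ESP packet) is copied through unchanged."""
    return {**pkt, "src": public_ip, "sport": public_port}


def demo() -> dict:
    """FW2 (RFC 1918 address) -> NAT -> FW1: ESP inside UDP 4500, no marker."""
    auth_key = b"constructed-16B!"
    esp = build_esp(spi=0x1234ABCD, seq=7, ciphertext=b"\xde\xad\xbe\xef" * 4, auth_key=auth_key)
    pkt = {"src": "192.168.10.20", "sport": 4500, "dst": "198.51.100.7", "dport": 4500, "payload": esp}
    natted = nat_translate(pkt, "203.0.113.5", 41234)
    return {
        "outer_rewritten": (natted["src"], natted["sport"]) != (pkt["src"], pkt["sport"]),
        "inner_unchanged": natted["payload"] == esp,
        "icv_ok_after_nat": verify_esp(natted["payload"], auth_key),
        "kind": classify_udp_payload(natted["dport"], natted["payload"]),
        "ike_on_4500": classify_udp_payload(4500, NON_ESP_MARKER + b"\x00" * 28),
        "keepalive": classify_udp_payload(4500, NAT_KEEPALIVE),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two practical consequences follow from the model. FW1 sees the NAT's public address and whatever source port the NAT chose (41234 here, not 4500), so it must send its replies to the address and port it observed, which is also why the peer behind the NAT is normally the one that has to initiate. And a packet capture on FW1's external interface will show UDP 4500 from the NAT's public IP for both the IKE messages (with the zero marker) and the ESP data, which answers the earlier question of where the 4500 traffic is visible.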

This is great. So if there is a NAT device, do we use the public IP of that NAT device or of FW2, which is the VPN device? FW2 will now have a LAN IP/private IP, right?

If your setup is something like this:
FW1 ------- Internet ------- NAT -------- FW2
Then:

  • FW1 will use the public IP of the NAT device.
  • FW2 will use the public IP of FW1.
  • You will only be able to initiate from FW2, unless you have some form of bi-directional NAT set up on the NAT device.