Solved

NAT and port scanning

Posted on 2012-04-02
18
891 Views
Last Modified: 2012-04-10
Can you still scan a server (portscan) remotely if NAT seems to be in operation. For example we were given a list of 8 external IP addresses, when you ping them you get a response from another IP (not the one we tried to ping). Would that prevent us being able to port scan these systems? Or would it just affect the ping response? How can you port scan these systems if NAT is in use?
0
Question by:pma111
18 Comments
 
LVL 17

Accepted Solution

by:
Anuroopsundd earned 100 total points
ID: 37795953
If the 8 external IPs are behind the NAT, you cannot scan them, as you will be scanning the NAT gateway. You cannot scan these machines, but you can scan the ports of the NAT gateway.
0
 
LVL 2

Assisted Solution

by:4drahil
4drahil earned 100 total points
ID: 37795960
It all depends on the type of NAT in use.

With basic NAT that does 1-to-many, the results may be skewed, as there may be ports open that are forwarded to different remote hosts.

Static 1-to-1 NAT would most likely result in a true approximation of the open ports on the system.

NAPT (many-to-1) would most likely result in a true approximation of the open ports on the system, depending on how it is implemented.

IP masquerading will probably result in a true approximation also, but the response may come from a different host.
0
 
LVL 3

Author Comment

by:pma111
ID: 37795961
So there's no way to port scan the systems from the outside? How would you do a remote vulnerability assessment of the systems in the context of an outsider if you can't portscan them? Could this still be done?
0
 
LVL 2

Expert Comment

by:4drahil
ID: 37795977
See my comment above; it is most likely that the system has some kind of IP masquerading going on, where all 8 addresses resolve to 1 physical machine.

If you ping each address, do the responses all come from the same address? If so, try using something like nmap on all 8 addresses; if they all resolve to the same machine, you should get the same result 8 times.

To judge correctly, you really need to know what kind of NATing is going on.
0
 
LVL 95

Assisted Solution

by:John Hurst
John Hurst earned 100 total points
ID: 37795983
If NAT is in use, and let us say the NAT range is 192.168.1.x, then that range is in use all over the world. So the short answer is: no, you cannot directly ping an internal NAT address.

You can do it if you have a VPN tunnel set up. I do this all the time.

.... Thinkpads_User
0
 
LVL 3

Author Comment

by:pma111
ID: 37795998
>>If you ping each address do the responses all come from the same address?

Interestingly no not all do.
0
 
LVL 17

Expert Comment

by:Anuroopsundd
ID: 37796014
They can have multiple NAT IPs also.
0
 
LVL 3

Author Comment

by:pma111
ID: 37796039
I am struggling to see how remote security guys can run vulnerability scanners against their public IP range with this kind of thing in place. It's often a requirement that a security team run a vuln scanner/tool against the public IPs simulating the rights an outsider has, but if they can't query the systems, how can they do this?
0
 
LVL 17

Expert Comment

by:Anuroopsundd
ID: 37796057
It depends upon the type of scanning and the agreement made. If their network is not reachable, you can scan from the outer network to see which ports are open and what else you can detect. The company can provide you access to their network on premises or by VPN connection, or they may want to check whether they are vulnerable from the outside world.
0
 
LVL 27

Assisted Solution

by:Jason Watkins
Jason Watkins earned 100 total points
ID: 37796070
Make one of the hosts behind the NAT a DMZ host. In that context, it operates as if it were in front of the NAT.
0
 
LVL 3

Author Comment

by:pma111
ID: 37796143
>>scan from outer network

What's the definition of an outer network?
0
 
LVL 17

Expert Comment

by:Anuroopsundd
ID: 37796293
By outer network I mean scanning the network accessible through the Internet for vulnerabilities.
0
 
LVL 51

Assisted Solution

by:Keith Alabaster
Keith Alabaster earned 100 total points
ID: 37799760
The position of NAT/no NAT is not relevant. The port scan is run against the public IP/IPs and each of the ports. If a port is found to be open or listening, then it is reported as such. If nothing is found, then it is shown as clean.

From an external checking perspective, that is the main reason for running a scan. The results are then compared against your security policy. If they match, great; if they don't, then corrective measures are put forward.

If you have eight IP addresses, only a portion of these will be usable once you have assigned a broadcast address and an IP for the router/firewall itself. There are only a couple of ways these addresses can be used:

1-to-1 NAT directly to an internal device, multiple IPs on the router/firewall external interface which reply to ARP requests, and so on.
0
 
LVL 3

Author Comment

by:pma111
ID: 37800478
Thanks Keith, makes a little more sense.

Can I ask though (you'll have to speak to me in layman's management terms): when you say if you have a list of 8 public IP addresses, that "only a portion of these will be useable once you have assigned a broadcast address and an ip for the router/firewall itself", how can you then scan the other 6 systems? Or can't you? Or how do you know what you are scanning?

Say you have 8 systems, all with their own IP, how can you scan all 8, if say you only have 2 left after "you have assigned a broadcast address and an ip for the router/firewall itself", and what will those 2 represent?

Excuse my ignorance :)
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 37802084
Nothing to do with ignorance - we have all been where you are now.

This depends on the tool you have used to front those addresses. For example, using an ISA Server or Forefront TMG, these devices allow a single IP address to front up multiple web sites because it can read the web host header in the packet, but this digresses from the question - and the point.

Each IP address - whether it be a real IP address assigned to a NIC or a 'virtual' IP that the router/firewall holds and just ARPs responses back for - is still a tangible entity. To take this up a level, let's say you have a block from 217.155.82.112 - 217.155.82.119. The .119 is your broadcast address and the .112 is the network ID - neither of which can be assigned, so this leaves you with 6 IP addresses.

I assign the .116 to the external interface of my external firewall along with the .117 and the .118, giving three addresses. I also create a 1:1 NAT to one of my DMZ boxes and use the .115 address. I don't bother assigning the .113 and the .114 addresses to anything - I just ignore them for the moment.

I tell my firewall to listen for SMTP traffic on port 25 on the .116 address and then to forward any interesting traffic that matches this scenario to my internal mail server. I tell it to listen for HTTP & HTTPS traffic on .117 and to forward this to my internal web server, RDP on port 3389 using the .118 address, etc. I also tell it to 'pass through' any VPN traffic directly to the .115 address.

Running a port scan externally against each of the IP addresses - individually - will only return the open ports that my config has permitted (not necessarily the same as my security policy intended......). A scan against the .113 and .114 would return a completely clean report because they have not been assigned to anything.

As I mentioned above, whether an address is NATted or just forwarded does not come into the equation at all.

Probably rambled a bit here, but I am also on the phone.......
0
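As an added worked example (not posted by anyone in this thread), the following Python models the /29 block and firewall configuration Keith describes, and then does the check he mentions: comparing what each public address actually exposes against what the security policy intended. The internal 10.x addresses, the DMZ box's listening port (1194) and the policy table are constructed for the illustration; the only values taken from the thread are the 217.155.82.112 block and the SMTP/HTTP/HTTPS/RDP forwards.

```python
import ipaddress
from typing import Dict, List, Set

# The /29 block from the comment: .112 is the network ID, .119 the broadcast,
# leaving six assignable addresses (.113 - .118).
BLOCK = ipaddress.ip_network("217.155.82.112/29")

# Constructed firewall configuration modelled on the comment.
# public IP -> {public port: internal destination}. Internal addresses are
# hypothetical RFC 1918 values chosen for this example.
PORT_FORWARDS: Dict[str, Dict[int, str]] = {
    "217.155.82.116": {25: "10.0.1.10"},                   # SMTP -> internal mail server
    "217.155.82.117": {80: "10.0.1.20", 443: "10.0.1.20"}, # HTTP/HTTPS -> internal web server
    "217.155.82.118": {3389: "10.0.1.30"},                 # RDP -> internal host
}

# 1:1 NAT: the public address maps wholly to one DMZ box, so an outsider sees
# whatever that box itself listens on (constructed: a VPN daemon on 1194).
ONE_TO_ONE_NAT: Dict[str, str] = {"217.155.82.115": "10.0.2.15"}
DMZ_LISTENERS: Dict[str, Set[int]] = {"10.0.2.15": {1194}}

# Constructed security policy: what each public address is *supposed* to expose.
# The policy deliberately says RDP must not be reachable from outside, so the
# .118 forward above is a configuration that drifted from policy.
POLICY: Dict[str, Set[int]] = {
    "217.155.82.115": {1194},
    "217.155.82.116": {25},
    "217.155.82.117": {80, 443},
    "217.155.82.118": set(),
}


def usable_addresses(block: ipaddress.IPv4Network = BLOCK) -> List[str]:
    """Assignable addresses in the block: everything except network ID and broadcast."""
    return [str(host) for host in block.hosts()]


def external_view(public_ip: str) -> Set[int]:
    """Ports an external scan of `public_ip` would report as listening, given the config."""
    if public_ip in PORT_FORWARDS:
        # Only the ports the firewall listens on and forwards are reachable.
        return set(PORT_FORWARDS[public_ip])
    if public_ip in ONE_TO_ONE_NAT:
        # 1:1 NAT passes everything through, so exposure equals the DMZ box's listeners.
        return set(DMZ_LISTENERS.get(ONE_TO_ONE_NAT[public_ip], set()))
    # Unassigned address: nothing answers, which is the "completely clean report".
    return set()


def policy_gaps(policy: Dict[str, Set[int]] = POLICY) -> Dict[str, Dict[str, Set[int]]]:
    """Compare what the config exposes per address against what the policy intended.

    Returns only the addresses where they differ: ports exposed that the policy
    did not allow ("unexpected") and ports the policy expected but are not exposed
    ("missing"). An empty dict means the external scan matches the policy.
    """
    gaps: Dict[str, Dict[str, Set[int]]] = {}
    for ip in usable_addresses():
        exposed = external_view(ip)
        intended = policy.get(ip, set())
        unexpected = exposed - intended
        missing = intended - exposed
        if unexpected or missing:
            gaps[ip] = {"unexpected": unexpected, "missing": missing}
    return gaps


if __name__ == "__main__":
    print("network ID:", BLOCK.network_address, "broadcast:", BLOCK.broadcast_address)
    for ip in usable_addresses():
        print(ip, "exposes", sorted(external_view(ip)) or "nothing (clean)")
    print("policy gaps:", policy_gaps())
```

Running it lists .113 and .114 as exposing nothing, and `policy_gaps()` flags .118 with port 3389 as unexpected, which is exactly the "config permitted, policy did not intend" situation the comment warns about; in a real engagement the `external_view` side would be replaced by the results of the authorised external scan.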
 
LVL 3

Author Comment

by:pma111
ID: 37805274
Ok thanks, think I have some reading to do!
0
 
LVL 3

Author Comment

by:pma111
ID: 37805276
Can you just confirm what a clean report means?

"A scan against the .113 and .114 would return a completely clean report because they have not been assigned to anything."
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 37806006
It would mean that nothing would be found against those addresses. As they will not have been assigned to an interface (NAT or not), there will be nothing to respond. Picture it as being your telephone number: the telephone number is yours, but until you plug a telephone handset into the socket, nothing can ring should anyone ever try to dial it, i.e. NO RESPONSE. The same is the case with assigned IP addresses: they are yours to use, but are not really in physical existence until you apply them to interfaces.

As above, we have all been where you are so don't worry about asking what may sound silly/naive questions. The only difference between us is that I was asking these questions 30+ years ago when I started with IBM :)
0