NAT and port scanning

Can you still scan a server (portscan) remotely if NAT seems to be in operation. For example we were given a list of 8 external IP addresses, when you ping them you get a response from another IP (not the one we tried to ping). Would that prevent us being able to port scan these systems? Or would it just affect the ping response? How can you port scan these systems if NAT is in use?
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

if the 8 external Ip's are behind the NAT you cannot scan them as you will be scanning the NAT gateway. you cannot scan these machine but scan the port for NAT gateway.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It all depends on the type of NAT in use.

Basic NAT that does 1-Many the results may be skewed as there may be ports open that are forwarded to different remote hosts.

Static 1-1 NAT would most likely result in a true approximation of the open ports on the system.

NAPT or Many - 1 would most likely result in a true approximation of the open ports on the system depending on how it is implemented.

IP Masquerading will probably result in a true approximation also but the response may come from a different host.
pma111Author Commented:
So theres no way to port scan the systems from the outside? How would you do a remote vulnerability assessment of the systems under the context of an outsider if you cant portscan them? Could this still be done?
Determine the Perfect Price for Your IT Services

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden with our free interactive tool and use it to determine the right price for your IT services. Download your free eBook now!

See my comment above it is most likely that the system has some kind of IP Masquerading going on where all 8 addresses resolve to 1 physical machine.

If you ping each address do the responses all come from the same address? If so try using something like nmap on all 8 addresses if they all resolve on the same machine you should get the same result 8 times.

To judge correctly you really need to know what kind of NATing is going on.
JohnBusiness Consultant (Owner)Commented:
If NAT is in use, and then let us say, the NAT range is 192.168.1.x, then that range is in use all over the world. So the short answer is, No, you cannot directly ping an internal NAT address.

You can do it if you have a VPN tunnel set up. I do this all the time.

.... Thinkpads_User
pma111Author Commented:
>>If you ping each address do the responses all come from the same address?

Interestingly no not all do.
they can have multiple NAT ip's also.
pma111Author Commented:
I am struggling to see how remote security guys can run vulnerability scanners against their public IP range with this kind of thing in place. Its often a requirement a security team run a vuln scanner/tool against the public IP simulating the rights an ousider has, but if they cant query the systems, how can they do this/
it depends upon the type of scanning and agreement done. If their network is not reachable you can scan from outer network to see what all ports are open and what all you can do to detect other stuff. Company can provide you access to their network by premise or VPN connection or they want to get it checked if their are vulnerable from Outside world.
Jason WatkinsIT Project LeaderCommented:
Make one of the hosts, behind the NAT, a DMZ host. In that context, it operates as if it were in front of the NAT.
pma111Author Commented:
>>scan from outer network

Whats the definition of an outer network?
by outer network i mean scanning the network accessible through Internet for vulnerability.
Keith AlabasterEnterprise ArchitectCommented:
The position of NAT/no NAT is not relevant. The port scan is run against the public ip/ip's and each of the ports. If a port is found to be open or listening then it is reported as such. If nothing is found then it is shown as clean.

From an external checking perspective, that is the main reason for running a scan. The results are then compared against your security policy. If they match - great.... if they don't then corrective measures are put forward.

If you have eight IP addresses only a portion of these will be useable once you have assigned a broadcast address and an ip for the router/firewall itself. There is only a couple of ways these addresses can be used -

1-1 NAT directly to an internal device, multiple ip's on the router/firewall external interface which reply to ARP requests and so on.
pma111Author Commented:
Thanks Keith makes a little more sense.

Can I ask though (you'll have to speak to me in laymans management terms) when you say if you have a list of 8 public IP addresses, that "only a portion of these will be useable once you have assigned a broadcast address and an ip for the router/firewall itself" - how can you then scan the other 6 systems? Or cant you? Or how do you know what you are scanning?

Say you have 8 systems, all with their own IP, how can you scan all 8, if say you only have 2 left after "you have assigned a broadcast address and an ip for the router/firewall itself", and what will those 2 represent?

 Excuse my ignorance :)
Keith AlabasterEnterprise ArchitectCommented:
Nothing to do with ignorance - we have all been where you are now.

This depends on the tool tou have used to 'front those addresses. For example, using an ISA Server or Forefront TMG, these devices allow a single IP address to front up multiple web sites because it can read the web host header in the packet but this digresses from the question - and the point.

Each IP address - whether it be a real IP address assigned to a nic or it is a 'virtual' ip that the router/firewall holds and just ARPs responses back is still a tangible entity. To take this up a level, let say you have a block from - the .119 is your broadcast address and the .112 is the network ID - neither of which can be assigned so this leaves you with 6 ip addresses.

I assign the .116 to the external interface of my external firewall along with the .117 and the .118 giving three addresses. I also create a 1:1 NAT to one of my DMZ boxes and use the .115 address. I don't bother assigning the .113 and the .114 address to anything - I just ignore them for the moment.

I tell my firewall to listen for smtp traffic on port 25 on the .116 address and then to forward any interesting traffic that matches this scenario to my internal mail server. I tell it to listen for http & https traffic on .117 and to forward this to my internal web server, rdp on port 3389 using the .118 address etc. I also tell it to 'pass through' any vpn traffic directly to the 115 address.

Running a port scan externally against each of the ip addresses - individually - will only return the open ports that my config has permitted (not necessarily the same as my security policy intended......). A scan against the .113 and .114 would return a completely clean report because they have not been assigned to anything.

As I mentioned above, whether an address is natted or just forwarded does not come into the equation at all.

Probably rambled a bit here but I am also on the phone.......
pma111Author Commented:
Ok thanks, think I have some reading to do!
pma111Author Commented:
can you just confirm what a clean report means  

"A scan against the .113 and .114 would return a completely clean report because they have not been assigned to anything."
Keith AlabasterEnterprise ArchitectCommented:
It would mean that nothing would be found against those addresses. As they will not have been assigned to an interface (NAT or not) there will be nothing to respond to. Picture it as being your telephone number - the telephone number is yours but until you plug a telephone handset into the socket, nothing can ring should anyone ever try to dial it i.e. NO RESPONSE. The same is the case with assigned IP addresses - they are yours to use but are not really in physical existence until you apply them to interfaces.

As above, we have all been where you are so don't worry about asking what may sound silly/naive questions. The only difference between us is that I was asking these questions 30+ years ago when I started with IBM :)
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.