Re: NAT devices not translating privileged ports

[Fernando Gont via NANOG <nanog () nanog org>]

Hi, Blake,

Thanks a lot for your comments! In-line....


On Fri, 2021-06-04 at 11:13 -0500, Blake Hudson wrote:
> Current gen Cisco ASA firewalls have logic so that if the connection 
> from a private host originated from a privileged source port, the
> NAT 
> translation to public IP also uses an unprivileged source port (not 
> necessarily the same source port though).

Did you actaully mean "...also uses a *privileged port*"?



> I found out that this behavior can cause issues when you have devices
> on 
> your network that implement older DNS libraries or configs using UDP
> 53 
> as a source and destination port for their DNS lookups. Occasionally
> the 
> source port gets translated to one that ISC BIND servers have in a 
> blocklist (chargen, echo, time, and a few others) and the query is 
> ignored. As I recall, this behavior is hard coded so patching and 
> recompiling BIND is required to work around it.
>
> I forget what the older ASA behavior was. It may have been to leave
> the 
> source port unchanged through the NAT process (I think this is what
> you 
> mean by "not translated"). In that case the client doesn't implement 
> source port randomization and the NAT doesn't "upgrade" the
> connection 
> to a random source port so I don't really see it as an issue. 

The issue would be that if the port is not translated, and multiple
systems in the internal real of the NAT try to use the same privileged
port (say, 123) simultaneously, things wouldn't work.



Thanks,
-- 
Fernando Gont
Director of Information Security
EdgeUno, Inc.
PGP Fingerprint: DFBD 63E3 B248 AE79 C598 AF23 EBAE DA03 0644 1531