Why it matters
Network address translation changes addressing or ports; it is not a substitute for firewall policy. Source NAT commonly supports outbound address sharing, destination NAT publishes a service, and port address translation multiplexes flows. Static, policy, hairpin, and twice-NAT patterns may be relevant depending on the platform and design.
Core concepts
Public-to-private publishing, outbound overload, and NAT object selection interact with routing and security policy. Bidirectional behavior is not universal. A VIP or destination translation object can affect matching in ways that differ by platform, especially when return traffic, load balancers, or overlapping networks are involved.
Packet-flow workflow
- State the original source, destination, port, interface, and expected return path.
- Identify the route lookup, translation decision, policy match, and post-translation destination.
- Check session and NAT logs with timestamps and a bounded test connection.
- Compare forward and return flows, including DNS answers and load-balancer targets.
Design checklist
- Is the published service protected by an explicit inbound policy and appropriate logging?
- Does the translated address have a documented owner and dependency map?
- Can operations attribute a connection after translation?
- Have hairpin, failover, and return-path cases been tested?
Common mistakes
Address hiding does not equal access control. Do not assume a public mapping makes a service reachable, or that a reachable translation proves the application is healthy. Avoid changing NAT and policy simultaneously without evidence that separates the two effects.
Fictional example
An internet-facing portal uses destination NAT to a load balancer. An internal test fails because the DNS name resolves to the public address and hairpin behavior is absent. The team records the intended internal path instead of weakening the inbound policy or assuming the translation is defective.
Related Vuln Signal content
Read Firewall Policy Review, Routing and Asymmetric Paths, DNS inspection, and Website and Domain Security Check.