Reflection NAT

Introduction

This document describes how to configure Reflection NAT. Reflection NAT is a mechanism that lets you put any Internet site behind the Acreto Platform, so that Acreto inspects the traffic before it reaches the site. Technically, three things have to happen:

  1. The site's DNS records are changed so that users send their traffic to the Acreto-allocated IP address instead of to the site itself,
  2. On the Acreto side the headers of that traffic are rewritten:
    1. The source IP address is changed to the Acreto-allocated IP address
    2. The destination IP address is changed to the Internet site's IP address
  3. On the Internet site side all incoming traffic is firewalled, with the exception of what comes from the Acreto-allocated IP address. Without this last step the site can still be reached directly, bypassing Acreto.

You can find more about this technique on the Internet, for example at http://www.nycnetworkers.com/real-world/nat-reflectionnat-loopbacknat-hairpinning/

Securing website scenario

In this example, we will protect the website http://kb.acreto.net, hosted on a server with IP 52.216.94.210. To achieve this, we will go through the following steps:

Configuration of Acreto Platform

Create Address object for remote Server / Application to be Protected

  1. Log in to Acreto Platform at https://wedge.acreto.net
  2. Go to Elements > Objects and click Add new object
  3. Select Address
  4. Fill fields:
    1. Name - kb.acreto.net Server
    2. Address - 52.216.94.210
    3. Category - Application
  5. Press “Save”

Allocate IP address for remote Server / Application to be Protected

  1. Go to Elements > Objects and click Add new object
  2. Select Allocated IP
  3. Fill fields:
    1. Name - kb.acreto.net Public IP
  4. Press “Save”

Create Reflection NAT Rule

  1. Go to Policies > Address Translation
  2. Press “Add New Translation Policy”
  3. Fill the fields:
    1. Name: KB ACRETO RNAT
    2. If communications attributes match this:
      1. Source - select “Any Internet IP”
      2. Destination - select the previously allocated IP - “kb.acreto.net Public IP”
    3. Then translate to the following:
      1. Source - select “kb.acreto.net Public IP”
      2. Destination - select “kb.acreto.net Server”
  4. Click “Save”

Note the allocated IP address

  1. Go to Policies > Address Translation
  2. Find the rule you have just created and note the IP address shown below “kb.acreto.net Public IP”. This is the address users will be sent to, and the only address the protected server should accept web traffic from.
    1. In our case, it is 104.193.146.129.

Create security policy to add threat management

  1. Go to Policies > Security
  2. Click “Add New Policy”
  3. Create a new policy that allows HTTP traffic to the protected server and runs threat management on it:
    1. Name: KB ACRETO Protection
    2. Source: any
    3. Service: select TCP/80 (HTTP)
    4. Application: any
    5. Destination: select “kb.acreto.net Server”
    6. Action: Allow
    7. Threat protection - enabled
  4. Press “Save”
  5. Commit your changes

Note: this policy only allows TCP/80. If the site is also served over HTTPS, add TCP/443 (HTTPS) to the Service field as well; otherwise HTTPS requests will be dropped by Acreto even though the server firewall configured below allows them.

Configuration of DNS records

In your DNS server, create or change the A record for the public name of the protected site (secure.acreto.io in this example) so that it points to the allocated IP 104.193.146.129, for example:

secure   IN   A   104.193.146.129

Note: In the future, we will use CNAME records instead of A records.

Note 2: For testing, you can put this mapping into your hosts file (/etc/hosts on Linux/Mac) instead:

104.193.146.129  secure.acreto.io

Configuration of the protected web server

On the protected web server (kb.acreto.net, 52.216.94.210 in our example), configure the firewall so that TCP ports 80 and 443 accept traffic only from the Acreto-allocated public IP, 104.193.146.129 in our example, and drop it from everywhere else. This is what turns the setup into a protection rather than an optional path: if the server still answers anyone directly, an attacker can skip Acreto by connecting to 52.216.94.210. Because Acreto rewrites the source address, the server will see 104.193.146.129 as the client for every request, so any per-client logic on the server (rate limits, IP allow lists, access logs) has to take that into account.
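As an added example (not Acreto's own code, nor part of the original page), the firewall step above expressed as an nftables ruleset for a Linux server. It assumes nftables is installed, that the allocated IP is the 104.193.146.129 from the example, and that the server is reached over IPv4; the table and comment names are arbitrary. The chain policy is left at accept so that management traffic such as SSH is untouched; only the web ports are restricted.

```shell
#!/bin/sh
# Origin-server firewall for Reflection NAT (added example; not Acreto's own code).
# Assumptions: Linux with nftables; the Acreto-allocated IP noted under the
# translation policy is 104.193.146.129 (override with ACRETO_IP=... in the environment).
ACRETO_IP="${ACRETO_IP:-104.193.146.129}"

# Print an nftables ruleset that lets only $1 reach TCP 80/443.
# "ip saddr" matches IPv4 only, so the final drop also covers any IPv6 path to the
# web ports; there is no IPv6 exception because Acreto sends IPv4 in this example.
# The chain policy stays "accept" so management access (SSH etc.) is not touched;
# tighten that separately once you are sure you will not lock yourself out.
origin_ruleset() {
  cat <<EOF
table inet acreto_guard
delete table inet acreto_guard
table inet acreto_guard {
  chain input {
    type filter hook input priority 0; policy accept;
    ct state established,related accept
    ip saddr $1 tcp dport { 80, 443 } accept comment "Acreto-allocated IP only"
    tcp dport { 80, 443 } drop comment "direct access bypasses Reflection NAT"
  }
}
EOF
}

# Apply with:  sh origin-firewall.sh apply   (needs root; the declare+delete prelude
# makes re-applying idempotent). Without "apply" the script only prints the ruleset.
if [ "${1:-}" = "apply" ]; then
  origin_ruleset "$ACRETO_IP" | nft -f -
else
  origin_ruleset "$ACRETO_IP"
fi
```

The order of the two web-port rules matters: the accept for the Acreto-allocated IP must come before the unconditional drop. Check the result with `nft list table inet acreto_guard`, then confirm from an unrelated host that port 80 on 52.216.94.210 no longer answers.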

Testing

  1. Go to http://104.193.146.129 (or to http://secure.acreto.io once the DNS change has propagated) - you should see the protected website, kb.acreto.net.
  2. Go to http://52.216.94.210 directly - the connection should fail. If the site is shown, the server firewall is not restricting the web ports to the Acreto-allocated IP and Acreto can be bypassed.
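A scripted version of this test, as an added example that is not part of the original page: it checks what the site name resolves to, fetches the site through the Acreto-allocated IP, and confirms that the origin no longer answers directly, which is the bypass you most want to rule out. The name and addresses are the ones from the example above and are assumptions (override them via environment variables); the `verdict` function only judges observations passed to it, so it can be exercised without network access, while `run_checks` performs the live probes with `getent` and `curl`.

```shell
#!/bin/sh
# Reflection NAT end-to-end check (added example; not Acreto's own code).
# Assumed values from the example above; override in the environment if yours differ.
SITE_NAME="${SITE_NAME:-secure.acreto.io}"   # name users type into the browser
ACRETO_IP="${ACRETO_IP:-104.193.146.129}"     # Acreto-allocated public IP
ORIGIN_IP="${ORIGIN_IP:-52.216.94.210}"       # real server that must only accept Acreto

# First IPv4 address the system resolver returns for a name (empty if it does not resolve).
resolve_a() {
  getent ahostsv4 "$1" 2>/dev/null | awk 'NR==1 {print $1}'
}

# HTTP status code for GET http://$1/ with Host header $2; "000" when the
# connection is refused or times out, which is what we expect for the origin.
http_status() {
  curl -s -o /dev/null -m 5 -w '%{http_code}' -H "Host: $2" "http://$1/" || true
}

# Judge the three observations: resolved address, status via Acreto, status direct.
# Prints PASS and returns 0 only if every check holds; otherwise prints the reason.
verdict() {
  resolved=$1; via_acreto=$2; direct=$3
  [ "$resolved" = "$ACRETO_IP" ] || {
    echo "FAIL: $SITE_NAME resolves to '$resolved', expected $ACRETO_IP"; return 1; }
  case $via_acreto in
    2??|3??) ;;
    *) echo "FAIL: no usable HTTP reply through Acreto (status '$via_acreto')"; return 1 ;;
  esac
  [ "$direct" = "000" ] || {
    echo "FAIL: origin $ORIGIN_IP answers directly (status $direct); Reflection NAT can be bypassed"
    return 1; }
  echo PASS
}

# Live run: resolve, fetch via Acreto, then try the origin directly.
run_checks() {
  verdict "$(resolve_a "$SITE_NAME")" \
          "$(http_status "$ACRETO_IP" "$SITE_NAME")" \
          "$(http_status "$ORIGIN_IP" "$SITE_NAME")"
}

# Usage: sh rnat-check.sh run
if [ "${1:-}" = "run" ]; then
  run_checks
fi
```

Run it from a host outside your own network, otherwise the direct probe of the origin may succeed through an internal allow rule and hide the bypass. A 3xx through Acreto is accepted as well as 2xx because many sites redirect http:// to https://; if you rely on that redirect, remember that TCP/443 must also be allowed in the Acreto security policy.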