[c-nsp] Rogue NAT gateways
Phil Mayers
p.mayers at imperial.ac.uk
Mon Jul 16 07:38:07 EDT 2012
On 15/07/12 23:16, Dan Letkeman wrote:
> Wondering if anyone has any tricks for disabling the use of any NAT
> gateways? I know the best way is to remove it physically, but in the
> case of guest access and mobile devices it's sometimes difficult to do
> so. Now that many devices can act as a hotspot, some of these devices
Yes, how "helpful" of the vendors.
> are becoming difficult to find. I have looked into ACLs with ttl
> requirements, but I could not seem to get it to work like I wanted.
What are you asking here?
1) How can I stop the outside interface of a NAT device being connected
to my network i.e. the NATed single IP
2) How can I stop the inside interface of a NAT device (with the DHCP
server etc.) being connected to my network, and handing out DHCP leases
to other clients on my LAN?
The two are separate problems.
1) is hard to solve; as you've suggested, looking at IP TTLs can help
(more or less all OSes use even TTLs, so looking for an odd TTL can
locate them). You can inspect the OUI of the MAC address for well-known
NAT device vendors, but that trick has limited mileage. Other techniques
include looking at the IP ID field.
2) is easy; use DHCP snooping and ARP/IP source guard.