FAQ-On What Conditions Does NAT Require a Blackhole Route

Publication Date:  2015-07-01 Views:  264 Downloads:  0
Issue Description
On What Conditions Does NAT Require a Blackhole Route?
Solution
1. If an address in the NAT address pool does not reside on the same network segment as the IP address of the outgoing interface, you must configure a blackhole route to the address.

2. If NAT Server with port translation is configured and the NAT Server global IP address does not reside on the same network segment as the IP address of the outgoing interface, you must configure a blackhole route to the NAT Server global IP address.

You can configure a blackhole route when configuring NAT on the firewall to prevent packets destined for an address in the NAT address pool or for the NAT Server global IP address from being forwarded out of the outgoing interface and then sent by the downstream device back to the firewall, which would create a route loop. You can also configure a blackhole route even if the address in the NAT address pool or the NAT Server global IP address resides on the same network segment as the IP address of the outgoing interface. In that case, the firewall sends an ARP request for the address in the NAT address pool or the NAT Server global IP address before forwarding packets. If it receives no ARP reply, the firewall discards the packets, which avoids route loops. Configuring a blackhole route to the address in the NAT address pool or the NAT Server global IP address blocks ARP requests for these IP addresses and therefore saves firewall ARP resources.
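The following added example (not part of the original FAQ or of any firewall software) models the two conditions above: it flags which NAT pool or NAT Server global addresses lie off the outgoing interface's segment, and uses a small longest-prefix-match lookup to show why a /32 route to NULL0 stops such a packet from following the default route to the downstream device. The interface address, next hop, NAT addresses and the "NULL0" label are constructed assumptions.

```python
from ipaddress import ip_address, ip_interface, ip_network

def needs_blackhole(addr, outgoing_iface):
    """Conditions 1 and 2 of the FAQ: an address that is not on the outgoing
    interface's segment needs a blackhole route."""
    return ip_address(addr) not in ip_interface(outgoing_iface).network

def lookup(table, dst):
    """Longest-prefix match over [(network, next_hop)]; None if nothing matches."""
    dst = ip_address(dst)
    matches = [(net, nh) for net, nh in table if dst in net]
    return max(matches, key=lambda e: e[0].prefixlen)[1] if matches else None

def build_table(outgoing_iface, downstream_next_hop, blackhole_addrs=()):
    """Default route to the downstream device, the connected route of the
    outgoing interface, and one /32 route to NULL0 per blackholed address."""
    iface = ip_interface(outgoing_iface)
    table = [(ip_network("0.0.0.0/0"), downstream_next_hop),
             (iface.network, "connected (ARP)")]
    table += [(ip_network(f"{a}/32"), "NULL0") for a in blackhole_addrs]
    return table

def blackhole_plan(outgoing_iface, nat_addrs):
    """Split NAT addresses into those that must be blackholed and those on-segment
    (where a blackhole route is optional and only saves ARP resources)."""
    required = [a for a in nat_addrs if needs_blackhole(a, outgoing_iface)]
    on_segment = [a for a in nat_addrs if a not in required]
    return required, on_segment

# Constructed sample topology (documentation addresses, not taken from the FAQ).
OUTGOING_IFACE = "203.0.113.1/24"
DOWNSTREAM_NEXT_HOP = "203.0.113.254"
NAT_ADDRS = ["203.0.113.10",    # pool address on the outgoing segment
             "198.51.100.10",   # pool address on another segment
             "198.51.100.20"]   # NAT Server global IP on another segment

if __name__ == "__main__":
    required, on_segment = blackhole_plan(OUTGOING_IFACE, NAT_ADDRS)
    print("blackhole required:", required, "| on-segment (optional):", on_segment)
    without = build_table(OUTGOING_IFACE, DOWNSTREAM_NEXT_HOP)
    with_bh = build_table(OUTGOING_IFACE, DOWNSTREAM_NEXT_HOP, required)
    for a in NAT_ADDRS:
        # Without the blackhole route, off-segment addresses follow the default
        # route to the downstream device, which can send them straight back.
        print(a, "->", lookup(without, a), "| with blackhole ->", lookup(with_bh, a))
```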

END