Score:2

How is CGNAT routed on the client?

WoJ

When testing a Zscaler POC (from a security perspective), I had a hard time understanding how CGNAT is routed on the client.

My main concern (and question) is that the 100.64.x.y route is not in the routing table (Windows 10). The default gateway is on my local network gateway so that traffic cannot go there either.

What is special about how CGNAT traffic is routed?

The routing table on the client is

Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.43.1   192.168.43.107     50
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
     172.22.208.0    255.255.240.0         On-link      172.22.208.1    271
     172.22.208.1  255.255.255.255         On-link      172.22.208.1    271
   172.22.223.255  255.255.255.255         On-link      172.22.208.1    271
     192.168.43.0    255.255.255.0         On-link    192.168.43.107    306
   192.168.43.107  255.255.255.255         On-link    192.168.43.107    306
   192.168.43.255  255.255.255.255         On-link    192.168.43.107    306
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link    192.168.43.107    306
        224.0.0.0        240.0.0.0         On-link      172.22.208.1    271
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link    192.168.43.107    306
  255.255.255.255  255.255.255.255         On-link      172.22.208.1    271

Below is the resolution of an internal corporate service that is set up on zscaler (and therefore routed through the CGNAT). The same name outside of zscaler points to a classical RFC1918 address.

> nslookup internalcorporatesite.com
Server:  xxx.com
Address:  192.168.43.1

Non-authoritative answer:
Name:    internalcorporatesite.com
Address:  100.64.1.9

Please note that the default gateway 192.168.43.1 has no knowledge of the CGNAT - it is a local network and the CGNAT is used by zscaler.

Score:4

It uses a filter driver that picks up packets from the networking stack and redirects them. Thus there's no virtual NIC for zScaler connectivity.

With the filter driver option, the app does not create a virtual network adapter. Instead, it uses Windows filtering to capture and forward traffic to the cloud. This allows for more granular control over traffic and also reduces interoperability issues for applications that manage network adapters on the system.

This also means that destinations that go over ZPA do not show up in the routing table.

zScaler doesn't really use CGNAT. It simply needs an address range that should not have legitimate traffic destined for it, that it can hijack and redirect, with minimal consequences. How the packets are handled after they enter zScaler is basically their secret sauce.

WoJ
Thank you. I did not even know that this was a possibility in Windows - it will also probably explain the DNS resolution of such hosts (the DNS server is not changed when the zscaler client is on, but responses to some requests are pointing to the zscaler CGNAT).
vidarlo
Yup, zScaler guys have made a very impressive piece of MITM malware ;)
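To make the answer's point concrete, here is an added example (not from the question, the answer or Zscaler) that parses the asker's "route print" table above and applies longest-prefix matching the way the stack would: the resolved 100.64.1.9 only hits 0.0.0.0/0 via 192.168.43.1, so any interception has to happen below the routing table, which is exactly the filter-driver mode described in the answer. The table rows are copied from the question; the helper names are my own.

```python
import ipaddress

# Constructed excerpt of the asker's Windows 10 "route print" table (question above).
ROUTE_PRINT = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.43.1   192.168.43.107     50
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
     172.22.208.0    255.255.240.0         On-link      172.22.208.1    271
     192.168.43.0    255.255.255.0         On-link    192.168.43.107    306
  255.255.255.255  255.255.255.255         On-link    192.168.43.107    306
"""
CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared address space


def parse_routes(text):
    """Turn 'route print' Active Routes lines into (network, gateway, iface, metric)."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # header and blank lines
        try:
            net = ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False)
        except ValueError:
            continue
        routes.append((net, parts[2], parts[3], int(parts[4])))
    return routes


def select_route(routes, dst):
    """Longest-prefix match, lowest metric on ties: what the stack itself would pick."""
    ip = ipaddress.ip_address(dst)
    matches = [r for r in routes if ip in r[0]]
    return max(matches, key=lambda r: (r[0].prefixlen, -r[3])) if matches else None


def explain(routes, dst):
    """Report whether dst has a route more specific than the default."""
    chosen = select_route(routes, dst)
    return {
        "destination": dst,
        "in_cgnat_range": ipaddress.ip_address(dst) in CGNAT,
        "route": str(chosen[0]) if chosen else None,
        "gateway": chosen[1] if chosen else None,
        # A 100.64.0.0/10 address that only hits 0.0.0.0/0 has no host route: either
        # something below the routing table grabs it, or the gateway gets a packet for a range it never heard of.
        "specific_route": bool(chosen) and chosen[0].prefixlen > 0,
    }
```

Calling `explain(parse_routes(ROUTE_PRINT), "100.64.1.9")` reports the default route and `specific_route: False`, the situation the asker saw; run it against your own `route print` output to check whether a ZPA destination would ever reach the local gateway unintercepted.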