[Dr.WoW] [No.18] Source NAT-part 1

Latest reply: Jun 2, 2015 07:15:33

1 Source NAT Mechanism

When the Internet was invented, no one expected it to grow so fast that it would pervade our lives within merely 20 years. Problems that were not considered when the Internet was designed are therefore now surfacing; for example, IPv4 addresses are being exhausted. While seeking alternatives, people also use technologies that alleviate IPv4 address exhaustion, the most common of which is network address translation (NAT). Many NAT implementations exist, and the most common one is source NAT.

Source NAT translates private source IP addresses into public source IP addresses. With source NAT, users on an intranet can access the Internet from their private addresses, and public IP addresses are used more efficiently.

The process of source NAT is shown in Figure 1-1. When the firewall receives packets sent from the private network to the Internet, it translates the private source addresses into public addresses. When it receives the return packets, it translates the public destination addresses back into the private destination addresses. The whole NAT process is transparent to both the users on the private network and the hosts on the Internet.

Figure 1-1 Source NAT process


Before moving on to the similarities and differences between NAT implementations, let's introduce the concept of a NAT address pool. A NAT address pool is a container that holds public IP addresses. During address translation, the firewall translates the private address into a public address selected from the pool. The public address is selected at random; the selection has nothing to do with when the addresses were configured or with their numeric values.

The following command configures a NAT address pool on the USG2000/5000 series. This NAT address pool contains four public IP addresses. We will use the USG2000/5000 as the example for NAT address pool configuration in the rest of this post unless otherwise specified.

[FW] nat address-group 1 202.1.1.2 202.1.1.5

A configured NAT address pool can be referenced by NAT policies. On the USG2000/5000 series, NAT policies are similar to security policies: both contain match conditions and actions. The difference is that the action in a NAT policy is either source NAT or no-NAT. If the action is source NAT, a NAT address pool must be referenced, as shown in Figure 1-2. We will use the USG2000/5000 as the example for NAT policy configuration in the rest of this post unless otherwise specified.

Figure 1-2 NAT policy


NAT policies are matched in order. If a packet matches a NAT policy, that policy is applied and the remaining NAT policies are ignored. If a packet does not match a NAT policy, it is compared against the next one.

Configuring multiple NAT policies provides flexibility. For example, user group 1 (192.168.0.2-192.168.0.5) and user group 2 (192.168.0.6-192.168.0.10) can be made to use different public IP addresses to access the Internet. This cannot be done by putting the two public IP addresses into the same NAT address pool, because the public IP address is selected at random.

Instead, we can put the two IP addresses into different NAT address pools and configure two NAT policies: one allows user group 1 to use NAT address pool 1, and the other allows user group 2 to use NAT address pool 2. Then the two user groups use different public IP addresses to access the Internet.

Table 1-1 lists the source NAT implementations supported by Huawei firewalls. 

Table 1-1 Source NAT implementations supported by Huawei firewalls

| Source NAT Implementation | Description | Application Scenario |
|---|---|---|
| NAT No-PAT | Only IP addresses are translated; ports are not translated. | The number of available public IP addresses is roughly equal to the number of private network users who need Internet access. |
| NAPT | Both IP addresses and ports are translated. | The number of private network users is larger than the number of available public IP addresses. |
| Egress interface address mode (also called easy-IP) | Both IP addresses and ports are translated, but the public address can only be the IP address of the egress interface. | Only one public IP address is available, and it is obtained dynamically on the egress interface. |
| Smart NAT | One address in an address pool is reserved for NAPT, and the other addresses in the pool are used for NAT No-PAT. | Usually each private network user can have its own public IP address from the pool, but occasionally public addresses are insufficient and NAPT must be used so that multiple users can share one public IP address. |
| Triplet NAT | The mappings between private IP address/port and public IP address/port are fixed instead of random. | Users on the Internet initiate access to users on the private network, as in P2P services. |

Each NAT implementation has its own merits and demerits. Let's dive deeper into them.

2 NAT No-PAT

"No-PAT" means that ports are not translated, so a public address cannot be shared by more than one private network user. NAT No-PAT is therefore a one-to-one address translation. Figure 1-3 shows an example NAT No-PAT configuration. In this example, the firewall and the web server can reach each other.

Figure 1-3 NAT No-PAT networking


The detailed configuration process is as follows:

1. Configure a NAT address pool and NAT policy.

Configure a NAT address pool.

[FW] nat address-group 1 202.1.1.2 202.1.1.3     //Add two public IP addresses to the address pool.

Configure a NAT policy.

[FW] nat-policy interzone trust untrust outbound

[FW-nat-policy-interzone-trust-untrust-outbound] policy 1

[FW-nat-policy-interzone-trust-untrust-outbound-1] policy source 192.168.0.0 0.0.0.255      //Specify the match condition.

[FW-nat-policy-interzone-trust-untrust-outbound-1] action source-nat  //Specify the action (source NAT).

[FW-nat-policy-interzone-trust-untrust-outbound-1] address-group 1 no-pat  //Reference the NAT address pool and specify No-PAT as the NAT method.

[FW-nat-policy-interzone-trust-untrust-outbound-1] quit

[FW-nat-policy-interzone-trust-untrust-outbound] quit

Note that security policies and blackhole routes must be configured after the NAT configuration is complete.

2. Configure a security policy.

Security policies and NAT policies are similar, as their names suggest, but they have different functions. Security policies determine whether packets can pass through the firewall, whereas NAT policies determine how the IP addresses in the packets are translated. NAT is performed only on permitted packets. Security policies are processed before NAT policies, so if a security policy matches on a source address, that source address must be the private (pre-translation) address.

[FW] policy interzone trust untrust outbound

[FW-policy-interzone-trust-untrust-outbound] policy 1

[FW-policy-interzone-trust-untrust-outbound-1] policy source 192.168.0.0 0.0.0.255

[FW-policy-interzone-trust-untrust-outbound-1] action permit

[FW-policy-interzone-trust-untrust-outbound-1] quit

[FW-policy-interzone-trust-untrust-outbound] quit

3. Configure blackhole routes.

A blackhole route is a route to nowhere: packets that match it are dropped. To avoid routing loops, blackhole routes must be configured on the firewall for the addresses in the public address pool, as follows. The reason why blackhole routes are needed will be discussed later.

[FW] ip route-static 202.1.1.2 32 NULL 0

[FW] ip route-static 202.1.1.3 32 NULL 0

After the previous configurations are complete, the users on the private network can access the web server. If you display the sessions on the firewall, you can see the following information:

[FW] display firewall session table

 Current Total Sessions : 1

  http  VPN:public --> public 192.168.0.2:2050[202.1.1.2:2050]-->210.1.1.2:80

  http  VPN:public --> public 192.168.0.3:2050[202.1.1.3:2050]-->210.1.1.2:80

From the session table, we can see that the two private IP addresses have been translated into different public IP addresses (shown in brackets), but the ports are not translated.

Do you remember the server-map table mentioned in Chapter 2, Security Policies? For each translated private address, NAT No-PAT generates two server-map entries: one in the forward direction and one in the return direction.

[FW] display firewall server-map

 server-map item(s)

 ------------------------------------------------------------------------------

 No-Pat, 192.168.0.2[202.1.1.2] -> any, Zone: ---

   Protocol: any(Appro: ---), Left-Time: 00:11:59, Addr-Pool: 1

   VPN: public -> public

 

 No-Pat Reverse, any -> 202.1.1.2[192.168.0.2], Zone: untrust

   Protocol: any(Appro: ---), Left-Time: --:--:--, Addr-Pool: ---

   VPN: public -> public

 

 No-Pat, 192.168.0.3[202.1.1.3] -> any, Zone: ---

   Protocol: any(Appro: ---), Left-Time: 00:11:59, Addr-Pool: 1

   VPN: public -> public

 

 No-Pat Reverse, any -> 202.1.1.3[192.168.0.3], Zone: untrust

   Protocol: any(Appro: ---), Left-Time: --:--:--, Addr-Pool: ---

   VPN: public -> public

The forward server-map entry allows fast address translation when a private network user accesses the Internet: in NAT No-PAT each private address is translated exclusively to one public IP address, so translation is performed as soon as the packets match the server-map entry. Similarly, when packets sent from the Internet to the private network match the reverse server-map entry, address translation is performed. Note that packets matching server-map entries are still checked against security policies; only packets permitted by the security policies can pass through the firewall.

Other users on the private network cannot access the web server, because only two public IP addresses are available in the address pool and both are in use. Those users must wait until a public address is released. As we can see, in NAT No-PAT one public IP address can be used by only one private network user at a time, so this implementation does not conserve public addresses. The next implementation, NAPT, does.

3 NAPT

Network address and port translation (NAPT), sometimes also called port address translation (PAT), translates both the network address and the port. NAPT is the most widely used address translation implementation. It allows a large number of private network users to share a small number of public IP addresses to access the Internet.

The only configuration difference between NAPT and NAT No-PAT is that in NAPT the "no-pat" keyword is omitted when the NAT address pool is referenced in the NAT policy. The following NAPT configuration is still based on the network in Figure 1-3.

1. Configure a NAT address pool.

[FW] nat address-group 1 202.1.1.2 202.1.1.3

2. Configure a NAT policy.

[FW] nat-policy interzone trust untrust outbound

[FW-nat-policy-interzone-trust-untrust-outbound] policy 1

[FW-nat-policy-interzone-trust-untrust-outbound-1] policy source 192.168.0.0 0.0.0.255

[FW-nat-policy-interzone-trust-untrust-outbound-1] action source-nat

[FW-nat-policy-interzone-trust-untrust-outbound-1] address-group 1   //Reference the NAT address pool

[FW-nat-policy-interzone-trust-untrust-outbound-1] quit

[FW-nat-policy-interzone-trust-untrust-outbound] quit

3. Configure a security policy.

[FW] policy interzone trust untrust outbound

[FW-policy-interzone-trust-untrust-outbound] policy 1

[FW-policy-interzone-trust-untrust-outbound-1] policy source 192.168.0.0 0.0.0.255

[FW-policy-interzone-trust-untrust-outbound-1] action permit

[FW-policy-interzone-trust-untrust-outbound-1] quit

[FW-policy-interzone-trust-untrust-outbound] quit

4. Configure blackhole routes.

[FW] ip route-static 202.1.1.2 32 NULL 0

[FW] ip route-static 202.1.1.3 32 NULL 0

After the previous configurations are complete, the users on the private network can access the web server. If you display the sessions on the firewall, you can see the following information:

[FW] display firewall session table

 Current Total Sessions : 2

  http  VPN:public --> public 192.168.0.2:2053[202.1.1.2:2048]-->210.1.1.2:80

  http  VPN:public --> public 192.168.0.3:2053[202.1.1.3:2048]-->210.1.1.2:80

From the session table, we can see that the two private IP addresses have been translated into different public IP addresses, and the ports have also been translated.

Other users on the private network can also access the web server. If you display the sessions on the firewall, you can see the following information:

[FW] display firewall session table

 Current Total Sessions : 3

  http  VPN:public --> public 192.168.0.2:2053[202.1.1.2:2048]-->210.1.1.2:80

  http  VPN:public --> public 192.168.0.3:2053[202.1.1.3:2048]-->210.1.1.2:80

  http  VPN:public --> public 192.168.0.4:2051[202.1.1.2:2049]-->210.1.1.2:80

From the session table, we can see that two users on the private network share the same public IP address, but with different ports. The two users sharing the public IP address are distinguished by port, so there is no IP address conflict to worry about.

Note that NAPT generates no server-map entries. This differs from NAT No-PAT.
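To make the contrast between the two sections concrete, here is an added Python model (not Huawei code, and not from the original post) of a single two-address pool handling three private hosts: in No-PAT mode the third host is refused because both public addresses are held, while in NAPT mode all three are served and distinguished by port. The seeded random pick and the port allocator starting at 2048 are assumptions made to mirror the session tables above, not documented USG behaviour.

```python
import random


class SourceNat:
    """Toy model of source NAT with one address pool (added example).
    no_pat=True  -> NAT No-PAT: one public IP per private host, port kept.
    no_pat=False -> NAPT: public IP chosen from the pool, port rewritten."""

    def __init__(self, pool, no_pat, seed=0):
        self.pool = list(pool)
        self.no_pat = no_pat
        self.rng = random.Random(seed)      # pool picks are random on the firewall
        self.server_map = {}                # No-PAT: private IP -> public IP
        self.next_port = {ip: 2048 for ip in self.pool}  # assumed NAPT port allocator
        self.sessions = []                  # lines in the style of the session table

    def translate(self, src_ip, src_port, dst_ip, dst_port):
        """Return (public_ip, public_port), or None when the pool is exhausted."""
        if self.no_pat:
            pub_ip = self.server_map.get(src_ip)
            if pub_ip is None:
                free = [ip for ip in self.pool if ip not in self.server_map.values()]
                if not free:
                    return None             # every public IP is held; user must wait
                pub_ip = self.rng.choice(free)
                self.server_map[src_ip] = pub_ip   # forward server-map entry
            pub_port = src_port             # No-PAT never rewrites the port
        else:
            pub_ip = self.rng.choice(self.pool)
            pub_port = self.next_port[pub_ip]      # a fresh port per public IP
            self.next_port[pub_ip] += 1
        self.sessions.append(
            f"http  {src_ip}:{src_port}[{pub_ip}:{pub_port}]-->{dst_ip}:{dst_port}")
        return pub_ip, pub_port


def demo(no_pat):
    """Hosts 192.168.0.2-4 (constructed) reach the web server through a two-address pool."""
    fw = SourceNat(["202.1.1.2", "202.1.1.3"], no_pat)
    results = [fw.translate(f"192.168.0.{h}", 2050, "210.1.1.2", 80) for h in (2, 3, 4)]
    return results, fw.sessions


if __name__ == "__main__":
    for mode in (True, False):
        results, sessions = demo(mode)
        print("No-PAT" if mode else "NAPT", results)
        print("\n".join(sessions))
```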

user_2790689
Created Jun 2, 2015 07:15:33

Thank you.