[Dr.WoW] [No.20] Bidirectional NAT

Latest reply: Aug 13, 2018 07:05:05
After the previous sections, you should know what Source NAT and NAT Server are. With these two NAT functions, a firewall can translate both incoming and outgoing traffic. Can the two functions work together? The answer is definitely "YES".

If both the source and destination addresses of a packet need to be translated, Source NAT and NAT Server are both required. This configuration is also called "bidirectional NAT". Note that bidirectional NAT is not an independent function; it is only a combination of Source NAT and NAT Server applied to the same flow (for example, a packet from an Internet user to an intranet server). When the firewall receives such a packet, it translates both the source and destination addresses. If Source NAT and NAT Server are configured on a firewall for different flows, the configuration is not called bidirectional NAT.

In the previous sections, Source NAT was explained and verified using the networking in which intranet users access the Internet. In fact, Source NAT can be classified into interzone NAT and intrazone NAT based on the direction in which packets traverse the firewall.

  • Interzone NAT

NAT is performed on packets transmitted between security zones. Interzone NAT can be further classified into the following types based on the packet transmission direction:

-NAT Inbound

NAT is performed on packets transmitted from a low-security-level zone to a high-security-level zone. Such NAT generally applies when Internet users access an intranet, and therefore this technique is seldom used.

-NAT Outbound

NAT is performed on packets transmitted from a high-security-level zone to a low-security-level zone. Such NAT applies when intranet users access the Internet, which is a common scenario.

  • Intrazone NAT

NAT is performed on packets transmitted within a security zone. Typically, intrazone NAT works together with NAT Server; it is seldom configured on its own.

When intrazone or interzone NAT works together with NAT Server, bidirectional NAT is implemented. Of course, the preceding description assumes proper security levels for the security zones and reasonable network planning: the intranet belongs to the Trust zone (high security level), intranet servers belong to the DMZ (medium security level), and the Internet belongs to the Untrust zone (low security level).

Bidirectional NAT is not special in terms of technology or implementation principle, but its applicable scenarios have their own characteristics. When is bidirectional NAT required? What are the benefits of configuring it? Is it OK not to configure it? These questions must be considered when planning and deploying live networks.

1 NAT Inbound + NAT Server

Figure 1-1 shows a typical NAT Server scenario in which an Internet user accesses an intranet server. The following describes how to configure and apply bidirectional NAT in this scenario and what advantages it brings.

Figure 1-1 Networking for NAT Inbound + NAT Server


The NAT Server and Source NAT are configured as follows. The security policy and blackhole route configurations are the same as those provided in previous sections and are therefore omitted here. Let's first look at the NAT Server configuration.

[FW] nat server protocol tcp global 1.1.1.1 9980 inside 10.1.1.2 80 

The NAT Server configuration should be familiar by now. After it is complete, the following server map is generated on the firewall:

[FW] display firewall server-map

server-map item(s)

 ------------------------------------------------------------------------------

 Nat Server, any -> 1.1.1.1:9980[10.1.1.2:80], Zone: ---

   Protocol: tcp(Appro: unknown), Left-Time: --:--:--, Addr-Pool: ---

   VPN: public -> public

 

 Nat Server Reverse, 10.1.1.2[1.1.1.1] -> any, Zone: ---

   Protocol: any(Appro: ---), Left-Time: --:--:--, Addr-Pool: ---

   VPN: public -> public

Then, let's look at the Source NAT configuration.

[FW] nat address-group 1 10.1.1.100 10.1.1.100

[FW] nat-policy interzone untrust dmz inbound

[FW-nat-policy-interzone-dmz-untrust-inbound] policy 1

[FW-nat-policy-interzone-dmz-untrust-inbound-1] policy destination 10.1.1.2 0   //As NAT Server is performed prior to Source NAT, the destination address here is the post-NAT Server address, namely, the private address of the server.

[FW-nat-policy-interzone-dmz-untrust-inbound-1] action source-nat

[FW-nat-policy-interzone-dmz-untrust-inbound-1] address-group 1

[FW-nat-policy-interzone-dmz-untrust-inbound-1] quit

[FW-nat-policy-interzone-dmz-untrust-inbound] quit

This Source NAT configuration differs from the one described in the previous section in two ways. First, the NAT address pool here contains a private address, not a public one. Second, the NAT policy direction is inbound, meaning that NAT is performed when packets flow from a low-security-level zone to a high-security-level zone. This is NAT Inbound.

After the configuration is complete and the Internet user accesses the intranet server, we can view the session table on the firewall. The output shows that both the source and destination addresses of the packet have been translated.

[FW] display firewall session table

Current Total Sessions : 1

  http  VPN:public --> public 1.1.1.2:2049[10.1.1.100:2048]-->1.1.1.1:9980[10.1.1.2:80]

Let's look at the NAT process shown in Figure 1-2. After the packet from the Internet user to the intranet server arrives at the firewall, NAT Server translates the destination address (the public address of the intranet server) into the server's private address, and NAT Inbound translates the source address into a private address in the same network segment as the server. Both addresses are therefore translated, which is bidirectional NAT. When the response packet from the intranet server arrives at the firewall, both translations are reversed: the source and destination addresses are translated back into public addresses.
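The processing order just described (NAT Server first, then the NAT policy matched against the already-translated destination) is the part that is easiest to get wrong when writing the policy. The following Python model is an added example, not part of the original post and not the firewall's own code. It reproduces the session table entry shown above for section 1, the one shown in section 2 for intrazone NAT, the reverse translation of the server's reply, and what happens if `policy destination` is written with the public address 1.1.1.1 instead of the private one. The server-map entry, addresses and ports are the page's; the `Flow` type, the function names and the default pool port 2048 are assumptions of this example.

```python
from dataclasses import dataclass

# Constructed from the page's figures: NAT Server maps global 1.1.1.1:9980 to
# inside 10.1.1.2:80 (the server-map shown above). Pool port 2048 and the
# client ports 2049/2050 are the values visible in the page's session tables.
SERVER_MAP = {("tcp", "1.1.1.1", 9980): ("10.1.1.2", 80)}


@dataclass(frozen=True)
class Flow:            # assumed 5-tuple type for this example
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def nat_server(flow):
    """Step 1 on the firewall: destination translation via the server map.
    This runs before the NAT policy is evaluated."""
    inside = SERVER_MAP.get((flow.proto, flow.dst, flow.dport))
    if inside is None:
        return flow
    return Flow(flow.proto, flow.src, flow.sport, inside[0], inside[1])


def source_nat(flow, policy_dst, pool_addr, pool_port):
    """Step 2: the nat-policy. Its 'policy destination' condition is compared
    with the destination as it is *after* NAT Server, i.e. the private address."""
    if flow.dst != policy_dst:
        return flow
    return Flow(flow.proto, pool_addr, pool_port, flow.dst, flow.dport)


def bidirectional_nat(flow, policy_dst, pool_addr, pool_port=2048):
    """Run both steps; return (original flow, translated flow), the two halves
    of one session entry."""
    translated = source_nat(nat_server(flow), policy_dst, pool_addr, pool_port)
    return flow, translated


def session_entry(orig, xlat, app="http"):
    """Render like 'display firewall session table':
    src:port[post-NAT src:port]-->dst:port[post-NAT dst:port]."""
    return (f"{app}  VPN:public --> public "
            f"{orig.src}:{orig.sport}[{xlat.src}:{xlat.sport}]-->"
            f"{orig.dst}:{orig.dport}[{xlat.dst}:{xlat.dport}]")


def translate_reply(reply, orig, xlat):
    """Reverse direction: the server's reply is matched against the translated
    half of the session and restored to the original addresses, so both its
    source and destination become public again."""
    expected = (xlat.dst, xlat.dport, xlat.src, xlat.sport)
    if (reply.src, reply.sport, reply.dst, reply.dport) != expected:
        raise ValueError("reply does not belong to this session")
    return Flow(reply.proto, orig.dst, orig.dport, orig.src, orig.sport)


def inbound_example():
    """Section 1: Internet user 1.1.1.2 -> 1.1.1.1:9980, NAT Inbound pool 10.1.1.100."""
    request = Flow("tcp", "1.1.1.2", 2049, "1.1.1.1", 9980)
    orig, xlat = bidirectional_nat(request, policy_dst="10.1.1.2", pool_addr="10.1.1.100")
    reply = Flow("tcp", "10.1.1.2", 80, "10.1.1.100", 2048)   # what the server sends back
    return session_entry(orig, xlat), translate_reply(reply, orig, xlat)


def intrazone_example():
    """Section 2: intranet host 10.1.1.3 -> 1.1.1.1:9980, intrazone pool 1.1.1.100."""
    request = Flow("tcp", "10.1.1.3", 2050, "1.1.1.1", 9980)
    orig, xlat = bidirectional_nat(request, policy_dst="10.1.1.2", pool_addr="1.1.1.100")
    return session_entry(orig, xlat)


def policy_on_public_address():
    """Common mistake: 'policy destination 1.1.1.1' matches nothing, because the
    destination has already been rewritten to 10.1.1.2 when the policy runs.
    Returns the post-NAT source, which stays untranslated."""
    request = Flow("tcp", "1.1.1.2", 2049, "1.1.1.1", 9980)
    _, xlat = bidirectional_nat(request, policy_dst="1.1.1.1", pool_addr="10.1.1.100")
    return xlat.src


if __name__ == "__main__":
    print(inbound_example()[0])
    print(intrazone_example())
    print("policy on 1.1.1.1 leaves source as", policy_on_public_address())
```

Running the block prints the two session entries exactly as the page shows them; `policy_on_public_address()` returns `1.1.1.2`, i.e. the source is not translated at all when the policy is keyed on the pre-NAT-Server address.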

Figure 1-2 Address translation procedures for NAT Inbound + NAT Server


Here you may ask: the Internet user can access the intranet server even if NAT Inbound is not configured, so why configure it? The answer lies in how the intranet server handles the response packet.

We have placed the addresses in the NAT address pool in the same network segment as the intranet server. When the intranet server replies to the Internet user's request, it finds that the destination address (the post-NAT source address) is in its own network segment. It therefore does not look up its routing table; instead, it broadcasts an ARP request for the MAC address of that destination. The firewall answers the ARP request with the MAC address of its interface connected to the intranet server, so the server sends the response packet to the firewall, which then processes it.

Because the intranet server never consults its routing table, it needs no gateway. This is the benefit of NAT Inbound. Someone may say that it is easier to set a gateway on the server than to configure NAT Inbound on the firewall. That is true if there is only one server; with dozens or even hundreds of servers, the convenience of the NAT Inbound configuration becomes obvious. Note that applying bidirectional NAT in this way has a prerequisite: the intranet server and the firewall must be in the same network segment. Otherwise, this use of bidirectional NAT does not apply.

If a Trust zone is added to this networking and intranet users in the Trust zone need to access the intranet server in the DMZ, how is bidirectional NAT configured? The NAT Server configuration remains unchanged, while the Source NAT configuration changes slightly. Because the security level of the Trust zone is higher than that of the DMZ, NAT Outbound is required for packets from the Trust zone to the DMZ. That is, the bidirectional NAT configuration becomes NAT Server + NAT Outbound.

2 Intrazone NAT + NAT Server

The combination of intrazone NAT and NAT Server applies to small networks. Figure 1-3 shows a typical small network, in which the administrator, to simplify planning, places the intranet host and server in the same security zone.

Figure 1-3 Networking diagram for intrazone NAT + NAT Server


In this networking, if the intranet host wants to access the intranet server through the public address 1.1.1.1, NAT Server must be configured on the firewall. However, NAT Server alone is not enough. As shown in Figure 1-4, after a packet from the intranet host to the intranet server arrives at the firewall, the firewall translates the destination address from 1.1.1.1 to 10.1.1.2. When the intranet server replies, it finds that the destination address is in its own network segment, and the reply is forwarded directly through the switch to the intranet host, bypassing the firewall. The firewall then sees only one direction of the flow, so its session state and security policy never apply to the server's replies.

Figure 1-4 Diagram for packet forwarding after NAT Server is configured


To improve intranet security by forcing the intranet server's reply packets through the firewall, we must configure intrazone NAT to translate the source address of the packet from the intranet host to the intranet server. The post-NAT source address can be public or private, as long as it is not in the same network segment as the intranet server, which ensures that the server's reply packets are routed to the firewall.
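The two rules for the post-NAT source address (section 1: put it in the server's segment so the server needs no gateway; this section: put it outside the server's segment so the reply is routed to the firewall) both come down to the same forwarding decision the server makes for its reply. The following Python model is an added example, not code from the original post or from the firewall; it decides where the server sends its reply and checks a planned address pool against each rule. The /24 mask, the firewall's DMZ-side address 10.1.1.1 and the assumption that the firewall answers ARP only for its own NAT pool addresses are assumptions of this example; 10.1.1.2, 10.1.1.3, 10.1.1.100 and 1.1.1.100 are the page's addresses.

```python
from ipaddress import ip_address, ip_interface

# Constructed topology following the page's figures. The /24 mask and the
# firewall's DMZ-side address 10.1.1.1 are assumptions of this example.
SERVER = ip_interface("10.1.1.2/24")
FIREWALL_IF = ip_address("10.1.1.1")
INBOUND_POOL = frozenset({ip_address("10.1.1.100")})   # section 1 address-group 1
INTRAZONE_POOL = frozenset({ip_address("1.1.1.100")})  # section 2 address-group 1


def reply_path(server, reply_dst, firewall_pool, gateway):
    """Model of the server's forwarding decision for a reply to reply_dst
    (the post-NAT source address of the request it received).
    firewall_pool: addresses the firewall answers ARP for (its NAT pool).
    gateway: the server's default gateway, or None if none is configured.
    Returns 'arp-to-firewall', 'arp-direct', 'gateway-firewall',
    'gateway-other' or 'unreachable'."""
    dst = ip_address(reply_dst)
    if dst in server.network:
        # Same segment: no routing lookup, the server ARPs for dst. The firewall
        # answers for its own pool addresses; any other on-link host answers itself.
        return "arp-to-firewall" if dst in firewall_pool else "arp-direct"
    if gateway is None:
        return "unreachable"
    return "gateway-firewall" if ip_address(gateway) == FIREWALL_IF else "gateway-other"


def traverses_firewall(path):
    """True when the reply comes back through the firewall, so the session's
    reverse translation (and any security policy) is applied to it."""
    return path in ("arp-to-firewall", "gateway-firewall")


def check_pool(scenario, server, pool_addr):
    """Planning check for a candidate post-NAT source address.
    'nat-inbound': the page's rule is an address in the server's segment, so the
                   server needs no gateway (section 1).
    'intrazone':   the page's rule is an address outside the server's segment, so
                   the reply is routed to the firewall (section 2).
    Returns (rule_satisfied, reason)."""
    on_link = ip_address(pool_addr) in server.network
    if scenario == "nat-inbound":
        if on_link:
            return True, "server ARPs for the pool address; no gateway needed"
        return False, "pool is off-link: the server needs a gateway, so NAT Inbound brings no benefit"
    if scenario == "intrazone":
        if not on_link:
            return True, "reply is routed to the gateway, i.e. the firewall"
        return False, "pool shares the server's segment; the rule requires an address outside it"
    raise ValueError(f"unknown scenario {scenario!r}")


def section_1_with_nat_inbound():
    """Figure 1-2: source translated to 10.1.1.100; the server has no gateway at all."""
    return reply_path(SERVER, "10.1.1.100", INBOUND_POOL, gateway=None)


def section_2_without_intrazone_nat():
    """Figure 1-4: only NAT Server, so the server replies to the host 10.1.1.3 itself."""
    return reply_path(SERVER, "10.1.1.3", INTRAZONE_POOL, gateway="10.1.1.1")


def section_2_with_intrazone_nat():
    """Figure 1-5: the host's source was translated to 1.1.1.100."""
    return reply_path(SERVER, "1.1.1.100", INTRAZONE_POOL, gateway="10.1.1.1")


if __name__ == "__main__":
    for name, fn in [("section 1, NAT Inbound", section_1_with_nat_inbound),
                     ("section 2, NAT Server only", section_2_without_intrazone_nat),
                     ("section 2, intrazone NAT", section_2_with_intrazone_nat)]:
        path = fn()
        print(f"{name}: {path} (through firewall: {traverses_firewall(path)})")
    for scenario, pool in [("nat-inbound", "10.1.1.100"), ("nat-inbound", "1.1.1.100"),
                           ("intrazone", "1.1.1.100"), ("intrazone", "10.1.1.100")]:
        print(scenario, pool, check_pool(scenario, SERVER, pool))
```

The "NAT Server only" case returns `arp-direct`, which is the bypass shown in Figure 1-4; both bidirectional cases return a path that traverses the firewall. The `unreachable` result is what happens in section 1 if NAT Inbound is omitted and the server has no gateway: the reply to 1.1.1.2 is off-link and cannot be sent.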

The NAT Server and intrazone NAT are configured as follows. The blackhole route configuration is the same as that provided in previous sections and is therefore omitted here. Let's first look at the NAT Server configuration.

[FW] nat server protocol tcp global 1.1.1.1 9980 inside 10.1.1.2 80

After the configuration is complete, the following server map is generated on the firewall:

[FW] display firewall server-map

server-map item(s)

 ------------------------------------------------------------------------------

 Nat Server, any -> 1.1.1.1:9980[10.1.1.2:80], Zone: ---

   Protocol: tcp(Appro: unknown), Left-Time: --:--:--, Addr-Pool: ---

   VPN: public -> public

 

 Nat Server Reverse, 10.1.1.2[1.1.1.1] -> any, Zone: ---

   Protocol: any(Appro: ---), Left-Time: --:--:--, Addr-Pool: ---

   VPN: public -> public

Then, let's look at the intrazone NAT configuration. It is almost the same as the interzone NAT configuration; the only difference is that the policy applies within a zone rather than between zones.

[FW] nat address-group 1 1.1.1.100 1.1.1.100   //The address can be either a public or private address but cannot be in the same network segment as the intranet server.

[FW] nat-policy zone trust

[FW-nat-policy-zone-trust] policy 1

[FW-nat-policy-zone-trust-1] policy destination 10.1.1.2 0   //As NAT Server is performed prior to intrazone NAT, the destination address here is the post-NAT Server address, namely, the private address of the server.

[FW-nat-policy-zone-trust-1] action source-nat

[FW-nat-policy-zone-trust-1] address-group 1

[FW-nat-policy-zone-trust-1] quit

[FW-nat-policy-zone-trust] quit

The security policy configuration is not provided because, by default, firewalls (except the USG6000 series) do not control packets transmitted within a security zone. Of course, administrators can configure intrazone security policies as required.

After the configuration is complete and the intranet host (10.1.1.3) accesses the intranet server through the public address 1.1.1.1, we can view the session table on the firewall. The output shows that both the source and destination addresses of the packet have been translated.

[FW] display firewall session table

Current Total Sessions : 1

  http  VPN:public --> public 10.1.1.3:2050[1.1.1.100:2048]-->1.1.1.1:9980[10.1.1.2:80]

Figure 1-5 shows the packet forwarding process.

Figure 1-5 Diagram for packet forwarding after intrazone NAT and NAT Server are configured


Based on this networking, if the intranet host and server are instead connected to the firewall through interfaces in different network segments, only NAT Server is required, because all packets between the intranet host and server are then forwarded through the firewall anyway.

After the preceding description, do you agree that the principle and configuration of bidirectional NAT are not complicated? What matters is the NAT direction and the role of the post-NAT addresses, not whether those addresses are public or private. In addition, bidirectional NAT is not always required; sometimes Source NAT or NAT Server alone achieves the same effect. Used flexibly, bidirectional NAT simplifies network configuration and facilitates network management, achieving an effect where one plus one is greater than two.


To view the list of all Dr. WoW technical posts, click here.


wissal (MVE), created Apr 10, 2018 15:49:05

useful document, thanks
w1, created May 19, 2018 01:28:58

useful document, thanks:)

karam_nashwan, created Aug 13, 2018 07:05:05

a very useful document, thank you