
Source NAT types of firewall

Latest reply: Feb 2, 2022 14:09:55

A firewall, like a router, can use the NAT function to translate addresses. Compared with a router, however, the firewall's NAT function offers richer options, so administrators can apply NAT more flexibly. This article discusses the source NAT function of the firewall.

Source NAT on the firewall falls into two categories: modes that translate only the address, and modes that translate both the address and the port. The address-only category contains NAT No-PAT; the address-and-port category contains NAPT, Smart NAT, Easy IP, and triple NAT.

NAT No-PAT

NAT No-PAT performs only simple source address translation. When the administrator configures NAT No-PAT, a NAT address pool must be specified. When the device translates the source address of a user's packets, it selects an IP address from the pool, replaces the source IP address of the packet with it, creates both a server-map entry and a session entry, and then forwards the packet.

Because each user needs its own public address for source address replacement, 100 intranet users require 100 public addresses to be translated simultaneously. NAT No-PAT therefore does not save public address resources.


Figure 1: NAT No-PAT translates each source IP to a unique public IP address

NAPT

Compared with NAT No-PAT, NAPT translates not only the source IP address but also the source port. This allows one public IP address to serve multiple private network users, with the firewall distinguishing the users by port number. In addition, unlike NAT No-PAT, NAPT does not generate both a server-map entry and a session entry for each translation; it generates only a session entry.


Figure 2: NAPT translates both the IP and port

Smart NAT

Smart NAT was introduced to resolve the limitation that NAT No-PAT can serve only a small number of intranet users' address translation needs. Smart NAT combines the NAT No-PAT and NAPT modes: one IP address in the address pool is designated as a reserved IP. When the remaining addresses in the pool have been exhausted by NAT No-PAT and additional users still need address translation, the firewall performs NAPT translation for these users.
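As an added example (not from the original post or from any vendor code), the allocator below models the Smart NAT policy just described: each new host takes a whole pool address in No-PAT fashion until the non-reserved addresses run out, after which flows fall back to NAPT on the reserved address. The pool, the reserved address, the private hosts and the starting port 1024 are all constructed assumptions.

```python
from itertools import count


class SmartNat:
    """Toy Smart NAT: No-PAT from the pool, NAPT on the reserved IP once exhausted."""

    def __init__(self, pool, reserved):
        assert reserved in pool, "reserved IP must come from the pool"
        self.reserved = reserved
        # Addresses usable for NAT No-PAT (one whole public IP per private host)
        self.free_ips = [ip for ip in pool if ip != reserved]
        self.no_pat = {}              # private ip -> public ip (1:1 binding)
        self.napt = {}                # (private ip, private port) -> (reserved ip, port)
        self.next_port = count(1024)  # assumption: NAPT ports handed out from 1024

    def translate(self, src_ip, src_port):
        """Return (public_ip, public_port, mode) for an outbound flow."""
        if src_ip in self.no_pat:
            # Host already owns a pool address: keep the port unchanged
            return self.no_pat[src_ip], src_port, "no-pat"
        if self.free_ips:
            pub = self.free_ips.pop(0)
            self.no_pat[src_ip] = pub
            return pub, src_port, "no-pat"
        # Pool exhausted by No-PAT: translate address AND port on the reserved IP
        key = (src_ip, src_port)
        if key not in self.napt:
            self.napt[key] = (self.reserved, next(self.next_port))
        pub_ip, pub_port = self.napt[key]
        return pub_ip, pub_port, "napt"


def demo():
    """Four constructed hosts against a three-address pool with one reserved IP."""
    nat = SmartNat(pool=["1.1.1.1", "1.1.1.2", "1.1.1.3"], reserved="1.1.1.3")
    flows = [("10.1.1.1", 5000), ("10.1.1.2", 5000),
             ("10.1.1.3", 5000), ("10.1.1.4", 5000),
             ("10.1.1.1", 6000)]  # second flow from a No-PAT host keeps its IP
    return [nat.translate(*f) for f in flows]
```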

Easy IP

Easy IP mode is very similar to NAPT: both translate the source IP address and the source port at the same time. However, NAPT cannot handle scenarios where the user's public IP is not fixed, such as a PPPoE dial-up user, because no NAT address pool can be specified on the device in that case. Easy IP mode can be used instead.

Easy IP replaces the source IP address of the packet with the IP address of the outbound interface, so no NAT address pool needs to be specified. This makes address translation possible in PPPoE scenarios.

Triple NAT

Triple NAT also translates addresses and ports at the same time. Its biggest difference from the other source NAT modes is that triple NAT allows public network users to access private network users. The reason is that the other source NAT modes work in 5-tuple mode, in which different private network users may share the same port number of the same public IP, for example:

Assume that the NAT address is 1.1.1.1.

When source address 10.1.1.1 accesses TCP port 80 of 2.2.2.2, port 1000 of 1.1.1.1 is used to mark the session. If 10.1.1.2 then accesses TCP port 200 of 2.2.2.2, port 1000 of 1.1.1.1 can still be used to mark this new session. However, if 10.1.1.2 also accesses TCP port 80 of 2.2.2.2, the session must be marked with a different port of 1.1.1.1.


Figure 3: Port reuse in 5-tuple NAT

In other words, because the firewall marks each session with a five-tuple (source address, source port, destination address, destination port, protocol number), two sessions whose translated source address and source port are identical can still be distinguished as long as their destination IP address or destination port differs.

Unlike five-tuple NAT, triple NAT does not reuse port numbers, so a public IP address and port uniquely identify one user, which makes it possible to access private network users from the public network.

Like NAT No-PAT, triple NAT generates both a server-map entry and a session entry.
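The following toy session table is an added example (not code from the original post or from any firewall) that replays the three flows above in both modes: in 5-tuple mode port 1000 of 1.1.1.1 is shared by the two flows towards different destination ports, so no inbound mapping exists, while in triple NAT mode every flow gets its own public port and a server-map entry that an unsolicited inbound packet can be matched against. The private source ports and the sequential port allocation starting at 1000 are constructed assumptions.

```python
from dataclasses import dataclass, field

PUBLIC_IP = "1.1.1.1"  # NAT address used in the post
FIRST_PORT = 1000      # assumption: public ports are handed out upwards from here


@dataclass
class NatTable:
    triple: bool  # False = 5-tuple NAPT, True = triple NAT
    sessions: dict = field(default_factory=dict)    # 5-tuple -> (pub_ip, pub_port)
    port_users: dict = field(default_factory=dict)  # (pub_ip, pub_port, proto) -> 5-tuples
    server_map: dict = field(default_factory=dict)  # triple NAT only: public -> (src_ip, src_port)

    def translate(self, src_ip, src_port, dst_ip, dst_port, proto="tcp"):
        """Return the public (ip, port) used to mark this outbound flow."""
        key = (src_ip, src_port, dst_ip, dst_port, proto)
        if key in self.sessions:  # existing session entry
            return self.sessions[key]
        port = FIRST_PORT
        while True:
            pub = (PUBLIC_IP, port, proto)
            holders = self.port_users.get(pub, set())
            if self.triple:
                clash = bool(holders)  # a public port is never shared
            else:
                # 5-tuple: the port may be shared unless a flow on it already goes to
                # the same destination, which would make the replies indistinguishable
                clash = any(k[2:4] == (dst_ip, dst_port) for k in holders)
            if not clash:
                break
            port += 1
        self.sessions[key] = (PUBLIC_IP, port)
        self.port_users.setdefault(pub, set()).add(key)
        if self.triple:  # the server-map entry that makes inbound access possible
            self.server_map[pub] = (src_ip, src_port)
        return PUBLIC_IP, port

    def inbound(self, pub_port, proto="tcp"):
        """Private (ip, port) for an unsolicited packet to PUBLIC_IP:pub_port, or None
        when no server-map entry exists (always the case for 5-tuple NAT here)."""
        return self.server_map.get((PUBLIC_IP, pub_port, proto))


def walk_through(triple):
    """Replay the post's three flows (private ports constructed); return table and public ports."""
    nat = NatTable(triple=triple)
    flows = [("10.1.1.1", 40000, "2.2.2.2", 80),
             ("10.1.1.2", 40000, "2.2.2.2", 200),
             ("10.1.1.2", 40001, "2.2.2.2", 80)]
    return nat, [nat.translate(*f)[1] for f in flows]
```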

Summary

Table 1 shows the similarities and differences of these five source NAT modes in detail.

| | NAT No-PAT | NAPT | Smart NAT | Easy IP | Triple NAT |
|---|---|---|---|---|---|
| Translates source IP | Y | Y | Y | Y | Y |
| Translates source port | N | Y | Y | Y | Y |
| Generates server-map entry | Y | N | N | N | Y |
| Generates session entry | Y | Y | Y | Y | Y |
| Allows public network users to actively access | Y | N | N | N | Y |
| Needs NAT address pool | Y | Y | Y | N | Y |


For destination NAT, see Destination NAT types of firewall.



Why do you think the firewall divides source NAT into so many modes?
Unicef, Dec 23, 2021 11:58:30:
thanks

wissal, Dec 23, 2021 13:15:50:
Thank you, my friend

zaheernew, Dec 23, 2021 18:22:01:
Thanks for tag

lucian2003, Dec 23, 2021 23:55:30:
It is good to know

andersoncf1, Dec 31, 2021 16:43:53:
thanks master

Ferfox86, Jan 31, 2022 13:25:02:
Thanks for the information.

Very interesting similarities and differences between these five source NAT modes

Very important knowledge, well explained.

chenhui, Dec 24, 2021 01:05:24:
Thank you!

IndianKid (Moderator Author), Dec 23, 2021 14:37:07:
very useful and important post, thanks for sharing dear

good one

chenhui, Dec 27, 2021 01:13:19:
Thank you!

useful document

informative

chenhui, Dec 27, 2021 01:13:30:
Thank you!

IndianKid (Moderator Author), Dec 25, 2021 04:12:18:
good article about Source NAT mode of USG firewall, thanks for sharing

Good information to be aware of.

chenhui, Dec 27, 2021 01:13:39:
Thank you!