Network Address Translation (NAT)

NAT - Common Traits

Every TCP packet contains a source IP address, source port, destination IP address, and destination port. All types of NAT create NAT mappings using these values. For example, an internal client with IP 192.168.0.1 using source port 56876 may connect to a website at IP 56.45.78.89 (destination IP address) on port 80 (destination port); on the outside, the connection appears to come from IP 45.34.78.98 (translated source IP) and port 56876 (source port). NAT creates a mapping from these 4 values to the 192.168.0.1 internal client for that specific connection. When packets come back from the website to the router carrying the same values associated with that mapping, NAT forwards the packets to the internal client.

Don’t confuse NAT Restriction with NAT Translation – For example, a Full Cone NAT only looks at the destination port when choosing whether to accept the connection or not (the restriction). When it does the actual NAT translation, however, it always uses the 4 values mentioned above.

NAT - Categories

  • Static NAT - the NAT mappings are manually set up and are usually associated with inbound types of NAT
  • Dynamic NAT - the NAT mappings are automatically set up on demand and are usually associated with outbound types of NAT

NAT - Translation Methods

see: https://www.youtube.com/watch?v=FExZvpVvYxA&t=1014s

Full Cone NAT - Port Forwarding (Category: STATIC)

  • once an internal address (iAddr:iPort) is mapped to an external address (eAddr:ePort), any packets from iAddr:iPort are sent through eAddr:ePort
  • any external host can send packets to iAddr:iPort by sending packets to eAddr:ePort

Address Restricted Cone NAT (Category: DYNAMIC)

  • once an internal address (iAddr:iPort) is mapped to an external address (eAddr:ePort), any packets from iAddr:iPort are sent through eAddr:ePort
  • an external host (hAddr:any) can send packets to iAddr:iPort by sending packets to eAddr:ePort only if iAddr:iPort has previously sent a packet to hAddr:any. “Any” means the port number doesn’t matter.

Address Port Restricted Cone NAT (Category: DYNAMIC)

  • once an internal address (iAddr:iPort) is mapped to an external address (eAddr:ePort), any packets from iAddr:iPort are sent through eAddr:ePort
  • an external host (hAddr:hPort) can send packets to iAddr:iPort by sending packets to eAddr:ePort only if iAddr:iPort has previously sent a packet to hAddr:hPort

Symmetric NAT (Category: DYNAMIC)

  • each request from the same internal IP address and port to a specific destination IP address and port is mapped to a unique external source IP address and port; if the same internal host sends a packet, even with the same internal IP address and port, but to a different destination, a different mapping is used
  • only an external host that receives a packet from an internal host can send a packet back

NAT - Translation Methods Comparison

Let’s say the NAT device has public IP address 5.5.5.5 and that it serves an internal computer with private IP address 10.0.0.2.

Let’s also say that the NAT device contains a STATIC mapping:

| Internal IP | Internal Port | External IP | External Port |
| 10.0.0.2    | 8992          | 5.5.5.5     | 3333          |

Let’s also say that the NAT device contains the following DYNAMIC mappings:

| Internal IP | Internal Port | External IP | External Port | Destination IP | Destination Port |
| 10.0.0.2    | 8992          | 5.5.5.5     | 3333          | 4.4.4.4        | 80               |
| 10.0.0.2    | 8888          | 5.5.5.5     | 2222          | 3.3.3.3        | 8080             |

Given the STATIC and DYNAMIC mappings above, let’s simulate incoming packets sent to the NAT device under each of the following Translation Methods.

Packet Details (first five columns) and Translation Methods (last four columns):

| Packet Number | Source IP | Source Port | Dest IP | Dest Port | Full Cone | Address Restricted | Address Port Restricted | Symmetric |
| 1             | 4.4.4.4   | 80          | 5.5.5.5 | 3333      | PASS      | PASS               | PASS                    | PASS      |
| 2             | 3.3.3.3   | 8080        | 5.5.5.5 | 3333      | PASS      | PASS               | PASS                    | DROP      |
| 3             | 3.3.3.3   | 22          | 5.5.5.5 | 3333      | PASS      | PASS               | DROP                    | DROP      |
| 4             | 9.8.1.2   | 23          | 5.5.5.5 | 3333      | PASS      | DROP               | DROP                    | DROP      |
| 5             | 9.8.1.2   | 23          | 5.5.5.5 | 22        | DROP      | DROP               | DROP                    | DROP      |
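As an added worked example (not part of the original notes), the Python script below models the NAT described in the Common Traits, Translation Methods and Comparison sections: it records the STATIC mapping and the two DYNAMIC mappings, applies the restriction of each translation method to the five inbound packets, and only then performs the translation to the internal address, keeping restriction and translation apart as the notes stress. Running it reproduces the PASS/DROP table. Assumptions that are mine, not the notes’: the class and function names; the external ports are passed in by the caller (a real NAT chooses them) so that the mappings match the tables; and the restricted-cone checks are evaluated per internal host rather than per iAddr:iPort, which is what the table’s PASS for packet 2 under both restricted cones implies, since only 10.0.0.2:8888, not 10.0.0.2:8992, ever sent to 3.3.3.3.

```python
"""NAT mapping and filtering simulator (added example, not from the notes).
Scenario: public IP 5.5.5.5, internal host 10.0.0.2, one STATIC mapping,
two DYNAMIC mappings, five inbound packets, four translation methods."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Addr = Tuple[str, int]  # (ip, port)

FULL_CONE = "Full Cone"
ADDRESS_RESTRICTED = "Address Restricted"
ADDRESS_PORT_RESTRICTED = "Address Port Restricted"
SYMMETRIC = "Symmetric"
METHODS = (FULL_CONE, ADDRESS_RESTRICTED, ADDRESS_PORT_RESTRICTED, SYMMETRIC)


@dataclass(frozen=True)
class DynamicMapping:
    """Created on demand when an internal host sends an outbound packet."""
    internal: Addr
    external: Addr
    destination: Addr


@dataclass(frozen=True)
class Packet:
    src: Addr
    dst: Addr


class Nat:
    def __init__(self, public_ip: str) -> None:
        self.public_ip = public_ip
        self.static: Dict[Addr, Addr] = {}       # external -> internal, set by hand
        self.dynamic: List[DynamicMapping] = []  # created by outbound traffic

    def add_static(self, internal: Addr, external_port: int) -> None:
        self.static[(self.public_ip, external_port)] = internal

    def outbound(self, src: Addr, dst: Addr, external_port: int) -> Addr:
        """Record the dynamic mapping an outbound packet creates and return the
        translated source. A real NAT picks external_port itself; the caller
        supplies it here (assumption) so the result matches the page's tables."""
        entry = DynamicMapping(src, (self.public_ip, external_port), dst)
        if entry not in self.dynamic:
            self.dynamic.append(entry)
        return entry.external

    def _internal_for(self, external: Addr) -> Optional[Addr]:
        """Translation step: which internal socket owns eAddr:ePort?"""
        if external in self.static:
            return self.static[external]
        for m in self.dynamic:
            if m.external == external:
                return m.internal
        return None

    def inbound(self, pkt: Packet, method: str) -> Optional[Addr]:
        """Apply the restriction for `method`, then translate. Returns the
        internal (ip, port) the packet is forwarded to, or None if dropped."""
        internal = self._internal_for(pkt.dst)
        if internal is None:
            return None  # nothing is mapped to eAddr:ePort: every method drops
        if method == FULL_CONE:
            return internal  # only the existence of the mapping matters
        if method == SYMMETRIC:
            # The mapping is bound to one destination; the sender must be it.
            for m in self.dynamic:
                if m.external == pkt.dst and m.destination == pkt.src:
                    return m.internal
            return None
        # Restricted cones. Assumption (to match the page's table): the check is
        # per internal host, i.e. any port of 10.0.0.2, not per iAddr:iPort.
        sent_to = [m.destination for m in self.dynamic if m.internal[0] == internal[0]]
        if method == ADDRESS_RESTRICTED:
            return internal if any(d[0] == pkt.src[0] for d in sent_to) else None
        if method == ADDRESS_PORT_RESTRICTED:
            return internal if pkt.src in sent_to else None
        raise ValueError(f"unknown method {method!r}")


def build_page_nat() -> Nat:
    """The STATIC and DYNAMIC mappings from the comparison section."""
    nat = Nat("5.5.5.5")
    nat.add_static(("10.0.0.2", 8992), 3333)
    nat.outbound(("10.0.0.2", 8992), ("4.4.4.4", 80), 3333)
    nat.outbound(("10.0.0.2", 8888), ("3.3.3.3", 8080), 2222)
    return nat


# The five inbound packets of the simulation table (packet 1 is index 0).
PAGE_PACKETS = [
    Packet(("4.4.4.4", 80), ("5.5.5.5", 3333)),
    Packet(("3.3.3.3", 8080), ("5.5.5.5", 3333)),
    Packet(("3.3.3.3", 22), ("5.5.5.5", 3333)),
    Packet(("9.8.1.2", 23), ("5.5.5.5", 3333)),
    Packet(("9.8.1.2", 23), ("5.5.5.5", 22)),
]


def simulate(nat: Nat, packets: List[Packet]) -> Dict[int, Dict[str, str]]:
    """PASS/DROP verdict of every packet under every translation method."""
    return {n: {m: "PASS" if nat.inbound(p, m) is not None else "DROP" for m in METHODS}
            for n, p in enumerate(packets, start=1)}


if __name__ == "__main__":
    for n, row in simulate(build_page_nat(), PAGE_PACKETS).items():
        p = PAGE_PACKETS[n - 1]
        print(n, f"{p.src[0]}:{p.src[1]} -> {p.dst[0]}:{p.dst[1]}", row)
```

Packet 5 is dropped before any restriction is consulted, because no mapping exists for 5.5.5.5:22 at all; the other rows differ only in the restriction, and `inbound` returns the same internal socket 10.0.0.2:8992 whenever it passes, which is the translation step the Common Traits section keeps separate from the restriction.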