Application Firewall

Technical White Paper on NAT

With the development of the Internet and the growing number of network applications, the exhaustion of the IPv4 address space is becoming a constraint on the development of the Internet. Although IPv6 avoids the shortage of IPv4 addresses, many network devices and network applications are still based on IPv4. Meanwhile, as major domestic operators expand their services, the number of Internet users keeps growing and IP address resources become scarce, an issue that IPv4 network development must address now. Before IPv6 is widely adopted, Network Address Translation (NAT) is the main means of addressing this issue effectively.

As a transitional solution, NAT meets the demand for IP addresses by address multiplexing, relieving to some extent the pressure caused by the exhausted IP address space. Private IP addresses are used for internal access. For external communication or access to external resources, the NAT gateway replaces the source IP address of the original packet with a legal public network IP address and keeps a record of this translation. When the reply packet returns from the external network, the NAT gateway looks up the record, replaces the packet's destination address with the original private network IP address, and sends it back to the host that originated the request. For ordinary users, this is indistinguishable from ordinary network access.

2. DPtech NAT technology

Encompassing multiple NAT technologies, the DPtech NAT solution aims to meet the networking requirements of metropolitan area networks, IDCs, campus networks and other scenarios.

2.1 Source address NAT

As a kind of N:1 address translation technology, source address NAT translates addresses using the combination of IP address and port number, allowing multiple private network users to share one public IP address for external network access. It is the primary form of IP address translation, also known as NAPT.


Fig. 1 Source NAT configuration

DPtech provides flexible NAT multiplexing modes: users may translate to the address of the outbound interface or to a NAT address pool, and may exempt specific flows from NAT. It is convenient to deploy and meets a variety of needs.

2.2 Destination address NAT

For security reasons, public network users are generally not allowed to access most private network hosts. In some real scenarios, however, public network users must be given access to servers in the private network. In source NAT mode, access initiated by a public network user cannot create a NAT entry dynamically, so the public network user cannot reach the private network host. To address this, the destination address NAT (internal server mapping) mode enables reverse translation from a public network address to a private one by configuring the mapping between "public IP address + port number" and "private IP address + port number".

The destination address NAT has the following process:

1. Manually configure the static destination NAT translation entries (forward and reverse) on the NAT device.

2. The NAT device receives the packet sent by the host on the public network side to access the server on the private network side.

3. According to the "destination IP address + destination port number" of the public network side packet, the NAT device searches for the destination NAT rule entry, converts the packet to the private network side based on the table lookup result, and establishes sessions.

4. Upon receiving the response packet from the private network side, the NAT device looks up the session by the packet's 5-tuple. It matches the reverse flow information of the session and, based on the lookup result, translates the packet back to the public network side.
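The destination NAT process above, as an added example (constructed for this page, not DPtech's implementation): a static "public IP + port" to "private IP + port" entry, a forward lookup on the public-side packet by destination IP and port, and a 5-tuple session table that translates the server's reply back to the public side. The gateway also performs dynamic source NAPT for private-side flows, so the same session table serves both directions; the addresses and ports are made up.

```python
class NatGateway:
    """Constructed model of a NAT gateway: static destination NAT entries plus a
    session table keyed by 5-tuple (proto, src_ip, src_port, dst_ip, dst_port).
    Illustrative only; not DPtech's implementation."""

    def __init__(self, public_ip, first_port=1025):
        self.public_ip = public_ip
        self.next_port = first_port      # next free port for dynamic source NAPT
        self.dnat = {}        # (public_ip, public_port) -> (private_ip, private_port)
        self.forward = {}     # original 5-tuple -> translated 5-tuple
        self.reverse = {}     # reply 5-tuple (as it arrives) -> translated reply

    def add_dnat(self, public_port, private_ip, private_port):
        # step 1: static destination NAT entry configured by the administrator
        self.dnat[(self.public_ip, public_port)] = (private_ip, private_port)

    def _install(self, pkt, xlated):
        # one session covers both directions: the reply arrives with the translated
        # src/dst swapped and must be mapped back to the original addresses
        proto, s_ip, s_port, d_ip, d_port = xlated
        self.forward[pkt] = xlated
        self.reverse[(proto, d_ip, d_port, s_ip, s_port)] = (proto, pkt[3], pkt[4], pkt[1], pkt[2])

    def _existing(self, pkt):
        return self.reverse.get(pkt) or self.forward.get(pkt)

    def from_public(self, pkt):
        """Steps 2-3: packet from the public side; match an existing session, otherwise
        look up the destination NAT rule by (dst_ip, dst_port)."""
        hit = self._existing(pkt)
        if hit:
            return hit
        proto, s_ip, s_port, d_ip, d_port = pkt
        target = self.dnat.get((d_ip, d_port))
        if target is None:
            return None   # no rule and no session: the public side cannot create an entry
        xlated = (proto, s_ip, s_port, target[0], target[1])
        self._install(pkt, xlated)
        return xlated

    def from_private(self, pkt):
        """Step 4 for replies (session lookup by 5-tuple); otherwise dynamic source NAPT."""
        hit = self._existing(pkt)
        if hit:
            return hit
        proto, s_ip, s_port, d_ip, d_port = pkt
        xlated = (proto, self.public_ip, self.next_port, d_ip, d_port)
        self.next_port += 1
        self._install(pkt, xlated)
        return xlated
```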


Fig. 2 Destination NAT configuration

2.3 One-to-one NAT

As an advanced form of destination address NAT, one-to-one NAT maps the private network IP of an internal server to a public network IP address through a static one-to-one configuration. In other words, one-to-one NAT exposes all services of the internal private network server, allowing public network users to access them through the public network IP address. The configuration is as follows:


2.4 Sticky NAT function

When an IP address passes through the NAT device, it is translated. Based on the mapping between the translated IP and the initiator IP, every subsequent packet from that initiator IP passing through the NAT device is translated to the same, first-mapped IP address.

Fig. 3 Sticky NAT

Some video surveillance client software must communicate constantly with multiple servers and requires the IP and port to stay consistent. Likewise, online banking services require the same IP address for login, authentication and transactions. Without Sticky NAT, neither the surveillance service nor the online banking application works properly. The issue often appears on devices that allocate the IP and the port independently per session. DPtech NAT devices eliminate it by using different algorithms for IP and port allocation.

2.5 Symmetric NAT

After a stream passes through the NAT device, a mapping entry is created in the NAT gateway. During the aging period of the entry, only the reverse traffic of that stream (from the peer it was sent to) matches the entry when it reaches the NAT gateway and is translated.


Fig. 4 Symmetric NAT

2.6 Cone NAT

After a stream is translated by the NAT translation device, any IP address is allowed to access the translated IP and port during the aging period of the entry.

Fig. 5 Cone NAT

Cone NAT is mainly used in environments where P2P is widely used. Because NAT breaks the end-to-end model of IP, cone NAT aims to compensate for the defects of NAT with respect to UDP. Nowadays, various UDP protocols also take NAT devices into account, so some UDP-based applications, such as QQ, are able to traverse NAT devices.

Cone NAT is mainly deployed in scenarios where users are sensitive to the application experience, such as P2P download. Because the end-to-end model is broken, a download packet that the public network side sends to the translated private network address is discarded by the NAT device unless a NAT traversal protocol (such as STUN) is supported. This is where cone NAT plays a part.

The public network IP and port pair of a cone NAT entry defines the packet-matching rule of the cone NAT and is created when an internal user first accesses a UDP application on the external network. The entry ages out after 30 seconds by default; it is refreshed in real time while a public network user is sending packets to its public IP and port pair, and if no packets pass through within 30 seconds the resource pair is deleted.


Fig. 6 Cone NAT configuration

There are two special cone NAT types, restricted cone NAT and port restricted cone NAT, both of which impose further restrictions on the IP and port of external devices. For example, restricted cone NAT restricts the source IP address, allowing access only from PC2 (from any of its ports), and port restricted cone NAT also restricts the source port, allowing access only from the specific PC2 port that was contacted. This differs from full cone NAT, which imposes no restriction on IP or port at all.
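The inbound filtering behaviours of sections 2.5 and 2.6, as an added example (constructed, not DPtech code): one model that installs a mapping on the first outbound UDP packet, ages it out after 30 seconds of silence, refreshes it on traffic, and decides whether an inbound packet is delivered according to the NAT type. Symmetric NAT additionally keys the mapping on the destination, so each peer sees a different public port. Times are plain numbers supplied by the caller; the addresses are made up.

```python
FULL_CONE, RESTRICTED_CONE, PORT_RESTRICTED_CONE, SYMMETRIC = "full", "restricted", "port-restricted", "symmetric"

class UdpNat:
    """Constructed model of the four UDP mapping/filtering behaviours (not DPtech code).
    Times are seconds passed in by the caller so the aging logic is deterministic."""

    def __init__(self, kind, public_ip, aging=30):
        self.kind, self.public_ip, self.aging = kind, public_ip, aging
        self.next_port = 1025
        self.entries = {}      # key -> {"port", "peers", "last"}
        self.by_port = {}      # public port -> key

    def outbound(self, src, dst, now):
        """Private host src=(ip, port) sends to dst=(ip, port); returns the public (ip, port)."""
        # symmetric NAT keys the mapping on the destination too, so each peer gets its own port
        key = (src, dst) if self.kind == SYMMETRIC else src
        entry = self.entries.get(key)
        if entry is None or now - entry["last"] > self.aging:
            if entry is not None:
                self.by_port.pop(entry["port"], None)      # aged-out entry is replaced
            entry = {"port": self.next_port, "peers": set(), "last": now}
            self.next_port += 1
            self.entries[key] = entry
            self.by_port[entry["port"]] = key
        entry["peers"].add(dst)
        entry["last"] = now
        return self.public_ip, entry["port"]

    def inbound(self, public_port, peer, now):
        """Public peer=(ip, port) sends to public_port; returns the private (ip, port), or None if filtered."""
        key = self.by_port.get(public_port)
        if key is None:
            return None
        entry = self.entries[key]
        if now - entry["last"] > self.aging:
            return None                                    # no packets for 30 s: entry deleted
        if self.kind == FULL_CONE:
            allowed = True                                 # any IP and port may use the mapping
        elif self.kind == RESTRICTED_CONE:
            allowed = any(p[0] == peer[0] for p in entry["peers"])   # same IP, any port
        else:                                              # port restricted cone and symmetric
            allowed = peer in entry["peers"]               # exactly the IP and port that was contacted
        if not allowed:
            return None
        entry["last"] = now                                # traffic refreshes the aging timer
        return key[0] if self.kind == SYMMETRIC else key
```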

2.7 Port block NAT

First, divide the port range (1025-65535; ports 1-1023 are reserved as well-known ports) into blocks of equal size. Each IP in the address pool then provides (port range / block size) port blocks, so the total number of blocks equals ip * port / block. Each intranet IP gets an exclusive port block, so the number of intranet IP addresses must be less than or equal to the number of port blocks.

Fig. 7 Port block NAT

Port block NAT: the intranet IP range of the network device is addr1~addr2, the external network address pool is addr3~addr4, and the block size is n. The port block resources are obtained by the ip * port / block allocation; PC1 is allocated block1 and PC2 block2. When PC1 accesses PC3, the translated IP address and port lie in block1; when PC2 accesses PC3, they lie in block2.

This type of NAT is widely used where log traceability is strictly required but the log tracing system is weak. Because NAT produces a large volume of logs, users may lose logs without noticing. Port block allocation therefore replaces per-session logs with per-port-block logs. If the log system is capable and no NAT logs are lost, traceability is already adequate and there is no need to deploy this NAT.
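The static port block plan described above, as an added example (constructed, not DPtech code): the pool addr3~addr4 is cut into blocks of n ports from the 1025-65535 range, each intranet IP owns one block, and the traceability property follows from the plan alone: given a public IP and port from a log, `trace()` recovers the intranet host without any per-session log. The pool, block size and intranet range in the test are made up.

```python
import ipaddress

PORT_LOW, PORT_HIGH = 1025, 65535   # ports 1-1023 are reserved as well-known ports

def _ip_range(first, last):
    lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    return [str(ipaddress.IPv4Address(a)) for a in range(lo, hi + 1)]

class PortBlockNat:
    """Constructed model of static port block NAT (not DPtech code): every intranet IP
    owns one block of block_size consecutive ports on one public IP."""

    def __init__(self, pool_first, pool_last, block_size):
        self.pool = _ip_range(pool_first, pool_last)
        self.block_size = block_size
        self.per_ip = (PORT_HIGH - PORT_LOW + 1) // block_size   # port range / block size
        self.total = len(self.pool) * self.per_ip                 # ip * port / block
        self.block_of = {}    # intranet ip -> block index
        self.used = {}        # intranet ip -> ports already handed out from its block

    def block_range(self, index):
        ip = self.pool[index // self.per_ip]
        first = PORT_LOW + (index % self.per_ip) * self.block_size
        return ip, first, first + self.block_size - 1

    def assign_static(self, intranet_first, intranet_last):
        hosts = _ip_range(intranet_first, intranet_last)
        if len(hosts) > self.total:
            raise ValueError(f"{len(hosts)} intranet IPs but only {self.total} port blocks")
        for index, host in enumerate(hosts):
            self.block_of[host] = index
            self.used[host] = 0
        return len(hosts)

    def allocate(self, intranet_ip):
        """Next public (ip, port) for a new session of intranet_ip, or None once its block is full."""
        ip, first, last = self.block_range(self.block_of[intranet_ip])
        port = first + self.used[intranet_ip]
        if port > last:
            return None
        self.used[intranet_ip] += 1
        return ip, port

    def trace(self, public_ip, public_port):
        """Traceability: recover the intranet host from a logged public (ip, port) using the plan alone."""
        offset = (public_port - PORT_LOW) // self.block_size
        if public_ip not in self.pool or public_port < PORT_LOW or offset >= self.per_ip:
            return None              # port lies outside every block, so it was never allocated
        index = self.pool.index(public_ip) * self.per_ip + offset
        return next((h for h, b in self.block_of.items() if b == index), None)
```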

Port block NAT configuration comes in two forms: static port block NAT and dynamic port block NAT. In static port block NAT, a fixed mapping between port block and IP is established, and the total resource equals port range / port block size * number of public network IPs.

Fig. 8 Static port NAT configuration

In dynamic port block NAT, the total number of ports is fixed. Each newly active intranet IP occupies a port block until the resources are exhausted; port blocks no longer referenced by any session are then released so that new IPs can reoccupy them.

Fig. 9 Dynamic port NAT configuration

2.8 NAT64 and DS-Lite

By definition, the NAT64 translation mechanism translates IPv6 packets into IPv4 packets. DPtech provides a sound NAT64 translation technology. In a NAT64 network environment, the initiator's IPv6 data is processed by NAT64 on the NAT gateway before being forwarded to the IPv4 network.

Fig. 10 NAT64 configuration

DS-Lite (Dual-Stack Lite) is an IPv4-over-IPv6 tunneling technology. The CPE (Customer Premises Equipment) and the CGN (Carrier Grade NAT) both support dual-stack IPv4-over-IPv6 tunneling.

As operators run out of IPv4 addresses, they will choose to build IPv6 networks directly. To keep IPv4 services running continuously, tunneling and NAT are combined: an IPv4-over-IPv6 tunnel is built between the CPE and the CGN, the CPE sends IPv4 private network packets to the CGN through the tunnel, and the CGN applies NAT to them. Both the CPE and the CGN support dual stacks.

Fig. 11 DS-Lite schematic diagram

As shown in the figure above, the CPE assigns IPv4 private network addresses to the private hosts. When a host that supports IPv4 wants to reach an IPv4 network across an IPv6 network, address translation is performed through DS-Lite.

1. When the CPE receives an IPv4 packet, it adds an IPv6 header to the packet. The source address of the IPv6 packet is the CPE address and the destination address is the tunnel address. The CPE sends the packet to the CGN device.

2. Upon receiving the packet, the CGN device removes the IPv6 header, performs NAT44 translation on the IPv4 packet, replacing the source IP and source port in the IPv4 packet, and sends it to the IPv4 public network.

3. When the reverse packet reaches the CGN, its destination IP and destination port are replaced based on the IPv4 translation information. An IPv6 header with the translated IPv6 addresses is then added, and the packet is sent to the CPE device.

4. The CPE removes the IPv6 header and forwards the packet to the host.

In this way, the IPv4 private network can access the IPv4 public network through the IPv6 public network.
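Steps 1 and 2 of the DS-Lite procedure on the wire, as an added example (constructed, not DPtech code): the CPE prepends a real 40-byte IPv6 header with next header 4 (IPv4 carried in IPv6), and the CGN strips it, rewrites the IPv4 source address and UDP source port, and recomputes the IPv4 header checksum. The NAT44 mapping is passed in as two parameters instead of being taken from a NAT table; all addresses and the payload are made up, and the example handles UDP only.

```python
import ipaddress
import struct

IPPROTO_IPIP, IPPROTO_UDP = 4, 17   # IPv6 next header 4 = an IPv4 packet carried inside IPv6

def ipv4_checksum(header):
    """Standard ones-complement checksum over an IPv4 header whose checksum field is 0."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4_udp(src, dst, sport, dport, payload):
    """Constructed private-side packet: 20-byte IPv4 header + UDP (UDP checksum 0 is legal on IPv4)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, IPPROTO_UDP, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + udp

def cpe_encapsulate(ipv4_pkt, cpe_v6, tunnel_v6):
    """Step 1: the CPE prepends an IPv6 header, src = CPE address, dst = tunnel address (CGN)."""
    v6 = struct.pack("!IHBB16s16s", 0x60000000, len(ipv4_pkt), IPPROTO_IPIP, 64,
                     ipaddress.IPv6Address(cpe_v6).packed, ipaddress.IPv6Address(tunnel_v6).packed)
    return v6 + ipv4_pkt

def cgn_decapsulate_and_nat44(pkt, public_ip, public_port):
    """Step 2: the CGN removes the IPv6 header, then rewrites the IPv4 source address and UDP
    source port. The mapping is passed in here; a real CGN takes it from its NAT44 table."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6 or pkt[6] != IPPROTO_IPIP:
        raise ValueError("not an IPv4-over-IPv6 tunnel packet")
    inner = bytearray(pkt[40:])
    ihl = (inner[0] & 0x0F) * 4
    if inner[9] != IPPROTO_UDP:
        raise ValueError("this example only rewrites UDP")
    inner[12:16] = ipaddress.IPv4Address(public_ip).packed     # source IPv4 address
    inner[ihl:ihl + 2] = struct.pack("!H", public_port)        # UDP source port
    inner[10:12] = b"\x00\x00"                                 # header changed: recompute checksum
    inner[10:12] = struct.pack("!H", ipv4_checksum(bytes(inner[:ihl])))
    return bytes(inner)

def parse_ipv4_udp(pkt):
    """(src_ip, dst_ip, sport, dport) of an IPv4/UDP packet, to inspect the results."""
    ihl = (pkt[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return str(ipaddress.IPv4Address(pkt[12:16])), str(ipaddress.IPv4Address(pkt[16:20])), sport, dport
```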

Fig. 12 Firewall configuration of DS-Lite

2.9 Session-level NAT

Session-level NAT is mainly used when the NAT address pool contains a single address. In traditional NAT, a single address offers only 65,535 ports, whereas session-level NAT supports an unlimited number of translations: it distinguishes sessions by the five-tuple, so the same port can be assigned to different sessions, realizing port multiplexing.

Session-level NAT is generally deployed in scenarios with strained public network addresses.

2.10 NAT session management and traceability

All types of NAT sessions, including source NAT, destination NAT and one-to-one NAT, are established and managed by the session management module. Sessions of the various protocols, such as TCP, HTTP, streaming and P2P, are established and deleted in a unified manner. The session aging time, maintained by timers, varies between application protocols. Without ALG, the management of these sessions is identical; the only difference between application protocols is the aging time, and it is processed in the same way.

Building on its powerful NAT traceability, DPtech provides UAG of user behaviors. Log packets are sent to a unified network management platform for analysis and storage, making queries and retrieval easy. The logs record when the NAT translation entry was created, the aging time of the entry, and when the entry exceeded its active duration. Logs are sent reliably, so that all session logs are recorded completely even under heavy traffic.

2.11 NAT ALG

Generally speaking, NAT only changes the addresses in the IP header and does not analyze the packet payload. This has no impact on ordinary application protocols (such as Telnet); however, the payloads of some application-layer protocols carry address or port information, which causes problems if it is not translated as well. For example, some application-layer protocols negotiate a port number between client and server, and the server then uses the negotiated port to initiate a connection to the client. If the NAT device is unaware of this negotiation, the server's connection request fails because there is no mapping between the internal and external IP addresses/port numbers.

This issue can be addressed by applying an application-layer gateway (ALG). As a translation proxy for specific application protocols, ALG analyzes the payload of IP packets, changes the address and port information encapsulated in these packets, and completes all necessary work to make sure the application protocol can traverse NAT. Application-layer protocols that can be handled by ALG include DNS, FTP, H.323, ILS and SIP. The following describes the ALG process with FTP protocol as an example.

When FTP is working, there are two TCP connections between the client and the server: the control connection, which carries user commands and parameters (including the port information used to set up data connections), and the data connection, which establishes the data channel between server and client for file transfer. FTP has active and passive modes; whether ALG processing is needed depends on the mode and on where the server and client are located.

NAT ALG processing in FTP active mode

In active mode, the client initiates the control connection and sends the server a designated port with the PORT command; the server then initiates a data connection to that port. There are two cases, as shown below.

■ When the client is in the public network and the server is in the private network, the address and port the client announces to the server are public, so the server can initiate the data connection directly and no ALG processing of the control connection is required.

■ When the client is in the private network and the server is in the public network, the address and port the client announces are private, so they must be translated to public ones before the server initiates the data connection. See below for details.

Fig. 13 FTP ALG processing in active mode

1) First, the client sends a PORT command to the server, announcing the address and port (IP 1, Port 1) for the data connection;

2) Upon receiving the command, the NAT device replaces the private network address and port (IP 1, Port 1) with a public one (IP 2, Port 2), and establishes a corresponding NAPT table. This process is known as ALG.

3) Upon receiving the command, the server initiates a data connection to the public network address and port (IP 2, Port 2); when it passes through the NAT device, the destination is translated back to the private one (IP 1, Port 1).
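The three ALG steps above in code, as an added example (constructed, not DPtech's ALG): the PORT command `h1,h2,h3,h4,p1,p2` is decoded, (IP 1, Port 1) is replaced by (IP 2, Port 2), the NAPT entry is installed before the server's data connection arrives, and the length change of the rewritten payload is accumulated because the TCP sequence and acknowledgement numbers of the control connection must be adjusted by it. The ALG only rewrites a PORT command whose address is the client's own, so it never opens a mapping towards a third host. Addresses and ports in the test are made up.

```python
import re

PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")

def parse_port(cmd):
    """Decode 'PORT h1,h2,h3,h4,p1,p2\\r\\n' into (ip, port); None if it is not a valid PORT command."""
    m = PORT_RE.match(cmd)
    if m is None:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        return None
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def format_port(ip, port):
    fields = ip.split(".") + [str(port // 256), str(port % 256)]
    return ("PORT " + ",".join(fields) + "\r\n").encode()

class FtpAlg:
    """Constructed FTP ALG for active mode with the client in the private network (not DPtech code)."""

    def __init__(self, public_ip, first_port=1025):
        self.public_ip, self.next_port = public_ip, first_port
        self.napt = {}       # (IP 2, Port 2) -> (IP 1, Port 1), installed before the server connects
        self.seq_delta = 0   # payload length change; TCP seq/ack numbers must be adjusted by this

    def rewrite_control(self, client_ip, payload):
        """Step 2: rewrite the PORT command in a client->server control segment and install the mapping.
        Returns (payload to forward, public (ip, port) or None when nothing was rewritten)."""
        parsed = parse_port(payload)
        if parsed is None:
            return payload, None
        priv_ip, priv_port = parsed
        if priv_ip != client_ip:
            return payload, None   # address is not the client's own: do not open a mapping for another host
        pub_port, self.next_port = self.next_port, self.next_port + 1
        self.napt[(self.public_ip, pub_port)] = (priv_ip, priv_port)
        new = format_port(self.public_ip, pub_port)
        self.seq_delta += len(new) - len(payload)
        return new, (self.public_ip, pub_port)

    def data_connection(self, dst_ip, dst_port):
        """Step 3: the server connects to (IP 2, Port 2); the NAT device maps it to (IP 1, Port 1)."""
        return self.napt.get((dst_ip, dst_port))
```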
