NAT ALG
The application level gateway (ALG) provides transparent translation for some application layer protocols.
Packets of many application layer protocols contain user information, including IP addresses and port numbers. These protocol packets may fail to be forwarded because NAT cannot identify the IP addresses and port numbers carried in these protocol packets. To address this problem, the NAT ALG technique can be used to perform the mapping for IP addresses and port numbers of protocol packets and also translate IP addresses and port numbers carried in protocol packets.
NAT ALG supports various protocols, such as the Internet Control Message Protocol (ICMP), UDP-based Session Initiation Protocol (SIP), TCP-based Real-Time Streaming Protocol (RTSP), Point-to-Point Tunneling Protocol (PPTP), domain name service (DNS), and File Transfer Protocol (FTP).
NAT ALG does not support HA.
NAT ALG Support for FTP
- An FTP server on a public network is working in port mode.
- An FTP server on a private network is working in passive mode.
- The private network host and the public network FTP server establish a TCP control connection using three handshakes.
- The host sends FTP Port packets carrying a destination IP address and port number to the FTP server to request to establish a data connection to the server.
- Upon receipt of the FTP Port packets, the ALG-capable NAT device maps the private IP address and port number carried in payload to the public IP address and port number, respectively. In this example, the private IP address 192.168.0.10 carried in payload is translated to a public IP address 10.10.10.10, and private port 1024 to public port 5000.
- Upon receipt of the FTP Port packets, the public network FTP server parses the packets and sends packets with a destination public IP address of 10.10.10.10 and a port number of 5000 to initiate a data connection to the private network host.
- Upon receipt of the packets, the NAT device translates the destination public IP address and port number to the private IP address and port number, respectively before sending the packets to the host. Then the host can successfully establish a data connection to the FTP server.
NAT ALG Support for ICMP
The data payload of the ICMP error message carries a private IP address. Without the NAT ALG function, the NAT device forwards the message to the public network host without processing the private IP address in the data payload. Upon receipt of the message, the public network cannot identify the application to which the message belongs. In addition, the private IP address of the private network FTP server is leaked to the public network.
With the NAT AGL function, the NAT device translates the private IP address of 192.168.0.10 of the FTP server to a public IP address of 10.10.10.10 and then forwards the ICMP message to the public network host. Upon receipt of the ICMP message, the host can properly identify the FTP application. In addition, the risk of leaking the private IP address of the FTP server to the public network is eliminated.
NAT ALG Support for RTSP
- Inband mode: Also called the interleaving mode. A media stream is transmitted along a control channel and does not need to be processed by the ALG function.
- Outband mode: A media stream is transmitted along a data channel and carries a port number that is negotiated using control packets. The ALG function must process the media stream packets.
- The client is on a private network, and the server is on a public network. The client private port number in payload of each SETUP packet is replaced with a public port number. The client public port number in each SETUP response packet is replaced with the client private port number.
- The client is on a public network, and the server is on a private network. The client private port number in the SETUP packet payload is unchanged, and the server private port number in SETUP response packet payload is replaced with the server public port number.
The ALG module also identifies the TEARDOWN packet, changes the aging time of a stream table, and deletes the aging stream table to release resources.
NAT ALG Support for PPTP
In Figure 2-8, a PPTP client is on a private network, and a PPTP server is on a public network. Packets transmitted along the data channel between the client and server must be processed by the ALG function. Generic Routing Encapsulation (GRE) packets transmitted along the data channel carry IP addresses and call IDs, but not port numbers. If a NAT device maps IP addresses in packets of various PPTP clients to the same public IP address, the NAT device cannot forward returned public network PPTP packets to the clients.
To distinguish clients on the private network, the NAT device replaces the call IDs in packets with different call IDs and saves call ID mappings to distinguish private clients. After the server sends response packets, the NAT server can restore the call ID in each packet based on call ID mappings and properly forward the packets to the clients.
- Set up a PPTP TCP connection.
- A PPTP client sends a PPTP Outgoing-Call-Request packet to a PPTP server to establish a PPTP tunnel and selects a call ID to identify the PPTP tunnel along which the client sends data to a PPTP server.
- Upon receipt of the Outgoing-Call-Request packet, the PPTP server sends an Outgoing-Call-Reply packet and selects a call ID to identify the tunnel along which the server sends data to the client.
- The PPTP client and server send GRE data packets on a GRE tunnel.
- The client sends a PPTP Clear-Call-Request packet to inform the PPTP server that the PPTP control connection is to be terminated.
- The server replies with a PPTP Call-Disconnected-Notify packet.
- The server replies with a PPTP Stop-Control-Connection-Reply packet.
- The client closes the PPTP TCP connection.
NAT ALG Support for SIP
Users are connected to various NAT devices in a SIP ALG scenario.
In Figure 2-9, user packets carrying private IP addresses, and each user is connected to a specific NAT device. UA1 sends SIP packets to NAT device 1, and NAT device 1 performs the ALG function on the SIP packets and forwards them along a media stream channel. NAT device 2 processes the ALG function on UA2 packets and forwards them along the media stream channel. UA1 and UA2 communicate through the media stream channel.Users are connected to the same NAT device in a SIP ALG scenario.
In Figure 2-10, user packets carrying private IP addresses, and users are connected to the same CGN device. NAT device 1 performs the AGL function on UA1 packets and forwards them along a media stream channel. The destination IP address carried in the packets is an IP address pool address. The ALG function is performed again on the packets. UA1 and UA2 communicate through the media stream channel.Private and public network users coexist in a SIP ALG scenario.
In Figure 2-11, UA1 is assigned a private IP address, and UA2 is assigned a public IP address. The NAT device processes the source information in UA1-to-UA2 packets and the destination information in UA2-to-UA1 packets.
NAT ALG Support for DNS Mapping
- A DNS server is on a private network, and an ISP server is on either a public or private network. In this situation, DNS ALG is not used.
- A DNS server and an ISP server are on a public network. This situation is supported naturally and is irrelevant to NAT devices.
- A DNS server is deployed on a public network, and an ISP server is on a private network. The NAT Server function or DNS mapping function can be used.
The NAT Server function allows DNS to traverse through a NAT device, whereas all DNS traffic must travel through the NAT device. In this case, DNS mapping must be configured to translate a public IP address in payload of the DNS response packet into a private IP address so that users can access the private ISP server.
- The private network host sends a DNS request packet carrying a domain name to the public network DNS server.
- Upon receipt of the request, the DNS server obtains the public IP address (10.10.10.10) mapped to the domain name of www.sample.com, adds the IP address to the DNS response packet, and sends the response to the private host.
- Upon receipt of the response, the ALG-capable NAT device replaces the public IP address of 10.10.10.10 in payload of the response packet with the private IP address of 192.168.0.10 of the private network www server. Then the NAT device forwards the DNS response packet to the private network host.
- Upon receipt of the DNS response packet, the host obtains the private IP address mapped to the domain name of www.sample.com and is able to communicate with the private network WWW server.