What Is NAT (Network Address Translation) and How NAT works?
What is NAT (Network Address Translation)?
This chapter defines Network Address Translation (NAT), introduces the types of NAT, and explains how NAT works. It also describes the application scenarios and implementation principles of source NAT, destination NAT (including static NAT and dynamic NAT), and bidirectional NAT on the NAT firewall device.
NAT is an address translation technology that translates the IP address in an IPv4 header to another IP address. By translating multiple private addresses carried in IPv4 headers into one unique public address, NAT allows multiple intranet users to access the Internet using only one public address, effectively mitigating public IPv4 address exhaustion.
With the expansion of the Internet, a large number of private network users need to access the Internet through public IPv4 addresses, and the IPv4 address space is being exhausted rapidly. Although IPv6 can fundamentally solve the address exhaustion problem, most content and applications are still based on IPv4 and cannot be switched to IPv6 completely within a short time. NAT allows public IPv4 addresses to be reused, which mitigates IPv4 address exhaustion for the long term.
Prerequisites
- This document uses Huawei USG6000E series firewall products as an example to introduce the basic principles of NAT. There may be differences in the implementation of different products and versions. Please refer to the specific version of the product documentation.
- In this document, FW is short for firewall.
- In this document, public IP addresses may be used in feature introduction and are for reference only unless otherwise specified.
Types of NAT
NAT is divided into three types based on the translation mode.
| Category | Mode | Translated Item | Port Translated? | Application Scenario |
|---|---|---|---|---|
| Source NAT | Source address translation without port translation | Source IP address | No | This mode applies when public IP addresses are sufficient and only a small number of intranet users access the Internet. Private and public addresses are in one-to-one translation relationships. |
| Source NAT | Source address translation with port translation | Source IP address | Yes | This mode applies when many intranet users access the Internet. A large number of private addresses are translated into a few public addresses. |
| Destination NAT | Static NAT: one-to-one mappings between public and private addresses | Destination IP address | Optional | This mode applies when a public address is used to access a private address or multiple public addresses are used to access multiple private addresses. |
| Destination NAT | Static NAT: one-to-one mappings between public and private ports | Destination IP address | Optional | This mode applies when multiple ports of a public address are used to access multiple ports of a private address. |
| Destination NAT | Static NAT: one-to-one mappings between multiple ports of a public address and multiple private addresses | Destination IP address | Yes | This mode applies when multiple ports of a public address are used to access multiple private addresses. |
| Destination NAT | Static NAT: one-to-one mappings between multiple public addresses and multiple private ports | Destination IP address | Yes | This mode applies when multiple public addresses are used to access multiple ports of a private address. |
| Destination NAT | Dynamic NAT: public addresses are randomly translated into addresses in the destination address pool | Destination IP address | Optional | This mode applies when there are no fixed mappings between public and private addresses and public addresses are randomly translated into addresses in the destination address pool. |
| Bidirectional NAT | Source NAT + static destination NAT (static NAT) | Source IP address + destination IP address | Optional | This mode applies when both source and destination addresses need to be translated and destination addresses have fixed mappings before and after NAT. |
| Bidirectional NAT | Source NAT + dynamic destination NAT (dynamic NAT) | Source IP address + destination IP address | Optional | This mode applies when both source and destination addresses need to be translated and destination addresses do not have fixed mappings before and after NAT. |
Understanding NAT Policy
A NAT policy consists of the translated address (address pool address or outbound interface address), matching condition, and action.
- Address pool types include source NAT address pools (NAT No-PAT, NAPT, triplet NAT, and Smart NAT) and destination NAT address pools. You select the address pool type or the outbound interface mode based on the NAT mode.
- The matching conditions include the source address, destination address, source security zone, destination security zone, outbound interface, service, and time range. You can configure matching conditions according to requirements to perform NAT on the traffic matching the conditions.
The destination NAT policy does not support the configuration of the destination security zone and outbound interface.
- Actions include source address translation and destination address translation. For either kind of translation, the action specifies whether NAT is performed on the traffic that matches the conditions or not.
If multiple NAT policies are created, the policies are matched top down. If the traffic matches a NAT policy, the remaining policies are ignored.
In the NAT policy list shown in Figure 1-1, bidirectional and destination NAT policies have higher matching priority than source NAT policies and are placed before source NAT policies. Bidirectional and destination NAT policies are ordered according to their configuration sequence, as are source NAT policies. A newly added policy, or a policy whose NAT action is modified, is placed at the end of the NAT policies of its own type.
You can adjust the matching order of NAT policies of the same type as required. For example, you can place destination NAT policy 2 above bidirectional NAT policy 1, or place source NAT policy 2 above source NAT policy 1. However, a source NAT policy cannot be placed above bidirectional and destination NAT policies. For example, source NAT policy 1 cannot be placed above destination NAT policy 4 or bidirectional NAT policy 3.
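The ordering and lookup rules above (top-down first match, bidirectional and destination policies always ahead of source policies, reordering only within a type, re-appending on action change, no destination-zone condition on destination NAT policies) can be captured in a small policy list. The following is an added example written for this page, not Huawei code: the policy names, the four matching fields modelled, and the packet dictionaries are assumptions, and the real NAT policy has further matching conditions (service, time range, outbound interface).

```python
"""Toy NAT policy list that enforces the NAT policy matching-order rules.

Constructed example, not Huawei code: names, fields and packets are made up.
"""
from dataclasses import dataclass
from typing import Optional

# Bidirectional and destination NAT policies share the higher-priority group and
# are evaluated before every source NAT policy, whatever the configuration order.
GROUP = {"bidirectional": 0, "destination": 0, "source": 1}


@dataclass
class NatPolicy:
    name: str
    kind: str                         # "source", "destination" or "bidirectional"
    src_zone: Optional[str] = None    # matching conditions; None means "any"
    dst_zone: Optional[str] = None
    src_prefix: Optional[str] = None  # e.g. "192.168.1." (toy prefix match instead of a mask)
    dst_ip: Optional[str] = None
    action: str = "nat"               # "nat" or "no-nat"; both end the lookup when matched

    def matches(self, pkt):
        """pkt is a dict with src_zone, dst_zone, src_ip and dst_ip keys."""
        exact = ((self.src_zone, pkt.get("src_zone")),
                 (self.dst_zone, pkt.get("dst_zone")),
                 (self.dst_ip, pkt.get("dst_ip")))
        if any(cond is not None and cond != value for cond, value in exact):
            return False
        return self.src_prefix is None or pkt.get("src_ip", "").startswith(self.src_prefix)


class NatPolicyList:
    def __init__(self):
        self.policies = []

    def _index(self, name):
        return next(i for i, p in enumerate(self.policies) if p.name == name)

    def add(self, policy):
        if policy.kind == "destination" and policy.dst_zone is not None:
            raise ValueError("destination NAT policies cannot match on the destination zone")
        # A new policy goes to the end of its own group; the stable sort keeps
        # the configuration order inside each group.
        self.policies.append(policy)
        self.policies.sort(key=lambda p: GROUP[p.kind])

    def set_action(self, name, action):
        # Changing the NAT action re-appends the policy at the end of its group.
        policy = self.policies.pop(self._index(name))
        policy.action = action
        self.add(policy)

    def move_before(self, name, target):
        """Reorder within a group; a source NAT policy never goes above the other two kinds."""
        policy, other = self.policies[self._index(name)], self.policies[self._index(target)]
        if GROUP[policy.kind] != GROUP[other.kind]:
            raise ValueError("source NAT policies stay below destination and bidirectional policies")
        self.policies.pop(self._index(name))
        self.policies.insert(self._index(target), policy)

    def lookup(self, pkt):
        """Top-down evaluation: the first matching policy wins and the rest are ignored."""
        for policy in self.policies:
            if policy.matches(pkt):
                return policy
        return None

    def order(self):
        return [p.name for p in self.policies]


def build_example():
    """Policies configured in an order the FW must re-sort (names are constructed)."""
    pl = NatPolicyList()
    pl.add(NatPolicy("source1", "source", src_zone="trust", dst_zone="untrust", src_prefix="192.168.1."))
    pl.add(NatPolicy("dest4", "destination", dst_ip="1.1.1.10"))
    pl.add(NatPolicy("bidir3", "bidirectional", src_zone="untrust", dst_ip="1.1.1.10"))
    return pl
```

`build_example()` adds the source policy first, yet `order()` returns it last; moving `bidir3` above `dest4` is accepted, while moving `source1` above `dest4` raises, mirroring the constraint in the text.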
Types of NAT: Source NAT
Overview of Source NAT
Source NAT translates source addresses of packets.
Source NAT translates private IP addresses into public IP addresses so that users on an intranet can use public IP addresses to access the Internet. Figure 1-2 shows the translation process.
The FW performs source NAT as follows when the host accesses the web server:
- Upon receiving packets sent from the private network to the Internet, the FW translates the private source addresses into public source addresses.
- Upon receiving the return packets, the FW translates the public destination addresses back to private destination addresses.
Based on whether port translation is performed during source address translation, source NAT falls into NAT involving only source address translation (NAT No-PAT) and NAT involving both source address translation and source port translation (NAPT, Smart NAT, Easy IP, and triplet NAT).
What is NAT No-PAT?
NAT No-PAT translates only IP addresses and maps each private address to a single public address. This mode applies to scenarios where the address pool usually has enough public IP addresses for each private network user to be assigned one. Figure 1-3 shows its mechanism.
The FW performs NAT No-PAT as follows when the host accesses the web server:
1. After the host sends a packet to the FW, the FW finds that the packet needs to travel from the Trust zone to the Untrust zone and that the packet matches a security policy. The FW also finds that the packet matches a specific NAT policy, so address translation must be performed.
2. The FW replaces the source IP address of the packet with a public IP address picked from the NAT address pool, and then forwards the packet to the WAN interface. At the same time, the FW adds an entry to the server-map table and to the session table.
3. The web server sends a response packet destined for the host. The FW receives the response and searches the session table for the entry created in step 2. The FW then translates the destination address in the packet into the host IP address based on the entry and forwards the packet to the host over the intranet.
In this manner, one-to-one translation is implemented between the private and public IP addresses. If all addresses in the address pool are allocated, NAT cannot be performed for the remaining intranet hosts until an address in the pool becomes available again.
The FW generates a server-map table that stores the mappings between host private IP addresses and public IP addresses.
- Forward server-map entries allow for fast address translation when a private network user accesses the Internet, improving the processing efficiency of the FW.
- Return server-map entries allow for address translation when an Internet user proactively accesses a private network user.
NAT No-PAT falls into two types:
- Local No-PAT
The server-map table generated by local No-PAT contains security zone parameters. Only servers in that security zone can access the intranet host.
- Global No-PAT
The server-map table generated by global No-PAT does not contain security zone parameters. Servers in all security zones can access the intranet host.
What is NAPT?
NAPT translates both IP addresses and ports to enable multiple private addresses to share one or multiple public addresses. NAPT applies to scenarios with a few public addresses but many private users who need to access the Internet. Figure 1-4 shows its mechanism.
The FW performs NAPT as follows when the host accesses the web server:
1. After the host sends a packet to the FW, the FW finds that the packet needs to travel from the Trust zone to the Untrust zone and that the packet matches a security policy. The FW also finds that the packet matches a specific NAT policy, so address translation must be performed.
2. The FW replaces the original source IP address of the packet with a public IP address selected from the NAT address pool based on a hash of the source IP address, replaces the original source port with a new port, and then forwards the packet to the Internet. At the same time, the FW adds an entry to the session table.
3. The web server sends a response packet destined for the host. The FW receives the response and searches the session table for the entry created in step 2. The FW translates the destination address in the packet into the host IP address and the destination port number into the private port number based on the entry. The FW then forwards the packet to the host over the intranet.
As both addresses and ports are translated, multiple private users can share one public address to access the Internet. The FW can distinguish users based on ports, so more users can access the Internet at the same time. Note that NAPT does not generate server-map entries. This is different from NAT No-PAT.
What is Smart NAT?
Smart NAT is supplementary to No-PAT: it is No-PAT with one IP address of the pool reserved for NAPT. Smart NAT applies to scenarios where the address pool usually has enough public IP addresses for each private network user, but public addresses are occasionally insufficient.
In No-PAT mode, one-to-one address translation is performed. As the number of intranet users increases, the number of addresses in the address pool may no longer meet users' Internet access requirements. As a result, certain users cannot access the Internet. In this case, the reserved IP addresses can be used for NAPT so that the users can access the Internet. Figure 1-5 shows its mechanism.
When multiple hosts on the intranet simultaneously access the server, the process is as follows:
- Upon receiving a packet from the intranet, the FW first checks the destination IP address, identifying that the packet is destined for the Untrust zone from the Trust zone. If the packet is permitted by an interzone security policy, the FW searches for a matching NAT policy and then finds out that address translation is required.
- If the NAT address pool has available public addresses, the FW replaces the source IP address of the packet with such a public IP address and then forwards the packet to the server. At the same time, the FW adds an entry in the session table.
- If the NAT address pool has no available public addresses, the FW replaces the source IP address of the packet with the reserved NAPT address, replaces the source port with a new port, and then forwards the packet to the Internet. At the same time, the FW adds an entry to the session table.
In this mode, the FW preferentially uses the No-PAT mode. After the public addresses available for No-PAT are exhausted, the reserved IP address is used for NAPT for subsequent user connections.
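The three source NAT modes described above (NAT No-PAT, NAPT, and Smart NAT) differ only in how a public address and port are chosen and in whether a one-to-one server-map entry is kept, so one small translator can show all of them side by side. The following is an added example written for this page, not Huawei code: the pool addresses, host addresses, the starting public port (10240), and the CRC32 hash used to pick the NAPT address are assumptions; the page states only that the address is selected by hashing the source IP address.

```python
"""Toy source NAT translator in No-PAT, NAPT and Smart NAT modes.

Constructed example, not Huawei code: addresses, pools, ports and the hash
function are assumptions made for the demonstration.
"""
import zlib
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class SourceNat:
    mode: str                          # "no-pat", "napt" or "smart"
    pool: list                         # public addresses in the NAT address pool
    reserved: Optional[str] = None     # Smart NAT: the address reserved for NAPT
    server_map: dict = field(default_factory=dict)   # No-PAT: private ip -> public ip
    sessions: dict = field(default_factory=dict)     # return 5-tuple -> private endpoint
    next_port: int = 10240             # assumed start of the public port range

    def _free_public(self):
        """First pool address not yet bound one-to-one to a private host."""
        used = set(self.server_map.values())
        return next((ip for ip in self.pool if ip not in used), None)

    def _napt(self, pkt, pool):
        """NAPT: pick the public address by hashing the source IP, then a fresh port."""
        ip = pool[zlib.crc32(pkt.src_ip.encode()) % len(pool)]
        port, self.next_port = self.next_port, self.next_port + 1
        return ip, port

    def outbound(self, pkt):
        """Translate a private->Internet packet; None means the pool is exhausted."""
        if self.mode == "napt":
            pub_ip, pub_port = self._napt(pkt, self.pool)
        else:
            pub_ip = self.server_map.get(pkt.src_ip) or self._free_public()
            if pub_ip is not None:
                self.server_map[pkt.src_ip] = pub_ip   # No-PAT keeps a server-map entry
                pub_port = pkt.src_port                # address-only translation
            elif self.mode == "smart" and self.reserved:
                # Smart NAT: pool exhausted, fall back to NAPT on the reserved address
                pub_ip, pub_port = self._napt(pkt, [self.reserved])
            else:
                return None
        # The session entry is keyed on what the return packet will look like.
        self.sessions[(pkt.dst_ip, pkt.dst_port, pub_ip, pub_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(pub_ip, pub_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Translate a return packet back to the private host, or drop it (None)."""
        entry = self.sessions.get((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
        if entry is None:
            return None
        priv_ip, priv_port = entry
        return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port)


def demo():
    """Three hosts, a two-address pool: No-PAT rejects the third, Smart NAT absorbs it."""
    web = ("203.0.113.80", 80)          # constructed web server
    hosts = ["192.168.1.2", "192.168.1.3", "192.168.1.4"]
    results = {}
    for mode in ("no-pat", "napt", "smart"):
        nat = SourceNat(mode, ["198.51.100.10", "198.51.100.11"], reserved="198.51.100.12")
        results[mode] = [nat.outbound(Packet(h, 40000, *web)) for h in hosts]
    return results
```

In `demo()` the No-PAT translator returns `None` for the third host because both pool addresses are bound, NAPT gives every host a distinct public port, and Smart NAT translates the third host with the reserved address plus a new port. `inbound()` shows why a return packet that does not match the session entry exactly is dropped.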
What is Easy IP?
Easy IP uses the public IP address of the outbound interface as the post-NAT address and translates both the IP address and port. Easy IP also applies to scenarios where the interface IP address is dynamically obtained.
When the outbound interface of the FW obtains the public IP address through dial-up, you cannot add the public IP address to the address pool because the public address is dynamically obtained. In this case, you need to configure the Easy IP mode so that the FW can translate addresses when the public IP address changes. Figure 1-6 shows its mechanism.
The FW performs Easy IP as follows when the host accesses the web server:
1. After the host sends a packet to the FW, the FW finds that the packet needs to travel from the Trust zone to the Untrust zone and that the packet matches a security policy. The FW also finds that the packet matches a specific NAT policy, so address translation must be performed.
2. The FW replaces the source IP address in the packet with the public IP address of the WAN interface and replaces the source port number with a public port number. The FW then creates a session entry in the session table and forwards the packet to the Internet.
3. The web server sends a response packet destined for the host. The FW receives the response and searches the session table for the entry created in step 2. The FW translates the destination address in the packet into the host IP address and the destination port number into the private port number based on the entry. The FW then forwards the packet to the host over the intranet.
As both addresses and ports are translated, multiple private users can share one public address to access the Internet. The FW can distinguish users based on ports, so more users can access the Internet at the same time.
What is Triplet NAT?
Triplet NAT translates the source addresses and ports of packets. It allows Internet users to access private users and coexists with P2P-based file sharing, audio communication, and video transmission.
If the FW uses quintuple NAT (NAPT) in a scenario where intranet PCs access the Internet, extranet devices cannot proactively access intranet PCs through the translated IP addresses and ports.
Triplet NAT resolves this issue because it has the following two features. Figure 1-7 shows its mechanism.
- The ports assigned by triplet NAT are not reused. This keeps the post-NAT port of an intranet PC consistent but lowers public IP address utilization.
- Extranet devices can proactively access intranet PCs through the translated IP addresses and ports. The FW permits such access packets even when no security policy is configured for them.
The FW performs triplet NAT as follows when host A accesses host B:
1. After receiving a packet sent from host A, the FW determines from the destination IP address that the packet needs to travel between the Trust and Untrust zones. After the interzone security policy check is performed, the FW searches for the interzone NAT policy and discovers that NAT needs to be performed on the packet.
2. The FW selects a public IP address from the NAT address pool, replacing the source IP address of the packet with 1.1.1.10 and the source port number with 2296. After a session entry and a server-map entry are established, the FW sends the packet to host B.
3. After receiving a response packet sent from host B, the FW searches the session table for the session entry established in step 2. The FW replaces the destination IP address of the packet with 192.168.1.2 and the destination port number with 6363, and then sends the packet to host A.
4. When receiving a request from host C to access host A before the server-map entry ages out, the FW can also search the server-map table and send the packet to host A based on the mapping in the table.
The FW generates a server-map table that stores the mappings between host private IP addresses and public IP addresses.
- Forward server-map entries ensure that the post-NAT addresses and ports of intranet PCs remain unchanged.
- Return server-map entries allow extranet devices to proactively access intranet PCs.
Triplet NAT can be categorized into two types:
- Local triplet NAT
The server-map table generated by local triplet NAT contains security zone parameters. Only the hosts in that security zone can access intranet hosts. As shown in Figure 1-7, if host B and host C are in different security zones and the triplet NAT relationship has been established between host A and host B, host C cannot use the established server-map entry to access host A.
- Global triplet NAT
The server-map table generated by global triplet NAT does not contain security zone parameters. Once the server-map entry is established, hosts in all security zones can access intranet hosts. As shown in Figure 1-7, if host B and host C are in different security zones and the triplet NAT relationship has been established between host A and host B, host C can also use the established server-map entry to access host A.
The FW supports Smart triplet NAT and determines the port assignment mode based on packet destination ports, allowing for the reuse of some public IP addresses. If a packet's destination port number is in the configured range, the NAPT mode is used for port assignment; otherwise, the triplet NAT mode is used.
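The difference between NAPT and triplet NAT for unsolicited inbound traffic comes down to what the lookup is keyed on: a NAPT session entry holds the full 5-tuple of both endpoints, so only host B's reply matches, while the triplet NAT server-map is keyed only on the post-NAT address and port of host A (plus the security zone for local triplet NAT), so host C's request matches too. The following is an added example written for this page, not Huawei code, covering the triplet NAT steps and the local/global distinction above: the 1.1.1.10:2296 and 192.168.1.2:6363 values come from the Figure 1-7 description, while the addresses of hosts B and C, the zone names, and the port numbers of B and C are constructed.

```python
"""Why NAPT drops an unsolicited inbound packet while triplet NAT admits it.

Constructed example, not Huawei code. Host B, host C and the zone names are
made up; 1.1.1.10:2296 <-> 192.168.1.2:6363 are the values from Figure 1-7.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class NatTables:
    # Session entries as NAPT builds them: return-direction 5-tuple -> private endpoint.
    sessions: dict = field(default_factory=dict)
    # Triplet NAT server-map: post-NAT (ip, port) -> (private ip, private port, zone).
    # zone is None for global triplet NAT and the peer's zone for local triplet NAT.
    server_map: dict = field(default_factory=dict)


def record_outbound(tables, pkt, pub_ip, pub_port, mode, peer_zone):
    """Record what the FW stores after translating host A's outbound packet."""
    tables.sessions[(pkt.dst_ip, pkt.dst_port, pub_ip, pub_port)] = (pkt.src_ip, pkt.src_port)
    if mode == "local-triplet":
        tables.server_map[(pub_ip, pub_port)] = (pkt.src_ip, pkt.src_port, peer_zone)
    elif mode == "global-triplet":
        tables.server_map[(pub_ip, pub_port)] = (pkt.src_ip, pkt.src_port, None)
    # mode == "napt": no server-map entry at all


def inbound(tables, pkt, src_zone) -> Optional[Packet]:
    """Translate an Internet->intranet packet, or return None if the FW drops it."""
    entry = tables.sessions.get((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
    if entry is not None:                       # reply of an existing session (any mode)
        priv_ip, priv_port = entry
        return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port)
    mapping = tables.server_map.get((pkt.dst_ip, pkt.dst_port))
    if mapping is None:                         # unsolicited and no server-map: dropped
        return None
    priv_ip, priv_port, zone = mapping
    if zone is not None and zone != src_zone:   # local triplet NAT: zone must match
        return None
    return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port)


def demo(mode):
    """Returns (B's reply admitted, C admitted from B's zone, C admitted from another zone)."""
    tables = NatTables()
    host_a = Packet("192.168.1.2", 6363, "1.1.1.20", 8000)        # A -> B (B constructed)
    record_outbound(tables, host_a, "1.1.1.10", 2296, mode, peer_zone="untrust")
    reply_b = inbound(tables, Packet("1.1.1.20", 8000, "1.1.1.10", 2296), "untrust")
    c_same = inbound(tables, Packet("1.1.1.30", 5000, "1.1.1.10", 2296), "untrust")
    c_other = inbound(tables, Packet("1.1.1.30", 5000, "1.1.1.10", 2296), "dmz")
    return (reply_b is not None, c_same is not None, c_other is not None)
```

`demo("napt")` admits only host B's reply; `demo("local-triplet")` also admits host C when it sits in host B's zone; `demo("global-triplet")` admits host C from any zone. Because the server-map entry alone admits the packet, a defender should treat the triplet NAT server-map (and its ageing time) as an implicit allow rule and review it together with the security policy.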
Types of NAT: Destination NAT
Overview of Destination NAT
Destination NAT translates the destination addresses and ports of packets.
Destination NAT translates the public IP addresses that extranet users access into the private IP addresses of intranet servers. Figure 1-8 shows the translation process.
When an extranet user accesses the intranet server, the FW performs as follows:
- Upon receiving the packets destined from the extranet user to the intranet server, the FW translates the public destination addresses into private destination addresses.
- Upon receiving the return packets, the FW translates the private source addresses back to public source addresses.
Based on whether post-NAT destination addresses are fixed, destination NAT falls into static NAT and dynamic NAT.
Static NAT vs. Dynamic NAT
| Type of Destination NAT | Mapping | Application Scenario |
|---|---|---|
| Dynamic NAT | Public addresses are randomly translated into addresses in the destination address pool. | Dynamic NAT applies when there are no fixed mappings between public and private addresses and public addresses are randomly translated into addresses in the destination address pool. |
| Static NAT | One-to-one mappings between public and private addresses. | This mode of static NAT applies when a public address is used to access a private address or multiple public addresses are used to access multiple private addresses. |
| Static NAT | One-to-one mappings between public and private ports. | This mode of static NAT applies when multiple ports of a public address are used to access multiple ports of a private address. |
| Static NAT | One-to-one mappings between multiple ports of a public address and multiple private addresses. | This mode of static NAT applies when multiple ports of a public address are used to access multiple private addresses. |
| Static NAT | One-to-one mappings between multiple public addresses and multiple private ports. | This mode of static NAT applies when multiple public addresses are used to access multiple ports of a private address. |
| Static NAT | NAT Server. | This mode of static NAT applies to scenarios where there are fixed mappings between private IP addresses and public IP addresses, between private IP addresses and public port numbers, between private port numbers and public IP addresses, and between private port numbers and public port numbers. NAT Server is implemented by running the nat server command. |
What is Static Destination NAT (Static NAT)?
Static destination NAT translates the destination IP address of the packet, and there is a fixed mapping between the pre-NAT and post-NAT addresses.
For the sake of security, extranets are generally not allowed to proactively access intranets. Occasionally, however, a method is expected to permit access from extranets. For example, a company intends to provide resources for customers and employees on business trips.
Figure 1-9 shows the mechanism of static destination NAT based on the NAT policy.
As shown in Figure 1-9, when the host accesses the server, the FW performs as follows:
1. Upon receiving a packet destined for 1.1.1.10 from an Internet user, the FW searches for a matching NAT policy and then performs destination address translation on the packet.
2. The FW replaces the destination IP address of the packet with the selected private IP address, and either replaces the original destination port with a new port or keeps it. After the security policy check passes and a session entry is created, the packet is sent to the intranet server.
3. Upon receiving the server's reply to the host, the FW searches the session table and matches the entry created in step 2. Accordingly, the FW changes the destination address of the packet to the IP address of the server and then forwards the packet to the host.
4. When receiving subsequent packets sent from the host to the server, the FW translates their addresses directly according to the session entry.
What is Dynamic Destination NAT (Dynamic NAT)?
Dynamic destination NAT dynamically translates the destination IP address of the packet, and there is no fixed mapping between the pre-NAT and post-NAT addresses.
Static destination NAT can meet the requirements of most destination address translation scenarios. In some cases, however, the post-NAT address is expected to be not fixed. The scenario where mobile devices access wireless networks through destination address translation is a case in point.
Figure 1-10 shows the mechanism of dynamic destination NAT based on the NAT policy.
The FW performs dynamic destination NAT as follows when host A accesses the server:
1. After receiving the packet from host A, the FW finds that the packet matches the NAT policy, randomly selects an address from the address pool as the translated address, and translates the destination IP address of the packet from 172.16.16.2 to 192.168.1.2.
2. After checking the interzone security policy, the FW creates a session entry and sends the packet to the server.
3. Upon receiving the server's reply to host A, the FW searches the session table and matches the entry created in step 2. Accordingly, the FW changes the source address of the packet to 172.16.16.2 and then forwards the packet to host A.
Types of NAT: Bidirectional NAT
Bidirectional NAT translates both the source information and the destination information in packets. Bidirectional NAT is not an independent function; it is a combination of source NAT and destination NAT applied to the same flow. When receiving a packet, the firewall translates both its source and destination addresses.
Bidirectional NAT applies mainly to the following scenarios.
Extranet Users Accessing Intranet Servers
When an extranet user accesses an intranet server, bidirectional NAT can be used to translate both the source and destination addresses of the packet and save the effort of setting the gateway on the intranet server, simplifying configuration.
As shown in Figure 1-11, when the host accesses the server, the FW performs as follows:
- The FW performs address translation for the packet that matches the bidirectional NAT policy.
- The FW selects a public IP address from the destination NAT address pool to replace the destination IP address of the packet and replaces the destination port number with the new port number.
- The FW checks whether the packet passes the security policy. If so, the FW replaces the source IP address of the packet with a private IP address picked from the NAT address pool and the source port with a new port, and then forwards the packet to the intranet. At the same time, the FW adds an entry in the session table.
- Upon receiving the packet that the server replies to the host, the FW searches the session table and the entry created is matched. Accordingly, the FW changes the source and destination addresses of the packet to its original source and destination addresses and the source and destination ports to its original source and destination ports. Then the FW forwards the packet to the Internet.
Intranet Users Accessing Intranet Servers
Users on the intranet attempt to access the public address of the intranet server on the same subnet in their own security zone.
As shown in Figure 1-12, when the host accesses the server, the FW performs as follows:
- The FW performs address translation for the packet that matches the bidirectional NAT policy.
- The FW selects a public IP address from the destination NAT address pool to replace the destination IP address of the packet and replaces the destination port number with the new port number.
- The FW checks whether the packet passes the security policy. If so, the FW replaces the source IP address of the packet with a private IP address picked from the NAT address pool and the source port with a new port, and then forwards the packet to the intranet. At the same time, the FW adds an entry in the session table.
- Upon receiving the packet that the server replies to the host, the FW searches the session table and the entry created is matched. Accordingly, the FW changes the source and destination addresses of the packet to its original source and destination addresses and the source and destination ports to its original source and destination ports. Then the FW forwards the packet to the host.
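The destination NAT and bidirectional NAT procedures above share one order of operations: destination translation (fixed mapping for static NAT, random pool choice for dynamic NAT), then the security policy check, then, for bidirectional NAT, source translation, with a single session entry that undoes everything on the reply. The following is an added example written for this page, not Huawei code: 1.1.1.10 and the 172.16.16.2 to 192.168.1.2 translation are taken from the figures above, while the extranet host, the private server ports, the source NAT pool address, the starting public port, and the fixed random seed are constructed.

```python
"""Toy destination NAT (static and dynamic) with optional source NAT on the same flow.

Constructed example, not Huawei code: every address and port except 1.1.1.10
and 172.16.16.2 -> 192.168.1.2 is made up.
"""
import random
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class DestinationNat:
    # Static NAT: (public ip, public port or None) -> (private ip, private port or None);
    # None on the port side means "address only, keep the original port".
    static: dict = field(default_factory=dict)
    # Dynamic NAT: public address -> pool of private addresses, chosen at random.
    dynamic: dict = field(default_factory=dict)
    # Bidirectional NAT: private addresses used to rewrite the source after destination NAT.
    src_pool: Optional[list] = None
    sessions: dict = field(default_factory=dict)   # return 5-tuple -> original packet
    rng: random.Random = field(default_factory=lambda: random.Random(7))  # seeded for repeatability
    next_port: int = 10240

    def _translate_destination(self, pkt):
        # A port-specific static entry wins over an address-only entry.
        for key in ((pkt.dst_ip, pkt.dst_port), (pkt.dst_ip, None)):
            if key in self.static:
                priv_ip, priv_port = self.static[key]
                return priv_ip, (priv_port if priv_port is not None else pkt.dst_port)
        if pkt.dst_ip in self.dynamic:         # no fixed mapping: random pool member
            return self.rng.choice(self.dynamic[pkt.dst_ip]), pkt.dst_port
        return None

    def forward(self, pkt, policy_permits=True):
        """Extranet -> intranet packet; None means no policy matched or the security policy denied it."""
        translated = self._translate_destination(pkt)
        if translated is None:
            return None
        dst_ip, dst_port = translated
        if not policy_permits:                 # security policy is checked on the post-NAT destination
            return None
        src_ip, src_port = pkt.src_ip, pkt.src_port
        if self.src_pool:                      # bidirectional: source NAT after destination NAT
            src_ip = self.src_pool[0]
            src_port, self.next_port = self.next_port, self.next_port + 1
        out = Packet(src_ip, src_port, dst_ip, dst_port)
        self.sessions[(out.dst_ip, out.dst_port, out.src_ip, out.src_port)] = pkt
        return out

    def reply(self, pkt):
        """Server reply: restore the original addresses and ports from the session entry."""
        orig = self.sessions.get((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
        if orig is None:
            return None
        return Packet(orig.dst_ip, orig.dst_port, orig.src_ip, orig.src_port)


def demo():
    results = {}
    # Static: public 1.1.1.10:8080 -> private server 192.168.1.2:80 (port translated).
    static = DestinationNat(static={("1.1.1.10", 8080): ("192.168.1.2", 80)})
    out = static.forward(Packet("203.0.113.5", 51000, "1.1.1.10", 8080))
    results["static"] = (out, static.reply(Packet("192.168.1.2", 80, "203.0.113.5", 51000)))
    # Dynamic: 172.16.16.2 maps to a random member of the destination pool each flow.
    dyn = DestinationNat(dynamic={"172.16.16.2": ["192.168.1.2", "192.168.1.3"]})
    results["dynamic"] = [dyn.forward(Packet("10.0.0.9", 40000 + i, "172.16.16.2", 443)).dst_ip
                          for i in range(4)]
    # Bidirectional: address-only static mapping, then source NAT to a private pool address.
    bi = DestinationNat(static={("1.1.1.10", None): ("192.168.1.2", None)}, src_pool=["192.168.1.200"])
    out = bi.forward(Packet("203.0.113.5", 52000, "1.1.1.10", 80))
    results["bidirectional"] = (out, bi.reply(Packet("192.168.1.2", 80, "192.168.1.200", 10240)))
    return results
```

In the bidirectional case the server sees a source address on its own subnet (192.168.1.200), which is why the page notes that the intranet server needs no gateway setting; the reply still leaves the FW with the host's original address and port because the session entry stores the untranslated packet.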
How to troubleshoot NAT issues?
Refer to Troubleshooting: NAT Policy for information to troubleshoot NAT.
Learn more about NAT implementation principles
- Source NAT, Part 1, Part 2, and Part 3
- NAT Server
- Bidirectional NAT