9.2. NAT

Dynamic Network Address Translation (NAT) provides a mechanism for translating original source IP addresses to a different address as packets traverse a network device. Outgoing packets from the device then appear to come from a different source IP address. Incoming packets returning to that source address have their IP address translated back to the original one.

NAT is configured in cOS Stream by setting the SourceTranslation property of an IP Rule object to NAT. cOS Stream allows NAT to be applied to both IPv4 and IPv6 addresses, and both address types can be NATed with a single IP Rule object. An example of this is given towards the end of this section.

NAT Benefits

NAT can have two important benefits:

NAT Provides many-to-one IP Address Translation

NAT provides many-to-one translation. This means that each NAT rule in the main IP rule set will translate between several source IP addresses and a single source IP address.

To maintain session state information, each NAT flow is translated to a unique combination of port number and IP address for the source. cOS Stream then performs automatic translation of the source port number as well as the IP address for returning packets. In other words, the actual source IP addresses for flows are all translated to the same IP address and the flows are distinguished from one another by the allocation of a unique port number to each.

The diagram below illustrates the NAT concept.


Figure 9.1. NAT IP Address Translation

In the diagram above, three flows from IP addresses A, B and C are NATed through a single source IP address N. The original port numbers are also changed.

The next source port number allocated for a new NAT flow will be the first free port selected randomly by cOS Stream. Ports are allocated randomly to increase security from external attack.

Limitations on the Number of Flows

There is a limitation of approximately 65,500 simultaneous NAT flows per unique pair of IP addresses. The term IP pair means one IP address on an interface and the IP address of some external host to which a flow is being made. If two different IP addresses on an external host are being connected to from the same NAT address on the firewall then this constitutes two unique IP pairs. The 65,500 figure is therefore not a limitation for the entire Clavister NetShield Firewall.

When discussing the 65,500 simultaneous NAT flow limit, a "flow" is considered to be a unique pair of IP addresses where different port numbers are not used or the same destination port is used. For example, if a remote server demands that all flows are to a single destination port then this limit will apply.

However, since there is a possible range of 65,500 source ports and the same number for destination ports, it is theoretically possible to have over 4 billion flows between two IP addresses if all ports are used.

The Source IP Address Used for Translation

There are three options for how cOS Stream determines the source IP address that will be used for NAT:

The NAT Translation Process

To explain the NAT process in a simple example, consider a protected client behind the firewall which has the private IPv4 address 192.168.1.5. It wants to make an HTTP connection on port 80 of a server with the public IPv4 address 203.0.113.10.

The public IPv4 address of the Ethernet interface connected to the Internet is 203.0.113.5 (for simplicity, assume that the interface and the server are on the same network). NAT translation is applied to flows originating on this interface by specifying a NATing IP Rule object that allows flows from the client to the server.

The sequence of events in the NAT process is illustrated in the diagram below and in the description of the steps that follows.


Figure 9.2. The NAT Translation Process

  1. The sender at IP address 192.168.1.5 sends a packet from a dynamically assigned port number (assume port 1038) to the server at 203.0.113.10 on port 80.

  2. Assume that the NAT Use Interface Address option is used in the IP rule. cOS Stream changes the source port to a random unused port on its interface which is above port 1024. In this example, assume port 32,789 is chosen. The packet is then sent to its destination with this source port and the source IP of the interface.

  3. The server then processes the packet and sends its response back to the source IP and port.

  4. cOS Stream receives the packet and looks up the destination IP and port in its list of open flows. If it finds the flow, it restores the original source IP address and port number and forwards the packet.

  5. The original sender has now received the response without needing a public IP address of its own.

Example 9.1. Adding an IPv4 NAT Rule

This example will add a NAT rule that will perform IPv4 address translation for all HTTP/HTTPS traffic originating from the internal network if1 as it flows out to the public Internet on the wan interface. The IPv4 address of the wan interface will be used as the NATing address for all flows.

Command-Line Interface

First, change the current category to be the main IP rule set:

System:/> cc RuleSet IPRuleSet main

Now, create the IP rule:

System:/IPRuleSet/main> add IPRule
			SourceInterface=if1
			SourceNetwork=if1_net
			DestinationInterface=wan
			DestinationNetwork=all-nets
			Service=http-all
			Action=Allow
			SourceTranslation=NAT
			SetSourceAddress=InterfaceAddress
			Name=NAT_HTTP

Now, return to the default CLI context if no more rules are needed:

System:/IPRuleSet/main> cc
System:/> 

DNS Traffic Needs a Separate Rule

Note that a second, similar rule will be needed to NAT DNS traffic from the internal HTTP/HTTPS clients so that web browsers can resolve URLs. Everything will be the same except the Service property should be set to dns-all in such a rule.

Specifying the NAT IP Address

In the preceding example, the IP address used for NAT is the IPv4 address of the destination interface. The alternative is to specify another IPv4 address that is to be used on the destination interface. This is done by specifying the SetSourceAddress option as AllToOne and using the NewSourceIP4 option to specify the new NAT address for the interface.

Example 9.2. Specifying an IPv4 NAT Address

This example is the same as the preceding example except the NAT address used on the wan interface is to be explicitly specified as 10.0.0.1

Command-Line Interface

First, change the current category to be the main IP rule set:

System:/> cc RuleSet IPRuleSet main

Now, create the IP rule:

System:/IPRuleSet/main> add IPRule
			SourceInterface=if1
			SourceNetwork=if1_net
			DestinationInterface=wan
			DestinationNetwork=all-nets
			Service=http-all
			Action=Allow
			SourceTranslation=NAT
			SetSourceAddress=AllToOne
			NewSourceIP4=10.0.0.1
			Name=NAT_HTTP

The IPv4 address 10.0.0.1 must also be explicitly ARP published on the wan interface if it is not already one of the addresses assigned to that interface.

ARP Publishing the NAT IPv4 address

As mentioned in the last NAT example, if the NAT IPv4 address is not already ARP published on the Ethernet interface then this must be done explicitly. Doing this is described in Chapter 4, ARP.

ARP publishing of all the IP addresses already assigned to an Ethernet interface is done automatically and any Ethernet interface can have multiple IP addresses associated with it.

IPv6 NAT Addresses

It is possible to NAT IPv6 traffic in the same way that NAT is used for IPv4 traffic. It is also possible to combine IPv4 and IPv6 traffic in the same IP rule.

Example 9.3. Adding an IPv6 NAT Rule

This example will add a NAT rule that will perform IPv6 address translation for all IPv6 HTTP/HTTPS traffic originating from the internal network if1 as it flows out to the public Internet on the wan interface. The IPv6 address of the wan interface will be used as the NATing address for all flows.

Command-Line Interface

First, change the current category to be the main IP rule set:

System:/> cc RuleSet IPRuleSet main

Now, create the IP rule:

System:/IPRuleSet/main> add IPRule
			SourceInterface=LAN
			SourceNetwork=LAN_ip6_net
			DestinationInterface=WAN
			DestinationNetwork=all-nets
			Service=http-all
			Action=Allow
			SourceTranslation=NAT
			SetSourceAddress=InterfaceAddress
			Name=NAT_IP6_HTTP

Example 9.4. Adding a Combined IPv4 and IPv6 NAT Rule

This example repeats the preceding example but will perform NAT on both IPv4 and IPv6 traffic. The difference is in how the SourceNetwork property is specified.

Command-Line Interface

First, change the current category to be the main IP rule set:

System:/> cc RuleSet IPRuleSet main

Now, create the IP rule:

System:/IPRuleSet/main> add IPRule
			SourceInterface=LAN
			SourceNetwork=LAN_net,LAN_ip6_net
			DestinationInterface=WAN
			DestinationNetwork=all-nets
			Service=http-all
			Action=Allow
			SourceTranslation=NAT
			SetSourceAddress=InterfaceAddress
			Name=NAT_IPv4_IP6_HTTP

Specifying the IPv6 NAT Address

Note that the property NewSourceIP6 could be used to specify an IPv6 address as the NAT address for IPv6 traffic. Either or both of NewSourceIP4 and NewSourceIP6 must be specified in the same rule when the SetSourceAddress=AllToOne option is used.

If the NAT rule allows both IPv4 and IPv6 addresses (for example, the source IP might be all-nets) then both NewSourceIP4 and NewSourceIP6 will have to be specified since the rule must deal with applying NAT to both address types.

Protocols Handled by NAT

Dynamic address translation is able to deal with the TCP, UDP and ICMP protocols with a good level of functionality since the algorithm knows which values can be adjusted to become unique in the three protocols. For other IP level protocols, unique flows are identified by their sender addresses, destination addresses and protocol numbers.

This means that for protocols other than TCP, UDP and ICMP:

Note: Restrictions only apply to IP level protocols

These restrictions apply only to IP level protocols other than TCP, UDP and ICMP, such as OSPF and L2TP. They do not apply to the protocols transported by TCP, UDP and ICMP such as telnet, FTP, HTTP and SMTP.

cOS Stream can alter port number information in the TCP and UDP headers to make each flow unique, even though such flows have had their sender addresses translated to the same IP.
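The following is an added illustration in Python, written for this section and not code from cOS Stream, that ties together three passages above: the five steps of The NAT Translation Process, the per-IP-pair port limit from Limitations on the Number of Flows, and the protocol handling just described. The Packet model, the DynamicNAT class, the walk_through function and the "other protocol" name "ospf" are assumptions made for the example; the addresses 192.168.1.5, 203.0.113.10 and 203.0.113.5 are the ones used in the section, and the four-port range used to show exhaustion is a constructed value.

```python
"""Toy dynamic NAT with a flow table (added illustration, not cOS Stream code)."""
import random
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    """The header fields a NAT cares about (assumed model for this example).
    TCP/UDP: src_id/dst_id are ports. ICMP: src_id is the echo identifier on the
    way out, dst_id carries the echoed identifier on the way back. Other IP
    protocols carry no identifier that NAT can rewrite."""
    proto: str      # "tcp", "udp", "icmp", or another protocol name such as "ospf"
    src_ip: str
    dst_ip: str
    src_id: int = 0
    dst_id: int = 0


class DynamicNAT:
    """Many-to-one translation of source addresses onto one NAT address."""

    def __init__(self, nat_ip, port_lo=1025, port_hi=65535, seed=None):
        self.nat_ip = nat_ip
        self.port_lo, self.port_hi = port_lo, port_hi
        self.rng = random.Random(seed)
        self.outbound = {}   # original flow key -> translated source id
        self.inbound = {}    # key seen on returning packets -> (orig src_ip, orig src_id)

    @staticmethod
    def _flow_key(p):
        """What identifies a flow depends on the protocol (see 'Protocols Handled by NAT')."""
        if p.proto in ("tcp", "udp"):
            return (p.proto, p.src_ip, p.src_id, p.dst_ip, p.dst_id)
        if p.proto == "icmp":
            return (p.proto, p.src_ip, p.src_id, p.dst_ip)
        return (p.proto, p.src_ip, p.dst_ip)

    @staticmethod
    def _return_key(proto, remote_ip, remote_id, nat_id):
        """Built from the translated packet going out and from the reply coming back."""
        if proto in ("tcp", "udp"):
            return (proto, remote_ip, remote_id, nat_id)
        if proto == "icmp":
            return (proto, remote_ip, nat_id)
        return (proto, remote_ip)

    def _free_id(self, proto, remote_ip, remote_id):
        """First free port/identifier starting from a random point in the range.
        Uniqueness is only needed per (remote_ip, remote_id) pair, which is why the
        per-pair limit is not a limit for the whole table."""
        size = self.port_hi - self.port_lo + 1
        start = self.rng.randrange(size)
        for i in range(size):
            cand = self.port_lo + (start + i) % size
            if self._return_key(proto, remote_ip, remote_id, cand) not in self.inbound:
                return cand
        return None   # every port for this IP pair is in use

    def translate_out(self, p):
        """Rewrite an outgoing packet; None means no unique translation exists."""
        key = self._flow_key(p)
        if key in self.outbound:                     # packet of an existing flow
            new_id = self.outbound[key]
        elif p.proto in ("tcp", "udp", "icmp"):
            new_id = self._free_id(p.proto, p.dst_ip, p.dst_id)
            if new_id is None:
                return None
        else:
            # Nothing to rewrite but the address: flows are told apart only by
            # addresses and protocol number, so a second internal host talking
            # the same protocol to the same remote host cannot be distinguished.
            new_id = 0
            if self._return_key(p.proto, p.dst_ip, 0, 0) in self.inbound:
                return None
        self.outbound[key] = new_id
        self.inbound[self._return_key(p.proto, p.dst_ip, p.dst_id, new_id)] = (p.src_ip, p.src_id)
        return replace(p, src_ip=self.nat_ip, src_id=new_id)

    def translate_in(self, p):
        """Restore the original destination of a returning packet; None = no open flow."""
        if p.dst_ip != self.nat_ip:
            return None
        orig = self.inbound.get(self._return_key(p.proto, p.src_ip, p.src_id, p.dst_id))
        if orig is None:
            return None                # unmatched packets are not forwarded inside
        return replace(p, dst_ip=orig[0], dst_id=orig[1])


def walk_through(nat):
    """Steps 1-5 of 'The NAT Translation Process' with the addresses used there."""
    request = Packet("tcp", "192.168.1.5", "203.0.113.10", 1038, 80)   # step 1
    out = nat.translate_out(request)                                   # step 2
    reply = Packet("tcp", "203.0.113.10", out.src_ip, 80, out.src_id)  # step 3
    restored = nat.translate_in(reply)                                 # step 4
    return out, restored                                               # step 5


if __name__ == "__main__":
    out, back = walk_through(DynamicNAT("203.0.113.5"))
    print("outgoing after NAT:", out)
    print("reply after reverse NAT:", back)
```

Two design points match the text. Port uniqueness is enforced only against the (remote IP, remote port) pair, so with a four-port range a fifth client to the same server and port is refused while a flow to another port or another server still succeeds; the same logic with the real 65,500-port range gives the per-pair limit described above. For a protocol without ports, the return key is just protocol and remote address, so the table cannot hold two internal hosts speaking that protocol to the same remote host, which is the restriction the note describes for protocols such as OSPF and L2TP.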

Some protocols, regardless of the method of transportation used, can cause problems during address translation.