Network Address Translation (11)

In the early 1990s, relevant Request For Comments (RFC) documents began raising the possibility of IP address exhaustion. As more and more IPv4 addresses are requested, driven in part by the Internet's rapid growth due to TCP/IP-based web applications, sustainable development of the Internet is becoming a major challenge. To address this challenge, IPv6 was developed as the successor to IPv4. In contrast to IPv4, which defined an IP address as a 32-bit value, IPv6 addresses have a size of 128 bits. For network applications, IPv6 has a significantly larger address space compared to IPv4. However, IPv6 has a long way to go before it can completely replace IPv4, due to the immature technologies and huge update costs associated with IPv6.

Because IPv6 will not completely replace IPv4 immediately, certain workarounds are required to extend the use of IPv4. For example, classless inter-domain routing (CIDR), variable length subnet mask (VLSM), and NAT can be used.

Private addresses are used to implement address reuse and increase the utilization of IP address resources. Defined in RFC 1918, the following private addresses are reserved for private networks:
  • Class A: 10.0.0.0 to 10.255.255.255 (10.0.0.0/8)
  • Class B: 172.16.0.0 to 172.31.255.255 (172.16.0.0/12)
  • Class C: 192.168.0.0 to 192.168.255.255 (192.168.0.0/16)
Private addresses are used on private networks, whereas public addresses are used on public networks (for example, the Internet). To allow communication between private and public addresses, NAT must be used to translate the addresses. 


In addition to address reuse, NAT continues to evolve and provides other advantages. The main advantages and disadvantages of NAT are as follows:
Advantages:
  • Numerous hosts on a local area network (LAN) can use a few public addresses to access external resources, and internal World Wide Web (WWW), File Transfer Protocol (FTP), and Telnet services can be used by external networks.
  • Internal and external network users are unaware of the IP address translation process.
  • Privacy protection is provided for internal network users. External network users cannot directly obtain the IP addresses and service information of internal network users.
  • Multiple internal servers can be configured for load balancing, reducing the pressure of each server in case of heavy traffic.
Disadvantages:
  • NAT cannot be performed if the packet header is encrypted. For example, for an encrypted FTP connection, the port command cannot translate IP addresses.
  • Network supervision becomes more difficult. For example, tracing a hacker who attacks a server on the public network from a private network is difficult because the IP address of the hacker has been translated by NAT.


NAT translates the IP addresses in IP packet headers to other IP addresses so that users on internal network can access external networks. Generally, every NAT device maintains an address translation table. The IP addresses of packets that pass through the NAT device and require address translation will be translated against this table. The NAT mechanism involves the following processes:
  • Translate the IP addresses and port numbers of internal hosts into the external addresses and port numbers of the NAT device.
  • Translate the external addresses and port numbers into the IP addresses and port numbers of internal hosts.
That is, NAT implements translation between private address+port number and public address+port number.

NAT devices are located between internal and external networks. The packets exchanged between internal hosts and external servers all pass through the NAT devices. Common NAT devices include routers and firewalls. 


NAT is divided into three categories based on application scenarios.
Source NAT: enables multiple private network users to access the Internet at the same time.
  1. Address pool mode: The public addresses in the address pool are used to translate users' private addresses. This mode applies when many private network users access the Internet.
  2. Outbound interface address mode (easy IP): The IP addresses of internal hosts are translated into the public address of an outbound interface on the public network. This mode applies when the public address is dynamically allocated.
Server mapping: enables external users to access servers on private networks.
    3. Static mapping (NAT server): maps one private address to one public address. This mode applies when public network users access servers on private networks.


Source NAT translates the source IP address (the internal host's address) in IP packet header into a public address. This enables numerous internal hosts to access external resources through limited public addresses and effectively hides the host IP addresses on the LAN.

The address pool mode without port translation is implemented using a NAT address pool that contains multiple public addresses. Only IP addresses are translated, and only one private address is mapped to a public address. If all addresses in the address pool are allocated, NAT cannot be performed for the remaining internal hosts until the address pool has available addresses. 


The address pool mode with port translation is implemented using a NAT address pool that contains one or more public addresses. Addresses and port numbers are both translated so that private addresses share one or more public addresses.

Because addresses and port numbers are both translated, multiple users on a private network can share one public address to access the Internet. The firewall can distinguish users based on port numbers, so numerous users can access the Internet at the same time. This technology uses Layer 4 information to extend Layer 3 addresses. Theoretically, 65,535 private addresses can be translated into the same public address because 65,535 ports are available for each address. The firewall can map data packets from different private addresses to different port numbers of one public address. Compared with one-to-one or many-to-many address translation, this mode greatly improves IP address utilization. Therefore, the address pool mode with port translation is most commonly used.
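The two address pool modes described above (no-PAT, where one private address occupies one whole public address, and PAT, where many private addresses share one public address and are told apart by port) can be modelled as a small translation table. This is an added example, not code from the original page; the pool addresses and the port range are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample input: a NAT address pool of two public addresses
# (documentation range, used purely for illustration).
POOL = ["203.0.113.10", "203.0.113.11"]


@dataclass
class SourceNat:
    """Source NAT address pool in no-PAT (address only) or PAT (address + port) mode."""
    pool: list
    pat: bool
    first_port: int = 1024
    last_port: int = 65535
    forward: dict = field(default_factory=dict)    # (priv_ip, priv_port) -> (pub_ip, pub_port)
    reverse: dict = field(default_factory=dict)    # (pub_ip, pub_port) -> (priv_ip, priv_port)
    addr_map: dict = field(default_factory=dict)   # no-PAT: priv_ip -> pub_ip
    next_port: dict = field(default_factory=dict)  # PAT: pub_ip -> next free port

    def outbound(self, priv_ip, priv_port):
        """Translate the source of a packet leaving the private network.
        Returns (public_ip, public_port), or None if the pool is exhausted."""
        key = (priv_ip, priv_port)
        if key in self.forward:                # existing session: reuse its entry
            return self.forward[key]
        if not self.pat:
            # no-PAT: one private address takes one whole public address and
            # the port is left unchanged; further hosts wait for a free address.
            pub_ip = self.addr_map.get(priv_ip)
            if pub_ip is None:
                free = [p for p in self.pool if p not in self.addr_map.values()]
                if not free:
                    return None                # all pool addresses allocated
                pub_ip = self.addr_map[priv_ip] = free[0]
            mapped = (pub_ip, priv_port)
        else:
            # PAT: each public address offers its whole port range, so many
            # private hosts share one public address, distinguished by port.
            mapped = None
            for pub_ip in self.pool:
                port = self.next_port.get(pub_ip, self.first_port)
                if port <= self.last_port:
                    self.next_port[pub_ip] = port + 1
                    mapped = (pub_ip, port)
                    break
            if mapped is None:
                return None                    # every port on every address in use
        self.forward[key] = mapped
        self.reverse[mapped] = key
        return mapped

    def inbound(self, pub_ip, pub_port):
        """Translate a reply arriving from the Internet back to the private host."""
        return self.reverse.get((pub_ip, pub_port))
```

The tiny PAT port range in the test below only makes exhaustion visible; a real device has the full range per address.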


Easy IP translates private addresses into the public address of the outbound interface, without the need of configuring a NAT address pool. Addresses and port numbers are both translated so that private addresses share public addresses of outbound interfaces. 


In an Ethernet data frame, the IP header contains a 32-bit source address and a 32-bit destination address, and the TCP header contains a 16-bit source port number and a 16-bit destination port number.

Many protocols use the data payload of IP packets to negotiate new ports and IP addresses. After the negotiation is complete, communications parties establish new connections for transmitting subsequent packets. The negotiated ports and IP addresses are often random. Therefore, an administrator cannot proactively configure NAT rules, because errors may occur with these protocols during NAT.

Common NAT can translate the IP addresses and port numbers in UDP or TCP packet headers, but not fields in application layer data payloads. In many application layer protocols, such as multimedia protocols (H.323 and SIP), FTP, and SQLNET, the TCP/UDP payload contains address or port information that common NAT cannot translate. NAT ALG can parse the application layer packet information of the multi-channel protocol and translate required IP addresses and port numbers or specific fields in payloads to ensure proper communication at the application layer.

For example, the FTP application requires both data connection and control connection. The data connection is dynamically established according to the payload field in the control connection. Therefore, the ALG needs to translate the payload field information to ensure the proper establishment of the data connection.

The ASPF function is proposed to implement the forwarding policy of the application layer protocol. ASPF analyzes application layer packets and applies corresponding packet filtering rules, whereas NAT ALG applies corresponding NAT rules to application layer packets. Generally, ASPF interworks with NAT ALG. Therefore, you can run only one command to enable both functions at the same time. 


As shown in this figure, the host on the private network needs to access the FTP server on the public network. The mapping between the private address 192.168.1.2 and the public address 8.8.8.11 is configured on the NAT device. If the ALG does not process the packet payload, the server cannot reach the host using the private address it receives in the PORT packet. As a result, a data connection cannot be established. The communication process consists of four stages:
  1. The host and FTP server establish a control connection through the TCP three-way handshake.
  2. The host sends a PORT packet carrying the specified destination address and port number to the FTP server to establish a data connection.
  3. The ALG-enabled NAT device translates the private address and port number carried in the packet payload into the public address and port number. That is, the NAT device translates the private address 192.168.1.2 in the payload of the received PORT packet into the public address 8.8.8.11, and the port number 1084 into 12487.
  4. The FTP server parses the PORT packet and initiates a data connection to the host, with the destination address 8.8.8.11 and destination port number 12487. Generally, the source port number of the packet is 20. However, the source port numbers of data connections initiated by some servers are larger than 1024 because the FTP protocol does not have strict requirements. In this example, the WFTPD server is used and the source port number is 3004. Since the destination address is a public address, the data connection can be established and the host can access the FTP server.
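The payload rewrite in stage 3 can be shown concretely: the FTP PORT command encodes the address and port as six decimal bytes, so the ALG must decode the private values, substitute the public ones and re-encode them. This is an added example, not code from the original page or from any vendor's ALG; the mapping 192.168.1.2 to 8.8.8.11 and the port 1084 to 12487 are the page's values, and the port allocator is passed in as an assumed callback.

```python
import re

# Constructed sample control-channel payload: the PORT command sent by host
# 192.168.1.2 for data port 1084 (1084 = 4 * 256 + 60), as in the page's example.
PORT_CMD = "PORT 192,168,1,2,4,60\r\n"

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")


def parse_port(payload):
    """Decode an FTP PORT command into (ip, port); None if it is not a valid one."""
    m = PORT_RE.match(payload)
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None                      # malformed: every field is a single byte
    ip = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    return ip, port


def build_port(ip, port):
    """Encode (ip, port) as an FTP PORT command line."""
    octets = ",".join(ip.split("."))
    return "PORT %s,%d,%d\r\n" % (octets, port // 256, port % 256)


def alg_rewrite(payload, static_map, allocate_port):
    """Rewrite the address and port inside a PORT payload the way a NAT ALG does.
    static_map: private ip -> public ip (configured NAT mapping).
    allocate_port: assumed callback returning the public port for (priv_ip, priv_port).
    Returns (new_payload, server_map_entry), or (payload, None) when left untouched."""
    parsed = parse_port(payload)
    if parsed is None or parsed[0] not in static_map:
        return payload, None             # not a PORT command, or no NAT mapping
    priv_ip, priv_port = parsed
    pub_ip = static_map[priv_ip]
    pub_port = allocate_port(priv_ip, priv_port)
    # The ALG also records the negotiated data connection as a server map
    # (triplet) entry, so the server's inbound connection to pub_ip:pub_port
    # is forwarded to the host's private address and port.
    entry = {"public": (pub_ip, pub_port), "private": (priv_ip, priv_port)}
    return build_port(pub_ip, pub_port), entry
```

Because the rewritten command may differ in length from the original, a real ALG must also adjust the TCP sequence and acknowledgement numbers of the control connection, which this example omits.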


In the NAT server function, NAT hides the topology of an internal network. That is, NAT masks the internal hosts. In practice, external users may need to access the internal hosts, for example, a WWW server. External hosts, however, do not have routes destined for the internal hosts. In this case, the NAT server function can be applied.

NAT allows you to add internal servers flexibly. For example, a public address such as 202.202.1.1 or an IP address and port number such as 202.202.1.1:8080 can be used as the external address of the web server.

When external users access internal servers, the following operations are involved:
  • The firewall translates destination addresses of external users' request packets into private addresses of internal servers.
  • The firewall translates source addresses (private addresses) of internal servers' response packets into public addresses.
The firewall supports security zone-based internal servers. For example, if the firewall provides access to external users on multiple network segments, you can configure multiple public addresses for an internal server based on security zone configurations. By mapping different levels of the firewall's security zones to different external network segments and configuring different public addresses for the same internal server based on security zones, you can enable external users on different network segments to access the same internal server. 


Generally, if strict packet filtering is configured, the device permits only internal users to proactively access external networks. In practice, however, this may prevent successful file transfers in FTP. For example, when FTP in port mode is used, the client needs to proactively initiate a control connection to the server, and the server needs to proactively initiate a data connection to the client. If packet filtering configured on the device allows packets through in only one direction, FTP file transfer will fail.

To resolve such issues, the USG device introduces the server map table. The server map is based on triplets and is used to record data connection mappings negotiated using control data or address mappings configured for NAT to allow external users to access internal networks.

If a data connection matches an entry in the server map table, the device will forward the associated packet without looking up the session table.

After the NAT server is configured, the device automatically generates server map entries that record the mappings between public and private addresses.

If no-reverse is not specified, a pair of forward and return static server map entries is generated for each valid NAT server. If no-reverse is specified, the valid NAT server generates only the forward static server map entry. If a NAT server is deleted, the associated server map entries are deleted at the same time.

After No PAT is configured, the device creates a server map table for data flows generated by the configured multi-channel protocol. 


When an internal server proactively accesses an external network, the device cannot translate the private address of the internal server into a public address. Therefore, the internal server cannot initiate a connection to the external network. In this case, you can specify the no-reverse parameter to prevent internal servers from proactively accessing external networks.

If an internal server advertises multiple public addresses for external networks through the NAT server function with no-reverse specified, the internal server cannot access external networks proactively. To enable an internal server to access an external network, configure a source NAT policy. This policy is configured between the security zone of the internal server and the security zone of the external network to translate the private address of the internal server to a public address. The source NAT policy can reference the global address or another public address. 


The source security zone is usually the zone where the pre-NAT private address resides. In this example, it is the trust zone. The destination security zone is usually the zone where the post-NAT public address resides. In this example, it is the untrust zone. 


During NAT server configuration, the external address is the public IP address that the internal server provides for external users.

The internal address is the IP address of an internal server on the LAN. 


On the web configuration page, perform the following steps to configure interzone packet filtering rules:
  • Choose Firewall > Security Policy > Forward Policy.
  • Under Forward Policy List, click Add.
  • Set the parameters.


Reference commands for configuring interzone access rules:
  • [USG6600]security-policy
  • [USG6600-policy-security]rule name natpolicy
  • [USG6600-policy-security-rule-natpolicy]source-address 192.168.0.0 24
  • [USG6600-policy-security-rule-natpolicy]action permit
Source NAT is configured to implement NAT for internal users attempting to access the external network. The data flows from a high-level security zone to a low-level security zone; therefore, the source address should be a network segment that belongs to the internal network, and the address pool allocated to internal users should be an external network segment for access to Internet resources.
  • nat address-group address-group-name
  • section [ section-id | section-name ] start-address end-address
  • nat-mode { pat | no-pat } 


When both NAT and internal servers are configured on the USG, the internal servers have a higher priority and take effect first.

If multiple internal servers use the same public address, you can run the nat server command multiple times to configure them, and distinguish them using protocols. 


When either communication party accesses the other party in a twice NAT scenario, the destination address is not a real address but a NATed address. Generally, internal networks belong to high-priority zones, and external networks belong to low-priority zones. When an external user in a low-priority zone accesses the public address of an internal server, the destination address of the packet is translated into the private address of the internal server. The route destined for the public address must be configured on the internal server.

To avoid configuring a route destined for the public address, you can configure NAT from a low-priority zone to a high-priority zone. If NAT is required for access within the same security zone, configure intrazone NAT. 


In NAT server configuration, the internal server can send the response packet only after the route destined for the public address is configured. To simplify configuration without configuring the route destined for the public address, you can configure the firewall to translate the source address of the external user. The source address after NAT must be on the same network segment as the private address of the internal server. In this way, the internal server sends the response packet to the device by default, and the device then forwards the response packet. 


If both parties that require address translation are in the same security zone, intrazone NAT is involved. When both the user and FTP server are in the Trust zone, the user accesses the public address of the FTP server. In this way, all the packets exchanged between the user and FTP server pass through the firewall, and the internal server and intrazone NAT must be configured.

Intrazone NAT is used when the internal user and server are in the same security zone, but the internal user is required to access only the public address of the server. In intrazone NAT, the destination address of the packet sent to the internal server must be translated from a public address into a private address, and the source address must be translated from a private address into a public address. 

Ref : [1]