
Overview of NAT

Network Address Translation (NAT) supports the translation of source and destination addresses of packets.

NAT Types

NAT is divided into three categories based on the translation mode.

Table 1 NAT Category

| Category | Mode | Translated Item | Port Translated? | Application Scenario |
| --- | --- | --- | --- | --- |
| Source NAT | Source address translation without port translation | Source IP address | No | This mode applies when public IP addresses are sufficient and only a small number of intranet users access the Internet. Private and public addresses are in one-to-one translation relationships. |
| Source NAT | Source address translation with port translation | Source IP address | Yes | This mode applies when many intranet users access the Internet. A large number of private addresses are translated into a few public addresses. |
| Destination NAT | Static destination NAT (including the destination NAT policy and NAT Server): one-to-one mappings between public and private addresses | Destination IP address | Optional | This mode applies when a public address is used to access a private address or multiple public addresses are used to access multiple private addresses. |
| Destination NAT | Static destination NAT (including the destination NAT policy and NAT Server): one-to-one mappings between public and private ports | Destination IP address | Optional | This mode applies when multiple ports of a public address are used to access multiple ports of a private address. |
| Destination NAT | Static destination NAT (including the destination NAT policy and NAT Server): one-to-one mappings between multiple ports of a public address and multiple private addresses | Destination IP address | Yes | This mode applies when multiple ports of a public address are used to access multiple private addresses. |
| Destination NAT | Static destination NAT (including the destination NAT policy and NAT Server): one-to-one mappings between multiple public addresses and multiple private ports | Destination IP address | Yes | This mode applies when multiple public addresses are used to access multiple ports of a private address. |
| Destination NAT | Dynamic destination NAT (including the destination NAT policy and ACL-based destination NAT): public addresses are randomly translated into addresses in the destination address pool | Destination IP address | Optional | This mode applies when there are no fixed mappings between public and private addresses and public addresses are randomly translated into addresses in the destination address pool. |
| Bidirectional NAT | Source NAT + static destination NAT | Source IP address + destination IP address | Optional | This mode applies when both source and destination addresses need to be translated and destination addresses have fixed mappings before and after NAT. |
| Bidirectional NAT | Source NAT + dynamic destination NAT | Source IP address + destination IP address | Optional | This mode applies when both source and destination addresses need to be translated and destination addresses do not have fixed mappings before and after NAT. |

NAT Policy

A NAT policy consists of the translated address (address pool address or outbound interface address), matching condition, and action.

  • Address pool types include Source NAT (NAT No-PAT, NAPT, 3-Tuple NAT, and Smart NAT) and destination address pools. You can select the address pool type or outbound interface mode based on the NAT mode.
  • The matching conditions include the source address, destination address, source security zone, destination security zone, outbound interface, service, and time range. You can configure matching conditions according to requirements to perform NAT on the traffic matching the conditions.

    The destination NAT policy does not support the configuration of the destination security zone and outbound interface.

  • Actions include source address translation and destination address translation. For either type of translation, the action specifies whether NAT is performed or not performed on the traffic that matches the conditions.

If multiple NAT policies are created, the policies are matched top down. Once the traffic matches a NAT policy, the remaining policies are ignored. Bidirectional and destination NAT policies have higher matching priorities than source NAT policies and are ranked in front of them. Bidirectional and destination NAT policies are ranked according to their configuration sequence, as are source NAT policies. A newly added policy, or a policy whose NAT action has been modified, is ranked at the end of the NAT policies of its own type. You can adjust the matching sequence of NAT policies as required, but you cannot move a source NAT policy in front of a bidirectional or destination NAT policy.

NAT Processing Flow

Different NAT types correspond to different NAT policies, and the FW matches these policies with different priorities.

As shown in the preceding figure, the NAT processing flow is described as follows:

  1. The FW receives a packet from a user and searches for a server-map entry generated by the NAT Server function:
    • If a match is found, the FW translates the destination address based on the entry and performs step 4.
    • If no match is found, the FW performs step 2.
  2. The FW searches for ACL-based destination NAT. If the packet meets the matching condition, the destination address of the packet is translated and step 4 is performed. If the packet does not meet the matching condition, go to step 3.
  3. The FW searches for destination NAT in the NAT policy. If the packet meets the matching condition, the destination address of the packet is translated, and the packet is then forwarded based on the routing table. If the packet does not meet the matching condition, it is directly forwarded based on the routing table.
  4. The FW searches routing information, including policy-based routing, to obtain a route for the packet:
    • If a matching route is found, the FW performs step 5.
    • If no matching route is found, the FW discards the packet.
  5. The FW searches for a security policy:
    • If the security policy allows the packet to pass through and the packet did not match a destination NAT or bidirectional NAT policy earlier, the FW performs step 6.
    • If the security policy allows the packet to pass through and the packet matched a bidirectional NAT policy earlier, the FW translates the source address directly, creates a session for the packet, and performs step 7.
    • If the security policy allows the packet to pass through and the packet matched a destination NAT policy earlier, the FW directly creates a session for the packet and performs step 7.
    • If the security policy does not allow the packet to pass through, the packet is discarded.
  6. The FW searches for a Source NAT entry:
    • If the packet matches a Source NAT entry, the FW translates the source address from a private address to a public address and creates a session for the packet.
    • If the packet does not match any Source NAT entry, the FW directly creates a session for the packet.
  7. The FW sends the packet based on the session.

Destination NAT in the NAT policy is processed before the route lookup and the security policy, whereas source NAT in the NAT policy is processed after them. Therefore, the route lookup and the security policy see the source address before NAT and the destination address after NAT; a security policy must be written against those addresses, not the original destination or the translated source.
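The seven-step flow above, together with the policy ranking rule from the NAT Policy section (bidirectional and destination policies ahead of source policies, configuration order within a type), modelled as an added Python example. This is not Huawei's code; every address, table and policy is constructed, and a simple trusted-subnet check stands in for the security policy.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

Packet = namedtuple("Packet", "src dst dport")

# Constructed tables; all addresses are hypothetical documentation-range values.
SERVER_MAP = {("203.0.113.10", 443): "10.0.0.10"}   # step 1: NAT Server server-map entries
ACL_DST_NAT = {("203.0.113.20", 80): "10.0.0.20"}   # step 2: ACL-based destination NAT
CONFIGURED = [                                      # NAT policies in the order they were configured
    {"type": "source", "src": "192.168.1.0/24", "new_src": "203.0.113.1"},
    {"type": "destination", "dst": "203.0.113.30/32", "new_dst": "10.0.0.30"},
    {"type": "bidirectional", "dst": "203.0.113.40/32", "new_dst": "10.0.0.40", "new_src": "10.0.0.1"},
]
ROUTES = [ip_network("10.0.0.0/8"), ip_network("198.51.100.0/24")]
TRUSTED = ip_network("192.168.1.0/24")              # stand-in security policy: permit only this source range

def rank_policies(policies):
    """Destination/bidirectional policies rank ahead of source policies; config order is kept within a type."""
    return sorted(policies, key=lambda p: p["type"] == "source")   # sorted() is stable

NAT_POLICIES = rank_policies(CONFIGURED)

def first_match(pkt, types):
    """Top-down match: the first policy of an allowed type whose condition matches wins."""
    for pol in NAT_POLICIES:
        field = "src" if pol["type"] == "source" else "dst"
        if pol["type"] in types and ip_address(getattr(pkt, field)) in ip_network(pol[field]):
            return pol
    return None

def process(pkt):
    """Walk steps 1-7; return (verdict, packet after NAT, (src, dst) the route and security policy saw)."""
    matched = None
    if (pkt.dst, pkt.dport) in SERVER_MAP:          # step 1: server-map entry
        pkt, matched = pkt._replace(dst=SERVER_MAP[(pkt.dst, pkt.dport)]), "server-map"
    elif (pkt.dst, pkt.dport) in ACL_DST_NAT:       # step 2: ACL-based destination NAT
        pkt, matched = pkt._replace(dst=ACL_DST_NAT[(pkt.dst, pkt.dport)]), "acl"
    elif pol := first_match(pkt, {"destination", "bidirectional"}):   # step 3: destination NAT policy
        pkt, matched = pkt._replace(dst=pol["new_dst"]), pol
    if not any(ip_address(pkt.dst) in r for r in ROUTES):   # step 4: route lookup on the post-NAT destination
        return "dropped: no route", pkt, None
    seen = (pkt.src, pkt.dst)                       # pre-NAT source, post-NAT destination
    if ip_address(pkt.src) not in TRUSTED:          # step 5: security policy
        return "dropped: security policy", pkt, seen
    if isinstance(matched, dict):                   # a destination/bidirectional NAT policy matched earlier
        if matched["type"] == "bidirectional":      # source translated directly by that policy
            pkt = pkt._replace(src=matched["new_src"])
    elif pol := first_match(pkt, {"source"}):       # step 6: source NAT
        pkt = pkt._replace(src=pol["new_src"])
    return "forwarded", pkt, seen                   # step 7: send based on the session
```

The third element returned by process() is the address pair the route lookup and security policy evaluated, which is the pair a security policy must be written against.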

Copyright © Huawei Technologies Co., Ltd.