
Smart NAT

Smart NAT supplements No-PAT: it is a mode in which one IP address in the address pool is reserved for NAPT while the other addresses are used in No-PAT mode. Smart NAT applies to scenarios where each private network user can usually be assigned its own public IP address from the address pool, but public addresses are occasionally insufficient.

In No-PAT mode, addresses are translated one to one. As the number of intranet users grows, the address pool may no longer hold enough addresses to meet users' Internet access requirements, so some users cannot access the Internet. In this case, the reserved IP address is used for NAPT so that those users can still access the Internet. Figure 1 shows the mechanism.

Figure 1 Mechanism of Smart NAT

When multiple hosts on the intranet simultaneously access the server, the process is as follows:

  1. Upon receiving a packet from the intranet, the FW first checks the destination IP address and determines that the packet is traveling from the Trust zone to the Untrust zone. If the packet is permitted by an interzone security policy, the FW searches for a matching NAT policy and finds that address translation is required.
  2. If the NAT address pool has an available public address, the FW replaces the source IP address of the packet with that public IP address and forwards the packet to the server. At the same time, the FW adds an entry to the session table.
  3. If the NAT address pool has no available public address, the FW replaces the source IP address of the packet with the reserved NAPT address, replaces the source port with a new port, and forwards the packet to the Internet. At the same time, the FW adds an entry to the session table.

In this mode, the FW preferentially uses the No-PAT mode. After the public addresses available for No-PAT are exhausted, the reserved IP address is used for NAPT for subsequent user connections.
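The allocation order described above, modelled as an added Python simulation (not Huawei code and not the FW's actual implementation): public addresses in the pool are handed out one to one with the source port unchanged (No-PAT), and once the pool is exhausted later connections are translated to the single reserved address with a fresh source port (NAPT). Every session is recorded in a session-table list. The pool addresses, reserved address, private hosts and port range are constructed sample values; the simulation also does not age out No-PAT bindings, which a real FW would do when the session expires.

```python
"""Simulation of the Smart NAT allocation order (added example, not Huawei code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class SessionEntry:
    """One row of the simulated session table."""
    private_ip: str
    private_port: int
    public_ip: str
    public_port: int
    mode: str  # "No-PAT" or "NAPT"


@dataclass
class SmartNat:
    pool: List[str]                 # public addresses used for No-PAT (sample values)
    reserved_ip: str                # the single address reserved for NAPT
    napt_port_start: int = 1024     # assumed port range for NAPT on the reserved address
    napt_port_end: int = 65535
    no_pat_bindings: Dict[str, str] = field(default_factory=dict)  # private_ip -> public_ip
    sessions: List[SessionEntry] = field(default_factory=list)
    _free_pool: List[str] = field(init=False)
    _next_port: int = field(init=False)

    def __post_init__(self) -> None:
        self._free_pool = list(self.pool)
        self._next_port = self.napt_port_start

    def translate(self, private_ip: str, private_port: int) -> Optional[SessionEntry]:
        """Translate one outbound connection; returns None if no translation is possible."""
        # Step 2: reuse this host's No-PAT binding, or take a free pool address.
        if private_ip in self.no_pat_bindings:
            public_ip = self.no_pat_bindings[private_ip]
            entry = SessionEntry(private_ip, private_port, public_ip, private_port, "No-PAT")
        elif self._free_pool:
            public_ip = self._free_pool.pop(0)
            self.no_pat_bindings[private_ip] = public_ip
            entry = SessionEntry(private_ip, private_port, public_ip, private_port, "No-PAT")
        else:
            # Step 3: pool exhausted, fall back to NAPT on the reserved address
            # with a new source port per connection.
            if self._next_port > self.napt_port_end:
                return None  # reserved address has no ports left: connection cannot be translated
            entry = SessionEntry(private_ip, private_port, self.reserved_ip, self._next_port, "NAPT")
            self._next_port += 1
        self.sessions.append(entry)  # the FW adds an entry to the session table
        return entry


def run_demo() -> List[tuple]:
    """Three intranet hosts share a two-address pool plus one reserved address."""
    nat = SmartNat(pool=["203.0.113.1", "203.0.113.2"], reserved_ip="203.0.113.10")
    connections = [("10.1.1.1", 40000), ("10.1.1.2", 40001),
                   ("10.1.1.3", 40002), ("10.1.1.3", 40003), ("10.1.1.1", 40004)]
    results = []
    for ip, port in connections:
        e = nat.translate(ip, port)
        results.append((e.private_ip, e.public_ip, e.public_port, e.mode))
    return results


if __name__ == "__main__":
    for row in run_demo():
        print(row)
```

In the demo the first two hosts get pool addresses with their ports preserved, the third host's connections are both translated to the reserved address with successive ports, and the first host's second connection reuses its No-PAT binding. When the reserved address runs out of ports the simulation returns None, which is the condition a defender should monitor for: an exhausted pool plus heavy NAPT load is what makes user connections fail in this mode.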

Copyright © Huawei Technologies Co., Ltd.