
3-Tuple NAT

3-Tuple NAT translates the source addresses and ports of packets. It allows Internet users to access private-network users, which makes it compatible with P2P-based file sharing, audio communication, and video transmission.

If the FW uses 5-tuple NAT (NAPT) in a scenario where intranet PCs access the Internet, extranet devices cannot proactively access intranet PCs through the translated IP addresses and ports.

3-Tuple NAT resolves this issue because it has the following two features. Figure 1 shows its mechanism.

  1. The ports after 3-tuple NAT cannot be reused. This keeps the port of each intranet PC consistent but lowers public IP address utilization.
  2. Extranet devices can proactively access intranet PCs through the translated IP addresses and ports. The FW permits such access packets, even when no security policy is configured for such packets.

    By default, the independent end point filtering function is enabled. With this function enabled, the FW matches a packet sent by an Internet user to an intranet user against the server-map table, translates the addresses based on the matching server-map entry, and forwards the packet without performing a security policy check. If the function is disabled, the FW searches for a matching security policy rule and uses it to determine whether to forward the packet.

Figure 1 Mechanism of 3-tuple NAT

Figure 1 shows the 3-tuple NAT process when host A accesses host B.

  1. After receiving a packet sent from host A, the FW determines that the packet needs to travel between the Trust and Untrust zones based on the destination IP address. After interzone security policy check is performed, the FW searches for the interzone NAT policy and discovers that NAT needs to be performed on the packet.
  2. The FW selects a public IP address from the NAT address pool to replace the source IP address of the packet with 1.1.1.10 and the source port number of the packet with 2296. After a session entry and a server-map entry are established, the FW sends the packet to host B.
  3. After receiving a response packet sent from host B, the FW searches the session table for the session entry established in step 2. The FW replaces the destination IP address of the packet with 192.168.1.2 and the destination port number with 6363, and then sends the packet to host A.
  4. When host C sends a request to access host A before the server-map entry ages out, the FW also searches the server-map table and sends the packet to host A based on the mapping in the table.

The FW generates a server-map table that stores the mappings between host private IP addresses and public IP addresses.

3-Tuple NAT can be categorized into two types:

The FW supports Smart 3-tuple NAT and determines the port assignment mode based on packet destination ports, allowing for the reuse of some public IP addresses. If a packet's destination port number is in the configured range, the NAPT mode is used for port assignment; otherwise, the 3-tuple NAT mode is used.
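The session-table and server-map lookups described in the walk-through above, together with the Smart 3-tuple NAT port-range rule, as an added toy model that is not part of the original page or of any Huawei product code. The private address 192.168.1.2:6363 and public address 1.1.1.10:2296 are the page's own values; hosts B, C and D and the NAPT port range are hypothetical.

```python
from itertools import count

# Constructed sample endpoints: host A's private address and the translated public
# address come from the page's walk-through; the other addresses are hypothetical.
HOST_A = ("192.168.1.2", 6363)    # intranet PC
HOST_B = ("203.0.113.5", 6881)    # Internet peer that host A contacts (hypothetical)
HOST_C = ("198.51.100.9", 40000)  # Internet host that later contacts host A (hypothetical)
HOST_D = ("203.0.113.7", 80)      # web server (hypothetical)


class Fw:
    """Toy model of the FW's session table and server-map table."""

    def __init__(self, public_ip="1.1.1.10", napt_ports=(), eif=True):
        self.public_ip = public_ip
        self.napt_ports = set(napt_ports)  # Smart 3-tuple NAT: dst ports handled in NAPT mode
        self.eif = eif                     # independent end point filtering switch
        self.bindings = {}                 # allocation key -> (pub_ip, pub_port)
        self.sessions = {}                 # (src, dst) -> (pub_ip, pub_port)
        self.server_map = {}               # (pub_ip, pub_port) -> (priv_ip, priv_port)
        self.port_alloc = count(2296)      # next public port to hand out

    def outbound(self, src, dst):
        """Intranet host sends to the Internet; returns the translated source."""
        napt = dst[1] in self.napt_ports
        # 3-tuple mode keys the binding on the private source only, so one public port
        # is kept for every destination; NAPT mode keys it on the whole flow instead.
        key = (src, dst) if napt else src
        if key not in self.bindings:
            self.bindings[key] = (self.public_ip, next(self.port_alloc))
            if not napt:
                self.server_map[self.bindings[key]] = src  # publish the mapping
        pub = self.bindings[key]
        self.sessions[(src, dst)] = pub
        return pub

    def inbound(self, src, dst, policy_allows=False):
        """Internet host sends to a public address/port; returns the private target or None."""
        for (priv, peer), pub in self.sessions.items():
            if pub == dst and peer == src:
                return priv                # reply matched in the session table (step 3)
        priv = self.server_map.get(dst)
        if priv is None:
            return None                    # NAPT-mode binding or aged-out entry: dropped
        if self.eif or policy_allows:
            return priv                    # server-map hit (step 4); no policy check when EIF is on
        return None                        # EIF off: the security policy decides
```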

Copyright © Huawei Technologies Co., Ltd.