About Bidirectional NAT
Bidirectional NAT translates both the source information and the destination information in packets. It is not an independent function; it is a combination of source NAT and destination NAT applied to the same flow. When the firewall receives a packet, it translates both the source and the destination address.
Bidirectional NAT applies mainly to the following scenarios:
Extranet Users Accessing Intranet Servers
When an extranet user accesses an intranet server, bidirectional NAT can translate both the source and destination addresses of the packet, so that no gateway needs to be set on the intranet server, which simplifies configuration.
Figure 1 Mechanism for extranet users accessing intranet servers
As shown in Figure 1, when the host accesses the server, the FW performs as follows:
- The FW performs address translation for the packet that matches the bidirectional NAT policy.
- The FW selects a private IP address from the destination NAT address pool to replace the destination IP address of the packet and replaces the destination port number with the new port number.
- The FW checks whether the packet passes the security policy. If so, the FW replaces the source IP address of the packet with a private IP address picked from the NAT address pool and the source port with a new port, and then forwards the packet to the intranet. At the same time, the FW adds an entry in the session table.
- Upon receiving the server's reply to the host, the FW searches the session table and matches the entry created earlier. Accordingly, the FW restores the source and destination addresses of the packet to the original source and destination addresses, and the source and destination ports to the original source and destination ports. Then the FW forwards the packet to the Internet.
Intranet Users Accessing Intranet Servers
Users on the intranet access the intranet server, which is on the same subnet and in the same security zone as the users, through the server's public address.
Figure 2 Mechanism for intranet users accessing intranet servers
As shown in Figure 2, when the host accesses the server, the FW performs as follows:
- The FW performs address translation for the packet that matches the bidirectional NAT policy.
- The FW selects a private IP address from the destination NAT address pool to replace the destination IP address of the packet and replaces the destination port number with the new port number.
- The FW checks whether the packet passes the security policy. If so, the FW replaces the source IP address of the packet with a public IP address picked from the NAT address pool and the source port with a new port, and then forwards the packet to the intranet. At the same time, the FW adds an entry in the session table.
- Upon receiving the server's reply to the host, the FW searches the session table and matches the entry created earlier. Accordingly, the FW restores the source and destination addresses of the packet to the original source and destination addresses, and the source and destination ports to the original source and destination ports. Then the FW forwards the packet to the host.
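The forward and reply steps of both scenarios above (destination NAT, security policy check, source NAT, session entry, reverse translation), as an added Python model that is not part of the original documentation or the FW's own code; the addresses, pool contents, port allocator and the security-policy callback are constructed assumptions:

```python
from collections import namedtuple

# Packet as the 4-tuple that NAT rewrites; all addresses used with it are constructed examples.
Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port")

class BidirectionalNatFirewall:
    """Toy model of the FW steps above: destination NAT, security policy check,
    source NAT, session table entry, and reverse translation of the reply."""

    def __init__(self, public_service, dst_pool, src_pool, policy):
        self.public_service = public_service  # (ip, port) that clients send to
        self.dst_pool = dst_pool              # destination NAT pool: real server (ip, port) entries
        self.src_pool = src_pool              # source NAT pool: addresses the FW uses as new source
        self.policy = policy                  # security policy callback: policy(src_ip, dst_ip) -> bool
        self.count = 0                        # drives round-robin pool choice and new port numbers
        self.sessions = {}                    # reply 4-tuple -> original packet from the host

    def forward(self, pkt):
        """Translate a packet from the host towards the server, or drop it (None)."""
        if (pkt.dst_ip, pkt.dst_port) != self.public_service:
            return pkt  # does not match the bidirectional NAT policy: left untranslated
        # Step 1: destination NAT picks the real server address and port from the pool
        real_ip, real_port = self.dst_pool[self.count % len(self.dst_pool)]
        # Step 2: the security policy is checked after the destination is translated
        if not self.policy(pkt.src_ip, real_ip):
            return None
        # Step 3: source NAT replaces the source address and allocates a new source port
        new_src_ip = self.src_pool[self.count % len(self.src_pool)]
        new_port = 10000 + self.count
        self.count += 1
        # Step 4: record the session so the reply can be mapped back to the original tuple
        self.sessions[(real_ip, real_port, new_src_ip, new_port)] = pkt
        return Packet(new_src_ip, new_port, real_ip, real_port)

    def reply(self, pkt):
        """Restore the server's reply to the host's original addresses and ports."""
        original = self.sessions.get((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
        if original is None:
            return None  # no matching session entry: the FW holds no state for this reply
        return Packet(original.dst_ip, original.dst_port, original.src_ip, original.src_port)
```

A reply that matches no session entry is returned as None, which is the state-less case a firewall drops rather than forwarding.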
The FW also supports bidirectional NAT that combines source NAT with NAT Server: source NAT translates the source address of the packet and NAT Server translates the destination address, which together implement bidirectional NAT. For NAT Server configuration examples, see Configuration NAT Server.