
Limitations and Precautions for NAT

Hardware Requirements

The USG6510E/6510E-POE/6530E does not support NAT address pool detection or 3-tuple NAT.

License Requirements

The NAT function is not license-controlled.

Restrictions of Source NAT

  • IP addresses in an address pool can overlap NAT Server public IP addresses and interface IP addresses. However, when configuring Source NAT, either NAT No-PAT or 3-Tuple NAT, do not add device interface addresses to the NAT address pool. This is because the two types of Source NAT can generate dynamic server-map entries. When receiving packets, the device preferentially matches packets with server-map entries, affecting the access to the device.
  • The FW does not perform NAPT for GRE and AH packets. After receiving a GRE or AH packet, the FW sets the port in the packet to 0 based on the NAPT configuration. However, the packet received by the FW in the reverse direction has no port information. In this case, the forward and return packets have different port information, causing service interruption.
  • For Source NAT in transparent mode (the service interface works in switching mode), the FW can use addresses in the address pool as post-NAT source addresses and does not support the easy-IP mode.
  • The NAT address pool detection function is unavailable only when the address pool works in PCP mode.
  • Whether a black-hole route is needed depends on how the NAT address pool relates to the outgoing interface address:
    • If the NAT address pool and outgoing interface address are in different network segments, a black-hole route is required. When an Internet host requests an address in a NAT address pool, the FW receives the request packet but cannot match the packet with the session table, and therefore forwards the packet to the router based on the default route. After the router receives the packet, it sends the packet back to the FW according to the routing table. The packet is then forwarded back and forth between the FW and router, causing a routing loop. To prevent such a routing loop, you must configure a black-hole route.
    • If the NAT address pool and outgoing interface address are in the same network segment, configuring a black-hole route is recommended. The black-hole route helps prevent routing loops. If Internet users initiate a large number of access requests, the FW sends many ARP requests, consuming system resources. If a black-hole route is available in this situation, the FW does not send ARP requests, saving system resources.
    • You can run the ip route-static ip-address NULL 0 command to directly configure a black-hole route or run the route enable command to configure a user network route (UNR). The UNR has the same function as the black-hole route and can be imported to a dynamic routing protocol, such as OSPF, and be advertised.
    • If the NAT address pool is consistent with the outgoing interface address, after the FW receives a packet from the Internet to the FW itself, the security policy between the security zone of the WAN interface and the Local security zone determines how the FW processes the packet. If the policy permits the packet, the FW processes it. If the policy denies the packet, the FW discards it. In this situation, no routing loop occurs, and no black-hole route is required.
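The routing loop described above, and the way a black-hole route stops it, can be traced in a small forwarding model. The following Python is an added example written for this page, not code from the Huawei documentation: it uses a constructed topology (FW WAN interface 198.51.100.1/24, NAT address pool 203.0.113.0/24, an upstream router), a longest-prefix-match routing table per device, and a session table reduced to the set of destination addresses the FW would match. The names `fw`, `router`, `local` and `NULL0` are assumptions of the model. It also shows the point a practitioner usually wants confirmed: because the FW consults the session table before routing, the black-hole route does not affect return traffic of existing NAT sessions.

```python
import ipaddress

NULL0 = "NULL0"  # black-hole next hop, standing in for the "NULL 0" interface in the text


class Node:
    """A forwarding device with a longest-prefix-match routing table (constructed model).

    routes: list of (network, next_hop); next_hop is another node name, NULL0,
    or a terminal label such as "local"/"internet" where the packet leaves the model.
    """

    def __init__(self, name, routes):
        self.name = name
        self.routes = [(ipaddress.ip_network(n), nh) for n, nh in routes]

    def next_hop(self, dst):
        matches = [(net, nh) for net, nh in self.routes if dst in net]
        if not matches:
            return None
        return max(matches, key=lambda m: m[0].prefixlen)[1]


def trace(nodes, first_hop, dst, sessions=(), ttl=8):
    """Forward a packet arriving from the Internet at `first_hop` toward `dst`.

    Returns (outcome, hops). `sessions` lists destination addresses the FW
    session table would match; unsolicited traffic to a pool address is not in it.
    """
    dst = ipaddress.ip_address(dst)
    sessions = {ipaddress.ip_address(s) for s in sessions}
    cur, hops = first_hop, [first_hop]
    while True:
        # The FW matches the session table before consulting its routing table.
        if cur == "fw" and dst in sessions:
            return "matched-session", hops
        nh = nodes[cur].next_hop(dst)
        if nh is None:
            return "no-route", hops
        if nh == NULL0:
            return "blackholed", hops
        if nh not in nodes:  # terminal label: delivered to the device itself or to the Internet
            hops.append(nh)
            return "delivered:" + nh, hops
        ttl -= 1
        if ttl == 0:
            return "ttl-expired-loop", hops
        cur = nh
        hops.append(cur)


POOL = "203.0.113.0/24"  # constructed NAT address pool, not in the WAN interface's segment


def build(blackhole):
    """Constructed topology; with blackhole=True the FW has the route for the pool to NULL 0."""
    fw_routes = [("198.51.100.0/24", "local"), ("0.0.0.0/0", "router")]
    if blackhole:
        fw_routes.append((POOL, NULL0))  # equivalent of: ip route-static <pool> NULL 0
    return {
        "fw": Node("fw", fw_routes),
        "router": Node("router", [(POOL, "fw"), ("198.51.100.0/24", "fw"), ("0.0.0.0/0", "internet")]),
    }


if __name__ == "__main__":
    for bh in (False, True):
        print("black-hole route:", bh, trace(build(bh), "router", "203.0.113.10"))
        print("black-hole route:", bh, trace(build(bh), "router", "203.0.113.10", sessions=["203.0.113.10"]))
```

Without the black-hole route the unsolicited packet to 203.0.113.10 bounces between router and FW until its TTL expires; with it, the FW's longest-prefix match sends the packet to NULL 0 on the first pass, while a packet that matches a session is still translated and forwarded.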
  • When you configure 3-Tuple NAT, smart 3-Tuple NAT is recommended so that 3-Tuple NAT is not implemented on the application traffic that is proactively initiated to access the Internet (unidirectional access to Internet websites). In doing so, system resource consumption is reduced.

Restrictions of Destination NAT

  • When the dynamic NAT policy mode is used, if the public network address and the public network interface address are on the same network segment, you need to configure static ARP on the peer device to divert the traffic to the FW. Otherwise, the FW cannot receive traffic.
  • If NAT Server is configured on a FW to map private addresses to the public IP address of a FW WAN interface, you cannot use the web UI or perform Telnet or ping operations on that interface. To remove this restriction, enable port translation and specify a protocol and port number when you configure NAT Server.
  • When you configure destination NAT or bidirectional NAT for a NAT policy, the advertisement of the UNR route is not supported. To prevent a route loop, you need to manually configure a blackhole route to the pre-NAT destination IP address.
  • If NAT Server is configured with a protocol and port and the global address of NAT Server and the WAN interface address are in different network segments, the FW receives the request packet but cannot match the packet with the session table, and therefore forwards the packet to the router based on the default route. After the router receives the packet, it sends the packet back to the FW according to the routing table. Then, the packet is circularly forwarded between the FW and router, causing a routing loop. To prevent such a routing loop, you must configure a black-hole route.
  • If NAT Server is configured with a protocol and port and the global address of NAT Server and the WAN interface address are in the same network segment, configuring a black-hole route is recommended. The black-hole route helps prevent routing loops. If Internet users initiate a large number of access requests, the FW sends many ARP requests, consuming system resources. If a black-hole route is available in this situation, the FW does not send ARP requests, saving system resources.
  • When the global address of NAT Server is consistent with the WAN interface address, after the FW receives a packet from the Internet, if the packet matches a server-map entry, the FW translates the packet's address and forwards the packet to the specified private network; if the packet does not match any server-map entries, the FW considers the packet destined for the FW itself. In this case, the security policy between the security zone of the WAN interface and the Local security zone determines how the FW processes the packet. If the policy permits the packet, the FW processes it. If the policy denies the packet, the FW discards it. In this situation, no routing loop occurs, and no black-hole route is required.
  • If an intranet server uses ephemeral ports to connect to intranet and Internet hosts, configure the port mapping function on the FW to map the packets on the ephemeral ports to the packets that can be transmitted using well-known ports.
  • When you configure NAT Server in a scenario where an internal server advertises multiple public IP addresses for external access and the links to these public IP addresses are planned in the same security zone, you must configure NAT Server with the no-reverse parameter. Note that after you specify the no-reverse parameter, the internal server cannot proactively access external networks.
  • Ensure that a public IP address is not used by both a NAT address pool and NAT Server. If this situation cannot be avoided, configure both a public IP address and port number in NAT Server and exclude the port number from the NAT address pool. Otherwise, server mapping entries may conflict, causing address translation failures.

Restrictions of ESP NAT

  • When you configure ESP NAT for NAT, you are advised to configure a security policy to block access initiated from the Internet. When you configure ESP NAT for NAT Server, you are advised to configure a security policy to block access initiated from the internal network. If no such policy is configured and the two ends in the internal network and Internet initiate access requests at the same time, the forward and reverse packets use the same SPI value as the port number, so the FW considers this a port conflict. Consequently, services are interrupted.
  • In the ESP NAT scenario, when there are sufficient public network addresses, configure the device not to translate the private network IP addresses of different ESP packets into different public network IP addresses, preventing connection conflicts.
  • In ESP NAT scenarios, if the two ends of the IPSec tunnel do not support the keepalive function, run the firewall session aging-time command on the intermediate NAT device to set the session aging time to a value that is larger than the tunnel renegotiation time. Otherwise, after sessions age, the ports of the renegotiation packets are translated to other ports, causing the negotiation to fail.
  • In the ESP NAT scenario, if firewall esp nat enable is not used to enable the ESP NAT function on an intermediate NAT device and the device already has ESP sessions, you must run the reset firewall session table protocol esp command to clear ESP forward sessions and then enable the ESP NAT function. Session information is restored after the original reverse ESP sessions are aged. If you run the firewall esp nat enable command to enable the ESP NAT function when the intermediate NAT device has ESP sessions, services are interrupted due to mismatched ports for forward and reverse sessions. Therefore, in the ESP NAT scenario, you are advised to first run the firewall esp nat enable command to enable the ESP NAT function.

Restrictions of NAT66

  • When configuring NPTv6, set the following items in the matching condition to 64 or a smaller value: the prefix length of the source address for source NAT, the prefix length of the destination address for destination NAT, and the prefix lengths of the source and destination addresses for bidirectional NAT.
  • When configuring static NAT66, ensure that the length of the address prefix in the matching condition is the same as the length of the post-NAT address prefix. Only one address prefix can be configured for the source address matching condition of the NAT66 policy, and the same applies to the destination address matching condition.
  • Destination NAT is not available when the pre-NAT public IP address and interface IP address are on the same network segment. This is because the firewall does not support ND response to the pre-NAT public IP address, which leads to a failure to access the firewall from the peer end.
  • When configuring static NAT66, do not configure the same source NAT action if the protocol, destination address, and destination security zone in the matching conditions are the same. (For example, when the protocol, destination address, and destination security zone in the matching conditions of two NAT policies are the same but the source IP addresses of users belong to different network segments, if the same source NAT action is configured, the source addresses of packets will be translated into the same address, causing access conflicts). If the source address, source security zone, and protocol in the matching conditions are the same, do not configure the same destination NAT action. (For example, when the source address, destination security zone, and protocol in the matching conditions of two NAT policies are the same but users access different destination addresses, if the same destination NAT action is configured, the destination addresses of packets will be translated into the same address, causing access conflicts.)
  • NAT66 prefixes cannot overlap with the IP prefixes of the inbound and outbound interfaces of NAT traffic on the device. Otherwise, services in this scenario become unavailable because the device does not support sending NA packets based on the post-NAT66 IP address of the packets.

Restrictions for the Use with Hot Standby

  • Hot standby networking does not support NAT address pool detection.
  • In hot standby deployment in load balancing mode, if NAT is in NAPT mode, you must run the hrp nat resource primary-group command on one FW and run the hrp nat resource secondary-group command on the other FW to divide the ports for the addresses in the address pool into two segments to prevent port conflicts.
  • In hot standby networking in load balancing mode, if NAT is in NAT NO-PAT mode, you must run the nat resource load-balance enable command to enable one device to perform both address and port allocation so that the addresses and ports allocated to the two devices are not in conflict with each other. After you run this command, the heartbeat interface traffic will increase (the increased traffic volume is subject to the size of live network services, generally the size of the first packet). You need to check whether the heartbeat interface bandwidth is sufficient.
  • In hot standby scenarios, no interface IP address of the active or standby device is allowed in the NAT address pool. If the NAT address pool contains interface IP addresses, both the active and standby devices will respond to the ARP request sent by the upstream device for addresses in the address pool, causing an ARP conflict.
  • In a hot standby scenario, the source or destination IP addresses in the NAT policy cannot contain the IP address of the heartbeat interface. Otherwise, NAT is performed for heartbeat packets, causing a heartbeat link communication exception.
  • In hot standby networking in load balancing mode, the address pool mode can be PAT (including port pre-allocation) or No-PAT and cannot be 3-tuple (including static mapping).
  • The non-mirroring hot standby scenario does not support easy-IP. Easy-IP directly uses the public IP address of an interface as the post-NAT address, so in a non-mirroring hot standby scenario the post-NAT address is the active device's interface address. Because the standby device does not have the active device's interface address, sessions backed up from the active device to the standby device are unavailable. In addition, when upstream devices learn ARP entries, they learn the active device's MAC address but fail to learn the standby device's MAC address. Therefore, do not use easy-IP in non-mirroring hot standby scenarios.

Restrictions for the Use with Virtual Systems

  • The global address of NAT Server in the root system cannot conflict with the public IP addresses allocated to virtual systems.
  • The NAT address pool in the root system cannot conflict with the public IP addresses allocated to virtual systems.
  • nat port-block syslog-related commands can be used only in the root system and take effect on all virtual systems.

Restrictions on the Use with IPSec

If destination NAT is configured on an interface where an IPSec policy group applies, the IPSec configuration may not take effect because the device performs NAT first.

  • If the interface implements IPSec but not NAT, the action of the ACL rule referenced by destination NAT needs to be set to deny, and the destination IP address of the rule needs to be set to that of the ACL rule referenced by the IPSec policy.
  • If the interface implements NAT but not IPSec, the destination IP address of the ACL rule referenced by the IPSec policy cannot be a NATed IP address.
  • If the interface implements both NAT and IPSec, the destination IP address of the ACL rule referenced by the IPSec policy must be a NATed IP address.

Restrictions on the Use with Clusters

  • The cluster function supports only PAT and NAT Server. Other NAT functions are not supported.
  • A NAT address pool can be advertised only through one business group.
  • In cluster scenarios, no interface IP address of the master or standby business device is allowed in the NAT address pool. If the NAT address pool contains interface IP addresses, both the master and standby business devices will respond to the ARP request sent by the upstream device for addresses in the address pool, causing an ARP conflict.
  • In a cluster, if the NAT address pool and the interface address are on the same network segment, one of the following conditions must be met. Otherwise, multiple devices in the cluster will reply to an ARP request, resulting in conflicts.
    • Configure VRRP. If the NAT address pool and the VRRP address are on the same network segment, only the VRRP master device sends gratuitous ARP packets and responds to ARP requests. If the NAT address pool and the VRRP address are on different network segments, run the vrrp command in the address pool view to ensure that only one member of the cluster responds to ARP requests.
    • Configure traffic diversion for the cluster service and advertise the NAT address pool address in UNR mode.

Other Restrictions

  • RAW IP packets without the UDP/TCP header cannot match any NAT policy for address translation.
  • When using both a VPN and NAT, specify proper matching NAT policy conditions to avoid NAT being performed on data flows that are to be encapsulated on the VPN.
  • After the nat statistics enable command is used to enable NAT address pool statistics, performance decreases by 5% during the measurement period. While NAT address pool statistics are being collected (about 10 seconds), the CPU usage increases slightly (about 5%). The CPU usage returns to normal after statistics collection is complete.
  • After the ip-detect healthcheck command is used to enable NAT address pool detection, the FW periodically sends detection packets to remote servers. The source address of each detection packet is an address in the address pool. The more addresses the address pool has, the more detection packets the FW sends. The detection function occupies certain system resources and affects device performance.
  • After NAT configurations are modified, ACL-based destination NAT sessions are not updated. Sessions related to the NAT policy and NAT Server are updated. However, address pool changes in the NAT policy do not cause sessions to be updated immediately. For the configurations to take effect immediately, run the reset firewall session table command to reset the relevant session table information. Before you clear a session table, run the reset firewall session table command with parameters specified so that only a narrow scope of information is cleared. Otherwise, services will be interrupted.
  • If a source IP address needs to be specified for a NAT policy, the source IP address should be a private IP address before NAT. If NAT Server is used together with Source NAT and a destination IP address must be specified for a NAT policy, the destination IP address should be the private IP address of NAT Server.
  • The IP address and port number used to log in to the SSL VPN virtual gateway and device web UI cannot conflict with the public IP address and port number configured for NAT Server. Otherwise, login to the virtual gateway or device web UI will fail.
  • When NAT Server and DNS ALG are used together, you are advised not to specify both the port and protocol in the NAT Server configuration simultaneously. Otherwise, DNS ALG address translation fails.
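Several of the restrictions on this page (interface addresses in a No-PAT or 3-tuple address pool and, in hot standby, in any address pool; a public IP address shared by an address pool and a NAT Server entry without a port; a NAT address pool outside the outgoing interface's segment with no black-hole route; a heartbeat interface address referenced by a NAT policy) are static properties of a configuration and can be checked before deployment. The following Python is an added example written for this page, not a tool from Huawei or part of the product: it lints a constructed, simplified configuration model (a dictionary whose keys `interfaces`, `address_pools`, `nat_servers`, `nat_policy_ips`, `blackhole_routes`, `outgoing_interface`, `heartbeat_interface` and `hot_standby` are assumptions of this example, not device commands). In hot standby the `interfaces` dictionary is assumed to list the addresses of both the active and the standby device. The port-exclusion refinement for a shared public address is not modelled.

```python
import ipaddress


def _in_range(ip, pool):
    """True if `ip` lies within the pool's inclusive start-end range."""
    return int(ipaddress.ip_address(pool["start"])) <= int(ip) <= int(ipaddress.ip_address(pool["end"]))


def check_nat_config(cfg):
    """Return a list of 'CODE: detail' findings for the restrictions modelled here."""
    findings = []
    ifaces = {name: ipaddress.ip_interface(addr) for name, addr in cfg["interfaces"].items()}
    out_if = ifaces[cfg["outgoing_interface"]]
    blackholes = [ipaddress.ip_network(b) for b in cfg.get("blackhole_routes", [])]

    for pool in cfg["address_pools"]:
        start, end = ipaddress.ip_address(pool["start"]), ipaddress.ip_address(pool["end"])
        # No-PAT and 3-tuple pools create dynamic server-map entries, so interface addresses
        # must stay out of them; in hot standby this holds for every pool mode (ARP conflict).
        strict = pool["mode"] in ("no-pat", "3-tuple") or cfg.get("hot_standby", False)
        for name, iface in ifaces.items():
            if strict and _in_range(iface.ip, pool):
                findings.append(f"POOL_HAS_INTERFACE_IP: pool {pool['name']} contains {name} address {iface.ip}")
        # A public address used by both a pool and NAT Server needs a port on the NAT Server side.
        for srv in cfg.get("nat_servers", []):
            if _in_range(ipaddress.ip_address(srv["global"]), pool) and srv.get("port") is None:
                findings.append(f"POOL_NATSERVER_OVERLAP: {srv['global']} is in pool {pool['name']} "
                                f"and NAT Server has no port")
        # A pool outside the outgoing interface's segment needs a black-hole route covering it.
        in_segment = start in out_if.network and end in out_if.network
        covered = any(start in bh and end in bh for bh in blackholes)
        if not in_segment and not covered:
            findings.append(f"MISSING_BLACKHOLE_ROUTE: pool {pool['name']} ({pool['start']}-{pool['end']}) "
                            f"is outside {out_if.network} and no black-hole route covers it")

    # NAT must never touch heartbeat traffic, so the heartbeat address may not appear in a NAT policy.
    hb = cfg.get("heartbeat_interface")
    if hb:
        for ip in cfg.get("nat_policy_ips", []):
            if ipaddress.ip_address(ip) == ifaces[hb].ip:
                findings.append(f"HEARTBEAT_IP_IN_NAT_POLICY: NAT policy references heartbeat address {ip}")
    return findings


def finding_codes(cfg):
    """Sorted set of finding codes, convenient for summaries and tests."""
    return sorted({f.split(":")[0] for f in check_nat_config(cfg)})


# Constructed configuration that violates four restrictions at once.
BAD_CONFIG = {
    "interfaces": {"GE1/0/1": "198.51.100.1/24", "GE1/0/7": "10.10.10.1/30"},
    "outgoing_interface": "GE1/0/1",
    "heartbeat_interface": "GE1/0/7",
    "hot_standby": True,
    "address_pools": [
        {"name": "pool-a", "mode": "pat", "start": "198.51.100.1", "end": "198.51.100.10"},
        {"name": "pool-b", "mode": "pat", "start": "203.0.113.1", "end": "203.0.113.20"},
    ],
    "nat_servers": [{"global": "203.0.113.5", "port": None, "inside": "192.168.1.10"}],
    "nat_policy_ips": ["10.10.10.1", "192.168.1.0"],
    "blackhole_routes": [],
}

# The same topology with each problem corrected.
GOOD_CONFIG = {
    "interfaces": {"GE1/0/1": "198.51.100.1/24", "GE1/0/7": "10.10.10.1/30"},
    "outgoing_interface": "GE1/0/1",
    "heartbeat_interface": "GE1/0/7",
    "hot_standby": True,
    "address_pools": [
        {"name": "pool-a", "mode": "pat", "start": "198.51.100.2", "end": "198.51.100.10"},
        {"name": "pool-b", "mode": "pat", "start": "203.0.113.1", "end": "203.0.113.20"},
    ],
    "nat_servers": [{"global": "203.0.113.5", "port": 443, "inside": "192.168.1.10"}],
    "nat_policy_ips": ["192.168.1.0"],
    "blackhole_routes": ["203.0.113.0/24"],
}

if __name__ == "__main__":
    for line in check_nat_config(BAD_CONFIG):
        print(line)
    print("good config findings:", check_nat_config(GOOD_CONFIG))
```

Running it on BAD_CONFIG reports one finding per violated restriction; GOOD_CONFIG, where the interface address is removed from pool-a, NAT Server gets a port, a black-hole route covers pool-b and the heartbeat address is no longer referenced, produces none.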
Copyright © Huawei Technologies Co., Ltd.