Sunday, February 24, 2008

SNAT and DNAT on same connection?

A small office network administrator asked me why both source NAT and destination NAT would be required on the same TCP/IP connection. My answer: it is not required in many deployments, but some deployments do require it. Read on... Let me first give a brief overview of source NAT and destination NAT.

In many deployments, 'source NAT' is used when the number of public IP addresses given by the ISP is smaller than the number of machines that require Internet connectivity. Many small office deployments in Asia and Latin America typically get only one dynamic public IP address; in a few cases, upon request, a few static public IP addresses are given for a fee. Source NAT in NAT routers is used together with NAPT (port translation) to provide Internet connectivity for many PCs with one or more public IP addresses. Source NAT is used for outbound connections, i.e. connections originated by internal PCs to resources in the public network (the Internet). In source NAT mode, the source IP address and port values are changed on client-to-server packets, and the destination IP address and port values are changed on server-to-client packets so that the packets reach the PC that initiated the connection.

Note that 'source NAT' does not mean that only the source IP and port values are changed in all packets. The terms 'source' and 'destination' in SNAT and DNAT refer to the translation points on the first packet of the connection, i.e. the client-to-server direction. The reverse translation happens on server-to-client packets: if the source IP is changed in client-to-server packets, then the destination IP is changed in the server-to-client packets of the same connection. The term 'source NAT' is still used to describe this kind of NAT.

Destination NAT is typically done for inbound connections. When an enterprise has many internal servers (providing services to users in the public network) and fewer public IP addresses than servers, destination NAT is required on the NAT routers. Say a small enterprise has two servers, one web server and one email server. If that enterprise has one public IP address, then all HTTP and SMTP/POP3 connections land on this IP address. The NAT router holding this public IP address must have a DNAT facility to redirect the traffic to the internal HTTP server and email server by changing the destination IP address, and possibly the port, on the incoming (client-to-server) packets.

SNAT and DNAT on the same connection: So far we have discussed that outbound connections from the enterprise use SNAT and inbound connections to the enterprise use DNAT. The SNAT+DNAT combination means that both the source and destination IP addresses of the packets are changed at the same time. SNAT+DNAT is typically required for inbound connections when the enterprise has more than one WAN connection, each serviced by a different NAT router. These NAT routers are assigned appropriate public IP addresses, or they get their IP addresses dynamically from the ISP via DHCP or PPP. If inbound connections undergo address translation on a router, it is imperative that the reverse traffic on the connection also go through the same router for reverse address translation. Inbound connections can land on any of the routers (depending on which public IP address the client used) and get redirected to the internal server. Internal servers are not intelligent enough to route the reply packets back to the appropriate router; typically they use the same default route for all outbound packets. In these cases, all reply packets go to one of the two routers, and this router may not be able to service connections that were redirected by the other router. To overcome this, the routers also need to apply SNAT on these inbound connections, which ensures that the reverse traffic from the servers goes to the right router.
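To make the three cases concrete (outbound SNAT with port translation from the first section, inbound DNAT, and the two-router case where DNAT alone breaks), here is a small toy model of a stateful NAT router. It is an added example written for this post, not code from any real router; every address, port and router name in it is a constructed sample value. The `inbound_scenario` function reproduces the failure described above: router A DNATs a connection to the web server, the server's default route points at router B, and B has no state for the flow, so the reply is dropped unless A also applied SNAT.

```python
"""Toy model of stateful NAT (constructed example, not a real router implementation).
All IP addresses, ports and router names below are made-up sample values."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def reply(self):
        """The packet a host sends back: addresses and ports swapped."""
        return Packet(self.dst_ip, self.dst_port, self.src_ip, self.src_port)


class NatRouter:
    """Translates the first packet of a flow, records the mapping, and applies
    the reverse translation to later packets of the same flow."""

    def __init__(self, name, public_ip, lan_ip, dnat_rules=None):
        self.name = name
        self.public_ip = public_ip
        self.lan_ip = lan_ip
        # (public_ip, public_port) -> (internal_server_ip, internal_port)
        self.dnat_rules = dnat_rules or {}
        # reverse map: 4-tuple expected on the reply packet -> original packet
        self.flows = {}
        self.next_port = 40000  # NAPT port pool (hypothetical starting value)

    def _alloc_port(self):
        port, self.next_port = self.next_port, self.next_port + 1
        return port

    def _remember(self, original, translated):
        # Key on the tuple the reply will carry: the translated packet, swapped.
        r = translated.reply()
        self.flows[(r.src_ip, r.src_port, r.dst_ip, r.dst_port)] = original

    def outbound(self, pkt):
        """Client->server packet leaving the LAN: source NAT plus port translation."""
        translated = replace(pkt, src_ip=self.public_ip, src_port=self._alloc_port())
        self._remember(pkt, translated)
        return translated

    def inbound(self, pkt, snat=False):
        """Client->server packet arriving from the Internet: destination NAT,
        optionally combined with source NAT to this router's own LAN address."""
        target = self.dnat_rules.get((pkt.dst_ip, pkt.dst_port))
        if target is None:
            return None  # no DNAT rule for this public address/port: drop
        translated = replace(pkt, dst_ip=target[0], dst_port=target[1])
        if snat:
            translated = replace(translated, src_ip=self.lan_ip, src_port=self._alloc_port())
        self._remember(pkt, translated)
        return translated

    def reverse(self, pkt):
        """Reply packet: undo the recorded translation. Returns None when this
        router holds no state for the flow (it cannot reverse-translate)."""
        original = self.flows.get((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
        return None if original is None else original.reply()


def route_reply_from_server(reply, routers, default_gw):
    """A LAN server replies to the packet's source address. An on-link address
    (a router's LAN IP) is delivered directly; anything else goes to the
    single default gateway, which is the behaviour the post describes."""
    for r in routers:
        if reply.dst_ip == r.lan_ip:
            return r
    return default_gw


def inbound_scenario(use_snat):
    """Internet client -> router A's public IP -> DNAT to the web server, whose
    default route points at router B. Returns the packet the client receives,
    or None if the reply was dropped."""
    web = ("192.168.1.10", 80)
    a = NatRouter("A", "198.51.100.1", "192.168.1.1", {("198.51.100.1", 80): web})
    b = NatRouter("B", "203.0.113.1", "192.168.1.2", {("203.0.113.1", 80): web})
    client = Packet("192.0.2.50", 51515, "198.51.100.1", 80)
    on_lan = a.inbound(client, snat=use_snat)
    server_reply = on_lan.reply()
    egress = route_reply_from_server(server_reply, [a, b], default_gw=b)
    return egress.reverse(server_reply)


def outbound_scenario():
    """Two LAN PCs reach the same Internet server through one public IP; replies
    are de-multiplexed back to the right PC by the translated source port."""
    a = NatRouter("A", "198.51.100.1", "192.168.1.1")
    pc1 = Packet("192.168.1.20", 33000, "192.0.2.80", 443)
    pc2 = Packet("192.168.1.21", 33000, "192.0.2.80", 443)  # same client port on purpose
    out1, out2 = a.outbound(pc1), a.outbound(pc2)
    return out1, out2, a.reverse(out1.reply()), a.reverse(out2.reply())


if __name__ == "__main__":
    print("DNAT only, reply via router B:", inbound_scenario(False))
    print("SNAT+DNAT, reply via router A:", inbound_scenario(True))
```

Running it shows `None` for the DNAT-only case (router B drops the reply because it never saw the first packet) and a correctly reverse-translated packet for SNAT+DNAT. One practical consequence of this fix that operators should keep in mind: with SNAT applied, the internal server sees the router's LAN address instead of the real client address in its connection logs, so client attribution has to come from the router's own translation records.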
