
There is a Static NAT rule that achieves the following.

(for the question, let's assume the WAN subnet has a subnet of 1.1.1.1/24)

Inbound traffic to the WAN interface on port X to 1.1.1.6 gets NAT'ted to LAN IP 192.168.0.1.

Now this isn't a 1-1 NAT rule, just a Static NAT for the inbound traffic. When return traffic is sent back to the client, does the firewall know to NAT traffic back to the client with the source IP of 1.1.1.6?

I'm assuming it has to? As TCP is a two-way protocol, if the client received traffic back on a different IP to the IP it sent the traffic to, it would drop it?

PnP

2 Answers

It depends on the type of NAT.

If it's many-to-one NAT, then that's correct. Outbound packets establish a record that is used to know what to do with inbound packets. This is the most common type of NAT and the type used in typical home networks.

If it's one-to-one NAT, then any inbound packet received that is addressed to 1.1.1.6 (in your example) would be NATted to 192.168.0.1.

David Schwartz
  • So even though there isn't an explicit outbound NAT rule, based on the inbound NAT, returning packets will have the source IP NAT'ted to 1.1.1.6? – PnP Jan 10 '16 at 23:29
  • In the case of one-to-one NAT, yes. If you have a small number of public IP addresses, you might use one in many-to-one for all your normal machines but use a few in one-to-one for machines that perform server functions. For those with one-to-one NAT and a dedicated public IP addresses, clients can initiate inbound connections just like when port forwarding is used -- it's like all ports are forwarded essentially. – David Schwartz Jan 10 '16 at 23:31
  • There is also permissive many-to-one NAT where packets that you might not expect to be forwarded are forwarded anyway. For example, if only one internal client is using a particular port, it might NAT every packet (regardless of source IP address) bound for that port to that client. (See [this answer](http://security.stackexchange.com/a/8773/4295) for more information.) – David Schwartz Jan 10 '16 at 23:32
  • OK - but in my original question, it's not a 1-1 NAT, just a static inbound NAT. So in this case, the return packets wouldn't have their source IP natted to 1.1.1.6, but to whatever outbound NAT rule exists (probably the default for all clients) – PnP Jan 10 '16 at 23:33
  • The return packets would have their source IP NATted to whatever the reflexive rule created by the outbound packet(s) said. With many-to-one NAT, outbound packets create/refresh temporary reflexive rules to permit the replies to be NATted to the correct destination. – David Schwartz Jan 11 '16 at 02:13

A static 1:1 NAT defines which inside address translates to which outside address, so there is nothing for the NAT router to figure out; it is already given to the router in the configuration. It merely has to translate the destination address on outside sourced packets, and the source address on inside sourced packets; a simple, static, table lookup.

It gets more complex when the NAT isn't static or 1:1. Then the NAT router needs to build tables on the fly, and create timeouts for the table entries.

Ron Maupin
  • The point is - this isn't a 1-1 NAT, but a static NAT, so based on the inbound NAT, will the returning packets source IP be natted to 1.1.1.6? – PnP Jan 10 '16 at 23:30
  • As I wrote, the NAT router will need to create tables on the fly and you will have either configured timeouts, or the router is using its default timeouts for when the table entry is cleared. Some will also monitor for when a TCP session is properly terminated, but still need timeouts for when one side or the other disappears with no notice. The table gets looked up the same way as with 1:1 NAT, but it just isn't pre-configured, and the entries will be cleared at some point. – Ron Maupin Jan 10 '16 at 23:36
  • I'm sorry but in the case of my comment, is that a yes or no? – PnP Jan 10 '16 at 23:39
  • Yes, because the inside host initiated the conversation, the NAT router will have created the NAT table entry. When the outside traffic comes into the router, the table entry will tell the router which inside host initiated the conversation, and it will reset the timeout counter, and the inside host replying will not have a new table entry created, but use the previous table entry that was created when it first contacted the outside host, in the process, resetting the timeout counter. – Ron Maupin Jan 10 '16 at 23:42
  • Traffic from external has hit the WAN interface on 1.1.1.6 and been NAT'ted to 192.168.0.1. This LAN device then sends a return packet, but there is no static NAT rule for traffic from 192.168.0.1 to be NAT'ted to 1.1.1.6. But does the firewall know to source NAT the traffic to 1.1.1.6 based on the original traffic flow. – PnP Jan 10 '16 at 23:46
  • The original traffic flow will have been originated from the inside. If there is not a 1:1 mapping, how does the NAT router know to send traffic from a particular outside address to a particular inside address? There has to be a NAT table entry, either statically configured (easy translation because it is pre-configured) or dynamic from the inside. – Ron Maupin Jan 10 '16 at 23:49
  • Let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/100324/discussion-between-pnp-and-ron-maupin). – PnP Jan 10 '16 at 23:51
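The mechanism both answers describe, as an added illustration that is not part of either answer or of any real firewall: a toy stateful NAT with the question's static inbound rule (1.1.1.6 to 192.168.0.1) plus a connection-tracking table. The first packet of a flow, whichever direction it comes from, creates a reflexive entry; the reply is translated from that entry, so the LAN host's answer leaves with source 1.1.1.6 even though no outbound rule names it. Port X is assumed to be 443, the masquerade address is assumed to be 1.1.1.1, the idle timeout is assumed to be 300 s, and the outside addresses are constructed.

```python
"""Toy stateful NAT: static inbound DNAT plus a conntrack table that
reverse-translates replies (constructed teaching example, not a real firewall)."""
from dataclasses import dataclass

WAN_IP = "1.1.1.1"                                   # assumed many-to-one (masquerade) address
DNAT_RULES = {("1.1.1.6", 443): ("192.168.0.1", 443)}  # the question's static rule, port X assumed 443
TIMEOUT = 300                                        # assumed idle lifetime of a conntrack entry (s)

@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class Conntrack:
    def __init__(self):
        # (src, sport, dst, dport) -> (translated 4-tuple, last_seen)
        self.table = {}

    def _lookup(self, pkt, now):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        entry = self.table.get(key)
        if entry and now - entry[1] <= TIMEOUT:
            self.table[key] = (entry[0], now)        # refresh the idle timer on every hit
            return entry[0]
        self.table.pop(key, None)                    # expired (or absent): forget it
        return None

    def _record(self, orig, translated, now):
        """Store the forward entry and the reflexive (reply-direction) entry."""
        o = (orig.src, orig.sport, orig.dst, orig.dport)
        self.table[o] = (translated, now)
        rev_key = (translated[2], translated[3], translated[0], translated[1])
        rev_val = (o[2], o[3], o[0], o[1])
        self.table[rev_key] = (rev_val, now)

    def inbound(self, pkt, now):
        """Packet arriving on the WAN side; None means dropped (no state, no rule)."""
        t = self._lookup(pkt, now)
        if t is None:
            if (pkt.dst, pkt.dport) not in DNAT_RULES:
                return None
            new_dst, new_dport = DNAT_RULES[(pkt.dst, pkt.dport)]
            t = (pkt.src, pkt.sport, new_dst, new_dport)
            self._record(pkt, t, now)
        return Packet(*t)

    def outbound(self, pkt, now):
        """Packet leaving the LAN side; replies use the reflexive entry, new flows masquerade."""
        t = self._lookup(pkt, now)
        if t is None:
            t = (WAN_IP, pkt.sport, pkt.dst, pkt.dport)  # simplified: no source-port remapping
            self._record(pkt, t, now)
        return Packet(*t)
```

The reply from 192.168.0.1 is rewritten to source 1.1.1.6 purely because the inbound DNAT created the reflexive entry; once that entry idles out, a stray reply to 1.1.1.1 with no matching rule is dropped rather than forwarded.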