
How NAT Overload (PAT) gets rid of source port ambiguity


NAT overload has saved us plenty of time by hiding all the inside addresses behind one (or more) common exposed ones, and this is really a great feature. But what happens when two inside hosts initiate a session from the same source port towards the same outside IP and destination port?

When the returning packet is addressed to the same inside global address, IOS could be stuck in an ambiguity situation, where it cannot discern between the two different original flows. To solve this, the NAT process changes the source port number within the "inside global" field, like:

R1#show ip nat translations
Pro Inside global       Inside local    Outside local       Outside global
tcp 192.168.1.1:1024    10.0.0.2:10     172.16.2.2:80       172.16.2.2:80
tcp 192.168.1.1:10      10.0.0.3:10     172.16.1.1:80       172.16.1.1:80

So the inside global for 10.0.0.2:10, originally 192.168.1.1:10, has been changed to 192.168.1.1:1024. The new dynamic port can be picked from three different ranges: 0-511, 512-1023, and 1024-65535. But in this example the two flows are going to different outside global addresses, so theoretically NAT should be able to distinguish the flows by looking at the outside global address as well. So let's say IOS could behave by considering the OG address and not changing the source port number on the IG, like:

R1#show ip nat translations
Pro Inside global       Inside local    Outside local       Outside global
tcp 192.168.1.1:10      10.0.0.2:10     172.16.2.2:80       172.16.2.2:80
tcp 192.168.1.1:10      10.0.0.3:10     172.16.1.1:80       172.16.1.1:80

We could run into a few scalability issues:

  • Potentially it could create more translation rows than needed (with a really badly behaved client OS). For instance, if a new flow appears with:

     tcp 192.168.1.1:?? 10.0.0.2:10 172.16.1.1:80 172.16.1.1:80

in this case NAT must change the source port number anyway, which it could have allocated previously.

  • Having one (or two) additional look-ups is not really helping with the overall CPU utilization (NAT is still a process-switched feature).
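To make the two behaviours concrete, here is an added example (not code from this post or from IOS): a small model of a PAT table that keys translations on the inside global port alone, as the post describes IOS doing, or optionally on the outside global address and port as well, as in the hypothetical variant. The search order over the three port ranges, and the choice to keep the original source port when it is free, are assumptions of this model.

```python
"""Simplified PAT (NAT overload) model: one inside global address shared by
many inside local hosts. Constructed for illustration; not IOS code."""
from typing import Dict, List, Optional, Tuple

# Ranges a replacement source port can come from (from the post);
# searching the ephemeral range first is an assumption of this model.
PORT_RANGES = [(1024, 65535), (512, 1023), (0, 511)]

Flow = Tuple[str, int, str, int]  # (inside local ip, src port, outside global ip, dst port)


class PatTable:
    def __init__(self, inside_global: str, key_on_destination: bool = False):
        self.inside_global = inside_global
        # False: key = inside global port only (behaviour described in the post).
        # True:  key = (inside global port, outside global ip, port), the hypothetical variant.
        self.key_on_destination = key_on_destination
        self.entries: Dict[tuple, Flow] = {}

    def _key(self, ig_port: int, flow: Flow) -> tuple:
        return (ig_port, flow[2], flow[3]) if self.key_on_destination else (ig_port,)

    def translate(self, flow: Flow) -> int:
        """Return the inside global port for an outbound flow, adding a row if needed."""
        for key, existing in self.entries.items():
            if existing == flow:
                return key[0]  # already translated: reuse the row
        if self._key(flow[1], flow) not in self.entries:
            port = flow[1]  # original source port is free: keep it
        else:  # collision: pick the first free port from the ranges
            port = next(p for lo, hi in PORT_RANGES for p in range(lo, hi + 1)
                        if self._key(p, flow) not in self.entries)
        self.entries[self._key(port, flow)] = flow
        return port

    def inbound(self, ig_port: int, og_ip: str, og_port: int) -> Optional[Tuple[str, int]]:
        """Map a returning packet (to inside global:ig_port) back to inside local ip:port."""
        key = (ig_port, og_ip, og_port) if self.key_on_destination else (ig_port,)
        flow = self.entries.get(key)
        return None if flow is None else (flow[0], flow[1])

    def rows(self) -> List[str]:
        """Render the table in the style of 'show ip nat translations'."""
        out = ["Pro Inside global       Inside local    Outside local       Outside global"]
        for key, (il, ilp, og, ogp) in self.entries.items():
            out.append(f"tcp {self.inside_global}:{key[0]:<7} {il}:{ilp:<7} "
                       f"{og}:{ogp:<11} {og}:{ogp}")
        return out
```

With the default keying, the second host sharing source port 10 gets 1024 and a returning packet to :1024 resolves to one host only; with destination keying both keep :10, but a third flow from 10.0.0.2:10 to 172.16.1.1:80 collides and is re-ported anyway, which is the extra row the post warns about.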

© 2018 Matteo Malvica. Illustrations by Sergio Kalisiak.