[fw-wiz] NAPT - NAT Port selection

Date: 08/20/04

    To: <firewall-wizards@honor.icsalabs.com>
    Date: Fri, 20 Aug 2004 09:05:37 +0530 (IST)

    NAPT devices allow access to internet by internal machines having
    private IP addresses using one or more public IP addresses.

    We are vendors of security devices and these have a NAPT feature,
    and we allow up to 63K TCP connections from internal machines at any
    time. The 63K limit comes from the number of unique source ports that can be
    assigned as NAT ports.

    Our customer, who is one of the small ISPs, wanted to use these devices. This
    ISP gives private IP addresses to their customers and, using NAPT, provides
    internet access to its customers. The ISP has a limited number of public IP
    addresses and it wants us to increase the number of TCP connections for each
    public IP address from 63K to a very high number.

    Internally, among developers, we discussed this issue and we came up with
    one suggestion - reuse of a NAT port in multiple sessions, as long as
    at least one of the 5 tuples is different - since the source IP is the same (public IP
    address), the destination IP or destination port has to be different.

    It means that, on the Internet side, it is possible to have the following:

     Source_IP  Destination_IP  Protocol  Source_Port  Destination_Port
                                TCP       2000         80
                                TCP       2000         80

    One of our Engineers points out that, port forwarders on the receiving end
     might be assuming that for a given source IP, source port would always
    be different. His point is that, if both and belong to
    same webhosting server and if a port-forwarder forwards traffic from
    these two IP addresses to the same internal server, then internal server
    might drop one connection.

    Some of us feel that this would be a very rare condition and, if it happens,
    port forwarders are intelligent enough to detect this and forward the
    connection to the next server and gracefully shut down the second connection.

    I solicit your feedback on this.
         - Is it good for a NAPT device to use the same NAT port for different
    sessions, if they are going to different destinations (based on
    Destination IP and Port)? Do you see any problems associated with
    this apart from the one mentioned above?
         - Any experiences?

    Thanks in advance

    firewall-wizards mailing list
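The following is an added illustration of the two allocation policies the post compares, written here as an example and not taken from the poster's product or from the list. It models a NAPT table that either keeps each NAT port unique per public IP (the classic 63K-style limit) or reuses a port whenever the full 5-tuple still differs, and it adds the receiving-side check the engineer's objection calls for: a port forwarder that DNATs several public addresses to one backend detects the two Internet-side flows that collapse onto the same 4-tuple, so it can send the second one elsewhere instead of letting the backend silently drop it. The `Napt`, `Flow` and `forwarder_collisions` names, the four-port pool, and all addresses are constructed for the example.

```python
from dataclasses import dataclass

# Constructed example: a tiny NAT port pool so exhaustion shows up quickly.
# (Real devices use roughly 63K ports; the Napt/Flow names are hypothetical.)
PORT_RANGE = range(2000, 2004)


@dataclass(frozen=True)
class Flow:
    """A 5-tuple as seen on one side of the NAPT device."""
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Napt:
    """NAPT table with two port-allocation policies:
    - per_public_ip: a NAT port is unique per public IP (classic, caps at the port range)
    - per_destination: a NAT port may be reused as long as the full 5-tuple differs
    """

    def __init__(self, public_ip, policy):
        if policy not in ("per_public_ip", "per_destination"):
            raise ValueError(policy)
        self.public_ip = public_ip
        self.policy = policy
        self.outside = {}  # translated 5-tuple -> inside 5-tuple
        self.inside = {}   # inside 5-tuple -> translated 5-tuple

    def _port_in_use(self, proto, port, dst_ip, dst_port):
        if self.policy == "per_public_ip":
            return any(x.proto == proto and x.src_port == port for x in self.outside)
        return Flow(proto, self.public_ip, port, dst_ip, dst_port) in self.outside

    def translate(self, flow):
        """Return the Internet-side 5-tuple for an inside flow, or None if no port is free."""
        if flow in self.inside:
            return self.inside[flow]
        for port in PORT_RANGE:
            if not self._port_in_use(flow.proto, port, flow.dst_ip, flow.dst_port):
                xlated = Flow(flow.proto, self.public_ip, port, flow.dst_ip, flow.dst_port)
                self.outside[xlated] = flow
                self.inside[flow] = xlated
                return xlated
        return None


def forwarder_collisions(backends, arriving):
    """Receiving-side check: a port forwarder DNATs several public addresses
    to one backend. Two Internet-side flows that differ only in destination IP
    collapse onto the same (proto, src_ip, src_port, backend, port) key after
    DNAT, so the backend would see one 4-tuple for two sessions. Returns the
    colliding (new, earlier) pairs so the forwarder can steer the new one elsewhere."""
    seen = {}
    collisions = []
    for f in arriving:
        key = (f.proto, f.src_ip, f.src_port, backends.get(f.dst_ip, f.dst_ip), f.dst_port)
        if key in seen:
            collisions.append((f, seen[key]))
        else:
            seen[key] = f
    return collisions


def _sample_clients():
    # Eight inside hosts: four talking to one web server, four to another (constructed addresses).
    dsts = ["203.0.113.10"] * 4 + ["203.0.113.20"] * 4
    return [Flow("TCP", f"10.0.0.{i}", 40000 + i, dst, 80)
            for i, dst in enumerate(dsts, start=1)]


def translated_count(policy):
    """How many of the eight sample flows get a NAT mapping under the given policy."""
    napt = Napt("198.51.100.1", policy)
    return sum(1 for f in _sample_clients() if napt.translate(f) is not None)


def demo_collisions():
    """Flows produced by the per_destination policy, as seen by a forwarder that
    sends both public web-server addresses to the same backend host."""
    napt = Napt("198.51.100.1", "per_destination")
    on_wire = [napt.translate(f) for f in _sample_clients()]
    backends = {"203.0.113.10": "192.168.5.5", "203.0.113.20": "192.168.5.5"}
    return forwarder_collisions(backends, on_wire)


if __name__ == "__main__":
    print("per_public_ip  :", translated_count("per_public_ip"), "of 8 flows translated")
    print("per_destination:", translated_count("per_destination"), "of 8 flows translated")
    for new, old in demo_collisions():
        print("collision after DNAT:", new, "vs", old)
```

With a four-port pool the classic policy translates only four of the eight flows while the per-destination policy translates all eight, which is the capacity gain the post is after; the same run then shows the cost: once both public web addresses are forwarded to one backend, each reused port produces a collision that the forwarder, not the backend, has to notice and resolve.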
