RE: [fw-wiz] NAPT - NAT Port selection

From: Bill Royds (broyds_at_rogers.com)
Date: 08/20/04

  • Next message: R. DuFresne: "RE: [fw-wiz] Issues opeing firewall for SSH/SecureFTP?" 
    To: <ravivsn@www.rocsys.com>, <firewall-wizards@honor.icsalabs.com>
Date: Fri, 20 Aug 2004 11:33:14 -0400

    If the destination IP address is different, a port forwarder on the receiving
    end has your problem in reverse. It needs to translate the destination port on
    one IP to a different port on the actual web server. As long as the combination
    source_IP:Source_Port,Destination_IP:Destination_Port is unique, then you have a
    unique TCP (or UDP) connection.
    So (from your example)
    Source_IP Destination_IP Protocol Source_Port Destination_Port
     66.10.5.10 70.1.2.5 TCP 2000 80
     66.10.5.10 70.1.5.6 TCP 2000 80
    A port forwarding load balance on destination IP 70.1.2.5 and destination
    70.1.2.6 could translate incoming traffic by changing your source ports as it
    goes through their load balancer's NAT. Internally their servers would see

    Source_IP Destination_IP Protocol Source_Port Destination_Port
     66.10.5.10 192.168.20.5 TCP 32001 80
     66.10.5.10 192.168.20.5 TCP 32002 80

    Which leaves the sockets still unique. Their load balancer has the
    responsibility of ensuring uniqueness within their internal network, not you.

    The limit of 64K is for source ports per sourceaddress:destination IP:port
    triplet, not just per source address. How do you think AOL supports millions of
    customers on a fairly limited IP source address space?

    -----Original Message-----
    From: firewall-wizards-admin@honor.icsalabs.com
    [mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf Of
    ravivsn@www.rocsys.com
    Sent: Thursday, August 19, 2004 11:36 PM
    To: firewall-wizards@honor.icsalabs.com
    Cc: ravivsn@rocsys.com
    Subject: [fw-wiz] NAPT - NAT Port selection

    Hi,
    NAPT devices allow access to internet by internal machines having
    private IP addresses using one or more public IP addresses.

    We are vendors of security devices and these have NAPT feature
    and we allow upto 63K TCP connections from internal machines at any
    time. 63K limit comes from number of unique source ports that can be
    assigned as NAT ports.

    Our customer, who is one of small ISPs, wanted to use these devices. This
    ISP gives private IP addresses to their customers and using NAPT provides
    internet access to its customers. The ISP has limited number of public IP
    addresses and it wants us to increase the number of TCP connection for each
    public IP address to go from 63K to very high number.

    Internally, among developers, we discussed this issue and we came out with
    one suggestion - Reusage of NAT port in multiple sessions, as long as
    atleast one of 5 tuples is different - Since source IP is same (public IP
    address), destination IP or destination port has to be different.

    It means that, on the Internet side, it is possible to have following
    (example):
     Source_IP Destination_IP Protocol Source_Port Destination_Port
     66.10.5.10 70.1.2.5 TCP 2000 80
     66.10.5.10 70.1.5.6 TCP 2000 80

    One of our Engineers points out that, port forwarders on the receiving end
     might be assuming that for a given source IP, source port would always
    be different. His point is that, if both 70.1.2.5 and 70.1.5.6 belong to
    same webhosting server and if a port-forwarder forwards traffic from
    these two IP addresses to the same internal server, then internal server
    might drop one connection.

    Some of us feel that, this would be very rare condition and if it happens,
    port forwarders are intelligent enough detect this and forward the
    connection to next server and gracefullty shutdown second connection.

    I solicit your feedback on this.
         - Is it good for NAPT device to use same NAT port for different
    sessions, if they are going to different destination (based on
    Destination IP and Port)? Do you see any problems associated with
    this apart one mentioned above?
         - Any experiences?

    Thanks in advance
    Ravi

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

  • Next message: R. DuFresne: "RE: [fw-wiz] Issues opeing firewall for SSH/SecureFTP?"

    Relevant Pages

    • Re: [Firewalls] Checkpoint FW-1 - Static NAT
      ... These services perform port mapping. ... destination port and IP address of a connection can be changed. ... After installing the new policy on the target Firewall Module, ... One to the internet, and the other to ...
      (comp.security.firewalls)
    • Re: Problem sending E-mail to 1 server
      ... If I try the same thing (telnet to port ... Source IP: 64.208.166.12, Destination IP: 66.133.129.70 ... PROTOCOL: ICMP ... Header checksum: 0xEE82 ...
      (microsoft.public.exchange.admin)
    • Re: Win2K, IPsec, and allowing outbound HTTP/FTP traffic
      ... I have set up several ipsec filter policies that worked. ... outbound to internet web servers if you want to access the internet from it. ... A mirrored inbound port 80 alone would not allow you to access the internet, ... > Destination address: My IP Address ...
      (microsoft.public.win2000.security)
    • Re: windows explorer
      ... It is trying to access remote port 1027 and local port ... No destination IP address or host name are listed. ... >> Ever since I began cable-modem internet access I get a ...
      (microsoft.public.security)
    • LAG - Which algorithm?
      ... I am new at using LAG and would like your opinion on which algorithm ... Destination IP Address ... the port is selected based on a hash of the ... destination IP address uses the same port in the link aggregation ...
      (Tru64-UNIX-Managers)