H3C SecPath Security Products FAQ(V7)-6W100


05-NAT FAQ

NAT FAQ

Q.     What should I pay attention to when configuring static NAT444?

A.     The device does not answer ARP requests for the public IP addresses used by static NAT444. Therefore, if the NAT444 address group is on the same subnet as the output interface IP address, configure a route on the peer device: the route destination is the translated (public) address and the next hop is the output interface IP address.

Q.     When I configure the public address of the NAT Server as a loopback interface address, what are the configuration restrictions and guidelines?

A.     Configure a forward route on the last-hop device: the route destination is the loopback interface address and the next hop is the IP address of the input interface on the NAT device.

Q.     What are the principles for NAT port allocation?

A.     NAT port allocation varies by protocol type and original port number.

For TCP or UDP, if the original port number is in the range of 1 to 1023, the port number after translation is also in the range of 1 to 1023. If the original port number is equal to or greater than 1024, the port number after translation is also equal to or greater than 1024.
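The range-preserving rule above, worked through in code. This is an added example, not H3C code: keying bindings by (protocol, private IP, private port) and preferring the original port when it is free are assumptions of the example, not behaviour the FAQ describes.

```python
"""Range-preserving NAT port allocator (added example, not H3C code).

Models the allocation rule stated in this FAQ: a source port in 1-1023 is
translated to a port in 1-1023, and a source port of 1024 or higher is
translated to a port of 1024 or higher. Keying bindings by (protocol,
private IP, private port) and preferring the original port when it is free
are assumptions of this example, not behaviour the FAQ describes.
"""
import itertools
from dataclasses import dataclass, field

WELL_KNOWN = range(1, 1024)            # 1-1023
HIGH_PORTS = range(1024, 65536)        # 1024-65535


def pool_for(port: int) -> range:
    """Return the range a translated port must stay in for this original port."""
    if not 1 <= port <= 65535:
        raise ValueError(f"invalid port {port}")
    return WELL_KNOWN if port in WELL_KNOWN else HIGH_PORTS


def same_range(original: int, translated: int) -> bool:
    """Check a translation against the rule: both ports fall in the same range."""
    return translated in pool_for(original)


@dataclass
class PatAllocator:
    """Allocates translated ports for one public IP address, per protocol."""
    used: dict = field(default_factory=dict)      # proto -> set of public ports in use
    bindings: dict = field(default_factory=dict)  # (proto, priv_ip, priv_port) -> public port

    def allocate(self, proto: str, private_ip: str, private_port: int) -> int:
        key = (proto, private_ip, private_port)
        if key in self.bindings:           # an existing session keeps its port
            return self.bindings[key]
        pool = pool_for(private_port)
        used = self.used.setdefault(proto, set())
        # Try the original port first (assumption), then walk the same range only.
        for candidate in itertools.chain((private_port,), pool):
            if candidate not in used:
                used.add(candidate)
                self.bindings[key] = candidate
                return candidate
        raise RuntimeError(f"{proto} pool {pool.start}-{pool.stop - 1} exhausted")

    def release(self, proto: str, private_ip: str, private_port: int) -> None:
        """Free the public port held by one binding so it can be reused."""
        public_port = self.bindings.pop((proto, private_ip, private_port))
        self.used[proto].discard(public_port)


if __name__ == "__main__":
    alloc = PatAllocator()
    for host, port in (("10.0.0.5", 80), ("10.0.0.6", 80), ("10.0.0.5", 40000)):
        public = alloc.allocate("tcp", host, port)
        print(f"{host}:{port} -> {public} (same range: {same_range(port, public)})")
```

Because the well-known pool has only 1023 ports per protocol, many inside hosts sourcing from ports below 1024 through one public address exhaust it long before the high pool; the allocator raises rather than crossing into the other range.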

Q.     When testing NAT ALG for FTP, under what circumstances will the device look up the relation table for a match to translate the address in the packet payload when FTP operates in active mode?

A.     The device looks up the relation table for a match to translate the address in the packet payload when the following conditions are met:

·     The output interface on the device is connected to the FTP server.

·     The FTP server resides on the external network.

·     You configure outbound NAT on the output interface of the device.

This is because, in active mode, the first packet on the data channel is sent by the FTP server.

Q.     When testing NAT ALG for FTP, under what circumstances will the device look up the relation table for a match to translate the address in the packet payload when FTP operates in passive mode?

A.     The device looks up the relation table for a match to translate the address in the packet payload when the following conditions are met:

·     The FTP server resides on the internal network.

·     You configure NAT Server on the input interface of the device.

This is because, in passive mode, the first packet on the data channel is sent by the FTP client.

Q.     Can NAT ALG process fragmented packets?

A.     No. NAT ALG parses the packet payload according to the protocol type and then translates the address or port information carried in the payload. A non-first fragment does not carry the part of the payload that ALG must parse, so non-first fragments are not processed by ALG.

If the packet to be processed by ALG is a first fragment, ALG processing fails when the payload content it must parse has been truncated by fragmentation.
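The two FTP ALG answers and the fragmentation answer above describe one mechanism: the ALG parses the control-channel payload, rewrites the embedded address, and records a relation-table (expectation) entry so that the first data-channel packet, whichever side sends it, can be matched and mapped back. The following is an added example that is not H3C's code. The PORT and 227 message formats follow RFC 959; the addresses are constructed samples, and the choice to keep the original port when no translated port is supplied (as for a one-to-one NAT Server mapping) is an assumption of the example.

```python
"""FTP ALG payload rewrite and relation-table lookup (added example, not H3C code).

The ALG parses an FTP control message, translates the address/port embedded
in it, and records the data connection it expects next. In active mode the
inside client's PORT command is rewritten; in passive mode the inside
server's 227 reply is rewritten. Either way the outside peer then connects
to the translated address, and the relation table maps that first packet
back to the original one. A PORT/227 message whose payload was cut short
(e.g. a first fragment truncated by fragmentation) cannot be resolved.
"""
import re
from typing import List, NamedTuple, Optional, Tuple

# RFC 959 address form: h1,h2,h3,h4,p1,p2 with port = p1*256 + p2
_PORT_CMD = re.compile(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n")
_PASV_REPLY = re.compile(r"(227 [^(]*\()(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)(\)[^\r\n]*\r\n)")


class Expectation(NamedTuple):
    """Relation-table entry: the data connection the ALG expects to see next."""
    proto: str
    expect_dst_ip: str     # translated address the peer will connect to
    expect_dst_port: int
    map_to_ip: str         # original address to restore on that first packet
    map_to_port: int


class AlgResult(NamedTuple):
    payload: bytes                      # control-channel payload after rewrite
    expectation: Optional[Expectation]  # None when the message carries no address


def _decode(h1, h2, h3, h4, p1, p2) -> Tuple[str, int]:
    return f"{h1}.{h2}.{h3}.{h4}", int(p1) * 256 + int(p2)


def _encode(ip: str, port: int) -> str:
    return ip.replace(".", ",") + f",{port // 256},{port % 256}"


def ftp_alg(payload: bytes, translated_ip: str,
            translated_port: Optional[int] = None) -> Optional[AlgResult]:
    """Rewrite one control message; return None if it cannot be resolved."""
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return None
    m = _PORT_CMD.fullmatch(text)
    if m:  # active mode: client tells the server where to connect
        orig_ip, orig_port = _decode(*m.groups())
        new_port = orig_port if translated_port is None else translated_port
        new_text = f"PORT {_encode(translated_ip, new_port)}\r\n"
        return AlgResult(new_text.encode(),
                         Expectation("tcp", translated_ip, new_port, orig_ip, orig_port))
    m = _PASV_REPLY.fullmatch(text)
    if m:  # passive mode: server tells the client where to connect
        prefix, *addr, suffix = m.groups()
        orig_ip, orig_port = _decode(*addr)
        new_port = orig_port if translated_port is None else translated_port
        new_text = f"{prefix}{_encode(translated_ip, new_port)}{suffix}"
        return AlgResult(new_text.encode(),
                         Expectation("tcp", translated_ip, new_port, orig_ip, orig_port))
    if text.startswith(("PORT ", "227 ")):
        # Address-bearing message that does not parse: the payload the ALG
        # needs is incomplete (e.g. truncated by fragmentation), so ALG fails.
        return None
    return AlgResult(payload, None)  # other control messages pass through unchanged


def match_relation(table: List[Expectation], proto: str,
                   dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
    """Look up the first data-channel packet in the relation table."""
    for e in table:
        if (e.proto, e.expect_dst_ip, e.expect_dst_port) == (proto, dst_ip, dst_port):
            return e.map_to_ip, e.map_to_port
    return None


if __name__ == "__main__":
    # Constructed samples: inside client 10.0.0.5 behind outbound NAT 203.0.113.10,
    # inside server 192.168.1.20 published by NAT Server as 203.0.113.20.
    active = ftp_alg(b"PORT 10,0,0,5,195,80\r\n", "203.0.113.10", 60000)
    passive = ftp_alg(b"227 Entering Passive Mode (192,168,1,20,156,64)\r\n", "203.0.113.20")
    table = [active.expectation, passive.expectation]
    print(active.payload, match_relation(table, "tcp", "203.0.113.10", 60000))
    print(passive.payload, match_relation(table, "tcp", "203.0.113.20", 40000))
    print("truncated PORT:", ftp_alg(b"PORT 10,0,0,5,195", "203.0.113.10", 60000))
```

The expectation is keyed on the translated destination because that is the address the outside peer actually dials; without the entry, the first data packet has no matching session and is dropped, which is the symptom seen when ALG is not applied on the interface the first packet arrives on.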

Q.     Does the outbound NAT configuration take effect on local packets?

A.     No. Outbound NAT does not translate packets generated by the device itself. The IP addresses of the device's own interfaces are already disclosed to the public through ARP requests, so there is no need to hide them.

Q.     How do I verify that dynamic NAT444 distributes traffic to security engines based on the source IP address?

A.     Display the dynamic port-block mappings and compare the total with the number of users. The command output contains one Total mappings found line per security engine. In the output below the counts add up to 1999 (1000 + 999), which equals the number of users, so each user holds exactly one port-block mapping and its traffic is handled by a single security engine.

<Device> display nat port-block dynamic | in "Total mappings found:"
Total mappings found: 0
Total mappings found: 0
Total mappings found: 0
Total mappings found: 0
Total mappings found: 0
Total mappings found: 0
Total mappings found: 0
Total mappings found: 0
Total mappings found: 0
Total mappings found: 0
Total mappings found: 0
Total mappings found: 0
Total mappings found: 0
Total mappings found: 0
Total mappings found: 1000
Total mappings found: 0
Total mappings found: 999
Total mappings found: 0
Total mappings found: 0
Total mappings found: 0
Total mappings found: 0
Total mappings found: 0
Total mappings found: 0
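The check described in this answer, scripted so it can be run over saved command output. This is an added example, not H3C code. It assumes, as the answer does, that the command prints one Total mappings found line per security engine; the sample output is constructed to mirror the 1000 + 999 case above.

```python
"""Check dynamic NAT444 mapping distribution from display output.

Added example, not H3C code. Parses the "Total mappings found: N" lines
printed by 'display nat port-block dynamic | in "Total mappings found:"'
and sums them, on the assumption that one such line is printed per
security engine. The sample output is constructed to mirror the FAQ's case
of 1000 + 999 mappings for 1999 users.
"""
import re
from typing import List, NamedTuple

_MAPPINGS_RE = re.compile(r"Total mappings found:\s*(\d+)")


class MappingSummary(NamedTuple):
    per_engine: List[int]    # count on each engine, in output order
    total: int               # mappings across all engines
    busy_engines: List[int]  # 0-based positions of engines that hold mappings


def summarize_mappings(output: str) -> MappingSummary:
    """Extract every per-engine count from the command output and total them."""
    counts = [int(n) for n in _MAPPINGS_RE.findall(output)]
    return MappingSummary(counts, sum(counts), [i for i, c in enumerate(counts) if c])


def mappings_match_users(output: str, user_count: int) -> bool:
    """True when the mapping total equals the user count, i.e. every user holds
    exactly one dynamic port block, which is what per-source-IP distribution
    across security engines produces."""
    return summarize_mappings(output).total == user_count


# Constructed sample: 23 engines, two of which hold the 1999 mappings.
_LINES = ["Total mappings found: 0"] * 23
_LINES[14] = "Total mappings found: 1000"
_LINES[16] = "Total mappings found: 999"
SAMPLE_OUTPUT = "\n".join(_LINES) + "\n"

if __name__ == "__main__":
    summary = summarize_mappings(SAMPLE_OUTPUT)
    print(f"engines={len(summary.per_engine)} total={summary.total} "
          f"busy_engines={summary.busy_engines}")
    print("matches 1999 users:", mappings_match_users(SAMPLE_OUTPUT, 1999))
```

A total that exceeds the user count means some users hold port blocks on more than one engine, which is the condition this check is meant to expose.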
