9.3. Behaviors

9.3.1. Mapping Behavior

digraph {
    bgcolor="transparent";
    node [shape=box, color="#000000", fontcolor="#000000"];
    edge [color="#000000", fontcolor="#000000"];
    rankdir = LR;
    nodesep = 0.5;

    Subscriber -> NAT [taillabel = "X:x" labeldistance = 2 minlen = 2];
    NAT -> "Server 1" [taillabel = "X1:x1" headlabel = "Y1:y1" labelangle = 30 labeldistance = 3 minlen = 3];
    NAT -> "Server 2" [taillabel = "X2:x2" headlabel = "Y2:y2" labelangle = -30 labeldistance = 3 minlen = 3];
}

When a subscriber initiates a connection from a private IP address and port X:x to some server Y1:y1, NAT allocates a public IP address and port for that connection, for example, X1:x1. Mapping mode controls whether NAT reuses this public IP address and port for subsequent connections from the same private IP address and port X:x, for example, a connection to server Y2:y2.

There are three possible mapping modes defined in RFC 4787:

Endpoint-Independent

NAT always uses the same public IP address and port for all connections initiated from the same private IP address and port, whatever the destination. According to the figure above, X1:x1 always equals X2:x2.

Address-Dependent

NAT reuses the public IP address and port for connections initiated from the same private IP address and port only when they go to the same destination IP address; the destination port does not matter. According to the figure above, X1:x1 equals X2:x2 if and only if Y2 equals Y1.

Address-and-Port-Dependent

NAT allocates a separate public IP address and port for every distinct destination IP address and port. According to the figure above, X1:x1 equals X2:x2 only when Y2:y2 equals Y1:y1, that is, when both packets belong to the same connection.

RFC 4787 REQ-1 requires Endpoint-Independent Mapping, so NAT works only in this mode; the mapping behavior is not configurable. This is also what makes the public endpoint X1:x1 stable enough for a subscriber to learn it (for example via STUN) and hand it to other peers; whether those peers can then reach it is governed by the filtering behavior described next.

9.3.2. Filtering Behavior

digraph {
    bgcolor="transparent";
    node [shape=box, color="#000000", fontcolor="#000000"];
    edge [color="#000000", fontcolor="#000000"];
    rankdir = LR;
    nodesep = 0.5;

    Subscriber -> NAT [taillabel = "X:x" labeldistance = 2 minlen = 2];
    NAT -> "Server 1" [taillabel = "X1:x1" headlabel = "Y1:y1" labelangle = 30 labeldistance = 3 minlen = 3];
    "Server 2" -> NAT  [taillabel = "Y2:y2" labelangle = -30 labeldistance = 3 minlen = 3];

    subgraph {
        rank=same;
        "Server 1";
        "Server 2";
    }
}

When a subscriber initiates a connection from a private IP address and port X:x to some server Y1:y1, NAT allocates a public IP address and port for that connection, for example, X1:x1. Filtering mode controls which inbound packets NAT accepts on the allocated public IP address and port, for example, a connection coming from server Y2:y2 to X1:x1.

There are three possible filtering modes defined in RFC 4787:

Endpoint-Independent

NAT allows inbound connections to the allocated public IP address and port from any external IP address and port. According to the figure above, NAT allows all connections coming to X1:x1.

Address-Dependent

NAT allows inbound connections to the allocated public IP address and port only from external IP addresses to which the subscriber has already sent packets from X:x, regardless of the external port. According to the figure above, NAT allows connections from Y2:y2 to X1:x1 only when Y2 equals Y1.

Address-and-Port-Dependent

NAT allows inbound connections to the allocated public IP address and port only from the exact external IP address and port to which the subscriber has already sent packets from X:x, so no new inbound connection is ever accepted. According to the figure above, NAT allows connections from Y2:y2 to X1:x1 only when Y2:y2 equals Y1:y1, meaning it is an existing connection.

According to REQ-8 of RFC 4787, NAT supports all three filtering modes. The default mode is Endpoint-Independent, which RFC 4787 recommends when application transparency matters most: a subscriber that has learned its public endpoint X1:x1 can be reached on it by any peer. The same property means that any host on the Internet that learns or guesses X1:x1 can send traffic to the subscriber for as long as the mapping exists. Address-Dependent is the mode RFC 4787 recommends when stricter filtering matters more than transparency, and Address-and-Port-Dependent is the most restrictive. To configure a different mode, use the following command:

<nat|nat64> filtering <endpoint-independent|address-dependent|address-and-port-dependent> [vrf NAME]

9.3.3. Hairpinning Behavior

digraph {
    bgcolor="transparent";
    node [shape=box, color="#000000", fontcolor="#000000"];
    edge [color="#000000", fontcolor="#000000"];
    rankdir = LR;

    "Subscriber 1" -> NAT [taillabel = "X:x" labelangle = 30 labeldistance = 3 minlen = 3];
    NAT:e -> NAT:e [taillabel = "X1:x1" headlabel = "Y1:y1" labelangle = 0 labeldistance = 4];
    NAT -> "Subscriber 2" [headlabel = "Y:y" labelangle = 30 labeldistance = 3 minlen = 3];

    subgraph {
        rank=same;
        "Subscriber 1";
        "Subscriber 2";
    }
}

Imagine there are two subscribers X and Y behind the same NAT. The second subscriber Y has a public IP address and port Y1:y1 allocated by the NAT. Now the first subscriber X tries to connect to this public IP address and port. When NAT receives the connection, it has to determine that Y1:y1 belongs to the second subscriber and relay the traffic back to the internal side. This behavior is called hairpinning. As the figure above shows, the relayed traffic carries the first subscriber's translated public address X1:x1 as its source, not the private X:x; this is the "External source IP address and port" hairpinning behavior that RFC 4787 REQ-9 requires.

According to REQ-9 of RFC 4787, NAT supports hairpinning. However, it is disabled by default, and subscribers' traffic to the public IP addresses of the NAT is silently dropped, so two subscribers behind the same NAT cannot reach each other through their public mappings. Enabling it makes those mappings reachable from other subscribers as well, so decide on it together with the configured filtering behavior. To enable hairpinning, use the following command:

<nat|nat64> service hairpinning enable [vrf NAME]
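The three mapping behaviors, the three filtering behaviors and hairpinning described in this section, worked through in code. This is an added example, not code from the original page or from the NAT product it documents: the Nat class, the demo functions and all addresses (a public address 203.0.113.1, subscribers 10.0.0.2 and 10.0.0.3, servers in 198.51.100.0/24) are constructed for illustration. The mode names are the ones the filtering command above accepts. The model goes slightly beyond the page in two places: it lets the mapping behavior be set to any of the three values, so the difference that REQ-1 rules out can be seen, and it assumes that hairpinned traffic passes the same filtering check as traffic arriving from the Internet.

```python
"""Toy model of the RFC 4787 mapping, filtering and hairpinning behaviors.
Added example; the Nat class and every address below are constructed for
illustration and nothing here talks to a real NAT."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

Endpoint = Tuple[str, int]  # (IP address, port), e.g. X:x or Y1:y1 in the figures
MODES = ("endpoint-independent", "address-dependent", "address-and-port-dependent")

# Constructed sample endpoints matching the figures (RFC 1918 / RFC 5737 ranges).
X = ("10.0.0.2", 5000)                   # Subscriber 1, private side X:x
Y = ("10.0.0.3", 6000)                   # Subscriber 2, private side Y:y
Y1 = ("198.51.100.10", 53)               # Server 1, Y1:y1
Y1_OTHER_PORT = ("198.51.100.10", 5060)  # Server 1, same address, different port
Y2 = ("198.51.100.20", 53)               # Server 2, Y2:y2


@dataclass
class Nat:
    public_ip: str
    mapping: str = "endpoint-independent"    # REQ-1 permits only this; others kept for comparison
    filtering: str = "endpoint-independent"  # REQ-8: any of MODES, configurable
    hairpinning: bool = False                # disabled by default, as on the page
    next_port: int = 1024
    # mapping key (what the mapping mode looks at) -> allocated public endpoint X1:x1
    mappings: Dict[tuple, Endpoint] = field(default_factory=dict)
    # public endpoint -> (internal endpoint, external endpoints it has sent to)
    bindings: Dict[Endpoint, Tuple[Endpoint, Set[Endpoint]]] = field(default_factory=dict)

    def _key(self, src: Endpoint, dst: Endpoint) -> tuple:
        """What a mapping lookup depends on, per mapping behavior."""
        if self.mapping == "endpoint-independent":
            return (src,)          # X:x only
        if self.mapping == "address-dependent":
            return (src, dst[0])   # X:x plus destination address Y
        return (src, dst)          # X:x plus destination Y:y

    def outbound(self, src: Endpoint, dst: Endpoint) -> Endpoint:
        """Subscriber packet src -> dst; returns the public endpoint X1:x1 it leaves with."""
        key = self._key(src, dst)
        pub = self.mappings.get(key)
        if pub is None:
            pub = (self.public_ip, self.next_port)
            self.next_port += 1
            self.mappings[key] = pub
            self.bindings[pub] = (src, set())
        self.bindings[pub][1].add(dst)  # remember the peer for later filtering decisions
        return pub

    def inbound(self, src: Endpoint, dst: Endpoint) -> Optional[Endpoint]:
        """Packet src -> public endpoint dst; returns the internal endpoint it is
        delivered to, or None when the filter drops it."""
        if dst not in self.bindings:
            return None            # no mapping at all: always dropped
        internal, peers = self.bindings[dst]
        if self.filtering == "endpoint-independent":
            return internal        # anyone may send to X1:x1
        if self.filtering == "address-dependent":
            return internal if any(p[0] == src[0] for p in peers) else None
        return internal if src in peers else None

    def hairpin(self, src: Endpoint, dst: Endpoint) -> Optional[Endpoint]:
        """Subscriber packet src -> a public endpoint dst that belongs to this same NAT."""
        if not self.hairpinning:
            return None            # silently dropped when disabled, as on the page
        pub = self.outbound(src, dst)  # translated first: the receiver sees X1:x1 (REQ-9 a)
        # Assumption of this model: the looped-back packet then faces the same
        # filtering decision as a packet arriving from the Internet.
        return self.inbound(pub, dst)


def mapping_demo(mode: str) -> Tuple[bool, bool]:
    """After X:x -> Y1:y1, is X1:x1 reused for (Y1, other port) and for Y2:y2?"""
    nat = Nat("203.0.113.1", mapping=mode)
    x1 = nat.outbound(X, Y1)
    return (nat.outbound(X, Y1_OTHER_PORT) == x1, nat.outbound(X, Y2) == x1)


def filtering_demo(mode: str) -> Tuple[bool, bool, bool]:
    """After X:x -> Y1:y1 only, which of Y1:y1, (Y1, other port), Y2:y2 reach X:x?"""
    nat = Nat("203.0.113.1", filtering=mode)
    x1 = nat.outbound(X, Y1)
    return (nat.inbound(Y1, x1) == X,
            nat.inbound(Y1_OTHER_PORT, x1) == X,
            nat.inbound(Y2, x1) == X)


def hairpin_demo(enabled: bool) -> Optional[Endpoint]:
    """Subscriber 2 (Y:y) gets a public endpoint; Subscriber 1 (X:x) then sends to it."""
    nat = Nat("203.0.113.1", hairpinning=enabled)
    pub_y = nat.outbound(Y, Y1)   # Y1:y1 of the hairpinning figure
    return nat.hairpin(X, pub_y)  # delivered to Y:y, or None


if __name__ == "__main__":
    for mode in MODES:
        print(f"{mode:28s} mapping {mapping_demo(mode)} filtering {filtering_demo(mode)}")
    print("hairpinning off:", hairpin_demo(False), " on:", hairpin_demo(True))
```

Running the block prints, for each mode, whether X1:x1 is reused for Server 1 on another port and for Server 2, and which of the three inbound sources reach X:x after the subscriber has only talked to Y1:y1. Only Endpoint-Independent Mapping gives (True, True), which is why REQ-1 mandates it; on the filtering side, Endpoint-Independent lets all three sources through, Address-Dependent admits Server 1 on any port but not Server 2, and Address-and-Port-Dependent admits only Y1:y1 itself. With hairpinning off the looped connection returns None; with it on, it is delivered to Y:y.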