NAT question

  • #4866
    hoowaycn
    Participant

      When I replace the Client(IP, PORT) of the inner packet with the NAT External(ip, port), what port number should I use for the NAT external? The same as the Client Port or a new one? Must it be a free number that no one uses? How do I generate this port number?

      PS: where can I get the code of Checksum Calculation?

      #5603
      Vadim Smirnov
      Keymaster

        When I replace the Client(IP, PORT) of the inner packet with the NAT External(ip, port), what port number should I use for the NAT external? The same as the Client Port or a new one? Must it be a free number that no one uses? How do I generate this port number?

        When you substitute the inner source IP with the external one but don’t substitute the inner port, this is called static NAT. When you substitute the inner source port in addition to the IP, this is called dynamic NAT. You can use any free port number (for example, just take some rarely used port range like 10000-64000 and allocate ports from there).

        PS: where can I get the code of Checksum Calculation?

        That depends on the programming environment you use; for example, some C and Delphi code is available on this board.

        #5604
        hoowaycn
        Participant

          You can use any free port number (for example, just take some rarely used port range like 10000-64000 and allocate ports from there).

          So what if some application uses this port number on the NAT computer? Are there any conflicts if the same port number is used (by some application on the NAT computer)?

          Another question: how to get binding IP address for each interface adapter, and how to get windows route table?

          Thanks a lot

          #5605
          Vadim Smirnov
          Keymaster

            So what if some application uses this port number on the NAT computer? Are there any conflicts if the same port number is used (by some application on the NAT computer)?

            The conflict is possible; you will just bypass those applications (they may not work properly with your NAT application, but it won’t cause any problems for NAT). However, you can just reserve the required port range with your own application.

            Another question: how to get binding IP address for each interface adapter, and how to get windows route table?

            IP Helper API

            #5606
            Wyatt
            Participant

              I may be able to help you out with the NAT port issue, for clarification. For any connection from your host to an external server, your source port number will be something above 1024 and it does not matter what that number is. The only port number that is involved in determining what service is talking is the destination port. For example, if you want to use Internet Explorer to connect to http://www.cowdance.com (one of my favorites), your original packet sent to http://www.cowdance.com will have a destination port of 80 and a source port number over 1024, say 1025 for example. So, getting back to the question, there is some value added in changing the source port numbers during NAT. It helps hide your internal computer(s), but most users don’t need to do that. I wouldn’t bother changing the source port unless there was a particular reason to be sneaky about your internal network. Also, you don’t have to worry about it breaking connections as long as your “state” table translation is working.

              #5607
              Vadim Smirnov
              Keymaster

                IMHO, in theory (hardly likely that it will ever happen in real life) it is possible that an application running on the NAT system accesses the same IP/port as another application running behind the NAT, and the same source port is used in the NAT table and for the local application running on the NAT system. In this case it is not possible to distinguish whether the packet should be NAT’ed or not. But even in this rare case you can still use the sequence and acknowledgement fields in the TCP header to determine whether the NAT should be applied (it will work for TCP connections only).

                #5608
                Wyatt
                Participant

                  I should be working instead of following this thread, but.. Right on SerpentFly, and there is another way to prevent that rare situation where source/destination ip addresses and source/destination ports are the same and conflicting inside NAT. That would be to keep track of what the source ports were that you assigned when you NAT’d them to the outside world. I think this is how the PIX firewall does it, because the PIX definitely does reorganize/obscure the source ports, though most firewalls that I have seen do not.
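
Tracking the assigned source ports, as the last post suggests, can be done with a table indexed by external port. This is an added example, not code from the thread or from the library under discussion; it allocates from the 10000-64000 range mentioned above. The function and struct names are hypothetical, and it assumes the NAT application has reserved that range so local applications on the NAT host never receive these ports.

```c
#include <stdint.h>

#define NAT_PORT_MIN 10000u  /* range suggested in the thread */
#define NAT_PORT_MAX 64000u
#define NAT_SLOTS (NAT_PORT_MAX - NAT_PORT_MIN + 1u)

struct nat_entry {           /* slot index + NAT_PORT_MIN = external port */
    uint32_t in_ip, dst_ip;  /* inner client IP, remote server IP */
    uint16_t in_port, dst_port;
    uint8_t proto, used;
};
static struct nat_entry nat_table[NAT_SLOTS];
static uint32_t next_slot;   /* round-robin start, delays port reuse */

/* Outbound: external port for this flow, allocated on first use; 0 if the
   range is exhausted. A linear scan keeps the example short. */
uint16_t nat_map_outbound(uint8_t proto, uint32_t in_ip, uint16_t in_port,
                          uint32_t dst_ip, uint16_t dst_port)
{
    uint32_t i, free_slot = NAT_SLOTS;
    for (i = 0; i < NAT_SLOTS; i++) {
        uint32_t s = (next_slot + i) % NAT_SLOTS;
        const struct nat_entry *e = &nat_table[s];
        if (!e->used) { if (free_slot == NAT_SLOTS) free_slot = s; continue; }
        if (e->proto == proto && e->in_ip == in_ip && e->in_port == in_port &&
            e->dst_ip == dst_ip && e->dst_port == dst_port)
            return (uint16_t)(NAT_PORT_MIN + s);   /* flow already mapped */
    }
    if (free_slot == NAT_SLOTS) return 0;
    nat_table[free_slot] =
        (struct nat_entry){ in_ip, dst_ip, in_port, dst_port, proto, 1 };
    next_slot = (free_slot + 1) % NAT_SLOTS;
    return (uint16_t)(NAT_PORT_MIN + free_slot);
}

/* Inbound: returns 1 and the inner endpoint if the packet matches a tracked
   flow, else 0 (leave it untouched for the NAT host's own stack). */
int nat_map_inbound(uint8_t proto, uint32_t src_ip, uint16_t src_port,
                    uint16_t ext_port, uint32_t *in_ip, uint16_t *in_port)
{
    const struct nat_entry *e;
    if (ext_port < NAT_PORT_MIN || ext_port > NAT_PORT_MAX) return 0;
    e = &nat_table[ext_port - NAT_PORT_MIN];
    if (!e->used || e->proto != proto ||
        e->dst_ip != src_ip || e->dst_port != src_port)
        return 0;            /* not a reply to a flow we translated */
    *in_ip = e->in_ip; *in_port = e->in_port;
    return 1;
}
```

Entries should be cleared when the connection closes or times out so the port can be reused; after rewriting addresses and ports, the IP and TCP/UDP checksums must be recalculated.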
