post

Policy NAT and Twice NAT

This article is a part of a series on Network Address Translation (NAT). Use the navigation boxes to view the rest of the articles.
 
Network Address Translation

Every type of NAT we have discussed so far have two things in common. The first is that only the source of the packet is used to make a NAT decision. The second is that only the source of the outbound packet is translated. Policy NAT and Twice NAT are two ways of performing any type of NAT that expand beyond these two facts.

Summary of the types of NAT

First, let’s quickly recap what we learned in the previous articles:

NAT vs PAT – these terms define whether just the IP address portion of the packet, or the IP address and Port number are being translated

Static vs Dynamic – these terms define whether the post-translation attributes are explicitly defined by the administrator, or ephemerally determined by the router.

When combined, this provides four possible variations of Network Address Translation:

  • Static NAT – Translation of just the IP address where the administrator explicitly defines the IP address after translation
  • Static PAT – Translation of the IP address and Port, where the administrator explicitly defines the IP address and Port after translation
  • Dynamic PAT – Translation of the IP address and Port, where the router determines the new IP address and Port after translation
  • Dynamic NAT – Translation of just the IP address, where the router determines the new IP address after translation

 

Decision Criteria

To configure each type of NAT above, we must define for the router exactly what traffic should be translated, and what it should be translated to.

If we review the configuration applied in the Static NAT or Dynamic PAT articles, we essentially instructed the Router to perform the following translations:

Notice in both cases we are making a decision to perform address translation based solely upon matching the source IP address of the packet – the destination address was not considered.

This is fine if you want all traffic from the Inside servers translated the same way for every destination they may speak to. However, there are times when you want to translate traffic to a certain destination one way, then translate traffic to a different destination a completely different way.

In such cases, when you need to conditionally translate traffic based upon the destination of the packet, you will need to use what is known as a Policy NAT.

 

Policy NAT

The following example is the same illustration as we used in the Dynamic PAT article, except we’ve added one additional, conditional translation to the configuration:

Policy NAT - Dynamic Policy PAT

There are two parts to the Router’s configuration. The first part of the configuration produces this behavior:

  • If the source IP address is 10.6.6.0/24 and the destination IP address is 45.5.4.9, translate the source IP using Dynamic PAT to the address 32.8.2.77

The additional configuration tells the router to translate a packet based upon the criteria of matching both the Source and Destination of the packet. In the industry, this is referred to as a Policy NAT.

A Policy NAT is simply any of the four NAT types we discussed prior in this article series, except the NAT decision requires matching both the Source and Destination of a packet.

By contrast, every example of address translation thus far made a NAT decision based upon only the source of the packet.

The specific illustration immediately above was an example of a Policy Dynamic PAT – A translation decision based upon matching the source and destination of the packet (Policy), with the router determining the attributes after translation (Dynamic), which translated the source IP address and port (PAT).

The second part of the configuration produces this behavior:

  • If the source IP address is 10.6.6.0/24, and the destination IP address is <anything>, translate the source IP using Dynamic PAT to the address 32.8.2.66

The second configuration item in the illustration above is simply a regular, Dynamic PAT.

Every traditional Dynamic PAT implies matching for any destination. Whereas the Policy Dynamic PAT in the first example would only match for specific destinations.

Twice NAT

In each example of the traditional four types of NAT we’ve discussed in this article series, only one “side” of the packet was being modified: the Source of the outbound packet or the Destination of the inbound packet.

Moreover, in the prior section we discussed Policy NAT: making a NAT decision based upon matching both the source and destination of traffic. However, even in a Policy NAT, once the decision was made, only one side of the packet was being modified.

If you refer back to the Policy Dynamic PAT example, when Host A (10.6.6.61) was speaking to the Server, we translated 10.6.6.61 using a Dynamic PAT into 32.8.2.77. Notice the Server’s IP address (45.5.4.9) was never translated, only the client’s – only one side of the packet was changed (the source of the outbound packet).

There are occasions where you need to translate both sides of the packet – this type of translation is referred to as a Twice NAT. The term comes from the fact that you are performing NAT twice: once on the source of the packet and another time on the destination of the packet.

There are many use cases for Twice NAT, we will provide one examples below. Another example will be illustrated in a separate article.

Changing the Destination with Twice NAT

At the core of it, a Twice NAT is a type of NAT where both the Source and Destination of the packet will be translated. Take this scenario as an example.

You are in charge of a Router with hosts on a private network (10.6.6.0/24) that have chosen to use Google’s Public DNS Resolving Server (8.8.8.8). However, company policy states DNS requests must be made using the Corporate DNS server (32.9.1.8). One option is to manually verify every user’s DNS configuration, but that does not scale. Instead, another option would be to translate any outbound requests to 8.8.8.8 into a request for 32.9.1.8.

Twice NAT - Rewriting DNS entries

Notice the configuration is making a decision based upon matching a Source of 10.6.6.0/24 and a Destination of 8.8.8.8 – this makes the configuration a Policy NAT. Furthermore, the configuration is translating the source using a Dynamic PAT, and the destination using a Static NAT – this makes the configuration a Twice NAT, since we are doing two instances of address translation.

The packet sent by the host is sourced from a private IP address and destined to Google’s DNS servers. But after crossing the router, the packet is now sourced from a public IP address and destined to the Corporate DNS servers.

The internal host is still configured to use Google’s DNS servers, but their traffic is automatically being redirected to the corporate DNS servers. The internal host will not know that anything is different, and unless they go out of their way to validate the DNS responses, they will have no idea that the response is coming from the corporate DNS server and not Google’s DNS server.

 

Summary of New Terms

In this article, we unpacked and compared the ideas of a Policy NAT and a Twice NAT. As a quick summary:

  • A Policy NAT is any translation that occurs based upon matching both the Source and Destination of traffic.
  • A Twice NAT is any translation that involves translating both the Source and Destination of traffic.

These two terms can be combined, giving us a Policy Twice NAT. Which is a type of NAT which makes a decision based upon the Source and Destination of a packet (Policy NAT), and translates both the Source and Destination of a packet (Twice NAT).

Series Navigation<< Dynamic NATNAT Terminology Disambiguation >>

Speak Your Mind

*