Using NAT for VPN
- Address Translation Method
- Port Translation Method
- Limitations
- VPN and NAT
- NAT/PAT Device Configuration
If, after you read through this document, you are still having problems setting up your NAT device to work with the VPN client, you can file a problem in the problem-tracking database at http://helpdesk.rice.edu.
Address Translation Method
The NAT device has a pool of one or more valid, routable Internet addresses. NAT works by changing the source and destination IP addresses in the packet header. This process is like changing the sender's address and the recipient's address on a postal envelope. To allow this to happen, the NAT device maintains a pool of valid IP addresses that are used on the outside only.
When a computer on the inside network sends a packet to the outside network, we have to hide its real sender's address. The NAT device replaces the inside IP address in the packet header's source IP address field with an outside IP address that it assigns from its available address pool. The packet is then placed on the outside network. The NAT device keeps a translation table containing all inside/outside address pairs that it assigns. Subsequent packets from the same inside IP address are translated to the same outside IP address.
For packets arriving from the outside, the process operates on the packet header's recipient's address, that is, the destination IP address. First, if the destination IP address of the incoming packet is not found in the translation table, the packet is simply dropped because the NAT device doesn't know which inside address the packet should go to. Otherwise, the NAT device replaces the outside IP address in the packet header's destination IP field with the corresponding inside IP address from the translation table, and the packet is placed on the inside network.
Address translation allows many computers to share a small pool of real IP addresses. The NAT device will periodically delete translations from its table when they no longer appear to be in use. However, if there are no additional outside IP addresses available for assignment, computers on the inside network cannot get to the outside network.
Port Translation Method (PAT)
This second method allows many computers on the inside to share a single IP address on the outside. Both the source and destination for every IP packet contain an IP address and a port. For destinations, the port tells the computer receiving it how to process the packet. A destination port of 80 indicates that the packet is retrieving a web page, while a port of 25 is used to move electronic mail between mail servers. Port translation, sometimes called PAT to distinguish it from address translation, relies on the fact that the source port is not important for most protocols. Similar to NAT, port translation makes changes to the sender's address and recipient's address on data packets. However, any IP address change involves the PAT device's single outside IP address rather than a pool of addresses. Port numbers, not IP addresses, are used to designate different computers on the inside network. A PAT device is like a post office that delivers box mail: outgoing envelopes are changed to appear to come from a post office box; incoming envelopes addressed to a valid post office box are changed to have the real street address of the box holder.
When a computer on the inside network sends a packet to the outside network, we still want to hide its sender's address. The PAT device replaces the inside IP address in the packet header's source field (the sender's address) with the PAT device's outside IP address. It then assigns the connection a port number from a pool of available ports, inserts this port number in the packet header's source port field (the post office box number), and places the packet on the outside network. The NAT device then makes an entry in its translation table containing the inside IP address, inside source port, and outside port. Subsequent packets from the same connection on the inside IP address are translated to the same outside port number.
The computer receiving a data packet will use the source IP address and source port as the corresponding destination fields in any response it sends back. So, for packets arriving from the outside, the process operates on the packet header's destination port (the recipient's post office box number). First, if the destination port number of the incoming packet is not found as an outside port in the translation table, the packet is simply dropped because the NAT device doesn't know where to send it. Otherwise, the corresponding inside IP address and inside port number from the translation table replace the destination IP address and the destination port number in the incoming packet header. The packet is then placed on the inside network.
Port translation allows many computers to share a single IP address. The PAT device periodically deletes translations from its table when they no longer appear to be in use. Because the port number field is a 16-bit unsigned number (0-65535), the likelihood of an inside computer not being able to send outside traffic is greatly reduced.
Limitations
NAT and/or PAT will not work for some network protocols that carry real network address information and/or port numbers in the user data of the packet (think of the letter inside an envelope). NAT and PAT only make changes to the packet header (the envelope), because the user data could be unreadable due to encryption and because it is a bad idea for the network to change data that isn't network data.
VPN and NAT
IPSEC, the protocol used between the VPN 5000 Client and the VPN gateway, is an example of a protocol that NAT and PAT break. Network information is included in the user data in some of the initial packets exchanged between Client and gateway.
Because NAT/PAT devices are becoming so common, NAT Transparency has been developed to allow the Client to pass the necessary information to the gateway.
If your connection uses NAT or PAT, you must check the Use NAT Transparency box in the Login Properties when setting up the connection. If your connection does not use NAT, do not check the box.

Be sure that NAT Port: is set to 80. Some versions of the client (such as the Macintosh version shown) default to 80, while others default to blank. In transparency mode, packets are sent from the client to the gateway with a destination port of 80 and a source port of 500, which tells the gateway to do things in a way that will work through a NAT or PAT device. For this to work, your NAT or PAT device must preserve this information in both directions.
NAT/PAT Device Configuration
This section contains practical information about the NAT and/or PAT devices that we have tested. We'll add more as we learn it. If you have experience with other devices, we'd like to hear from you.
The SMC Barricade Wireless Broadband Router and similar products (firmware versions 1.88 and 1.91) are PAT devices designed to work with IPSEC. They require no special router configuration. However, you must take care not to block the required ports (80 and 500) with the Barricade's firewall feature, and remember to enable the NAT Transparency feature in the client (see above).
The Apple Airport (firmware version 1.3) requires special configuration if you are using it to share one outside network address from your Internet provider among one or more computers (see Network tab in the Airport Admin Utility). In this mode, the Airport uses PAT, which Apple calls Port Mapping.
Using this form of address sharing with the Airport, you will need to configure your computer manually on the inside network with a static IP address from the range of inside, or wireless side, IP addresses defined in the Airport. Let's say 10.0.1.201. Go to the NETWORK tab in the Airport Admin Utility and click the "Port Mapping..." button. Make entries in the configuration table to map port 80 on the Ethernet side to IP address 10.0.1.201, port 80, on the wireless side. Also, map port 500 on the Ethernet side to IP address 10.0.1.201, port 500, on the wireless side.
Manually configure the computer on which you plan to use NAT to IP address 10.0.1.201. Be sure to enable the NAT Transparency feature in the VPN 5000 Client by checking the "Use NAT Transparency" checkbox in your configuration.
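As an added example (not part of the original Rice document), the following Python models the port translation table described in the Port Translation section and the Airport-style static "Port Mapping" entries from this section. The outside address 192.0.2.10, the gateway address 198.51.100.5, the small port pool and the class names are constructed assumptions; it shows why an unsolicited packet arriving for port 500 is dropped unless a mapping to 10.0.1.201 exists.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Only the header fields a PAT device rewrites (the 'envelope')."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PatDevice:
    """Port translation: many inside hosts share one outside IP address."""

    def __init__(self, outside_ip, port_pool=(40000, 40001, 40002), static_maps=None):
        self.outside_ip = outside_ip
        self.free_ports = list(port_pool)       # outside ports not yet assigned
        self.table = {}                         # outside_port -> (inside_ip, inside_port)
        self.reverse = {}                       # (inside_ip, inside_port) -> outside_port
        # Static inbound entries, like the Airport "Port Mapping" table (assumed shape).
        self.static = dict(static_maps or {})   # outside_port -> (inside_ip, inside_port)

    def outbound(self, pkt):
        """Inside -> outside: rewrite the sender's address and port."""
        key = (pkt.src_ip, pkt.src_port)
        out_port = self.reverse.get(key)
        if out_port is None:                    # first packet of this connection
            if not self.free_ports:
                return None                     # port pool exhausted: packet cannot leave
            out_port = self.free_ports.pop(0)
            self.table[out_port] = key
            self.reverse[key] = out_port
        return Packet(self.outside_ip, out_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Outside -> inside: look up the 'post office box' (destination port)."""
        if pkt.dst_ip != self.outside_ip:
            return None
        inside = self.table.get(pkt.dst_port) or self.static.get(pkt.dst_port)
        if inside is None:
            return None                         # unknown box: packet is dropped
        return Packet(pkt.src_ip, pkt.src_port, inside[0], inside[1])


if __name__ == "__main__":
    pat = PatDevice("192.0.2.10")               # constructed outside address
    out = pat.outbound(Packet("10.0.1.201", 500, "198.51.100.5", 80))
    print("outbound:", out)
    print("reply:", pat.inbound(Packet("198.51.100.5", 80, "192.0.2.10", out.src_port)))
    print("unsolicited:", pat.inbound(Packet("198.51.100.5", 500, "192.0.2.10", 500)))
```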
