NAT

Per NAT IP, destination IP, port, and protocol

This is the approach that FortiOS uses.

It uses all of the differentiation points of the previous methods (NAT IP, port number and protocol), but adds the destination IP of the packet as a further differentiation point. The network information points in the packet that the FortiGate keeps in its session database to differentiate between sessions are therefore:

  • Public IP address of the FortiGate assigned by NATing
  • Protocol of the traffic
  • Source port assigned by the FortiGate
  • Destination IP address of the packet
  • Destination port of the packet

The destination IP address is an especially good differentiator because, as a theoretical number, its upper limit is the number of public IP addresses on the whole of the Internet. While a large number of sessions from inside the University will be going to a small group of sites such as Google, YouTube and Facebook, it is unlikely that they will all be going to the same destination at the same time.

Example:

In this example it is assumed that the FortiGate has only one public IP address. Two possible packets are described. The only difference in the recorded attributes is the destination of the HTTP request, so these packets are still considered to belong to different sessions and any responses will make it back to the correct computer.

From Student A

Attribute                          Original Packet    Packet after NATing
Source IP address (src-ip)         10.1.1.56          u.u.u.1
Destination IP address (dst-ip)    w.w.w.1            w.w.w.1
Protocol                           tcp                tcp
Source port (src-port)             10000              46372
Destination port (dst-port)        80                 80

From Student B

Attribute                          Original Packet    Packet after NATing
Source IP address (src-ip)         10.5.1.233         u.u.u.1
Destination IP address (dst-ip)    w.w.w.2            w.w.w.2
Protocol                           tcp                tcp
Source port (src-port)             26785              46372
Destination port (dst-port)        80                 80

The reason these attributes are used to differentiate traffic is based on how the indexes for the sessions are recorded in the database. When a TCP connection is made through a FortiGate unit, a session is created and two indexes are created for it: one matched by the outgoing traffic and one matched by the returning traffic. The FortiGate unit uses these indexes to guide matching traffic to the session.

The following could be the session record for Student A's TCP connection in the first example.

Attribute             Outgoing Traffic                          Returning Traffic
Source IP address     10.1.1.56 (internal address)              w.w.w.1
Destination address   w.w.w.1                                   u.u.u.1
Protocol              tcp                                       tcp
Source port           10000 (from original computer),           80
                      translated to 46372 (assigned by NAT)
Destination port      80                                        46372 (FortiGate assigned port)

 

Using this approach to session differentiation, FortiOS only has to ensure that the assigned port, together with the other four attributes, forms a unique combination that identifies the session. So, for example, if Student A simultaneously makes an HTTP (port 80) connection and an HTTPS (port 443) connection to the same web server, this creates another session; the FortiGate can reuse the same assigned port because the destination port differs, and the session record would be:

Attribute             Outgoing Traffic                          Returning Traffic
Source IP address     10.1.1.56 (internal address)              w.w.w.1
Destination address   w.w.w.1                                   u.u.u.1
Protocol              tcp                                       tcp
Source port           10000 (from original computer),           443
                      translated to 46372 (assigned by NAT)
Destination port      443                                       46372 (FortiGate assigned port)

 

These two sessions are distinct, and sharing the assigned port 46372 is acceptable, because the source port on the returning traffic differs (80 versus 443); in the outgoing direction the same value appears as the destination port.
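The following Python model is added here as an illustration and is not code from FortiOS or from this page. It implements the two-index session table described above and walks through the Student A, Student B and HTTP/HTTPS cases, plus two cases the text implies but does not tabulate: a second internal host reaching the same server and port, and an unsolicited packet aimed at an in-use NAT port. The port allocator (lowest port whose NAT IP, protocol, port, destination IP and destination port combination is still free), the extra host 10.9.0.7 with source port 5000, the stray server w.w.w.9, and the use of the page's placeholder strings u.u.u.1 and w.w.w.n as addresses are assumptions made for this example, not FortiOS behaviour.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# 5-tuple as seen on the wire: (src_ip, dst_ip, proto, src_port, dst_port)
Key = Tuple[str, str, str, int, int]


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str
    sport: int
    dport: int

    def key(self) -> Key:
        return (self.src_ip, self.dst_ip, self.proto, self.sport, self.dport)


@dataclass
class Session:
    internal_ip: str    # original source address of the inside host
    internal_port: int  # original source port of the inside host
    nat_port: int       # source port assigned by the FortiGate


class NatSessionTable:
    """Source NAT behind one public IP; every session is indexed twice."""

    def __init__(self, nat_ip: str, first_port: int = 46372, last_port: int = 65535):
        self.nat_ip = nat_ip
        self.first_port, self.last_port = first_port, last_port
        self.outgoing: Dict[Key, Session] = {}   # matched by traffic from inside
        self.returning: Dict[Key, Session] = {}  # matched by reply traffic

    def _reply_key(self, proto: str, dst_ip: str, dport: int, nat_port: int) -> Key:
        # A reply travels server -> FortiGate, so source and destination swap.
        return (dst_ip, self.nat_ip, proto, dport, nat_port)

    def _pick_port(self, proto: str, dst_ip: str, dport: int) -> int:
        # Assumption for this model (not the FortiOS allocator): reuse the lowest
        # port whose full 5-tuple in the reply direction is still free.
        for port in range(self.first_port, self.last_port + 1):
            if self._reply_key(proto, dst_ip, dport, port) not in self.returning:
                return port
        raise RuntimeError("no free NAT port for this destination")

    def outbound(self, pkt: Packet) -> Packet:
        """Translate a packet from the inside; create the session on first sight."""
        sess = self.outgoing.get(pkt.key())
        if sess is None:
            port = self._pick_port(pkt.proto, pkt.dst_ip, pkt.dport)
            sess = Session(pkt.src_ip, pkt.sport, port)
            self.outgoing[pkt.key()] = sess
            self.returning[self._reply_key(pkt.proto, pkt.dst_ip, pkt.dport, port)] = sess
        return Packet(self.nat_ip, pkt.dst_ip, pkt.proto, sess.nat_port, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate a reply from outside; None means no session matched (dropped)."""
        sess = self.returning.get(pkt.key())
        if sess is None:
            return None
        return Packet(pkt.src_ip, sess.internal_ip, pkt.proto, pkt.sport, sess.internal_port)


def demo() -> dict:
    """Constructed traffic: the two students from the tables above plus two extra cases."""
    fgt = NatSessionTable("u.u.u.1")
    out = {}
    out["a_http"] = fgt.outbound(Packet("10.1.1.56", "w.w.w.1", "tcp", 10000, 80))
    out["b_http"] = fgt.outbound(Packet("10.5.1.233", "w.w.w.2", "tcp", 26785, 80))
    out["a_https"] = fgt.outbound(Packet("10.1.1.56", "w.w.w.1", "tcp", 10000, 443))
    # constructed: a third host to the same server and port cannot share 46372
    out["c_http"] = fgt.outbound(Packet("10.9.0.7", "w.w.w.1", "tcp", 5000, 80))
    out["reply_a_http"] = fgt.inbound(Packet("w.w.w.1", "u.u.u.1", "tcp", 80, 46372))
    out["reply_b_http"] = fgt.inbound(Packet("w.w.w.2", "u.u.u.1", "tcp", 80, 46372))
    out["reply_a_https"] = fgt.inbound(Packet("w.w.w.1", "u.u.u.1", "tcp", 443, 46372))
    out["reply_c_http"] = fgt.inbound(Packet("w.w.w.1", "u.u.u.1", "tcp", 80, 46373))
    # constructed: unsolicited packet at an in-use NAT port from a server nobody contacted
    out["stray"] = fgt.inbound(Packet("w.w.w.9", "u.u.u.1", "tcp", 80, 46372))
    return out


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:14} {pkt}")
```

Run it directly to print each translated packet. Three outgoing sessions end up sharing NAT port 46372 because their destination IP or destination port differs, while the third host to w.w.w.1:80 is pushed to 46373. The case worth a practitioner's attention is the last one: because the reply index includes the server's address and port, a packet arriving at an in-use NAT port from a host the inside client never contacted matches no session and is dropped, whereas a table keyed only on NAT IP, protocol and port would have forwarded it inside.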
