Tcp – NAT Translation Table Port Number

Tags: icmp, nat, protocol-theory, tcp, udp

I had a practice question about a NAT-enabled router with outside address 24.34.112.235 and inside network 192.168.1/24 and three inside hosts .1, .2 and .3. The three hosts all open two connections to 128.119.40.86 port 80.

The NAT table of the router was given as

    NAT Translation Table
      WAN Side                      LAN Side
    24.34.112.235, 4000          192.168.1.1, 3345
    24.34.112.235, 4001          192.168.1.1, 3346
    24.34.112.235, 4002          192.168.1.2, 3445
    24.34.112.235, 4003          192.168.1.2, 3446
    24.34.112.235, 4004          192.168.1.3, 3545
    24.34.112.235, 4005          192.168.1.3, 3546

My question is regarding the answer. I understand the IP addresses. However, are the port numbers randomly chosen or does the order of 3345, 3346, 3445, etc. have a sort of logic given behind them?

What are the requirements on hosts and routers choosing port numbers for this situation?

Is there any reason the WAN-side port numbers couldn't be 6000 to 6005, for example? Or the LAN-side port numbers be 1234 to 1239?

Best Answer

Outgoing port numbers in general are basically extremely unpredictable. Port numbers are only strictly applicable to TCP and UDP, but ICMP "identifier" fields can work in the same way as regards NAT.

There are a few protocols where the outgoing call has to come from a particular port number, but the most common operating systems' implementations choose ports from a range for this purpose.

RFC 6335 covers this:

the System Ports, also known as the Well Known Ports, from 0-1023 (assigned by IANA), the User Ports, also known as the Registered Ports, from 1024-49151 (assigned by IANA), the Dynamic Ports, also known as the Private or Ephemeral Ports, from 49152-65535 (never assigned)

Some operating systems choose the ports randomly from a range, some choose them in linear order (like you see in your example). Some choose lowest available number from a range. It's entirely up to the operating system. Some operating systems let you choose the ranges. (A system with a great deal of outgoing connections, perhaps a web proxy, a mail gateway, or a NAT device, might run out of port numbers if the range is too small.)

In common speech, many people just say "some random high port number".

In your case, the WAN-side port numbers are chosen by the NAT device. The LAN-side port numbers are chosen by the three hosts .1, .2 and .3, but note that it would be extraordinarily unusual for three hosts to choose the identical two port numbers for outgoing connections without something enforcing it. (Running in sync is unlikely to do it -- a transient failure with a retry, for example, will "use up" a port number in whatever sequence the OS is using.)

As Eddie says:

A lot of Cisco routers will choose source ports sequentially. A lot of F5 devices choose source ports randomly. Every vendor is free to do it their own way.

A point to notice is that if you are planning access control on port numbers, you might have to accommodate whatever your operating systems use.

If for some reason you need to control particular port numbers for outgoing NAT, you need "static PAT" in your NAT device.
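The translation table from the question, worked through as an added example (not code from the question or the answer): a small NAPT simulation using the question's addresses, with the two WAN-side port strategies the answer describes (sequential or random from a configured range) and the port-exhaustion case that a too-small range produces. The class and function names are hypothetical.

```python
import random

# Added example, not from the question or answer. A minimal NAPT table that
# rewrites outbound connections and maps replies back to the inside host.
# WAN port selection is sequential or random within a configured range.

class Napt:
    def __init__(self, wan_ip, port_range=(4000, 4005), strategy="sequential", seed=None):
        self.wan_ip = wan_ip
        self.lo, self.hi = port_range
        self.strategy = strategy
        self.rng = random.Random(seed)
        self.cursor = self.lo            # next port for the sequential strategy
        self.out = {}                    # (lan_ip, lan_port) -> wan_port
        self.back = {}                   # wan_port -> (lan_ip, lan_port)

    def _alloc(self):
        free = [p for p in range(self.lo, self.hi + 1) if p not in self.back]
        if not free:                     # the exhaustion case the answer warns about
            raise RuntimeError("NAT port range exhausted")
        if self.strategy == "random":
            return self.rng.choice(free)
        # sequential: lowest free port at or after the cursor, wrapping if needed
        port = next((p for p in free if p >= self.cursor), free[0])
        self.cursor = port + 1
        return port

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate an outbound 4-tuple, creating a table row on first use."""
        key = (src_ip, src_port)
        if key not in self.out:
            wan_port = self._alloc()
            self.out[key] = wan_port
            self.back[wan_port] = key
        return (self.wan_ip, self.out[key], dst_ip, dst_port)

    def inbound(self, wan_port):
        """Map a reply's destination port back to the inside host; None means dropped."""
        return self.back.get(wan_port)

def build_table(strategy="sequential", seed=None):
    """Reproduce the question's scenario: three hosts, two connections each to port 80."""
    nat = Napt("24.34.112.235", strategy=strategy, seed=seed)
    lan = {"192.168.1.1": (3345, 3346), "192.168.1.2": (3445, 3446),
           "192.168.1.3": (3545, 3546)}
    rows = []
    for host, ports in lan.items():
        for lp in ports:
            wan_ip, wp, _, _ = nat.outbound(host, lp, "128.119.40.86", 80)
            rows.append(((wan_ip, wp), (host, lp)))
    return nat, rows
```

With the sequential strategy `build_table()` yields exactly the six rows in the question; with `strategy="random"` the same six LAN-side pairs get the same set of WAN ports in an unpredictable order, and a seventh connection raises because the range 4000-4005 is used up.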
