Problems with NAT and possible causes
There are several possible causes and solutions for problems with NAT.
Consider the following when troubleshooting NAT issues:
- A Dynamic NAT operation can be applied to most types of traffic. For TCP and UDP connections, dynamic (many-to-one) NAT is done by assigning different hosts the same IP address but different ports, so that the subsequent replies can be recognized and forwarded correctly. For ICMP connections, different hosts are also assigned the same IP address. The ICMP ID in the packets is used to recognize the replies and to forward them to the correct recipients. Only the TCP and UDP transport protocols use ports. See the TCP and UDP branches in the Services tree in the Management Client to check which protocols are transported over TCP or UDP. Dynamic NAT is suitable when different internal hosts communicate with different external hosts. If a single internal host communicates with a single external host, we recommend the use of static NAT, especially if the number of simultaneous connections is high.
- Dynamic NAT can run out of ports if there are too many simultaneous connections in relation to the IP addresses and the port range you have configured for dynamic NAT. You can increase the available ports for translation by adding a new IP address for your dynamic NAT rule. If the rule does not currently use the whole range of high ports, you can also expand the port range. The number of simultaneous NATed connections equals the number of IP addresses multiplied by the number of ports.
- Check the NAT rules for configurations that overlap with the following NAT configurations:
  - Address translation configured in an Outbound Multi-Link or Server Pool element
  - A NAT pool defined for VPN clients in the Firewall element’s properties
  - Element-based NAT

  Errors can occur when one of the listed elements is used and the same connection also matches an overlapping NAT rule, because these elements apply NAT themselves. Only one address translation operation can be done for each packet, so overlapping configurations can cause conflicts. Overlap within the NAT rules themselves is allowed, because the rules are resolved in order (the first matching rule is applied). If you use element-based NAT, a more specific manually created NAT rule placed above the automatically generated NAT rules can prevent traffic from ever matching them.
- Check that the NAT configurations do not overlap with an IP address that is used by some physical host in the network. This configuration error is most common with source address translation for a DMZ or external IP address. Overlapping NAT configurations can create conflicts between IP addresses and other hosts in the network.
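The first two points above (port/ICMP-ID multiplexing in dynamic NAT, and running out of translation slots) are easier to see in a working model. The following is an added example, not code from the product or its documentation: a toy many-to-one NAT table that hands out (translated address, port or ICMP ID) slots per transport protocol, maps replies back to the internal host, releases slots when a connection closes, and raises when the pool of `addresses x ports` is used up. All addresses, port ranges and host names in it are constructed for the illustration.

```python
# Added example (not from the product documentation): a toy model of dynamic
# (many-to-one) NAT that shows how TCP/UDP ports and ICMP identifiers are used
# to multiplex internal hosts behind one translated address, how replies are
# mapped back, and what happens when the translation slots run out.
# All addresses and port ranges are constructed for the illustration.
import collections


class PortExhausted(Exception):
    """Raised when no (translated IP, port/ID) slot is free for a new connection."""


class DynamicNat:
    def __init__(self, pool_ips, port_range):
        self.pool_ips = list(pool_ips)      # translated (public) addresses
        self.port_range = port_range        # ports (or ICMP IDs) used for translation
        self._free = {}                     # proto -> deque of free (ip, id) slots
        self.outbound = {}                  # flow key -> (translated ip, translated id)
        self.inbound = {}                   # (proto, translated ip, translated id) -> flow key

    def capacity(self):
        # The documented rule: simultaneous NATed connections = addresses x ports
        # (per protocol, since TCP ports, UDP ports and ICMP IDs are separate spaces).
        return len(self.pool_ips) * len(self.port_range)

    def _slots(self, proto):
        if proto not in self._free:
            self._free[proto] = collections.deque(
                (ip, p) for ip in self.pool_ips for p in self.port_range)
        return self._free[proto]

    def translate_out(self, proto, src_ip, src_id, dst_ip, dst_id=0):
        """Translate an outbound packet. src_id/dst_id are ports for TCP/UDP;
        for ICMP src_id is the ICMP identifier and dst_id is unused."""
        key = (proto, src_ip, src_id, dst_ip, dst_id)
        if key in self.outbound:            # existing connection keeps its mapping
            return self.outbound[key]
        slots = self._slots(proto)
        if not slots:
            raise PortExhausted(
                f"{proto}: all {self.capacity()} translation slots are in use")
        pub = slots.popleft()
        self.outbound[key] = pub
        self.inbound[(proto,) + pub] = key
        return pub

    def translate_in(self, proto, pub_ip, pub_id):
        """Map a reply addressed to (translated ip, translated id) back to the
        internal host, or None if no connection matches and it cannot be forwarded."""
        key = self.inbound.get((proto, pub_ip, pub_id))
        if key is None:
            return None
        _, src_ip, src_id, _, _ = key
        return src_ip, src_id

    def close(self, proto, src_ip, src_id, dst_ip, dst_id=0):
        """Release the slot when the connection ends."""
        key = (proto, src_ip, src_id, dst_ip, dst_id)
        pub = self.outbound.pop(key, None)
        if pub is not None:
            del self.inbound[(proto,) + pub]
            self._slots(proto).append(pub)


def demo():
    # One translated address and only three ports, so exhaustion is easy to reach.
    nat = DynamicNat(["203.0.113.10"], range(1024, 1027))
    server = "198.51.100.1"
    # Two internal hosts with the same source port reach the same server:
    # they get the same translated IP but different translated ports.
    a = nat.translate_out("tcp", "10.0.0.5", 40000, server, 443)
    b = nat.translate_out("tcp", "10.0.0.6", 40000, server, 443)
    # Two hosts pinging the same server are told apart by ICMP identifier,
    # which has its own slot space.
    p = nat.translate_out("icmp", "10.0.0.5", 7, server)
    q = nat.translate_out("icmp", "10.0.0.6", 7, server)
    nat.translate_out("tcp", "10.0.0.7", 50000, server, 80)   # third TCP slot
    try:
        nat.translate_out("tcp", "10.0.0.8", 50000, server, 80)
        exhausted = False
    except PortExhausted:
        exhausted = True                  # fourth TCP connection cannot be translated
    return {"tcp": (a, b), "icmp": (p, q), "capacity": nat.capacity(),
            "reply_to_b": nat.translate_in("tcp", *b), "exhausted": exhausted}


if __name__ == "__main__":
    print(demo())
```

Adding a second address to `pool_ips`, or widening `port_range`, doubles or extends `capacity()` exactly as the second point above describes; the model keys slots per protocol, so ICMP traffic does not consume TCP ports.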
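The last two points above (first-match resolution of overlapping NAT rules, automatically generated rules that a manual rule can prevent from matching, and translated addresses that collide with a physical host) can be checked mechanically against an exported rule base. The following is an added example, not the product's own code or configuration format: a small checker that finds the first matching rule for a connection, lists rules that an earlier rule shadows completely (it generalizes the page's case to any earlier covering rule, whether more specific or broader), and reports translated source addresses that belong to a known host. The rule fields, the `generated` flag and the host inventory are assumptions made for the illustration.

```python
# Added example (not from the product documentation): a small checker for NAT
# rule ordering and overlap. Rules are resolved first-match, so a manually
# created rule placed above an automatically generated (element-based) rule
# can shadow it; and a translated address that a physical host already uses is
# flagged. Rule fields and host data are constructed for the illustration.
import ipaddress
from dataclasses import dataclass


@dataclass
class NatRule:
    name: str
    source: str              # original source, CIDR
    destination: str         # original destination, CIDR
    translated_source: str   # address or network the source is translated to
    generated: bool = False  # True for automatically generated (element-based) rules

    def matches(self, src, dst):
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.source)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.destination))


def first_match(rules, src, dst):
    """Return the first rule (in list order) that matches the connection, or None."""
    for rule in rules:
        if rule.matches(src, dst):
            return rule
    return None


def shadowed_rules(rules):
    """Names of rules that can never match because an earlier rule covers
    every source/destination pair they would match."""
    shadowed = []
    for i, later in enumerate(rules):
        l_src = ipaddress.ip_network(later.source)
        l_dst = ipaddress.ip_network(later.destination)
        for earlier in rules[:i]:
            if (l_src.subnet_of(ipaddress.ip_network(earlier.source))
                    and l_dst.subnet_of(ipaddress.ip_network(earlier.destination))):
                shadowed.append(later.name)
                break
    return shadowed


def translated_address_conflicts(rules, host_inventory):
    """(rule name, address, host name) for every translated source address that
    belongs to a known physical host."""
    conflicts = []
    for rule in rules:
        net = ipaddress.ip_network(rule.translated_source, strict=False)
        for addr, host in host_inventory.items():
            if ipaddress.ip_address(addr) in net:
                conflicts.append((rule.name, addr, host))
    return conflicts


# Constructed rule base: a manual rule for the whole LAN placed before the
# automatically generated per-host rule, and a translated address that is also
# the address of a real DMZ server.
RULES = [
    NatRule("manual-lan-out", "10.0.0.0/24", "0.0.0.0/0", "203.0.113.20"),
    NatRule("auto-host-5", "10.0.0.5/32", "0.0.0.0/0", "203.0.113.5", generated=True),
    NatRule("vpn-clients", "192.168.100.0/24", "10.0.0.0/24", "10.0.0.254"),
]
HOSTS = {"203.0.113.20": "dmz-web-01", "10.0.0.10": "fileserver"}


def report(rules=RULES, hosts=HOSTS):
    return {
        "host_5_matches": first_match(rules, "10.0.0.5", "198.51.100.1").name,
        "shadowed": shadowed_rules(rules),
        "conflicts": translated_address_conflicts(rules, hosts),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(key, value)
```

In the constructed rule base the generated per-host rule `auto-host-5` never matches because `manual-lan-out` sits above it and covers the same traffic, and `manual-lan-out` translates to an address that `dmz-web-01` already uses: exactly the two overlap situations the points above describe.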