Cone NAT Introduction
PeterSu
SW2
ZyXEL Confidential
What is Cone NAT
RFC 3489
A strict restriction for the mapping of internal IP address / port, external IP address / port, and destination IP address / port
Cone NAT Type
Full Cone
• All requests from the same internal IP address and port are mapped to the same external IP address and port. Furthermore, any external host can send a packet to the internal host, by sending a packet to the mapped external address.
(IP) Restricted Cone
• All requests from the same internal IP address and port are mapped to the same external IP address and port. Unlike a full cone NAT, an external host (with IP address X) can send a packet to the internal host only if the internal host had previously sent a packet to IP address X.
Port Restricted Cone
• Like a restricted cone NAT, but the restriction includes port numbers. Specifically, an external host can send a packet, with source IP address X and source port P, to the internal host only if the internal host had previously sent a packet to IP address X and port P.
Symmetric
• All requests from the same internal IP address and port, to a specific destination IP address and port, are mapped to the same external IP address and port. If the same host sends a packet with the same source address and port, but to a different destination, a different mapping is used. Furthermore, only the external host that receives a packet can send a UDP packet back to the internal host.
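The four behaviours above as a small simulation, showing which external senders can reach the client after it has contacted ComputerA only. This is an added example, not part of the original slides; the Nat class and its method names are hypothetical, and reading the diagrams' "Source" address as the NAT's external mapping is an assumption.

```python
from itertools import count

FULL, RESTRICTED, PORT_RESTRICTED, SYMMETRIC = "full", "restricted", "port-restricted", "symmetric"

class Nat:
    """Toy UDP NAT modelling the four RFC 3489 behaviours (mapping plus inbound filter)."""

    def __init__(self, kind, public_ip="202.123.211.25", first_port=12345):
        self.kind, self.public_ip = kind, public_ip
        self._ports = count(first_port)   # next free external port
        self.maps = {}                    # mapping key -> external (ip, port)
        self.sent = {}                    # external (ip, port) -> (internal, {destinations})

    def outbound(self, internal, dst):
        """Internal host sends to dst; return the external source address used."""
        # Symmetric NAT keys the mapping on the destination too; cone NATs do not.
        key = (internal, dst) if self.kind == SYMMETRIC else internal
        if key not in self.maps:
            self.maps[key] = (self.public_ip, next(self._ports))
        ext = self.maps[key]
        self.sent.setdefault(ext, (internal, set()))[1].add(dst)
        return ext

    def inbound(self, remote, ext):
        """Remote sends to external address ext; return the internal target, or None if dropped."""
        if ext not in self.sent:
            return None                   # no mapping exists: always dropped
        internal, dsts = self.sent[ext]
        if self.kind == FULL:
            return internal               # any external host may use the mapping
        if self.kind == RESTRICTED:       # remote IP must have been contacted before
            return internal if remote[0] in {ip for ip, _ in dsts} else None
        return internal if remote in dsts else None   # exact IP and port required

# Addresses from the slides' diagrams; their roles here are an assumption.
CLIENT = ("10.0.0.1", 8000)
A, A_OTHER_PORT, B = ("222.111.99.1", 20202), ("222.111.99.1", 10101), ("222.111.88.2", 10101)

def reachability(kind):
    """Client contacts ComputerA only; report which remotes can then reach it."""
    nat = Nat(kind)
    ext = nat.outbound(CLIENT, A)
    return {name: nat.inbound(r, ext) == CLIENT
            for name, r in (("A", A), ("A_other_port", A_OTHER_PORT), ("B", B))}

if __name__ == "__main__":
    for kind in (FULL, RESTRICTED, PORT_RESTRICTED, SYMMETRIC):
        print(kind, reachability(kind))
```

Port restricted cone and symmetric filter inbound packets identically; they differ in that the symmetric NAT allocates a new external port for each destination.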
Full Cone
[Diagram labels: NAT; Client (IP: 10.0.0.1, Port: 8000); ComputerA (IP: 222.111.99.1, Port: 20202); ComputerB (IP: 222.111.88.2, Port: 10101); Source (IP: 202.123.211.25, Port: 12345)]
Full Cone
All requests from the same internal IP address and port are mapped to the
same external IP address and port. Furthermore, any external host can
send a packet to the internal host, by sending a packet to the mapped
external address.
Restricted Cone
[Diagram labels: NAT; Client (IP: 10.0.0.1, Port: 8000); ComputerA (IP: 222.111.99.1, Port: 20202); ComputerA (IP: 222.111.99.1, Port: 10101); Source (IP: 202.123.211.25, Port: 12345); ComputerB (IP: 222.111.88.2, Port: 10101)]
Restricted Cone
All requests from the same internal IP address and port are mapped to the
same external IP address and port. Unlike a full cone NAT, an external
host (with IP address X) can send a packet to the internal host only if the
internal host had previously sent a packet to IP address X.