Understanding Different NAT Types and Hole-Punching
- DxConnect 19.5 and newer
- DxOdyssey 19.5 and newer
- DxEnterprise 19.5 and newer
A brief explanation of Network Address Translation (NAT) types, how they interact with hole-punching, and how they can affect the ability to join Gateway Groups and create tunnels.
All NAT definitions below are taken from RFC 3489 (STUN), section 5. RFC 3489 has since been obsoleted by RFC 5389, and RFC 4787 describes NATs by their mapping and filtering behavior instead of by these four types, but the RFC 3489 classification is still the common vocabulary for hole-punching and is the one used here.
Normal (Full Cone) NAT
A full cone NAT is one where all requests from the same internal IP address and port are mapped to the same external IP address and port. Furthermore, any external host can send a packet to the internal host, by sending a packet to the mapped external address.
Restricted Cone NAT
A restricted cone NAT is one where all requests from the same internal IP address and port are mapped to the same external IP address and port. Unlike a full cone NAT, an external host (with IP address X) can send a packet to the internal host only if the internal host had previously sent a packet to IP address X.
Port Restricted Cone NAT
A port restricted cone NAT is like a restricted cone NAT, but the restriction includes port numbers. Specifically, an external host can send a packet, with source IP address X and source port P, to the internal host only if the internal host had previously sent a packet to IP address X and port P.
Symmetric NAT
A symmetric NAT is one where all requests from the same internal IP address and port, to a specific destination IP address and port, are mapped to the same external IP address and port. If the same host sends a packet with the same source address and port, but to a different destination, a different mapping is used. Furthermore, only the external host that receives a packet can send a UDP packet back to the internal host.
Using a previously established association to permit an external address/port other than the original destination to send data to an internal address/port is referred to as hole-punching. Hole-punching is possible with normal (full cone), restricted cone and port restricted cone NATs because they map the same internal address/port to the same external address/port regardless of destination, so a mapping learned from one outbound connection is valid for other peers. A symmetric NAT allocates a different external address/port for each destination, so the mapping discovered through one peer says nothing about the mapping that will be used toward another; this is what breaks hole-punching.
Hole-punching can be used for both TCP and UDP traffic. For hole-punching to work, the association must be created by initiating an outbound connection from an internal system, and then reusing the same port on the internal system as a listener (for TCP this means binding the listening socket to the local port of the outbound connection, which requires the socket to allow address reuse, such as SO_REUSEADDR). Through a full cone NAT, any external system can then reach the internal system via the mapped external address/port. Through a restricted or port restricted cone NAT, the internal system must first send a packet toward each peer's address (and, for port restricted, its port) before that peer's packets are admitted; that outbound packet is the "punch".
Hole-punching can be used when both parties of the desired communication path are behind NATs, as long as at least one side can learn the dynamic mapping that the other party's NAT assigned, typically from a third party both sides can reach, and send data through that mapping.
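The following simulation is an added example and is not DH2i's code or a description of how DxOdyssey, DxConnect or DxEnterprise implement tunnels. It models the four RFC 3489 NAT types defined above as a mapping policy (one external port per internal socket, or one per destination) plus a filtering policy (none, address, or address and port), and then runs the rendezvous-assisted hole punch described in the three paragraphs above between two hosts behind NATs of any two types. The rendezvous server, the IP addresses and the ports are constructed for the demo; the symmetric NAT is modelled with address-and-port filtering, following the "only the external host that receives a packet can send a UDP packet back" rule in the definition. It goes slightly beyond the text in that, once a side receives a packet, it replies to the source it actually observed rather than the address the server reported, which is what lets a cone NAT on one side cope with a symmetric NAT on the other.

```python
# Added example (not DH2i's code): a simulation of the four RFC 3489 NAT types
# and of a rendezvous-assisted hole punch between two hosts behind them.
# All addresses, ports and the rendezvous server are constructed for the demo.
from dataclasses import dataclass
from itertools import count


@dataclass(frozen=True)
class Endpoint:
    ip: str
    port: int


class NAT:
    """One NAT device, modelled as a mapping policy plus a filtering policy.

    mapping   'cone'      -> one external port per internal socket, whatever the destination
              'symmetric' -> a fresh external port for each destination
    filtering 'none'      -> any external host may send in (full cone)
              'addr'      -> only hosts the internal socket has sent to (restricted cone)
              'addr+port' -> only host:port pairs it has sent to (port restricted / symmetric)
    """
    TYPES = {
        "full_cone":       ("cone", "none"),
        "restricted":      ("cone", "addr"),
        "port_restricted": ("cone", "addr+port"),
        "symmetric":       ("symmetric", "addr+port"),
    }

    def __init__(self, nat_type, external_ip):
        self.mapping, self.filtering = self.TYPES[nat_type]
        self.external_ip = external_ip
        self._ports = count(40000)          # next external port to hand out
        self.table = {}                     # mapping key -> external Endpoint
        self.reverse = {}                   # external Endpoint -> internal Endpoint
        self.permits = {}                   # external Endpoint -> destinations sent to

    def _key(self, internal, dest):
        return internal if self.mapping == "cone" else (internal, dest)

    def outbound(self, internal, dest):
        """Internal socket sends to dest: create or reuse the mapping, record the permission."""
        key = self._key(internal, dest)
        if key not in self.table:
            ext = Endpoint(self.external_ip, next(self._ports))
            self.table[key], self.reverse[ext], self.permits[ext] = ext, internal, set()
        ext = self.table[key]
        self.permits[ext].add(dest)
        return ext                          # the source address the outside world sees

    def inbound(self, src, ext):
        """Packet from src arrives at external endpoint ext: internal target, or None if dropped."""
        internal = self.reverse.get(ext)
        if internal is None:
            return None
        allowed = self.permits[ext]
        if self.filtering == "addr" and not any(p.ip == src.ip for p in allowed):
            return None
        if self.filtering == "addr+port" and src not in allowed:
            return None
        return internal


def send(src_nat, src_int, dst_nat, dst_ext):
    """One packet across the public network. Returns (observed source, delivered-to or None)."""
    observed = src_nat.outbound(src_int, dst_ext)
    return observed, dst_nat.inbound(observed, dst_ext)


def hole_punch(type_a, type_b, rounds=3):
    """True if hosts behind NATs of the two types end up able to reach each other.

    Both hosts first contact a rendezvous server, which tells each the external
    endpoint it observed for the other. Each side then sends to that endpoint
    (the punch) and, once a packet gets through, replies to the source it saw.
    """
    server = Endpoint("203.0.113.1", 3478)                       # constructed rendezvous server
    nat_a, nat_b = NAT(type_a, "198.51.100.10"), NAT(type_b, "198.51.100.20")
    a, b = Endpoint("10.0.0.5", 5000), Endpoint("192.168.1.7", 6000)
    target_for_a = nat_b.outbound(b, server)     # B's mapping as seen by the server
    target_for_b = nat_a.outbound(a, server)     # A's mapping as seen by the server
    a_got, b_got = False, False
    for _ in range(rounds):
        src, delivered = send(nat_a, a, nat_b, target_for_a)
        if delivered == b:
            b_got, target_for_b = True, src      # B now replies to the source it observed
        src, delivered = send(nat_b, b, nat_a, target_for_b)
        if delivered == a:
            a_got, target_for_a = True, src
    return a_got and b_got


NAT_TYPES = tuple(NAT.TYPES)


def support_matrix():
    """Which NAT type pairs the model lets a hole punch succeed for."""
    return {(x, y): hole_punch(x, y) for x in NAT_TYPES for y in NAT_TYPES}


if __name__ == "__main__":
    for (x, y), ok in support_matrix().items():
        print(f"{x:15} <-> {y:15}  {'works' if ok else 'fails'}")
```

Running the script prints the model's own pairwise matrix: every combination of the three cone types succeeds, a symmetric NAT on one side still succeeds against a full cone or restricted cone peer (the peer's filter accepts the symmetric side's new mapping because the source IP is unchanged), and the punch fails for symmetric against port restricted and for symmetric against symmetric, where neither side can learn a usable mapping. This is the RFC 3489 model, not a statement of which configurations DH2i supports; it also ignores TCP-specific timing and port-prediction tricks that some symmetric NATs with sequential allocation permit.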
Click the link below to run the DH2i NAT Test to determine whether your site is behind a Symmetric NAT device.
DH2i NAT Test
NAT Type Support Matrix