Understanding Different NAT Types and Hole-Punching
A brief explanation of Network Address Translation (NAT) types, how they interact with hole-punching, and how they can affect the ability to join cluster members and gateway group members and to create tunnels.
All NAT definitions below are taken from the Internet Society RFC 3489.
Normal (Full Cone) NAT
A full cone NAT is one where all requests from the same internal IP address and port are mapped to the same external IP address and port. Furthermore, any external host can send a packet to the internal host, by sending a packet to the mapped external address.
Restricted Cone NAT
A restricted cone NAT is one where all requests from the same internal IP address and port are mapped to the same external IP address and port. Unlike a full cone NAT, an external host (with IP address X) can send a packet to the internal host only if the internal host had previously sent a packet to IP address X.
Port Restricted Cone NAT
A port restricted cone NAT is like a restricted cone NAT, but the restriction includes port numbers. Specifically, an external host can send a packet, with source IP address X and source port P, to the internal host only if the internal host had previously sent a packet to IP address X and port P.
Symmetric NAT
A symmetric NAT is one where all requests from the same internal IP address and port, to a specific destination IP address and port, are mapped to the same external IP address and port. If the same host sends a packet with the same source address and port, but to a different destination, a different mapping is used. Furthermore, only the external host that receives a packet can send a UDP packet back to the internal host.
Using a previously established association to permit an arbitrary external address/port to send data to an internal address/port is referred to as hole-punching. Hole-punching is possible with normal (full-cone), restricted and port-restricted NATs, which map the same internal address/port consistently to an external address/port.
Hole-punching is not possible with purely symmetric NATs, due to their inconsistent destination-specific port mapping behavior.
Hole-punching can be used for both TCP and UDP traffic. For hole-punching to work, the association must be created by initiating an outbound connection from an internal system, and then reusing the port on the internal system as a listener. External systems other than the target of the original connection will be able to connect to the internal system through the association.
Hole-punching can be used when both parties of the desired communication path are behind NATs, as long as at least one side is able to determine the dynamic association assigned to the other party by the NAT, and send data through the association.
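The following simulation is an added example (not part of the original page or of DH2i's software) that models the four NAT types above and walks through the hole-punching sequence: an internal host registers with a rendezvous server, a peer learns the resulting external port, the internal host sends one packet toward the peer from the same internal port, and the peer then sends to that external port. All addresses are constructed documentation-range values; symmetric NAT is modelled as destination-specific mapping plus exact address/port filtering, which is an assumption of the simulation.

```python
from dataclasses import dataclass, field

@dataclass
class Nat:
    kind: str                              # full_cone | restricted | port_restricted | symmetric
    mappings: dict = field(default_factory=dict)   # mapping key -> external port
    allowed: set = field(default_factory=set)      # (ext_port, dst_ip, dst_port) seen outbound
    next_port: int = 40000                 # next external port to hand out (constructed)

    def outbound(self, src, dst):
        """Internal `src` sends to external `dst`; returns the external port the NAT uses."""
        # Cone NATs key the mapping on the internal address/port only; a symmetric NAT
        # also keys on the destination, so each new destination gets a new external port.
        key = (src, dst) if self.kind == "symmetric" else src
        if key not in self.mappings:
            self.mappings[key] = self.next_port
            self.next_port += 1
        ext = self.mappings[key]
        self.allowed.add((ext, dst[0], dst[1]))
        return ext

    def inbound(self, ext_port, peer):
        """External `peer` sends to our external port; True if the NAT forwards it inside."""
        if self.kind == "full_cone":                      # any host may use an existing mapping
            return ext_port in self.mappings.values()
        if self.kind == "restricted":                     # peer IP must have been contacted
            return any(p == ext_port and ip == peer[0] for p, ip, _ in self.allowed)
        # port_restricted and symmetric: exact peer IP and port must have been contacted
        return (ext_port, peer[0], peer[1]) in self.allowed

def hole_punch_works(kind):
    """Return (unsolicited_ok, punched_ok) for a host behind a NAT of the given kind."""
    nat = Nat(kind)
    a = ("10.0.0.5", 5000)          # internal host address/port (constructed)
    r = ("203.0.113.1", 3478)       # rendezvous server (constructed, TEST-NET-3)
    b = ("198.51.100.7", 6000)      # external peer (constructed, TEST-NET-2)
    ext = nat.outbound(a, r)        # A registers with R; B learns `ext` from R
    unsolicited = nat.inbound(ext, b)   # B sends before A has punched toward it
    nat.outbound(a, b)              # A punches: one packet toward B from the same internal port
    punched = nat.inbound(ext, b)   # B retries the port it learned from R
    return unsolicited, punched

if __name__ == "__main__":
    for k in ("full_cone", "restricted", "port_restricted", "symmetric"):
        print(k, hole_punch_works(k))
```

For the symmetric case the punch toward B allocates a second external port, so the port B learned from the rendezvous server is never opened to it, which is why the text above calls hole-punching impossible through purely symmetric NATs.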
Run the DH2i NAT Test to determine whether your site is behind a Symmetric NAT device.
The DH2i NAT Test does not differentiate between Full Cone, Restricted Cone, and Port Restricted Cone NAT. These three types will all yield a Permissive NAT result, as all three of these NAT types create a one-to-one association between the internal IP/port and external IP/port. Therefore, if one site is behind a Symmetric NAT and the other site is behind a Permissive NAT, a connection may or may not be possible with DH2i software depending upon which type of Permissive NAT is at play. Symmetric NAT in association with Port Restricted NAT is a non-routable combination.