NAT - Network Address Translation
What is NAT?
NAT (Network Address Translation) is a method used by routers to translate private IP addresses to a public IP address (and vice versa) for internet communication.
Why is NAT used?
NAT helps conserve public IP addresses and adds a layer of security by hiding internal network structures.
What are the types of NAT?
Common types include Static NAT, Dynamic NAT, and PAT (Port Address Translation, also called NAT Overload).
What is Static NAT?
Maps one private IP address to one public IP address. Used when a device needs to be consistently reachable from the internet.
What is Dynamic NAT?
Maps a private IP to any available public IP from a pool. The mapping changes over time.
Does NAT provide security?
Yes, to some extent. It hides internal IP addresses from external networks, reducing direct attack surfaces.
Is NAT used in IPv6?
Generally no. IPv6 has a vast address space, eliminating the need for NAT.
Where is NAT configured?
NAT is typically configured on routers or firewalls at the network edge.
Version Info
Version & RFC Details

| NAT Type | RFC Version | Year | Core Idea / Contribution |
|---|---|---|---|
| Basic NAT | RFC 2663 | 1999 | Introduced NAT terminology and basic concepts; defined Basic NAT and NAPT (Port Translation). |
| Basic NAT | RFC 3022 | 2001 | Detailed Traditional NAT operation; clarified address translation and port multiplexing. |
| NAPT (PAT) | RFC 2663 | 1999 | Introduced NAT terminology and basic concepts; defined Basic NAT and NAPT (Port Translation). |
| NAPT (PAT) | RFC 3022 | 2001 | Detailed Traditional NAT operation; clarified address translation and port multiplexing. |
| NAT Behavioral Requirements (UDP) | RFC 4787 | 2007 | Standardized NAT behavior for UDP to improve application compatibility. |
| NAT Behavioral Requirements (TCP) | RFC 5382 | 2008 | Defined NAT behavior for TCP, including connection tracking and port preservation. |
| NAT Behavioral Requirements (ICMP) | RFC 5508 | 2009 | Extended NAT behavior guidelines to ICMP traffic. |
| NAT64 | RFC 6146 | 2011 | Enables IPv6-only clients to communicate with IPv4 servers. |
| Carrier-Grade NAT (CGN) | RFC 6888 | 2013 | Requirements for large-scale NATs used by ISPs to conserve IPv4 addresses. |
| NAT Behavioral Updates | RFC 7857 | 2016 | Unified and updated NAT behavioral requirements across protocols. |
NAT - Use Cases

| S.no | Use Case | Description |
|---|---|---|
| 1 | IP Address Conservation | Allows multiple devices on a private network to share a single public IP address. |
| 2 | Private Network Isolation | Hides internal IP addresses from external networks, adding a layer of security. |
| 3 | Home and Small Office Networking | Enables internet access for all devices in a home or small office using one public IP. |
| 4 | Enterprise Network Management | Simplifies IP address management by using private IPs internally and NAT at the gateway. |
| 5 | Carrier-Grade NAT (CGN) | Allows ISPs to serve many customers with limited public IPv4 addresses. |
| 6 | IPv6 Transition (NAT64) | Enables IPv6-only clients to communicate with IPv4 servers during the transition to IPv6. |
| 7 | Load Balancing | Distributes incoming traffic to multiple internal servers using NAT with port forwarding. |
| 8 | VPN and Remote Access | Supports secure remote access by translating between internal and external IPs. |
NAT - Basic Features

| S.no | Features | Description |
|---|---|---|
| 1 | IP Address Translation | Translates private IP addresses to public IP addresses and vice versa. |
| 2 | Port Address Translation (PAT) | Allows multiple devices to share a single public IP using different port numbers. |
| 3 | Conserves IPv4 Addresses | Reduces the need for public IPv4 addresses by enabling address reuse. |
| 4 | Enhances Network Security | Hides internal network structure from external networks, adding a layer of security. |
| 5 | Supports Multiple NAT Types | Includes Static NAT, Dynamic NAT, PAT, NAT64, and Carrier-Grade NAT. |
| 6 | Protocol-Aware Behavior | Can be configured to handle TCP, UDP, and ICMP traffic differently. |
| 7 | Enables Internet Access for Private Networks | Allows devices with private IPs to access the internet. |
IP Address Translation - Testcases
| # | Test Case | Description | Expected Result |
|---|---|---|---|
| 1 | Static NAT Mapping | Map one private IP to one public IP | Traffic is translated correctly |
| 2 | Dynamic NAT Pool | Use a pool of public IPs for translation | Private IPs are mapped dynamically |
| 3 | PAT Configuration | Map multiple private IPs to one public IP using ports | All sessions are uniquely translated |
| 4 | NAT Overload | Exceed available public IPs in dynamic NAT | New sessions are dropped |
| 5 | NAT Entry Timeout | Wait for NAT session timeout | Entry is removed from NAT table |
| 6 | NAT Table Verification | Check NAT table after traffic | Correct mappings are listed |
| 7 | NAT with TCP | Translate TCP traffic | TCP sessions are translated correctly |
| 8 | NAT with UDP | Translate UDP traffic | UDP sessions are translated correctly |
| 9 | NAT with ICMP | Translate ICMP traffic | ICMP identifiers are translated |
| 10 | NAT with FTP | Translate active FTP session | Control and data channels are translated |
| 11 | NAT with Passive FTP | Translate passive FTP session | Translation works for both channels |
| 12 | NAT with SIP | Translate SIP traffic | SIP headers are translated |
| 13 | NAT with DNS | Translate DNS queries | DNS traffic is translated correctly |
| 14 | NAT with HTTP | Translate HTTP traffic | HTTP sessions are translated |
| 15 | NAT with HTTPS | Translate HTTPS traffic | Encrypted traffic is translated |
| 16 | NAT with VPN | Translate VPN traffic | VPN tunnels are established |
| 17 | NAT with IPsec | Translate IPsec traffic | NAT-T is used if required |
| 18 | NAT with GRE | Translate GRE traffic | GRE sessions are translated |
| 19 | NAT with Multicast | Send multicast traffic | Multicast is not translated |
| 20 | NAT with Broadcast | Send broadcast traffic | Broadcast is not translated |
| 21 | NAT with Fragmented Packets | Send fragmented IP packets | All fragments are translated |
| 22 | NAT with Large Packets | Send jumbo frames | Frames are translated correctly |
| 23 | NAT with Port Range | Use port range in PAT | Ports are allocated from range |
| 24 | NAT with Port Exhaustion | Exhaust available ports | New sessions are dropped |
| 25 | NAT with Static Port Mapping | Map specific port to internal host | Port is translated as configured |
| 26 | NAT with Overlapping Subnets | Use overlapping private IPs | NAT resolves conflict |
| 27 | NAT with Dual Stack | Translate IPv4 in dual-stack network | IPv4 traffic is translated |
| 28 | NAT with IPv6 | Attempt to translate IPv6 | NAT not applied (NAT66 not supported) |
| 29 | NAT with Hairpinning | Internal host accesses another via public IP | Traffic is looped back correctly |
| 30 | NAT with Loopback | Access own public IP from inside | Traffic is translated and routed |
| 31 | NAT with ACL | Apply ACL to NAT traffic | Only permitted traffic is translated |
| 32 | NAT with QoS | Apply QoS to NAT traffic | QoS markings are preserved |
| 33 | NAT with Logging | Enable NAT logging | Translations are logged |
| 34 | NAT with SNMP | Monitor NAT stats via SNMP | NAT counters are visible |
| 35 | NAT with Failover | Failover to backup NAT device | Sessions are re-established |
| 36 | NAT with Load Balancing | Distribute traffic across NAT pool | Load is balanced |
| 37 | NAT with Redundant Links | Use redundant WAN links | NAT works across links |
| 38 | NAT with VRF | Use NAT in VRF context | NAT operates per VRF |
| 39 | NAT with Static Route | Use static route for NAT traffic | Traffic is routed and translated |
| 40 | NAT with Dynamic Routing | Use OSPF/BGP for NAT traffic | Routing and NAT coexist |
| 41 | NAT with DNS Rewrite | Rewrite DNS responses | Internal IPs are hidden |
| 42 | NAT with Application Layer Gateway | Use ALG for SIP/FTP | Application headers are translated |
| 43 | NAT with NAT64 | Translate IPv6 to IPv4 | IPv6 clients access IPv4 servers |
| 44 | NAT with NAT46 | Translate IPv4 to IPv6 | IPv4 clients access IPv6 servers |
| 45 | NAT with Static NAT and PAT | Combine static NAT and PAT | Both mappings work correctly |
| 46 | NAT with Interface Overload | Use interface IP for PAT | All sessions use interface IP |
| 47 | NAT with Multiple Interfaces | Use NAT on multiple interfaces | NAT works per interface |
| 48 | NAT with Asymmetric Routing | Use different paths for in/out | NAT handles return traffic |
| 49 | NAT with Connection Tracking | Track NAT sessions | Sessions are correctly tracked |
| 50 | NAT with High Availability | Use NAT in HA setup | Sessions persist across failover |
Port Address Translation (PAT) - Testcases
| # | Test Case | Description | Expected Result |
|---|---|---|---|
| 1 | Basic PAT Functionality | Translate multiple private IPs to one public IP using ports | All sessions are uniquely translated |
| 2 | PAT with TCP Traffic | Send TCP traffic from multiple hosts | Each session uses a unique port |
| 3 | PAT with UDP Traffic | Send UDP traffic from multiple hosts | Each session uses a unique port |
| 4 | PAT with ICMP Traffic | Send ICMP traffic | PAT assigns unique identifiers |
| 5 | PAT Port Range Allocation | Configure specific port range | PAT uses ports within the range |
| 6 | PAT Port Exhaustion | Exhaust available ports | New sessions are dropped |
| 7 | PAT with Static NAT | Combine PAT with static NAT | Both mappings work correctly |
| 8 | PAT with Dynamic NAT | Combine PAT with dynamic NAT | PAT handles overflow sessions |
| 9 | PAT with DNS | Translate DNS queries | PAT assigns unique ports |
| 10 | PAT with HTTP | Translate HTTP sessions | Each session is uniquely translated |
| 11 | PAT with HTTPS | Translate HTTPS sessions | Secure sessions are translated |
| 12 | PAT with FTP | Translate FTP sessions | Control and data ports are handled |
| 13 | PAT with SIP | Translate SIP sessions | SIP headers are translated |
| 14 | PAT with GRE | Send GRE traffic | PAT does not apply (no ports) |
| 15 | PAT with VPN | Translate VPN traffic | VPN tunnels are established |
| 16 | PAT with IPsec | Translate IPsec traffic | NAT-T is used if required |
| 17 | PAT with Fragmented Packets | Send fragmented packets | All fragments are translated |
| 18 | PAT with Large Packets | Send jumbo frames | Frames are translated correctly |
| 19 | PAT with Port Reuse | Reuse port after timeout | Port is reassigned safely |
| 20 | PAT with Port Timeout | Wait for session timeout | Port is released |
| 21 | PAT Table Verification | Check PAT table | Correct mappings are listed |
| 22 | PAT with Logging Enabled | Enable logging | PAT translations are logged |
| 23 | PAT with Logging Disabled | Disable logging | No logs generated |
| 24 | PAT with SNMP Monitoring | Monitor via SNMP | PAT stats are visible |
| 25 | PAT with CLI Monitoring | Use CLI to check PAT status | PAT entries are shown |
| 26 | PAT with ACL | Apply ACL to PAT traffic | Only permitted traffic is translated |
| 27 | PAT with QoS | Apply QoS policy | QoS markings are preserved |
| 28 | PAT with Load Balancing | Use PAT with multiple public IPs | Load is distributed |
| 29 | PAT with Redundant Links | Use PAT across redundant links | PAT works on both links |
| 30 | PAT with Interface Overload | Use interface IP for PAT | All sessions use interface IP |
| 31 | PAT with Multiple Interfaces | Use PAT on multiple interfaces | PAT works per interface |
| 32 | PAT with Hairpinning | Internal host accesses another via public IP | Traffic is looped back correctly |
| 33 | PAT with Loopback | Access own public IP from inside | Traffic is translated and routed |
| 34 | PAT with NAT Pool | Use PAT with NAT pool | PAT selects available IP and port |
| 35 | PAT with Overlapping Subnets | Use overlapping private IPs | PAT resolves conflict |
| 36 | PAT with Dual Stack | Use PAT in dual-stack network | IPv4 traffic is translated |
| 37 | PAT with IPv6 | Attempt to use PAT with IPv6 | Not supported (NAT66 not standard) |
| 38 | PAT with Static Port Mapping | Map specific port to internal host | Port is translated as configured |
| 39 | PAT with Port Forwarding | Forward specific port to internal host | Traffic is routed correctly |
| 40 | PAT with Application Layer Gateway | Use ALG for SIP/FTP | Application headers are translated |
| 41 | PAT with DNS Rewrite | Rewrite DNS responses | Internal IPs are hidden |
| 42 | PAT with High Load | Simulate high traffic volume | PAT handles sessions efficiently |
| 43 | PAT with Failover | Failover to backup PAT device | Sessions are re-established |
| 44 | PAT with NAT64 | Translate IPv6 to IPv4 | PAT applies to IPv4 side |
| 45 | PAT with NAT46 | Translate IPv4 to IPv6 | PAT applies to IPv4 side |
| 46 | PAT with Connection Tracking | Track PAT sessions | Sessions are correctly tracked |
| 47 | PAT with Asymmetric Routing | Use different paths for in/out | PAT handles return traffic |
| 48 | PAT with VRF | Use PAT in VRF context | PAT operates per VRF |
| 49 | PAT with Static Route | Use static route for PAT traffic | Traffic is routed and translated |
| 50 | PAT with Dynamic Routing | Use OSPF/BGP for PAT traffic | Routing and PAT coexist |
Conserves IPv4 Addresses - Testcases
| # | Test Case | Description | Expected Result |
|---|---|---|---|
| 1 | Single Public IP for Multiple Hosts | Use one public IP for many private hosts | All hosts access internet via same public IP |
| 2 | PAT with 100 Clients | 100 clients share one public IP | All sessions are translated using unique ports |
| 3 | Dynamic NAT Pool with Limited IPs | Use a pool of 2 public IPs for 50 clients | Clients are mapped dynamically |
| 4 | Static NAT for Critical Hosts | Assign static NAT to servers | Only critical hosts consume public IPs |
| 5 | PAT with Port Reuse | Reuse ports after timeout | Public IP is reused efficiently |
| 6 | NAT with DHCP | Assign private IPs via DHCP | Public IPs are conserved |
| 7 | NAT with Private Subnet | Use 10.0.0.0/8 for internal network | No public IPs used internally |
| 8 | NAT with Overlapping Subnets | Handle overlapping private IPs | NAT resolves conflicts without extra public IPs |
| 9 | NAT with VPN Clients | VPN clients use private IPs | Only VPN gateway uses public IP |
| 10 | NAT with Guest Network | Guest users share public IP via PAT | Public IP usage is minimized |
| 11 | NAT with IoT Devices | IoT devices use private IPs | No public IPs assigned to devices |
| 12 | NAT with Mobile Devices | Mobile clients use PAT | Public IPs are conserved |
| 13 | NAT with Static IP Reservation | Reserve static private IPs | Public IPs are not wasted |
| 14 | NAT with Port Forwarding | Forward specific ports to internal hosts | No need for multiple public IPs |
| 15 | NAT with Load Balancer | Load balancer uses one public IP | Backend servers use private IPs |
| 16 | NAT with DMZ | DMZ hosts use static NAT | Only exposed services use public IPs |
| 17 | NAT with ACL | Restrict NAT access via ACL | Reduces unnecessary public IP usage |
| 18 | NAT with QoS | Prioritize traffic without more IPs | Efficient use of limited public IPs |
| 19 | NAT with DNS Rewrite | Rewrite DNS to internal IPs | Avoids exposing public IPs |
| 20 | NAT with Hairpinning | Internal access via public IP | No extra public IPs needed |
| 21 | NAT with Redundant Links | Use same public IP across links | IPs are reused efficiently |
| 22 | NAT with Failover | Failover device uses same IP | No additional IPs required |
| 23 | NAT with VRF | Use NAT per VRF | Public IPs are shared across VRFs |
| 24 | NAT with IPv6 Transition | Use NAT64 for IPv6 clients | Conserves IPv4 addresses |
| 25 | NAT with NAT46 | IPv4 clients access IPv6 servers | No extra IPv4 addresses needed |
| 26 | NAT with DNS Proxy | Proxy DNS queries internally | Reduces public IP exposure |
| 27 | NAT with Application Gateway | Gateway uses one IP for many apps | Public IPs are conserved |
| 28 | NAT with Cloud Services | Cloud VMs use private IPs | NAT gateway uses one public IP |
| 29 | NAT with Container Networks | Containers use private IPs | Host NATs traffic using one IP |
| 30 | NAT with Kubernetes | Pods use private IPs | Node IP is used for external access |
| 31 | NAT with Static Routing | Route private IPs via NAT | No need for public IPs |
| 32 | NAT with Dynamic Routing | Use OSPF/BGP internally | Public IPs not exposed |
| 33 | NAT with SNMP Monitoring | Monitor NAT usage | Confirms IP conservation |
| 34 | NAT with Logging | Log NAT translations | Shows efficient IP usage |
| 35 | NAT with Port Exhaustion | Simulate port exhaustion | Confirms limits of IP reuse |
| 36 | NAT with High Load | Simulate 1000 clients | Public IPs are reused efficiently |
| 37 | NAT with Low Bandwidth | Low usage clients share IP | No need for dedicated IPs |
| 38 | NAT with Static Mapping Limits | Limit static NAT entries | Forces use of PAT |
| 39 | NAT with ACL Logging | Log denied NAT attempts | Helps optimize IP usage |
| 40 | NAT with DNS Load Balancing | Use DNS to distribute traffic | One IP serves multiple services |
| 41 | NAT with IPv4 Exhaustion | Simulate no public IPs left | PAT still allows access |
| 42 | NAT with ISP NAT | Use carrier-grade NAT | ISP conserves public IPs |
| 43 | NAT with Home Router | Home devices use private IPs | One public IP for entire home |
| 44 | NAT with Enterprise Gateway | Enterprise users share IPs | Public IPs are conserved |
| 45 | NAT with Cloud NAT Gateway | Cloud NAT handles all egress | One IP per region or zone |
| 46 | NAT with Static IP Leak Prevention | Prevent static IP misuse | Ensures IPs are not wasted |
| 47 | NAT with Port Mapping Limits | Limit port mappings per host | Prevents IP exhaustion |
| 48 | NAT with Session Tracking | Track active sessions | Confirms efficient IP reuse |
| 49 | NAT with Idle Timeout | Remove idle sessions | Frees up ports and IPs |
| 50 | NAT with Connection Limits | Limit connections per IP | Prevents overuse of public IPs |
Enhances Network Security - Testcases
| # | Test Case | Description | Expected Result |
|---|---|---|---|
| 1 | Hide Internal IPs | Verify internal IPs are not visible externally | External hosts see only public IP |
| 2 | Block Inbound Unsolicited Traffic | Send unsolicited traffic to NAT IP | Traffic is dropped |
| 3 | Allow Established Sessions | Allow return traffic for established sessions | Return traffic is allowed |
| 4 | Prevent Direct Access to Internal Hosts | Try accessing internal IP from outside | Access is denied |
| 5 | NAT with Port Forwarding | Allow specific inbound ports | Only allowed ports are accessible |
| 6 | NAT with ACL | Apply ACL to restrict NAT traffic | Only permitted traffic is allowed |
| 7 | NAT with Logging | Enable logging of NAT translations | Logs show source/destination mappings |
| 8 | NAT with DoS Protection | Simulate DoS attack | NAT drops excessive connections |
| 9 | NAT with IP Spoofing | Send spoofed IP packets | NAT drops invalid packets |
| 10 | NAT with SYN Flood | Simulate SYN flood | NAT limits half-open connections |
| 11 | NAT with Session Timeout | Idle sessions are removed | Reduces attack surface |
| 12 | NAT with Port Randomization | Use random source ports | Makes tracking harder for attackers |
| 13 | NAT with Static Mapping | Limit static NAT to known hosts | Reduces exposure |
| 14 | NAT with PAT | Share one IP among many users | Minimizes public IP exposure |
| 15 | NAT with VPN | Securely tunnel traffic through NAT | Traffic is encrypted |
| 16 | NAT with IPsec | Use NAT-T for IPsec | Secure tunnels are maintained |
| 17 | NAT with DNS Rewrite | Rewrite DNS responses | Prevents IP leakage |
| 18 | NAT with Application Gateway | Inspect and secure application traffic | Prevents protocol abuse |
| 19 | NAT with IDS/IPS | Integrate with intrusion detection | Malicious traffic is blocked |
| 20 | NAT with Firewall | Combine NAT with firewall | Enhances perimeter security |
| 21 | NAT with DMZ | Isolate public-facing services | Internal network is protected |
| 22 | NAT with VLAN Segmentation | Segment internal network | Limits lateral movement |
| 23 | NAT with Logging Alerts | Generate alerts on suspicious activity | Admins are notified |
| 24 | NAT with SNMP Monitoring | Monitor NAT activity | Detect anomalies in real time |
| 25 | NAT with Rate Limiting | Limit connections per IP | Prevents abuse |
| 26 | NAT with Port Filtering | Block unused ports | Reduces attack surface |
| 27 | NAT with Geo-IP Filtering | Block traffic from specific regions | Enhances security posture |
| 28 | NAT with MAC Binding | Bind NAT to MAC addresses | Prevents spoofing |
| 29 | NAT with Static ARP | Use static ARP entries | Prevents ARP spoofing |
| 30 | NAT with DHCP Snooping | Validate DHCP messages | Prevents rogue DHCP servers |
| 31 | NAT with IP Blacklisting | Block known malicious IPs | Enhances threat prevention |
| 32 | NAT with Connection Limits | Limit concurrent sessions | Prevents resource exhaustion |
| 33 | NAT with Session Tracking | Track active sessions | Detect unusual patterns |
| 34 | NAT with High Availability | Failover without exposing internal IPs | Maintains security during failover |
| 35 | NAT with Redundant Links | Secure traffic across multiple links | No exposure of internal IPs |
| 36 | NAT with DNS Proxy | Proxy DNS queries | Prevents DNS-based attacks |
| 37 | NAT with DNSSEC | Secure DNS responses | Prevents spoofing |
| 38 | NAT with IPv6 Disabled | Disable IPv6 if not used | Prevents bypassing NAT |
| 39 | NAT with IPv6 Tunneling | Secure IPv6 over IPv4 NAT | Maintains encryption |
| 40 | NAT with Logging Retention | Retain logs for audit | Supports forensic analysis |
| 41 | NAT with Time-Based Rules | Allow NAT only during business hours | Reduces risk during off-hours |
| 42 | NAT with User Authentication | Authenticate users before NAT | Prevents unauthorized access |
| 43 | NAT with Device Fingerprinting | Identify devices behind NAT | Detect rogue devices |
| 44 | NAT with Anomaly Detection | Detect unusual NAT behavior | Alerts on suspicious activity |
| 45 | NAT with Cloud Integration | Secure cloud-bound traffic | Prevents data leakage |
| 46 | NAT with Container Isolation | Isolate containers using NAT | Prevents cross-container attacks |
| 47 | NAT with Zero Trust Architecture | Enforce least privilege | NAT supports micro-segmentation |
| 48 | NAT with Endpoint Protection | Combine with endpoint security | Enhances overall defense |
| 49 | NAT with Threat Intelligence | Block traffic from known threats | Uses real-time threat feeds |
| 50 | NAT with Compliance Logging | Log for compliance (e.g., GDPR) | Ensures auditability and traceability |
Supports Multiple NAT Types - Testcases
| # | Test Case | Description | Expected Result |
|---|---|---|---|
| 1 | Static NAT Mapping | Map one private IP to one public IP | Traffic is translated 1:1 |
| 2 | Dynamic NAT Pool | Use a pool of public IPs for translation | Private IPs are mapped dynamically |
| 3 | PAT with Single Public IP | Map multiple private IPs to one public IP using ports | All sessions are uniquely translated |
| 4 | PAT with Port Range | Use specific port range for PAT | Ports are allocated from the range |
| 5 | NAT64 Translation | Translate IPv6 to IPv4 | IPv6 clients access IPv4 servers |
| 6 | NAT46 Translation | Translate IPv4 to IPv6 | IPv4 clients access IPv6 servers |
| 7 | Static NAT with Port Forwarding | Forward specific port to internal host | Port is translated as configured |
| 8 | Dynamic NAT with ACL | Apply ACL to dynamic NAT | Only permitted traffic is translated |
| 9 | PAT with TCP | Translate TCP traffic using PAT | Each session uses a unique port |
| 10 | PAT with UDP | Translate UDP traffic using PAT | Each session uses a unique port |
| 11 | PAT with ICMP | Translate ICMP traffic using PAT | ICMP identifiers are translated |
| 12 | Static NAT with DNS | Use static NAT with DNS | DNS resolves to public IP |
| 13 | NAT64 with DNS64 | Use DNS64 with NAT64 | IPv6 clients resolve IPv4 addresses |
| 14 | NAT with FTP | Translate FTP control and data channels | Both channels are translated |
| 15 | NAT with SIP | Translate SIP headers and media ports | SIP sessions are translated |
| 16 | NAT with GRE | Translate GRE traffic | GRE sessions are translated |
| 17 | NAT with IPsec | Use NAT-T for IPsec | IPsec tunnels are established |
| 18 | NAT with VPN | Translate VPN traffic | VPN tunnels are maintained |
| 19 | NAT with Hairpinning | Internal host accesses another via public IP | Traffic is looped back correctly |
| 20 | NAT with Loopback | Access own public IP from inside | Traffic is translated and routed |
| 21 | NAT with Overlapping Subnets | Handle overlapping private IPs | NAT resolves conflicts |
| 22 | NAT with Dual Stack | Use NAT in dual-stack network | IPv4 traffic is translated |
| 23 | NAT with IPv6 Only | Attempt NAT on IPv6-only traffic | NAT not applied (unless NAT64) |
| 24 | NAT with Static Mapping Limits | Limit static NAT entries | Forces use of dynamic NAT or PAT |
| 25 | NAT with Port Exhaustion | Exhaust available ports in PAT | New sessions are dropped |
| 26 | NAT with NAT Pool Exhaustion | Exhaust public IP pool in dynamic NAT | New sessions are dropped |
| 27 | NAT with Interface Overload | Use interface IP for PAT | All sessions use interface IP |
| 28 | NAT with Multiple Interfaces | Use NAT on multiple interfaces | NAT works per interface |
| 29 | NAT with Redundant Links | Use NAT across redundant links | NAT works on both links |
| 30 | NAT with Failover | Failover to backup NAT device | Sessions are re-established |
| 31 | NAT with Load Balancing | Distribute traffic across NAT pool | Load is balanced |
| 32 | NAT with VRF | Use NAT in VRF context | NAT operates per VRF |
| 33 | NAT with Static Route | Use static route for NAT traffic | Traffic is routed and translated |
| 34 | NAT with Dynamic Routing | Use OSPF/BGP for NAT traffic | Routing and NAT coexist |
| 35 | NAT with ACL Logging | Log NAT traffic based on ACL | Logs show permitted/denied translations |
| 36 | NAT with SNMP Monitoring | Monitor NAT stats via SNMP | NAT counters are visible |
| 37 | NAT with CLI Monitoring | Use CLI to check NAT status | NAT entries are shown |
| 38 | NAT with Logging Enabled | Enable NAT logging | Translations are logged |
| 39 | NAT with Logging Disabled | Disable logging | No logs generated |
| 40 | NAT with DNS Rewrite | Rewrite DNS responses | Internal IPs are hidden |
| 41 | NAT with Application Gateway | Use ALG for SIP/FTP | Application headers are translated |
| 42 | NAT with High Load | Simulate high traffic volume | NAT handles sessions efficiently |
| 43 | NAT with Low Bandwidth | Low usage clients share IP | No need for dedicated IPs |
| 44 | NAT with Static IP Reservation | Reserve static private IPs | Public IPs are not wasted |
| 45 | NAT with Port Mapping Limits | Limit port mappings per host | Prevents IP exhaustion |
| 46 | NAT with Connection Tracking | Track NAT sessions | Sessions are correctly tracked |
| 47 | NAT with Session Timeout | Idle sessions are removed | Frees up ports and IPs |
| 48 | NAT with Connection Limits | Limit connections per IP | Prevents overuse of public IPs |
| 49 | NAT with DNSSEC | Secure DNS responses | Prevents spoofing in NAT64 |
| 50 | NAT with Compliance Logging | Log for compliance (e.g., GDPR) | Ensures auditability and traceability |
Protocol-Aware Behavior - Testcases
| # | Test Case | Description | Expected Result |
|---|---|---|---|
| 1 | FTP Active Mode | Translate FTP control and data channels | Both channels are translated correctly |
| 2 | FTP Passive Mode | Translate passive FTP session | NAT handles dynamic port negotiation |
| 3 | SIP with NAT | Translate SIP signaling and media | SIP headers and RTP ports are translated |
| 4 | H.323 with NAT | Translate H.323 protocol | NAT handles embedded IPs and ports |
| 5 | PPTP with NAT | Translate PPTP control and GRE data | NAT supports GRE and control channel |
| 6 | IPsec with NAT-T | Translate IPsec traffic | NAT-T encapsulation is used |
| 7 | DNS with NAT | Translate DNS queries and responses | NAT handles DNS traffic normally |
| 8 | TFTP with NAT | Translate TFTP sessions | NAT handles dynamic UDP ports |
| 9 | RTSP with NAT | Translate RTSP control and media | NAT handles embedded IPs in RTSP |
| 10 | SNMP with NAT | Translate SNMP traffic | NAT handles UDP ports correctly |
| 11 | LDAP with NAT | Translate LDAP queries | NAT handles TCP/UDP ports |
| 12 | SMTP with NAT | Translate SMTP traffic | NAT handles TCP port 25 correctly |
| 13 | POP3 with NAT | Translate POP3 traffic | NAT handles TCP port 110 |
| 14 | IMAP with NAT | Translate IMAP traffic | NAT handles TCP port 143 |
| 15 | HTTP with NAT | Translate HTTP traffic | NAT handles TCP port 80 |
| 16 | HTTPS with NAT | Translate HTTPS traffic | NAT handles TCP port 443 |
| 17 | SSH with NAT | Translate SSH sessions | NAT handles TCP port 22 |
| 18 | Telnet with NAT | Translate Telnet sessions | NAT handles TCP port 23 |
| 19 | RDP with NAT | Translate RDP sessions | NAT handles TCP port 3389 |
| 20 | SMB with NAT | Translate SMB traffic | NAT handles TCP ports 445/139 |
| 21 | NFS with NAT | Translate NFS traffic | NAT handles dynamic ports via portmapper |
| 22 | DHCP with NAT | Handle DHCP relay | NAT does not interfere with DHCP |
| 23 | ICMP with NAT | Translate ICMP echo requests/replies | NAT tracks ICMP identifiers |
| 24 | GRE with NAT | Translate GRE tunnels | NAT handles GRE protocol (47) |
| 25 | L2TP with NAT | Translate L2TP sessions | NAT handles UDP port 1701 |
| 26 | ALG for FTP | Enable FTP ALG | FTP sessions are translated correctly |
| 27 | ALG for SIP | Enable SIP ALG | SIP headers and ports are rewritten |
| 28 | ALG for H.323 | Enable H.323 ALG | H.323 sessions are translated |
| 29 | ALG for RTSP | Enable RTSP ALG | RTSP control and media are handled |
| 30 | ALG Disabled | Disable ALG for FTP | FTP fails due to incorrect port translation |
| 31 | NAT with Embedded IPs | Translate protocols with embedded IPs | NAT rewrites payload IPs |
| 32 | NAT with Encrypted Protocols | Translate HTTPS traffic | NAT does not inspect encrypted payloads |
| 33 | NAT with Custom Protocol | Use custom protocol with embedded IP | NAT does not translate payload |
| 34 | NAT with DNSSEC | Translate DNSSEC traffic | NAT handles UDP/TCP 53 without inspection |
| 35 | NAT with SIP over TLS | Translate SIP over TLS | NAT cannot inspect encrypted SIP |
| 36 | NAT with RTP | Translate RTP media streams | NAT rewrites IP/port in SDP |
| 37 | NAT with RTCP | Translate RTCP control packets | NAT handles RTP/RTCP pair correctly |
| 38 | NAT with WebRTC | Translate WebRTC traffic | NAT handles STUN/TURN/ICE negotiation |
| 39 | NAT with STUN | Translate STUN messages | NAT allows STUN discovery |
| 40 | NAT with TURN | Translate TURN relay traffic | NAT allows relay via TURN server |
| 41 | NAT with ICE | Handle ICE negotiation | NAT supports candidate exchange |
| 42 | NAT with SIP Reinvite | Handle SIP reinvite with new media IP | NAT updates translation |
| 43 | NAT with SIP Registration | Handle SIP REGISTER messages | NAT rewrites contact IP |
| 44 | NAT with FTP File Transfer | Transfer file via FTP | NAT handles data channel correctly |
| 45 | NAT with TFTP File Transfer | Transfer file via TFTP | NAT handles dynamic UDP ports |
| 46 | NAT with SNMP Traps | Receive SNMP traps | NAT allows inbound UDP 162 |
| 47 | NAT with Syslog | Send syslog messages | NAT handles UDP 514 |
| 48 | NAT with NTP | Send NTP requests | NAT handles UDP 123 |
| 49 | NAT with BGP | Translate BGP sessions | NAT handles TCP 179 |
| 50 | NAT with Custom ALG | Implement custom ALG for proprietary protocol | NAT rewrites embedded IPs and ports |
Enables Internet Access for Private Networks - Testcases
Enables Internet Access for Private Networks - Test Cases

| # | Test Case | Description | Expected Result |
|---|---|---|---|
| 1 | Basic Internet Access | Private host accesses public website | NAT translates IP and allows access |
| 2 | Multiple Hosts Access Internet | Multiple private hosts browse internet | NAT handles all translations |
| 3 | PAT with Single Public IP | Multiple hosts share one public IP | All sessions are uniquely translated |
| 4 | Dynamic NAT Pool | Use pool of public IPs for internet access | Hosts are dynamically assigned IPs |
| 5 | Static NAT for Server | Internal server accesses internet | Static mapping allows access |
| 6 | DNS Resolution | Private host resolves domain name | DNS query and response are translated |
| 7 | HTTP Access | Access HTTP website from private host | NAT translates TCP port 80 traffic |
| 8 | HTTPS Access | Access HTTPS website from private host | NAT translates TCP port 443 traffic |
| 9 | FTP Access | Access FTP server from private host | NAT handles control and data channels |
| 10 | Email Access | Send/receive email via SMTP/IMAP | NAT translates email protocol ports |
| 11 | Streaming Access | Stream video from public service | NAT handles continuous media flow |
| 12 | Gaming Access | Connect to online game server | NAT translates game-specific ports |
| 13 | VPN Access | Establish VPN tunnel from private host | NAT-T encapsulation used if needed |
| 14 | IPsec Tunnel | Create IPsec tunnel from private host | NAT-T allows tunnel establishment |
| 15 | NAT with DHCP | Assign private IP via DHCP | NAT translates traffic for DHCP clients |
| 16 | NAT with Static IP | Use static private IP | NAT translates traffic normally |
| 17 | NAT with IPv4 | Access internet using IPv4 | NAT translates IPv4 traffic |
| 18 | NAT with IPv6 | Access IPv6 internet via NAT64 | IPv6 translated to IPv4 |
| 19 | NAT with DNS Proxy | Use DNS proxy for resolution | NAT handles DNS traffic |
| 20 | NAT with Web Proxy | Use web proxy for browsing | NAT translates proxy traffic |
| 21 | NAT with ACL | Restrict internet access via ACL | Only allowed traffic is translated |
| 22 | NAT with QoS | Apply QoS to internet-bound traffic | QoS markings are preserved |
| 23 | NAT with Logging | Log internet access via NAT | Logs show translated sessions |
| 24 | NAT with SNMP Monitoring | Monitor NAT usage via SNMP | Internet access stats are visible |
| 25 | NAT with CLI Monitoring | Use CLI to check NAT status | Internet-bound sessions are listed |
| 26 | NAT with Port Forwarding | Allow inbound traffic to internal host | Specific ports are forwarded |
| 27 | NAT with Hairpinning | Internal host accesses public IP of peer | Traffic is looped back correctly |
| 28 | NAT with Loopback | Access own public IP from inside | Traffic is translated and routed |
| 29 | NAT with Redundant Links | Use multiple WAN links | Internet access works across links |
| 30 | NAT with Failover | Failover to backup NAT device | Internet access resumes automatically |
| 31 | NAT with Load Balancing | Distribute internet traffic | Load is balanced across public IPs |
| 32 | NAT with VRF | Internet access per VRF | NAT operates per routing instance |
| 33 | NAT with Static Route | Route internet traffic via NAT | Traffic is routed and translated |
| 34 | NAT with Dynamic Routing | Use OSPF/BGP for internet traffic | Routing and NAT coexist |
| 35 | NAT with DNSSEC | Access DNSSEC-enabled domains | NAT handles secure DNS traffic |
| 36 | NAT with WebRTC | Use WebRTC for video calls | NAT handles STUN/TURN/ICE protocols |
| 37 | NAT with STUN | Discover public IP via STUN | NAT allows STUN messages |
| 38 | NAT with TURN | Relay media via TURN server | NAT allows relay traffic |
| 39 | NAT with ICE | Negotiate media path via ICE | NAT supports candidate exchange |
| 40 | NAT with Cloud Services | Access cloud APIs from private host | NAT translates traffic to cloud endpoints |
| 41 | NAT with Container Networks | Containers access internet | Host NATs container traffic |
| 42 | NAT with Kubernetes | Pods access internet via node IP | NAT translates pod traffic |
| 43 | NAT with IoT Devices | IoT devices access cloud services | NAT translates traffic securely |
| 44 | NAT with Mobile Devices | Mobile clients access internet | NAT handles dynamic sessions |
| 45 | NAT with Guest Network | Guest users browse internet | NAT isolates and translates traffic |
| 46 | NAT with Endpoint Protection | Secure internet access | NAT works with endpoint security tools |
| 47 | NAT with Threat Intelligence | Block malicious destinations | NAT enforces security policies |
| 48 | NAT with Compliance Logging | Log internet access for audit | Logs meet compliance standards |
| 49 | NAT with Time-Based Rules | Allow internet access during specific hours | NAT enforces schedule |
| 50 | NAT with User Authentication | Authenticate users before access | NAT translates traffic post-authentication |
Reference links