Why multiple NATs would cause connectivity issues for a network application

Posted on 2011-10-21 11:17
This post was written or reposted by 夜游神 and does not represent the position or views of this site; copyright belongs to oursteps.com.au and the author 夜游神. Reposts must credit the author and source, include this notice, and keep the content intact.
I was troubleshooting one extremely tricky network issue around the DMZ area.
Inside that DMZ, if an application needs to get out heading to the Internet, it will be NATed at the DMZ internal firewall (from inside heading into the DMZ).
Then the outbound traffic will be NATed again at the DMZ external firewall (from the DMZ heading into the Internet cloud).

While the client initiated the session request, I was able to capture the real-time interesting traffic on both the internal and external firewall.
However, the application client was still getting a timeout error or a destination unreachable error.

The final workaround to fix the issue was to disable the NAT on the DMZ internal firewall and only run NAT on the external firewall, so it is NATed only once.

So here is my question: why would multiple NATs sometimes cause connectivity issues for some TCP-based network applications?

Rating: rrkyd, +2 points: "Was the problem solved? I'd also like to see it and pick up some experience."


Posted by woody on 2011-10-21 13:08
Double NATs are also common within the same network, especially when certain companies have plenty of money and get taken in by IT companies; there are a lot of swindlers out there.

For ordinary data, multiple NATs, especially multiple static NATs, should pose no technical problem (including environments with different vendors plus VPN); the problem is most likely still in your firewall policy plus NAT configuration. Or it is some special protocol, such as SIP and H.323 for VoIP, which NAT did not support a few years ago, but the newer versions have all fixed that.

Assuming the firewall policy and routing are definitely correct:
1. You can test with common ports such as telnet, SSH and HTTP to see the connectivity of the network behind multiple NATs. Multiple NATs won't affect these ordinary port applications; there are many real-world examples. You could try opening all ports first.

2. Consider whether the firewall policy is correct, e.g. which address and port your destination points to, whether the source address is the NATed address, etc. Even experts sometimes get confused by this. This is easy to troubleshoot: firewalls from several vendors have a packet trace feature, so simulate the traffic flow.

3. Finally, it probably depends on how complex your application is: does it use one port or multiple ports? The voice example, for instance. But since it can get through a single external firewall, that shows this vendor's product or version has no support defect in this area. That's my view.

Boss, what product are you using, and which version? Post the configuration so we can have a look first.

Also, if you can connect and it only times out, e.g. your ISDN call suddenly gets dropped and your SSH session suddenly breaks, there are session parameter settings for that, which is easy to solve.

[ This post was last edited by woody on 2011-10-21 13:19 ]

Posted by 夜游神 on 2011-10-21 13:29
Confirmed this has nothing to do with either the routing setup or the firewall policy settings; otherwise I would not be able to capture the live interesting traffic flows on those two appliances.

During that troubleshooting session, I did utilize the telnet utility to test the port status, which was not working either.
I highly suspect that somewhere inside the packet, the client end injects TCP stateful information into the packet, and the server end then makes some intelligent decision based on the real packet header information and the TCP stateful information stored inside the packet payload. This is just a guess.

The only thing I know so far is that this application is a commercial low related data warehouse. So it could have some sort of layer 7 security intelligence policy involved in terms of application networking behavior.

I think this is more to do with layer 7 rather than any of the other layers 3, 4, 5, 6.

Background:
4 x 1G Internet uplinks heading into the Telstra Internet cloud
Juniper SRX 3600 HA-AA groups for both the external and internal setup
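An added model (not from the thread or from anyone posting in it) of the mechanism 夜游神 suspects above: an application writes its own source endpoint into the payload, and the server only accepts the session when that payload endpoint matches the IP/TCP header. Each NAT hop rewrites the header; a hop with an ALG also patches the payload, but only when it finds the pre-translation address there, which is why one NAT with an ALG passes, a second header-only NAT in front of it breaks the match, and an ALG on both hops restores it. All addresses and ports are constructed.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    """L3/L4 source fields plus the endpoint the application wrote into its payload."""
    src_ip: str
    src_port: int
    payload_ip: str
    payload_port: int


def nat_hop(pkt: Packet, new_ip: str, new_port: int, alg: bool) -> Packet:
    """One source-NAT hop. With alg=True the ALG looks for the pre-translation
    source endpoint in the payload and patches it (FTP/SIP ALG style); without
    an ALG only the header is rewritten and the payload is left stale."""
    out = replace(pkt, src_ip=new_ip, src_port=new_port)
    if alg and (pkt.payload_ip, pkt.payload_port) == (pkt.src_ip, pkt.src_port):
        out = replace(out, payload_ip=new_ip, payload_port=new_port)
    return out


def server_accepts(pkt: Packet) -> bool:
    """Server-side consistency check as hypothesised in the thread: the
    endpoint carried in the payload must match what the header says."""
    return (pkt.src_ip, pkt.src_port) == (pkt.payload_ip, pkt.payload_port)


def traverse(pkt: Packet, hops) -> Packet:
    """Push the packet through an ordered list of (new_ip, new_port, alg) NAT hops."""
    for ip, port, alg in hops:
        pkt = nat_hop(pkt, ip, port, alg)
    return pkt


CLIENT = Packet("10.1.1.10", 40000, "10.1.1.10", 40000)  # constructed DMZ client

# Single NAT at the external firewall, ALG present: payload patched, server accepts.
SINGLE_NAT = [("203.0.113.5", 50000, True)]
# Double NAT, inner hop has no ALG: the outer ALG never sees the address it
# expects in the payload, so header and payload disagree at the server.
DOUBLE_NAT_NO_INNER_ALG = [("172.16.0.2", 45000, False), ("203.0.113.5", 50000, True)]
# Double NAT with an ALG on both hops: each hop patches what the previous one wrote.
DOUBLE_NAT_BOTH_ALG = [("172.16.0.2", 45000, True), ("203.0.113.5", 50000, True)]


def scenario(hops) -> bool:
    return server_accepts(traverse(CLIENT, hops))


if __name__ == "__main__":
    for name in ("SINGLE_NAT", "DOUBLE_NAT_NO_INNER_ALG", "DOUBLE_NAT_BOTH_ALG"):
        print(name, "accepted" if scenario(globals()[name]) else "rejected")
```

The model does not claim to be the root cause of the thread's incident; it only shows why woody's point about ALG support and versions matters once a second translation hop is inserted.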

Posted by Limitless on 2011-10-21 16:26
Interesting.

Posted by superblue on 2011-10-25 14:19
Something might have to do with hashing; the application is picky about the integrity of the packets.

My 2 cents.
