Limitations of NAT

NAT does not work in all cases. The following subsections document some of the instances where NAT will not work as expected.

NAT Is Incompatible with Some Protocols

The main components that NAT changes are the IP addresses in the TCP/IP headers and possibly the TCP or UDP ports. This works for some applications, but many applications embed IP addresses in the data portion of the packet (e.g., Microsoft Networking[5]) or expect packets to come from a particular source port (e.g., IKE negotiations for IPSec). In these cases, NAT has to act somewhat like an application proxy in that it must understand the underlying protocol and make intelligent changes to the packets so that the protocol will work despite undergoing NAT.

[5] ...
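The following added example (not from the book) models the limitation described above. It goes beyond the protocols named in the text by using the FTP active-mode `PORT` command (RFC 959), a well-known case of an address carried in the data portion. The `Packet` class, the function names, and all addresses and ports are constructed for illustration.

```python
import re
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes

# FTP active-mode command: PORT h1,h2,h3,h4,p1,p2 (RFC 959)
PORT_RE = re.compile(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n")

def header_only_nat(pkt, public_ip, public_port):
    """Rewrite only the IP/TCP header fields, as plain NAT does."""
    return replace(pkt, src_ip=public_ip, src_port=public_port)

def embedded_endpoint(pkt):
    """Return (ip, port) advertised inside an FTP PORT payload, or None."""
    m = PORT_RE.search(pkt.payload)
    if not m:
        return None
    h = [int(x) for x in m.groups()]
    return ".".join(map(str, h[:4])), h[4] * 256 + h[5]

def protocol_aware_nat(pkt, public_ip, public_port, data_port):
    """Header rewrite plus payload fixup; returns (packet, length delta)."""
    out = header_only_nat(pkt, public_ip, public_port)
    if embedded_endpoint(pkt) is None:
        return out, 0
    fields = public_ip.split(".") + [str(data_port >> 8), str(data_port & 0xFF)]
    new_cmd = b"PORT " + ",".join(fields).encode() + b"\r\n"
    payload = PORT_RE.sub(new_cmd, pkt.payload, count=1)
    # A non-zero delta means later TCP sequence/ack numbers must be adjusted too.
    return replace(out, payload=payload), len(payload) - len(pkt.payload)

# Constructed sample: internal client 10.1.1.5 advertises data port 4*256+1 = 1025.
SAMPLE = Packet("10.1.1.5", 40000, "198.51.100.20", 21, b"PORT 10,1,1,5,4,1\r\n")

if __name__ == "__main__":
    plain = header_only_nat(SAMPLE, "203.0.113.7", 61000)
    print(plain.src_ip, embedded_endpoint(plain))   # header fixed, payload stale
    fixed, delta = protocol_aware_nat(SAMPLE, "203.0.113.7", 61000, 50001)
    print(fixed.src_ip, embedded_endpoint(fixed), delta)
```

After header-only translation the server is still told to connect back to the unroutable internal address; the protocol-aware version corrects the payload, and the changed payload length is why such handling must also track the TCP stream.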
