Where does the Tcp 3 way handshake happen when nat is involved?

Lets say a web server is in a natted environment and it has a private address. Would I first do a three way handshake with the router(public IP) and then the router does one with the host that is behind its natted interface? Lastly I know there is a Nat translation table is there another table for tcp connections to separate sessions?

1 Like

Hello Justin,

I can tell you for sure that only one TCP handshake occurs, this is between the client and server. Essentially the router does two things in this scenario. It translates packets coming to and from the router and it also decides the best path to the destination for said packets. So basically the router has some sort of NAT statement (static or dynamic) telling it how to NAT traffic that is received on port 80 with X destination IP.

So lets assume we have a basic linksys Wifi router that is being used as the switch, default gateway, NAT device, DHCP etc the client is connected directly to this device. The web server is behind a cisco router and switch with no vlans.

IPs
home devices
linksys 192.168.1.1/24 private 1.1.1.1/30
PC 192.168.1.20/24

web server devices
router 172.16.1.1/24 private 2.2.2.2/29
web server 172.16.1.20/24

  1. Client sends syn packet to 2.2.2.2:80 w/ mac address of default gateway
  2. Gateway NATs packet to change the source address of the packet from 192.168.1.20:xxx to 1.1.1.1:xxx
    (the port specfied is random we don’t know what this will be)
  3. Gateway routes the packet to the ISP
  4. Router in front of web server recieves the packet and sees the destination IP and TCP port is supposed to be NATed to the IP of the webserver.
  5. Router also knows the best path to the destination IP and sends this out of the next hop interface.
  6. Web server gets packet and sends a syn ack packet back to 1.1.1.1:xxx this has a destination mac of the Cisco router.
  7. The router will take this packet and NAT the 172.16.1.20:80 source IP to 2.2.2.2:80
  8. The router also knows the best path to 1.1.1.1 so it sends the syn ack packet out the next hop interface.
  9. This process is repeated for the handshake and all other packets sent between the client and server.

I do not know if there is a table keeping track of TCP connections I would love to know this as well. I hope this makes sense and helps!

Thanks,
Scott

Hello Justin

Scott’s explanation is essentially correct. Every time a communication occurs from the Internet over the NAT router to the web server, a NAT translation occurs. This is the case whether the communication is the first transmission of a three way TCP handshake or the sending of email data or just a ping. The content of the communication doesn’t matter, the translation will occur.

So when the initial communication of the TCP 3 way handshake arrives at the NAT router, the destination address is translated from the outside address to the inside address of the web server. The web server responds with the source address being translated when it traverses the NAT router, and the third part of the handshake once again is translated on its way in again. Each part of the handshake is translated just like any other packet that will traverse the NAT router.

A NAT router will not keep track of TCP connections. It will only keep track of translations.

I hope this has been helpful!

Laz

Thank you for your responses! That does make sense. I mean the router is going to look at the ip and route the packet its not going to look inside the tcp header. I guess nats port numbers where what tripped me up. Anyway thanks for your time!