Let's assume the network diagram looks like this:
What happens when the external Client tries to connect to the internal Server?
There is a DNAT (Destination Network Address Translation) rule on the Firewall:
-------------------------------------
| 1.1.1.1:8000 --> 192.168.168.3:80 |
-------------------------------------
When a Client on the Internet, say with IP 1.1.1.2, tries to access Server A, its packet looks like this before it enters the Firewall:
| Source Address     | Destination Address | ... |
-------------------------------------------------
| 1.1.1.2:1234       | 1.1.1.1:8000        | ... |
-------------------------------------------------
The Firewall checks the destination address (ip:port), finds that it matches 1.1.1.1:8000, rewrites the destination in the header to 192.168.168.3:80 and sends the packet into the local network. It also records the translation in its connection-tracking table so that it can reverse it on the reply.
| Source Address     | Destination Address | ... |
-------------------------------------------------
| 1.1.1.2:1234       | 192.168.168.3:80    | ... |
-------------------------------------------------
After Server A receives the packet, it replies to the Client. The destination 1.1.1.2 is outside the local subnet, so the reply is routed to the Firewall:
| Source Address     | Destination Address | ... |
-------------------------------------------------
| 192.168.168.3:80   | 1.1.1.2:1234        | ... |
-------------------------------------------------
When the Firewall receives the reply from the local network, it matches it to the tracked connection, rewrites the source address back to 1.1.1.1:8000 and sends it out:
| Source Address     | Destination Address | ... |
-------------------------------------------------
| 1.1.1.1:8000       | 1.1.1.2:1234        | ... |
-------------------------------------------------
Therefore, the connection between the external Client and the internal Server A is established. This is known as
Port Forwarding
What if an internal Client connects to the internal Server through the same procedure?
Client B wants to access Server A through the public address rather than over the local LAN (for example because the application is configured with the public hostname). That means B's destination address is 1.1.1.1 instead of 192.168.168.3:
| Source Address     | Destination Address | ... |
-------------------------------------------------
| 192.168.168.2:1234 | 1.1.1.1:8000        | ... |
-------------------------------------------------
When the Firewall finds the destination address 1.1.1.1:8000, DNAT changes it to 192.168.168.3:80. The source address is left as it is:
| Source Address     | Destination Address | ... |
-------------------------------------------------
| 192.168.168.2:1234 | 192.168.168.3:80    | ... |
-------------------------------------------------
After Server A receives the packet, it sees that B is in its own subnet, so it replies to Client B directly at Layer 2; the reply never passes through the Firewall:
| Source Address     | Destination Address | ... |
-------------------------------------------------
| 192.168.168.3:80   | 192.168.168.2:1234  | ... |
-------------------------------------------------
Client B receives the packet above and finds that it is not what B expected. B's socket is waiting for a reply whose source address is 1.1.1.1:8000; a packet from 192.168.168.3:80 matches no connection B knows about, so B's TCP stack drops it (or answers with a RST).
Since B never receives the SYN+ACK from A via the Firewall (1.1.1.1:8000),
the Three-way Handshake fails.
Here is the solution [NAT Loopback]:
The Firewall also rewrites the source IP of such packets from 192.168.168.2 to 1.1.1.1 (SNAT). Server A then sees a source outside its own subnet, so its reply is routed back to the Firewall, which reverses both translations before delivering it to B.
Firewall NAT rules:
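The page's rule listing is not reproduced here. As an added example (not code from the original page), the following Python model walks both scenarios described above through a small stateful firewall: the DNAT rule from the text, and optionally the hairpin SNAT rule, using the same addresses (Firewall 1.1.1.1, Server A 192.168.168.3:80, Client B 192.168.168.2, external client 1.1.1.2). The client source port 1234, the choice to keep that port when SNATing, and the iptables equivalents quoted in the comments are assumptions of the example.

```python
"""Walk the packets from the text through a model of the Firewall.

Added example (not from the original page).  Assumed: clients use source
port 1234 and the hairpin SNAT keeps that port (a real firewall may
allocate a new one).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.168.0/24")
FW_WAN = "1.1.1.1"
Addr = tuple[str, int]  # (ip, port)

# DNAT rule from the text: 1.1.1.1:8000 --> 192.168.168.3:80
DNAT_MATCH: Addr = ("1.1.1.1", 8000)
SERVER_A: Addr = ("192.168.168.3", 80)
# Assumed Linux equivalents of the two rules this model implements:
#   iptables -t nat -A PREROUTING  -d 1.1.1.1 -p tcp --dport 8000 \
#       -j DNAT --to-destination 192.168.168.3:80
#   iptables -t nat -A POSTROUTING -s 192.168.168.0/24 -d 192.168.168.3 \
#       -p tcp --dport 80 -j SNAT --to-source 1.1.1.1      # hairpin only


@dataclass(frozen=True)
class Packet:
    src: Addr
    dst: Addr
    flags: str  # "SYN" or "SYN+ACK"


class Firewall:
    """Stateful NAT box; hairpin_snat=True adds the NAT-loopback SNAT rule."""

    def __init__(self, hairpin_snat: bool) -> None:
        self.hairpin_snat = hairpin_snat
        # Keyed by the (src, dst) a reply will carry when it comes back,
        # storing the original (src, dst) of the request so that both
        # translations can be undone.  Real firewalls call this conntrack.
        self.conntrack: dict[tuple[Addr, Addr], tuple[Addr, Addr]] = {}

    def forward(self, pkt: Packet) -> Packet:
        # Reply direction: a tracked flow gets both translations reversed.
        if (pkt.src, pkt.dst) in self.conntrack:
            orig_src, orig_dst = self.conntrack[(pkt.src, pkt.dst)]
            return Packet(src=orig_dst, dst=orig_src, flags=pkt.flags)
        # Request direction: PREROUTING DNAT.
        if pkt.dst != DNAT_MATCH:
            return pkt  # no rule matches; forwarded unchanged
        new_src = pkt.src
        # NAT loopback: a LAN source hitting the public address is SNAT'd
        # too, so that Server A's reply is forced back through the Firewall.
        if self.hairpin_snat and ip_address(pkt.src[0]) in LAN:
            new_src = (FW_WAN, pkt.src[1])
        out = Packet(src=new_src, dst=SERVER_A, flags=pkt.flags)
        self.conntrack[(out.dst, out.src)] = (pkt.src, pkt.dst)
        return out


def route(pkt: Packet, fw: Firewall) -> Packet:
    """Deliver a packet sent by a host.  Two hosts on the LAN talk directly
    at Layer 2 and the Firewall never sees the packet; everything else goes
    through the Firewall (default gateway / public address)."""
    if ip_address(pkt.src[0]) in LAN and ip_address(pkt.dst[0]) in LAN:
        return pkt
    return fw.forward(pkt)


def handshake(client_ip: str, fw: Firewall) -> tuple[bool, list[Packet]]:
    """SYN from client_ip to 1.1.1.1:8000 and Server A's SYN+ACK back.
    Returns (accepted, trace); accepted is True when the SYN+ACK matches
    the 4-tuple the client's socket is waiting on."""
    client: Addr = (client_ip, 1234)
    syn = Packet(src=client, dst=DNAT_MATCH, flags="SYN")
    at_server = route(syn, fw)
    # Server A answers whichever source address it saw in the SYN.
    syn_ack = Packet(src=SERVER_A, dst=at_server.src, flags="SYN+ACK")
    at_client = route(syn_ack, fw)
    # The socket is bound to (client, 1.1.1.1:8000).  A SYN+ACK from any
    # other address belongs to no connection, so TCP drops it (or RSTs).
    accepted = at_client.src == DNAT_MATCH and at_client.dst == client
    return accepted, [syn, at_server, syn_ack, at_client]


if __name__ == "__main__":
    for hairpin in (False, True):
        fw = Firewall(hairpin_snat=hairpin)
        for who, ip in (("external client", "1.1.1.2"),
                        ("internal Client B", "192.168.168.2")):
            ok, trace = handshake(ip, fw)
            print(f"hairpin SNAT {'on' if hairpin else 'off'}: {who} -> "
                  f"{'handshake OK' if ok else 'SYN+ACK dropped'}")
            for p in trace:
                print(f"    {p.flags:<8} {p.src[0]}:{p.src[1]} -> "
                      f"{p.dst[0]}:{p.dst[1]}")
```

Running it prints the four-packet trace for each case: the external client succeeds with or without the hairpin rule; Client B's SYN+ACK arrives straight from 192.168.168.3:80 and is dropped until the SNAT rule is enabled, after which the reply passes back through the Firewall and comes out as 1.1.1.1:8000 -> 192.168.168.2:1234, exactly the header B is waiting for.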