The biggest problem with all NAT technologies is interoperability with other
network technologies, especially those that contain or derive information from
host network addressing in the packet. Some of these technologies include:

- BootP and DHCP
- DNS and WINS
- SNMP
- Tunneling and encryption protocols

BootP and DHCP
Both protocols automate the assignment of IP addresses to clients. Recall that
the first packet a new client sends is a DHCPDISCOVER, broadcast to
255.255.255.255 with a source IP address of 0.0.0.0, because the client does
not yet have an address of its own. NAT needs a valid, translatable source and
destination address to build a table entry, so BootP and DHCP can have
difficulty operating across a router running either static or dynamic NAT. In
practice the DHCP server is placed on the same side of the NAT router as its
clients, or a DHCP relay agent on the router forwards the request as a unicast
packet sourced from the router's own interface address.

DNS and WINS
Because a router running dynamic NAT changes the relationship between inside
and outside addresses regularly (table entries expire and are re-created as
required), a DNS or WINS server outside the NAT router cannot hold an accurate,
stable picture of the network inside the router: the address it learned for a
name may belong to a different inside host a few minutes later.

Additionally, DNS and WINS reply packets carry IP addresses in the data payload
of the packet. A DNS or WINS server on the network inside a NAT router resolves
a hostname to an address on the inside network. When the NAT router forwards
the reply, a plain NAT process translates the address in the IP header but does
not alter the contents of the data payload, so the outside host is handed the
inside address of the inside host. Because the inside network is hidden by the
router, the outside host cannot route packets to that address, and the inside
network's private addressing has been disclosed to an outside party, which is
useful reconnaissance information for an attacker. Many NAT implementations,
Cisco IOS NAT among them, include a DNS application layer gateway (ALG) that
also rewrites the addresses in A and PTR records for which a translation exists;
the problem remains for payloads the ALG does not understand.
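The DNS case above, worked through as an added example (this is illustration code written for this page, not code from the original text or from any router vendor). It builds a DNS A-record reply pointing at an inside address, passes it through a header-only "NAT" and through a NAT with a DNS ALG, and parses what an outside host would receive. The hostname, the 10.1.1.0/24 and 203.0.113.0/24 addresses and the translation table are assumptions chosen for the example; the SNMP case is the same problem with a different payload encoding.

```python
"""Why a NAT that rewrites only the IP header leaks inside addresses in DNS
replies, and what a DNS application layer gateway (ALG) changes.
Constructed illustration; the hostname, addresses and translation table are
assumptions, and the 'NAT' here is a few lines of Python, not a router."""
import socket
import struct

INSIDE_DNS = "10.1.1.53"       # assumed inside DNS server
OUTSIDE_DNS = "203.0.113.53"   # assumed outside address it is translated to
INSIDE_WEB = "10.1.1.20"       # assumed inside web server
OUTSIDE_WEB = "203.0.113.20"   # assumed static NAT address of the web server
NAT_TABLE = {INSIDE_DNS: OUTSIDE_DNS, INSIDE_WEB: OUTSIDE_WEB}


def build_a_response(name, addr, txid=0x1234):
    """Minimal DNS response: header, one question, one A answer, no compression."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1, RD/RA set
    question = qname + struct.pack("!HH", 1, 1)                # type A, class IN
    answer = qname + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(addr)
    return header + question + answer


def _skip_name(payload, off):
    """Advance past a DNS name (labels or a compression pointer)."""
    while payload[off] != 0:
        if payload[off] & 0xC0 == 0xC0:   # compression pointer ends the name
            return off + 2
        off += 1 + payload[off]
    return off + 1


def iter_a_records(payload):
    """Yield (rdata_offset, dotted_address) for every A record in the answer section."""
    qdcount, ancount = struct.unpack("!HH", payload[4:8])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(payload, off) + 4          # skip QTYPE + QCLASS
    for _ in range(ancount):
        off = _skip_name(payload, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", payload[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            yield off, socket.inet_ntoa(payload[off:off + 4])
        off += rdlen


def nat_header_only(src_ip, payload):
    """Plain NAT: translate the outer source address, leave the payload untouched."""
    return NAT_TABLE.get(src_ip, src_ip), payload


def nat_with_dns_alg(src_ip, payload):
    """NAT plus DNS ALG: also rewrite A-record addresses that have a translation."""
    out = bytearray(payload)
    for off, addr in iter_a_records(payload):
        if addr in NAT_TABLE:
            out[off:off + 4] = socket.inet_aton(NAT_TABLE[addr])
    return NAT_TABLE.get(src_ip, src_ip), bytes(out)


def reply_as_seen_outside(use_alg):
    """Return (outer source address, A-record addresses) that an outside host
    receives when the inside DNS server answers for www.example.com."""
    payload = build_a_response("www.example.com", INSIDE_WEB)
    translate = nat_with_dns_alg if use_alg else nat_header_only
    src, payload = translate(INSIDE_DNS, payload)
    return src, [addr for _, addr in iter_a_records(payload)]
```

With `use_alg=False` the outer source becomes 203.0.113.53 but the answer still says 10.1.1.20, an address the outside host can neither reach nor should know about; with `use_alg=True` the answer is rewritten to 203.0.113.20. Note that the ALG can only fix records whose format it parses, which is why the same leak persists for other address-carrying payloads.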

SNMP
As with DNS, NAT cannot alter the addressing information carried in the data
payload of SNMP packets, such as the agent address field of an SNMPv1 trap or
the addresses in an agent's interface and routing tables. An SNMP management
station on one side of a NAT router may therefore be unable to contact agents
on the other side, or may receive traps and table contents that refer to
addresses it cannot reach.

Tunneling and Encryption Protocols
Not all encryption protocols
have problems with NAT. Encryption services operating at the application layer,
such as Pretty Good Privacy (PGP) and GNU Privacy Guard (GPG), are not affected
by NAT routers because the encrypted data travels as ordinary payload inside TCP
or UDP. Encryption and tunneling protocols at OSI model layers 2 to 4, however,
will often not operate through a NAT router, because they either protect the
IP header that NAT must change or run directly over IP without the port numbers
NAT uses to tell sessions apart.

Encryption
and tunneling protocols often require that traffic be sourced from a specific
UDP or TCP port, or use a protocol directly on top of IP that cannot be
processed by NAT. Some examples of this are:
- Internet Key Exchange (IKE) expects UDP packets to be sent to and received
from UDP port 500; a NAT that rewrites source ports (port address translation,
or overloading) breaks that expectation.
- IPsec tunnels use Encapsulating Security Payload (ESP, IP protocol 50), and
Generic Routing Encapsulation (GRE) tunnels use GRE (IP protocol 47). Both ride
directly on IP and carry no TCP or UDP port numbers, so a NAT device that
shares one outside address among many inside hosts has nothing to key the
translation on. IPsec's Authentication Header (AH, IP protocol 51) is worse
still: it authenticates the IP header, so any address change invalidates the
packet.
If encryption or tunneling protocols must be run through a NAT router, the
network administrator can create a static NAT entry for the required port or
protocol for a single IP address on the inside of the NAT router; this supports
one tunnel endpoint per outside address. Current IPsec implementations sidestep
the problem with NAT Traversal (NAT-T), which detects the NAT during the IKE
exchange and encapsulates ESP in UDP port 4500 so that ordinary port-based NAT
can carry it.

Common NAT Misconfigurations
One of the more common misconfigurations of NAT is
forgetting that a static entry translates traffic in both directions. An
inexperienced network administrator might configure a static NAT entry to
redirect inbound traffic for a service address to a specific inside 'backup'
host, so that in the event of a failure on the primary system, traffic reaches
the backup system without the administrator having to do anything. The same
static NAT statement also rewrites the source address of all traffic that the
backup host originates, so its own outbound sessions appear to come from the
service address, possibly resulting in an undesirable (and unexpected) set of
behaviors. At best, this is likely to result in sub-optimal operation.

Misconfigured timers can also result in
unexpected network behavior and suboptimal operation of dynamic NAT. If NAT
timers are too short, entries in the NAT table may expire before replies are
received; the replies then arrive for an outside address that no longer maps to
any inside host and are discarded. The intended traffic does not get through,
and the lost packets trigger retransmissions, consuming more bandwidth. The NAT
router log may also fill with messages about the rejected packets.

If timers
are too long, entries stay in the NAT table longer than necessary, consuming
the available pool of outside addresses (or, with overloading, port numbers). In
busy networks this can exhaust router memory, and hosts may be unable to
establish new connections once the dynamic NAT table is full.
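Both misconfigurations described in this section, the bidirectional static entry and the too-short and too-long dynamic timers, worked through on a toy translation table. This is an added example written for this page, not code from the original text or from any router; the addresses (10.0.0.0/24 inside, 203.0.113.0/24 outside, 198.51.100.0/24 for outside hosts), the pool sizes and the timer values are assumptions, and a real NAT would also track ports and protocol.

```python
"""Toy NAT translation table for the two misconfigurations discussed above:
a static entry that translates in both directions, and dynamic-entry timers
that are too short or too long.  Constructed illustration, not a real NAT
implementation; all addresses and timer values are assumptions."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    sport: Optional[int] = None
    dport: Optional[int] = None


class Nat:
    def __init__(self, outside_pool, dyn_timeout):
        self.pool = list(outside_pool)  # free outside addresses for dynamic NAT
        self.dyn_timeout = dyn_timeout  # seconds an idle dynamic entry survives
        self.static = {}                # inside -> outside, never expires
        self.dynamic = {}               # inside -> [outside, expires_at]
        self.dropped = []               # (reason, packet) for discarded traffic

    def add_static(self, inside, outside):
        self.static[inside] = outside

    def _expire(self, now):
        # Idle entries time out and their outside address returns to the pool.
        for inside, (outside, expires) in list(self.dynamic.items()):
            if expires <= now:
                del self.dynamic[inside]
                self.pool.append(outside)

    def outbound(self, pkt, now):
        """Inside -> outside: rewrite the source address (static entries win)."""
        self._expire(now)
        if pkt.src in self.static:
            outside = self.static[pkt.src]
        elif pkt.src in self.dynamic:
            outside = self.dynamic[pkt.src][0]
            self.dynamic[pkt.src][1] = now + self.dyn_timeout  # refresh on traffic
        elif self.pool:
            outside = self.pool.pop(0)
            self.dynamic[pkt.src] = [outside, now + self.dyn_timeout]
        else:
            self.dropped.append(("pool exhausted", pkt))
            return None
        return Packet(outside, pkt.dst, pkt.proto, pkt.sport, pkt.dport)

    def inbound(self, pkt, now):
        """Outside -> inside: rewrite the destination address."""
        self._expire(now)
        for inside, outside in self.static.items():
            if outside == pkt.dst:
                return Packet(pkt.src, inside, pkt.proto, pkt.sport, pkt.dport)
        for inside, entry in self.dynamic.items():
            if entry[0] == pkt.dst:
                entry[1] = now + self.dyn_timeout
                return Packet(pkt.src, inside, pkt.proto, pkt.sport, pkt.dport)
        self.dropped.append(("no translation", pkt))
        return None


def static_entry_is_bidirectional():
    """The 'inbound redirect to the backup host' also rewrites that host's
    outbound source address to the service address."""
    nat = Nat(["203.0.113.10", "203.0.113.11"], dyn_timeout=300)
    nat.add_static("10.0.0.20", "203.0.113.5")   # backup host <-> service address
    inbound = nat.inbound(Packet("198.51.100.7", "203.0.113.5", "tcp", 40000, 443), now=0)
    outbound = nat.outbound(Packet("10.0.0.20", "198.51.100.9", "tcp", 50000, 80), now=1)
    return inbound.dst, outbound.src       # ("10.0.0.20", "203.0.113.5")


def short_timer_drops_reply():
    """A 5-second timer: the DNS reply arriving at t=8 finds no entry and is dropped."""
    nat = Nat(["203.0.113.10"], dyn_timeout=5)
    nat.outbound(Packet("10.0.0.31", "198.51.100.7", "udp", 40000, 53), now=0)
    reply = nat.inbound(Packet("198.51.100.7", "203.0.113.10", "udp", 53, 40000), now=8)
    return reply, nat.dropped[-1][0]      # (None, "no translation")


def long_timer_exhausts_pool():
    """A one-hour timer: two idle hosts hold the whole pool, so a third host starves."""
    nat = Nat(["203.0.113.10", "203.0.113.11"], dyn_timeout=3600)
    for i, host in enumerate(["10.0.0.41", "10.0.0.42"]):
        nat.outbound(Packet(host, "198.51.100.7"), now=i)
    third = nat.outbound(Packet("10.0.0.43", "198.51.100.7"), now=600)
    return third, nat.dropped[-1][0]      # (None, "pool exhausted")
```

Calling the three scenario functions shows the three symptoms in turn: the backup host's outbound packet leaves with the service address as its source, the late reply is dropped for lack of a translation, and the third host is refused an address while two finished sessions still hold the pool. The `dropped` list stands in for the router log mentioned above.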
