Inbound masquerade NAT processing (response and other)

This process, the partner of outbound masquerade NAT processing, reverses the translation applied to the corresponding outbound message in order to recover the correct source workstation information.

The inbound message in the previous figure is a packet from the Internet to your private LAN. For inbound datagrams, the destination port number is the local port number. (For inbound messages, the source port number is the external port number. For outbound messages, the destination port number is the external port number.)

Response messages returning from the Internet bound for a locally attached machine have a masquerade-assigned logical port number as the destination port number in the transport layer header. The masquerade NAT inbound processing steps are:

  1. Masquerade NAT searches its database for this logical port number (source port). If it is not found, the packet is assumed to be an unsolicited packet, and the packet is returned to the caller unchanged. It is then handled as a normal unknown destination.
  2. If a matching logical port number is found, a further check is made to determine that the source IP address matches the destination IP address of the existing logical port number table entry. If it matches, the original local machine's port number replaces the source port in the IP header. If the check fails, the packet is returned unchanged.
  3. The matching local IP address is placed in the packet's IP destination field.
  4. The packet is then processed as usual by IP or TCP and ends up at the correct locally attached machine. Because masquerade NAT requires a logical port number to determine the correct source and destination port addresses, masquerade NAT is incapable of handling unsolicited datagrams from the Internet.
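The following Python model of the inbound steps above is an added illustration, not code from the original documentation: a constructed masquerade table keyed by logical port number, and an inbound packet that is rewritten only when both the logical port lookup and the source-address check succeed. All addresses, port numbers and names are assumed.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str     # for inbound traffic: the NAT box's public address
    dst_port: int   # for inbound traffic: the masquerade-assigned logical port

@dataclass(frozen=True)
class MasqEntry:
    local_ip: str    # workstation on the private LAN
    local_port: int  # its original source port on the outbound message
    remote_ip: str   # Internet host the outbound message was sent to

# Constructed sample table: logical port -> entry created by outbound processing.
MASQ_TABLE = {
    40001: MasqEntry("192.168.1.10", 51234, "203.0.113.5"),
    40002: MasqEntry("192.168.1.11", 51235, "198.51.100.7"),
}

def inbound_masquerade(pkt, table=MASQ_TABLE):
    """Apply the inbound steps; return (packet, matched).

    An unmatched packet is returned unchanged, exactly as received, so the
    caller can treat it as an unsolicited datagram for an unknown destination.
    """
    # Step 1: look up the logical port number carried in the inbound packet.
    entry = table.get(pkt.dst_port)
    if entry is None:
        return pkt, False
    # Step 2: the Internet source must be the host the table entry was built for.
    if pkt.src_ip != entry.remote_ip:
        return pkt, False
    # Steps 2 and 3: restore the local port number and the local IP address.
    translated = replace(pkt, dst_ip=entry.local_ip, dst_port=entry.local_port)
    return translated, True
```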