11.14 Limitations of NAT

There are several limitations of NAT to be concerned about, and often there are mechanisms to overcome those obstacles.

  • SIP does not work with NAT because NAT modifies the IP header but not the addresses carried inside the SIP message itself, so the two no longer agree.
  • Some applications require end-to-end address visibility and do not work well with NAT; a digital signature computed over the original addresses no longer verifies once NAT has translated them.
  • Tunneling protocols often do not work with NAT by default; IPsec, for example, fails its integrity checks with NAT and supports NAT traversal to overcome this obstacle.
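The SIP point above, as an added illustration that is not part of the original text: a plain NAT rewrites only the IP-layer source, so the private address that SIP still advertises in its Via, Contact and SDP c= lines disagrees with the translated header. The SIP message, the addresses and the "ALG" remedy at the end are constructed for this example; the page itself names no ALG.

```python
"""Added example (not from the text): why SIP breaks behind a NAT that rewrites
only the IP header. All addresses and the SIP message are constructed samples."""
import re

INSIDE_HOST = "10.0.0.5"      # constructed private address of the SIP phone
NAT_PUBLIC = "203.0.113.10"   # constructed public address of the NAT (TEST-NET-3)

# Constructed SIP INVITE; the SDP body tells the callee where to send media.
SIP_INVITE = (
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.0.0.5:5060\r\n"
    "Contact: <sip:alice@10.0.0.5:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "c=IN IP4 10.0.0.5\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
)

def nat_header_only(packet):
    """Model a plain NAT: rewrite the IP-layer source, leave the payload untouched."""
    return {"src": NAT_PUBLIC, "dst": packet["dst"], "payload": packet["payload"]}

def embedded_addresses(sip_text):
    """Collect the IPv4 addresses the SIP/SDP message carries in its own text."""
    return sorted(set(re.findall(r"\b(?:\d{1,3}\.){3}\d{1,3}\b", sip_text)))

def payload_disagrees_with_header(packet):
    """True when the SIP text still advertises an address other than the IP source.
    This is the mismatch the far end trips over: it answers to the embedded address."""
    return any(addr != packet["src"] for addr in embedded_addresses(packet["payload"]))

def nat_with_sip_alg(packet):
    """Hypothetical application-layer fix (my addition): rewrite the embedded
    addresses to match the translated header, as a SIP ALG would."""
    out = nat_header_only(packet)
    out["payload"] = out["payload"].replace(packet["src"], NAT_PUBLIC)
    return out

if __name__ == "__main__":
    pkt = {"src": INSIDE_HOST, "dst": "198.51.100.7", "payload": SIP_INVITE}
    print("plain NAT mismatch:", payload_disagrees_with_header(nat_header_only(pkt)))  # True
    print("with ALG mismatch: ", payload_disagrees_with_header(nat_with_sip_alg(pkt)))  # False
```

The `payload_disagrees_with_header` check is the same comparison a NAT-aware middlebox or a troubleshooting capture would make: if the IP source and the addresses inside the SIP message differ, the call will signal fine in one direction and then fail when the far end tries to reach the private address.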

Note the following:

  • When traffic goes from the inside interface to the outside interface, it is routed first and then translated…
  • When traffic comes from the outside interface to the inside, it is translated first and then routed…

Packets are typically not allowed to hairpin at the outside interface, so if an internal client resolves a DNS record to the public address of a web server that also sits inside, the packet cannot go out the outside interface and turn straight back in; you’d need something like DNS doctoring (rewriting the DNS reply so the client receives the server’s inside address) to fix that issue.
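The order-of-operations notes and the hairpin case, as an added toy model that is not from the original text: a two-interface NAT device that routes before translating on the inside-to-outside path, translates before routing on the outside-to-inside path, refuses the hairpin at the outside interface by default, and a `dns_doctor` function that rewrites the DNS answer so the client reaches the server directly. The networks, the static NAT entry and the `allow_hairpin` switch are constructed assumptions for the example.

```python
"""Added example (not from the text): toy NAT device showing route-then-translate,
translate-then-route, the hairpin drop, and DNS doctoring. All addresses and the
static NAT mapping are constructed sample values."""
import ipaddress

INSIDE_NET = ipaddress.ip_network("10.0.0.0/24")     # constructed inside network
STATIC_NAT = {"10.0.0.80": "203.0.113.80"}           # constructed static NAT: inside web server
STATIC_NAT_REVERSE = {pub: priv for priv, pub in STATIC_NAT.items()}
PAT_ADDRESS = "203.0.113.10"                         # constructed outside address for dynamic PAT

def route_lookup(dst):
    """Egress interface for a destination: the inside network is directly connected,
    everything else follows the default route out the outside interface."""
    return "inside" if ipaddress.ip_address(dst) in INSIDE_NET else "outside"

def forward(ingress, src, dst, allow_hairpin=False):
    """Process one packet that entered the device on `ingress`.
    Returns (egress, src, dst) for a forwarded packet or ("dropped", reason, None)."""
    if ingress == "inside":
        # Inside -> outside: ROUTE first on the untranslated destination, then translate.
        egress = route_lookup(dst)
        if egress == "inside":
            return ("dropped", "destination is on the ingress segment", None)
        if dst in STATIC_NAT_REVERSE and not allow_hairpin:
            # Reaching this address means leaving via outside and re-entering outside:
            # a hairpin at the outside interface, refused by default.
            return ("dropped", "hairpin at outside interface", None)
        src = STATIC_NAT.get(src, PAT_ADDRESS)
        if dst in STATIC_NAT_REVERSE:
            # Hairpin permitted (assumed switch): undo the mapping and turn the packet around.
            return ("inside", src, STATIC_NAT_REVERSE[dst])
        return ("outside", src, dst)
    # Outside -> inside: TRANSLATE first (undo the public mapping), then route.
    inside_dst = STATIC_NAT_REVERSE.get(dst)
    if inside_dst is None:
        return ("dropped", "no translation for " + dst, None)
    return (route_lookup(inside_dst), src, inside_dst)

def dns_doctor(answer_ip):
    """DNS doctoring: rewrite an A record in a reply heading to an inside client so it
    carries the server's inside address instead of its public one."""
    return STATIC_NAT_REVERSE.get(answer_ip, answer_ip)

def inside_client_sends(client_ip, dst, allow_hairpin=False):
    """Path an inside client's packet takes; same-segment traffic never reaches the NAT."""
    if ipaddress.ip_address(dst) in INSIDE_NET:
        return ("direct", client_ip, dst)
    return forward("inside", client_ip, dst, allow_hairpin)

if __name__ == "__main__":
    print(forward("inside", "10.0.0.5", "198.51.100.7"))         # routed, then source translated
    print(forward("outside", "198.51.100.7", "203.0.113.80"))     # destination translated, then routed
    print(inside_client_sends("10.0.0.5", "203.0.113.80"))        # dropped: hairpin at outside interface
    print(inside_client_sends("10.0.0.5", dns_doctor("203.0.113.80")))  # direct to 10.0.0.80
```

Running the four calls at the bottom reproduces the text's points in order: the outbound packet is routed on its real destination and only then gets the PAT source; the inbound packet has its public destination undone before the routing decision; the client aiming at the server's public address is dropped at the outside interface; and once the DNS reply is doctored the client talks to 10.0.0.80 on its own segment without touching the NAT at all.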