Created on 02-26-2023 09:27 PM. Edited on 03-11-2025 01:50 AM by Jean-Philippe_P.
Description | This article describes endpoint-independent mapping NAT, and when it is required in the ADVPN environment. |
Scope | FortiGate v6.4 and v7.2. |
Solution |
NAT is everywhere in today's networks, and that includes VPNs deployed in a hub-and-spoke manner, where many users rely on ADVPN's ability to dynamically create and tear down spoke-to-spoke shortcuts to further optimize performance.
For this to happen, EIM-NAT plays an important role when a spoke behind a NAT box needs to negotiate a shortcut with another spoke that is also behind a NAT box.
Endpoint-Independent Mapping Network Address Translation (EIM-NAT) is a NAT device that performs NAT in such a way that an endpoint with internal IP address and port (src-ip, src-port) is always SNATed to the same translated source IP and translated source port (nat-src-ip, nat-src-port), irrespective of which destination (any external IP and port) the endpoint initiates traffic to.
Illustration:
endpoint (192.168.200.200, 65100) ---> SNATed (200.200.200.200, 65222) >>>> 8.8.8.8:443
endpoint (192.168.200.200, 65100) ---> SNATed (200.200.200.200, 65222) >>>> 8.8.8.8:80
endpoint (192.168.200.200, 65100) ---> SNATed (200.200.200.200, 65222) >>>> 8.8.8.8:53
Note: The endpoint is a session-specific tuple on the end host; TCP and UDP may have different endpoints on the same end host.
With FortiGate running FortiOS v6.4 and above, a shortcut is possible between two spokes that both sit behind NAT boxes, but the NAT boxes need to perform EIM-NAT. With FortiGate running FortiOS below v6.4, one of the spokes has to be without NAT (not sitting behind a NAT box) for shortcut negotiation to succeed.
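The following is an added illustration, not FortiOS code or anything from the article itself: a toy Python model of a NAT mapping table with two behaviours, endpoint-independent mapping (EIM) and address-and-port-dependent mapping (the behaviour often called symmetric NAT). It replays the three-destination illustration above and then models why a spoke-to-spoke shortcut only works when both NAT boxes are EIM: the hub learns each spoke's translated tuple from spoke-to-hub traffic and hands it to the other spoke, and the direct spoke-to-spoke packet must leave the NAT with that same tuple. The hub address, spoke addresses and the starting NAT port are constructed values; the FortiOS version-dependent behaviour described above is not modelled.

```python
from itertools import count


class Nat:
    """Minimal NAT mapping table (constructed model, not FortiOS)."""

    def __init__(self, public_ip, endpoint_independent=True, first_port=65222):
        self.public_ip = public_ip
        self.endpoint_independent = endpoint_independent
        self._table = {}
        self._ports = count(first_port)

    def translate(self, src_ip, src_port, dst_ip, dst_port):
        """Return the (nat-src-ip, nat-src-port) used for this outbound packet."""
        if self.endpoint_independent:
            # EIM: the mapping is keyed on the internal endpoint only, so every
            # destination sees the same translated tuple.
            key = (src_ip, src_port)
        else:
            # Address-and-port-dependent mapping: a new destination gets a new
            # mapping (and therefore a new translated port).
            key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self._table:
            self._table[key] = (self.public_ip, next(self._ports))
        return self._table[key]


# Replays the illustration: one internal endpoint talking to three destinations.
ILLUSTRATION_SRC = ("192.168.200.200", 65100)
ILLUSTRATION_DSTS = (("8.8.8.8", 443), ("8.8.8.8", 80), ("8.8.8.8", 53))


def mappings_seen(nat, src=ILLUSTRATION_SRC, destinations=ILLUSTRATION_DSTS):
    """Translated tuple observed by each destination, in order."""
    return [nat.translate(*src, *dst) for dst in destinations]


def looks_endpoint_independent(nat):
    """True when all destinations observe one and the same translated tuple."""
    return len(set(mappings_seen(nat))) == 1


# Constructed hub and spoke endpoints for the shortcut model.
HUB = ("203.0.113.1", 500)
SPOKE_A = ("192.168.200.200", 4500)
SPOKE_B = ("192.168.100.100", 4500)


def shortcut_feasible(nat_a, nat_b):
    """Model of a spoke-to-spoke shortcut with both spokes behind NAT.

    The hub records the translated tuple it sees from each spoke and passes it
    to the peer; the shortcut works only if each spoke's direct packet toward
    the peer leaves its NAT with exactly that tuple.
    """
    a_seen_by_hub = nat_a.translate(*SPOKE_A, *HUB)
    b_seen_by_hub = nat_b.translate(*SPOKE_B, *HUB)
    a_to_b = nat_a.translate(*SPOKE_A, *b_seen_by_hub)
    b_to_a = nat_b.translate(*SPOKE_B, *a_seen_by_hub)
    return a_to_b == a_seen_by_hub and b_to_a == b_seen_by_hub


if __name__ == "__main__":
    for label, eim in (("EIM-NAT", True), ("dependent mapping", False)):
        nat = Nat("200.200.200.200", endpoint_independent=eim)
        print(label, mappings_seen(nat), "endpoint-independent:", looks_endpoint_independent(nat))
    print("shortcut, both EIM:",
          shortcut_feasible(Nat("200.200.200.200", True), Nat("198.51.100.7", True)))
    print("shortcut, both dependent:",
          shortcut_feasible(Nat("200.200.200.200", False), Nat("198.51.100.7", False)))
```

The `looks_endpoint_independent` check is the same observation a practitioner makes against a real NAT box: send from a fixed internal source port to several different destinations and compare the source tuple each destination reports back. If the translated port changes per destination, the device is not EIM and the hub-learned tuple will not match what the peer spoke actually receives on the direct path.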
Note: EIM cannot be disabled for kernel CGNAT; it is the default setting for all native FortiOS NAT pools. |
Copyright 2025 Fortinet, Inc. All Rights Reserved.