NAT
The NAT concept is simple: it allows a single device to act as an Internet gateway for internal LAN clients by translating the clients' internal network IP Addresses into the IP Address on the NAT-enabled gateway device.
In other words, NAT runs on the device that's connected to the Internet and hides the rest of your network from the public, thus making your whole network appear as one device (or computer, if you like) to the rest of the world.
NAT is transparent to your network, meaning all internal network devices are not required to be reconfigured in order to access the Internet. All that's required is to let your network devices know that the NAT device is the default gateway to the Internet.
NAT is secure since it hides your network from the Internet. All communications from your private network are handled by the NAT device, which will ensure all the appropriate translations are performed and provide a flawless connection between your devices and the Internet.
The diagram below illustrates this:
As you can see, we have a simple network of 4 hosts (computers) and one router that connects this network to the Internet. All hosts in our network have a private Class C IP Address, including the router's private interface (192.168.0.1), while the public interface that's connected to the Internet has a real IP Address (203.31.220.134).
HOW NAT WORKS
All requests the workstations generate are sent to the Internet via the router. The router will then perform NAT on these packets and send them to their destination. As each packet arrives at the router's private interface, the router will strip the source IP Address from the 3rd layer (network layer), e.g. 192.168.0.10, and replace it with its own public IP Address (203.31.220.134) before sending the packet to the Internet.
This is how the packet then seems to have originated from the router itself. In some cases, depending on the NAT mode, the source and destination port numbers (layer 4) will be changed as well, but we examine that on the pages that follow. For now, we'll just look at the simple IP translation within the router.
THE NAT TABLE
The NAT table is the heart of the whole NAT operation, which takes place within the router (or any NAT-enabled device) as packets arrive and leave its interfaces. Each connection from the internal (private) network to the external (public-Internet) network, and vice versa, is tracked, and a special table is created to help the router determine what to do with all incoming packets on all of its interfaces.
STATIC NAT
Static NAT was mainly created to allow hosts on your private network to be directly accessible via the Internet using real public IPs. Static NAT is also considered a bit dangerous because a misconfiguration to your firewall or other NAT-enabled device can result in the full exposure of the machine on your private network to which the public IP Address maps.
Dynamic NAT
The way Dynamic NAT differs from Static NAT is that where Static NAT provides a one-to-one internal-to-public static IP mapping, Dynamic NAT does the same but without making the mapping to the public IP static, and it usually uses a group (pool) of available public IPs.
NAT Overload
NAT Overload is the most common NAT method used throughout all networks that connect to the Internet. This is because of the way it functions and the limitations it can overcome.
NAT Overload is a mix of Static & Dynamic NAT with a few enhancements thrown in (PAT, Port Address Translation) to make it work the way we need. By now you understand how both Static & Dynamic NAT work, so we won't get into the details again. NAT Overload takes a Static or Dynamic IP Address that is bound to the public interface of the gateway (this could be a PC, router or firewall appliance) and allows all PCs within the private network to access the Internet.
If you find yourself wondering how this is possible with only one IP Address, you will be happy to find that the answer lies within PAT.
The diagram below shows you how a single session is handled by a NAT Overload-enabled device:
UNLEASHING THE TRUE POWER OF NAT OVERLOAD
To help cover all possibilities and questions that might come up from these examples, we're going to add another two private hosts in our internal network. We'll assume that:
1) The 2nd host in our private network is trying to telnet to the same server as the 1st host
2) The 3rd host in our private network is trying to telnet to a different server on the Internet
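To make the two-hosts-to-one-server case concrete, here is an added example (not from the original article) that simulates the NAT Overload table on the gateway: outbound packets get the public IP 203.31.220.134 and a freshly allocated public port, so replies from the same server to two internal hosts that happened to pick the same source port can still be told apart, and a reply with no table entry is dropped. The internal hosts 192.168.0.10-12, the two telnet server addresses 198.51.100.23 and 198.51.100.40 and the port pool starting at 1024 are constructed sample values; real devices also age entries out and may try to keep the original source port.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatOverload:
    """Simplified PAT (NAT Overload) table for a gateway with one public IP."""

    def __init__(self, public_ip: str, first_port: int = 1024):
        self.public_ip = public_ip
        self.next_port = first_port          # constructed pool start, not a real device default
        self.outbound = {}   # (private ip, private port, dst ip, dst port) -> public port
        self.inbound = {}    # (public port, server ip, server port) -> (private ip, private port)

    def translate_outbound(self, pkt: Packet) -> Packet:
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.outbound:
            # New flow: allocate a unique public port so two internal hosts using the
            # same source port towards the same server still get distinct table entries.
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[(port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, self.outbound[key], pkt.dst_ip, pkt.dst_port)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Reply from the Internet: rewrite to the private host, or drop (None) if unknown."""
        entry = self.inbound.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if entry is None:
            return None                      # unsolicited packet: no table entry, dropped
        private_ip, private_port = entry
        return Packet(pkt.src_ip, pkt.src_port, private_ip, private_port)


def demo():
    nat = NatOverload("203.31.220.134")
    # Constructed sample flows: hosts 1 and 2 telnet to the same server, host 3 to another.
    h1 = nat.translate_outbound(Packet("192.168.0.10", 1025, "198.51.100.23", 23))
    h2 = nat.translate_outbound(Packet("192.168.0.11", 1025, "198.51.100.23", 23))
    h3 = nat.translate_outbound(Packet("192.168.0.12", 1025, "198.51.100.40", 23))
    reply_to_h2 = nat.translate_inbound(Packet("198.51.100.23", 23, "203.31.220.134", h2.src_port))
    unsolicited = nat.translate_inbound(Packet("198.51.100.23", 23, "203.31.220.134", 5555))
    return h1, h2, h3, reply_to_h2, unsolicited
```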