Professional Documents
Culture Documents
Topics
RFCs
1797
Network Address Translation
Static and Dynamic
Port Address Translation
Issues with NAT/PAT
2
IPV4 address shortages and expanding Internet routing tables are still
problems
RFC-1631
A short term solution to the problem of the depletion of IP
addresses
Long term solution is IPv6
CIDR (Classless Interdomain Routing ) has been a short
term solution (RFC 1519)
NAT is another short term solution
NAT is a way to conserve IP addresses
Hide a number of hosts behind a single IP address
Use:
10.0.0.0-10.255.255.255,
172.16.0.0-172.32.255.255 or
192.168.0.0-192.168.255.255 for local networks
NAT
A NAT-enabled
NAT Terms
Inside Local Addresses An IP address assigned to a host
inside a network. This address is likely to be a RFC 1918
private address.
Inside Global Address A legitimate IP address assigned
by the NIC or service provider that represents one or
more inside local IP address to the outside world.
Outside Local Address - The IP address of an outside host
as it is known to the hosts in the inside network.
Outside Global Address - The IP address assigned to a host
on the outside network. The owner of the host assigns
this address.
9 April 2015
NAT Illustration
Destination
Pool of global IP
addresses
Source
G P
Global
Internet
Dg Sg Data
Private
Network
NAT
Dg Sp Data
Translation Modes
Static Translation
Static Translation
pseudo-code:
11
Dynamic Translation
IP Source routing could route back in; but, most firewalls block
incoming source routed packets
NAT only prevents external hosts from making connections to
internal hosts.
Some protocols wont work; protocols that rely on separate
connections back into the local network
Theoretical max of 216 connections, actual is much less
14
Example: NAT rule: dynamically translate all IPs in (class B) network 138.201 to IPs
in (class C) network 178.201.112
Each new connection from the inside gets assigned an IP from the pool of class C
addresses, as long as there are unused addresses left
If a mapping already exists for the internal host this one is used instead
As long as the mapping exists the internal host can be reached via the IP that has
been (temporarily) assigned to it
Masquerading (NAPT)
A very
15
16
Load Balancing
Network Redundancy
NAT Benefits
Eliminates
Some
Must
20
be used with:
Static Translation
offers no protection of internal hosts
State Table Timeout Problem
hacker could hijack a stale connection before it is timed out
very low probability but smart hacker could do it
Source Routing through NAT
if the hacker knows an internal address they can source route a
packet to that host
solution is to not allow source routed packets through the
firewall
Conclusion
NAT can
be static or dynamic
Uses a set of predefined private addresses
Conserves legal IPv4 addresses
NAT plus PAT often used
PAT uses unique source port numbers on the
Provides
24
a level of security