The NAT Concept
NAT (Network Address Translation, also known as network masquerading or IP masquerading) is a technique for forwarding network traffic through a router that involves rewriting the source and/or destination IP addresses of packets as they pass through (and, in the common many-to-one form, the transport-layer port numbers as well).
The NAT concept is simple: it allows a single device to act as an Internet gateway for internal LAN clients by translating the clients' internal network IP addresses (the RFC 1918 private address ranges, in CIDR notation: 10.0.0.0/8, 172.16.0.0/12, i.e. 172.16.x.x through 172.31.x.x, and 192.168.0.0/16) into the public IP address of the NAT-enabled gateway device.
In other words, NAT runs on the device that's connected to the Internet and hides the rest of your network from the public, thus making your whole network appear as one device to the rest of the world.
Benefits
a) Because inbound packets are only forwarded when they match an entry in the NAT table, unsolicited connections initiated by outside hosts do not reach the local hosts. This is a side effect of the translation state, not a firewall: anything the gateway deliberately exposes (a port forward or a static mapping) is reachable from outside, and outbound connections, including those made by software already running inside the network, are not blocked at all.
b) The greatest benefit of NAT is that it is a practical mitigation for the exhaustion of IPv4 address space: many internal hosts share one public address, or a few.
c) NAT hides the internal addressing scheme from the Internet. That is obscurity rather than security, so a NAT gateway should still run a stateful firewall with an explicit policy instead of relying on the absence of a mapping.

We have a simple network of four hosts (computers) and one router that connects this network to the Internet. All hosts in our network have a private address from the 192.168.0.0/24 range, including the router's private interface (192.168.0.1), while the public interface connected to the Internet has a public, routable IP address (203.31.220.134).
How does NAT work?
The trick to understanding how NAT works is to realize that only the device (router, firewall or PC) that connects directly to the Internet performs NAT; the workstations behind it need nothing beyond using it as their default gateway.
1. All requests the workstations generate are sent towards the Internet via the router.
2. The router performs NAT on these packets and forwards them to their destination.
3. As each packet arrives on the router's private interface, the router replaces the source IP address in the layer 3 (network layer) header, e.g. 192.168.0.10, with its own public IP address (203.31.220.134) and recomputes the IP header checksum (and the TCP/UDP checksum, which also covers the addresses) before sending it to the Internet.
4. To the destination, the packet therefore appears to have originated from the router itself.

1. In this illustration, a workstation from our network (192.168.0.12) has generated a packet with destination IP address 135.250.24.10.
2. This packet is first sent to the gateway, which performs NAT on it and then forwards it to the Internet.
3. During the NAT operation, the packet's source IP is changed from 192.168.0.12 to that of the router's public interface, 203.31.220.134. Since every internal host is translated to this same address, the router also rewrites the source port to a value that is unique among its current sessions; that port is what later tells replies for different hosts apart.
4. The router records the mapping (internal IP and port, translated port, and the remote IP and port) in a special structure in its memory, the NAT table.
5. When the expected reply arrives, addressed to 203.31.220.134 and the translated port, the router looks it up in the NAT table, restores the original internal address and port, and forwards it to the right workstation.
The NAT Table
The NAT table is the heart of the whole NAT operation, which takes place within the router (or any NAT-enabled device) as packets arrive at and leave its interfaces. Each connection from the internal (private) network to the external (public, Internet) network, together with the replies to it, is tracked in this table, and the router consults it to decide what to do with every incoming packet on any of its interfaces: translate and forward the packet if it matches an entry, or drop it if it does not.
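To make the translation sequence and the NAT table above concrete, here is an added example (constructed for this page, not code from the original post or from any router vendor): a small Python simulation of a many-to-one NAT device. Packets are plain dicts, the translated-port range starting at 40000 and the rule that a reply must come from the remote endpoint the session was opened to are assumptions of the simulation, and 198.51.100.7 is a constructed outside address.

```python
"""Constructed simulation of a many-to-one NAT device and its NAT table.

Added example, not code from the original post. Packets are plain dicts
with the five fields a NAT device actually looks at; addresses are the ones
used in the text plus constructed test values. A real device also recomputes
the IP and TCP/UDP checksums after rewriting; that step is omitted here.
"""
from dataclasses import dataclass, field

PUBLIC_IP = "203.31.220.134"   # the router's public interface, as in the text


@dataclass
class NatDevice:
    public_ip: str
    next_port: int = 40000   # first translated port handed out (assumed; real devices pick from a range)
    # NAT table: (proto, translated port) -> (inside ip, inside port, remote ip, remote port)
    table: dict = field(default_factory=dict)
    # reverse index so that later packets of the same session reuse their translated port
    sessions: dict = field(default_factory=dict)
    dropped: list = field(default_factory=list)

    def outbound(self, pkt):
        """LAN -> Internet: rewrite src ip/port to the public address and a unique port."""
        session = (pkt["proto"], pkt["src_ip"], pkt["src_port"], pkt["dst_ip"], pkt["dst_port"])
        tport = self.sessions.get(session)
        if tport is None:
            tport = self.next_port
            self.next_port += 1
            self.sessions[session] = tport
            self.table[(pkt["proto"], tport)] = session[1:]
        return dict(pkt, src_ip=self.public_ip, src_port=tport)

    def inbound(self, pkt):
        """Internet -> LAN: forward only if the packet matches a NAT table entry."""
        entry = self.table.get((pkt["proto"], pkt["dst_port"]))
        # Drop anything not addressed to us, without a mapping, or coming from a
        # different remote endpoint than the session was opened to (endpoint-dependent
        # filtering, an assumption here; a full-cone NAT would skip that last check).
        if (pkt["dst_ip"] != self.public_ip or entry is None
                or (pkt["src_ip"], pkt["src_port"]) != (entry[2], entry[3])):
            self.dropped.append(pkt)
            return None
        return dict(pkt, dst_ip=entry[0], dst_port=entry[1])


def packet(proto, src_ip, src_port, dst_ip, dst_port):
    """Build a minimal packet dict (constructed input)."""
    return {"proto": proto, "src_ip": src_ip, "src_port": src_port,
            "dst_ip": dst_ip, "dst_port": dst_port}


def demo():
    """Two LAN hosts using the same source port reach the same server; replies go to the right host."""
    nat = NatDevice(PUBLIC_IP)
    # Constructed traffic: both workstations picked source port 1025 for 135.250.24.10:80.
    out_a = nat.outbound(packet("tcp", "192.168.0.12", 1025, "135.250.24.10", 80))
    out_b = nat.outbound(packet("tcp", "192.168.0.10", 1025, "135.250.24.10", 80))
    again = nat.outbound(packet("tcp", "192.168.0.12", 1025, "135.250.24.10", 80))  # same session
    reply_a = nat.inbound(packet("tcp", "135.250.24.10", 80, PUBLIC_IP, out_a["src_port"]))
    reply_b = nat.inbound(packet("tcp", "135.250.24.10", 80, PUBLIC_IP, out_b["src_port"]))
    # Unsolicited inbound connection attempt (constructed outside address from TEST-NET-2).
    stray = nat.inbound(packet("tcp", "198.51.100.7", 4444, PUBLIC_IP, 22))
    return {"out_a": out_a, "out_b": out_b, "again": again,
            "reply_a": reply_a, "reply_b": reply_b, "stray": stray, "nat": nat}


if __name__ == "__main__":
    result = demo()
    for name, value in result.items():
        print(name, value.table if name == "nat" else value)
```

Running the demo shows the two workstations leaving with the same public address but translated ports 40000 and 40001, each reply being restored to its own 192.168.0.x host, and the unsolicited packet to port 22 ending up in `dropped` because no table entry exists for it.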
Static NAT
Static NAT maps a fixed public IP address to a host inside the internal network.
In this mode each private host has a single public IP address mapped to it, e.g. private host 192.168.0.1 has the public address 203.31.218.208 mapped to it. Any packets generated by 192.168.0.1 that need to be routed to the Internet have their source IP field replaced with 203.31.218.208, and packets arriving from the Internet for 203.31.218.208 have their destination rewritten to 192.168.0.1 and are forwarded inside, whether or not the internal host initiated the exchange. A static mapping therefore exposes that host to the Internet; it is the mode used for servers that must be reachable from outside and should always be paired with firewall rules that limit what can reach them.
Dynamic NAT
With Dynamic NAT we also map internal IP addresses one-to-one to real public IP addresses, but the mapping is not fixed: when an internal host starts communicating with the Internet it is assigned a public address, and the next time it may be assigned a different one. These addresses are taken from a pool of public IP addresses that our ISP has reserved for our network.
The router is configured with a NAT timeout; when a mapping sees no traffic sent or received for that long, the router expires it and returns the public address to the pool for reuse by a different internal host.
Dynamic NAT is the mode least often found in practice: it still needs one public address per concurrently active internal host, so it neither conserves addresses the way the many-to-one form does nor provides the fixed reachability of static NAT.
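The following added example (constructed for this page, not the original post's code) puts the Static NAT and Dynamic NAT sections side by side as a small Python simulation. The static mapping is the text's own 192.168.0.1 to 203.31.218.208; the dynamic pool 203.31.218.209 and 203.31.218.210, the 300 second timeout, and the outside address 198.51.100.7 are constructed values. Time is passed in as an integer so the timeout logic can be followed without a clock.

```python
"""Constructed simulation of static and dynamic NAT (added example, not the page's code).

Neither mode rewrites ports: every mapping consumes a whole public address,
which is why the dynamic pool size bounds how many internal hosts can talk to
the Internet at the same time. Timestamps are integers (seconds) supplied by
the caller. Pool, timeout and test addresses below are assumptions for the demo.
"""


class StaticNat:
    """Fixed one-to-one mappings, e.g. 192.168.0.1 <-> 203.31.218.208 as in the text."""

    def __init__(self, mappings):
        self.outbound_map = dict(mappings)                              # private -> public
        self.inbound_map = {pub: priv for priv, pub in mappings.items()}  # public -> private

    def outbound(self, pkt):
        pub = self.outbound_map.get(pkt["src_ip"])
        return None if pub is None else dict(pkt, src_ip=pub)

    def inbound(self, pkt):
        # No session state: any packet for the public address is let in, which is
        # exactly what makes a statically mapped host reachable from outside.
        priv = self.inbound_map.get(pkt["dst_ip"])
        return None if priv is None else dict(pkt, dst_ip=priv)


class DynamicNat:
    """One-to-one mappings allocated from a pool and released after an idle timeout."""

    def __init__(self, pool, timeout):
        self.free = list(pool)     # public addresses reserved by the ISP (constructed values)
        self.timeout = timeout     # seconds of silence before a mapping expires
        self.active = {}           # private ip -> [public ip, time of last activity]

    def _expire(self, now):
        for priv, (pub, last) in list(self.active.items()):
            if now - last >= self.timeout:
                del self.active[priv]
                self.free.append(pub)   # the address goes back to the pool for reuse

    def outbound(self, pkt, now):
        self._expire(now)
        entry = self.active.get(pkt["src_ip"])
        if entry is None:
            if not self.free:
                return None          # pool exhausted: this host cannot reach the Internet right now
            entry = [self.free.pop(0), now]
            self.active[pkt["src_ip"]] = entry
        entry[1] = now
        return dict(pkt, src_ip=entry[0])

    def inbound(self, pkt, now):
        self._expire(now)
        for priv, entry in self.active.items():
            if entry[0] == pkt["dst_ip"]:
                entry[1] = now       # a reply keeps the mapping alive
                return dict(pkt, dst_ip=priv)
        return None


def pkt(src_ip, dst_ip="135.250.24.10"):
    """Minimal packet dict (constructed input); only the addresses matter here."""
    return {"src_ip": src_ip, "dst_ip": dst_ip}


def demo_static():
    nat = StaticNat({"192.168.0.1": "203.31.218.208"})
    out = nat.outbound(pkt("192.168.0.1"))
    # Unsolicited packet from outside (constructed TEST-NET-2 address): still forwarded in.
    unsolicited = nat.inbound({"src_ip": "198.51.100.7", "dst_ip": "203.31.218.208"})
    unmapped = nat.outbound(pkt("192.168.0.10"))   # no static mapping for this host
    return out, unsolicited, unmapped


def demo_dynamic():
    nat = DynamicNat(pool=["203.31.218.209", "203.31.218.210"], timeout=300)
    first = nat.outbound(pkt("192.168.0.10"), now=0)      # gets .209
    second = nat.outbound(pkt("192.168.0.11"), now=1)     # gets .210
    third = nat.outbound(pkt("192.168.0.12"), now=2)      # None: pool of two is exhausted
    reply = nat.inbound({"src_ip": "135.250.24.10", "dst_ip": "203.31.218.209"}, now=10)
    later = nat.outbound(pkt("192.168.0.12"), now=400)    # both mappings idle >= 300 s, .209 reused
    return first, second, third, reply, later


if __name__ == "__main__":
    print("static:", demo_static())
    print("dynamic:", demo_dynamic())
```

The dynamic demo is the point of the section: the third workstation gets no translation at all until a mapping has been idle for the full timeout, whereas in the static demo the unsolicited packet from outside is forwarded straight to 192.168.0.1.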

