Network Address Translation (NAT)
NAT was developed to address a couple of concerns. First, the number of public IP addresses available on the Internet was becoming depleted. Second, because of the interconnectivity of networks, it was possible for an administrator to assign a set of IP addresses to a network that someone else might be using. This is a common situation when two companies and their respective networks are combined. NAT addresses these two concerns by providing a mechanism by which any number of IP addresses can be translated to a different range of IP addresses, or in some cases a single or smaller range of IP addresses.

To address the limitation of available IP addresses, NAT can be used to translate hundreds or even thousands of IP addresses to just a couple of IP addresses or even a single IP address, thereby allowing a company to provide Internet access to its hosts without needing to allocate thousands of IP addresses on the Internet to do so. To address the issue of invalid networks, or in many cases duplicate networks, NAT can be used to allow each network to appear as a completely different network. Figure 3-13 illustrates the process of NAT and Internet connectivity.

Figure 3-13. Example of NAT and Internet Access

In this example, when Host A attempts to access the Internet, the firewall translates the request from having a source address of 10.1.1.100 to having a source address of 209.165.201.10 and transmits the data across the Internet. The firewall then stores this translation in its translation table so that it knows how to deal with the return traffic. When Host B receives the data, it thinks it is communicating with 209.165.201.10 and addresses the return traffic accordingly. When the firewall receives the return traffic, it refers back to its translation table and determines that the traffic should be delivered to 10.1.1.100. The firewall repackages the packet, this time changing the destination IP address to 10.1.1.100, and transmits it accordingly. In doing so, Hosts A and B can communicate with each other, for all intents and purposes completely unaware that NAT is occurring.

Because NAT effectively hides the actual IP addresses that are in use, many networks have elected to use it in conjunction with private IP addresses. Private IP addresses are defined in RFC 1918 and are a predefined set of IP addresses that cannot be used on the Internet and therefore are referred to as nonroutable. Because NAT prevents Internet-connected hosts from being able to ascertain what IP address is being used behind a NAT router, organizations have elected to implement the private IP addresses so that they can pretty much do whatever they want with them without concern for how they may interact with the Internet or other networks. The RFC 1918 IP addresses are as follows:

• 10.0.0.0/8
• 176.16.0.0/12
• 192.168.0.0/16

Note
RFC 3022 and RFC 2663 define NAT.

NAT Implementations

There are four primary NAT implementations. They all accomplish the same function, translating traffic from one IP address to another, but they go about the translation process in different manners. They are as follows:

• Static NAT: Static NAT is sometimes referred to as traditional NAT, and refers to the mapping of one IP address to another IP address. Consequently, static NAT implementations require the same number of IP addresses as need to be translated. For this reason, static NAT is not an effective method of reducing the number of IP addresses required for access to a network or the Internet.
• Dynamic NAT: Dynamic NAT functions in a similar fashion to static NAT, but instead of each IP address having a one-to-one translation, a dynamic pool of IP addresses can be used for the translation. Doing so enables you to reduce the number of IP addresses in use because the pool of addresses can be smaller than the total number of IP addresses that must be translated.
• Port Address Translation: Whereas static and dynamic NAT perform a translation from one IP address to another, Port Address Translation (PAT) allows for the translation of a number of IP addresses to a single IP address. This is done by translating requests by TCP or UDP port. The translating router or firewall builds a NAT table, but instead of assigning an IP address for the outbound communications, it assigns a port number. When the response comes back to that port number, the translating router or firewall reverses the process.
• Bidirectional NAT: In most cases, NAT is used to translate data in a single direction, typically from an internal or protected network to an external or unprotected network. Bidirectional NAT provides for the use of NAT regardless of the direction of the traffic flow.

NAT and IPsec: The Issues and the Solutions

Although NAT works in most cases, not all traffic can be successfully translated (in particular, when the original data cannot be manipulated, as is the case with IPsec). The reason for this is that the NAT process actually changes the data packet while it is being translated. Because of the nature of IPsec, when the data packet is rebuilt using NAT, the receiving router detects that the data has been changed (the source IP address is no longer the correct source IP address) and discards the packet. To address this, a process known as NAT traversal (NAT-T) has been developed.

NAT-T encapsulates the complete IPsec packet into either a TCP or UDP packet, which is then translated accordingly. By doing this, the traffic can be translated as required without the original IPsec data being changed. Figure 3-14 illustrates the encapsulation process and subsequent NAT.

Figure 3-14. NAT-T Encapsulation ...
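The translation table described for Figure 3-13, extended to the many-to-one case of PAT, as an added example that is not code from the book: outbound flows from several inside hosts are rewritten to the single public address 209.165.201.10 and told apart by the allocated port, return traffic is mapped back through the same table, and traffic with no table entry is dropped. The second inside host 10.1.1.101 and the remote host 198.51.100.7 are constructed for the demo.

```python
"""Toy PAT table for the Figure 3-13 exchange (added example, not the book's code).
Inside host 10.1.1.100 and public address 209.165.201.10 come from the figure;
the second inside host 10.1.1.101 and remote host 198.51.100.7 are constructed."""
from dataclasses import dataclass, replace
from itertools import count
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class PatFirewall:
    """Many inside (ip, port) pairs share one public IP; the port distinguishes flows."""

    def __init__(self, public_ip: str, first_port: int = 1024) -> None:
        self.public_ip = public_ip
        self._ports = count(first_port)
        # (proto, inside ip, inside port, remote ip, remote port) -> allocated public port
        self.out_table: Dict[Tuple, int] = {}
        # (proto, public port, remote ip, remote port) -> (inside ip, inside port)
        self.in_table: Dict[Tuple, Tuple[str, int]] = {}

    def translate_out(self, pkt: Packet) -> Packet:
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.out_table:  # first packet of a flow: allocate a public port
            port = next(self._ports)
            self.out_table[key] = port
            self.in_table[(pkt.proto, port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.public_ip, src_port=self.out_table[key])

    def translate_in(self, pkt: Packet) -> Optional[Packet]:
        """Return traffic is mapped back through the table; anything unmatched is dropped."""
        entry = self.in_table.get((pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port))
        return None if entry is None else replace(pkt, dst_ip=entry[0], dst_port=entry[1])


def demo() -> Tuple[Packet, Packet, Optional[Packet], Optional[Packet]]:
    """Two inside hosts reach the same web server through one public address."""
    fw = PatFirewall("209.165.201.10")
    a_out = fw.translate_out(Packet("10.1.1.100", 40000, "198.51.100.7", 80))
    c_out = fw.translate_out(Packet("10.1.1.101", 40000, "198.51.100.7", 80))
    reply_to_a = fw.translate_in(Packet("198.51.100.7", 80, a_out.src_ip, a_out.src_port))
    unsolicited = fw.translate_in(Packet("198.51.100.7", 80, "209.165.201.10", 9999))
    return a_out, c_out, reply_to_a, unsolicited
```

Both inside hosts use the same source port 40000, which is exactly the collision the allocated public port resolves; the unsolicited packet shows why a PAT device also behaves as a coarse inbound filter.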