What is NAT and how it works - episode 1 REPRINT

Authorized reprint by author zhushigeng (Vinsoney)


1. Overview of NAT



Network address translation (NAT) is an important contribution to alleviating IPv4 address exhaustion. Once NAT is deployed on a network device, the device can translate the IP addresses and port numbers carried in packets.

IP addresses are either public or private. A private IP address is valid only on a local area network (LAN); it is not routable on a public network (the Internet). A LAN PC therefore needs a public IP address when it accesses the public network. Public IP addresses are scarce, however, so LANs are numbered from the private IPv4 address space, and intranet users still need a way to reach the Internet.

NAT translates the source or destination address in an IP packet. When a packet with a private source IP address reaches the network egress, the NAT device translates the private IP address into a valid public IP address and forwards the packet to the public network. When the return packet arrives, the NAT device translates its destination IP address back to the original private IP address.

Table 1-1 Advantages and disadvantages of NAT

Advantages:
- It alleviates the shortage of public network addresses.
- It prevents IP address conflicts or overlaps.
- It supports higher network scalability and easier local control.
- The internal network structure and related operations are hidden from the outside.
- Security is enhanced.

Disadvantages:
- It introduces forwarding delay.
- End-to-end (E2E) addressing becomes difficult.
- Some applications do not support NAT.
- NAT entries consume memory resources on the device.
- Device performance problems can occur.


2. NAT Types

NAT is classified into two types:

- Source IP address-based NAT:
  - No-port address translation (no-PAT)
  - Network address port translation (NAPT)
- Destination IP address-based NAT:
  - NAT internal server function
  - Destination NAT


2.1 NAT Type 1: Source IP Address Translation — No-PAT

No-PAT is one-to-one address translation. During translation, the source IP address of a packet is translated from a private IP address to a public IP address, but the port number (TCP or UDP port number) is not changed: every port of the private address corresponds to the same port of the public address before and after translation. The advantage of this mode is that the ports of the private address are carried through unchanged. The disadvantage is that the public address cannot be mapped to any other private address at the same time: each private IP address exclusively consumes one public IP address.

For example, suppose an address pool contains only two public IP addresses, and each private host uses one public IP address to access the public network. Then only two private hosts can access the public network at the same time. A third private host can access the public network only after one of the two hosts stops and its public IP address is released.

[Figure: no-PAT translation example]

The preceding figure is used as an example. Assume that the network administrator has obtained one public IP address (200.1.1.100) and deploys no-PAT on a firewall. A PC at 192.168.1.1 wants to access 8.8.8.8 on the public network; the source and destination IP addresses of the packets are shown in the figure. When the packet reaches the firewall, the firewall translates the source IP address 192.168.1.1 to 200.1.1.100 (the port number is not translated) according to a NAT mapping entry and forwards the packet to 8.8.8.8 over the Internet. The host at 8.8.8.8 then replies; the destination IP address of its reply is 200.1.1.100, because the public network knows nothing about 192.168.1.1. When the reply reaches the firewall, the firewall translates the destination IP address back to 192.168.1.1 according to the same NAT mapping entry and forwards the packet to 192.168.1.1. This is the mechanism of one-to-one NAT mapping. As the description shows, no-PAT by itself does not relieve IP address exhaustion: if 10 intranet PCs are to access the public network at the same time, 10 public IP addresses must be available.

In actual deployment, IP address pool-based no-PAT is used. One or more public IP addresses are placed in an IP address pool, and the address pool is used for source address conversion. If NAT is required for packets sent by an intranet device, the firewall selects an idle address from the address pool, creates a NAT mapping entry, and translates the private source IP address of the packet to a public IP address. When another device needs to access the Internet, the firewall selects another available public IP address from the address pool. In this mode, each private IP address is mapped to a single public IP address.


2.2 NAT Type 2: NAPT


[Figure: NAPT translation example]

NAPT lets multiple private network users share one public IP address by translating port numbers together with IP addresses; it is also called address multiplexing. A NAPT device maps multiple private IP addresses to the same public IP address with different port numbers, implementing many-to-one or many-to-many address translation. This greatly alleviates the IPv4 address shortage: one or a few purchased public IP addresses are enough for a large number of PCs to access the public network at the same time.

As shown in the preceding figure, the internal IP addresses 192.168.1.1 and 192.168.1.2 share the public IP address 200.1.1.100 when accessing the external network. When 192.168.1.1 uses TCP source port 1023 to send packets to the external network over a NAT session, the firewall creates a NAT mapping entry that maps 192.168.1.1:1023 to 200.1.1.100:39612, and uses the entry to convert the source IP address and source TCP port number of the packet. Then the converted packet is sent out. When receiving a return packet, the firewall converts the destination address and port number based on the NAT mapping entry. When the internal IP address 192.168.1.2 uses TCP source port 1569 to access the external network over the other NAT session, the firewall maps the private IP address to a public IP address 200.1.1.100 and port number 39613. In this way, the two sessions are distinguished based on port numbers.
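The following Python model, added here as an illustration and not code from the original article or from any vendor's firewall, walks through both source NAT modes described in sections 2.1 and 2.2 with the article's own addresses. The no-PAT mode takes whole public addresses from a pool and leaves ports alone, so a third host is refused once two addresses are in use until one is released; the NAPT mode multiplexes every flow onto 200.1.1.100 with a fresh public port. The starting port 39612 is chosen only to reproduce the article's example, the Packet values are constructed sample data, and mapping entries are keyed on the private endpoint only (an assumption, since the article does not say whether entries also depend on the destination). Note that the inbound path drops anything without a matching entry: this is the state-table side effect behind the "security is enhanced" line in Table 1-1, not a substitute for a filtering policy.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Only the header fields a NAT device rewrites (constructed sample data)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class SourceNAT:
    """Simplified egress (source) NAT as performed on a firewall.

    mode="no-pat": each private IP takes one whole public IP from the pool;
                   ports are untouched and the public address is exclusive.
    mode="napt":   every (private IP, port, proto) flow is mapped to the shared
                   public IP plus a fresh public port, so many hosts share one IP.
    """

    def __init__(self, mode: str, pool: List[str], first_port: int = 39612) -> None:
        if mode not in ("no-pat", "napt"):
            raise ValueError("mode must be 'no-pat' or 'napt'")
        self.mode = mode
        self.free = list(pool)          # idle public addresses (no-PAT pool)
        self.shared_ip = pool[0]        # NAPT multiplexes onto one address
        self.next_port = first_port     # 39612 reproduces the article's example
        self.forward: Dict[Tuple, Tuple] = {}   # private key -> public key
        self.reverse: Dict[Tuple, Tuple] = {}   # public key  -> private key

    def outbound(self, p: Packet) -> Optional[Packet]:
        """Translate a packet leaving the intranet; None means it is dropped."""
        if self.mode == "no-pat":
            key = (p.src_ip,)
            if key not in self.forward:
                if not self.free:
                    return None              # pool exhausted: no free public IP
                pub = (self.free.pop(0),)
                self.forward[key], self.reverse[pub] = pub, key
            return replace(p, src_ip=self.forward[key][0])

        key = (p.src_ip, p.src_port, p.proto)
        if key not in self.forward:
            pub = (self.shared_ip, self.next_port, p.proto)
            self.next_port += 1              # the next new flow gets the next port
            self.forward[key], self.reverse[pub] = pub, key
        pub = self.forward[key]
        return replace(p, src_ip=pub[0], src_port=pub[1])

    def inbound(self, p: Packet) -> Optional[Packet]:
        """Translate a packet arriving from the Internet back to the private host.

        A packet matching no mapping entry is dropped, which is why unsolicited
        inbound connections never reach intranet hosts behind source NAT.
        """
        key = (p.dst_ip,) if self.mode == "no-pat" else (p.dst_ip, p.dst_port, p.proto)
        priv = self.reverse.get(key)
        if priv is None:
            return None
        if self.mode == "no-pat":
            return replace(p, dst_ip=priv[0])
        return replace(p, dst_ip=priv[0], dst_port=priv[1])

    def release(self, private_ip: str) -> None:
        """no-PAT only: the host has stopped, so return its public IP to the pool."""
        if self.mode != "no-pat":
            return
        pub = self.forward.pop((private_ip,), None)
        if pub is not None:
            self.reverse.pop(pub, None)
            self.free.append(pub[0])


if __name__ == "__main__":
    napt = SourceNAT("napt", ["200.1.1.100"])
    print(napt.outbound(Packet("192.168.1.1", 1023, "8.8.8.8", 80)))   # -> 200.1.1.100:39612
    print(napt.outbound(Packet("192.168.1.2", 1569, "8.8.8.8", 80)))   # -> 200.1.1.100:39613
    print(napt.inbound(Packet("8.8.8.8", 80, "200.1.1.100", 39613)))   # -> back to 192.168.1.2:1569
    print(napt.inbound(Packet("1.2.3.4", 4444, "200.1.1.100", 50000))) # -> None (no entry)
```

Running the module prints the two NAPT mappings from the article's figure, the reverse translation of the reply, and the dropped unsolicited packet; the same class in "no-pat" mode with a two-address pool shows the third-host refusal described in section 2.1.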


2.3 NAT Type 3: NAT Internal Server


[Figure: NAT internal server example]

The NAT internal server function is the most commonly used form of destination address translation. Suppose a server with a private IP address, for example a web server, is deployed on the intranet and must provide services to the external network. Internet users cannot reach the server by its private IP address. The NAT internal server function maps the server's private IP address to a specific public IP address, so that public network users access the intranet server by accessing that public IP address.

The NAT internal server function allows internal servers to be reached from external networks. When a user on an external network accesses an internal server, the NAT device translates the destination IP address of the request packet into the private IP address of the internal server. When the response packet from the internal server arrives, the NAT device automatically translates the private source IP address of the response back into the public IP address.

As shown in the preceding figure, the internal server at 192.168.1.10 must be reachable from outside. The NAT internal server function is deployed on the firewall to map the private IP address 192.168.1.10 and TCP port 80 to the public IP address 200.1.1.100 and TCP port 8080. When a public network user accesses 200.1.1.100:8080, the user reaches the web service on the intranet server.
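As an added illustration of the internal server function (not code from the article or from any vendor's product), the model below holds a static publication table and translates both directions of the exchange in the figure: the request to 200.1.1.100:8080 is rewritten to 192.168.1.10:80, and the server's response has its source rewritten back to the public address and port. Only tuples that were explicitly published are translated; a request to any other port on the public address, or to the right port with the wrong protocol, is dropped, which is the property a defender relies on when publishing a single service this way. The Packet fields and the client address 3.3.3.3:51000 are constructed sample data.

```python
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Only the header fields a NAT device rewrites (constructed sample data)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


Endpoint = Tuple[str, int, str]   # (ip, port, proto)


class InternalServerNAT:
    """Static destination NAT ("NAT internal server" / port mapping).

    Only explicitly published (public IP, port, proto) tuples are reachable;
    any other packet aimed at the public address is dropped.
    """

    def __init__(self) -> None:
        self.published: Dict[Endpoint, Tuple[str, int]] = {}   # public  -> private
        self.private: Dict[Endpoint, Tuple[str, int]] = {}     # private -> public

    def publish(self, public_ip: str, public_port: int,
                private_ip: str, private_port: int, proto: str = "tcp") -> None:
        """Add one static mapping entry, e.g. 200.1.1.100:8080 -> 192.168.1.10:80."""
        self.published[(public_ip, public_port, proto)] = (private_ip, private_port)
        self.private[(private_ip, private_port, proto)] = (public_ip, public_port)

    def from_internet(self, p: Packet) -> Optional[Packet]:
        """Rewrite the destination of a request arriving from the public network."""
        target = self.published.get((p.dst_ip, p.dst_port, p.proto))
        if target is None:
            return None                      # unpublished port or protocol: drop
        return replace(p, dst_ip=target[0], dst_port=target[1])

    def from_server(self, p: Packet) -> Optional[Packet]:
        """Rewrite the source of the server's response so the client sees the public address."""
        pub = self.private.get((p.src_ip, p.src_port, p.proto))
        if pub is None:
            return None                      # not a published service: drop
        return replace(p, src_ip=pub[0], src_port=pub[1])


if __name__ == "__main__":
    nat = InternalServerNAT()
    nat.publish("200.1.1.100", 8080, "192.168.1.10", 80)
    req = Packet("3.3.3.3", 51000, "200.1.1.100", 8080)          # constructed client
    print(nat.from_internet(req))                                 # -> dst 192.168.1.10:80
    print(nat.from_server(Packet("192.168.1.10", 80, "3.3.3.3", 51000)))  # -> src 200.1.1.100:8080
    print(nat.from_internet(Packet("3.3.3.3", 51001, "200.1.1.100", 22)))  # -> None
```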


Learn more: what is NAT and how it works episode 2 REPRINT


Learn more: what is NAT and how it works episode 3 REPRINT

