Network Address Translation (NAT) - Page 2

Just what is Network Address Translation? Find out in this NAT tutorial by Neil Briscoe from PC Network Advisor



A PC/Server Connection

Leaving Network Address Translation aside for the moment, let’s consider a connection from your PC to a server. What happens when you type “telnet some.server.com” is that your operating system picks a port above 1023 and assigns it to your session. Let’s assume it picks port 1025 to use. 

It connects to some.server.com on port 23 - because port 23 is the port reserved by IANA for telnet sessions. But the source information in the packets that reach the server tells it that your machine is using port 1025 to receive its replies.

When the packets are returned from the server, therefore, they are aimed at the port number that was indicated in the original packets - in our example, port 1025. 

If you’ve ever wondered how it’s possible to talk to two separate servers at once - especially over a dial-up connection to the Internet, where the whole procedure appears to happen by magic - it is simply because your operating system assigns, say, port 1025 to the first session and port 1026 to the second. Each server sends its responses back to your machine, but each to a separate port, so when they arrive your computer knows which session they were destined for and doesn’t mix the sessions up.

Network Address Translation - the Need

The reason NAT is so important is that address space under IPv4, the current version of IP, is limited.

There are four octets, totalling 32 bits of address space. We’ve tried classful allocation of the address space, we’ve tried CIDR, but nevertheless the address space will eventually run out. These stop-gap measures have, however, preserved the address space for longer than any of us thought possible.

RFC 1918 provides the rules for using a set of reserved numbers guaranteed never to be in use on the Internet. The beauty of it is that every company that connects can pick from the same set of reserved numbers, and it doesn’t matter. 

However, because these addresses are not routed on the Internet at all, we need a method of sending packets out across the Internet, receiving the replies, and then delivering those replies inwards to the correct computer on our LAN, and to the correct session on that computer. This is where NAT comes in.

To use NAT, the router which connects your LAN to the Internet will have two addresses. On the LAN side, it will have an address from the particular RFC 1918 address range you chose to use and, on the Internet side, it will have an address assigned to you by your current ISP. 

Now let’s look at that example again. Your machine sends out a packet aimed at some.server.com. The source IP and source port are in the packet, just as before, together with the destination port and IP address. 

When it arrives at the router, the router will de-encapsulate the packet, and rewrite it. The packet it sends out onto the Internet will contain the router’s public IP address, a source port allocated from the router’s list of available ports, and the same destination IP address and port number that your machine generated. 

The router will also add an entry into a table it keeps, which maps the internal address and source port number your machine generated against the port number it allocated to this session. Therefore, when the machine some.server.com sends a reply packet to the router, the router can quickly work out how it needs to rewrite the packet before transmitting it back on the LAN.

This works well because most LANs have many computers on them - certainly more than one. Even if two separate computers happen to pick port 1025 for their respective stacks to use to start a session (quite likely when everyone fires their computers up in the morning) the router just keeps a mapping for each session it sees. 

The advantages of NAT are that, together with RFC 1918, it conserves the address space. The disadvantages are that it slows down the process of transmission, and limits the total number of simultaneous sessions through the router to slightly less than 65,000. That’s not really a disadvantage, however, since unless you had an absolutely vast external pipe you wouldn’t want to be running that many sessions through your router anyway.

Network Address Translation - Dynamic vs Static

Finally, a quick word on the difference between dynamic NAT and static NAT. What has been described so far is known as dynamic NAT - all packets leaving your LAN for the Internet carry the same source IP address, the public one assigned to your router.

There is one drawback with this. If the router is the only device with a public address, then there is no way for you to provide information services on any computer on your network. 

Suppose that, despite being a good network citizen and using RFC 1918 addressing, you nevertheless wish to provide a Web server or an FTP repository, for example. You can’t, because no one on the Internet has any way of specifying that they want to connect to the particular computer hosting the server.

However, static NAT allows this to happen. First, you will need to get your ISP to allocate you a block of public addresses. Using CIDR, most ISPs will allocate you a block of eight addresses. Because of certain rules which we won’t go into here, you will have five of these eight available for use for static mapping. 

The computer on your LAN with the service you wish to make available still gets assigned an RFC 1918 address - otherwise, you wouldn’t be able to connect to it from your own computers. Next, you configure the router with a static NAT mapping rule. You tell it the internal address in use on your LAN for the relevant computer, and you tell it the public address from your ISP-assigned address block that relates to it.

Now that this is properly set up, if someone FTPs to the public IP address listed in the static NAT mapping you made, your router will rewrite the packets and transmit them inwards to the correct machine on your LAN.
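As an added illustration, not code from the article, the Python below models the translation table described in the dynamic NAT section (two LAN hosts that both pick source port 1025) together with the static mapping for a public server just described. All addresses are constructed documentation values, and the model adds one refinement the article does not mention: a reply is only let back in if it comes from the remote endpoint the session actually spoke to, so a stranger cannot use an allocated port.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class NatRouter:  # constructed model of the router's translation table, not real router code
    def __init__(self, public_ip, static=None, first_port=1024):
        self.public_ip = public_ip
        self.static = dict(static or {})            # public IP -> private IP (static NAT)
        self.static_rev = {v: k for k, v in self.static.items()}
        self.next_port = first_port                 # router's pool of allocatable source ports
        self.table = {}    # allocated port -> (private ip, private port, remote ip, remote port)
        self.reverse = {}  # the same tuple -> allocated port, for later packets of a session

    def outbound(self, pkt):
        """Rewrite a LAN packet heading for the Internet and record the mapping."""
        if pkt.src_ip in self.static_rev:           # statically mapped host keeps its own public IP
            return replace(pkt, src_ip=self.static_rev[pkt.src_ip])
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.reverse:
            if self.next_port > 65535:
                raise RuntimeError("router port pool exhausted")
            self.table[self.next_port] = key
            self.reverse[key] = self.next_port
            self.next_port += 1
        return replace(pkt, src_ip=self.public_ip, src_port=self.reverse[key])

    def inbound(self, pkt):
        """Rewrite an Internet packet for the LAN, or return None to drop it."""
        if pkt.dst_ip in self.static:               # static NAT: any outsider may reach this host
            return replace(pkt, dst_ip=self.static[pkt.dst_ip])
        entry = self.table.get(pkt.dst_port) if pkt.dst_ip == self.public_ip else None
        # Only the remote endpoint this session spoke to may use the allocated port.
        if entry and (pkt.src_ip, pkt.src_port) == (entry[2], entry[3]):
            return replace(pkt, dst_ip=entry[0], dst_port=entry[1])
        return None

def demo():
    # Two LAN hosts both pick source port 1025; a third host is statically mapped.
    nat = NatRouter("203.0.113.5", static={"203.0.113.8": "192.168.1.80"})
    a = nat.outbound(Packet("192.168.1.10", 1025, "198.51.100.7", 23))
    b = nat.outbound(Packet("192.168.1.11", 1025, "198.51.100.7", 23))
    reply_a = nat.inbound(Packet("198.51.100.7", 23, nat.public_ip, a.src_port))
    stray = nat.inbound(Packet("198.51.100.99", 4444, nat.public_ip, a.src_port))
    ftp_in = nat.inbound(Packet("198.51.100.99", 4000, "203.0.113.8", 21))
    return a, b, reply_a, stray, ftp_in
```

The two telnet sessions leave the router on different allocated ports, the stray packet aimed at one of those ports is dropped, and the FTP connection to the statically mapped public address is rewritten to the internal server.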

To keep things relatively simple, in describing static Network Address Translation I have spoken of you providing a computer on your network, or on your LAN, as a server you allow unknown outsiders to connect to via the public Internet. From a security perspective this is a very unwise thing to do. The best advice is to get a router with two Ethernet ports, put all your company’s private machines on one segment, and put the machines you wish to be public on the other segment. Configure the router with suitable ACLs.

The Author 

Neil Briscoe is a network consultant and can be contacted at neil_briscoe@itp-journals.com.


© Copyright 2005 International Technology Publishing