ch5.pdf

Transcript

JTO PH-II IT RIP

5 NETWORK ADDRESS TRANSLATION

5.1 OBJECTIVE
The objectives of this chapter is to understand
 Concept of NAT
 Types of NAT
 Working of NAT
 NAT Advantage and Disadvantage

5.2 INTRODUCTION TO NAT
Network Address Translation (NAT) is a technology that is useful to many
network
administrator‘s because it saves time and money when dealing with network IP
addresses. NAT allows a single network device, such as a router or firewall, to act as an
agent between the public network space and a private network space. The NAT-enabled
agent makes it possible to use a single IP address to represent an entire group of
networked computers. NAT also helps network administrators manage the private and
public portions of their network because with NAT, administrators can separate the
private and public address spaces. The address separation means that NAT makes the
physical device in the private network independent of the IP address hosts in the public
network. NAT is defined in RFC 3022. With NAT, an enterprise does not need to register
large, expensive IP address blocks from IANA. Since address blocks are a limited
resource, network address space might not even be available.
Although NAT prevents hosts in the public network from seeing any internal IP
addresses, NAT is not a method of securing the private network. At best, NAT can hide,
or obscure, network devices. For a network to be secure, you must at least have a firewall
at the border of your network. Essentially, the available IPv4 address space was on the
verge of being exhausted in the mid 1990s, but organizations still needed address blocks
for their private network spaces. The address blocks listed below are reserved for private
address space and are not routable on the backbone network.
Private Address Blocks

Address Range CIDR Notation
10.0.0.0 - 10.255.255.255 10/8
172.16.0.0 - 172.31.255.255 172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255 192.168/16

The first address block is a 24-bit block, the second block is a 20-bit block, and
the third is a 16-bit block. In pre-CIDR notation, the first block is nothing but a single
class A network number, the second block is a set of 16 contiguous class B network
numbers, and the third block is a set of 256 contiguous class C network numbers.
Any enterprise that uses IP addresses from the address space defined in Private
address range can do so without contacting or paying IANA (Internet assigned numbers
authority) or an Internet service provider. Addresses within the private address space are

JTO-PH-II IT Version Page 54 of 136
For Restricted Circulation
 JTO PH-II IT NAT

only unique within an enterprise or multiple enterprises that choose to cooperate over this
space to communicate with each other in their own private internet.

Note: NAT is not restricted to private-to-public address translation, though that is
the most common application. NAT can also perform public-to-public address
translation, as well as private-to-private address translation.NAT is only a temporarily
solution to the address shortage problem. IPv4 will eventually be replaced with IPv6,
which supports a vast address space. Both Cisco IOS devices and PIX/ASA firewalls
support NAT.

5.3 TYPES OF NAT
NAT can be implemented using one of three methods:
Static NAT – Static NAT (Network Address Translation) is one-to-one mapping
of a private IP address to a public IP address. Static NAT (Network Address Translation)
is useful when a network device inside a private network needs to be accessible from
internet. Static NAT is a potential security risk. If the network security policy is
configured incorrectly, the private network device mapped to the public IP address might
be fully exposed to the public network.

Figure 29: Static NAT

Dynamic NAT – Dynamic NAT can be defined as mapping of a private IP
address to a public IP address from a group of public IP addresses called as NAT pool.
Dynamic NAT establishes a one-to-one mapping between a private IP address to a
public IP address. Here the public IP address is taken from the pool of IP addresses
configured on the end NAT router. The public to private mapping may vary based on the
available public IP address in NAT pool.

JTO PH-II IT Version Page 55 of 136
For Restricted Circulation
 JTO PH-II IT NAT

Figure 30: Dynamic NAT
NAT Overload or Port Address Translation (PAT) – Port Address Translation
(PAT) is another type of dynamic NAT which can map multiple private IP addresses to a
single public IP address by using a technology known as Port Address Translation.
Here when a client from inside network communicate to a host in the internet, the
router changes the source port (TCP or UDP) number with another port number. These
port mappings are kept in a table. When the router receive from internet, it will refer the
table which keep the port mappings and forward the data packet to the original sender.

Figure 31: PAT

5.4 HOW DOES NAT WORK
As Figure shows, the private network uses private addresses. The router that
connects the network to the global address uses one private address and one global

JTO PH-II IT Version Page 56 of 136
For Restricted Circulation
 JTO PH-II IT NAT

address. The private network is transparent to the rest of the Internet; the rest of the
Internet sees only the NAT router with the address 200.24.5.8.

Figure 32: NAT Implementation

Address Translation
All the outgoing packets go through the NAT router, which replaces the source
address
in the packet with the global NAT address. All incoming packets also pass through
the
NAT router, which replaces the destination address in the packet (the NAT router
global
address) with the appropriate private address. Figure shows an example of address
translation.

Figure 33: Addresses in NAT

Translation Table
Translating the source addresses for outgoing packets is straightforward. But how
does the NAT router know the destination address for a packet coming from the Internet?
There may be tens or hundreds of private IP addresses, each belonging to one specific
host. The problem is solved if the NAT router has a translation table.

Using One IP Address -- In its simplest form, a translation table has only two
columns:
the private' address and the external address (destination address of the packet).
When
the router translates the source address of the outgoing packet, it also makes note
of the
destination address-where the packet is going. When the response comes back
from

JTO PH-II IT Version Page 57 of 136
For Restricted Circulation
 JTO PH-II IT NAT

the destination, the router uses the source address of the packet (as the external
address)
to find the private address of the packet. Figure 19.12 shows the idea. Note that the
addresses that are changed (translated) are shown in color.

In this strategy, communication must always be initiated by the private network.
The NAT mechanism described requires that the private network start the
communication.
NAT is used mostly by ISPs which assign one single address to a customer. The
customer, however, may be a member of a private network that has many private
addresses. In this case, communication with the Internet is always initiated from the
customer site, using a client program such as HTTP, TELNET, or FTP to access the
corresponding server program. For example, when e-mail that originates from a
noncustomer site is received by the ISP e-mail server, the e-mail is stored in the mailbox
of the customer until retrieved. A private network cannot run a server program for clients
outside of its network if it is using NAT technology.

Using a Pool of IP Addresses
Since the NAT router has only one global address, only one private network host
can access the same external host. To remove this restriction, the NAT router uses a pool
of global addresses. For example, instead of using only one global address (200.24.5.8),
the NAT router can use four addresses (200.24.5.8, 200.24.5.9,200.24.5.10, and
200.24.5.11). In this case, four private network hosts can communicate with the same
external host at the same time because each pair of addresses defines a connection.

JTO PH-II IT Version Page 58 of 136
For Restricted Circulation
 JTO PH-II IT NAT

However, there are still some drawbacks. In this example, no more than four connections
can be made to the same destination. Also, no private-network host can access two
external server programs (e.g., HTTP and FfP) at the same time.

Using Both IP Addresses and Port Numbers
To allow a many-to-many relationship between private-network hosts and external
server programs, we need more information in the translation table. For example, suppose
two hosts with addresses 172.18.3.1 and 172.18.3.2 inside a private network need to
access the HTTP server on external host 25.8.3.2. If the translation table has five columns,
instead of two, that include the source and destination port numbers of the transport layer
protocol, the ambiguity is eliminated.

Figure 34: Five Column Translation Table

Note that when the response from HTTP comes back, the combination of source
address (25.8.3.2) and destination port number (1400) defines the-private network
host
to which the response should be directed. Note also that for this translation to
work, the
temporary port numbers (1400 and 1401) must be unique.

5.5 NAT TERMINOLOGY
Specific terms are used to identify the various NAT addresses:

Inside Local – the specific IP address assigned to an inside host behind a NAT-
enabled device (usually a private address).

Inside Global – the address that identifies an inside host to the outside world
(usually a public address). Essentially, this is the dynamically or statically-assigned public
address assigned to a private host.

Outside Global – the address assigned to an outside host (usually a public
address).

Outside Local – the address that identifies an outside host to the inside network.
Often, this is the same address as the Outside Global.

Let‘s explain these NAT terms with an example

JTO PH-II IT Version Page 59 of 136
For Restricted Circulation
 JTO PH-II IT NAT

Here, we will explain NAT terms from host A‘s perspective. Host A will reach
Server C and Host B over internet. And on Router A, NAT is enabled. Host A has a
private ip address, 10.1.1.10 and this is our Inside Local Address. With this address Host
A cannot reach to Internet. So, it uses Router A‘s public ip address, 55.1.1.1 and this is
our Inside Global Address.

Figure 35: NAT Terms

There is a Router B and Server C on the above screen. The interface ip addresses
of these devices are Outside Global Addresses. These addresses
are 88.1.1.1 and 99.1.1.1. Host B has a private ip address that is used in its local network.
But Host A sees its global ip address as Outside Local Address. So, our outside local
address is also 99.1.1.1.
As a summary our NAT terms will be like below:

 Inside Local Address– 10.1.1.10
 Inside Global Address– 55.1.1.1
 Outside Global Address– 88.1.1.1, 99.1.1.1
 Outside Local Address– 99.1.1.1

However, it is occasionally necessary to translate an outside (usually public)
address to an inside (usually private) address. For simplicity sake, it is generally
acceptable to associate global addresses with public addresses, and local addresses with
private addresses.
However, remember that public-to-public and private-to-private translation is still
possible. Inside hosts are within the local network, while outside hosts are external to the
local network.

JTO PH-II IT Version Page 60 of 136
For Restricted Circulation
 JTO PH-II IT NAT

5.6 NAT ADVANTAGES AND DISADVANTAGE
Network Address Translation (NAT) technology has many advantages and
disadvantages. Main advantages and disadvantages of NAT (Network Address
Translation) are listed below.
Advantages of NAT
 The main advantage of NAT (Network Address Translation) is that it can prevent the
depletion of IPv4 addresses.
 NAT (Network Address Translation) can provide an additional layer of security by making
the oringinal source and destination addresses hidden.
 NAT (Network Address Translation) provides increased flexibility when connecting to the
public Internet
 NAT (Network Address Translation) allows to use your own private IPv4
addressing system and prevent the internal address changes if you change the
service provider.

DISADVANTAGES OF NAT
 NAT (Network Address Translation) is a processor and memory resource
consuming technology, since NAT (Network Address Translation) need to
translate IPv4 addresses for all incoming and outgoing IPv4 datagrams and to
keep the translation details in memory.
 NAT (Network Address Translation) may cause delay in IPv4 communication.
 NAT (Network Address Translation) cause loss of end-device to end-device IP
traceability
 Some technologies and network applications will not function as expected in
a NAT (Network Address Translation) configured network.
5.7 CONCLUSION:
The rapid growth of the Internet resulted in a shortage of available IPv4 addresses.
In response, a specific subset of the IPv4 address space was designated as private, to
temporarily alleviate this problem. A public address can be routed on the Internet. Thus,
devices that must be Internet-accessible must be configured with (or reachable by) public
addresses. A private address is intended for internal use within a home or organization,
and can be freely used by anyone. However, private addresses can never be routed on the
Internet. In fact, Internet routers are configured to immediately drop traffic with private
addresses. It is possible to translate between private and public addresses, using Network
Address Translation (NAT). NAT allows a host configured with a private address to be
stamped with a public address, thus allowing that host to communicate across the Internet.
It is also possible to translate multiple privately-addressed hosts to a single public address,
which conserves the public address space.NAT provides an additional benefit – hiding the
specific addresses and addressing structure of the internal (or private) network.

JTO PH-II IT Version Page 61 of 136
For Restricted Circulation