- Internet Security - this has become the most important goal of network administrators. The first step of any security plan is to make users anonymous.
- Internet Addresses - these are limited, and have become a very valuable commodity.
NAT enhances security by changing the IP address and port of each user, so that the outside world (the Internet) sees them as someone else (much like the government's witness protection program). Their identities are changed, and they become anonymous. PAT allows groups of users to share one common IP address, which is a godsend to corporations, small businesses, and the Internet itself, which is running out of available IP addresses. NAT and PAT are very simple, yet extremely powerful, concepts.
Cisco defines these terms as:
- Inside local address—The IP address assigned to a host on the inside network. This is the address configured as a parameter of the computer OS or received via dynamic address allocation protocols such as DHCP. The address is likely not a legitimate IP address assigned by the Network Information Center (NIC) or service provider.
- Inside global address—A legitimate IP address assigned by the NIC or service provider that represents one or more inside local IP addresses to the outside world.
- Outside local address—The IP address of an outside host as it appears to the inside network. Not necessarily a legitimate address, it is allocated from an address space routable on the inside.
- Outside global address—The IP address assigned to a host on the outside network by the host owner. The address is allocated from a globally routable address or network space.
NAT (1-to-1 translation) - takes source IP addresses and maps them to outside Internet IP addresses. As shown in the following NAT example, it takes a network address 10.0.0.1 and "translates" it to another network address 18.104.22.168. It is a simple lookup table, where each row is created by a router command giving the two addresses. The user address is behind the router on the LAN interface, and the Internet address is sent out across the serial interface.
PAT (many-to-1 translation - overload) - uses source IP addresses and ports to uniquely identify user workstations by their socket. A socket is simply an IP address and a port number. This allows mapping of up to 65,536 inside "socket" addresses to 1 outside address (hence the term 'overload').
In the above PAT example, suppose local private hosts 10.6.1.2 and 10.6.1.6 both send packets from source port 2000. A PAT device might translate these to a single public IP address 22.214.171.124 but two different source ports, say 2031 and 1506. Response traffic received for port 2031 is routed to 10.6.1.2 while port 1506 traffic is routed to 10.6.1.6.
The following image shows how 3 users can all communicate on the Internet with just one IP address. The router shown must be capable of performing NAT:
NAT Overloading Example
For this example, you have four users (each using non-routable internal network addresses) behind a router with NAT capability. The router has one legal IP address, 126.96.36.199, that it advertises to the Internet, but four unique ports. A remote server may communicate with multiple workstations on this LAN by also using its one IP address but four unique ports.
Here's how the overloading works. The key is an "address translation table" set up and stored by the router:
- An internal network (stub domain) has been set up with non-routable IP addresses that were not specifically allocated to that company by IANA.
- The company sets up a router with NAT enabled. The router has a unique IP address given to the company by IANA.
- A computer on the stub domain attempts to connect to a computer outside the network, such as a Web server with IP address 175.56.28.03.
- The router receives the packet from the computer on the stub domain.
- The router saves the computer's non-routable IP address and port number to an address translation table. The router replaces the sending computer's non-routable IP address with the router's IP address. The router also replaces the sending computer's source port; it is simplest to use the row number of that entry in the address translation table. For example, the first entry is for computer A, and that computer's source port (400) is stored, along with the translated port number (1). The translation table now has a mapping of the computer's non-routable IP address and port number to the router's IP address and translated port. NOTE 1: from now on, anyone in the outside world communicating with computer A will believe that computer A's address and port is 188.8.131.52, port 1 (the router's address, with port 1). The router receives the data, translates it to 192.168.32.10, port 400, and delivers it to computer A via the Ethernet segment. NOTE 2: the port numbers 1, 2, 3, and 4 are reserved "well-known" port numbers (well-known ports are those in the range from 1 to 1023). It is unclear how they can instead be used for the purpose of address translation, but apparently it does not cause problems.
- When a packet comes back from the destination computer, the router checks the destination port on the packet. It then looks in the address translation table to see which computer on the stub domain the packet belongs to. It changes the destination address and destination port to the one saved in the address translation table and sends it to that computer.
- The computer receives the packet from the router and the process repeats as long as the computer is communicating with the external system.
- Since the NAT router now has the computer's source address and source port saved to the address translation table, it will continue to use that same port number for the duration of the connection. A timer is reset each time the router accesses an entry in the table. If the entry is not accessed again before the timer expires, the entry is removed from the table.
As you can see, the NAT router stores the IP address and port number of each computer in the address translation table. It then replaces the IP address with its own registered IP address and the port number corresponding to the location of the entry for that packet's source computer in the table. So any external network sees the NAT Router's IP address and the port number assigned by the router as the source computer information on each packet.
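The table-driven procedure above (outbound translation that adds a row, inbound lookup by translated port, the access list deciding who gets translated, and the idle timer that removes stale rows) can be modelled in a few dozen lines. The following Python simulation is an added example and is not code from the original page or from Cisco; the public address 203.0.113.1, the 300-second idle timeout and the packet sequence are constructed values, and unlike the row-number ports 1..4 used in the walkthrough it allocates translated ports from 1024 upward so that no well-known port is handed out.

```python
"""Toy PAT (NAT overload) translation table modelled on the steps in the text.

Added example, not part of the original page. Addresses, timeout and the
packet sequence in __main__ are constructed for illustration.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple

Socket = Tuple[str, int]  # (IP address, port number), the "socket" of the text


@dataclass
class Entry:
    inside_local: Socket   # LAN host's private address and its real source port
    inside_global: Socket  # router's public address and the translated port
    last_seen: float       # clock value of last use; drives the idle timer


@dataclass
class PatRouter:
    public_ip: str
    nat_networks: Tuple[str, ...]   # plays the role of the access list: prefixes that get NAT
    idle_timeout: float = 300.0     # seconds an unused row survives (constructed value)
    first_port: int = 1024          # start of the translated-port pool; avoids ports 1-1023
    table: Dict[Socket, Entry] = field(default_factory=dict)         # keyed by inside local socket
    by_global_port: Dict[int, Entry] = field(default_factory=dict)   # keyed by translated port
    _next_port: int = field(init=False, default=0)

    def __post_init__(self) -> None:
        self._next_port = self.first_port

    def _needs_nat(self, src_ip: str) -> bool:
        """Hosts outside nat_networks keep their dedicated address and pass untranslated."""
        addr = ip_address(src_ip)
        return any(addr in ip_network(n) for n in self.nat_networks)

    def _allocate_port(self) -> int:
        """Hand out the next free translated port, wrapping around the pool."""
        for _ in range(65535 - self.first_port + 1):
            port = self._next_port
            self._next_port = self.first_port if port == 65535 else port + 1
            if port not in self.by_global_port:
                return port
        raise RuntimeError("translation table full")

    def expire(self, now: float) -> int:
        """Drop rows whose idle timer has run out; returns how many were removed."""
        stale = [k for k, e in self.table.items() if now - e.last_seen > self.idle_timeout]
        for k in stale:
            entry = self.table.pop(k)
            self.by_global_port.pop(entry.inside_global[1])
        return len(stale)

    def outbound(self, src: Socket, now: float) -> Socket:
        """Translate an outgoing packet's source socket; returns what the Internet sees."""
        self.expire(now)
        if not self._needs_nat(src[0]):
            return src
        entry = self.table.get(src)
        if entry is None:  # first packet from this socket: create the row
            port = self._allocate_port()
            entry = Entry(src, (self.public_ip, port), now)
            self.table[src] = entry
            self.by_global_port[port] = entry
        entry.last_seen = now  # the timer is reset on every use of the row
        return entry.inside_global

    def inbound(self, dst: Socket, now: float) -> Optional[Socket]:
        """Map a packet arriving at the public address back to the LAN socket.

        Returns None when no row matches: an unsolicited packet has nowhere
        to go, which is the filtering side effect of overloading.
        """
        self.expire(now)
        if dst[0] != self.public_ip:
            return dst  # addressed to an untranslated host
        entry = self.by_global_port.get(dst[1])
        if entry is None:
            return None
        entry.last_seen = now
        return entry.inside_local


if __name__ == "__main__":
    # Constructed replay of the PAT example: two hosts, same source port 2000.
    r = PatRouter(public_ip="203.0.113.1", nat_networks=("10.6.1.0/24",))
    print("10.6.1.2:2000 ->", r.outbound(("10.6.1.2", 2000), now=0.0))
    print("10.6.1.6:2000 ->", r.outbound(("10.6.1.6", 2000), now=1.0))
    print("reply to port 1025 ->", r.inbound(("203.0.113.1", 1025), now=2.0))
    print("unsolicited port 9999 ->", r.inbound(("203.0.113.1", 9999), now=3.0))
    print("after idle timeout ->", r.inbound(("203.0.113.1", 1024), now=400.0))
```

Two points the walkthrough glosses over are visible here: the same inside socket reuses its row on every packet rather than getting a new port, and a packet for a translated port with no row is dropped rather than forwarded, so an idle-timer expiry also closes the return path for that flow.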
You can still have some computers on the stub domain that use dedicated IP addresses. You can create an access list of IP addresses that tells the router which computers on the network require NAT. All other IP addresses will pass through untranslated.
The number of simultaneous translations that a router will support is determined mainly by the amount of DRAM (Dynamic Random Access Memory) it has. But since a typical entry in the address translation table only takes about 160 bytes, a router with 4 MB of DRAM could theoretically process 26,214 simultaneous translations! Which is more than enough for most applications.
On Cisco routers, the NAT and PAT translation table can be viewed with the command "show ip nat translations"; the command "clear ip nat translation" clears all dynamic address translation entries from the NAT translation table.