Chapter 12. Scaling IP Addressing with Network Address Translation: Configuring NAT

NAT Operation

NAT is sometimes confused with a proxy server, but there are definite differences between the two. NAT is transparent to the source and destination computers, whereas a proxy server is not: the source computer has to be specifically configured to communicate with a proxy server, and the destination computer sees the proxy server as the source computer. Proxy servers usually operate at Layer 4 (the transport layer of the OSI Reference Model) or higher, and NAT operates at Layer 3 (the network layer). Because proxy servers are usually an add-on application, they might be slower than NAT, because NAT is accomplished in hardware.

NAT is configured on the device you use to connect to an external network, whether it is a firewall, router, or computer. Before you get too far into the operation of NAT, you need to have a basic understanding of its many forms and the several ways in which it can be used:

At this point it is worth noting that your internal network, or LAN, is often referred to as a stub domain. When used in this manner, a stub domain is a LAN that uses IP addresses internally, with most of the network traffic having a local destination. Although you are allowed to have both registered and unregistered IP addresses in your stub domain, any network device that uses an unregistered IP address must use NAT to communicate with the outside world. Figure 12-1 illustrates a NAT operation in which a host on a private network communicates with a host on a public network and a host on the public network communicates with a host on the private network.

Figure 12-1. NAT Operation



One other benefit of implementing dynamic NAT on your device is that it can automatically create a simple firewall between your internal network and outside networks or the Internet. NAT does this by allowing only connections that originate inside your stub domain: a computer on an external network cannot reach your computer unless your computer initiated the contact. Using static NAT allows you to define where a connection initiated by an external device can connect on your computers. For instance, you might want to map an inside global address to the specific inside local address that is assigned to your web server. Keep in mind that this simple firewall should not be considered a replacement for items such as the Cisco Secure PIX Firewall or the Cisco IOS Firewall Feature Set, because TCP packets may be forged by an unauthorized user to gain access to your "protected" devices.
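To make the simple-firewall behaviour concrete, here is an added Python model of a NAT translation table (example code written for this section, not from the book or from Cisco IOS); it shows why dynamic NAT forwards only replies to inside-initiated connections while a static entry admits outside-initiated traffic to one chosen host. All addresses are constructed sample values.

```python
# Added example, not the book's code: a toy NAT translation table that shows
# why dynamic NAT passes only inside-initiated connections while a static
# entry admits outside-initiated traffic to one host. Addresses are constructed.
from collections import namedtuple

Packet = namedtuple("Packet", "src dst")  # source IP, destination IP

class NatRouter:
    def __init__(self, static_entries, dynamic_pool):
        self.table = dict(static_entries)  # inside local -> inside global
        self.pool = list(dynamic_pool)     # free inside global addresses
        self.log = []                      # what the router did and why

    def outbound(self, pkt):
        # Inside -> outside: create a dynamic entry on first use, rewrite source.
        if pkt.src not in self.table:
            if not self.pool:
                self.log.append(f"drop out {pkt.src}: pool exhausted")
                return None
            self.table[pkt.src] = self.pool.pop(0)
        self.log.append(f"out {pkt.src} -> {self.table[pkt.src]}")
        return Packet(self.table[pkt.src], pkt.dst)

    def inbound(self, pkt):
        # Outside -> inside: forwarded only if a translation already exists;
        # this is the "simple firewall" effect of NAT.
        local = next((l for l, g in self.table.items() if g == pkt.dst), None)
        if local is None:
            self.log.append(f"drop in {pkt.src} -> {pkt.dst}: no translation")
            return None
        self.log.append(f"in {pkt.dst} -> {local}")
        return Packet(pkt.src, local)

def demo():
    # Static entry for the web server, two-address pool for everyone else.
    nat = NatRouter({"10.0.0.5": "203.0.113.5"}, ["203.0.113.10", "203.0.113.11"])
    outside = "198.51.100.7"
    return {
        # unsolicited packet to a pool address with no entry yet: dropped
        "unsolicited": nat.inbound(Packet(outside, "203.0.113.10")),
        # inside host opens a connection: dynamic entry allocated
        "outbound": nat.outbound(Packet("10.0.0.20", outside)),
        # the reply now matches that entry and is forwarded to 10.0.0.20
        "reply": nat.inbound(Packet(outside, "203.0.113.10")),
        # static entry lets the outside host reach the web server unprompted
        "web": nat.inbound(Packet(outside, "203.0.113.5")),
    }, nat.log
```

The model ignores ports and timeouts, so it illustrates the translation-table rule itself, not a complete PAT implementation.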
