NAT Operation

by Leon Tufallo.
Share
|
Homepage | Submit your article | Contact | TOS
More articles on protocols  

You are here: Categories » Electronics and communication » Protocols

NAT can be confused with a proxy server, but there are definite differences between the two. NAT is transparent to the source and destination computers, but a proxy server is not. The source computer has to be specifically configured to communicate with a proxy server, whereas the destination computer thinks that the proxy server is the source computer. Proxy servers usually operate at Layer 4 (the transport layer of the OSI Reference Model) or higher, and NAT operates at Layer 3 (the network layer). Because proxy servers are usually an add-on application, they might be slower than NAT, because NAT is accomplished in hardware.

NAT is configured on the device you use to connect to an external network, whether it is a firewall, router, or computer. Before you get too far into the operation of NAT, you need to have a basic understanding of its many forms and the several ways in which it can be used:

  • Static NAT Used to map an unregistered IP address, such as a private address, to a registered IP address, usually provided by your Internet service provider (ISP), on a one-to-one basis. Also used to map one external public address to one internal private address.

  • Dynamic NAT Used to map an unregistered IP address to a registered IP address from a group of registered IP addresses. Dynamic NAT is usually accomplished with the assistance of a pool or a range of addresses that you configure on your NAT device.

  • Overloading A form of dynamic NAT used to map multiple unregistered IP addresses to a single registered IP address by using different ports. More commonly known as Port Address Translation (PAT) or port-level multiplexed NAT.

  • Overlapping Used when the IP address of your internal network is registered for use on another network. Your NAT device must maintain some type of lookup table of these addresses so that it can intercept them and replace them with registered unique IP addresses. This means that your NAT device must be able to translate the "internal" addresses to registered unique addresses. It also must be able to translate the "external" registered addresses to addresses that are unique to the private network. You can implement this NAT method through the use of static NAT or through the use of a DNS entry and dynamic NAT.

One fact that might need to be mentioned at this point is that your internal network, or LAN, can often be referred to as a stub domain. When used in this manner, a stub domain is a LAN that uses IP addresses internally, with most of the network traffic having a local destination. Although you are allowed to have both registered and unregistered IP addresses in your stub domain, any network device that uses an unregistered IP addresses must use NAT to communicate with the outside world.

One other benefit of implementing dynamic NAT on your device is that it can automatically create a simple firewall between your internal network and outside networks or the Internet. NAT does this by allowing only connections that originate inside your stub domain. This lets you limit a computer on an external network from reaching your computer unless your computer initiated the contact. Using static NAT allows you to define where a connection initiated by an external device can connect on your computers. For instance, you might want to connect an inside global address to a specific inside local address that is assigned to your web server. Keep in mind that this simple firewall should not be considered a replacement for items such as the Cisco Secure PIX Firewall or the Cisco IOS Firewall Feature Set, because TCP packets may be forged by an unauthorized user to gain access to your "protected" devices.
Share
Leave a comment or ask a question
Total comments: 0

Protocols Disclaimer

  • The e-articles directory is not responsible for any and all copyright infringements by writers and authors. If you suspect the information contained by this page for any copyright infringements, please contact us to investigate the issue
DNS risks and security - DNS is the Domain Name System. It's a UDP- and TCP-based protocol that listens on port 53. TCP connections are commonly used for zone transfers. The DNS matches IP addresses to hostname (more...)
FTP with IPv6 - FTP has been designed to work over IPv4 supporting 32-bit addresses. With RFC 2428, "FTP Extensions for IPv6 and NATs," a specification was made that allows FTP to work over IPv4 and IPv6. Duri (more...)
DNS in the IPv6 world - DNS is used in the IPv4 world to do name-to-address mappings and vice versa. This is not changing in the IPv6 world. The need for DNS is actually much greater because of the length of IPv6 addr (more...)
RADIUS Vulnerabilities - RADIUS is known to have a set of weaknesses that are either presented in the protocol itself or caused by poor client implementation. The stateless UDP protocol itself allows easier packet forg (more...)
DHCP with IPv6 - DHCP is widely used to configure hosts with their IPv4 addresses and additional information. If you have an IPv6 network, you do not need DHCP to configure your hosts with address information. (more...)
IPSec Protocols Operations and Modes Overview - IPSec was designed by a dedicated working group of the Internet Engineering Task Force (IETF). The goal behind IPSec creation was the development of a single standard providing high-quality, in (more...)
REXEC - REXEC is often confused with the other r services. However, it bears no relationship to them. REXEC runs on TCP port 512. UNIX distributions often ship without an REXEC client program (more...)
Network File System NFS - The Network File System (NFS) protocol defines a way for co-operating systems to share filesystems. Today, everyone seems to refer to NFS mounts as shares. NFS is based on the RPC (Remote (more...)
SMTP - SMTP is the Simple Mail Transfer Protocol (defined in RFC 821). Among other tasks, its job is to receive mail by accepting connections on TCP port 25 from remote mail servers. By default, UNIX (more...)
Basic Structure of the Internet - The best view of the Internet comes with following a packet from your PC. When you log into a web site, you actually send a command to a distant server telling it to download a page of data to y (more...)
 
free content
    Copyright © 2006 - 2012 e-articles.info.
The texts, articles and tutorials in the directory are property of their respective owners and authors.