jggimi, 27th August 2012
Chapter 9: Network Address Translation

Network Address Translation (NAT) is very useful.
  • It allows us to have private networks that can participate on the Internet.
  • It provides a simple firewall; unsolicited packets are dropped.
  • It greatly expands the number of devices that can reach the Internet.
  • It permits organizations in partnership to link their private networks together without remapping their IP addresses to manage IP address conflicts or subnet overlaps.
NAT is a function which occurs within a router device. Individual network devices need no configuration or awareness to participate in NAT. That's because all a NAT router does is:
  1. receive a packet for forwarding
  2. depending on packet direction, change either the source or destination IP address
  3. send the altered packet
----

An example:

  • My private network uses the 10.0.0.0/24 subnet.
  • My NAT router may connect this subnet to the Internet at address 1.2.3.4.
If I have a connection from my workstation at 10.0.0.5 with a server on the Internet, the NAT router translates my workstation address from 10.0.0.5 to 1.2.3.4 when it sends my traffic outbound, and it translates the inbound packets destined to my workstation from 1.2.3.4 to 10.0.0.5 before sending them to the workstation.

  • There are lots of workstations on my subnet. How did the NAT router "know" to change the incoming packet destination address from 1.2.3.4 to 10.0.0.5?

NAT routers monitor state. This is known as stateful tracking. NAT routers may also translate the source port numbers, to simplify stateful tracking, as is shown in this diagram from Microsoft:

[Diagram from Microsoft: NAT source port translation; image not reproduced]
TCP states are easy to monitor. Stateless protocols (like UDP) are tracked using timers.

---

NOTE: NAT routers can't route unsolicited traffic. If a packet arrives at my example router at IP address 1.2.3.4, and there is no associated state for this traffic ... the NAT router cannot forward the packet. This is why when you have a NAT router and you wish to offer a network service, you must pre-configure port forwarding.
If I tell the router to forward incoming TCP packets with destination port 80 to my web server at 10.0.0.9, when an incoming packet arrives with no pre-established state, and it is for destination port 80, the router will translate 1.2.3.4 to 10.0.0.9 and forward the packet to my web server.
NAT cannot route uninvited inbound traffic. Those packets are dropped, and either reflect an error via ICMP or not, depending on router configuration.

-----

Through a NAT router, many devices on a LAN may share a single IP address on the Internet. This has allowed the Internet to permit more devices to connect to it than the available IP addresses would allow. A number of address ranges have been defined for private networks. These are address ranges that are only used privately -- never on the Internet directly. To route packets in and out of networks that use these ranges, NAT must be used. These network ranges are used over and over in millions of private networks:
  • 10.0.0.0 - 10.255.255.255
  • 172.16.0.0 - 172.31.255.255
  • 192.168.0.0 - 192.168.255.255
You and I might both have devices at address 192.168.1.10 on our private networks. They can communicate with each other, as long as both of us are using NAT routers as our gateways to the Internet. Our private addresses are translated to Internet addresses when our packets transit our routers.

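A runnable model of what the post describes (stateful tracking with source port translation, the TCP/80 forward to 10.0.0.9, and dropping of unsolicited inbound packets), added here as an illustration and not part of the original post or of any real router's code; the addresses 10.0.0.x and 1.2.3.4 come from the post, while the translated port pool starting at 40000 is an assumption of this toy.

```python
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int

class NatRouter:
    """Toy stateful NAT (constructed model, not pf or any real router code)."""

    def __init__(self, public_ip: str, forwards: Dict[Tuple[str, int], Tuple[str, int]]):
        self.public_ip = public_ip
        self.forwards = forwards       # (proto, public port) -> inside (ip, port): port forwarding
        self.next_port = 40000         # assumed pool for translated source ports
        self.out_state: Dict[tuple, int] = {}                 # inside 5-tuple -> translated public port
        self.in_state: Dict[tuple, Tuple[str, int]] = {}      # (proto, remote ip, remote port, public port) -> inside

    def _add_state(self, proto: str, inside: Tuple[str, int], remote: Tuple[str, int], public_port: int) -> None:
        self.out_state[(proto, *inside, *remote)] = public_port
        self.in_state[(proto, *remote, public_port)] = inside

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> Internet: rewrite the source to the public IP and a per-flow port."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        port = self.out_state.get(key)
        if port is None:               # new flow: allocate a unique port and record state
            port, self.next_port = self.next_port, self.next_port + 1
            self._add_state(pkt.proto, (pkt.src, pkt.sport), (pkt.dst, pkt.dport), port)
        return replace(pkt, src=self.public_ip, sport=port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> LAN: deliver only with matching state or a configured forward; else drop."""
        if pkt.dst != self.public_ip:
            return None
        inside = self.in_state.get((pkt.proto, pkt.src, pkt.sport, pkt.dport))
        if inside is None:
            inside = self.forwards.get((pkt.proto, pkt.dport))
            if inside is None:
                return None            # unsolicited: no state and no forward, so dropped
            self._add_state(pkt.proto, inside, (pkt.src, pkt.sport), pkt.dport)  # replies keep port 80
        return replace(pkt, dst=inside[0], dport=inside[1])

def build_router() -> NatRouter:
    """Router from the post: public address 1.2.3.4, TCP/80 forwarded to web server 10.0.0.9."""
    return NatRouter("1.2.3.4", {("tcp", 80): ("10.0.0.9", 80)})
```

Two workstations using the same local source port get distinct public ports, which is exactly why the router can tell their replies apart.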