Data Network Resource
       Earn on the Web


Network Address Translator (NAT)



Introduction


This is used when a end user's network only needs to have a few addresses available to access the Global Internet. A table is created on the router that lists 'inside' local addresses to 'inside' global addresses which are the legal IP addresses. This mapping can be done statically or via the use of a dynamic pool of available legal addresses.

Following are a number of different ways to implement NAT:

Static Address Translation


This is where one-to-one mapping is carried out between inside local and outside global addresses.

NAT operation is illustrated in the following diagram:

NAT Operation

Dynamic Source Address Translation


This is where individual addresses within a pool of global addresses are dynamically mapped to local addresses.

For both static and dynamic NAT the process occurs as follows:
  1. An inside station connects to an outside station.
  2. When the first packet arrives from the inside station the router checks the NAT table.
  3. If no static match has been found the router carries out a translation of the inside address to an outside address from the available pool of outside addresses by replacing the address. The resultant mapping is saved as a 'simple entry'.
  4. The outside station receives the packet and replies to the outside address given by the NAT table.
  5. The router carries out a lookup in its table of inside to outside address mappings and forwards the packet to the station with the inside address.
  6. The packet is received and the rest of the conversation uses the NAT table.

Address Overloading


Sometimes called Port Address Translation (PAT), this is where each client uses the same IP address but uses a different port. A good example is access to a web server. Users from a private address, say in the 10.0.0.0 network, have their individual addresses translated to just one legal IP address but separate port numbers between 1024 and 65535. They can all have separate conversations with a web server having just one address and destination port of 80 (HTTP). This applies just as well if one user has several sessions with the same web server, the different port numbers distinguish the sessions.

The process operates as follows:
  1. An inside station connects to an outside station.
  2. When the first packet arrives from the inside station the router checks the NAT table.
  3. If no static match has been found the router carries out a translation of the inside address to an outside address from the available pool of outside addresses by replacing the address. The resultant mapping is saved as an 'extended entry'. If other inside addresses want to connect to outside stations then the same IP address is used but a different TCP port is utilised to distinguish the conversations.
  4. The outside station receives the packet and replies to the outside address given by the NAT table.
  5. The router carries out a lookup in its table of inside to outside address and port mappings and forwards the packet to the station with the inside address.
  6. The packet is received and the rest of the conversation uses the NAT table.

Overlapping Networks


There may be times when addresses in the inside network overlap with addresses in the outside network, see below for an example:

Overlapping addresses

The process operates as follows:
  1. Host A is on the inside network and wants to talk to Host B so it sends a Name-to-address lookup to the DNS server at 162.200.20.1.
  2. The router intercepts the DNS reply that contains the address.
  3. Because the address for Host B overlaps the address scheme used on the internal network the router translates the address to an address from a separate pool of outside addresses, in this case say 20.1.1.2.
  4. The DNS reply is then forwarded to Host A and A thinks that B has the address 20.1.1.2.
  5. Host A opens a connection to 20.1.1.2.
  6. The router receives the packet and replaces the source address of 10.1.1.1 with an inside global address of say 30.1.1.1 and saves the mapping.
  7. In addition, the router replaces the destination address of 20.1.1.2 with Host B's actual outside global address of 10.1.1.2 and saves the mapping.
  8. Host B receives the packet thinking that it came from 30.1.1.1 and replies accordingly.
  9. The conversation continues using the NAT table double lookup.

TCP Load Distribution


This is where a number of machines on the inside deal with a certain connection from the outside world. The Global to Local Mapping scheme is first established and then an access list is set up to determine the address that is allowed to be accessed by the outside world. Next, a rotary group is set up that has a number of server addresses that take the outside connections to this particular IP address on a round robin basis. This spreads the traffic load and is ideal for Web servers.

The process of operation is as follows:
  • An outside user opens a connection to an inside virtual host, say 10.1.1.200.
  • The router translates the address from the virtual address to a real host address, say 10.1.1.1 and forwards the packet.
  • Host 10.1.1.1 receives the packet and responds.
  • The router performs a NAT table lookup and forwards the packet to the outside address.
  • The next connection to the virtual host is translated to another inside address e.g. 10.1.1.2 and the process is repeated for that address.

This round robin approach means that a number of hosts can take the strain rather than just one host.

RFC 1631 describes NAT.

Port Forwarding


Port forwarding is really an extension of static NATting of addresses by adding port mapping within the IP header. Commonly client devices are 'hidden' behind routers or firewalls that NAT the client private addresses to public addresses. Normally these inside client devices initiate communication with the Internet and NATting happens dynamically on the router. Although these client devices are inside devices they can sometimes provide services to devices ouside of the firewall, that is, these client devices can act as servers that require to be accessed from outside.

If an outside device wishes to access a TCP or UDP port on an inside device e.g. a protected web server, then the port that the outside device is attempting to access e.g. port 80, needs to be forwarded in the traffic destined for the inside device. The IP header needs to be modified in order to achieve this. Take the following example where an outside device with IP address 222.22.22.1 using port 1234 i.e. 222.22.22.1:1234, is accessing a web server address given as the router WAN interface 233.33.33.1:80. The web server actually sits on the inside of the router and the router NATs the internal IP address of the server to the WAN interface. The HTTP port 80 however, is forwarded to the inside web server. The packet headers will look like the following sequence:

Location Source IP Source Port Destination IP Destination Port
From outside device to WAN interface 222.22.22.1 1234 233.33.33.1 80
From WAN interface to inside web server 222.22.22.1 1234 192.168.1.10 80
From inside web server to WAN interface 192.168.1.10 80 222.22.22.1 1234
From WAN interface to outside device 233.33.33.1 80 222.22.22.1 1234

Outside devices that initiate communication to these inside 'servers' are a security risk so it is important to configure the port forwarding carefully so that you do not let more traffic in than necessary. If you have a number of inside devices that are acting as servers then you can set up the port forwarding specifically for each service.

Typical application ports that require port forwarding to a server on the inside are as follows:

Application Incoming Port
HTTP 80
SSL 443
FTP 21
Telnet 23
IMAP 143
SIMAP (IMAP over SSL) 933
SSL/POP2 (POP3 over SSL) 995
SMTP 25
SSH 22
Finger 79
NNTP 119
GOPHER 70
NTP 123
PPTP 1723
Carbon Copy 32 1023-1680
Citrix 1494
Laplink 1547
Lotus Notes 1352
Netmeeting 1720, 1503
PC Anywhere 22, 5631-5632

Typical game ports that require port forwarding to a server on the inside are as follows:

Game Incoming Port
Alien vs Predator 80, 2300-2400, 8000-8999
Dark Reign 2 3100, 3568, 3999
Dune 2000 1140-1234, 4000
Elite Force 26000, 27500, 27910, 27960
Everquest 1024-6000, 7000
F-22 Lightning 3 4533-4660
Half Life 27015
Hexen II 26900 (add '1' for each player)
Heritic II 28910
MSN Gaming Zone 6667, 28800-29000
MSN Gaming Zone - DX 2300-2400, 47624
Myth 3453
Need for Speed 9442
Need for Speed 3 1030
Quake II 27910
Quake III 27960 (add '1' for each player)
Tiberian Sun 1140-1234, 4000

Having any ports open to the Internet is risky bearing in mind the continuous port probing that goes on. Some of the games and applications require a great many ports to be open and this can create an insecure environment.

Configuration of Port Forwarding may seem complex. It does not help that different routers and firewalls use different terminology for the same thing. A commercial level router will have comprehensive facilities for defining rules of access. These are often called IP filters or Access Lists. The domestic routers operate a web menu approach to configuration and may already have a predefined list of applications or firewall rules that you are able to select from. The more sophisticated domestic routers will allow you to add services where you can customise the IP address ranges and ports for which you are allowing access. Some routers may even use the term Port Forwarding within the menu structure.

Valid HTML 4.01 Transitional




Utility Warehouse     Earn on the Web     Free book on how to make money    


All rights reserved. All trademarks, logos, and copyrights are property of their respective owners.