Solved

Disabling NAT on router

Posted on 2004-10-03
Last Modified: 2013-11-29
Hello,
I was looking at my router config earlier and came across something I don't really understand about NAT.
Say I was to disable NAT on the router, would each of the PCs on my network get a 'real world' IP address from my ISP?

This is what it said in the manual:
"The PCs on your LAN must have real, registered IP addresses, not private, nonroutable IP addresses such as 192.168.0.x."

What does it mean that they must have a real registered IP address?

If someone could explain what happens when you disable NAT, I would appreciate it.

Thanks
Kane
0
Question by:Kane2002
5 Comments
 
LVL 10

Expert Comment

by:plemieux72
ID: 12211508
It is not recommended to assign real routable public IP addresses due to security. Companies usually use private addresses stated in RFC 1918. So, the only public IP (or pool of IPs) you should have is the outside one(s) on the router facing the Internet. This prevents Internet hosts from reaching your inside network but does not prevent inside hosts from connecting to Internet hosts (that's what NAT/PAT is for). NAT and PAT are a big subject; even if you are not running Cisco, the following link explains it much better than anyone could in this forum: http://www.cisco.com/pcgi-bin/Support/browse/psp_view.pl?p=Technologies:NAT

Now, if you need to put a web server or something else on the Internet, you still can use private IP addresses (this is the recommended way) and map a public to a private IP on your router and let the router handle the connections.  This way, the outside world does not know what internal IP you have for that server.

If you still decide you need to assign public IPs to your internal hosts, make sure you have a firewall. Hosts directly reachable from the Internet are vulnerable to worms and many other threats.
0
 
LVL 2

Accepted Solution

by:dramatix01 (earned 250 total points)
ID: 12211633
Real registered IP addresses are blocks of addresses that have been purchased by companies, individuals, or government entities and regulated by the Internet Assigned Numbers Authority (IANA). There are private, non-routable address blocks that cannot be registered such as 10.x.x.x (Class A), 127.x.x.x (loopback), 169.254.x.x (DHCP auto configuration), 172.16.x.x (Class B), and 192.168.x.x (Class C).

Use this document as a reference to private IP addresses: http://www.more.net/technical/netserv/tcpip/private.html
Check this website for info about IANA: http://www.iana.org/
Look here for registered address ranges: http://arin.net/

I would not recommend disabling NAT for several reasons:

1. No security - NAT very effectively hides the LAN side of your network.  An attacker can only see one address on the public side so they have no idea if you have only one machine or 10,000 machines on the LAN side.  They also can't see your private IP addressing scheme so spoofing will be more difficult.  Bottom line - the average "script kiddie" will just move on because you require too much work to hack.

2. Unless you are actually paying an ISP to use a range of registered IP addresses that they own or you own them yourself, you'd be "stealing" someone's property.

3. You could possibly run the risk of using duplicate IP addresses on the internet which would throw all kinds of things into disarray.

I hope this helps.  If you have any other questions let us know.

Regards,
Dave L.
0
 

Author Comment

by:Kane2002
ID: 12211650
Hey,
thanks for the reply.

I'm not wanting to assign public IPs... it was just something that I wanted to know how it worked.

So let me get this right...

If I disabled NAT (not that I'm going to), for the computers inside the network to access the Internet, they would each have to be assigned a public IP?

Kane
0
 
LVL 10

Expert Comment

by:plemieux72
ID: 12211697
Yes, you got that right.
0
 
LVL 2

Expert Comment

by:dramatix01
ID: 12211768
That is very correct, yes.
0
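
An added example, not part of the original thread: the check below classifies the addresses in a LAN inventory to show which hosts would lose Internet access if NAT were disabled and which would keep it but become directly reachable, and so need a firewall. The host names and addresses are constructed, and the block list is an assumption drawn from RFC 1918 plus the loopback, link-local and RFC 6598 shared ranges.

```python
import ipaddress

# IPv4 blocks that are never announced on the public Internet, so a host
# numbered from them cannot exchange traffic with it without translation.
NON_ROUTABLE = [
    ("rfc1918-private", "10.0.0.0/8"),
    ("rfc1918-private", "172.16.0.0/12"),   # 172.16.0.0 - 172.31.255.255
    ("rfc1918-private", "192.168.0.0/16"),
    ("loopback", "127.0.0.0/8"),
    ("link-local", "169.254.0.0/16"),       # DHCP-failure autoconfiguration
    ("shared-cgnat", "100.64.0.0/10"),      # RFC 6598 carrier-grade NAT space
]
NON_ROUTABLE = [(label, ipaddress.ip_network(net)) for label, net in NON_ROUTABLE]


def classify(addr):
    """Return the category of an IPv4 address given as a string."""
    ip = ipaddress.IPv4Address(addr)
    for label, net in NON_ROUTABLE:
        if ip in net:
            return label
    # Anything else is public only if it is not in another reserved block
    # (documentation ranges, benchmarking space, and so on).
    return "public" if ip.is_global else "other-reserved"


def audit_without_nat(hosts):
    """Split a {name: address} inventory by what happens if NAT is disabled.

    'stranded' hosts lose Internet access; 'exposed' hosts keep it but are
    directly reachable from outside and need a firewall in front of them.
    """
    stranded, exposed = {}, {}
    for name, addr in hosts.items():
        kind = classify(addr)
        (exposed if kind == "public" else stranded)[name] = kind
    return {"nat_can_be_disabled": not stranded,
            "stranded": stranded, "exposed": exposed}


# Constructed inventory; 8.8.8.8 only stands in for an ISP-assigned address.
SAMPLE_LAN = {
    "desktop": "192.168.0.10",
    "laptop": "172.31.255.254",
    "printer": "169.254.12.7",
    "webserver": "8.8.8.8",
}

if __name__ == "__main__":
    print(audit_without_nat(SAMPLE_LAN))
```
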
