Understanding NAT

Posted on 2010-11-25
Last Modified: 2012-05-10
I am having trouble understanding how NAT works when a client with a public IP on the internet wants to communicate with a local private IP.

Am I getting in any way close with the example below?

internet client  80.0.0.1  needs to talk to  local server 172.0.0.1 on port 80
local router has public ip of 90.0.0.1
internet client targets ip 90.0.0.1 and requests service on port 80
static nat entry on router maps 80.0.0.1 port 80 request  to 172.0.0.2 port 80
local server responds to 172.0.0.2:80 which is translated back by same nat entry to 80.0.0.1:80

I'm getting confused as someone told me that although PAT lets you map many private IPs to one public IP, it's not possible to map two public IPs on the same port number to a single private IP.
Is that right? A simple as possible explanation would be appreciated :)

Thanks


Question by: jly999

Expert Comment by: moon_blue69
The internet client replies to 90.0.0.1 on port 80, but in its header there is a destination port on 90.0.0.1 which is mapped to your 172.0.0.1 in its NAT table. So multiple clients can request the same page, but the requests will be assigned different ports on the NAT.

PS: see the attached image of how a NAT table will look.



Hi

How NAT Works

When a computer running NAT receives a packet from an internal client, it replaces the packet header and translates the client's port number and internal IP address to its own port number and external IP address. It then sends the packet to the destination host on the Internet, and keeps track of the mapping information in a table, so that it can route the reply to the appropriate client computer. When the computer running NAT receives a reply from the Internet host, it again replaces the packet header and sends the packet to the client. Both the client computer and the Internet host appear to be communicating directly with each other.

For example, a client computer with the IP address 192.168.10.2 wants to contact a Web server with the IP address 131.110.30.4. The client is configured to use 192.168.1.1 as the default gateway, which is the internal IP address of the computer running NAT. The external IP address of the computer running NAT is 131.110.5.1. In this example, the NAT process occurs as follows:

    * The client computer sends a packet to the computer running NAT. The packet header indicates that the packet originates from port 1074 on the computer with the IP address 192.168.10.2, and has a destination of port 80 on 131.110.30.4.
    * The computer running NAT changes the packet header to indicate that the packet originates from port 1563 on host 131.110.5.1, but does not change the destination. The computer running NAT then sends the packet to the Web server over the Internet.
    * The external Web server receives the packet and sends a reply. The packet header for the reply indicates that the packet originates from port 80 on 131.110.30.4, and has a destination of port 1563 on host 131.110.5.1.
    * The computer running NAT receives the packet and checks its mapping information to determine the destination client computer. The computer running NAT changes the packet header to indicate a destination of port 1074 on 192.168.10.5, and then sends the packet to the client. The source of the packet remains as port 80 on 131.110.30.4, which is the IP address of the Web server.


Courtesy of

http://www.tech-faq.com/nat-network-address-translation.html

[attachment: nat-table.jpg]

Expert Comment by: Wolfhere
Try this one on for size, in understanding NAT vs PAT http://www.enterprisenetworkingplanet.com/netsp/article.php/3632496/Networking-101-Understanding-NAT-and-PAT.htm
From my understanding, unless the state already exists, the IPs are different (vs. ports or PAT) and the NAT routers do not detect anomalies, you will not be able to establish a connection. Because of the nature of NAT routers, one of the NAT routers will be able to detect that a sequence number anomaly has occurred, and can immediately terminate all communication. When the TCP session completes with a FIN, the state is wiped clean.

Expert Comment by: Wolfhere
@moon_blue69
A very good description of NAT, but I do not understand your answer to the question posed by jly999. You are saying that the 2 distinct 'public' addresses going to a single private address (NAT'd also), with distinct ports assigned to each connection, will be able to establish communication in both directions... like a web server.
DOH! I think I just answered my own question, or rather you did :)

Expert Comment by: jfrizzell
NAT, or Network Address Translation, works by taking private RFC 1918 addresses and converting them to globally routable addresses.

RFC 1918 addresses are:
----------------------------------
10.0.0.0 10.255.255.255 (Class A)

172.16.0.0 172.31.255.255 (Class B)

192.168.0.0 192.168.255.255 (Class C)

Static NAT:
-------------------------------------
Suppose that you have an internal web server that you would like to allow users on the internet to access.  However, your internal web server has a private address of 172.27.10.12.  To do this, you would need to request a public IP address from the ISP.  Let's say that the ISP assigned you the 74.x.x.212 globally routable IP address.

What you would do in this case is establish a "Static NAT" mapping, which is a direct one to one relationship of a private address (RFC1918) to a publicly routable address.  For example, on a Cisco router you would enter the following command:

ip nat inside source static 172.27.10.12 204.15.87.2

How it works:
-------------------------------------
A user surfing the web types in yourwebsite.com and DNS resolves the name to your publicly routable IP address of 204.15.87.2.  The request for yourwebsite.com gets to your router and is converted from the public IP address of 204.15.87.2 to the internal IP address of 172.27.10.12.

When the router receives the HTTP header, it makes note of the 204.15.87.2 address and realizes that it has a static NAT statement to translate the address.  So, the router "translates" the IP address of 204.15.87.2 to the internal address of 172.27.10.12 and sends the packet on to the internal web server.

When the web server responds, the router has the job of "translating" the internal address of 172.27.10.12 to the publicly routable IP address of 204.15.87.2.

NAT Pool:
----------------------------------------
NAT pools are set up to map a group of publicly available IP addresses to internal private addresses.  For example, let's suppose that your organization has 30 users and you use the RFC 1918 private address block of 192.168.1.0.  Since RFC 1918 addresses are not routable on the Internet, you would need to obtain some public addresses from an ISP.  Let's say that the ISP allocated you 10 public IP addresses in the range of 84.x.x.12 - 84.x.x.21.

To configure a NAT pool, you would need to configure your private IP addresses to obtain one of the global IP addresses.  On a Cisco router the commands would be as follows:

1) Create an Access Control List (ACL) that allows your internal network address to be translated to a public IP address:

access-list 10 permit 192.168.1.0 0.0.0.255

2) Create the NAT pool that maps to the Global IP addresses assigned by the ISP:

ip nat pool GLOBAL-ADDRESSES 84.x.x.12 84.x.x.21 netmask 255.255.255.0

3) Combine the permitted internal translation addresses to the global IP address:

ip nat inside source list 10 pool GLOBAL-ADDRESSES


How NAT Pools Work
---------------------------------------
If a user in your network wanted to access a web server on the Internet, then the router would need to translate the private IP address of the internal network to a public address.  In this case you have 30 users and 10 global IP addresses.  This means that only 10 users could be online at any given time.  If an 11th user attempted to access a host, server, or other resource on the Internet, they would not be translated and the connection would fail.  Only when one of the 10 addresses was returned to the pool would that user be allowed to access the Internet.

User with the internal IP address of 192.168.1.7 is making a request to access a web server at 202.x.x.55.  As the packet is going through the various OSI layers, the transport layer will add a port to your internal IP address to track what application and session is in use.  It will be randomly assigned a port anywhere from 1025 - 65535.  

The user's packet from 192.168.1.7 gets a random port of 1033 to track the application and session.  The term utilized in the industry is a socket, and a socket is the combination of an IP address and port, joined with a colon.  The socket for this session would be 192.168.1.7:1033.

The router would receive the packet with the following information 192.168.1.7:1033 and check for an ACL that allows for a translation.  If there is an ACL permitting the 192.168.1.0 network, then the router will record the following in the translation table:

Internal IP Address           External IP Address
192.168.1.7:1033             84.x.x.12:1033

The 192.168.1.7:1033 addresses will be translated to 84.x.x.12:1033 and sent to the web server on the internet.  The web server will respond back to your request using the IP address of 84.x.x.12:1033.  

The router will receive the response packet with the IP address of 84.x.x.12:1033 and look at the translation table to see where to deliver the packet.  

Internal IP Address           External IP Address
192.168.1.7:1033             84.x.x.12:1033

It looks at the translation table and notes that 84.x.x.12:1033 should be translated back to 192.168.1.7:1033 and sent on its way.

Port Address Translation (PAT)
---------------------------------------
The main difference in Static NAT and NAT Pools when compared to PAT is the fact that a single address can be used among a large number of users.  Static NAT and NAT pools do not conserve IPv4 addresses.

PAT takes an internal private network and converts it to a single globally routable IP address.  It does this by utilizing sockets.  For example, let's assume that you are using the internal network of 10.10.10.0 and have been assigned the global IP address from the ISP of 94.x.x.212.

PAT Configuration:
---------------------------------------
To configure PAT on a Cisco router, you would do the following:

1) Create an ACL to allow your private network:

access-list 20 permit 10.10.1.0 0.0.0.255

2) Bind the ACL to the global IP address and enable PAT:

ip nat inside source list 20 interface atm0 overload


How PAT Works:
----------------------------------------

Say that you have two users that would like to connect to the Internet.  The first user 10.10.10.93 is going to Google at IP address 74.125.15.104.  The second user 10.10.10.125 is going to Yahoo! at IP address 72.30.2.43.  

At the transport layer, the 10.10.10.93 user is assigned the port 3525 to create the socket of 10.10.10.93:3525.

At the transport layer, the 10.10.10.125 user is assigned to the port 3525 to create the socket 10.10.10.125:3525.

The first user's packet arrives at the router first and is checked against the ACL to permit translation from private to public.  The router records the information in the translation table and sends the packet on with the routable IP address obtained from the ISP.

Internal IP Address           External IP Address
10.10.10.93:3525             94.x.x.212:3525

The second user's packet arrives moments after the first user's packet and is checked against the ACL to permit the translation.  The router goes to record the information in the translation table, but notices that port 3525 has already been used.  So the router increments the port number for the external address until one is available.  However, the important thing to note is that the external port number changes, BUT not the internal.  If the port numbers were different, then the router would simply record the port number provided by the user.

Internal IP Address           External IP Address
10.10.10.93:3525             94.x.x.212:3525
10.10.10.125:3525           94.x.x.212:3526

Now when a packet comes into the router with 94.x.x.212:3525, it forwards it off to the first user at 10.10.10.93:3525.  When a packet arrives with 94.x.x.212:3526, it forwards it off to the second user.  When I say forwards it off, the translation is successfully made.


Author Comment by: jly999
thanks,

I can't understand why it is you can have NAT overload going out (many private to one public) but you can't have the same coming back in.

e.g. if I want 2 public IPs to translate to one internal private IP, this is not possible I think, as it needs a static mapping. Why is that?


Accepted Solution by: jfrizzell (earned 500 total points)
You are correct in that static mappings are needed to combine both addresses to one internal IP address on most devices.  However, a Cisco PIX/ASA will allow you to do the exact opposite of what you are describing.  On either of these firewalls, you can have multiple public IP addresses overloaded to one internal address.  For example:

You have an internal mail server at 172.16.1.177 that needs to be accessed from the outside:

interface ethernet0/0
nameif outside
security-level 0
ip address 84.x.x.8 255.255.255.0

interface ethernet0/1
nameif inside
security-level 100
ip add 172.16.1.1 255.255.255.0

access-list OUTSIDE-PAT permit tcp any host 84.x.x.8 eq smtp
access-group OUTSIDE-PAT in interface outside

access-list PAT-IN permit ip any host 84.X.X.8

nat (outside) 1 access-list PAT-IN outside
global (inside) 1 interface

static (inside,outside) interface 172.16.1.177 tcp 25
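
Added example, not code from any of the comments above: a small Python model of the translation table that jfrizzell's PAT walkthrough and the accepted solution describe, so the cases in this thread can be stepped through. It replays the two-users-same-source-port case (the second user gets the next free outside port), a NAT pool running out, an unsolicited inbound packet to the PAT address with nothing in the table, and two public addresses statically mapped to one inside mail server. All addresses are constructed sample values patterned on the ones in the answers (the x's replaced with zeros for illustration), and the per-connection tracking in `Nat.conns`, which makes the server's replies leave on whichever public address the client actually hit, goes slightly beyond the thread; it stands in for the connection state a stateful firewall keeps and is an assumption of this model rather than a claim about a particular product.

```python
"""Toy NAT/PAT translation table (added example, not code from the thread).
Addresses are constructed sample values; the per-connection tracking in
Nat.conns is an assumption about how a stateful device keeps replies
leaving on the public address a client actually hit."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Socket = Tuple[str, int]  # (ip, port): the "socket" the answers refer to


@dataclass(frozen=True)
class Packet:
    src: Socket
    dst: Socket


class Nat:
    def __init__(self, public_ip: str, pool: Optional[List[str]] = None,
                 overload: bool = False) -> None:
        self.public_ip = public_ip                  # interface address used by PAT
        self.pool = list(pool or [])                # free addresses for one-to-one dynamic NAT
        self.overload = overload
        self.pool_map: Dict[str, str] = {}          # inside ip -> pool address it holds
        self.out_table: Dict[Socket, Socket] = {}   # inside socket -> public socket
        self.in_table: Dict[Socket, Socket] = {}    # public socket -> inside socket
        self.static_in: Dict[Socket, Socket] = {}   # public socket -> inside socket (static)
        self.conns: Dict[Tuple[Socket, Socket], Socket] = {}  # (inside, remote) -> public hit

    def add_static(self, public: Socket, inside: Socket) -> None:
        self.static_in[public] = inside

    def _pat_socket(self, inside: Socket) -> Optional[Socket]:
        # Keep the inside port when it is free; otherwise step up until one is.
        port = inside[1]
        while (self.public_ip, port) in self.in_table or (self.public_ip, port) in self.static_in:
            port += 1
            if port > 65535:
                return None
        return (self.public_ip, port)

    def _pool_socket(self, inside: Socket) -> Optional[Socket]:
        ip = self.pool_map.get(inside[0])
        if ip is None:
            if not self.pool:
                return None                         # pool exhausted: no translation
            ip = self.pool.pop(0)
            self.pool_map[inside[0]] = ip
        return (ip, inside[1])                      # one-to-one NAT keeps the port

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Inside -> outside; None means the router could not translate it."""
        public = self.conns.get((pkt.src, pkt.dst)) or self.out_table.get(pkt.src)
        if public is None:
            public = self._pat_socket(pkt.src) if self.overload else self._pool_socket(pkt.src)
            if public is None:
                return None
            self.out_table[pkt.src] = public
            self.in_table[public] = pkt.src
        return Packet(public, pkt.dst)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside; None means nothing in the table names an inside host."""
        inside = self.in_table.get(pkt.dst)
        if inside is None:
            inside = self.static_in.get(pkt.dst)
            if inside is None:
                return None                         # unsolicited and unmapped: dropped
            self.conns[(inside, pkt.src)] = pkt.dst  # remember which public socket was hit
        return Packet(pkt.src, inside)


def demo() -> dict:
    r = {}
    # PAT: two inside hosts both pick source port 3525; the second gets 3526 outside.
    pat = Nat("94.0.0.212", overload=True)
    a = pat.outbound(Packet(("10.10.10.93", 3525), ("74.125.15.104", 80)))
    b = pat.outbound(Packet(("10.10.10.125", 3525), ("72.30.2.43", 80)))
    r["pat"] = (a.src, b.src)
    r["pat_reply"] = pat.inbound(Packet(("72.30.2.43", 80), ("94.0.0.212", 3526))).dst
    # Unsolicited inbound to the PAT address on port 80: no entry, so it is dropped.
    r["unsolicited"] = pat.inbound(Packet(("80.0.0.1", 40000), ("94.0.0.212", 80)))
    # Dynamic pool of two addresses: the third inside host cannot be translated.
    pool = Nat("84.0.0.1", pool=["84.0.0.12", "84.0.0.13"])
    p1 = pool.outbound(Packet(("192.168.1.7", 1033), ("202.0.0.55", 80)))
    pool.outbound(Packet(("192.168.1.8", 1033), ("202.0.0.55", 80)))
    p3 = pool.outbound(Packet(("192.168.1.9", 1033), ("202.0.0.55", 80)))
    r["pool"] = (p1.src, p3)
    # Two public addresses statically mapped to one inside mail server on tcp/25.
    fw = Nat("84.0.0.8", overload=True)
    fw.add_static(("84.0.0.8", 25), ("172.16.1.177", 25))
    fw.add_static(("84.0.0.9", 25), ("172.16.1.177", 25))
    c1 = fw.inbound(Packet(("80.0.0.1", 50000), ("84.0.0.8", 25)))
    c2 = fw.inbound(Packet(("80.0.0.2", 50001), ("84.0.0.9", 25)))
    s1 = fw.outbound(Packet(("172.16.1.177", 25), ("80.0.0.1", 50000)))
    s2 = fw.outbound(Packet(("172.16.1.177", 25), ("80.0.0.2", 50001)))
    r["forward"] = (c1.dst, c2.dst, s1.src, s2.src)
    return r
```

Call `demo()` to step through the four cases. The two `None` results are the drops: the inside host that finds no pool address left, and the inbound packet for which neither the dynamic table nor a static entry names an inside host. That second drop is the practical answer to the question in this thread: PAT going out works because each outbound packet creates the table entry its reply will match, whereas an unsolicited inbound packet matches nothing, so the device needs a static entry to know where to send it. The last case shows two such entries pointing at the same inside server, with the replies leaving on the public address each client originally contacted.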

Author Comment by: jly999
Thanks jfrizzell. I didn't know that was possible; I'd read that connections initiated from the internet to reach a private server needed static NAT.

But I was trying to understand why that would have to be the case, and I guess it isn't always...

Hopefully starting to understand NAT a bit more. Cheers
