Solved

Where/Why is NAT used?

Posted on 2014-04-11
Last Modified: 2014-04-18
If I understand correctly, NAT (Network Address Translation) is used on companies' internet-facing routers to translate internal IP addresses to public IPs and vice versa.

However, I believe nowadays you can purchase a router that, out of the box, is capable of doing NAT. I am taking as an example the internet routers used at homes and small offices.

So when and why is a company network administrator called to configure NAT?

Thank you
0
Question by:jskfan
19 Comments
 
LVL 35

Assisted Solution

by:Kimputer
Kimputer earned 50 total points
Configuring NAT requires a bit of knowledge about internet/networks/routing. If a user reads up and studies a bit, and has a basic understanding of networking, he can solve it himself (in home and small business situations). Usually in home situations, no configuring is needed anyway, as there's just no need for it. It only comes into play when a "server" needs to be accessed from the internet.
In an Enterprise environment, a common user probably can't escape intensive Sonicwall/Juniper/Cisco courses before he can solve NAT problems.
0
 
LVL 45

Expert Comment

by:Craig Beck
To answer your question simply...

Company networks use something called private addressing.  This means we don't have to apply for IP addresses from the ISP.  If your company has 4000 devices that would cost a fortune.

In order for devices on the network to access the internet they must use a public IP address, instead of a private one.  Private IP addresses are 10.0.0.0 - 10.255.255.255, 172.16.0.0 - 172.31.255.255 and 192.168.0.0 - 192.168.255.255.  These addresses aren't routable across the internet.

In order to make these addresses accessible we use NAT.  This hides the private IP addresses and substitutes them with public IP addresses.  There are many forms of NAT, but the most common in this scenario is NAT overload.  Basically all devices on your network are translated (or hidden) by one public IP address which your ISP assigns to your internet circuit.  You can have more IP addresses though.

Most off-the-shelf routers will run NAT straight out of the box.  Think of this just the same as your home router from your ISP.  More expensive routers (Cisco, HP, etc) can run NAT but it's not something which is configured to work by default.  To get it working on a Cisco 1921 for example you have to configure it specifically.

If your company just wants to simply provide everyone with internet access, this is simple, but if you want to allow people on the internet to access servers on your network you'd need a network guy to configure PAT (port address translation) on the router.  This is also known as port-forwarding.
0
 

Author Comment

by:jskfan
<<If your company just wants to simply provide everyone with internet access, this is simple, but if you want to allow people on the internet to access servers on your network you'd need a network guy to configure PAT (port address translation) on the router.>>

That's what I was looking for...
So if no one from the internet is accessing my local network, then there is no need to configure NAT? Assuming only the inside network users need access to the internet...
0
 
LVL 25

Expert Comment

by:Fred Marshall
I'm afraid that there may be some misunderstanding.  If so, perhaps this will help:

- Commodity routers almost all provide NAT without any setup.  It's the normal thing.

- Professional routers often don't provide NAT without some configuration.

If you have the former then there's really nothing to do.  But, if you have the latter then you'd have to perhaps do some small amount of configuring.  But, this is likely no more than a command or two.

NAT is a way to separate the LAN from the internet.  
Consider this:
- a laptop is connected to a modem for internet access and gets a public IP address.  Thus the laptop is directly accessible on the internet (less any firewall features in the modem or on the laptop).  The laptop is addressed directly.
BUT - what about the applications on the laptop that interface with services on the internet?  How are packets returned to these applications?  Who knows how/what to do?
The answer is "ports".  
And ports are, in a simple view, just address extensions like "Apartment 12".
So, with their port numbers, applications can be reached.

But generally one doesn't have enough public addresses and one wants to have private LAN addresses. Thus, NAT is required by almost all of us.
NAT can be described similarly.
A port number is identified for a particular computer / application on the LAN by the NAT process on the router.  So, when return packets arrive, they can be routed appropriately.
This is how a computer's LAN IP address gets "coded".
0
 
LVL 45

Expert Comment

by:Craig Beck
"So if no one from the internet is accessing my local network, then there is no need to configure NAT? Assuming only the inside network users need access to the internet..."
Assuming that the router does NAT by default, no there is no need to do anything.  The router will just let everyone get to the internet from the LAN, and no-one from the internet will be able to get in.

@fmarshall - I think you just confused it a bit more :-)
"NAT is a way to separate the LAN from the internet."
Kind of, but a more accurate example would be a firewall.  A NAT device is primarily designed to translate one address to another.  A firewall separates segments and allows/blocks traffic.
0
 
LVL 26

Expert Comment

by:skullnobrains
"That's what I was looking for...
So if no one from the internet is accessing my local network, then there is no need to configure NAT? Assuming only the inside network users need access to the internet..."

++craigbeck

i'd add that configuring NAT is actually quite trivial on anything that has a gui, and usually not very difficult on command line ones with the noticeable exception of cisco boxes which require a lot of training to do the simplest tasks.

typically,

NAT outgoing traffic (when not preconfigured) is either configured using a single generic rule (source=LAN, destination=WAN, nat-to=EXTERNAL_IP, what_to_nat=source), or in each rule that allows outgoing traffic through checking a NAT checkbox and selecting the proper interface.

NAT/PAT incoming traffic is usually not that much more complicated. you'll find rule-based PAT (source=WAN, destination=EXTERNAL_IP/PORT, redirect_to=server_ip/port, what_to_nat=destination/both) or a concept of virtual IP which allows to associate an external IP with an internal one and performs more or less the same task adding a level of abstraction (and actually more complexity) to the setup

there are variations in terminology and way to configure stuff but the concepts are not more complicated and it always boils down to transforming either the source or destination ip (or both) and use the proper ip (rule of thumb : for source nat, use the ip of the box that performs nat on the interface the packet will be leaving, and for destination nat, use your server's)

no need to be a rocket scientist

"So when and why is a company network administrator called to configure NAT?"

usually they set it up once and for all when they set up the firewall/router

then they are called to add/modify a trivial port redirection when you add a new server or move it because although it is trivial to do, "normal" users are (hopefully ?) not allowed to play with firewall rules.
0
 
LVL 25

Assisted Solution

by:Fred Marshall
Fred Marshall earned 100 total points
craigbeck: I guess it depends on how you'd like to define "separate".  I don't have any problem with the original usage.  But you can find fault if you define it another way I suppose.  

The question was about NAT and not about firewalls.... but one might imply the need.
0
 
LVL 45

Expert Comment

by:Craig Beck
But I took NAT at face value...

You can use a chair to climb but that's not what it's really for :-)
0
 

Author Comment

by:jskfan
Actually, it is not about whether the command line configuration is complex or simple...

It is about when NAT has to be configured.
I know that most or all companies have a firewall and have access to the internet.
So without NAT, company LAN networks can still access the internet and be protected with a firewall... I am not sure if NAT has to be configured ONLY when an application from inside the LAN needs to get responses back from other apps on the internet? Or ONLY when users from the internet need access to the inside LAN?
0

 
LVL 45

Expert Comment

by:Craig Beck
No, without NAT you can't get to the internet even if you have a firewall, unless your LAN hosts have public IP addresses.

In its simplest form it's like this...

LAN PC: 10.1.1.1 - needs NAT to get internet.
LAN PC: 172.16.5.107 - needs NAT to get internet.
LAN PC: 192.168.200.3 - needs NAT to get internet.
LAN PC: 217.32.8.97 - doesn't need NAT to get to internet.

"I am not sure if NAT has to be configured ONLY when an application from inside LAN needs to get responses back from other Apps on the internet?"
Many LAN hosts use NAT overload to share a common internet (public) IP.

"or ONLY when users from internet need access to the inside LAN?"
PAT (port forwarding) is used for this.
0
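The NAT overload and port-forwarding behaviour described in the answers above, modelled as a translation table; this is an added example, not code from any participant in the thread. The class and function names, the public address 203.0.113.10 and the remote endpoints are constructed for illustration, and accepting replies only from the endpoint that was contacted is a simplifying assumption (real devices vary).

```python
import ipaddress

# RFC 1918 private ranges, as listed in the thread
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def needs_nat(addr):
    """True if addr is private (RFC 1918) and so not routable on the internet."""
    return any(ipaddress.ip_address(addr) in net for net in RFC1918)

class NatOverload:
    """Toy NAT overload table: many LAN hosts share one public IP."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out = {}       # (lan_ip, lan_port, remote) -> public port
        self.back = {}      # (public port, remote) -> (lan_ip, lan_port)
        self.forwards = {}  # public port -> (lan_ip, lan_port), static

    def outbound(self, lan_ip, lan_port, remote):
        """Return the (source ip, source port) the remote endpoint will see."""
        if not needs_nat(lan_ip):
            return (lan_ip, lan_port)   # public host: routed untranslated
        key = (lan_ip, lan_port, remote)
        if key not in self.out:
            if self.next_port > 65535:
                raise RuntimeError("public port pool exhausted")
            self.out[key] = self.next_port
            self.back[(self.next_port, remote)] = (lan_ip, lan_port)
            self.next_port += 1
        return (self.public_ip, self.out[key])

    def add_forward(self, public_port, lan_ip, lan_port):
        """Static port forward for traffic initiated from the internet."""
        self.forwards[public_port] = (lan_ip, lan_port)

    def inbound(self, remote, public_port):
        """Return the LAN destination of an incoming packet, or None (dropped)."""
        if (public_port, remote) in self.back:      # reply to a LAN-initiated flow
            return self.back[(public_port, remote)]
        return self.forwards.get(public_port)       # else only a static forward

if __name__ == "__main__":
    nat = NatOverload("203.0.113.10")               # constructed public IP
    web = ("198.51.100.7", 443)                     # constructed remote server
    print(nat.outbound("10.1.1.1", 51000, web))
    print(nat.inbound(web, 40000))
    print(nat.inbound(("198.51.100.99", 4444), 40000))
```

An unsolicited packet returns `None` because no table entry exists for it; only `add_forward` creates an inbound path, which is the entry that deserves review whenever a server is exposed.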
 
LVL 26

Expert Comment

by:skullnobrains
++craigbeck

to make it simple, NAT is necessary when you have more computers (firewall included) than public addresses.
0
 
LVL 25

Expert Comment

by:Fred Marshall
"But generally one doesn't have enough public addresses and one wants to have private LAN addresses. Thus, NAT is required by almost all of us."
I did try to express this notion earlier....
0
 

Author Comment

by:jskfan
<<<LAN PC: 10.1.1.1 - needs NAT to get internet.
LAN PC: 172.16.5.107 - needs NAT to get internet.
LAN PC: 192.168.200.3 - needs NAT to get internet.
>>>>


Can't I create the above VLANs on an L3 switch and route them to the internet router (just like the one at home?) without using NAT?
Unless you are saying the internet router used by people at home already has NAT built in and configured... If that's the case, the same can be applied at the company, if I am not wrong?
0
 
LVL 45

Expert Comment

by:Craig Beck
No you can't route your LANs straight to the internet without NAT.

Internet routers used at home already do NAT by default, so it looks like you don't need to use NAT, but really you're already using it, just without knowing.
0
 
LVL 26

Expert Comment

by:skullnobrains
additionally, if you do so, the packets will be dropped AND your ISP might get angry or laugh at you and possibly terminate your connection in the first case. using private address space on the internet is not only not functional but also forbidden.
0
 

Author Comment

by:jskfan
Craigbeck:
<<<Internet routers used at home already do NAT by default, so it looks like you don't need to use NAT, but really you're already using it, just without knowing.>>>>>

That's what I was talking about. If I can use an internet router at home to get separate LANs to reach the internet, why not at the office, without manually configuring NAT?
0
 
LVL 45

Accepted Solution

by:
Craig Beck earned 175 total points
"That's what I was talking about. If I can use an internet router at home to get separate LANs to reach the internet, why not at the office, without manually configuring NAT?"
You can do this without configuring NAT, as long as it's enabled by default.  That's not what you said though...
"Can't I create the above VLANs on an L3 switch and route them to the internet router (just like the one at home?) without using NAT?"
You said "without using NAT".  You can't do it without using NAT.  It is required and you are using it even if you don't configure it if it's enabled by default on the router.
0
 
LVL 26

Assisted Solution

by:skullnobrains
skullnobrains earned 175 total points
office connections are not always the same as home connections. in most cases, at least external IPs and gateways need to be configured, and professional hardware comes with little preconfiguration even NAT-wise, so you'll have to do some work.

then if you use an aDSL link at your office, or have a provider that gives you an ethernet endpoint and provides addresses over dhcp, most likely any home router will just work with no extra configuration
0
 

Author Closing Comment

by:jskfan
Thank you Guys!
0
