jskfan

Where/Why is NAT used ?

If I understand correctly, NAT (Network Address Translation) is used on companies' internet-facing routers to translate internal IP addresses to public IPs and vice versa.

However, I believe nowadays you can purchase a router out of the box that is capable of doing NAT. I am taking as an example the internet routers used at homes and small offices.

So when and why is a company network administrator called to configure NAT?

Thank you
To answer your question simply...

Company networks use something called private addressing. This means we don't have to apply for IP addresses from the ISP. If your company has 4000 devices, that would cost a fortune.

In order for devices on the network to access the internet they must use a public IP address instead of a private one. Private IP addresses are 10.0.0.0 - 10.255.255.255, 172.16.0.0 - 172.31.255.255 and 192.168.0.0 - 192.168.255.255. These addresses aren't routable across the internet.

In order to make these addresses accessible we use NAT. This hides the private IP addresses and substitutes them with public IP addresses. There are many forms of NAT, but the most common in this scenario is NAT overload. Basically all devices on your network are translated (or hidden) by one public IP address which your ISP assigns to your internet circuit. You can have more IP addresses though.

Most off-the-shelf routers will run NAT straight out of the box. Think of this as just the same as your home router from your ISP. More expensive routers (Cisco, HP, etc.) can run NAT, but it's not something which is configured to work by default. To get it working on a Cisco 1921, for example, you have to configure it specifically.

If your company just wants to simply provide everyone with internet access, this is simple, but if you want to allow people on the internet to access servers on your network you'd need a network guy to configure PAT (port address translation) on the router. This is also known as port forwarding.
jskfan

ASKER

<<If your company just wants to simply provide everyone with internet access, this is simple, but if you want to allow people on the internet to access servers on your network you'd need a network guy to configure PAT (port address translation) on the router.>>

That's what I was looking for...
So if no one from the internet is accessing my local network, then there is no need to configure NAT? Assuming only the inside network users need access to the internet...
I'm afraid that there may be some misunderstanding.  If so, perhaps this will help:

- Commodity routers almost all provide NAT without any setup.  It's the normal thing.

- Professional routers often don't provide NAT without some configuration.

If you have the former then there's really nothing to do.  But, if you have the latter then you'd have to perhaps do some small amount of configuring.  But, this is likely no more than a command or two.

NAT is a way to separate the LAN from the internet.  
Consider this:
- a laptop is connected to a modem for internet access and gets a public IP address.  Thus the laptop is directly accessible on the internet (less any firewall features in the modem or on the laptop).  The laptop is addressed directly.
BUT - what about the applications on the laptop that interface with services on the internet?  How are packets returned to these applications?  Who knows how/what to do?
The answer is "ports".  
And ports are, in a simple view, just address extensions like "Apartment 12".
So, with their port numbers, applications can be reached.

But generally one doesn't have enough public addresses and one wants to have private LAN addresses. Thus, NAT is required by almost all of us.
NAT can be described similarly.
A port number is identified for a particular computer / application on the LAN by the NAT process on the router.  So, when return packets arrive, they can be routed appropriately.
This is how a computer's LAN IP address gets "coded".
So if no one from the internet is accessing my local network, then there is no need to configure NAT? Assuming only the inside network users need access to the internet...
Assuming that the router does NAT by default, no, there is no need to do anything. The router will just let everyone get to the internet from the LAN, and no one from the internet will be able to get in.

@fmarshall - I think you just confused it a bit more :-)
NAT is a way to separate the LAN from the internet.
Kind of, but a more accurate example would be a firewall.  A NAT device is primarily designed to translate one address to another.  A firewall separates segments and allows/blocks traffic.
skullnobrains

That's what I was looking for...
So if no one from the internet is accessing my local network, then there is no need to configure NAT? Assuming only the inside network users need access to the internet...

++craigbeck

I'd add that configuring NAT is actually quite trivial on anything that has a GUI, and usually not very difficult on command-line ones, with the notable exception of Cisco boxes, which require a lot of training to do the simplest tasks.

Typically,

NAT for outgoing traffic (when not preconfigured) is either configured using a single generic rule (source=LAN, destination=WAN, nat-to=EXTERNAL_IP, what_to_nat=source), or in each rule that allows outgoing traffic through, by checking a NAT checkbox and selecting the proper interface.

NAT/PAT for incoming traffic is usually not much more complicated. You'll find rule-based PAT (source=WAN, destination=EXTERNAL_IP/PORT, redirect_to=server_ip/port, what_to_nat=destination/both) or a concept of a virtual IP, which allows you to associate an external IP with an internal one and performs more or less the same task, adding a level of abstraction (and actually more complexity) to the setup.

There are variations in terminology and in the way to configure stuff, but the concepts are not more complicated, and it always boils down to transforming either the source or destination IP (or both) and using the proper IP (rule of thumb: for source NAT, use the IP of the box that performs NAT on the interface the packet will be leaving, and for destination NAT, use your server's).

No need to be a rocket scientist.

So when and why is a company network administrator called to configure NAT?

Usually they set it up once and for all when they set up the firewall/router.

Then they are called to add/modify a trivial port redirection when you add a new server or move it, because although it is trivial to do, "normal" users are (hopefully?) not allowed to play with firewall rules.
But I took NAT at face value...

You can use a chair to climb, but that's not what it's really for :-)
jskfan

ASKER

Actually, it is not about whether the command-line configuration is complex or simple...

It is about when NAT has to be configured.
I know that most or all companies have a firewall and have access to the internet.
So without NAT, company LAN networks can still access the internet and be protected with a firewall... I am not sure if NAT has to be configured ONLY when an application from inside the LAN needs to get responses back from other apps on the internet, or ONLY when users from the internet need access to the inside LAN?
No, without NAT you can't get to the internet even if you have a firewall, unless your LAN hosts have public IP addresses.

In its simplest form it's like this...

LAN PC: 10.1.1.1 - needs NAT to get internet.
LAN PC: 172.16.5.107 - needs NAT to get internet.
LAN PC: 192.168.200.3 - needs NAT to get internet.
LAN PC: 217.32.8.97 - doesn't need NAT to get to internet.

I am not sure if NAT has to be configured ONLY when an application from inside the LAN needs to get responses back from other apps on the internet?
Many LAN hosts use NAT overload to share a common internet (public) IP.

or ONLY when users from internet need access to the inside LAN?
PAT (port forwarding) is used for this.
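As an added illustration (not code from any of the posters), here is a small Python model of what craigbeck and fmarshall describe: the RFC 1918 check behind the "needs NAT" list above, NAT overload hiding every LAN host behind one public IP with a translated source port (fmarshall's "Apartment 12"), and a static PAT (port-forwarding) entry for the one inbound case. All addresses, ports and the address-restricted reply check are constructed sample choices, not taken from any real router.

```python
import ipaddress
from dataclasses import dataclass

# The three private ranges quoted in the thread (RFC 1918).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def needs_nat(ip: str) -> bool:
    """True when a host with this address cannot reach the internet as-is: RFC 1918
    sources are not routable upstream, so the router must translate them."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class NatOverloadRouter:
    """NAT overload (PAT): every LAN host is hidden behind one public IP, and the
    translated source port is the 'apartment number' that routes replies back."""

    def __init__(self, public_ip, port_forwards=None, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.by_lan = {}  # (lan ip, lan port, remote ip, remote port) -> public port
        self.by_pub = {}  # public port -> that same flow tuple
        # Static PAT entries (port forwarding): public port -> (server ip, server port).
        self.port_forwards = dict(port_forwards or {})

    def outbound(self, pkt):
        """LAN -> internet: rewrite the private source to the public IP and a unique port."""
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if flow not in self.by_lan:  # first packet of this flow: allocate a public port
            self.by_lan[flow] = self.next_port
            self.by_pub[self.next_port] = flow
            self.next_port += 1
        return Packet(self.public_ip, self.by_lan[flow], pkt.dst, pkt.dport)

    def inbound(self, pkt):
        """Internet -> LAN: returns the translated packet, or None when it is dropped."""
        flow = self.by_pub.get(pkt.dport)
        # A reply is accepted only from the remote the LAN host talked to (address-restricted).
        if flow and flow[2] == pkt.src and flow[3] == pkt.sport:
            return Packet(pkt.src, pkt.sport, flow[0], flow[1])
        if pkt.dport in self.port_forwards:
            srv_ip, srv_port = self.port_forwards[pkt.dport]
            return Packet(pkt.src, pkt.sport, srv_ip, srv_port)
        return None  # unsolicited and not forwarded: nobody from the internet gets in
```

The model shows why the asker's LAN works "without configuring NAT" on a home router (the table above is built automatically for outbound flows) and why only the inbound server case needs an explicit port-forward entry.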
++craigbeck

To make it simple, NAT is necessary when you have more computers (firewall included) than public addresses.
But generally one doesn't have enough public addresses and one wants to have private LAN addresses. Thus, NAT is required by almost all of us.
I did try to express this notion earlier....
jskfan

ASKER

<<LAN PC: 10.1.1.1 - needs NAT to get internet.
LAN PC: 172.16.5.107 - needs NAT to get internet.
LAN PC: 192.168.200.3 - needs NAT to get internet.>>

Can't I create the above VLANs on an L3 switch and route them to the internet router (just like the one at home?) without using NAT?
Unless you are saying that the internet router used by people at home already has a built-in NAT configured... If that's the case, the same can be applied at the company, if I am not wrong?
No you can't route your LANs straight to the internet without NAT.

Internet routers used at home already do NAT by default, so it looks like you don't need to use NAT, but really you're already using it, just without knowing.
Additionally, if you do so, the packets will be dropped AND your ISP might get angry or laugh at you, and possibly terminate your connection in the first case. Using private address space on the internet is not functional, and it is also forbidden.
jskfan

ASKER

Craigbeck:
<<Internet routers used at home already do NAT by default, so it looks like you don't need to use NAT, but really you're already using it, just without knowing.>>

That's what I was talking about. If I can use an internet router at home to get separate LANs to reach the internet, why not at the office, without manually configuring NAT?
jskfan

ASKER

Thank you Guys!