Solved

Where/Why is NAT used ?

Posted on 2014-04-11
Last Modified: 2014-04-18
If I understand correctly, NAT (Network Address Translation) is used on companies' internet-facing routers to translate internal IP addresses to public IPs and vice versa.

However, I believe nowadays you can purchase a router that, out of the box, is capable of doing NAT. I am taking as an example the internet routers used at homes and small offices.

So when and why is a company network administrator called to configure NAT?

Thank you
Question by:jskfan
19 Comments
 
LVL 36

Assisted Solution

by:Kimputer
Kimputer earned 200 total points
ID: 39993742
Configuring NAT requires a bit of knowledge about internet/networks/routing. If a user reads up and studies a bit, and has basic understanding of networking, he can solve it himself (in home and small business situations). Usually in home situations, no configuring is needed anyway, as there's just no need for it. It only comes into play when a "server" needs to be accessed from the internet.
In an Enterprise environment, a common user probably can't escape intensive Sonicwall/Juniper/Cisco courses before he can solve NAT problems.
0
 
LVL 47

Expert Comment

by:Craig Beck
ID: 39993804
To answer your question simply...

Company networks use something called private addressing.  This means we don't have to apply for IP addresses from the ISP.  If your company has 4000 devices that would cost a fortune.

In order for devices on the network to access the internet they must use a public IP address, instead of a private one.  Private IP addresses are 10.0.0.0 - 10.255.255.255, 172.16.0.0 - 172.31.255.255 and 192.168.0.0 - 192.168.255.255.  These addresses aren't routable across the internet.

In order to make these addresses accessible we use NAT.  This hides the private IP addresses and substitutes them with public IP addresses.  There are many forms of NAT, but the most common in this scenario is NAT overload.  Basically all devices on your network are translated (or hidden) by one public IP address which your ISP assigns to your internet circuit.  You can have more IP addresses though.

Most off-the-shelf routers will run NAT straight out of the box.  Think of this just the same as your home router from your ISP.  More expensive routers (Cisco, HP, etc) can run NAT but it's not something which is configured to work by default.  To get it working on a Cisco 1921 for example you have to configure it specifically.

If your company just wants to simply provide everyone with internet access, this is simple, but if you want to allow people on the internet to access servers on your network you'd need a network guy to configure PAT (port address translation) on the router.  This is also known as port-forwarding.
0
 

Author Comment

by:jskfan
ID: 39994068
<<If your company just wants to simply provide everyone with internet access, this is simple, but if you want to allow people on the internet to access servers on your network you'd need a network guy to configure PAT (port address translation) on the router.>>

That's what I was looking for.
So if no one from the internet is accessing my local network, then there is no need to configure NAT? Assuming only the inside network users need access to the internet…
0
 
LVL 26

Expert Comment

by:Fred Marshall
ID: 39994232
I'm afraid that there may be some misunderstanding.  If so, perhaps this will help:

- Commodity routers almost all provide NAT without any setup.  It's the normal thing.

- Professional routers often don't provide NAT without some configuration.

If you have the former then there's really nothing to do.  But, if you have the latter then you'd have to perhaps do some small amount of configuring.  But, this is likely no more than a command or two.

NAT is a way to separate the LAN from the internet.  
Consider this:
- a laptop is connected to a modem for internet access and gets a public IP address.  Thus the laptop is directly accessible on the internet (less any firewall features in the modem or on the laptop).  The laptop is addressed directly.
BUT - what about the applications on the laptop that interface with services on the internet?  How are packets returned to these applications?  Who knows how/what to do?
The answer is "ports".  
And ports are, in a simple view, just address extensions like "Apartment 12".
So, with their port numbers, applications can be reached.

But generally one doesn't have enough public addresses and one wants to have private LAN addresses. Thus, NAT is required by almost all of us.
NAT can be described similarly.
A port number is identified for a particular computer / application on the LAN by the NAT process on the router.  So, when return packets arrive, they can be routed appropriately.
This is how a computer's LAN IP address gets "coded".
0
 
LVL 47

Expert Comment

by:Craig Beck
ID: 39994262
> So if no one from internet is accessing my local Network, then there is no need to configure NAT? assuming only the inside network users need access to internet…

Assuming that the router does NAT by default, no there is no need to do anything.  The router will just let everyone get to the internet from the LAN, and no-one from the internet will be able to get in.

@fmarshall - I think you just confused it a bit more :-)

> NAT is a way to separate the LAN from the internet.

Kind of, but a more accurate example would be a firewall.  A NAT device is primarily designed to translate one address to another.  A firewall separates segments and allows/blocks traffic.
0
 
LVL 27

Expert Comment

by:skullnobrains
ID: 39996012
> That's what I was looking for…….
> So if no one from internet is accessing my local Network, then there is no need to configure NAT? assuming only the inside network users need access to internet…

++craigbeck

i'd add that configuring NAT is actually quite trivial on anything that has a gui, and usually not very difficult on command line ones with the noticeable exception of cisco boxes which require a lot of training to do the simplest tasks.

typically,

NAT outgoing traffic (when not preconfigured) is either configured using a single generic rule (source=LAN, destination=WAN, nat-to=EXTERNAL_IP, what_to_nat=source), or in each rule that allows outgoing traffic through checking a NAT checkbox and selecting the proper interface.

NAT/PAT incoming traffic is usually not that much more complicated. you'll find rule-based PAT (source=WAN, destination=EXTERNAL_IP/PORT, redirect_to=server_ip/port, what_to_nat=destination/both) or a concept of virtual IP which allows to associate an external IP with an internal one and performs more or less the same task adding a level of abstraction (and actually more complexity) to the setup

there are variations in terminology and way to configure stuff but the concepts are not more complicated and it always boils down to transforming either the source or destination ip (or both) and use the proper ip (rule of thumb : for source nat, use the ip of the box that performs nat on the interface the packet will be leaving, and for destination nat, use your server's)

no need to be a rocket scientist

> So when and why a company Network Administrator is called to configure NAT ?

usually they set it up once and for all when they setup the firewall/router

then they are called to add/modify a trivial port redirection when you add a new server or move it because although it is trivial to do, "normal" users are (hopefully ?) not allowed to play with firewall rules.
0
 
LVL 26

Assisted Solution

by:Fred Marshall
Fred Marshall earned 400 total points
ID: 39996744
craigbeck: I guess it depends on how you'd like to define "separate".  I don't have any problem with the original usage.  But you can find fault if you define it another way I suppose.  

The question was about NAT and not about firewalls.... but one might imply the need.
0
 
LVL 47

Expert Comment

by:Craig Beck
ID: 39996776
But I took NAT at face value...

You can use a chair to climb but that's not what it's really for :-)
0
 

Author Comment

by:jskfan
ID: 39997514
Actually..it is not about whether the command line configuration is complex or simple….

it is about when NAT has to be configured.
I know that most or all companies have firewall and have access to internet.
So without NAT, company LAN networks still can access internet and be protected with Firewall… I am not sure if NAT has to be configured ONLY when an application from inside LAN needs to get responses back from other Apps on the internet? or ONLY when users from internet need access to the inside LAN?
0
 
LVL 47

Expert Comment

by:Craig Beck
ID: 39997528
No, without NAT you can't get to the internet even if you have a firewall, unless your LAN hosts have public IP addresses.

In its simplest form it's like this...

LAN PC: 10.1.1.1 - needs NAT to get internet.
LAN PC: 172.16.5.107 - needs NAT to get internet.
LAN PC: 192.168.200.3 - needs NAT to get internet.
LAN PC: 217.32.8.97 - doesn't need NAT to get to internet.

> I am not sure if NAT has to be configured ONLY when an application from inside LAN needs to get responses back from other Apps on the internet?

Many LAN hosts use NAT overload to share a common internet (public) IP.

> or ONLY when users from internet need access to the inside LAN?

PAT (port forwarding) is used for this.
0
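Added example (not part of any post in this thread): a toy model of the NAT overload and port forwarding described in the answers above, showing why the private hosts in the list need translation, how replies find their way back by port, and why unsolicited inbound traffic has nowhere to go until a forward is configured. The class and function names, the 203.0.113.x / 198.51.100.x addresses and the port numbers are constructed for illustration, and matching replies on public port plus remote endpoint is a simplifying assumption; real devices differ in how they match.

```python
import ipaddress

# The three private ranges listed in the thread (RFC 1918).
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def needs_nat(ip):
    """True if ip is a private address, i.e. not routable on the internet."""
    return any(ipaddress.ip_address(ip) in net for net in PRIVATE)

class NatRouter:
    """Toy NAT overload (PAT) table: many LAN hosts share one public IP."""
    def __init__(self, public_ip, first_port=40000):
        self.public_ip, self.next_port = public_ip, first_port
        self.out = {}       # (lan_ip, lan_port, remote) -> public port
        self.back = {}      # (public port, remote) -> (lan_ip, lan_port)
        self.forwards = {}  # public port -> (server_ip, server_port)

    def outbound(self, lan_ip, lan_port, remote):
        """Source NAT: rewrite a private source to public_ip:port and remember it."""
        if not needs_nat(lan_ip):
            return (lan_ip, lan_port)          # public host: routed untranslated
        key = (lan_ip, lan_port, remote)
        if key not in self.out:
            self.out[key] = self.next_port
            self.back[(self.next_port, remote)] = (lan_ip, lan_port)
            self.next_port += 1
        return (self.public_ip, self.out[key])

    def inbound(self, remote, public_port):
        """LAN destination for a packet from the internet, or None if dropped."""
        if (public_port, remote) in self.back:   # reply to a flow a LAN host started
            return self.back[(public_port, remote)]
        return self.forwards.get(public_port)    # otherwise only a configured forward

    def port_forward(self, public_port, server_ip, server_port):
        """Destination NAT: publish one internal server port on the public IP."""
        self.forwards[public_port] = (server_ip, server_port)

def demo():
    """Constructed sample: two LAN PCs browse, then one internal server is published."""
    r = NatRouter("203.0.113.10")              # documentation address, constructed
    web = ("198.51.100.7", 443)
    a = r.outbound("10.1.1.1", 51000, web)
    b = r.outbound("192.168.200.3", 51000, web)
    reply = r.inbound(web, a[1])
    unsolicited = r.inbound(("198.51.100.99", 4444), 80)
    r.port_forward(80, "10.1.1.20", 8080)
    published = r.inbound(("198.51.100.99", 4444), 80)
    return a, b, reply, unsolicited, published
```

Each entry in `forwards` is a path from the internet to an internal host, so those entries are the part of a NAT configuration worth auditing.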
 
LVL 27

Expert Comment

by:skullnobrains
ID: 39998336
++craigbeck

to make it simple, NAT is necessary when you have more computers (firewall included) than public addresses.
0
 
LVL 26

Expert Comment

by:Fred Marshall
ID: 39999702
> But generally one doesn't have enough public addresses and one wants to have private LAN addresses. Thus, NAT is required by almost all of us.

I did try to express this notion earlier....
0
 

Author Comment

by:jskfan
ID: 40002902
<<<LAN PC: 10.1.1.1 - needs NAT to get internet.
LAN PC: 172.16.5.107 - needs NAT to get internet.
LAN PC: 192.168.200.3 - needs NAT to get internet.
>>>>


Can't I create the above VLANs on an L3 switch and route them to an internet router (just like the one at home?) without using NAT?
Unless you are saying that the internet router used by people at home already has built-in NAT configured… If that's the case, the same can be applied at the company, if I am not wrong?
0
 
LVL 47

Expert Comment

by:Craig Beck
ID: 40002919
No you can't route your LANs straight to the internet without NAT.

Internet routers used at home already do NAT by default, so it looks like you don't need to use NAT, but really you're already using it, just without knowing.
0
 
LVL 27

Expert Comment

by:skullnobrains
ID: 40003395
additionally, if you do so, the packets will be dropped AND your ISP might get angry or laugh at you and possibly terminate your connection in the first case. using private address space on the internet is not only non-functional but also forbidden.
0
 

Author Comment

by:jskfan
ID: 40003543
Craigbeck:
<<<Internet routers used at home already do NAT by default, so it looks like you don't need to use NAT, but really you're already using it, just without knowing.>>>>>

That's what I was talking about. If I can use an internet router at home to get separate LANs to reach the internet, why not at the office, without manually configuring NAT?
0
 
LVL 47

Accepted Solution

by:
Craig Beck earned 700 total points
ID: 40003557
> That's what I was talking about..If I can use Internet Router at home to get separate LANs reach internet why not at the office ? without manually configuring NAT?

You can do this without configuring NAT, as long as it's enabled by default.  That's not what you said though...

> Cannot I create the above VLANs on L3 switch and route them to internet router(just like the one at home ?) without using NAT ?

You said "without using NAT".  You can't do it without using NAT.  It is required and you are using it even if you don't configure it if it's enabled by default on the router.
0
 
LVL 27

Assisted Solution

by:skullnobrains
skullnobrains earned 700 total points
ID: 40003833
office connections are not always the same as home connections. in most cases, at least external IPs and gateways need to be configured, and professional hardware comes with little preconfiguration even NAT-wise, so you'll have to do some work.

then if you use an aDSL link at your office, or have a provider that gives you an ethernet endpoint and provides addresses over dhcp, most likely any home router will just work with no extra configuration
0
 

Author Closing Comment

by:jskfan
ID: 40008649
Thank you Guys!
0

Question has a verified solution.
