NAT: what it is, and instructions for setting it up

What is NAT

Your computer may be connected to the Internet directly. In that case it is said to have an external IP address.

This usually means that the computer is connected directly to a modem (DSL, cable or an ordinary analog one).

Being behind NAT means that your computer is not connected to the Internet directly but to a local network. It then has an internal IP address, which by itself is not reachable from the Internet.

Your computer reaches the Internet through NAT, the process of translating internal addresses into external ones and back. The NAT device is usually called a router.

The peculiarity of NAT is that connections initiated by your computer pass transparently through the NAT device to the Internet, whereas connections that other computers on the Internet would like to establish with you cannot reach you.

Finding the computer's IP address

Open the dialog box for running programs: click the Start button and select Run from the menu.

In Windows 2000/XP, type the command cmd /k ipconfig, click OK and look at the result.

    Windows 2000 IP Configuration

    Ethernet adapter Local Area Connection:

            Connection-specific DNS Suffix . :
            IP Address. . . . . . . . . . . . : 192.168.1.10
            Subnet Mask . . . . . . . . . . . : 255.255.255.0
            Default Gateway . . . . . . . . . : 192.168.1.1

The first of these addresses (IP Address) is the IP address of your computer.

Are you behind NAT?

Three special ranges of IP addresses are reserved for local networks and are not used on the Internet:

    10.0.0.0 - 10.255.255.255
    172.16.0.0 - 172.31.255.255
    192.168.0.0 - 192.168.255.255

If your computer's IP address falls in one of these ranges, that is, it starts with 10., with 192.168. or with 172.nn. (where nn is between 16 and 31), then it is a local (internal) address and you are definitely behind NAT.

If not, check next under which IP address other computers on the Internet see you, for example on whatsmyip.org ("Your IP Address is x.x.x.x" at the top of the page) or on myipaddress.com.

If your computer's IP address matches the one these sites show, you are definitely connected to the Internet directly.

In other cases it is impossible to say for sure. The following possibilities remain:

  • You are behind NAT, but your network administrator chose non-standard internal addresses for your local network. Find the administrator and ask why that was necessary.
  • You access the Internet through a proxy server (in which case whatsmyip.org showed you the address of that proxy server). In many cases you can determine whether there is a proxy server between you and the Internet using, for example, lagado.com/proxy-test.

    Connecting via a proxy is not covered in this guide.
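The check described above, as an added example that is not part of the original guide: it parses the ipconfig output, tests the address against the three reserved ranges and applies the decision rule. The ipconfig text is a constructed sample modelled on the listing above; the address you are seen under from the Internet is assumed to be pasted in by hand from a site such as whatsmyip.org.

```python
import ipaddress
import re

# The three reserved ranges listed above (RFC 1918).
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample of "cmd /k ipconfig" output, laid out like the listing above.
IPCONFIG_SAMPLE = """Windows 2000 IP Configuration

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix . :
        IP Address. . . . . . . . . . . . : 192.168.1.10
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
"""


def parse_ipconfig(text):
    """Return (IP address, default gateway) from ipconfig output; None for a missing field."""
    def field(name):
        # The label is followed by dot leaders, a colon and the dotted-quad value.
        m = re.search(name + r"[ .]*:\s*(\d{1,3}(?:\.\d{1,3}){3})", text)
        return m.group(1) if m else None
    return field("IP Address"), field("Default Gateway")


def is_private(addr):
    """True if addr falls inside one of the reserved local ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_RANGES)


def classify_connection(local_addr, seen_from_internet=None):
    """Apply the decision rule from the text.

    local_addr: the address ipconfig shows on this machine.
    seen_from_internet: the address an external site reports for us, pasted in
    by hand (assumption); None if that check has not been done yet.
    """
    if is_private(local_addr):
        return "behind NAT"
    if seen_from_internet is not None and seen_from_internet == local_addr:
        return "direct"
    return "undetermined"


if __name__ == "__main__":
    ip, gateway = parse_ipconfig(IPCONFIG_SAMPLE)
    print(ip, gateway, classify_connection(ip))
```

One caveat worth knowing: providers that run NAT for their customers frequently hand out addresses from 100.64.0.0/10 (the shared address space of RFC 6598), which is outside the three ranges above, so a host behind provider NAT can land in the "undetermined" branch of this rule rather than "behind NAT".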

Connection options via NAT

If you are behind NAT, the next step is to determine where exactly the NAT device is located.

NAT at the provider

In this case it is said that
  • the provider supplies Internet access via NAT,
  • or the provider does not give you an external IP address,
  • or you are connected through the provider's local network.

The easiest way is to call your provider and ask. Or ask knowledgeable neighbours who have the same kind of connection.

When you connect to the Internet through the provider's local network, you cannot make a port of your own reachable, unless of course your provider forwards a specific port just for you, which is unlikely, or unless you pay extra for the service usually called an "external" ("white") IP address.

NAT in an office or apartment building

In principle the situation is the same, but you can try to find an approach to the local administrator. Ultimately, whether a port can be made reachable depends on whether you have access to the router settings.

You can also try UPnP, in case your router has it enabled.

Your own NAT

In this case you can almost always configure it and obtain a reachable port.

Usually this is either a connection through a home router or a connection through another computer, for example using ICS (the second option is not covered here).

Of course, it also happens that you have NAT both at home and at the provider, that is, your computer is behind two NATs at once. You can check this by opening the router settings, looking at its external address and then applying the scenario above to that address (does it belong to one of the local ranges, does it match the address under which you are seen on the Internet).

Good day, dear readers! Well, let's talk about NAT.

Today we will discuss in more detail a somewhat painful and rather incomprehensible topic, though more incomprehensible than painful.

For the most part this problem affects those who play multiplayer games, and in short it sounds like this: "WHY DOES NOBODY CONNECT TO ME?" For others the problem looks a little different, namely:

  • Why doesn't the torrent download?
  • Why can't users/friends/acquaintances/complete strangers connect to the FTP, WEB, VOIP (TS, Mumble, bucket) and other servers that you spent so long setting up, having even checked that everything works on your side?
  • Why is your personal home server empty? Could this be a universal conspiracy?

But there is no conspiracy: the culprit of all these troubles sits right next to you, slyly winking at you with its lights, and its name is... the router, yes, the same one that distributes the Internet to all your (and maybe your neighbours') devices.

In short, Internet users simply cannot connect to you because your router does not let them, and it does this not on a whim but because it does not know that all these people want to connect to you. So it thinks they want something from it.

Yes, I have just described why NAT is needed. Now, about what it is.

General definition

NAT (Network Address Translation) is a mechanism that lets the router determine which services located behind it should be accessible from the Internet, so that users out there can use those services (I did not take the definition from the wiki, because it is abstruse and not everyone understands it).

NAT is present in one form or another in all routers and server operating systems. In routers it is usually called port forwarding, in Linux it is iptables, and on Windows servers it lives in a dedicated tool. Now let's talk about the various types of NAT.

Type one, Static NAT

Static NAT is not required at home, but it is needed if your provider has allocated several IP addresses (external, or "white", addresses) to your company and you need some servers to be always visible from the Internet without their addresses changing.

That is, a 1:1 address conversion takes place (one external IP is assigned to one internal server). With this setup your servers will always be accessible from the Internet on any port.

  • The advantage of this method is that you open access from the Internet specifically for a specific program on a specific computer/server; all other ports of the computer/server remain closed;
  • The disadvantage is that you need to open all the ports manually (sometimes programs do this for you using UPnP, but that does not always work).

Afterword

It turned out a little chaotic, and the topic is quite complicated, but I hope the word NAT no longer makes you shiver :)

As always, if you have any questions, thoughts, additions, etc., please feel free to comment on this post.

PS: For the existence of the article, special thanks to a friend of the project and a member of our team under the nickname “barn4k“

NAT (Network Address Translation) is a technology for translating network addresses. NAT made it possible to solve the biggest problem of the IPv4 protocol: by the mid-1990s it was expected that the IPv4 address space would be completely exhausted. Had NAT not been invented, the growth of the Internet would have slowed considerably. Of course, a new version of the IP protocol, IPv6, has by now been created. It supports such a huge number of IP addresses that NAT loses its point. However, quite a few organizations still use IPv4 in their work, and a complete transition to IPv6 will not happen soon. Therefore it makes sense to study NAT.

Network Address Translation (NAT) allows a host that does not have a white IP address to communicate with other hosts over the Internet. A white IP address is a registered, unique, global IP address on the Internet. There are also "grey" IP addresses, which are used in a private network and are not routed on the Internet. This is why NAT is needed: it replaces the grey IP address with a white one. The ranges of grey IP addresses are presented in the table.

NAT replaces private IP addresses with public registered IP addresses in every IP packet.

When performing NAT translation, the router changes the source IP address at the moment the packet leaves the private network. The router also changes the destination address of every packet returning to the private network. Cisco IOS software supports several types of NAT translation:

  1. Static NAT translation: each private IP address corresponds to one public IP address. With static translation, the NAT router simply establishes a one-to-one mapping between a private IP address and the registered IP address on whose behalf it acts.
  2. Dynamic NAT translation: internal IP addresses are converted to external ones dynamically. A pool of possible public IP addresses is created, and the IP addresses used for translation are chosen dynamically from that pool.
  3. PAT (Port Address Translation): allows scaling to many clients using just a few public IP addresses. PAT distinguishes the translations by TCP/UDP port number.

Let's take a closer look at each type of translation.

Static NAT translation establishes an exact correspondence between private and public IP addresses. Let's look at an example.

The company's ISP assigns it the registered network number 200.1.1.0. Accordingly, the NAT router must make the private addresses appear as if they were on the 200.1.1.0 network. To do this, the router changes the source IP address in packets sent from left to right, as in the figure. In this example the router changes the private IP address 10.1.1.1 to the public IP address 200.1.1.1. Another private address, 10.1.1.2, has the corresponding public address 200.1.1.2. Next, let's look at configuring static NAT on Cisco.

Configuring static NAT translation on Cisco equipment requires the least work compared to the other options. You need to establish the correspondence between the local (private) and global (public) IP addresses. You also need to tell the router on which interfaces to use NAT, since it may not be enabled on every interface. Specifically, each interface must be marked as inside or outside.

The diagram shows that the user received from the provider the class C network 100.0.0.0. This entire network, with the mask 255.255.255.0, is configured on the serial link between the user and the Internet. Because this is a point-to-point link, only 2 of the 254 valid IP addresses of this network are used.

Configuration for the NAT_GW router (the interface commands are elided in the source; they are reconstructed here, as an assumption, from the same addressing scheme the dynamic NAT configuration on this page uses, and the text itself states that ip nat inside and ip nat outside must be set on the interfaces):

    NAT_GW>enable
    NAT_GW#configure terminal
    NAT_GW(config)#interface fa0/0                           - interface towards the private network
    NAT_GW(config-if)#description LAN                        - interface description
    NAT_GW(config-if)#ip address 192.168.1.1 255.255.255.0   - set IP and mask (this address is the LAN hosts' default gateway)
    NAT_GW(config-if)#ip nat inside                          - mark the interface as inside
    NAT_GW(config-if)#no shutdown                            - physically turn on the interface
    NAT_GW(config-if)#exit
    NAT_GW(config)#interface fa0/1                           - interface towards the provider
    NAT_GW(config-if)#description ISP                        - interface description
    NAT_GW(config-if)#ip address 100.0.0.253 255.255.255.0   - set IP and mask
    NAT_GW(config-if)#ip nat outside                         - mark the interface as outside
    NAT_GW(config-if)#no shutdown                            - physically turn on the interface
    NAT_GW(config-if)#exit
    NAT_GW(config)#ip nat inside source static 192.168.1.2 100.0.0.1   - static address mapping
    NAT_GW(config)#ip nat inside source static 192.168.1.3 100.0.0.2   - static address mapping
    NAT_GW(config)#ip nat inside source static 192.168.1.4 100.0.0.3   - static address mapping

Static mappings are created with the command ip nat inside source static. The keyword inside means that NAT translates addresses for hosts located on the inside part of the network. The keyword source means that NAT translates the source IP addresses of packets arriving on its inside interfaces. The keyword static means that the entry is a static one, which will never be removed from the NAT table through expiry of a timeout. When static NAT entries are created, the router needs to know which interfaces are inside and which are outside; the interface subcommands ip nat inside and ip nat outside mark each interface accordingly.

To view the important information about NAT there are two commands: show ip nat translations and show ip nat statistics.

The first command displays the three static NAT translation entries created in the configuration. The second displays statistics, such as the number of entries currently active in the translation table. The statistics also include the hit count, which increases by one for every packet for which NAT has to translate addresses.

Let's move on to dynamic NAT translation. Dynamic translation creates a pool of possible inside global addresses and defines a matching criterion that determines which inside local IP addresses should be translated by NAT. For example, in the diagram below a pool of five global IP addresses in the range 200.1.1.1 - 200.1.1.5 has been set up. NAT is also configured to translate all inside local addresses that begin with the octets 10.1.1.

When setting up dynamic NAT on Cisco equipment, each interface still has to be identified as inside or outside, but static mappings no longer need to be specified. To specify the private IP addresses to be translated, dynamic NAT uses access control lists (I wrote about them earlier), and it also defines the pool of registered public IP addresses from which addresses are allocated. So the procedure for configuring dynamic translation is:

  1. Configure the interfaces on the inside subnet with the command ip nat inside.
  2. Configure the interfaces on the outside subnet with the command ip nat outside.
  3. Configure an ACL that matches the packets arriving on the inside interfaces to which NAT translation should be applied.
  4. Configure the pool of public registered IP addresses with the global configuration command ip nat pool name first-address last-address netmask subnet-mask.
  5. Enable dynamic NAT with the global configuration command ip nat inside source list acl-number pool pool-name.

The scheme is the same as last time. New configuration for the NAT_GW router:

    NAT_GW>enable                                            - enter privileged mode
    NAT_GW#configure terminal                                - enter configuration mode
    NAT_GW(config)#interface fa0/0                           - interface towards the private network
    NAT_GW(config-if)#description LAN                        - interface description
    NAT_GW(config-if)#ip address 192.168.1.1 255.255.255.0   - set IP and mask (this address is the LAN hosts' default gateway)
    NAT_GW(config-if)#no shutdown                            - physically turn on the interface
    NAT_GW(config-if)#ip nat inside                          - configure the interface as inside
    NAT_GW(config-if)#exit
    NAT_GW(config)#interface fa0/1                           - interface towards the provider
    NAT_GW(config-if)#description ISP                        - interface description
    NAT_GW(config-if)#ip address 100.0.0.253 255.255.255.0   - set IP and mask
    NAT_GW(config-if)#no shutdown                            - physically turn on the interface
    NAT_GW(config-if)#ip nat outside                         - configure the interface as outside
    NAT_GW(config-if)#exit
    NAT_GW(config)#ip nat pool testPool 100.0.0.1 100.0.0.252 netmask 255.255.255.0   - create the dynamic pool
    NAT_GW(config)#access-list 1 permit 192.168.1.0 0.0.0.255   - create access list 1, permitting the 192.168.1.0/24 subnet to be translated
    NAT_GW(config)#ip nat inside source list 1 pool testPool     - enable dynamic translation
    NAT_GW(config)#ip route 0.0.0.0 0.0.0.0 100.0.0.254          - static default route towards the provider

The next type of translation is PAT (Port Address Translation). I will talk about this type of NAT in the next article, when we connect a local subnet to the Internet. The topic is quite large and important: PAT is the most popular type of NAT.


2^32, or 4,294,967,296, IPv4 addresses: is that a lot? It seems so. However, with the spread of personal computers and mobile devices and the rapid growth of the Internet, it soon became clear that 4.3 billion IPv4 addresses would not be enough. The long-term solution was IPv6, but a quicker solution was needed to relieve the address shortage. That solution was NAT (Network Address Translation).

What is NAT

Networks are typically designed using private IP addresses: the ranges 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16. These private addresses are used within an organization or site to let devices communicate locally, and they are not routed across the Internet. For a device with a private IPv4 address to reach devices and resources outside the local network, the private address must first be translated to a public address.

That is exactly what NAT does: it converts private addresses into public ones. This lets a device with a private IPv4 address reach resources outside its private network. NAT, combined with private IPv4 addresses, has proven a useful way of conserving public IPv4 addresses: one public IPv4 address can be used by hundreds, even thousands, of devices, each with its own private IPv4 address. NAT has the added benefit of providing a degree of privacy and security, because it hides internal IPv4 addresses from external networks.

NAT-enabled routers can be configured with one or more valid public IPv4 addresses. These public addresses are called the NAT pool. When a device on the internal network sends traffic outside the network, the NAT-enabled router translates the device's internal IPv4 address to a public address from the NAT pool. To external devices, all traffic entering and leaving the network appears to have a public IPv4 address.

A NAT router usually operates at the border of a stub network. A stub network is one that has a single connection to a neighbouring network: one way in and one way out.

When a device inside the stub network wants to communicate with a device outside its network, the packet is forwarded to the border router, which performs the NAT process, translating the device's internal private address to a public, external, routable address.

NAT Terminology

In NAT terminology, an internal network is a set of networks to be translated. The external network refers to all other networks.

When using NAT, IPv4 addresses have different designations based on whether they are on a private network or a public network (the Internet), and whether the traffic is inbound or outbound.

NAT includes four types of addresses:

  • Inside local address;
  • Inside global address;
  • Outside local address;
  • Outside global address;

When determining which type of address is used, it is important to remember that NAT terminology is always applied from the point of view of the device whose address is translated:

  • Inside address: the address of the device that is translated by NAT;
  • Outside address: the address of the destination device;
  • Local address: any address as it appears on the inside part of the network;
  • Global address: any address as it appears on the outside part of the network.

Let's look at this using an example diagram.


In the figure, the PC has an inside local address of 192.168.1.5, and from its point of view the web server has an outside address of 208.141.17.4. When packets are sent from the PC to the web server's global address, the PC's inside local address is translated to 208.141.16.5 (inside global). The outside device's address is usually not translated, because it is already a public IPv4 address.

Note that the PC has different local and global addresses, while the web server has the same public IP address in both views. From its point of view, traffic originating from the PC comes from the inside global address 208.141.16.5. The NAT router is the demarcation point between the inside and outside networks, and between local and global addresses.

The terms inside and outside are combined with the terms local and global to refer to specific addresses. In the figure, the router is configured to provide NAT and has a pool of public addresses to assign to inside hosts.

The figure shows how traffic is sent from an inside PC to an outside web server through a NAT-enabled router, and how it is forwarded back in the opposite direction.


Inside local address: the source address as seen from the inside network. In the figure, the address 192.168.1.5 assigned to the PC is its inside local address.

Inside global address: the source address as seen from the outside network. In the figure, when traffic from the PC is sent to the web server at 208.141.17.4, the router translates the inside local address to the inside global address. In this case the router changes the IPv4 source address from 192.168.1.5 to 208.141.16.5.

Outside global address: the destination address as seen from the outside network. This is a globally routable IPv4 address assigned to a host on the Internet. In the diagram, the web server is reachable at 208.141.17.4. Most often the outside local and outside global addresses are the same.

Outside local address: the destination address as seen from the inside network. In this example, the PC sends traffic to the web server at 208.141.17.4.

Let's follow the packet's entire path. A PC with the address 192.168.1.5 tries to communicate with the web server 208.141.17.4. When the packet arrives at the NAT-enabled router, the router reads the packet's IPv4 addresses to determine whether it meets the criteria specified for translation. In this example, the source address meets the criteria and is translated from 192.168.1.5 (inside local address) to 208.141.16.5 (inside global address). The router adds this local-to-global mapping to the NAT table and sends the packet, with the translated source address, on to its destination. The web server responds with a packet addressed to the PC's inside global address (208.141.16.5). The router receives the packet with destination address 208.141.16.5 and checks the NAT table, where it finds the entry for this mapping. Using that information, it translates the inside global address (208.141.16.5) back to the inside local address (192.168.1.5), and the packet is forwarded to the PC.

NAT types

There are three types of NAT translation:

  • Static Address Translation (Static NAT): one-to-one address mapping between local and global addresses;
  • Dynamic Address Translation (Dynamic NAT): many-to-many address mapping between local and global addresses;
  • Port Address Translation (PAT): many-to-one address mapping between local and global addresses using ports. This method is also known as NAT Overload.

Static NAT uses a one-to-one mapping of local and global addresses. These mappings are configured by the network administrator and remain permanent. When devices send traffic to the Internet, their inside local addresses are translated to the configured inside global addresses. To outside networks these devices have public IPv4 addresses. Static NAT is especially useful for devices that must have a consistent address reachable from the Internet, such as a company's web server. Static NAT requires enough public addresses to cover the total number of concurrent user sessions.

A static NAT table looks like this:


Dynamic NAT uses a pool of public addresses and assigns them on a first-come, first-served basis. When an inside host requests access to an outside network, dynamic NAT assigns it an available public IPv4 address from the pool. Like static NAT, dynamic NAT requires enough public addresses to cover the total number of concurrent user sessions.

A dynamic NAT table looks like this:


Port Address Translation (PAT)

PAT translates multiple private addresses to one or more public addresses. This is what most home routers do: the ISP assigns one address to the router, yet several family members can use the Internet at the same time. It is the most common form of NAT.

With PAT, multiple addresses can be mapped to one or a few addresses because each private address is also tracked by a port number. When a device initiates a TCP/IP session, it generates a TCP or UDP source port value to uniquely identify the session. When the NAT router receives a packet from a client, it uses the source port number to uniquely identify the specific NAT translation. PAT ensures that devices use a different TCP port number for each session. When the response comes back from the server, the source port number, which becomes the destination port number on the return path, determines to which device the router forwards the packets.

The figure illustrates the PAT process. PAT appends unique source port numbers to the inside global address to distinguish between translations.


As the router processes each packet, it uses the port number (1331 and 1555 in this example) to identify the device the packet came from.

The source address (Source Address) is the inside local address with the port number assigned by TCP/IP appended. The destination address (Destination Address) is the outside local address with the service port number appended. In this example the service port is 80 (HTTP).

For the source address, the router translates the inside local address to the inside global address, with the port number appended. The destination address does not change, but is now called the outside global address. When the web server responds, the path is reversed.

In this example the client port numbers 1331 and 1555 were not changed on the NAT router. This is not a very likely scenario, because there is a good chance these port numbers were already attached to other active sessions. PAT tries to preserve the original source port. If the original source port is already in use, however, PAT assigns the first available port number, counting from the beginning of the corresponding port group: 0-511, 512-1023 or 1024-65535. When there are no more ports and the address pool contains more than one external address, PAT moves on to the next address and tries to allocate the original source port there. This continues until no more ports or external IP addresses are available.

For example, another host might choose the same port number, 1444. On the inside that is acceptable, because the hosts have unique private IP addresses. On the NAT router, however, the port numbers must differ; otherwise packets from two different hosts would leave it with the same source address and port. So PAT assigns the next available port (1445) to the second host.
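The port selection rules above, as an added example that is not code from the original article: a small allocator that keeps the original source port when it is free, otherwise picks another port inside the same port group, and moves to the next pool address only when the group is exhausted on the current one. The pool addresses and hosts are constructed. The scan order (upward from the original port, then wrapping to the start of its group) is an assumption that reconciles the two statements above: 1444 becoming 1445, and "from the beginning of the corresponding port group".

```python
# Port groups named in the text: a translated port stays in the group of the original.
PORT_GROUPS = ((0, 511), (512, 1023), (1024, 65535))


def port_group(port):
    """Return the (low, high) bounds of the group a source port belongs to."""
    for low, high in PORT_GROUPS:
        if low <= port <= high:
            return low, high
    raise ValueError("port out of range: %d" % port)


class PatAllocator:
    """Chooses the inside global (address, port) pair for each new session."""

    def __init__(self, pool):
        self.pool = list(pool)                        # inside global addresses, tried in order
        self.in_use = {addr: set() for addr in self.pool}
        self.table = {}                               # (inside local ip, port) -> (global ip, port)

    @staticmethod
    def _free_port(used, src_port):
        low, high = port_group(src_port)
        if src_port not in used:                      # first choice: preserve the source port
            return src_port
        # Otherwise scan upward from the source port, then wrap to the start of its
        # group (assumption: this yields 1444 -> 1445 and never leaves the group).
        for p in list(range(src_port + 1, high + 1)) + list(range(low, src_port)):
            if p not in used:
                return p
        return None                                   # group exhausted on this address

    def allocate(self, inside_local, src_port):
        """Return the (global address, global port) assigned to this session."""
        key = (inside_local, src_port)
        if key in self.table:                         # existing session keeps its mapping
            return self.table[key]
        for addr in self.pool:                        # next address only when the current one is full
            port = self._free_port(self.in_use[addr], src_port)
            if port is not None:
                self.in_use[addr].add(port)
                self.table[key] = (addr, port)
                return addr, port
        raise RuntimeError("no ports or external addresses left")

    def release(self, inside_local, src_port):
        """Remove a finished session so its global port can be reused."""
        addr, port = self.table.pop((inside_local, src_port))
        self.in_use[addr].discard(port)


if __name__ == "__main__":
    pat = PatAllocator(["203.0.113.1", "203.0.113.2"])   # constructed pool
    print(pat.allocate("192.168.10.10", 1444))           # source port preserved
    print(pat.allocate("192.168.10.11", 1444))           # collision: next port in the group
```

The table maps inside local address and port to the chosen inside global pair, which is the view that show ip nat translations gives on Cisco equipment; in real devices entries also age out, which release() stands in for here.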

To summarize the comparison between NAT and PAT: as the tables show, NAT translates IPv4 addresses 1:1 between private and public IPv4 addresses, whereas PAT changes both the address and the port number. NAT forwards incoming packets to their inside address based on the source IP address given by the host on the public network; with PAT there is usually only one, or very few, publicly exposed IPv4 addresses, and incoming packets are forwarded based on the router's NAT table.

What about IPv4 packets carrying something other than TCP or UDP? Those packets contain no Layer 4 port number. PAT translates the most common protocols carried by IPv4 that do not use TCP or UDP as the transport layer protocol, the most common of which is ICMPv4. Each of these protocol types is handled differently by PAT. For example, ICMPv4 query messages, echo requests and echo replies, include a Query ID. ICMPv4 uses the Query ID to match an echo request with its reply; the ID is incremented with each ping sent. PAT uses the Query ID in place of the Layer 4 port number.

Advantages and Disadvantages of NAT

NAT provides many benefits, including:

  • NAT conserves the registered addressing scheme by allowing intranets to be privately addressed. With PAT, inside hosts can share a single public IPv4 address for all external communication. In this type of configuration very few external addresses are needed to support many inside hosts;
  • NAT increases the flexibility of connections to the public network. Multiple pools, backup pools and load-balancing pools can be implemented to provide reliable public network connections;
  • NAT provides consistency for the network's internal addressing scheme. In a network that does not use private IPv4 addresses and NAT, changing the general IPv4 addressing scheme requires readdressing every host on the existing network, and the cost of readdressing hosts can be significant. NAT lets the existing private IPv4 addressing scheme stay in place while the public addressing scheme can easily be changed. This means an organization can change providers without having to change any of its internal clients;

  • NAT provides network security. Because private networks do not advertise their addresses or internal topology, they remain reasonably secure when used together with NAT to achieve controlled external access. However, you need to understand that NAT does not replace a firewall;

But NAT also has drawbacks. The fact that hosts on the Internet appear to communicate directly with the NAT-enabled device rather than with the actual host inside the private network creates a number of problems:

  • One disadvantage of using NAT concerns network performance, especially for real-time protocols such as VoIP. NAT increases forwarding delay because it takes time to translate each IPv4 address in the packet headers;
  • Another disadvantage is that end-to-end addressing is lost. Many Internet protocols and applications depend on end-to-end addressing from source to destination, and some applications do not work with NAT. Applications that use physical addresses rather than a qualified domain name do not reach recipients translated through a NAT router. Sometimes this problem can be avoided by implementing static NAT mappings;
  • End-to-end IPv4 traceability is also lost. Packets that undergo multiple address changes over several NAT hops are harder to trace, which makes troubleshooting more difficult;
  • The use of NAT also complicates tunneling protocols such as IPsec, because NAT changes values in the headers, which interferes with the integrity checks performed by IPsec and other tunneling protocols;
  • Services that require TCP connections to be initiated from the outside network, or stateless protocols such as those using UDP, may be disrupted. If the NAT router is not configured to support such protocols, incoming packets cannot reach their destination.


Internet router, access server, firewall. The most popular is Source NAT(SNAT), the essence of the mechanism is to replace the source address when a packet passes in one direction and reversely replace the destination address in the response packet. Along with the source/destination addresses, the source and destination port numbers can also be replaced.

Besides SNAT, which gives hosts of a local network with internal addresses access to the Internet, Destination NAT (DNAT) is also widely used: requests from outside are translated by the firewall to a server on the local network that has an internal address and is therefore not directly reachable from the external network without NAT.

The figure below shows an example of the operation of the NAT mechanism.


Fig. 7.1.

A user on the corporate network sends a request to the Internet; it arrives at the internal interface of the router, access server, or firewall (the NAT device).

The NAT device receives the packet and makes an entry in the connection tracking table that governs the address translation for this flow.

It then replaces the source address of the packet with its own external public IP address and sends the packet to its destination on the Internet.

The destination host receives the packet and sends a reply back to the NAT device.

On receiving the reply, the NAT device looks up the sender of the original packet in the connection tracking table, replaces the destination IP address with the corresponding private IP address and forwards the packet to the originating computer. Because the NAT device sends packets on behalf of all internal computers, it also rewrites the source port, and that port is what the connection tracking entry is keyed on.

There are 3 basic concepts for address translation:

  • static (SAT, Static Network Address Translation),
  • dynamic (DAT, Dynamic Address Translation),
  • masquerade (NAPT, NAT Overload, PAT).

Static NAT maps local IP addresses to specific public addresses one-to-one. It is used when a local host must be reachable from outside at a fixed address.

Dynamic NAT maps a set of private addresses to a set of public IP addresses. If the number of local hosts does not exceed the number of public addresses available, each local address is guaranteed a public address. Otherwise, the number of hosts that can access external networks simultaneously is limited by the number of public addresses.

Masquerade NAT (NAPT, NAT Overload, PAT, masquerading) is a form of dynamic NAT that maps multiple private addresses to a single public IP address, telling the connections apart by port number; hence the name Port Address Translation (PAT).

The interaction between an internal local network and an external public network can be arranged in several ways, depending on the task (giving access outward, inward, or both), and is expressed as translation rules. In addition, NAT devices differ in how they map and filter traffic; four types of network address translation behaviour are distinguished:

  • Full Cone
  • Restricted Cone
  • Port Restricted Cone
  • Symmetric

In the first three types, an internal address:port is mapped to the same external port no matter which external hosts it communicates with; they differ only in which inbound packets are allowed through. The fourth type, symmetric, allocates a separate external port for each destination address and port.

Full Cone: the external port of the device (router, access server, firewall) is open to packets from any address. A user on the Internet who needs to send a packet to a client behind the NAT only needs to know the external port through which the mapping was established. For example, a computer behind NAT with IP address 192.168.0.4 sends and receives on port 8000, which is mapped to external address:port 10.1.1.1:12345 (the article uses 10.1.1.1 as the "external" address purely for illustration; it is itself from a private range). Packets from the external network arriving at 10.1.1.1:12345 are forwarded to the client at 192.168.0.4:8000.

For inbound packets only the transport protocol and the destination address:port are checked; the source address and port do not matter.

With Restricted Cone NAT, the external port of the device is open for any packet sent from the client computer (in our example 192.168.0.4:8000), but a packet from the external network (say from 172.16.0.5:4000) to 10.1.1.1:12345 is forwarded to 192.168.0.4:8000 only if 192.168.0.4:8000 previously sent a packet to that external host's IP address (here 172.16.0.5). The router thus forwards inbound packets only from source addresses the client has already contacted; the source port may be anything. Packets from hosts that 192.168.0.4:8000 never sent to are dropped.

Port Restricted Cone NAT is very similar, but the check covers both the source address and the source port: an inbound packet is forwarded only if the client previously sent a packet to exactly that IP address and port. In our example only 172.16.0.5:4000 can reach the client through 10.1.1.1:12345; a packet from 172.16.0.5:4001, or from any other host using source port 4000, is dropped. If the client has sent requests to several address:port pairs, each of them can send packets back to it at 10.1.1.1:12345.

Symmetric NAT differs significantly from the first three in how it maps the internal address:port to an external address:port: the mapping depends on the destination address:port of the request. For example, if client 192.168.0.4:8000 sends a request to host #1 (172.16.0.5:4000) it may appear as 10.1.1.1:12345, while a packet from the same source port 192.168.0.4:8000 to a different destination is given another mapping (10.1.1.1:12346). Only the host a mapping was created for can send packets back through it.
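As an added illustration (not code from the original article), the following Python model ties together the step-by-step SNAT walkthrough above and the four NAT types: a toy NAPT device keeps a connection tracking table keyed by external port, rewrites the source address and port on the way out, looks the reply up on the way back, and applies the filtering rule of the chosen type to inbound packets. The addresses (inside host 192.168.0.4:8000, NAT external address 10.1.1.1, remote hosts 172.16.0.5:4000 and 172.16.0.9:5000) and the starting external port 12345 are the constructed values from the text; the class and function names are the example's own.

```python
# Added example (not code from the original article): a toy NAPT device with a
# connection tracking table, parameterised by the four filtering behaviours
# described in the text. Addresses and ports are the constructed values used
# there; class/function names are the example's own.
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

FULL_CONE = "full-cone"
RESTRICTED_CONE = "restricted-cone"
PORT_RESTRICTED_CONE = "port-restricted-cone"
SYMMETRIC = "symmetric"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Napt:
    """One external IP address; flows are told apart by external port (PAT)."""

    def __init__(self, external_ip: str, nat_type: str, first_port: int = 12345):
        self.external_ip = external_ip
        self.nat_type = nat_type
        self.next_port = first_port
        # mapping key -> external port. For cone NATs the key is only the
        # inside (ip, port); for symmetric NAT it also includes the destination,
        # so each destination gets its own external port.
        self.mappings: Dict[tuple, int] = {}
        # external port -> inside (ip, port): the connection tracking table
        self.conntrack: Dict[int, Tuple[str, int]] = {}
        # external port -> remote (ip, port) pairs the inside host has sent to
        self.contacted: Dict[int, Set[Tuple[str, int]]] = {}

    def _key(self, p: Packet) -> tuple:
        if self.nat_type == SYMMETRIC:
            return (p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        return (p.src_ip, p.src_port)

    def outbound(self, p: Packet) -> Packet:
        """Inside -> outside: allocate or reuse an external port, rewrite source."""
        key = self._key(p)
        if key not in self.mappings:
            ext_port = self.next_port
            self.next_port += 1
            self.mappings[key] = ext_port
            self.conntrack[ext_port] = (p.src_ip, p.src_port)
            self.contacted[ext_port] = set()
        ext_port = self.mappings[key]
        self.contacted[ext_port].add((p.dst_ip, p.dst_port))
        return Packet(self.external_ip, ext_port, p.dst_ip, p.dst_port)

    def inbound(self, p: Packet) -> Optional[Packet]:
        """Outside -> inside: look up the mapping, apply the type's filter,
        rewrite the destination. Returns None when the packet is dropped."""
        if p.dst_ip != self.external_ip or p.dst_port not in self.conntrack:
            return None  # no translation exists for this port: dropped
        seen = self.contacted[p.dst_port]
        if self.nat_type == FULL_CONE:
            allowed = True  # any remote host may send to the mapped port
        elif self.nat_type == RESTRICTED_CONE:
            allowed = any(ip == p.src_ip for ip, _ in seen)  # source IP must match
        else:  # port-restricted cone and symmetric: source IP and port must match
            allowed = (p.src_ip, p.src_port) in seen
        if not allowed:
            return None
        in_ip, in_port = self.conntrack[p.dst_port]
        return Packet(p.src_ip, p.src_port, in_ip, in_port)


def demo(nat_type: str) -> dict:
    """Scenario from the text: 192.168.0.4:8000 talks to two remote hosts, then
    three inbound probes target the first mapping. Reports the allocated
    external ports and which probes are delivered to the inside host."""
    nat = Napt("10.1.1.1", nat_type)
    inside = ("192.168.0.4", 8000)
    first = nat.outbound(Packet(*inside, "172.16.0.5", 4000))
    second = nat.outbound(Packet(*inside, "172.16.0.9", 5000))
    probes = {
        "contacted host, same port": Packet("172.16.0.5", 4000, "10.1.1.1", first.src_port),
        "contacted host, other port": Packet("172.16.0.5", 4001, "10.1.1.1", first.src_port),
        "uncontacted host": Packet("172.16.0.7", 4000, "10.1.1.1", first.src_port),
    }
    return {
        "ports": (first.src_port, second.src_port),
        "delivered": {name: nat.inbound(pk) is not None for name, pk in probes.items()},
    }


if __name__ == "__main__":
    for kind in (FULL_CONE, RESTRICTED_CONE, PORT_RESTRICTED_CONE, SYMMETRIC):
        print(kind, demo(kind))
```

Running it prints, for each type, the external port(s) allocated for the two outbound flows and whether the three probe packets are delivered. Only the symmetric NAT allocates a second port for the second destination, and only the full cone delivers the packet from the uncontacted host; the restricted cone also lets through the contacted host on a different port, while the port-restricted cone and symmetric NAT accept only the exact address:port the client sent to. This is the difference that lets STUN-style hole punching work through cone NATs and fail through symmetric ones.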

  • It allows access from outside to internal hosts to be prevented or limited while still allowing access from the internal network to the external one. When a connection is initiated from inside, a translation is created; reply packets arriving from outside match that translation and are passed through. Packets from the external network for which no translation exists (one may be created dynamically when a connection is initiated, or statically) are not let through.
  • It allows individual internal services of internal hosts/servers to be hidden. Essentially the same translation as above is made for a specific port, but the internal port of a well-known service can be exposed on a different external port (for example, TCP port 80 (HTTP server) on external port 54055). From outside, after translation, a visitor who knows the port can reach the site (or forum) at http://dlink.ru:54055, while the internal server behind the NAT serves it on the usual port 80.
  • However, the disadvantages of this technology should be mentioned:

    1. Not all protocols can "traverse" NAT. Some fail if there is address translation on the path between the communicating hosts. Some NAT firewalls correct this by rewriting IP addresses not only in IP headers but also at higher layers (for example, in FTP protocol commands).
    2. Because of many-to-one address translation, identifying users becomes harder and complete translation logs have to be kept.
    3. Apparent DoS from the NAT host. If NAT connects many users to the same service, the service sees them all as one address and may mistake the aggregate of successes and failures for a DoS attack. For example, too many ICQ users behind one NAT caused connection problems for some of them because the server's permitted connection rate per address was exceeded.
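Point 1 above mentions NAT devices that rewrite addresses inside FTP commands. The following Python sketch, added here and not part of the original article, shows the core of such an application-layer gateway (ALG) for the active-mode FTP PORT command. In active mode the client announces its own IP and a listening port on the control channel as "PORT h1,h2,h3,h4,p1,p2" (port = p1*256 + p2); behind NAT that is a private address the server cannot connect to, so the ALG substitutes the NAT's external address, reserves an external port and records a mapping so the server's incoming data connection is translated to the client. The inside host 192.168.0.4, external address 10.1.1.1 and sample commands are constructed; the names are the example's own.

```python
# Added example (not code from the original article): a minimal application
# layer gateway (ALG) for the FTP PORT command, the case the text cites where
# a NAT must rewrite addresses above the IP header. Sample commands and
# addresses are constructed; class/function names are the example's own.
import re
from typing import Dict, Optional, Tuple

PORT_RE = re.compile(
    r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n$")


def parse_port(line: str) -> Optional[Tuple[str, int]]:
    """Return (ip, port) from a PORT command, or None if it is not a valid one."""
    m = PORT_RE.match(line)
    if m is None:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None  # malformed octet or port byte
    ip = ".".join(str(f) for f in fields[:4])
    return ip, fields[4] * 256 + fields[5]


def format_port(ip: str, port: int) -> str:
    """Encode an IP and port in the FTP PORT command wire form."""
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    return "PORT " + ",".join(ip.split(".") + [str(port // 256), str(port % 256)]) + "\r\n"


class FtpAlg:
    def __init__(self, external_ip: str, first_port: int = 40000):
        self.external_ip = external_ip
        self.next_port = first_port
        # external data port -> (inside ip, inside port): DNAT entries created
        # on demand so the server's data connection reaches the client
        self.data_mappings: Dict[int, Tuple[str, int]] = {}

    def rewrite_control(self, inside_ip: str, line: str) -> str:
        """Rewrite one client-to-server control line passing through the NAT."""
        parsed = parse_port(line)
        if parsed is None:
            return line  # not a PORT command (or malformed): pass through untouched
        ip, port = parsed
        if ip != inside_ip:
            # The client asks the server to connect somewhere other than itself
            # (the FTP bounce pattern). Create no mapping and leave the line
            # alone rather than turning the NAT into a relay for third hosts.
            return line
        ext_port = self.next_port
        self.next_port += 1
        self.data_mappings[ext_port] = (ip, port)
        return format_port(self.external_ip, ext_port)


if __name__ == "__main__":
    alg = FtpAlg("10.1.1.1")
    print(alg.rewrite_control("192.168.0.4", "PORT 192,168,0,4,31,144\r\n").strip())
    print(alg.data_mappings)
```

Two things the sketch leaves out matter in practice. The rewritten line is usually a different length from the original, so a real ALG must also adjust TCP sequence and acknowledgement numbers on the control connection for the rest of its lifetime (the Linux nf_nat_ftp helper does this). And an ALG that blindly mapped whatever address a PORT command carries would let a client ask the server to open connections to other hosts through the NAT, which is why the example refuses to create a mapping for an address the sender does not own.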