Nat control, Nat operation, Basic nat – H3C Technologies H3C S12500 Series Switches User Manual


3. The external server responds to the internal host with an IP packet whose destination IP address is 20.1.1.1. Upon receiving the packet, the NAT device checks the IP header, looks up the mapping in its NAT table, replaces the destination address with the private address 192.168.1.3, and then sends the new packet to the internal host.

The NAT operation is transparent to the terminals involved. The external server believes that the IP address of the internal PC is 20.1.1.1 and is unaware of the private address 192.168.1.3. As such, NAT hides the private network from the external networks.

Despite the advantages of allowing internal hosts to access external resources and providing privacy, NAT also has the following disadvantages:

• As NAT involves translation of IP addresses, the IP headers cannot be encrypted. This is also true of application protocol packets when the IP address or port number they carry needs to be translated. For example, you cannot encrypt an FTP connection, because its PORT command would then no longer work correctly.

• Network debugging becomes more difficult. For example, when a host in a private network tries to attack other networks, it is harder to pinpoint the attacking host because its IP address has been hidden.

NAT control

In practice, an enterprise needs to allow some hosts in the internal network to access external networks and prohibit others. This can be achieved through the NAT control mechanism. If a source IP address is among the denied addresses, the NAT device does not translate it. In addition, the NAT device only translates private addresses to specified public addresses.

NAT control can be achieved through an access control list (ACL) and an address pool:

• Only packets matching the ACL rules are served by NAT.

• An address pool is a collection of consecutive public IP addresses used for address translation. You can size an address pool based on the number of available public IP addresses, the number of internal hosts, and network requirements. The NAT device selects an address from the address pool as the public address of an IP packet.

NAT operation

Basic NAT

As shown in Figure 44, when an internal host accesses an external network, the NAT device uses a public IP address to replace the original private source IP address. In Figure 44, NAT uses the IP address of the outgoing interface as the public IP address. All internal hosts share this single public IP address to access external networks, so only one host can access external networks at a given time.

A NAT gateway can also hold multiple public IP addresses to support concurrent access requests. Whenever a new external network access request comes from the internal network, the NAT device chooses an available public IP address (if any) to replace the source IP address, records the mapping between the two addresses in its NAT table, and forwards the packet. In this way, multiple internal hosts can access external networks simultaneously.
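The following is an added example, not code from the H3C manual or the switch itself. It models the basic NAT behaviour described in the "NAT control" and "Basic NAT" sections: an ACL decides which private sources are served, an address pool of consecutive public addresses is handed out one-to-one, the mapping is recorded in a NAT table, and replies are reverse-translated. The pool range 20.1.1.1–20.1.1.2, the ACL 192.168.1.0/24 and the external server 203.0.113.5 are constructed values; the page itself only names 192.168.1.3 and 20.1.1.1.

```python
import ipaddress


class BasicNat:
    """Toy model of basic (one-to-one) NAT controlled by an ACL and an address pool."""

    def __init__(self, acl_permit, pool_start, pool_end):
        # ACL: only packets whose source falls in one of these networks are served by NAT.
        self.acl = [ipaddress.ip_network(n) for n in acl_permit]
        # Address pool: consecutive public addresses; each serves one internal host at a time.
        first, last = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
        self.free = [ipaddress.ip_address(i) for i in range(int(first), int(last) + 1)]
        self.table = {}    # NAT table: private address -> public address
        self.reverse = {}  # public address -> private address (for replies)

    def outbound(self, src, dst):
        """Handle a packet leaving the private network; returns (action, new_src, dst)."""
        src = ipaddress.ip_address(src)
        if not any(src in net for net in self.acl):
            # Denied by the ACL: the NAT device does not translate the address.
            return ("forward-untranslated", str(src), dst)
        if src not in self.table:
            if not self.free:
                # Pool exhausted: no public address is available for a new host.
                return ("drop", str(src), dst)
            pub = self.free.pop(0)
            self.table[src] = pub
            self.reverse[pub] = src
        return ("forward", str(self.table[src]), dst)

    def inbound(self, src, dst):
        """Handle a reply from the external network; returns (action, src, new_dst)."""
        dst = ipaddress.ip_address(dst)
        priv = self.reverse.get(dst)
        if priv is None:
            # No mapping in the NAT table: nothing to translate the reply back to.
            return ("drop", src, str(dst))
        return ("forward", src, str(priv))

    def release(self, private):
        """Tear down a mapping and return its public address to the pool."""
        pub = self.table.pop(ipaddress.ip_address(private))
        del self.reverse[pub]
        self.free.append(pub)
```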
