Nat control, Nat implementation, Basic nat – H3C Technologies H3C WX3000E Series Wireless Switches User Manual


3. The external server responds to the internal host with an IP packet whose destination IP address is 20.1.1.1. After receiving the packet, the NAT device checks the IP header, looks up its NAT table for the mapping, replaces the destination address with the private address 192.168.1.3, and then sends the new packet to the internal host.

The NAT operation is transparent to the terminals involved. The external server believes that the IP address of the internal PC is 20.1.1.1 and is unaware of the private address 192.168.1.3. As a result, NAT hides the private network from external networks.

Despite the advantages of allowing internal hosts to access external resources and providing privacy, NAT has the following disadvantages:

• Because NAT rewrites IP addresses, the IP headers cannot be encrypted or authenticated end to end (IPsec AH, for example, fails because it covers the very address fields that NAT changes). The same is true of application protocol packets that carry an IP address or port number that needs to be translated. For example, you cannot encrypt an FTP control connection; otherwise, the NAT device cannot see and rewrite the address in its PORT command, and the command cannot work correctly.

• Network debugging becomes more difficult. For example, when a host in a private network attacks other networks, it is harder to pinpoint the attacking host because its internal IP address is hidden. Only the NAT device's own mapping records can tie a public address and time back to the internal host, so those records must be kept if attribution is required.

NAT control

Typically, an enterprise allows some hosts in the internal network to access external networks and prohibits others. The enterprise can achieve this through the NAT control mechanism. If a source IP address is in the denied address list, the NAT device does not translate the address. In addition, the NAT device only translates private addresses to specified public addresses.

You can achieve NAT control through an access control list (ACL) and an address pool:

• Only packets matching the ACL rules are served by NAT.

• An address pool is a collection of consecutive public IP addresses for address translation. You can specify an address pool based on the number of available public IP addresses, the number of internal hosts, and network requirements. The NAT device selects an address from the address pool as the public address of an IP packet.

NAT implementation

Basic NAT

When an internal host accesses an external network, NAT uses an external or public IP address to replace the original internal IP address. As shown in Figure 236, NAT uses the IP address of the outbound interface on the NAT device. All internal hosts use the same external IP address to access external networks, and because basic NAT maps one private address to one public address, only one host can access external networks at a given time.

A NAT device can also hold multiple public IP addresses to support concurrent access requests. Whenever a new external network access request comes from the internal network, NAT chooses an available public IP address (if any) to replace the source IP address, forwards the packet, and records the mapping between the two addresses. In this way, multiple internal hosts can access external networks simultaneously.

The number of public IP addresses that a NAT device needs is usually far less than the number of internal hosts because not all internal hosts access external networks at the same time. The number of public IP addresses is related to the number of internal hosts that might access external networks simultaneously during peak hours.
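The following simulation, added here as an illustration and not taken from the H3C manual or the device's software, ties together the translation steps above, the NAT control mechanism (ACL plus address pool) and the FTP caveat from the disadvantages list. The private host 192.168.1.3 and the public address 20.1.1.1 follow the manual's scenario; the second pool address, the ACL rules, the external server address and the sample PORT command are constructed for the example. Basic NAT maps one private address to one public address, so ports are left untouched.

```python
"""Simulated basic NAT with NAT control (ACL + address pool) and an FTP PORT rewrite.

Added example, not code from the H3C manual. Addresses and packets are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
import re


@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes = b""


class BasicNat:
    def __init__(self, pool, acl):
        # pool: consecutive public addresses; acl: ordered (action, prefix) rules
        self.pool = [str(ip_address(a)) for a in pool]
        self.acl = [(action, ip_network(prefix)) for action, prefix in acl]
        self.table = {}    # private address -> public address
        self.reverse = {}  # public address -> private address

    def acl_permits(self, src):
        """First matching rule wins; a source matching no rule is not translated."""
        addr = ip_address(src)
        for action, prefix in self.acl:
            if addr in prefix:
                return action == "permit"
        return False

    def outbound(self, pkt):
        """Inside -> outside: replace the private source with a pool address.

        Returns None when NAT control denies the source or the pool is exhausted,
        meaning the packet is not translated.
        """
        if not self.acl_permits(pkt.src):
            return None
        pub = self.table.get(pkt.src)
        if pub is None:
            free = [a for a in self.pool if a not in self.reverse]
            if not free:
                return None
            pub = free[0]
            self.table[pkt.src] = pub      # record the mapping for the reply
            self.reverse[pub] = pkt.src
        return Packet(pub, pkt.dst, pkt.payload)

    def inbound(self, pkt):
        """Outside -> inside: look up the mapping and restore the private destination."""
        priv = self.reverse.get(pkt.dst)
        if priv is None:
            return None  # no mapping: the private network stays unreachable
        return Packet(pkt.src, priv, pkt.payload)

    def release(self, priv):
        """Tear down a mapping (for example on timeout) so the public address is reusable."""
        pub = self.table.pop(priv, None)
        if pub is not None:
            del self.reverse[pub]


PORT_CMD = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")


def rewrite_ftp_port(nat, pkt):
    """FTP ALG: the PORT command carries the client's private IP in the payload.

    The NAT device must read and rewrite these bytes, which is why the FTP control
    connection cannot be encrypted across NAT. Basic NAT keeps the port, so only
    the four address octets change.
    """
    m = PORT_CMD.match(pkt.payload)
    if not m:
        return pkt
    priv = ".".join(m.group(i).decode() for i in range(1, 5))
    pub = nat.table.get(priv)
    if pub is None:
        return pkt
    octets = pub.replace(".", ",").encode()
    return Packet(pkt.src, pkt.dst, b"PORT %s,%s,%s\r\n" % (octets, m.group(5), m.group(6)))


def walkthrough():
    """Reproduce the manual's scenario plus the NAT-control edge cases (constructed data)."""
    nat = BasicNat(pool=["20.1.1.1", "20.1.1.2"],
                   acl=[("deny", "192.168.1.100/32"), ("permit", "192.168.1.0/24")])
    server = "203.0.113.10"
    out = nat.outbound(Packet("192.168.1.3", server))        # first host takes 20.1.1.1
    back = nat.inbound(Packet(server, "20.1.1.1"))            # reply mapped back to 192.168.1.3
    denied = nat.outbound(Packet("192.168.1.100", server))   # deny rule: not translated
    second = nat.outbound(Packet("192.168.1.4", server))     # takes 20.1.1.2
    exhausted = nat.outbound(Packet("192.168.1.5", server))  # pool empty: not translated
    ftp = rewrite_ftp_port(nat, nat.outbound(Packet("192.168.1.3", server,
                                                    b"PORT 192,168,1,3,4,1\r\n")))
    return out, back, denied, second, exhausted, ftp
```

Run `walkthrough()` to see the third host being refused once both pool addresses are held, and `release()` to watch a freed address be handed to it; the ACL's implicit deny at the end of `acl_permits` is what keeps an unlisted source (10.0.0.1, say) from being translated at all.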
