NAT implementation, One-to-one NAT, many-to-many NAT and NAT control, Figure 1 – H3C Technologies H3C SecBlade FW Cards User Manual
Figure 1 NAT operation
• A NAT gateway lies between the private network and the public network.
• The internal host at 192.168.1.3 sends an IP packet (IP packet 1) to the external server at 10.1.1.2 through the NAT gateway.
• Upon receipt of the packet, the NAT gateway checks the IP header. Finding that the packet is destined for the external network, the NAT gateway translates the private source IP address 192.168.1.3 to the globally unique IP address 20.1.1.1 and then forwards the resulting packet to the external server. At the same time, the NAT gateway records the mapping between the two addresses in its NAT table.
• After receiving a response from the external server, the NAT gateway uses the destination IP address 20.1.1.1 of the packet to look up the mapping, replaces the destination address with the private address 192.168.1.3, and then sends the packet to the internal host.
The above NAT operation is transparent to the terminals involved. The external server believes that the IP
address of the internal PC is 20.1.1.1 and is unaware of the private address 192.168.1.3. As such, NAT
hides the private network from external networks.
Despite the advantages of allowing internal hosts to access external resources and of hiding internal addresses, NAT has the following disadvantages:
• Because NAT rewrites IP addresses in transit, the IP header cannot be protected end to end: any encryption or integrity check that covers the header breaks once the gateway changes the source or destination address. The same applies to application protocols that carry IP addresses or port numbers inside their payload and therefore also need translation. For example, FTP traffic cannot be encrypted, because the gateway then cannot rewrite the address carried in the PORT command and the command stops working.
• Network debugging and attribution become more difficult. For example, when a host in a private network attacks other networks, the target sees only the gateway's public address; the attacking host can be identified only from the gateway's own mapping records, because its internal IP address is hidden.
NAT implementation
One-to-one NAT, Many-to-many NAT and NAT control
As depicted in , when an internal host accesses an external network, NAT replaces the original internal IP address with an external (public) IP address. In , NAT uses the IP address of the outbound interface on the NAT gateway as that public address. Because only addresses are translated, not port numbers, all internal hosts share this single external IP address, and only one host can hold the mapping, and therefore access external networks, at a given time. This is called one-to-one NAT.
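The following is an added example, not code from the H3C manual or the SecBlade product, that models the NAT operation described for Figure 1 and the one-to-one NAT limitation described above. The gateway class, the address-prefix check, the `release` method and the toy header integrity tag are assumptions made for illustration: the gateway translates only IP addresses using one public address (20.1.1.1, the outbound interface address), records the mapping in its table when the first packet leaves, reverses it for the reply, refuses a second internal host while the public address is held, drops unsolicited inbound packets for which no mapping exists, and shows why an integrity check computed by the sender over its own IP header no longer verifies at the server after translation.

```python
"""Model of a one-to-one (address-only) NAT gateway with a single public address.

Added example for this page; not H3C code. Addresses follow the manual's Figure 1.
"""
from dataclasses import dataclass, replace
from typing import Dict, Optional
import hashlib


@dataclass(frozen=True)
class Packet:
    """Only the fields the NAT table cares about: source, destination, payload."""
    src: str
    dst: str
    payload: bytes = b""


class OneToOneNat:
    """Translates IP addresses only (no port translation) using one public address.

    Because nothing but the address distinguishes flows, the single public address
    can be mapped to exactly one internal host at a time.
    """

    def __init__(self, public_ip: str, internal_prefix: str) -> None:
        self.public_ip = public_ip
        self.internal_prefix = internal_prefix        # assumption: e.g. "192.168.1."
        self.table: Dict[str, str] = {}               # NAT table: public -> private

    def is_internal(self, ip: str) -> bool:
        return ip.startswith(self.internal_prefix)

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Packet leaving the private network: rewrite source, record the mapping."""
        if not self.is_internal(pkt.src) or self.is_internal(pkt.dst):
            return pkt                                # not crossing the boundary
        holder = self.table.get(self.public_ip)
        if holder is not None and holder != pkt.src:
            return None                               # public address in use: drop
        self.table[self.public_ip] = pkt.src          # record 20.1.1.1 -> 192.168.1.3
        return replace(pkt, src=self.public_ip)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Reply from outside: look up the destination, restore the private address."""
        private = self.table.get(pkt.dst)
        if private is None:
            return None                               # no mapping: nobody inside asked
        return replace(pkt, dst=private)

    def release(self, private_ip: str) -> None:
        """Assumed helper: drop the mapping when the internal host is done."""
        self.table = {pub: priv for pub, priv in self.table.items() if priv != private_ip}


def header_tag(pkt: Packet) -> str:
    """Toy end-to-end integrity tag over the addresses (stand-in for any check that
    covers the IP header). Computed by the sender, verified by the receiver."""
    return hashlib.sha256(f"{pkt.src}>{pkt.dst}".encode()).hexdigest()


def demo() -> dict:
    """Run the Figure 1 exchange and return the observable results."""
    nat = OneToOneNat(public_ip="20.1.1.1", internal_prefix="192.168.1.")
    results = {}

    # An unsolicited packet from outside before anyone inside has talked: no mapping.
    results["unsolicited_dropped"] = nat.inbound(Packet("10.1.1.2", "20.1.1.1")) is None

    # IP packet 1: 192.168.1.3 -> 10.1.1.2 (constructed sample traffic).
    pkt1 = Packet("192.168.1.3", "10.1.1.2", b"IP packet 1")
    sender_tag = header_tag(pkt1)                     # sender protects its own header
    out1 = nat.outbound(pkt1)
    results["server_sees_src"] = out1.src             # server sees 20.1.1.1 only
    results["mapping"] = dict(nat.table)
    # The tag no longer verifies at the server: the header it covered was rewritten.
    results["header_tag_verifies"] = header_tag(out1) == sender_tag

    # Reply 10.1.1.2 -> 20.1.1.1 is mapped back to the private host.
    results["reply_dst"] = nat.inbound(Packet("10.1.1.2", "20.1.1.1", b"reply")).dst

    # A second internal host is refused while 192.168.1.3 holds the public address...
    pkt2 = Packet("192.168.1.4", "10.1.1.2", b"IP packet 2")
    results["second_host_blocked"] = nat.outbound(pkt2) is None
    # ...and succeeds once the first host's mapping is released.
    nat.release("192.168.1.3")
    results["second_host_after_release"] = nat.outbound(pkt2).src
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `second_host_blocked` result is the practical meaning of "only one host is allowed to access external networks at a given time": with a single public address and no port translation, the table has room for one private host. The failing `header_tag` check is the first disadvantage listed above in miniature: anything the sender computes over the IP header is invalidated by the rewrite.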