Network address translation, Security benefits, Nat static mappings – Eicon Networks DIVA LAN ISDN User Manual

Page 78: Security benefits nat static mappings, Internet, How it works


Chapter Six: Security

Network address translation


The DIVA LAN ISDN Modem uses network address translation (NAT) to “hide” the local LAN it creates from
all external resources. The benefit of this is that all connected computers can access the Internet
using one Internet address and ISP account. For example, when communicating with the Internet, these four
computers share the dynamically assigned address 222.182.22.39.

NAT operates transparently, translating internal addresses to a single external one for all data traffic. There is
no effect on throughput.

Most applications will work with NAT. For a list of applications that have been tested by Eicon Technology, see
the release notes on the DIVA LAN ISDN Modem CD.

NAT is enabled by default, and it is recommended that you do not turn it off unless you have a specific
requirement to do so.

(For more information on IP addressing see “About IP addresses” on page 120.)

Security benefits

An additional benefit of NAT is increased network security. Like a firewall, NAT restricts access to the
computers that reside on the local LAN. By default, no computer on the internal LAN is visible to the external
network the DIVA LAN ISDN Modem is connected to. This applies to the Internet, as well as a corporate
network. Computers on the internal network cannot act as FTP or web servers, nor can they share their drives
using Windows Network Neighborhood. These security features can be weakened if you use NAT static
mappings.

NAT static mappings

For those cases where you want to create an FTP or web server, or need a computer on the internal LAN to be
visible to the external network, the DIVA LAN ISDN Modem provides a solution. You can define NAT static
mappings.

How it works

NAT static mappings allow you to designate specific computers on the internal LAN to receive certain
incoming network traffic. For example, you could designate a computer to receive all incoming HTTP traffic,
essentially allowing it to function as a web server. However, the actual IP address of this computer is still
hidden by NAT. Therefore, remote users must specify the address of the DIVA LAN ISDN Modem to gain
access to the web server.

When you create a NAT static mapping, the DIVA LAN ISDN Modem routes all traffic for the protocol you
specify to the designated computer. This includes traffic normally handled by the DIVA LAN ISDN Modem
itself. This leads to the following restrictions:

• Remote access to the configuration interfaces on the DIVA LAN ISDN Modem via the ISDN link can be
disrupted. For example, if you designate a computer to receive HTTP traffic, remote access to the web
configuration interface will be disrupted. Local access via Ethernet will still be possible, however.

• Only one computer on the internal LAN can be designated to receive the traffic for a specific protocol.
This means, for example, that you cannot create multiple web servers or FTP servers.
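
The delivery rules and the two restrictions above can be checked with a small model. This is an added example, not Eicon code or part of the original manual. The class and method names are hypothetical, a protocol is identified by its well-known port (TCP 80 for HTTP, assumed to be the port of the web configuration interface), and session tracking is simplified to the external port only.

```python
# Added illustration: toy model of the inbound delivery decision described above.
# All names and the port assignment are assumptions, not DIVA LAN firmware behaviour.
EXTERNAL_IP = "222.182.22.39"      # shared address from the manual's example
MODEM_SERVICES = {80: "web configuration interface"}  # assumed port

class NatModel:
    def __init__(self):
        self.static = {}      # external port -> internal host (static mappings)
        self.sessions = {}    # external port -> (internal host, internal port)
        self._next_port = 40000

    def add_static(self, port, host):
        # The manual allows only one internal computer per protocol.
        if port in self.static:
            raise ValueError(f"port {port} is already mapped to {self.static[port]}")
        self.static[port] = host

    def outbound(self, host, src_port):
        # Outbound traffic leaves with the shared address and opens a return path.
        ext_port = self._next_port
        self._next_port += 1
        self.sessions[ext_port] = (host, src_port)
        return EXTERNAL_IP, ext_port

    def inbound(self, dst_port, link="isdn"):
        """Decide where a packet addressed to the modem is delivered."""
        if link == "ethernet":                  # local access is not translated
            return ("modem", dst_port) if dst_port in MODEM_SERVICES else ("drop", dst_port)
        if dst_port in self.sessions:           # reply to an outbound connection
            return self.sessions[dst_port]
        if dst_port in self.static:             # static mapping wins over the modem
            return (self.static[dst_port], dst_port)
        if dst_port in MODEM_SERVICES:          # handled by the modem itself
            return ("modem", dst_port)
        return ("drop", dst_port)               # default: internal LAN is not visible

    def shadowed_services(self):
        # Modem services no longer reachable over ISDN because of a mapping.
        return sorted(MODEM_SERVICES[p] for p in self.static if p in MODEM_SERVICES)

    def exposed_hosts(self):
        # Internal computers that unsolicited external traffic can now reach.
        return sorted(set(self.static.values()))

if __name__ == "__main__":
    nat = NatModel()
    nat.add_static(80, "192.168.1.2")           # constructed sample mapping
    print(nat.inbound(80), nat.inbound(80, link="ethernet"))
    print(nat.shadowed_services(), nat.exposed_hosts())
```

Listing the exposed hosts and shadowed services after each mapping change shows exactly which part of the default NAT protection has been given up.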

[Figure: the DIVA LAN ISDN Modem (LAN interface, ISP profile, B-channel) connecting the Ethernet network to the ISP and the Internet over ISDN. Labelled addresses: 192.168.1.1 to 192.168.1.5 on the LAN side; 222.182.22.39, address dynamically assigned by ISP.]
