NAT was developed to address a couple of concerns. First, the number of public IP addresses available on the Internet was becoming depleted. Second, because of the interconnectivity of networks, it was possible for an administrator to assign a set of IP addresses to a network that someone else might be using. This is a common situation when two companies and their respective networks are combined. NAT addresses these two concerns by providing a mechanism by which any number of IP addresses can be translated to a different range of IP addresses, or in some cases a single or smaller range of IP addresses. To address the limitation of available IP addresses NAT can be used to translate hundreds or even thousands of IP addresses to just a couple of IP addresses or even a single IP address, thereby allowing a company to provide Internet access to their hosts without needing to allocate thousands of IP addresses on the Internet to do so. To address the issue of invalid networks, or in many cases duplicate networks, NAT can be used to allow each network to appear as a completely different network. Figure 3-13 illustrates the process of NAT and Internet connectivity. Figure 3-13. Example of NAT and Internet Access
In this example, when Host A attempts to access the Internet, the firewall translates the request from having a source address of 10.1.1.100 to having a source address of 209.165.201.10 and transmits the data across the Internet. The firewall then stores this translation in its translation table so that it knows how to deal with the return traffic. When host B receives the data, it thinks it is communicating with 209.165.201.10 and addresses the return traffic accordingly. When the firewall receives the return traffic, it refers back to its translation table and determines that the traffic should be delivered to 10.1.1.100. The firewall repackages the packet, this time changing the destination IP address to be 10.1.1.100 and transmits it accordingly. In doing so, hosts A and B can communicate with each other, for all intents and purposes completely unaware that NAT is occurring. Because NAT effectively hides the actual IP addresses that are in use, many networks have elected to use it in conjunction with private IP addresses. Private IP addresses are defined in RFC 1918 and are a predefined set of IP addresses that cannot be used on the Internet and therefore are referred to as being nonroutable. Because NAT prevents Internet-connected hosts from being able to ascertain what IP address is being used behind a NAT router, organizations have elected to implement the private IP addresses so that they can pretty much do whatever they want with them without concern with how they may interact with the Internet or other networks. The RFC 1918 IP addresses are as follows:
Note RFC 3022 and RFC 2663 define NAT. NAT ImplementationsThere are four primary NAT implementations. They all accomplish the same function, the translating of traffic from one IP address to another, but they go about the translation process in different manners. They are as follows:
NAT and IPsec: The Issues and the SolutionsAlthough NAT works in most cases, not all traffic can be successfully translated (in particular, when the original data cannot be manipulated, such as the case with IPsec). The reason for this is that the NAT process actually changes the data packet while it is being translated. Because of the nature of IPsec, when the data packet is rebuilt using NAT, the receiving router detects that the data has been changed (the source IP address is no longer the correct source IP address) and discards the packet. To address this, a process known as NAT traversal (NAT-T) has been developed. NAT-T encapsulates the complete IPsec packet into either a TCP or UDP packet, which is then translated accordingly. By doing this, the traffic can be translated as required without the original IPsec data being changed. Figure 3-14 illustrates the encapsulation process and subsequent NAT. Figure 3-14. NAT-T EncapsulationNote RFC 3947 and RFC 3948 define NAT-T. |