NAT Operation

written by: Leon Tufallo; article published: year 2007, month 09;


In: Categories » Electronics and communication » Protocols » NAT Operation

NAT can be confused with a proxy server, but there are definite differences between the two. NAT is transparent to the source and destination computers, but a proxy server is not. The source computer has to be specifically configured to communicate with a proxy server, whereas the destination computer thinks that the proxy server is the source computer. Proxy servers usually operate at Layer 4 (the transport layer of the OSI Reference Model) or higher, and NAT operates at Layer 3 (the network layer). Because proxy servers are usually an add-on application, they might be slower than NAT, because NAT is accomplished in hardware.

NAT is configured on the device you use to connect to an external network, whether it is a firewall, router, or computer. Before you get too far into the operation of NAT, you need to have a basic understanding of its many forms and the several ways in which it can be used:

  • Static NAT Used to map an unregistered IP address, such as a private address, to a registered IP address, usually provided by your Internet service provider (ISP), on a one-to-one basis. Also used to map one external public address to one internal private address.

  • Dynamic NAT Used to map an unregistered IP address to a registered IP address from a group of registered IP addresses. Dynamic NAT is usually accomplished with the assistance of a pool or a range of addresses that you configure on your NAT device.

  • Overloading A form of dynamic NAT used to map multiple unregistered IP addresses to a single registered IP address by using different ports. More commonly known as Port Address Translation (PAT) or port-level multiplexed NAT.

  • Overlapping Used when the IP address of your internal network is registered for use on another network. Your NAT device must maintain some type of lookup table of these addresses so that it can intercept them and replace them with registered unique IP addresses. This means that your NAT device must be able to translate the "internal" addresses to registered unique addresses. It also must be able to translate the "external" registered addresses to addresses that are unique to the private network. You can implement this NAT method through the use of static NAT or through the use of a DNS entry and dynamic NAT.

One fact that might need to be mentioned at this point is that your internal network, or LAN, can often be referred to as a stub domain. When used in this manner, a stub domain is a LAN that uses IP addresses internally, with most of the network traffic having a local destination. Although you are allowed to have both registered and unregistered IP addresses in your stub domain, any network device that uses an unregistered IP addresses must use NAT to communicate with the outside world.

One other benefit of implementing dynamic NAT on your device is that it can automatically create a simple firewall between your internal network and outside networks or the Internet. NAT does this by allowing only connections that originate inside your stub domain. This lets you limit a computer on an external network from reaching your computer unless your computer initiated the contact. Using static NAT allows you to define where a connection initiated by an external device can connect on your computers. For instance, you might want to connect an inside global address to a specific inside local address that is assigned to your web server. Keep in mind that this simple firewall should not be considered a replacement for items such as the Cisco Secure PIX Firewall or the Cisco IOS Firewall Feature Set, because TCP packets may be forged by an unauthorized user to gain access to your "protected" devices.

legal disclaimer

1) Our website is not responsible for the information contained by this article as well for any and all copyright infringements by authors and writers. E-articles is a free information resource. If you suspect this article for any copyright infringements, please read the Terms of service and contact us to investigate the problem.
2) The E-articles directory team is not responsible for inaccuracies, falsehoods, or any other types of misinformation this tutorial may contain and will not be liable for any loss or damage suffered by a user through the user's reliance on the information gained here. Please read the Terms of service

Useful tools and features

Translate this article to...    Send this article to you or to a friend

Link to this article from your page   
If you like this article (tutorial), please link to it from your web page using the information above. Linking to this page, this is the only way to help us improve our service, the same time providing your visitors with a way to improve their online experience.

related articles

1. Standardized Protocols for Private Instant Messaging
Although momentum is building for a standardized protocol for instant messaging, interoperability among IM applications continues to be vexed by unresolved business and security issues. Recently, the Internet Engineering Task Force (IETF)-sponsored protocol that would be a key to interoperability was criticized for being insecure by IM software vendors such as AOL Time Warner Inc. and IBM’s Lotus Software. The Lotus-AOL test used a variation of Simple Implementation Protocol (SIP) known as SIP for Instant Messaging ...

2. Detecting Unauthorized 802.11 Cards and Access Points
The first goal is detection. Can we tell when someone powers on a card within range of the local network? This can be done with off-the-shelf components and free software. The Cisco Aironet driver included with the more recent Linux kernels supports "RF Monitor" mode, which permits promiscuous monitoring of 802.11 packets - specifically, monitoring raw 802.11 frames to detect if there are any telltale frames broadcast by a rogue access point or card. As outlined in the original 802.11 specification, ther...

3. The HTTP Request and Response Codes
The HTTP protocol can be likened to a conversation based on a series of questions and answers, which we refer to respectively as HTTP requests and HTTP responses. The contents of HTTP requests and responses are easy to read and understand, being near to plain English in their syntax. This section examines the structure of these requests and responses, along with a few examples of the sorts of data they may contain. The HTTP Request After opening a connection to the intended serv...

4. INFRASTRUCTURE PROTOCOLS AND APPLICATIONS
H.323 H.323 defines packet standards for terminal equipment and services for multimedia communications over local and wide area  networks  communicating  with  systems  connected  to telephony networks such as ISDN. The initial version of this standard  came from the International Telecommunications Union (ITU) in June 1996. It  defines  communication over IP-based local area networks (LANs). A later version (v2), adopted in January 1998, extended it over wide are...

5. Wireless IN Services
The IN protocols and concepts can be used to implement enhanced wireless services rapidly and to have these services available across serving areas in an untethered wireless network. Some of these services are listed below: Voice-Based User Identification. This service employs a form of automatic speech recognition to validate the identity of the speaker. Access to services can then be restricted to the user whose voice (phrase) has been used to train the recognition device. Voice-Based Featur...

6. Wireless LAN and Personal Area Network
The Wireless Internet is not just wireless communications across town or the country. It is also local—sometimes in a home or office building. Wireless LANs are just becoming popular with economically  priced  wireless  Ethernet  equipment.  Standards such as IEEE 802.11, HiperLAN2, and Home RF are leading the way to untethered communications in-building or outside over small areas. Another important development is the Personal Area Network, also known as Bluetooth. Let’s take a look at each of th...

7. The Domain Concept
The solution to all of these problems is the network domain. In a domain, you only have a single name and password, which gets you into every shared PC and printer on the network. Everyone's account information resides on a central computer called a domain controllera computer so important, it's usually locked away in a closet or a data-center room. A domain controller keeps track of who is allowed to log on, who is logged on, and what each person is allowed to do on the network. When you log onto the domain with your PC,...

8. Duplexing Techniques in Wireless communication systems
Wireless communication systems have evolved through several stages of multiple-access control. The foremost controllable resource has always been the frequency spectrum. Other resources such as time, code, and space were initially manipulated in a very precarious and, therefore, ineffective manner. The early systems operated in the simplex mode in the forward link. Halfduplex systems soon appeared, in which forward link and reverse link shared the same channel. Access control was performed on a push-to-talk basis wit...