R3166-R3206-HP High-End Firewalls NAT and ALG Configuration Guide-6PW101

Upon receipt of the packet, the NAT gateway checks the IP header. Finding that the packet is
destined to the external network, the NAT gateway translates the private source IP address
192.168.1.3 to the globally unique IP address 20.1.1.1 and then forwards the resulting packet to the
external server. Meanwhile, the NAT gateway records the mapping between the two addresses in
its NAT table.
After receiving a response from the external server, the NAT gateway uses the destination IP address
20.1.1.1 of the packet to find the mapping, replaces the destination address with the private address
192.168.1.3, and then sends the packet to the internal host.
The above NAT operation is transparent to the terminals involved. The external server believes that the IP
address of the internal PC is 20.1.1.1 and is unaware of the private address 192.168.1.3. As such, NAT
hides the private network from external networks.
Despite the advantages of allowing internal hosts to access external resources and providing privacy,
NAT has the following disadvantages:
Because NAT rewrites IP addresses, the IP header cannot be encrypted. The same applies to the
payloads of application protocols that carry IP addresses or port numbers which must also be
translated. For example, FTP packets cannot be encrypted, because the NAT gateway could then not
rewrite the address in the PORT command and the command would fail.
Network debugging becomes more difficult. For example, when a host in a private network tries to
attack other networks, it is hard to pinpoint the attacking host because its internal IP address is
hidden.
NAT implementation
One-to-one NAT, Many-to-many NAT and NAT control
As depicted in Figure 1, when an internal host accesses an external network, NAT uses an external or
public IP address to replace the original internal IP address. In Figure 1, NAT uses the IP address of the
outbound interface on the NAT gateway. This means that all internal hosts use the same external IP
address to access external networks and only one host is allowed to access external networks at a given
time. This is called one-to-one NAT.
A NAT gateway can also hold multiple public IP addresses to support concurrent access requests.
Whenever a new external network access request comes from the internal network, NAT chooses an
available public IP address (if any) to replace the source IP address, forwards the packet, and records the
mapping between the two addresses. In this way, multiple internal hosts can access external networks
simultaneously. This is called many-to-many NAT.
NOTE:
The number of public IP addresses that a NAT gateway needs is usually far less than the number of internal
hosts because not all internal hosts will access external networks at the same time. The number of public IP
addresses is related to the number of internal hosts that might access external networks simultaneously
during peak hours.
In practice, an enterprise may need to allow some internal hosts to access external networks while
prohibiting others. This can be achieved through the NAT control mechanism: if a source IP address is
on the denied list, the NAT gateway does not translate it.
Many-to-many NAT can be implemented by using an address pool, which is a collection of consecutive
public IP addresses. The NAT gateway selects addresses from the address pool for packets. The number
of addresses in the pool is determined according to the number of available public IP addresses, the
number of internal hosts, and network requirements.
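The following Python model is an added example, not code from the HP guide or from the firewall itself. It ties together the translation sequence described for the 192.168.1.3 to 20.1.1.1 case with the one-to-one NAT, many-to-many NAT and NAT control behaviour described above: outbound packets get a public address from a pool (a pool of one address models one-to-one NAT), the mapping is recorded in a NAT table, replies are mapped back by their destination address, and denied sources are not translated. Translation is address-only, as in the text; ports are not modelled. The external server address 203.0.113.10 and the denied host 192.168.1.9 are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

# Constructed value for the example: the external server in the text has no address.
EXTERNAL_SERVER = "203.0.113.10"


@dataclass
class Packet:
    src: str
    dst: str


class NatGateway:
    """Address-level outbound NAT as described in the guide.

    pool    -- consecutive public addresses available for translation
               (one address = one-to-one NAT, several = many-to-many NAT)
    denied  -- source addresses that NAT control refuses to translate
    table   -- the NAT table: private address -> public address
    reverse -- the same mapping indexed by public address, for replies
    """

    def __init__(self, pool, private_net="192.168.1.0/24", denied=()):
        self.pool = [IPv4Address(a) for a in pool]
        self.private_net = IPv4Network(private_net)
        self.denied = {IPv4Address(a) for a in denied}
        self.table = {}
        self.reverse = {}

    def outbound(self, pkt):
        """Translate a packet leaving the private network; None means not forwarded."""
        src, dst = IPv4Address(pkt.src), IPv4Address(pkt.dst)
        if dst in self.private_net:
            return pkt                      # internal traffic is left untouched
        if src in self.denied:
            return None                     # NAT control: this host is not translated
        if src not in self.table:
            in_use = set(self.table.values())
            free = [a for a in self.pool if a not in in_use]
            if not free:
                return None                 # no public address available right now
            self.table[src] = free[0]       # record the mapping in the NAT table
            self.reverse[free[0]] = src
        return Packet(str(self.table[src]), pkt.dst)

    def inbound(self, pkt):
        """Map a reply back to the internal host using the destination address."""
        private = self.reverse.get(IPv4Address(pkt.dst))
        if private is None:
            return None                     # no mapping: nothing to deliver to
        return Packet(pkt.src, str(private))

    def release(self, private):
        """Remove a host's mapping, returning its public address to the pool."""
        public = self.table.pop(IPv4Address(private), None)
        if public is not None:
            del self.reverse[public]


def demo():
    """Run the scenarios from the text and return the observable results."""
    results = {}
    # One-to-one NAT: the pool holds only the outbound interface address.
    gw = NatGateway(pool=["20.1.1.1"], denied=["192.168.1.9"])
    out = gw.outbound(Packet("192.168.1.3", EXTERNAL_SERVER))
    results["translated_src"] = out.src                                   # 20.1.1.1
    results["reply_dst"] = gw.inbound(Packet(EXTERNAL_SERVER, "20.1.1.1")).dst
    # A second host cannot go out while the single address is in use.
    results["one_to_one_second_host"] = gw.outbound(Packet("192.168.1.4", EXTERNAL_SERVER))
    # NAT control: the denied host is never translated.
    results["denied_host"] = gw.outbound(Packet("192.168.1.9", EXTERNAL_SERVER))
    # Many-to-many NAT: a pool of consecutive public addresses.
    gw2 = NatGateway(pool=["20.1.1.1", "20.1.1.2"])
    for host in ("192.168.1.3", "192.168.1.4"):
        gw2.outbound(Packet(host, EXTERNAL_SERVER))
    results["many_to_many"] = {str(k): str(v) for k, v in gw2.table.items()}
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The model keeps the mapping by source address only, so the reply lookup is exactly the destination-address search the text describes; a real gateway also keys on ports and ages entries out, which is why the pool can be much smaller than the number of internal hosts.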