R2511-HP MSR Router Series Layer 3 - IP Services Configuration Guide(V5)

The NAT operation is transparent to the terminals involved. The external server believes that the IP
address of the internal PC is 20.1.1.1 and is unaware of the private address 192.168.1.3. As such, NAT
hides the private network from the external networks.
Despite the advantages of allowing internal hosts to access external resources and providing privacy,
NAT also has the following disadvantages:
• Because NAT translates IP addresses, the IP headers cannot be encrypted. The same applies to
application protocol packets whose payload carries an IP address or port number that must be
translated. For example, an FTP connection cannot be encrypted, because the NAT device would then
be unable to rewrite the address carried in its PORT command and the command would not work
correctly.
• Network debugging becomes more difficult. For example, when a host in a private network attacks
other networks, it is harder to pinpoint the attacking host because its IP address has been hidden.
NAT control
Typically, an enterprise allows some hosts in the internal network to access external networks and
prohibits others. The enterprise can achieve this through the NAT control mechanism. If a source IP
address is among addresses denied, the NAT device does not translate the address. In addition, the NAT
device only translates private addresses to specified public addresses.
You can achieve NAT control through an ACL and an address pool.
• Only packets matching the ACL rules are served by NAT.
• An address pool is a collection of consecutive public IP addresses for address translation. You can
specify an address pool based on the number of available public IP addresses, the number of
internal hosts, and network requirements. The NAT device selects an address from the address pool
as the public address of an IP packet.
NAT operation
Basic NAT
As shown in Figure 52, when an internal host accesses an external network, the NAT device uses a public
IP address to replace the private source IP address. In Figure 52, NAT uses the IP address of the outgoing
interface as the public IP address. All internal hosts use the same public IP address to access external
networks and only one host can access external networks at a given time.
A NAT device can also hold multiple public IP addresses to support concurrent access requests.
Whenever a new external network access request comes from the internal network, the NAT device
chooses an available public IP address (if any) to replace the source IP address, adds the mapping to its
NAT table, and forwards the packet. In this way, multiple internal hosts can access external networks
simultaneously.
The number of public IP addresses that a NAT device needs is usually far less than the number of internal
hosts because not all internal hosts access external networks at the same time. The number of public IP
addresses is related to the number of internal hosts that might access external networks simultaneously
during peak hours.
NAPT
Network Address Port Translation (NAPT) is a variation of basic NAT. It allows multiple internal addresses
to be mapped to the same public IP address, which is called multiple-to-one NAT.
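The following added example (not part of the guide, and not the router's own code) models the three mechanisms described above: NAT control through an ACL, basic NAT drawing one public address per active host from a pool (so new hosts are refused once the pool is exhausted until an address is released), and NAPT mapping many private addresses to one public address by port. The ACL, denied host and pool addresses are constructed sample values.

```python
from ipaddress import ip_address, ip_network
# Constructed sample policy (not from the guide): the ACL permits one private
# subnet, one host in it is explicitly denied, and the pool holds two public IPs.
ACL_PERMIT_NET = ip_network("192.168.1.0/24")
ACL_DENY_HOSTS = {ip_address("192.168.1.9")}
ADDRESS_POOL = ["20.1.1.1", "20.1.1.2"]

def acl_permits(src):
    """NAT control: only packets whose source matches the ACL are served by NAT."""
    src = ip_address(src)
    return src in ACL_PERMIT_NET and src not in ACL_DENY_HOSTS

class BasicNat:
    """Basic NAT: each active internal host takes one public address from the pool."""
    def __init__(self, pool):
        self.free = [ip_address(a) for a in pool]
        self.table = {}            # private IP -> public IP

    def translate(self, src):
        """Public source address; None when the ACL denies the packet or the pool is exhausted."""
        src = ip_address(src)
        if not acl_permits(src):
            return None
        if src not in self.table:
            if not self.free:
                return None
            self.table[src] = self.free.pop(0)
        return str(self.table[src])

    def release(self, src):
        """Session ended: hand the public address back to the pool."""
        pub = self.table.pop(ip_address(src), None)
        if pub is not None:
            self.free.append(pub)

class Napt:
    """NAPT: all internal hosts share one public IP and are told apart by port."""
    def __init__(self, public_ip, first_port=1024):
        self.public_ip, self.next_port = public_ip, first_port
        self.table = {}            # (private IP, private port) -> public port

    def translate(self, src, sport):
        if not acl_permits(src):
            return None
        key = (str(ip_address(src)), sport)
        if key not in self.table:
            self.table[key] = self.next_port
            self.next_port += 1
        return (self.public_ip, self.table[key])
```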