3Com Switch 8800 Family IPsec Module Configuration and Command reference Guide

82 CHAPTER 6: NAT CONFIGURATION
destination address in the header is an extranet address, the server will translate
the source address 192.168.1.3 into a valid public address on the Internet
202.169.10.1, then forward the packet to the external server and record the
mapping in the network address translation list. The external server sends the
response packet2 (The destination is 202.169.10.1) to the NAT server. After
inquiring the network address translation list, the NAT server replaces the
destination address in packet2 header with the original private address
192.168.1.3 of the internal PC.
The above mentioned NAT process is transparent for terminals such as the PC and
server in the above figure. NAT "hides" the private network of an enterprise
because the external server regards 202.169.10.1 as the IP address of the internal
PC without the awareness of the existence of 192.168.1.3.
The main benefit NAT offers is the easy access to the outside resources for the
intranet hosts while maintaining the privacy of the inner hosts.
Because the IP addresses in the packet header must be translated, the part of
the header that carries IP address information cannot be encrypted. For
example, an encrypted FTP connection cannot be used, because the NAT server
would then be unable to translate the FTP port correctly.
Network debugging becomes more difficult. For instance, when a host in the
internal network attacks other networks, it is hard to identify which computer
is malicious, because the host's real IP address is hidden behind the NAT
server.
Functions Provided by NAT
Many-to-Many Address Translation and Address Translation Control
As shown in Figure 15, the source address of an intranet host is translated by
NAT into an appropriate extranet address (in the figure, the public address of
the outbound interface on the NAT server). In this way, all the hosts in the
intranet share one extranet address when they access the external network. The
consequence is that when many hosts request access, only one host can access
the external network at a time; this is called "one-to-one address translation".
An extended form of NAT allows concurrent access: multiple public IP addresses
are assigned to the NAT server. The NAT server assigns a public address IP1 to a
requesting host, records the mapping in the address translation list and
forwards the packet, then assigns another public address IP2 to the next
requesting host, and so on. This is called "many-to-many address translation".
Note: The number of public IP addresses on the NAT server can be far smaller
than the number of hosts in the intranet, because not all hosts access the
extranet at the same time. The number of public IP addresses needed is
determined by the maximum number of intranet hosts that access the extranet
during the network's peak period.
In practice, it may be required that only some intranet hosts can access the
Internet (external network). In other words, the NAT server will not translate
source IP addresses of those unauthorized hosts, which is called address
translation control.
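The following is an added example, not code from the 3Com manual, that models the behaviour described above: a NAT server with a pool of public addresses (many-to-many translation), an address translation list that is consulted in both directions, and address translation control that refuses unauthorised hosts. The addresses 192.168.1.3 and 202.169.10.1 are taken from the text; the second pool address, the permitted prefix and the extra hosts are constructed for the demonstration.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address


@dataclass
class NatServer:
    """Simplified model of many-to-many NAT with address translation control."""
    pool: list                                   # public addresses assigned to the NAT server
    permitted: IPv4Network                       # only hosts in this prefix are translated
    table: dict = field(default_factory=dict)    # the address translation list: private -> public

    def outbound(self, src, dst):
        """Translate the source of a packet leaving the intranet.

        Returns (public_src, dst), or None when the packet is not translated:
        either the host is not authorised (translation control) or every
        public address in the pool is already in use, so the host must wait.
        """
        if ip_address(src) not in self.permitted:
            return None                           # unauthorised host: source is not translated
        if src not in self.table:
            in_use = set(self.table.values())
            free = [p for p in self.pool if p not in in_use]
            if not free:
                return None                       # pool exhausted: no public address left
            self.table[src] = free[0]             # record the mapping for the reply path
        return self.table[src], dst

    def inbound(self, src, dst):
        """Translate the destination of a response packet arriving from the extranet.

        Looks the public destination up in the translation list and restores the
        original private address; packets with no mapping are dropped (None).
        """
        for private, public in self.table.items():
            if public == dst:
                return src, private
        return None

    def release(self, src):
        """Remove a host's mapping so its public address can be reused."""
        self.table.pop(src, None)


if __name__ == "__main__":
    nat = NatServer(pool=["202.169.10.1", "202.169.10.2"],
                    permitted=IPv4Network("192.168.1.0/24"))
    print(nat.outbound("192.168.1.3", "8.8.8.8"))   # ('202.169.10.1', '8.8.8.8')
    print(nat.inbound("8.8.8.8", "202.169.10.1"))   # ('8.8.8.8', '192.168.1.3')
```

Filling the pool with more hosts than it holds reproduces the "only one host at a time" limitation of a single public address, and `release()` shows why a small pool suffices when hosts do not all access the extranet simultaneously.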