HP VPN Firewall Appliances NAT and ALG Configuration Guide

ManualsBrandsHP ManualsComputer AccessoriesHP ProCurve Switch xl Access Controller Module

Configuring NAT

Overview

Network Address Translation (NAT) provides a way to translate an IP address in the IP packet header to

another IP address. NAT enables a large number of private users to access the Internet by using a small

number of public IP addresses. NAT effectively alleviates the depletion of IP addresses.

A private IP address is used only in an internal network, whereas a public or external IP address is used

on the Internet and is globally unique.

According to RFC 1918, three blocks of IP addresses are reserved for private networks:

• In Class A, 10.0.0.0 to 10.255.255.255.

• In Class B, 172.16.0.0 to 172.31.255.255.

• In Class C, 192.168.0.0 to 192.168.255.255.

No host with an IP address in the three ranges exists on the Internet. You can use those IP addresses in

an enterprise network freely without requesting them from an ISP or a registration center.

In addition to translating private addresses to public addresses, NAT can also perform address

translation between any two networks. In this document, the two networks refer to an internal network

and an external network. Generally, a private network is an internal network, and a public network is an

external network.

Figure 1 sh

ows the NAT operation.

Figure 1 NAT operation

1. The internal host with IP address 192.168.1.3 sends an IP packet to the external server with IP

address 1.1.1.2 through the NAT device.

2. Upon receiving the packet, the NAT device checks the IP header and finds that it is destined to the

external network. The NAT device then translates the private address 192.168.1.3 to the globally

unique public address 20.1.1.1 and forwards the packet to the server on the external network.

Meanwhile, the NAT device adds the mapping of the two addresses into its NAT table.

3. The external server responds to the internal host with an IP packet whose destination IP address is

20.1.1.1. Upon receiving the packet, the NAT device checks the IP header, looks into its NAT

table for the mapping, replaces the destination address with the private address of 192.168.1.3,

and then sends the new packet to the internal host.

192.168.1.3

Src : 192.168.1.3

Dst : 1.1.1.2

Src : 20.1.1.1

Dst : 1.1.1.2

192.168.1.1 20.1.1.1

Src : 1.1.1.2

Dst : 20.1.1.1

Src : 1.1.1.2

Dst : 192.168.1.3

1.1.1.2

Server

Host

NAT

Intranet

Internet

Before NAT

192.168.1.3

After NAT

20.1.1.1

Direction

Outbound