Documente Academic
Documente Profesional
Documente Cultură
NAT might be a solution for networks that have private address ranges or
unofficial addresses and want to communicate with hosts on the Internet. In
fact, most of the time, this can also be achieved by implementing a firewall.
Hence, clients that communicate with the Internet by using a proxy or SOCKS
server do not expose their addresses to the Internet, so their addresses do
not have to be translated anyway. However, for any reason, when proxy and
SOCKS are not available, or do not meet specific requirements, NAT might be
used to manage the traffic between the internal and external network without
advertising the internal host addresses.
As shown in Figure 279, NAT takes the IP address of an outgoing packet and
dynamically translates it to an officially assigned global address. For
incoming packets it translates the assigned address to an internal address.
IP/ICMP
Filtering
NAT
Non-secure Secure
a.b.1.0/24 10.0.0.0/8
From the point of two hosts that exchange IP packets with each other, one in
the secure network and one in the non-secure network, NAT looks like a
standard IP router that forwards IP packets between two network interfaces
(please see Figure 280).
Translate
N Pool
To be
Map
translated A
T
Exclude Exclude
NAT looks like a normal IP router to the systems which use it. In order to
make the routing tables work, the IP network design should choose
addresses as if connecting two or more IP networks or subnets through a
router. The NAT IP addresses need to come from separate networks or
subnets, and the addresses need to be unambiguous with respect to other
networks or subnets in the non-secure network. If the non-secure network is
the Internet, the NAT addresses need to come from a public network or
subnet, in other words, the NAT addresses need to be assigned by IANA.
Network administrators also need to instruct NAT whether all the secure
hosts are allowed to use NAT or not. This can be done by using
corresponding configuration commands. If hosts in the non-secure network
need to initiate connections to hosts in the secure network, NAT should be
configured in advance as to which non-secure NAT address matches which
secure IP address. Thus, a static mapping should be defined to allow
connections from non-secure networks to a specific host in the internal
network. The external name server may, for example, have an entry for a mail
gateway that runs on a computer in the secure network. The external name
server resolves the public host name of the internal mail gateway to the
statically mapped IP address (the external address), and the remote mail
server sends a connection request to this IP address. When that request
comes to NAT on the non-secure interface, NAT looks into its mapping rules
to see if it has a static mapping between the specified non-secure public IP
address and a secure IP address. If so, it translates the IP address and
forwards the IP packet into the secure network to the internal mail gateway.
21.5.1 Concepts
Two major IPsec concepts should be clarified: Security Associations and
tunneling. These concepts are described in the following sections.