
Connection type NAT. NAT explained simply: what is it? The three types of NAT

What is NAT

Your computer can be connected to the Internet directly. In that case it is said to have an external IP address.

This usually means that the computer is connected directly to a modem (DSL, cable or regular analog).

Behind NAT means that your computer is connected not to the Internet but to a local network. It then has an internal IP address, which is itself not reachable from the Internet.

Your computer reaches the Internet through NAT, the translation of internal addresses to external ones and back. The NAT device is usually called a router.

The peculiarity of NAT is that connections initiated by your computer pass transparently through the NAT device to the Internet. Connections that other computers on the Internet would like to establish with you, however, cannot reach you unless the router has been told to forward them.

Finding the computer's IP address

Open the dialog box for running programs: click the Start button and select Run from the menu.

In Windows 2000/XP, type the command cmd /k ipconfig, click OK and look at the result:

Windows 2000 IP Configuration

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.1.10
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1

The IP Address line is your computer's address; the Default Gateway is the device your traffic leaves through (behind NAT, that is the router itself).

Are you behind NAT?

Three special IP address ranges are reserved for local networks and are not used on the Internet (RFC 1918):

  10.0.0.0 - 10.255.255.255
  172.16.0.0 - 172.31.255.255
  192.168.0.0 - 192.168.255.255

If your computer's IP address falls in one of these ranges, that is, it starts with 10., or with 192.168., or with 172.nn. (where nn is from 16 to 31), then it is a local (internal) address and you are definitely behind NAT.

If not, now check which IP address other computers on the Internet see you under, for example on whatsmyip.org ("Your IP Address is x.x.x.x" at the top of the page) or on myipaddress.com.

If your computer's IP address matches the one these sites show, then you are definitely connected to the Internet directly.

In other cases it is impossible to say for sure. The following options are possible:

  • You are behind NAT, but your network administrator has chosen non-standard internal addresses for your local network. Find them and ask why they had to do that.
  • You access the Internet through a proxy server (in that case whatsmyip.org showed you the address of that proxy). In many cases you can tell whether there is a proxy between you and the Internet using, for example, lagado.com/proxy-test.

    Connecting via a proxy is not covered in this guide.
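The check described above, as an added Python example (not part of the original guide). It encodes the decision procedure exactly and goes one step further than the page by also treating 100.64.0.0/10, the shared address space providers use for carrier-grade NAT, as "behind NAT". The sample addresses are constructed; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing in for real public addresses:

```python
import ipaddress
from typing import Optional

# Ranges the page lists as reserved for local networks (RFC 1918), plus the
# shared address space providers use for carrier-grade NAT (100.64.0.0/10,
# RFC 6598): an address from that block on your adapter also means NAT.
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),   # 172.16.x.x .. 172.31.x.x
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("100.64.0.0/10"),   # CGNAT; an addition to the page's list
]


def is_private(addr: str) -> bool:
    """True if addr falls in a range that never appears on the Internet."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_RANGES)


def classify(local_addr: str, seen_from_internet: Optional[str]) -> str:
    """The page's decision procedure.

    local_addr:         the IP Address line from ipconfig
    seen_from_internet: the address a "what is my IP" site reported,
                        or None if you have not checked
    """
    if is_private(local_addr):
        return "behind NAT"                      # step 1: private range => NAT
    if seen_from_internet is not None and \
            ipaddress.ip_address(local_addr) == ipaddress.ip_address(seen_from_internet):
        return "direct"                          # step 2: same address => direct
    return "undetermined (non-standard internal range, or a proxy)"


if __name__ == "__main__":
    # Constructed sample inputs.
    cases = [
        ("192.168.1.10", "203.0.113.7"),    # the ipconfig output above
        ("172.40.0.1",   "172.40.0.1"),     # 172.40 is NOT private; matches => direct
        ("100.70.1.9",   "203.0.113.7"),    # provider CGNAT
        ("203.0.113.7",  "198.51.100.20"),  # public address but differs => proxy?
    ]
    for local, seen in cases:
        print(f"{local:>14} seen as {seen:<14} -> {classify(local, seen)}")
```

The 172.x.x.x case is the one people get wrong by hand: only 172.16 through 172.31 are private, and the `ipaddress` module handles that boundary for you.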

Connection options via NAT

If you are behind NAT, the next step is to determine where exactly the NAT device is located.

NAT at the provider

In this case it is said that

  • the provider gives you Internet access via NAT,
  • or that the provider does not give you an external IP address,
  • or that you are connected through the provider's local network.

The easiest way to find out is to call your provider. Or ask knowledgeable neighbours with the same kind of connection.

When you connect to the Internet through the provider's local network, you cannot open a port that is reachable from the Internet yourself. Unless, of course, your provider forwards a specific port just for you, which is unlikely. Or unless you pay extra for a service usually called an "external" ("white") IP address.

NAT in an office or apartment building

In principle the situation is the same, but you can try to get to the local admin. Ultimately, whether a port can be made reachable depends on whether you have access to the router settings.

In addition, you can try UPnP, in case your router has left it enabled. Bear in mind that UPnP lets any program on the local network open ports on the router without any authentication, which is exactly why careful administrators turn it off.

NAT is your own

In this case you can almost always configure it and get a reachable port.

Usually this is either a connection through a home router or a connection through another computer, for example using ICS (the second option is not considered here).

Of course, it also happens that you have NAT both at home and at your provider, that is, your computer is behind two NATs at once. You can check this by going into the router settings, looking at its external (WAN) address and then repeating the scenario above for it: does that address belong to the local ranges, and does it match the address under which you are seen on the Internet?

Good day, dear readers! Well, let's talk about NAT.

Today we will discuss in more detail a somewhat painful and rather confusing topic, though more confusing than painful.

Mostly this problem concerns those who play multiplayer games, and in short it sounds like this: "WHY DOES NOBODY JOIN ME?" For others it looks a little different, namely:

  • Why doesn't the torrent download?
  • Why can't users/friends/acquaintances/complete strangers connect to the FTP, web, VoIP (TS, Mumble and the like) and other servers that you spent so long setting up and even checked were working for you?
  • Why is your personal home server empty? Could this be a universal conspiracy?

But there is no conspiracy; the culprit of all these troubles is right next to you, slyly winking at you with its LEDs, and its name is... the router, yes, the very one that distributes the Internet to all your (and maybe your neighbours') devices.

In short, Internet users cannot connect to you because your router does not let them through, and it does that not on a whim but because it does not know that these people want to reach you. As far as it can tell, they want something from the router itself: the only address they can see is its external one, and no translation exists for their unsolicited packets.

Yes, I have just described why NAT is needed. Now about what it is.

General definition

NAT (Network Address Translation) is the mechanism by which the router rewrites the addresses (and ports) in packets passing between the local network and the Internet; it is also what lets you tell the router which services behind it should be reachable from the Internet, so that users out there can use them (I did not take the definition from the wiki, because it is abstruse and not everyone understands it).

NAT is present in one form or another in every router and server operating system. In home routers the inbound part is usually called port forwarding; on Linux it is done with iptables or nftables (the MASQUERADE, SNAT and DNAT targets); on Windows Server it is part of Routing and Remote Access (RRAS). Now let's talk about the different types of NAT.

Type one, Static NAT

Static NAT is not needed at home; it is needed when your provider has allocated several IP addresses (external, "white" addresses) to your company and you need some servers to be always visible from the Internet at addresses that do not change.

That is, a 1:1 address translation takes place (one external IP is assigned to one internal server). With this setup your servers are reachable from the Internet on any port, so each of them needs its own firewall rules.

The per-port forwarding that home routers do instead (one external port mapped to one internal host and port) has the opposite trade-off:

  • The advantage of this method is that you open access from the Internet only for a specific program on a specific computer/server; all other ports of that computer/server stay closed.
  • The disadvantage is that you need to open every port manually (sometimes programs do this for you using UPnP, but that does not always happen).

Afterword

It turned out a little chaotic, and the topic is quite complicated, but I hope now the word NAT won’t make you shiver :)

As always, if you have any questions, thoughts, additions, etc., please feel free to comment on this post.

PS: For the existence of the article, special thanks to a friend of the project and a member of our team under the nickname “barn4k“

These are completely different technologies. Don't confuse them.

What is NAT

NAT is a collective term that refers to the technology of translating network addresses and/or protocols. NAT devices perform transformations on passing packets, replacing addresses, ports, protocols, etc.

There are narrower concepts of SNAT, DNAT, masquerading, PAT, NAT-PT, etc.

why is NAT needed, how is it used

To connect the internal network to the Internet

  • through a pool of external addresses
  • via one external address

To replace an external IP address with another (traffic redirection)

To balance the load between identical servers with different IP addresses.

To combine two local networks with intersecting internal addressing.

how NAT works

source+destination NAT (merging branch networks with overlapping addressing this way is evil!)

port mapping, port forwarding

Advantages and disadvantages

Incompatible with some protocols, namely those that carry addresses or ports inside their payload (FTP, SIP and others). A particular NAT implementation must support inspection (an ALG) for the protocol in question.

NAT has the property of "screening" the internal network from the outside world, but it cannot be used instead of a firewall.

Setup on Cisco IOS

Cisco routers and firewalls support different types of NAT depending on the software feature set. The most common method binds internal local addresses to different ports of a single external address (PAT in Cisco terminology).

To configure NAT on a router you need to:

  • Define the traffic to be translated (with access lists or route maps):

ip access-list extended LOCAL
 permit ip 10.0.0.0 0.255.255.255 any
!
route-map INT1 permit 10
 match ip address LOCAL
 match interface FastEthernet0/1.1

The LOCAL access list selects all traffic from network 10.0.0.0/8. Route map INT1 selects LOCAL traffic leaving through subinterface Fa0/1.1.

  • Choose the external addresses to translate to. Define a pool of external addresses; for PAT a single address is enough:

ip nat pool GLOBAL 212.192.64.74 212.192.64.74 netmask 255.255.255.0

This defines a pool named GLOBAL containing only one address.

  • Enable NAT for the selected internal and external addresses:

ip nat inside source route-map INT1 pool GLOBAL overload

This enables source-address translation on the inside interface. Only traffic matching the INT1 route map is translated; the external address is taken from the GLOBAL pool, and overload lets many internal hosts share that one address by port (PAT).

ip nat inside source static tcp 10.0.0.1 23 212.192.64.74 23 extendable

This is static "port forwarding" (service publishing): in traffic arriving from outside to 212.192.64.74 on TCP port 23, the destination is rewritten to 10.0.0.1 port 23. (Telnet is used here only to illustrate the syntax; an unencrypted management protocol should not be published to the Internet this way.)

  • Assign the inside and outside interfaces:

interface FastEthernet0/0
 ip nat inside
!
interface FastEthernet0/1.1
 ip nat outside

Fa0/0 is the inside interface for NAT; subinterface Fa0/1.1 is the outside interface.

  • Debugging and diagnostics:

show ip nat translations - view the table of current translations
clear ip nat translation * - delete all current dynamic translations
debug ip nat - enable debug messages (undebug all - disable debugging); on a loaded router prefer the show command, since per-packet debug output can overwhelm the box

Examples

Here are some demo examples for the Cisco Packet Tracer emulator.

A simple scheme for connecting a small network to the Internet through a pool of external addresses

A simple scheme for connecting a network to the Internet through one external address

Scheme of combining networks with intersecting addressing

How NAT works

The order in which NAT is applied relative to other features varies between vendors and devices. Here is the order of operations for routers running Cisco IOS:

Inside-to-Outside

  • If IPsec, check input access list
  • Decryption (for CET, Cisco Encryption Technology, or IPsec)
  • Check input access list
  • Check input rate limits
  • Input accounting
  • Redirect to web cache
  • Policy routing
  • Routing
  • NAT inside to outside (local to global translation)
  • Crypto (check map and mark for encryption)
  • Check output access list
  • Inspect (Context-Based Access Control, CBAC)
  • TCP intercept
  • Encryption
  • Queueing

Outside-to-Inside

  • If IPsec, check input access list
  • Decryption (for CET or IPsec)
  • Check input access list
  • Check input rate limits
  • Input accounting
  • Redirect to web cache
  • NAT outside to inside (global to local translation)
  • Policy routing
  • Routing
  • Crypto (check map and mark for encryption)
  • Check output access list
  • Inspect (CBAC)
  • TCP intercept
  • Encryption
  • Queueing

The practical consequence for access lists: an inbound ACL on the outside interface is evaluated before NAT, so it must match the public (global) addresses; an outbound ACL on the outside interface runs after translation and also sees global addresses, while ACLs on the inside interface always see the private (local) ones.

Internet channel from one provider via NAT

A simple scheme for implementing NAT with one provider

Reserving an Internet channel from two providers using NAT, ip sla

Given: we get Internet access for several computers from ISP1, which has given us the address 212.192.88.150. Internet access is provided from this IP address via NAT.

Task: connect a backup provider, ISP2, which will give us the address 212.192.90.150. Organize traffic balancing: send web traffic through ISP1 and everything else through ISP2. If one of the providers fails, let all traffic go through the live channel.

What is the difficulty of the task?

1. When the active provider changes, the translations already in the NAT table were created for the old outside interface and keep being used, so existing sessions hang until they time out. After a failover they have to be flushed with clear ip nat translation *.

Such a piece of EEM has been found and tested. The event is not generated on all versions of IOS. We need to clarify.

event manager applet NAT-TRACK
 event syslog pattern "TRACKING-5-STATE"
 action 0.1 cli command "enable"
 action 0.2 wait 3
 action 0.3 cli command "clear ip nat translation *"
 action 0.4 syslog msg "NAT translation cleared after track state change"

2. If the failure is on the provider's side beyond our interface, there is a high chance that its gateway address will still answer pings via the second provider (the probe simply follows the other default route), so the track stays Up even though the channel is dead. The probes must therefore be pinned to the provider's own interface (source-interface in the ip sla monitor below), and it is worth checking with traceroute that they really leave through it.

Scheme

Config

! Local user for logging in to the router
username NAME password 0 PASSWORD
enable secret 0 CONFIG_PASSWORD
!
! Control of login to the router
line vty 0 4
 login local
!
! DHCP
ip dhcp pool LAN
 network INTERNAL_NETWORK MASK
 default-router GATEWAY
 dns-server 10.11.12.13
! DNS - a fictitious address we made up, NOT from our local network!
!
! Ping monitor to provider 1's gateway address
! Wait 100 ms for a response, ping once per second
ip sla monitor 1
 type echo protocol ipIcmpEcho GatewayProv1 source-interface InterfaceOnProv1
 timeout 100
 frequency 1
!
! Ping monitor for provider 2
ip sla monitor 2
 type echo protocol ipIcmpEcho GatewayProv2 source-interface InterfaceOnProv2
 timeout 50
 frequency 1
!
! Launch pings 1 and 2, now and forever
ip sla monitor schedule 1 life forever start-time now
ip sla monitor schedule 2 life forever start-time now
!
! Tracks 10 and 20 follow the state of the pings and
! react to Down or Up with a delay of 1 second
track 10 rtr 1 reachability
 delay down 1 up 1
!
track 20 rtr 2 reachability
 delay down 1 up 1
!
! Routes to all external networks via both providers.
! The routes are tied to the tracks and are active only while the track
! is Up, i.e. while the corresponding provider's gateway is reachable
ip route 0.0.0.0 0.0.0.0 GatewayProv1 track 10
ip route 0.0.0.0 0.0.0.0 GatewayProv2 track 20
!
interface FastEthernet0/0
 no shutdown
!
! Sub-interfaces towards the external providers, marked as outside for NAT
interface FastEthernet0/0.1
 description ISP1
 encapsulation dot1Q NumberVlanProv1
 ip address ipOnProv1 MASK
 ip nat outside
!
interface FastEthernet0/0.2
 description ISP2
 encapsulation dot1Q NumberVlanProv2
 ip address ipOnProv2 MASK
 ip nat outside
!
! Interface to the internal network, marked as inside for NAT;
! the PBR routing policy is bound here
interface FastEthernet0/1
 ip address ipOnInternalNet MASK
 ip nat inside
 ip policy route-map PBR
 no shutdown
!
! Access lists from the internal network outwards:
! for web traffic and for everything else
ip access-list extended LOCAL
 permit ip INTERNAL_NETWORK WILDCARD any
!
ip access-list extended WEB
 permit tcp INTERNAL_NETWORK WILDCARD any eq www
 permit tcp INTERNAL_NETWORK WILDCARD any eq 443
!
ip access-list extended ALL
 permit ip any any
!
! Tricky PBR route map: if the traffic from the LAN is web traffic,
! give it the first provider as its gateway; everything else from the LAN
! gets the second provider. A next hop is used only while its track is Up
route-map PBR permit 10
 match ip address WEB
 set ip next-hop verify-availability GatewayProv1 1 track 10
!
route-map PBR permit 20
 match ip address ALL
 set ip next-hop verify-availability GatewayProv2 1 track 20
!
! Tricky ISP1 route map: matches LAN traffic trying to exit via Fa0/0.1
route-map ISP1 permit 10
 match ip address LOCAL
 match interface FastEthernet0/0.1
!
! Tricky ISP2 route map: matches LAN traffic trying to exit via Fa0/0.2
route-map ISP2 permit 10
 match ip address LOCAL
 match interface FastEthernet0/0.2
!
! Finally, NAT ;-)
! LAN traffic leaving via the first provider is translated to the first interface's address
ip nat inside source route-map ISP1 interface FastEthernet0/0.1 overload
!
! LAN traffic leaving via the second provider is translated to the second interface's address
ip nat inside source route-map ISP2 interface FastEthernet0/0.2 overload
!
! Redirect traffic sent to the fictitious DNS address to Google DNS
ip nat outside source static 8.8.8.8 10.11.12.13 no-alias
!
! Forward internal port 3389 to external port 1111
ip nat inside source static tcp internalHost 3389 externalIP 1111 extendable
!

Two remarks on the security of this config. username NAME password 0 PASSWORD stores the password in clear text in the running configuration; use username NAME secret PASSWORD instead, so that only a hash is stored, and restrict who may reach the vty lines with an access-class. The last static mapping publishes RDP (3389) of an internal host to the whole Internet; a non-standard external port hides nothing from a port scanner, so limit the allowed source addresses with an inbound ACL on the outside interfaces or put RDP behind a VPN.

Miscellaneous

CGN (carrier-grade NAT) with a special pool of private addresses (the shared address space 100.64.0.0/10)

NAT as ALG (application layer gateway), (plain text protocols e.g. SIP)

NAT is performed by an Internet router, access server or firewall. The most popular kind is Source NAT (SNAT); the essence of the mechanism is to replace the source address when a packet passes in one direction and, correspondingly, the destination address in the response packet. Along with the source/destination addresses, the source and destination port numbers can be replaced too.

Besides SNAT, i.e. giving local-network users with internal addresses access to the Internet, Destination NAT is also often used: requests from outside are translated by the firewall to a server on the local network that has an internal address and is therefore not directly reachable from the external network (without NAT).

The figures below show an example of the operation of the NAT mechanism.


Fig. 7.1.

A user on a corporate network sends a request to the Internet, which arrives at the internal interface of the router, access server, or firewall (NAT device).

The NAT device receives the packet and makes an entry in the connection tracking table, which controls address translation.

It then replaces the source address of the packet with its own external public IP address and sends the packet to its destination on the Internet.

The destination host receives the packet and sends a response back to the NAT device.

The NAT device, in turn, upon receiving this packet, looks up the source of the original packet in the connection tracking table, replaces the destination IP address with the corresponding private IP address, and forwards the packet to the source computer. Because the NAT device sends packets on behalf of all internal computers, it changes the source network port and this information is stored in the connection tracking table.

There are 3 basic concepts for address translation:

  • static (SAT, Static Network Address Translation),
  • dynamic (DAT, Dynamic Address Translation),
  • masquerade (NAPT, NAT Overload, PAT).

Static NAT maps local IP addresses to specific public addresses on a one-to-one basis. Used when the local host must be accessible from outside using fixed addresses.

Dynamic NAT maps a set of private addresses to a set of public IP addresses. If the number of local hosts does not exceed the number of public addresses available, each local address will be guaranteed to correspond to a public address. Otherwise, the number of hosts that can simultaneously access external networks will be limited by the number of public addresses.

Masquerade NAT(NAPT, NAT Overload, PAT, masquerading) is a form of dynamic NAT that maps multiple private addresses to a single public IP address using different ports. Also known as PAT (Port Address Translation).

There can be several mechanisms of interaction between the internal local network and the external public network; which one applies depends on the specific task of giving access outwards and back, and is set by certain rules. Four types of NAT behaviour are defined (in the terminology of RFC 3489, the original STUN specification):

  • Full Cone
  • Restricted Cone
  • Port Restricted Cone
  • Symmetric

In the first three types of NAT the same external port is used for traffic from one internal address:port to any number of addresses on the external network; what differs is which incoming packets the NAT lets through to it. The fourth type, symmetric, uses a separate external port for each destination address and port.

With Full Cone, the external port of the device (router, access server, firewall) is open to requests from any address. If a user on the Internet wants to send a packet to a client behind the NAT, they only need to know the external port through which the connection is established. For example, a computer behind NAT with the IP address 192.168.0.4 sends and receives packets on port 8000, which is mapped to the external IP address and port 10.1.1.1:12345. Packets from the external network arriving at the device at 10.1.1.1:12345 are forwarded to the client computer 192.168.0.4:8000.

For incoming packets only the transport protocol and the destination address:port (the existing mapping) are checked; the source address and port do not matter. This is the easiest type to traverse and also the most exposed: anyone who learns the external port can reach the internal host.

With NAT of the Restricted Cone type, the external port of the device is open to any packet sent by the client computer, in our example 192.168.0.4:8000. A packet coming from the external network (for example from the computer 172.16.0.5:4000) to the device address:port 10.1.1.1:12345 is forwarded to 192.168.0.4:8000 only if 192.168.0.4:8000 previously sent a request to the IP address of that external host (in our case 172.16.0.5). That is, the router lets in incoming packets only from a source address that has already been contacted (172.16.0.5), but the source port number can be anything. Otherwise NAT blocks packets from hosts to which 192.168.0.4:8000 did not send a request.

The Port Restricted Cone mechanism is almost the same as Restricted Cone, but stricter: the router checks both the source address and the source port of an incoming packet, and forwards it to 192.168.0.4:8000 only if the client previously sent a packet to exactly that address:port. In our example, packets from 172.16.0.5:4000 are let in, but packets from 172.16.0.5:4001 are blocked. If the client sent requests to several external addresses and ports, each of them can send packets back to the client via 10.1.1.1:12345.

Symmetric NAT differs significantly from the first three mechanisms in how it maps the internal IP address:port to an external address:port. The mapping depends on the IP address:port of the computer the request is sent to. For example, if the client computer 192.168.0.4:8000 sends a request to computer #1 (172.16.0.5:4000), it may appear as 10.1.1.1:12345, while a request from the same port (192.168.0.4:8000) to a different IP address is mapped differently (10.1.1.1:12346). Incoming packets are accepted only from the exact address:port each mapping was created for. Because an outside peer cannot learn from a third party (such as a STUN server) which port the NAT will use towards it, peer-to-peer hole punching generally fails through symmetric NAT.
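The behaviour of the four types, and of the translation table itself (described under Fig. 7.1 above), as an added Python example that is not part of the page's sources. It uses only the page's addresses (192.168.0.4:8000 behind 10.1.1.1, peer 172.16.0.5:4000); the second peer 172.16.0.6:5000 and the probing addresses are constructed, and the class is a simplified model (UDP-style datagrams, no timeouts):

```python
from dataclasses import dataclass
from itertools import count
from typing import Dict, Optional, Set


@dataclass(frozen=True)
class Endpoint:
    ip: str
    port: int


class ConeNat:
    """Toy NAPT device modelling the four mapping/filtering behaviours.

    cone: "full", "restricted", "port_restricted" or "symmetric".
    """

    def __init__(self, external_ip: str, cone: str, first_port: int = 12345):
        if cone not in ("full", "restricted", "port_restricted", "symmetric"):
            raise ValueError(cone)
        self.external_ip = external_ip
        self.cone = cone
        self._ports = count(first_port)            # next free external port
        self.mappings: Dict[object, int] = {}      # mapping key -> external port
        self.reverse: Dict[int, Endpoint] = {}     # external port -> internal endpoint
        self.peers: Dict[int, Set[Endpoint]] = {}  # external port -> destinations contacted

    def _key(self, src: Endpoint, dst: Endpoint) -> object:
        # Symmetric: a new external port per destination address:port.
        # Cone types: one external port per internal address:port, reused for every destination.
        return (src, dst) if self.cone == "symmetric" else src

    def outbound(self, src: Endpoint, dst: Endpoint) -> Endpoint:
        """Internal host src sends to dst; returns the external address:port used."""
        key = self._key(src, dst)
        if key not in self.mappings:
            port = next(self._ports)
            self.mappings[key] = port
            self.reverse[port] = src
            self.peers[port] = set()
        port = self.mappings[key]
        self.peers[port].add(dst)
        return Endpoint(self.external_ip, port)

    def inbound(self, src: Endpoint, dst: Endpoint) -> Optional[Endpoint]:
        """A packet from src arrives at dst (our external side).

        Returns the internal endpoint it is delivered to, or None if the NAT drops it.
        """
        if dst.ip != self.external_ip or dst.port not in self.reverse:
            return None                            # no translation at all: unsolicited, dropped
        contacted = self.peers[dst.port]
        if self.cone == "full":
            allowed = True                         # anyone who knows the external port
        elif self.cone == "restricted":
            allowed = any(p.ip == src.ip for p in contacted)   # address must match, port ignored
        else:                                      # port_restricted and symmetric
            allowed = src in contacted             # address AND port must match
        return self.reverse[dst.port] if allowed else None


def demo(cone: str) -> Dict[str, bool]:
    """Replay the page's example through one NAT type and report what gets in."""
    nat = ConeNat("10.1.1.1", cone)
    client = Endpoint("192.168.0.4", 8000)
    peer1 = Endpoint("172.16.0.5", 4000)
    peer2 = Endpoint("172.16.0.6", 5000)           # constructed second destination
    ext1 = nat.outbound(client, peer1)
    ext2 = nat.outbound(client, peer2)
    return {
        "same_external_port_for_both_peers": ext1 == ext2,
        "accepts_known_peer": nat.inbound(peer1, ext1) == client,
        "accepts_known_ip_other_port": nat.inbound(Endpoint("172.16.0.5", 4001), ext1) == client,
        "accepts_stranger": nat.inbound(Endpoint("198.51.100.9", 7000), ext1) == client,
    }


if __name__ == "__main__":
    for kind in ("full", "restricted", "port_restricted", "symmetric"):
        print(kind, demo(kind))
```

Reading the output row by row reproduces the text: full cone accepts everything addressed to the mapping, restricted cone checks only the peer's address, port-restricted cone checks address and port, and symmetric NAT additionally hands out a different external port per destination, which is what defeats third-party port discovery.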

  • It lets you prevent or limit access from outside to internal hosts while leaving access from the internal network to the external one. When a connection is initiated from inside, a translation is created; response packets arriving from outside match that translation and are let through. Packets from the external network for which no translation exists (one is created either when a connection is initiated or statically) are not let through.
  • It lets you publish selected services of internal hosts/servers while hiding the rest. Essentially the same translation is performed for a specific port, and the internal port of a well-known service can be replaced (for example, TCP port 80 of an HTTP server can be published on external port 54055). From outside, after translation, knowledgeable visitors can reach the site (or forum) at http://dlink.ru:54055, while on the internal server behind the NAT it keeps running on the usual port 80.
  • The disadvantages of this technology are also worth mentioning:

    1. Not all protocols can "traverse" NAT. Some fail if there is address translation on the path between the communicating hosts. Some address-translating firewalls correct this by replacing IP addresses not only in the IP headers but also at higher layers (for example, in FTP protocol commands).
    2. Because of many-to-one translation, identifying users becomes harder and complete translation logs have to be kept (who used which external address:port, and when).
    3. Apparent DoS by the NAT host. If NAT connects many users to the same service, it can look like a DoS attack on that service (many successful and failed connections from one address). For example, an excessive number of ICQ users behind one NAT caused connection problems for some of them because the server's per-address connection rate limit was exceeded.

    IP addresses are a scarce resource. The provider may have a /16 address (formerly class B), which makes it possible to connect 65,534 hosts. If there are more clients, problems begin to arise. Hosts that connect to the Internet from time to time via a regular telephone line can be allocated IP addresses dynamically, only for the duration of the connection. Then one /16 address will serve up to 65,534 active users, and this may be enough for an ISP with several hundred thousand clients. When the communication session ends, the IP address is assigned to a new connection. This strategy may solve the problems of providers who do not have a very large number of private clients connecting via telephone line, but it will not help providers whose majority of their clientele are organizations.

    The fact is that corporate clients prefer to have a constant connection to the Internet, at least during the working day. Both small offices, for example travel agencies, consisting of three employees, and large corporations have local networks consisting of a certain number of computers. Some computers are employee workstations, some serve as web servers. In general, there is a LAN router connected to the ISP via a dedicated line to provide a permanent connection. This solution means that each computer is associated with one IP address all day long. In fact, even all the computers that corporate clients have taken together cannot cover the IP addresses available to the provider. For an address of length /16, this limit is, as we have already noted, 65,534. However, if the Internet service provider has a number of corporate clients in the tens of thousands, then this limit will be reached very quickly.

    The problem is further aggravated by the fact that an increasing number of private users want to have an ADSL or cable connection to the Internet. The features of these methods are as follows:

    a) users receive a permanent IP address;

    b) there is no time-based payment (only a monthly subscription fee is charged).

    Users of this type of service have a permanent connection to the Internet. Development in this direction leads to an increase in the shortage of IP addresses. Assigning IP addresses on the fly, as is done with a telephone connection, is useless, because the number of active addresses at any given time can be many times greater than the provider has.

    Often the situation is further complicated by the fact that many ADSL and cable Internet users have two or more computers at home (for example, one for each family member) and want all machines to have Internet access. What to do - after all, there is only one IP address issued by the provider! The solution is this: you need to install a router and connect all computers into a local network. From the provider's point of view, in this case the family will act as an analogue of a small company with several computers. Welcome to the Pupkin Corporation!

    The problem of the shortage of IP addresses is by no means theoretical and does not at all relate to the distant future. It is already relevant, and we have to fight it here and now. The long-term project involves a total transfer of the entire Internet to the IPv6 protocol with 128-bit addressing. This transition is indeed happening gradually, but the process is so slow that it drags on for years. Seeing this, many realized that it was urgent to find some solution, at least for the near future. Such a solution was found in the form of a network address translation method, NAT (Network Address Translation), described in RFC 3022. The essence of this will be discussed later, and more detailed information can be found in (Butcher, 2001).

    The basic idea of ​​network address translation is to assign each firm one IP address (or at least a small number of addresses) for Internet traffic. Within the company, each computer receives a unique IP address, which is used to route internal traffic. However, as soon as the packet leaves the company building and is sent to the provider, address translation is performed. To implement this scheme, three ranges of so-called private IP addresses were created. They can be used within the company at its discretion. The only restriction is that packets with such addresses must under no circumstances appear on the Internet itself. These three reserved ranges are:

    10.0.0.0 - 10.255.255.255/8 (16,777,216 hosts)

    172.16.0.0 - 172.31.255.255/12 (1,048,576 hosts)

    192.168.0.0 -192.168.255.255/16 (65,536 hosts)

    The operation of the network address translation method is shown in the following diagram. Within the company's territory, each machine has its own unique address of the form 10.x.y.z. However, when a packet leaves the company's premises, it passes through a NAT block that translates the internal source IP address (10.0.0.1 in the figure) into the real IP address the company received from the ISP (198.60.42.12 for our example) . A NAT block is usually a single device with a firewall that provides security by strictly monitoring a company's incoming and outgoing traffic. The NAT block can be integrated with the company's router.

    We have so far avoided one small detail: when a response to a request arrives (for example, from a web server), it is addressed to 198.60.42.12. How does the NAT block know which internal address to replace the company's public address with? This is the main problem with using network address translation. If there was a free field in the IP packet header, it could be used to remember the address of who sent the request. But there is only one bit left unused in the header. In principle, it would be possible to create such a field for the true source address, but this would require changing the IP code on all machines across the Internet. This is not the best solution, especially if we want to find a quick solution to the problem of running out of IP addresses.

    This is what actually happened. The designers of NAT noticed that most of the payload of IP packets is either TCP or UDP. Both formats have headers containing source and destination port numbers. Port numbers are 16-bit integers that indicate where the TCP connection begins and ends. The location where the port numbers are stored is used as a field required for NAT to work.

    When a process wants to establish a TCP connection with a remote process, it contacts a free TCP port on its own computer. This port becomes the source port, which tells the TCP code where to forward packets for that connection. The process also determines the destination port. The destination port tells who to give the packet to on the remote side. Ports 0 to 1023 are reserved for well-known services. For example, port 80 is used by web servers, so remote clients can target them. Each outgoing TCP message contains information about the source port and destination port. Together they serve to identify the processes on both ends using the connection.

    Let's make an analogy that will somewhat clarify the principle of using ports. Let's say a company has one general telephone number. When people dial it, they hear an operator's voice asking who exactly they would like to connect to, and the operator connects them to the appropriate telephone extension. The main telephone number is analogous to a company's IP address, and the extensions on both ends are analogous to ports. Port addressing uses a 16-bit field that identifies the process receiving the incoming packet.

    Using the Source Port field we can solve the problem of mapping addresses. When an outgoing packet arrives at a NAT block, the source address of the form 192.168.c.d is replaced with the real IP address. In addition, the TCP Source Port field is replaced by the index of an entry in the NAT block's translation table, which contains 65,536 entries. Each entry holds the original source IP address and source port number. Finally, the TCP and IP header checksums are recalculated and inserted into the packet. It is necessary to replace the Source Port field because machines with local addresses 10.0.0.1 and 10.0.0.2 may by chance want to use the same port (5000, for example). So the Source Port field alone is not enough to uniquely identify the sending process.

    When a packet arrives at the NAT block from the ISP, the value of the Source Port field of the TCP header is retrieved. It is used as an index into the NAT block's mapping table. Based on the entry found in this table, the internal IP address and the real TCP source port are determined. These two values are inserted into the packet. The TCP and IP checksums are then recalculated. The packet is sent to the company's main router for normal delivery with an address like 192.168.y.z.
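    The outbound and inbound translation steps described above, as an added simulation that is not part of the original text. It uses the page's public address 198.60.42.12 and its 4096 reserved ports; the Packet class, the sequential hand-out of table indices, and the server address 203.0.113.5 are constructed assumptions. A reply from the Internet is matched by its destination port, which carries the index the NAT wrote into the outgoing Source Port field.

```python
from dataclasses import dataclass, field

PUBLIC_IP = "198.60.42.12"   # the company's real address used on the page
FIRST_FREE_PORT = 4096       # the page reserves the first 4096 ports
LAST_PORT = 65535            # Source Port is a 16-bit field

@dataclass(frozen=True)
class Packet:                # hypothetical minimal packet: only the fields NAT rewrites
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

@dataclass
class NatBlock:
    public_ip: str = PUBLIC_IP
    table: dict = field(default_factory=dict)    # index (public port) -> (inner ip, inner port)
    reverse: dict = field(default_factory=dict)  # (inner ip, inner port) -> index
    next_port: int = FIRST_FREE_PORT             # assumption: indices are handed out sequentially

    def outbound(self, pkt: Packet) -> Packet:
        """Outgoing packet: replace source IP and port with the public IP and a table index."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.reverse:
            if self.next_port > LAST_PORT:
                raise RuntimeError("translation table full (61,440 usable entries)")
            self.table[self.next_port] = key
            self.reverse[key] = self.next_port
            self.next_port += 1
        # TCP and IP checksums would be recomputed here for the rewritten packet
        return Packet(self.public_ip, self.reverse[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet):
        """Reply from the Internet: its destination port is the index the NAT assigned."""
        entry = self.table.get(pkt.dst_port)
        if entry is None:
            return None   # no table entry (unsolicited, or state lost): packet is dropped
        return Packet(pkt.src_ip, pkt.src_port, *entry)

def demo():
    """Two inside hosts both use source port 5000 toward a constructed web server."""
    nat = NatBlock()
    server = "203.0.113.5"   # constructed documentation address, not a real host
    a = nat.outbound(Packet("10.0.0.1", 5000, server, 80))
    b = nat.outbound(Packet("10.0.0.2", 5000, server, 80))
    reply_b = nat.inbound(Packet(server, 80, PUBLIC_IP, b.src_port))
    unsolicited = nat.inbound(Packet(server, 80, PUBLIC_IP, 40000))
    after_reboot = NatBlock().inbound(Packet(server, 80, PUBLIC_IP, b.src_port))
    return a, b, reply_b, unsolicited, after_reboot
```

    The last two results show the two failure modes the text goes on to discuss: a packet with no matching entry is dropped, and a NAT block that restarts with an empty table drops replies for every connection that was in progress.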

    In the case of ADSL or cable Internet, network address translation can be used to ease the address shortage. The addresses assigned to users are of the form 10.x.y.z. As soon as a packet leaves the provider's network for the Internet, it passes through a NAT block, which converts the internal address into the provider's real IP address. On the way back, the reverse operation is performed. In this sense, to the rest of the Internet, the provider with its ADSL and cable clients looks like one big company.

    Although the scheme described above partially solves the problem of the shortage of IP addresses, many IP purists view NAT as a kind of infection spreading across the Earth, and their objections are understandable.

    First, the very principle of network address translation does not fit into the IP architecture, which assumes that each IP address uniquely identifies exactly one machine in the world. The entire software structure of the Internet is built on this fact. With network address translation, thousands of machines can (and actually do) have the address 10.0.0.1.

    Second, NAT transforms the Internet from a connectionless network into something resembling a connection-oriented network. The problem is that the NAT block must maintain a mapping table for all connections passing through it. Remembering connection state is the job of connection-oriented networks, not connectionless ones. If a NAT block crashes and its mapping table is lost, then all TCP connections passing through it are lost with it. Without network address translation, the failure of a router has no effect on TCP activity: the sending process simply waits a few seconds and resends any unacknowledged packets. With NAT, the Internet becomes as susceptible to failure as a circuit-switched network.

    Third, NAT violates one of the fundamental rules of layered protocol design: layer k should not make any assumptions about what layer k+1 put in the payload field. This principle is what makes the layers independent of each other. If TCP is ever replaced by a TCP-2 with a different header format (for example, 32-bit port addressing), then network address translation will fail. The whole idea of multi-layer protocols is that changes in one layer cannot in any way affect the other layers. NAT destroys this independence.

    Fourth, processes on the Internet are not required to use only TCP or UDP. If the user of machine A decides to devise a new transport layer protocol for communicating with the user of machine B (this could be done, for example, for some multimedia application), then they will have to deal somehow with the fact that the NAT block will not be able to find and process the TCP Source Port field.

    Fifth, some applications insert IP addresses into the body of their messages. The recipient extracts them from there and then acts on them. Since NAT knows nothing about this addressing method, it cannot rewrite these packets correctly, and any attempt by the remote side to use these addresses will fail. The file transfer protocol, FTP (File Transfer Protocol), uses exactly this method and may refuse to work through network address translation unless special measures are taken. The H.323 Internet telephony protocol has the same property. It is possible to extend the NAT method to handle H.323 correctly, but it is impossible to extend it every time a new application appears.

    Sixth, since the Source Port field is 16 bits wide, approximately 65,536 local machine addresses can be mapped to a single IP address. In fact, this number is slightly smaller: the first 4096 ports are reserved for service needs. In general, if there are multiple IP addresses, each IP address can support up to 61,440 local addresses.

    These and other problems associated with Network Address Translation are discussed in RFC 2993. Opponents of NAT typically argue that patching the IP address shortage with a temporary fix only delays the real evolutionary step of moving to IPv6. But in practice, in most cases NAT is simply indispensable, especially for small offices with anywhere from a few to several dozen computers. NAT can be implemented on your own in OS Linux using