NAT via VPN :)

From
Andrew Lepilin (2:5011/60.5)
To
Aleksey Sobolev (2:5054/37.63)
Date
2005-03-12T23:38:58Z
Area
RU.WINDOWS.NT.ADMIN
Hi.

 Aleksey Sobolev -> Andrew Lepilin:

 AS > Interesting: in many such messages NAT is used. I understand
 AS > it in the sense of MASCARADING (don't remember exactly how it's spelled :)
 AS > i.e. many-to-one address translation. Is that right? NAT imho
 AS > is many-to-many translation...

Masquerading is one form of NAT (see the last paragraph). (Quoted from MS Press, MS Encyclopedia of Networking, 2nd ed.)

Overview
Network address translation (NAT) is a mechanism for translating the IP addresses of hosts on one network into IP addresses belonging to a different network. NAT is usually used at the boundary of two networks, especially where a private network such as a corporate network meets a public network such as the Internet.

The motivation behind the creation of NAT is that the number of available global (public) registered IP addresses on the Internet is rapidly being depleted. NAT works around this problem by

Address reuse: NAT allows multiple private networks to use the same network IDs (same range of IP addresses). Private networks (networks not directly connected to the Internet) can use any range of IP addresses but usually employ those addresses specially reserved by the Internet Assigned Numbers Authority (IANA) for private network usage, such as 10.0.0.0 through 10.255.255.255 (or 10/8 in classless interdomain routing [CIDR] notation), 172.16.0.0 through 172.32.255.255 (or 172.16/12), and 192.168.0.0 through 192.168.255.255 (or 192.168/16). Addresses in this range are designated by IANA as nonroutable addresses, and networks using these addresses cannot directly connect to the Internet using a router. Instead, they need a router or access device that supports NAT so that these nonroutable addresses can be translated into public addresses for routing over the Internet.

Address multiplexing: NAT allows IP addresses of multiple hosts on a private network to be exposed to the Internet as a single public IP address. This allows the addresses of hosts on a private network to be hidden from the outside world, improving security on the network. Address multiplexing is sometimes referred to as network address port translation (NAPT).

Implementation
In a typical NAT scenario, a NAT-enabled router connects an internal corporate network with the Internet. The internal network has multiple IP hosts using private network IP addresses, while the router has a similar private IP address on its near-side (internal) interface and a public (global) address on its far-side (internal) interface. NAT operates by examining traffic passing through the router and building a table that maps the connections between hosts inside the network and hosts outside on the Internet. For each connection the table contains

Original IP address and port number of source address

Original IP address and port number of destination address

Translated IP address and port number of source address

Translated IP address and port number of destination address

Transmission Control Protocol (TCP) and Internet Control Message Protocol (ICMP) sequence numbers

All packets that enter the network through the router have their addresses translated, and all packets leaving the network have their addresses translated back again.

Implementing NAT on a router or firewall thus involves creating and configuring a NAT table containing these private/public IP address mappings. These address mappings can either be

Manually created: A static NAT table essentially consists of a series of manually created NAT rules that specify how IP addresses will be translated. Static NAT mappings are always one-to-one mappings between actual and translated addresses. For example, a typical static NAT rule might be equivalent to the statement, "Translate all IP addresses belonging to the network 176.43.8.z to IP addresses in the form 145.5.133.z with the subnet mask 255.255.255.0 used for both networks." This rule results in the address 176.43.8.1 being mapped to 145.5.133.1, 176.43.8.2 being mapped to 145.5.133.2, and so on. This approach can be used, for example, when corporate networks with conflicting addresses need to be merged into one network. Static mappings are not very useful, however, for connections between private networks and the Internet due to the large number of possible connections to Internet hosts, which can make the NAT table grow excessively large thus degrading router performance.

or

Dynamically assigned: NAT-enabled routers can often dynamically allocate IP addresses to hosts on the private network by selecting addresses drawn from a specified pool. Dynamic NAT mappings are also one-to-one mappings between actual and translated addresses. This process is similar to Dynamic Host Configuration Protocol (DHCP) and can be done either randomly or, more usually, on a round-robin basis. Each time a connection is formed between the external and internal networks, NAT assigns a different IP address from the pool to the internal host being connected to and address information in packets is modified accordingly.

Another popular form of dynamic NAT is called address overloading, masquerading, port address translation (PAT), or network address port translation (NAPT). In this situation all the IP addresses of the internal private network are hidden to outsiders, who can access only the single IP address of the interface exposed to the public network. Address overloading thus employs many-to-one mappings of IP addresses and is used when the number of internal addresses is greater than the available number of global addresses. Address overloading differs from standard NAT in that port numbers are also translated, not just IP addresses. For example, it is possible to multiplex many TCP connections through a single global IP address by assigning each connection a different port number. These numbers might be chosen, for example, from the range 61,000 through 65,096, which would allow up to 4096 simultaneous TCP connections through a single overloaded IP address. Address overloading is often used by firewalls and sometimes for load balancing Web servers.


Andrew

--- GoldED+/W32 snapshot-2002.9.29
 * Origin:  (2:5011/60.5)
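As an added illustration of the address overloading (masquerading) described in the quoted encyclopedia text, not code from the original message: a minimal NAPT table that rewrites outbound flows to one public address with a port taken from the 61,000 to 65,096 pool, reverse-translates replies, drops inbound packets with no table entry (this is what hides the internal hosts), and reports pool exhaustion. All addresses and ports are constructed sample values.

```python
# Added example (not from the original post): a toy many-to-one NAPT table.
from collections import deque

class Napt:
    """Every internal (ip, port) flow is rewritten to the single public
    address with a distinct translated port drawn from a pool."""

    def __init__(self, public_ip, port_lo=61000, port_hi=65096):
        self.public_ip = public_ip
        # One translated port per active connection, handed out round-robin.
        self.free_ports = deque(range(port_lo, port_hi + 1))
        self.out_map = {}   # (src_ip, src_port, dst_ip, dst_port) -> public port
        self.in_map = {}    # (public_port, dst_ip, dst_port) -> (src_ip, src_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate a packet leaving the private network. Returns the rewritten
        (src_ip, src_port, dst_ip, dst_port), or None when the pool is empty."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.out_map:
            if not self.free_ports:
                return None          # every translated port is already in use
            pub_port = self.free_ports.popleft()
            self.out_map[key] = pub_port
            self.in_map[(pub_port, dst_ip, dst_port)] = (src_ip, src_port)
        return (self.public_ip, self.out_map[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate a reply arriving on the public interface back to the
        internal host. Packets with no matching table entry are dropped (None)."""
        if dst_ip != self.public_ip:
            return None
        entry = self.in_map.get((dst_port, src_ip, src_port))
        if entry is None:
            return None
        return (src_ip, src_port, entry[0], entry[1])

    def close(self, src_ip, src_port, dst_ip, dst_port):
        """Remove a finished connection and return its port to the pool."""
        key = (src_ip, src_port, dst_ip, dst_port)
        pub_port = self.out_map.pop(key)
        del self.in_map[(pub_port, dst_ip, dst_port)]
        self.free_ports.append(pub_port)
```

Two internal hosts may both use source port 40000 towards the same server; the translated port, not the original one, is what lets the reply find its way back.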