Network Address Translation (NAT) is one of the basic functions of a circuit level gateway. The simple purpose of NAT is to hide the IP addresses of a private network from the outside world. Normally, when a router forwards a packet from one segment to another, the packet is unchanged. With NAT, as a packet crosses from a trusted segment of a circuit level gateway to an untrusted segment, the packet is rewritten so that the source address it carried on the private segment is replaced by a translated source address. The translated source address is what the outside world sees; the private address remains hidden.

When a host on the public network transmits a packet to a host on the private network, it addresses the packet to the private host's publicly translated address; the sender on the public side does not know the destination host's true address. As the packet crosses the circuit level gateway, the gateway rewrites it so that the destination address is translated to the destination host's private address.

[Image: the changes in source and destination addresses as packets cross a circuit level gateway performing network address translation.]

One form of NAT establishes a one to one translation between an equal number of private and public host addresses. For example, each host address on a Class C network on the private side of a circuit level gateway is uniquely mapped to a corresponding host address on a Class C network on the public side of the gateway. If 10.1.1.0/24 is the private network address and 172.19.19.0/24 is the public network address, then outbound packets with a source address of 10.1.1.5 are always rewritten with a translated source address of 172.19.19.5, and inbound packets with a destination address of 172.19.19.5 are rewritten with a translated destination address of 10.1.1.5. The mapping is persistent and bi-directional. Therefore, connections may be initiated from either side of the circuit level gateway unless a default deny policy is applied: this form of NAT hides the private address but does not by itself prevent inbound connections.

A second form of NAT maps a large block of addresses from the private network to a small pool of addresses on the public segment, so that many private addresses (here an entire Class A block) share part of a Class C network block. If 10.0.0.0/8 is the private segment's network address and 172.19.19.0/28 is the public pool of addresses, then an outbound packet with a source address of 10.1.1.5 may be rewritten to have a translated source address of any host address in the pool 172.19.19.0/28 (fourteen usable addresses). The NAT gateway then creates a temporary entry in its internal translation table to track the mapping. An inbound packet's destination address cannot be translated unless a corresponding entry exists in the NAT table; if a current translation exists, the inbound packet's destination address is rewritten in accordance with that entry. The mapping is not persistent and is only temporarily bi-directional: an inbound connection may be accepted only until the NAT table entry expires, and a private host with no current entry is unreachable from the public side.

The form of NAT commonly (but not exclusively) used in commercial circuit level gateways maps any number of addresses from the private network to a single address on the public segment. Given a private segment with the network address 10.0.0.0/8 and a NAT policy that sets 172.19.19.130 as the public address, all outbound packets from the private network are rewritten to have a translated source address of 172.19.19.130. Because every private host now shares one public address, the destination address of a reply no longer identifies the originating host; to map replies correctly to the private host that initiated the connection, the source port number of the outbound packet must also be translated, with the gateway assigning each connection a distinct public port. The NAT gateway then creates a temporary entry in its internal translation table to track the translated source address and port number, and, as with the pooled form, inbound packets that match no current entry cannot be translated.
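The three forms of NAT described on this page, modelled as a small Python simulator. This is an added example, not code from the original page: the Packet fields, the timeout values and the port allocation strategy are assumptions chosen for illustration, and the addresses are the page's own (10.1.1.0/24 to 172.19.19.0/24 for static NAT, 10.0.0.0/8 to the pool 172.19.19.0/28, and 10.0.0.0/8 behind the single address 172.19.19.130 with port translation). The table-driven forms show the behaviour the text stresses: an inbound packet with no current table entry is not translated, and entries expire.

```python
"""Toy model of static 1:1 NAT, dynamic pool NAT and port address translation.
Added example (not from the original page); timeouts and ports are assumptions."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """The IPv4/transport header fields that NAT rewrites (constructed input)."""
    src: str
    sport: int
    dst: str
    dport: int


class StaticNAT:
    """One to one, persistent, bidirectional: equal-sized private and public blocks."""

    def __init__(self, private_net: str, public_net: str):
        self.priv = ipaddress.ip_network(private_net)
        self.pub = ipaddress.ip_network(public_net)
        if self.priv.prefixlen != self.pub.prefixlen:
            raise ValueError("static NAT needs equal-sized blocks")

    def outbound(self, pkt: Packet) -> Packet:
        src = ipaddress.ip_address(pkt.src)
        if src not in self.priv:
            raise ValueError(f"{pkt.src} is not on the private segment")
        # Same host offset in the public block, so 10.1.1.5 becomes 172.19.19.5.
        pub = self.pub.network_address + (int(src) - int(self.priv.network_address))
        return Packet(str(pub), pkt.sport, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Packet:
        dst = ipaddress.ip_address(pkt.dst)
        if dst not in self.pub:
            raise ValueError(f"{pkt.dst} is not a translated address")
        # No table lookup: the reverse mapping always exists, so inbound
        # connections reach the private host unless policy blocks them.
        priv = self.priv.network_address + (int(dst) - int(self.pub.network_address))
        return Packet(pkt.src, pkt.sport, str(priv), pkt.dport)


class _TableNAT:
    """Shared translation-table handling for the two temporary-mapping forms."""

    def __init__(self, private_net: str, timeout: int):
        self.priv = ipaddress.ip_network(private_net)
        self.timeout = timeout
        self.table: dict = {}          # public key -> (private value, expiry time)

    def _expire(self, now: int) -> None:
        for key, (_, expiry) in list(self.table.items()):
            if expiry <= now:
                del self.table[key]    # inbound to this key can no longer be translated

    def _lookup_private(self, value, now: int):
        for key, (val, _) in self.table.items():
            if val == value:
                self.table[key] = (val, now + self.timeout)   # refresh on outbound traffic
                return key
        return None


class DynamicNAT(_TableNAT):
    """Large private block mapped to a small public pool; entries are temporary."""

    def __init__(self, private_net: str, pool: str, timeout: int = 300):
        super().__init__(private_net, timeout)
        self.pool = list(ipaddress.ip_network(pool).hosts())   # 14 hosts for a /28

    def outbound(self, pkt: Packet, now: int) -> Packet:
        self._expire(now)
        src = ipaddress.ip_address(pkt.src)
        if src not in self.priv:
            raise ValueError(f"{pkt.src} is not on the private segment")
        pub = self._lookup_private(src, now)
        if pub is None:
            free = [a for a in self.pool if a not in self.table]
            if not free:
                raise RuntimeError("public pool exhausted")   # the cost of a small pool
            pub = free[0]
            self.table[pub] = (src, now + self.timeout)
        return Packet(str(pub), pkt.sport, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet, now: int):
        self._expire(now)
        entry = self.table.get(ipaddress.ip_address(pkt.dst))
        if entry is None:
            return None                # no current entry: the packet cannot be translated
        return Packet(pkt.src, pkt.sport, str(entry[0]), pkt.dport)


class PortNAT(_TableNAT):
    """Any number of private hosts behind one public address; source ports translated."""

    def __init__(self, private_net: str, public_addr: str, timeout: int = 300,
                 first_port: int = 1024):
        super().__init__(private_net, timeout)
        self.pub = public_addr
        self.next_port = first_port    # sequential allocation is an assumption

    def outbound(self, pkt: Packet, now: int) -> Packet:
        self._expire(now)
        src = ipaddress.ip_address(pkt.src)
        if src not in self.priv:
            raise ValueError(f"{pkt.src} is not on the private segment")
        key = (src, pkt.sport)         # two hosts may pick the same source port
        pport = self._lookup_private(key, now)
        if pport is None:
            pport, self.next_port = self.next_port, self.next_port + 1
            self.table[pport] = (key, now + self.timeout)
        return Packet(self.pub, pport, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet, now: int):
        self._expire(now)
        entry = self.table.get(pkt.dport) if pkt.dst == self.pub else None
        if entry is None:
            return None                # unknown public port: dropped, not translated
        (priv, sport), _ = entry
        return Packet(pkt.src, pkt.sport, str(priv), sport)
```

The `now` argument stands in for the gateway's clock so that expiry can be exercised deterministically: an inbound packet that arrives after the entry's timeout gets `None` from `inbound`, which is the point at which a real gateway drops it. Note that only `PortNAT` keys its table on the port; in the pooled form the whole public address is the key, which is why each simultaneous private host consumes one pool address.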