Nat control, Nat implementation, Basic nat – H3C Technologies H3C WX3000E Series Wireless Switches User Manual

3. The external server responds to the internal host with an IP packet whose destination IP address is 20.1.1.1. After receiving the packet, the NAT device checks the IP header, looks up its NAT table for the mapping, replaces the destination address with the private address of 192.168.1.3, and then sends the new packet to the internal host.
The NAT operation is transparent to the terminals involved. The external server believes that the IP
address of the internal PC is 20.1.1.1 and is unaware of the private address 192.168.1.3. As a result, NAT
hides the private network from external networks.
Despite the advantages of allowing internal hosts to access external resources and providing privacy,
NAT has the following disadvantages:
• Because NAT involves translation of IP addresses, the IP headers cannot be encrypted. This is also true for application protocol packets when the contained IP address or port number needs to be translated. For example, you cannot encrypt an FTP connection; otherwise, its PORT command cannot work correctly.
• Network debugging becomes more difficult. For example, when a host in a private network attacks other networks, it is harder to pinpoint the attacking host because its internal IP address is hidden.
NAT control
Typically, an enterprise allows some hosts in the internal network to access external networks and
prohibits others. The enterprise can achieve this through the NAT control mechanism. If a source IP
address is in the denied address list, the NAT device does not translate the address. In addition, the NAT
device only translates private addresses to specified public addresses.
You can achieve NAT control through an access control list (ACL) and an address pool.
• Only packets matching the ACL rules are served by NAT.
• An address pool is a collection of consecutive public IP addresses for address translation. You can specify an address pool based on the number of available public IP addresses, the number of internal hosts, and network requirements. The NAT device selects an address from the address pool as the public address of an IP packet.
NAT implementation
Basic NAT
When an internal host accesses an external network, NAT uses an external or public IP address to replace the original internal IP address. As shown in , NAT uses the IP address of the outbound interface on the NAT device. All internal hosts use the same external IP address to access external networks, and only one host can access external networks at a given time.
A NAT device can also hold multiple public IP addresses to support concurrent access requests.
Whenever a new external network access request comes from the internal network, NAT chooses an
available public IP address (if any) to replace the source IP address, forwards the packet, and records the
mapping between the two addresses. In this way, multiple internal hosts can access external networks
simultaneously.
The number of public IP addresses that a NAT device needs is usually far less than the number of internal
hosts because not all internal hosts access external networks at the same time. The number of public IP
addresses is related to the number of internal hosts that might access external networks simultaneously
during peak hours.
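The following simulation of basic NAT with NAT control is an added example written for this section; it is not code from the H3C manual or the switch firmware. It models the behaviour described above: an ACL decides which private sources are served, a public address is taken from a pool of consecutive addresses and the mapping is recorded, the reply's destination is translated back through that mapping, and an exhausted pool or an unsolicited inbound packet is dropped. The addresses, the class name `BasicNat` and the `run_demo` helper are constructed for the example.

```python
import ipaddress
class BasicNat:
    """Basic NAT with NAT control: the ACL picks which sources are served, public addresses come from a pool."""
    def __init__(self, permitted_prefixes, pool_start, pool_end):
        self.acl = [ipaddress.ip_network(p) for p in permitted_prefixes]
        first, last = (int(ipaddress.ip_address(a)) for a in (pool_start, pool_end))
        self.pool = [str(ipaddress.ip_address(i)) for i in range(first, last + 1)]
        self.mapping = {}   # private -> public, recorded when a host first goes out
        self.reverse = {}   # public -> private, used for return traffic

    def served_by_nat(self, src):
        # NAT control: only sources matching an ACL permit rule are translated
        return any(ipaddress.ip_address(src) in net for net in self.acl)

    def outbound(self, pkt):
        """Translate the source of an outgoing packet; None means the pool is exhausted."""
        src = pkt["src"]
        if not self.served_by_nat(src):
            return dict(pkt)  # not matched by the ACL: forwarded untranslated
        if src not in self.mapping:
            free = [a for a in self.pool if a not in self.reverse]
            if not free:
                return None   # no public address available: packet dropped
            self.mapping[src], self.reverse[free[0]] = free[0], src
        return {**pkt, "src": self.mapping[src]}

    def inbound(self, pkt):
        """Translate the destination of a reply; unsolicited packets (no mapping) are dropped."""
        private = self.reverse.get(pkt["dst"])
        return None if private is None else {**pkt, "dst": private}

    def release(self, src):
        # session ended: return the public address to the pool for reuse
        public = self.mapping.pop(src, None)
        if public is not None:
            del self.reverse[public]

def run_demo():
    # constructed addresses: pool 20.1.1.1-20.1.1.2, external server 203.0.113.10
    nat = BasicNat(["192.168.1.0/24"], "20.1.1.1", "20.1.1.2")
    server = "203.0.113.10"
    out1 = nat.outbound({"src": "192.168.1.3", "dst": server})
    reply = nat.inbound({"src": server, "dst": out1["src"]})
    out2 = nat.outbound({"src": "192.168.1.4", "dst": server})
    out3 = nat.outbound({"src": "192.168.1.5", "dst": server})   # pool exhausted
    denied = nat.outbound({"src": "10.0.0.7", "dst": server})     # not in the ACL
    nat.release("192.168.1.3")
    out4 = nat.outbound({"src": "192.168.1.5", "dst": server})   # reuses 20.1.1.1
    return out1, reply, out2, out3, denied, out4
```

Sizing the pool as the text suggests corresponds to choosing `pool_end` so that the number of concurrently mapped hosts during peak hours never produces the `None` result from `outbound`.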