beautypg.com

Nat implementation, One-to-one nat, many-to-many nat and nat control, Figure 1 – H3C Technologies H3C SecBlade FW Cards User Manual

Page 9

background image

2

Figure 1 NAT operation

A NAT gateway lies between the private network and the public network.

The internal host at 192.168.1.3 sends an IP packet (IP packet 1) to the external server at 10.1.1.2
through the NAT gateway.

Upon receipt of the packet, the NAT gateway checks the IP header. Finding that the packet is
destined to the external network, the NAT gateway translates the private source IP address
192.168.1.3 to the globally unique IP address 20.1.1.1 and then forwards the resulting packet to the

external server. Meanwhile, the NAT gateway records the mapping between the two addresses in

its NAT table.

After receiving a response from the external server, the NAT gateway uses the destination IP address
20.1.1.1 of the packet to find the mapping, replaces the destination address with the private address

192.168.1.3, and then sends the packet to the internal host.

The above NAT operation is transparent to the terminals involved. The external server believes that the IP

address of the internal PC is 20.1.1.1 and is unaware of the private address 192.168.1.3. As such, NAT

hides the private network from external networks.
Despite the advantages of allowing internal hosts to access external resources and providing privacy,
NAT has the following disadvantages:

As NAT involves translation of IP addresses, the IP header cannot be encrypted. This is also true for
some application protocol packets containing IP addresses or port numbers which need to be

translated. For example, you cannot encrypt FTP packets, or its port command cannot work

correctly.

Network debugging becomes more difficult. For example, when a host in a private network tries to
attack other networks, it is hard to pinpoint the attacking host because its internal IP address is
hidden.

NAT implementation

One-to-one NAT, Many-to-many NAT and NAT control

As depicted in

Figure 1

, when an internal host accesses an external network, NAT uses an external or

public IP address to replace the original internal IP address. In

Figure 1

, NAT uses the IP address of the

outbound interface on the NAT gateway. This means that all internal hosts use the same external IP

address to access external networks and only one host is allowed to access external networks at a given

time. This is called one-to-one NAT.

This manual is related to the following products:
See also other documents in the category H3C Technologies Safety: