
Nat implementation, One-to-one nat, many-to-many nat and nat control – H3C Technologies H3C SecPath F1000-E User Manual

Page 443


192.168.1.3 to the globally unique IP address 20.1.1.1 and then forwards the packet to the external server. Meanwhile, the NAT gateway records the mapping between the two addresses in its NAT table.

After receiving a response from the external server, the NAT gateway uses the destination IP address 20.1.1.1 of the packet to find the mapping, replaces the destination address with the private address 192.168.1.3, and then sends the packet to the internal host.

The above NAT operation is transparent to the terminals involved. The external server believes that the IP address of the internal PC is 20.1.1.1 and is unaware of the private address 192.168.1.3. As such, NAT hides the private network from external networks.

Despite the advantages of allowing internal hosts to access external resources and providing privacy, NAT has the following disadvantages:

As NAT involves translation of IP addresses, the IP header cannot be encrypted. This is also true for some application protocol packets that carry IP addresses or port numbers which need to be translated. For example, FTP packets cannot be encrypted, or the FTP PORT command cannot work correctly.

Network debugging becomes more difficult. For example, when a host in a private network tries to
attack other networks, it is hard to pinpoint the attacking host because its internal IP address is
hidden.

NAT Implementation

One-to-One NAT, Many-to-Many NAT and NAT control

As depicted in Figure 1, when an internal host accesses an external network, NAT uses an external or public IP address to replace the original internal IP address. In Figure 1, NAT uses the IP address of the outbound interface on the NAT gateway. This means that all internal hosts use the same external IP address to access external networks and only one host is allowed to access external networks at a given time. This is called one-to-one NAT.
A NAT gateway can also hold multiple public IP addresses to support concurrent access requests. Whenever a new external network access request comes from the internal network, NAT chooses an available public IP address (if any) to replace the source IP address, forwards the packet, and records the mapping between the two addresses. In this way, multiple internal hosts can access external networks simultaneously. This is called many-to-many NAT.

NOTE:

The number of public IP addresses that a NAT gateway needs is usually far less than the number of internal hosts because not all internal hosts will access external networks at the same time. The number of public IP addresses is related to the number of internal hosts that might access external networks simultaneously during peak hours.

In practice, an enterprise may need to allow some internal hosts to access external networks while prohibiting others. This can be achieved through the NAT control mechanism. If a source IP address is among the addresses denied, the NAT gateway will not translate the address.

Many-to-many NAT can be implemented by using an address pool, which is a collection of consecutive public IP addresses. The NAT gateway selects addresses from the address pool for packets. The number of addresses in the pool is determined according to the number of available public IP addresses, the number of internal hosts, and network requirements.

NAT control can be achieved through ACLs. Only packets matching the ACL rules are served by NAT.
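The following is an added illustration, not code from the H3C manual or the SecPath product: a small Python model of the address-pool NAT and ACL-based NAT control described above. It shows one-to-one NAT (a pool holding only the outbound interface address), many-to-many NAT (a pool of several addresses), the mapping table used to translate responses, and the two cases in which a packet is not served: a source denied by the ACL and an exhausted pool. All addresses and the ACL are constructed sample values.

```python
# Added example: simulated NAT gateway with an address pool and ACL-based NAT control.
# Not the vendor's implementation; addresses below are constructed sample values.
from ipaddress import ip_address, ip_network


class NatGateway:
    def __init__(self, pool, permit_acl):
        self.free = list(pool)                               # public addresses not yet mapped
        self.permit = [ip_network(n) for n in permit_acl]    # ACL: only these sources are served
        self.table = {}                                      # private -> public (NAT table)
        self.reverse = {}                                    # public -> private (for responses)

    def allowed(self, src):
        """NAT control: a source outside the permitted ACL rules is not translated."""
        return any(ip_address(src) in net for net in self.permit)

    def outbound(self, src, dst):
        """Translate an internal host's packet; return (public_src, dst) or None if not served."""
        if not self.allowed(src):
            return None                                      # denied address: left untranslated
        if src not in self.table:
            if not self.free:
                return None                                  # pool exhausted: no public address free
            pub = self.free.pop(0)                           # choose an available pool address
            self.table[src] = pub
            self.reverse[pub] = src
        return (self.table[src], dst)

    def inbound(self, src, dst):
        """Use the public destination address to find the mapping and restore the private address."""
        priv = self.reverse.get(dst)
        return None if priv is None else (src, priv)         # no mapping: packet cannot be delivered

    def release(self, src):
        """Return a host's public address to the pool once its session is finished."""
        pub = self.table.pop(src, None)
        if pub is not None:
            del self.reverse[pub]
            self.free.append(pub)


if __name__ == "__main__":
    # One-to-one NAT: the pool holds only the outbound interface address 20.1.1.1.
    gw = NatGateway(["20.1.1.1"], ["192.168.1.0/24"])
    print(gw.outbound("192.168.1.3", "203.0.113.10"))       # ('20.1.1.1', '203.0.113.10')
    print(gw.outbound("192.168.1.4", "203.0.113.10"))       # None: only one host at a time
    print(gw.inbound("203.0.113.10", "20.1.1.1"))           # ('203.0.113.10', '192.168.1.3')
```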
