
Dynamic NAT - Part 2

Posted in Network Address Translation - NAT

Now that you understand the basic idea of Dynamic Network Address Translation, we're going to take a closer look at the packets as they traverse the Dynamic NAT enabled device, which can be a router, a firewall appliance or even a PC running special software!

How NAT Translations Take Place

Most of the rules that apply to Static NAT (which we've already covered) also apply to Dynamic NAT, and there are very few differences between the two, making it very easy to understand and digest :)

The actual process remains the same no matter which device we use, e.g. firewall appliance, Linux gateway, router etc.

Because we don't want to get confused by using a different example, we'll stick to the previous page's network between Dynasoft and its contractor - Datapro, but we're now focusing on Datapro's internal network to learn how the router between its two internal networks (192.168.50.0 and 192.168.100.0) will deal with the Dynamic NAT required in order for the new network to gain access to Dynasoft's development network:

nat-dynamic-part2-1

Dynamic NAT - Part 1

Posted in Network Address Translation - NAT

Dynamic NAT is the second NAT mode we're going to talk about. Dynamic NAT, like Static NAT, is not that common in smaller networks but you'll find it used within larger corporations with complex networks.

Dynamic NAT differs from Static NAT in this way: Static NAT provides a one-to-one, fixed mapping from an internal IP to a public IP, whereas Dynamic NAT also maps one-to-one but the public IP is not fixed and is usually drawn from a group of available public IPs.

What Exactly Does Dynamic NAT do?

While looking at Static NAT, we understood that for every private IP Address that needs access to the Internet we would require one static public IP Address. This public IP Address is mapped to our internal host's IP Address and it is then able to communicate with the rest of the world.

With Dynamic NAT, we also map our internal IP Addresses to real public IP Addresses, but the mapping is not static: the public IP Address an internal host is given is not fixed and is likely to change from one session to the next. These IPs are taken from a pool of public IP Addresses that have been reserved by our ISP for our public network.

With Dynamic NAT, translations don't exist in the NAT table until the router receives traffic that requires translation. Dynamic translations have a timeout period after which they are purged from the translation table, thus making them available for other internal hosts.

The diagram below illustrates the way Dynamic NAT works:

nat-dynamic-part1-1

Static NAT - Part 2

Posted in Network Address Translation - NAT

The previous page helped us understand what exactly happens with Static NAT and how it works, and we saw a few examples of how to use it in various network configurations.

This page will deal with the transformations the packets undertake as they pass through the Static NAT device, which is normally a router or firewall appliance.

So let's get started! Now would be a good time to fill that cup of yours and reload yourself with your special edible supplies :)

How NAT Translations Take Place

So what exactly happens to the packet that enters or exits the Static NAT-enabled device? Well, it's not that complicated once you get the hang of it. The concept is simple and we're going to see it and analyse it using an example, which is really the best possible approach.

The process of the Static NAT translation is the same for every device that supports it (assuming the manufacturer has followed the RFCs). This means that whether we use a router or a firewall appliance to perform Static NAT they'll both follow the same guidelines.

Consider our example network:

nat-static-part2-1


As the diagram describes we have Workstation No.1, which sends a request to the Internet. Its gateway is the router that connects the LAN to the Internet and also performs Static NAT.

The diagram below shows us how the Workstation's packet is altered as it transits the router before it's sent to the Internet (outgoing packet):

nat-static-part2-2

As you can see, the only thing that changes is the Source IP, which was 192.168.0.3 and becomes 203.31.220.135, a real IP Address on the Internet. The Destination IP Address, Source Port and Destination Port are not modified.

Assuming the packet arrives at its destination, we would most likely expect to see a reply. It would be logical to assume that the reply, or incoming packet, will require some sort of modification in order to successfully arrive at the originating host located on our private network (that's Workstation 1).

Here is how the incoming packet is altered as it transits the router:

nat-static-part2-3

The diagram above shows the part of the incoming packet that is altered by the router. Only the Destination IP Address is changed, from 203.31.220.135 to 192.168.0.3, so the packet can then be routed to the internal workstation. Source IP Address, Source Port and Destination Port remain the same.

And in case you're wondering why the ports have changed in comparison to the original outgoing packet, this is not because of NAT but because of the way IP communications work, which happens to be way out of the scope of this topic.
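To make the two translations concrete, here is a small added example (it is not code from the original page or from any vendor's NAT implementation) that rewrites the same header fields the diagrams show, using the page's addresses 192.168.0.3 and 203.31.220.135; the remote server 198.51.100.10, the ports and the `StaticNatGateway` filter in front of the translation are assumptions of this example. The bare `translate_inbound` function shows why Static NAT is described as a bit dangerous: it forwards any packet addressed to the public IP, whether or not the inside host started the conversation. The gateway class adds the check a practitioner would want, letting replies through and only permitting unsolicited inbound traffic on explicitly allowed ports.

```python
from dataclasses import dataclass, replace
from typing import Dict, FrozenSet, Optional, Set, Tuple

@dataclass(frozen=True)
class Packet:
    """Only the header fields a NAT device cares about."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int

# Static one-to-one mapping, inside (private) -> outside (public).
# 192.168.0.3 and 203.31.220.135 are the addresses used in the diagrams above.
STATIC_MAP: Dict[str, str] = {"192.168.0.3": "203.31.220.135"}


def translate_outbound(pkt: Packet, mapping: Dict[str, str] = STATIC_MAP) -> Optional[Packet]:
    """Inside -> outside. Only the Source IP is rewritten; the Destination IP and
    both ports pass through untouched. None means the inside host has no static
    entry and the packet is dropped."""
    public = mapping.get(pkt.src_ip)
    if public is None:
        return None
    return replace(pkt, src_ip=public)


def translate_inbound(pkt: Packet, mapping: Dict[str, str] = STATIC_MAP) -> Optional[Packet]:
    """Outside -> inside. Only the Destination IP is rewritten. A static entry
    answers for *any* packet sent to the public IP, solicited or not: that is the
    exposure of the inside host the text warns about."""
    reverse = {pub: priv for priv, pub in mapping.items()}
    private = reverse.get(pkt.dst_ip)
    if private is None:
        return None
    return replace(pkt, dst_ip=private)


class StaticNatGateway:
    """Static NAT with a minimal stateful filter in front of it. The filter is an
    assumption of this example; the router in the diagrams only translates."""

    def __init__(self, mapping: Dict[str, str], allowed_inbound_ports: FrozenSet[int] = frozenset()):
        self.mapping = dict(mapping)
        self.allowed: Set[int] = set(allowed_inbound_ports)
        # (inside_ip, inside_port, remote_ip, remote_port) of conversations started inside
        self.flows: Set[Tuple[str, int, str, int]] = set()

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        out = translate_outbound(pkt, self.mapping)
        if out is not None:
            self.flows.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
        return out

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        inside = translate_inbound(pkt, self.mapping)
        if inside is None:
            return None
        # A reply matches a conversation the inside host started (ports swapped).
        is_reply = (inside.dst_ip, inside.dst_port, inside.src_ip, inside.src_port) in self.flows
        if is_reply or pkt.dst_port in self.allowed:
            return inside
        return None  # unsolicited and not on the allow list: dropped by policy


if __name__ == "__main__":
    # Constructed sample: Workstation 1 fetches a web page and the server replies.
    gw = StaticNatGateway(STATIC_MAP, allowed_inbound_ports=frozenset({80}))
    request = Packet("192.168.0.3", "198.51.100.10", 1234, 80)
    print("outgoing:", gw.outbound(request))
    reply = Packet("198.51.100.10", "203.31.220.135", 80, 1234)
    print("incoming:", gw.inbound(reply))
    probe = Packet("198.51.100.99", "203.31.220.135", 40000, 22)
    print("bare static NAT forwards the probe:", translate_inbound(probe))
    print("gateway with policy:", gw.inbound(probe))
```

Run it and compare the two last lines: plain Static NAT hands the unsolicited packet to the workstation, while the gateway only does so for ports you have chosen to publish.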

Now, because I understand that even a simple diagram can be very confusing, here's one more that summarises all the above. The diagram below shows you what the outgoing and incoming packets looked like before and after transiting the router:

nat-static-part2-4

So there you have it, Static NAT should now make sense to you :)

As you've seen, the concept is very simple and it varies slightly depending on the NAT mode you're working with. So NAT is not that difficult to understand after all! If there are still a few things that are unclear to you, please try reading the page again and keep in mind the forum to which you can post your questions and doubts!

Next up is Dynamic NAT! So sit tight and let's rock and roll... :)


Static NAT - Part 1

Posted in Network Address Translation - NAT

Static NAT (also called inbound mapping) is the first mode we're going to talk about and also happens to be the most uncommon among smaller networks.

Static NAT was mainly created to allow hosts on your private network to be directly accessible via the Internet using real public IPs; we'll see in great detail how this works and is maintained. Static NAT is also considered a bit dangerous because a misconfiguration of your firewall or other NAT-enabled device can result in the full exposure of the machine on your private network to which the public IP Address maps, and we'll see the security risks later on this page.

What Exactly Does Static NAT Do?

As mentioned in the introduction, Static NAT allows the mapping of public IP Addresses to hosts inside the internal network. In simple English, this means you can have a computer on your private network that exists on the Internet with its own real IP.

The diagram below has been designed to help you understand exactly how Static NAT works:

nat-static-part1-1

The Network Address Translation Table

Posted in Network Address Translation - NAT

After that simple and informative introduction to the NAT concept, it's time to find out more about how it works and this is where the NAT table comes in.


The NAT Table

The NAT table is the heart of the whole NAT operation, which takes place within the router (or any NAT-enabled device) as packets arrive and leave its interfaces. Each connection from the internal (private) network to the external (public-Internet) network, and vice versa, is tracked and a special table is created to help the router determine what to do with all incoming packets on all of its interfaces; in our example there are two. This table, known as the NAT table, is populated gradually as connections are created across the router and once these connections are closed the entries are deleted, making room for new entries.

The NAT table works differently depending on the NAT mode. This is explained in greater detail on each NAT mode's page. For now, we just need to get the feeling for this table to facilitate understanding of each NAT mode.

The larger the NAT table (which means the more memory it occupies), the more bi-directional connections it can track. This means that a NAT-enabled device with a big NAT table is able to serve more clients on the internal network than other similar devices with smaller NAT tables.

The illustration below shows you a typical table of a NAT-enabled device while internal clients are trying to access resources on the Internet:

nat-table-1
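The NAT table described above and the Dynamic NAT behaviour from the Dynamic NAT - Part 1 page (translations created on first use from a pool of public IPs, purged after a timeout, and a table whose size limits how many internal clients can be served) fit in one small model. The code below is an added example, not code from the original page or from any router vendor; the pool addresses 203.0.113.10-11 and the internal hosts 192.168.50.x are constructed, time is passed in explicitly so the timeouts are reproducible, and the one-entry-per-inside-host rule (rather than per session) is a simplification of this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Translation:
    inside: str       # private address of the internal host
    outside: str      # public address borrowed from the pool
    last_seen: float  # time of the last packet that used this entry


class DynamicNatTable:
    """Dynamic NAT: public IPs are handed out from a pool when the first packet
    needing translation arrives, and returned when the entry sits idle for longer
    than `timeout` seconds. One entry per inside host is an assumption here."""

    def __init__(self, pool: List[str], timeout: float, max_entries: Optional[int] = None):
        self.free: List[str] = list(pool)          # public IPs not currently in use
        self.table: Dict[str, Translation] = {}    # the NAT table: inside IP -> entry
        self.timeout = timeout
        # The table's capacity bounds how many inside hosts are served at once.
        self.max_entries = len(pool) if max_entries is None else max_entries

    def expire(self, now: float) -> List[str]:
        """Purge idle entries and return their public IPs to the pool.
        Returns the inside IPs whose entries were removed."""
        purged = []
        for inside, entry in list(self.table.items()):
            if now - entry.last_seen >= self.timeout:
                del self.table[inside]
                self.free.append(entry.outside)
                purged.append(inside)
        return purged

    def outbound(self, inside: str, now: float) -> Optional[str]:
        """Inside -> outside: reuse the host's live entry or create one.
        None means the pool (or the table) is exhausted and the packet is dropped."""
        self.expire(now)
        entry = self.table.get(inside)
        if entry is None:
            if not self.free or len(self.table) >= self.max_entries:
                return None
            entry = Translation(inside, self.free.pop(0), now)
            self.table[inside] = entry
        entry.last_seen = now
        return entry.outside

    def inbound(self, outside: str, now: float) -> Optional[str]:
        """Outside -> inside: only packets matching a live entry are translated.
        Unlike Static NAT, a pool address with no entry leads nowhere."""
        self.expire(now)
        for entry in self.table.values():
            if entry.outside == outside:
                entry.last_seen = now
                return entry.inside
        return None

    def rows(self) -> List[Tuple[str, str, float]]:
        """Snapshot of the NAT table, in the spirit of the illustration above."""
        return [(e.inside, e.outside, e.last_seen) for e in self.table.values()]


if __name__ == "__main__":
    # Constructed sample: two public addresses in the pool, three internal hosts.
    nat = DynamicNatTable(["203.0.113.10", "203.0.113.11"], timeout=60)
    for host, t in [("192.168.50.5", 0), ("192.168.50.6", 1), ("192.168.50.7", 2)]:
        print(f"t={t:>3}  {host} -> {nat.outbound(host, t)}")
    print("NAT table:", nat.rows())
    print("t= 62  192.168.50.7 ->", nat.outbound("192.168.50.7", 62))
```

The third host gets no translation at t=2 because both pool addresses are in use; at t=62 the idle entry for 192.168.50.6 has been purged, its public IP is back in the pool, and the third host is served. A device with a bigger pool and a bigger table would simply have said yes the first time.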
