TOPIC: TCP SEGMENTS..THROUGH NAT

TCP SEGMENTS..THROUGH NAT 11 years 10 months ago #6742

  • noddy938
  • New Member
  • Posts: 4
  • Karma: 0
Hi Everybody,

I am a newbie to networking. There are some things for which I am not able to get a proper and logical explanation. It might sound very stupid, but I never like to keep these doubts in my head. OK, let me come to the point.

Let’s consider a scenario

Computer-->Router-->Cable Modem-->Internet

The computer is hardwired to the router, and the router in turn is hardwired to the modem, which leads to the internet. Let me also describe the characteristics of the router. The router is used as a GATEWAY and has NAT enabled, just like any of the Netgear, Linksys, D-Link routers, etc.

Computer – IP 192.168.0.10/24 GW: 192.168.0.1
Router – LAN
IP: 192.168.0.1/24
WAN
IP: A valid public IP address and a default gateway within the subnet of the IP address

All requests from the computer that go through the router (NAT) have their source IP address changed.

For instance:

When you request a webpage from Firewall.cx, which has the IP address 66.45.237.140, the packet that leaves the computer has as its source IP address the IP address of the computer, which in our case is a Class C private address, and as its destination address that of Firewall.cx. As soon as the packet crosses NAT, the source IP address of the packet changes to the public IP address of the router, but the destination still remains the same. Now consider the TCP header flag CHECKSUM.

CHECKSUM = PSEUDO HEADER + TCP HEADER + DATA

The PSEUDO HEADER is calculated at the source and later at the destination with these values:
1) SOURCE IP ADDRESS
2) DESTINATION IP ADDRESS
3) PROTOCOL
4) TCP LENGTH

That means that when a TCP connection has to be established, the CHECKSUM calculated and put into the TCP segment at the source and the TCP CHECKSUM recalculated at the destination would not match, as the SOURCE IP ADDRESS of the segment when it was at the computer is different from the SOURCE IP ADDRESS of the segment when it is at the destination.

Since this scenario works beautifully fine and you get the Firewall.cx page displayed, my doubt is: does the router recalculate the CHECKSUM in the TCP segment?
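The checksum arithmetic the post walks through, as an added worked example (not code from the original thread or from Firewall.cx). It builds a TCP segment from 192.168.0.10 to 66.45.237.140 with a checksum over the pseudo-header, then shows that the same segment no longer verifies once the source address is the router's public address, and that the translated segment verifies again after the NAT step recomputes the checksum. The NAT step uses the incremental update from RFC 1624 (HC' = ~(~HC + ~m + m')), which is what NAT code typically does instead of summing the whole segment again, and the result is checked against a full recomputation. The public address 203.0.113.7 (TEST-NET-3), the port numbers and the HTTP payload are constructed for illustration.

```python
"""TCP checksum across NAT: the pseudo-header ties the checksum to the IP
addresses, so a NAT that rewrites the source address (and, with PAT, the
source port) must fix the TCP checksum as well. Added example, not from the
original thread. Addresses, ports and payload are constructed."""
import socket
import struct

TCP_PROTO = 6

# Constructed values: inside host and the Firewall.cx address quoted in the
# post are real-looking; 203.0.113.7 (TEST-NET-3) stands in for the router's
# public WAN address. Ports and payload are invented for the example.
INSIDE_IP, INSIDE_PORT = "192.168.0.10", 49152
PUBLIC_IP, PUBLIC_PORT = "203.0.113.7", 40001
SERVER_IP, SERVER_PORT = "66.45.237.140", 80
PAYLOAD = b"GET / HTTP/1.0\r\nHost: firewall.cx\r\n\r\n"  # 37 bytes: odd, exercises padding


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"  # an odd trailing byte is padded with zero for the sum only
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header: source IP, destination IP, zero, protocol, TCP length."""
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, TCP_PROTO, tcp_len))


def checksum_field(segment: bytes) -> int:
    """The checksum as carried in bytes 16-17 of the TCP header."""
    return struct.unpack("!H", segment[16:18])[0]


def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """Checksum over pseudo-header + TCP header + data, with the checksum field zeroed."""
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    total = ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + zeroed)
    return (~total) & 0xFFFF


def build_segment(src_port, dst_port, seq, ack, flags, window, payload, src_ip, dst_ip) -> bytes:
    """Minimal 20-byte TCP header (no options) plus payload, checksum filled in."""
    header = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack, 5 << 4, flags, window, 0, 0)
    segment = header + payload
    csum = tcp_checksum(src_ip, dst_ip, segment)
    return segment[:16] + struct.pack("!H", csum) + segment[18:]


def verify(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """True if the carried checksum matches the addresses the segment travels between."""
    return checksum_field(segment) == tcp_checksum(src_ip, dst_ip, segment)


def incremental_update(old_csum: int, old_words, new_words) -> int:
    """RFC 1624 eq. 3: HC' = ~(~HC + ~m + m'), applied per changed 16-bit word."""
    acc = (~old_csum) & 0xFFFF
    for m, m_new in zip(old_words, new_words):
        acc += ((~m) & 0xFFFF) + m_new
    while acc >> 16:
        acc = (acc & 0xFFFF) + (acc >> 16)
    return (~acc) & 0xFFFF


def nat_translate(segment: bytes, src_ip: str, new_src_ip: str, new_src_port: int) -> bytes:
    """What the NAT does: rewrite the source port and patch the TCP checksum for the
    new source address and port, without re-summing the whole segment."""
    old_words = struct.unpack("!HH", socket.inet_aton(src_ip)) + (struct.unpack("!H", segment[0:2])[0],)
    new_words = struct.unpack("!HH", socket.inet_aton(new_src_ip)) + (new_src_port,)
    new_csum = incremental_update(checksum_field(segment), old_words, new_words)
    return struct.pack("!H", new_src_port) + segment[2:16] + struct.pack("!H", new_csum) + segment[18:]


def example_segment() -> bytes:
    """The segment as it leaves the computer (PSH|ACK carrying the sample request)."""
    return build_segment(INSIDE_PORT, SERVER_PORT, 1000, 0, 0x18, 65535, PAYLOAD, INSIDE_IP, SERVER_IP)


if __name__ == "__main__":
    seg = example_segment()
    print("checksum as sent by computer: 0x%04x" % checksum_field(seg))
    print("verifies with inside source IP:", verify(INSIDE_IP, SERVER_IP, seg))
    print("verifies with public source IP, untouched:", verify(PUBLIC_IP, SERVER_IP, seg))
    nat = nat_translate(seg, INSIDE_IP, PUBLIC_IP, PUBLIC_PORT)
    print("checksum after NAT: 0x%04x" % checksum_field(nat))
    print("incremental update equals full recompute:",
          checksum_field(nat) == tcp_checksum(PUBLIC_IP, SERVER_IP, nat))
    print("verifies at the server with public source IP:", verify(PUBLIC_IP, SERVER_IP, nat))
```

The middle `verify` call is the situation the post describes: a checksum computed with 192.168.0.10 in the pseudo-header does not match once the server sees 203.0.113.7 as the source, so the router has no choice but to update it. Note that the check is only the one's complement identity; nothing here authenticates the segment, which is why a NAT (or anyone else on the path) can rewrite headers freely.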

Re: TCP SEGMENTS..THROUGH NAT 11 years 10 months ago #6763

  • mew
  • Frequent Member
  • Posts: 77
  • Karma: 0
Yes.

Re: TCP SEGMENTS..THROUGH NAT 11 years 10 months ago #6770

  • noddy938
  • New Member
  • Posts: 4
  • Karma: 0
mew,

As the router can DECAPSULATE the TCP SEGMENT, recalculate the CHECKSUM and ENCAPSULATE it again, this would mean that NAT works at Layer 4 of the OSI model and not at Layer 3.

Moreover, as port numbers appear only in a TCP segment, and an access list can be implemented in a router where traffic can be blocked or allowed using port numbers, this also means that the router works at Layer 4 of the OSI model and not at Layer 3.

Re: TCP SEGMENTS..THROUGH NAT 11 years 10 months ago #6786

  • sahirh
  • Honored Member
  • Posts: 1700
  • Karma: 0
A router with access lists works at layer 4; however, *routing* itself is a layer 3 activity.

Similarly, a switch works at layer 2, but a switch that understands IP addressing works at layer 3. If you have a content switch, it works at layer 7, the application protocol layer :)

It's all a matter of perspective; these things are never cut and dried.
Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com