Dynamic Mode Implementation of NAT
This section describes the following configuration options:
NAT can be configured to operate in one of three modes: dynamic only, static only, and a combination of static and dynamic. Dynamic mode is used to allow hosts on your private network, or intranet, to access a public network, such as the Internet. Static mode is used to allow hosts on the public network to access selected hosts on your private network. The combination mode is used when both dynamic mode and static mode functions are required.
The following sections describe each NAT mode of operation and discuss the advantages of using each mode.
In dynamic only mode, NAT enables IP hosts on a private network to access the Internet without requiring an administrator to assign a globally unique IP address to each system. Instead, the NAT interface is configured with one public address, and private hosts can then access the Internet through the NAT interface.
Hosts accessing the Internet are dynamically assigned the IP address bound to the NAT interface and a port from a pool of available ports that are constantly reused. Each time a packet is forwarded to the public network, the private address is replaced with the globally unique public address and a randomly assigned port. When the session is completed, the port is returned to the pool to be reassigned as needed. No connections can be initiated from the public network into your private network.
All TCP, UDP, and ICMP packets have their source or destination address (depending on the direction) translated. The public address used for this translation is the primary IP address of the NAT interface, which is specified in the Local IP Address parameter.
NAT provides a pool of 5,000 ports for TCP connections, a pool of 5,000 ports for UDP mappings, and a pool of 5,000 ports for ICMP mappings. To establish a new connection when all 5,000 UDP or ICMP mappings are already used, NAT drops the oldest mapping and provides a port number to the new mapping. To establish a new TCP connection when all 5,000 connections are already used, NAT provides a port number to the new connection by dropping the oldest connection that meets the following criteria in the order shown:
Static only mode is used for permanent one-to-one mapping of public registered IP addresses to local IP addresses inside a private network. Static address translations are recommended when internal hosts, such as FTP servers or Web servers, are made available to the public network.
In static only mode, NAT is configured with a table of IP address pairs. Each table entry contains a pair of IP addresses for each host that public hosts are permitted to access. The first IP address in each pair is a public IP address to which the private address is mapped; the second address is the address of the host on your private network.
Because public hosts can access private hosts only by using the private hosts' public IP addresses, only those hosts that have their IP addresses defined in the network address translation table are accessible. The NAT interface drops packets addressed to hosts that do not have an address mapping entry in the table. Similarly, to allow private hosts access to the public network using the static only mode, each private host must have its private IP address mapped to a unique public IP address in the network address translation table.
IMPORTANT: When NAT runs in dynamic only mode, a single public IP address and a random port number are assigned to multiple private hosts. When NAT runs in static only mode, all address mappings must be unique. A public address in the network address translation table cannot be mapped to more than one private host.
The combination static and dynamic mode is used if some hosts on your network require dynamic address translation and other hosts require static address translation. For example, your private network might have hosts that you want to access the Internet and might also have resources that you want to be accessed by public hosts. With the combined static and dynamic mode, you can use both methods simultaneously.
To use static and dynamic mode, one public address must be configured for dynamic translations and one public address must be configured for each private host. Because the static and dynamic mode requires more than one public address bound to the same NAT interface, secondary IP addresses (multihoming) must be configured.
Configure the NAT-enabled interface for multihoming as described in the Novell IP Gateway and NAT online documentation. For a brief description of multihoming, refer to Using Multihoming.
IMPORTANT: When secondary IP addresses are bound to the NAT interface and the static and dynamic mode of operation is selected, the NAT interface automatically uses the primary IP address for dynamic mode. Secondary IP addresses should be mapped to private host IP addresses in the static network address translation table.
The following are examples of dynamic and static modes of NAT operation.
The following figure shows an application of NAT in dynamic only mode. In the figure, the host on the private network uses the class A address 10.33.96.5. The router's NAT interface to the public network has been configured with the class C address 201.44.53.7. This class C address is globally unique and registered with the Internet Assigned Numbers Authority (IANA) or another Internet registry located outside the United States.
When the host with private address 10.33.96.5 wants to access a host on the Internet with the public address 198.76.28.4, it sends packets to its primary router. The router has a default route configured on the WAN interface, so packets are forwarded to the WAN interface. NAT running on the interface then translates the source address 10.33.96.5 in the IP header to its own globally unique address 201.44.53.7 and assigns a new source port before the packets are forwarded. Similarly, all replying inbound IP packets undergo the reverse address and port translation.
IMPORTANT: The NAT-enabled interface should be configured so that it never uses the Routing Information Protocol (RIP) to advertise the private networks to the public backbone.
Figure 7
Dynamic Mode Implementation of NAT
The above figure shows an application of NAT in static only mode. In this case, NAT is configured to allow hosts on the public network to access two UNIX hosts on the private network. The private addresses of the hosts are 10.33.96.10 and 10.33.96.30. The network address translation table is configured to translate these private addresses to the public IP addresses 198.76.28.11 and 198.76.28.31, respectively.
When NAT is configured in this way and packets from public hosts with a destination address of either 198.76.28.11 or 198.76.28.31 are received by the NAT-enabled interface on the NetWare router, NAT substitutes the destination address of the packets with the appropriate private address and forwards the packets to the private hosts. Reply packets from the private hosts to public hosts undergo the reverse address translation. In this way, hosts on the public network can access specific resources on the private network, but access is limited to only those resources that have their private addresses configured in the network address translation table. A private host whose address is mapped to a public address in the network address translation table can also access any public host.
NOTE: When NAT is used in static mode with a multiaccess configuration, the public router must have a static host route for each address pair defined in the NAT static mapping table. If NAT is used with a numbered point-to-point configuration, you are not required to configure static host routes.
IMPORTANT: The NAT-enabled interface should be configured so that it never uses the Routing Information Protocol (RIP) to advertise the private networks to the public backbone.
Figure 8
Static Mode Implementation of NAT
The types of packets that the NAT interface filters are largely determined by the mode in which NAT is operating. The NAT mode is set using the Status parameter. There are four possible settings for this parameter: Disabled, Dynamic Only, Static and Dynamic, and Static Only. For more information about how to configure NAT parameters, refer to the Novell IP Gateway and NAT online documentation.
If a NAT-enabled interface is configured for Disabled, all incoming and outgoing packets are passed without any modifications to either the source or destination IP address or port. This is the default setting.
If a NAT-enabled interface is configured for Dynamic Only, the filtering rules are as follows:
NOTE: NAT translates any outbound packets that pass through the interface. If a private network has both registered and unregistered IP addresses, the registered IP addresses are translated to the registered address configured for the NAT interface.
If a NAT-enabled interface is configured for Static and Dynamic, the filtering rules are as follows:
If a NAT-enabled interface is configured for Static Only, the filtering rules are as follows:
NOTE: By configuring filters for a NAT-enabled interface, a secure static translation can be created by allowing only specified services, hosts, or networks access from the public network.
For more information about configuring filters, refer to the packet filtering online documentation.
Consider the following when you configure address translation mappings in a static network address translation table:
To determine which IP address to assign to private hosts when NAT is used, use the guidelines in RFC 1918. In summary, RFC 1918 explains that the Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of IP space for private internets:
10.0.0.0 to 10.255.255.255 (10/8 prefix)
172.16.0.0 to 172.31.255.255 (172.16/12 prefix)
192.168.0.0 to 192.168.255.255 (192.168/16 prefix)
The first block is referred to as a 24-bit block, the second block as a 20-bit block, and the third block as a 16-bit block. Note that the first block is a single class A network number, the second block is a set of 16 contiguous class B network numbers, and the third block is a set of 256 contiguous class C network numbers. Because the backbone routers of the Internet have filters that prevent them from forwarding packets to these network addresses, using the addresses offers additional protection for private hosts hidden by the Novell IP Gateway or NAT in the event that the gateway, NAT, or firewall malfunctions or is configured incorrectly. However, the routers used by some ISPs might not have filters for these addresses, thereby allowing access to your private hosts by any IP hosts outside your network that use the same ISP.
An enterprise can use the network numbers of the address space described in RFC 1918 without any coordination with IANA or an Internet registry. Therefore, the network numbers can be used by many enterprises. Addresses within this private address space must be unique within the enterprise, or within the set of enterprises that choose to share the address space in order to communicate with each other using their private internetwork.
Multihoming describes the condition when multiple IP addresses on the same network are bound to a single network interface. IP addresses other than the first address bound to the network interface are referred to as secondary IP addresses.
The most common use of secondary IP addresses on the same network interface is for a single Web server to operate as though it were several Web servers. A different secondary IP address can point to a different Web page on the same Web server, depending on the DNS domain name that is used to reach the server.
Multihoming is commonly used with NAT running in static mode, proxy services, and Virtual Private Networks (VPNs). In all cases, the secondary IP addresses are configured on a network interface that already has a primary IP address bound to it.
When multiple interfaces are configured on a server, the secondary address is associated with the interface that has the same network address bound to it, that is, the network portions of the two IP addresses match. If you attempt to configure a secondary address that is not valid on any of the networks bound to existing interfaces, the address is rejected and an error message appears on the server console.
When multihoming is used with NAT, proxy services, or VPNs, the secondary addresses must be configured manually, as described in the Novell IP Gateway and NAT online documentation.
NAT has the following limitations: