4.2 NAT Configuration Options and Limitations

This section describes the following configuration options:

4.2.1 Selecting a NAT Mode of Operation

NAT can be configured to operate in one of three modes: dynamic only, static only, and a combination of static and dynamic. Dynamic mode is used to allow hosts on your private network, or intranet, to access a public network, such as the Internet. Static mode is used to allow hosts on the public network to access selected hosts on your private network. The combination mode is used when both dynamic mode and static mode functions are required.

The following sections describe each NAT mode of operation and discuss the advantages of using each mode.

4.2.2 Dynamic Only

In dynamic only mode, NAT enables IP hosts on a private network to access the Internet without requiring an administrator to assign a globally unique IP address to each system. Instead, the NAT interface is configured with one public address, and private hosts can then access the Internet through the NAT interface.

Hosts accessing the Internet are dynamically assigned the IP address bound to the NAT interface and a port from a pool of available ports that are constantly reused. Each time a packet is forwarded to the public network, the private address is replaced with the globally unique public address and a randomly assigned port. When the session is completed, the port is returned to the pool to be reassigned as needed. No connections can be initiated from the public network into your private network.

All TCP, UDP, and ICMP packets have their source or destination address (depending on the direction) translated. The public address used for this translation is the primary IP address of the NAT interface, which is specified in the Local IP Address parameter.

NAT provides a pool of 5,000 ports for TCP connections, a pool of 5,000 ports for UDP mappings, and a pool of 5,000 ports for ICMP mappings. To establish a new connection when all 5,000 UDP or ICMP mappings are already used, NAT drops the oldest mapping and provides a port number to the new mapping. To establish a new TCP connection when all 5,000 connections are already used, NAT provides a port number to the new connection by dropping the oldest connection that meets the following criteria in the order shown:

  • Any connection that has not transmitted packets for more than eight hours

  • Any connection that has been attempting to connect for two minutes but has been unsuccessful (that is, the three-way TCP handshake has not been completed)
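The port pools and eviction order described above, as an added example (not BorderManager code): a small model of one per-protocol pool that reuses released ports first, drops the oldest UDP/ICMP mapping unconditionally when full, and for TCP applies the two criteria in the order listed. The starting port number, and the choice to refuse a new TCP mapping when no connection meets either criterion, are assumptions the page does not specify.

```python
from collections import OrderedDict

POOL_SIZE = 5000           # ports per protocol pool (TCP, UDP and ICMP), as the text states
IDLE_LIMIT = 8 * 3600      # TCP eviction rule 1: no packets for more than eight hours
HANDSHAKE_LIMIT = 120      # TCP eviction rule 2: handshake still incomplete after two minutes
BASE_PORT = 1024           # constructed: the page does not say which port numbers the pool uses

class NatPortPool:
    """One per-protocol port pool. Mappings are kept in insertion order, so the first entry is
    the oldest (constructed model, not the product's own code)."""
    def __init__(self, proto, size=POOL_SIZE):
        self.proto = proto
        self.free = list(range(BASE_PORT, BASE_PORT + size))   # sequential for clarity, not random
        self.mappings = OrderedDict()   # port -> {"start": t, "last": t, "established": bool}

    def _evict(self, now):
        """Free the oldest mapping the rules allow and return its port, or None if none qualifies."""
        if self.proto != "tcp":
            port, _ = self.mappings.popitem(last=False)        # UDP/ICMP: oldest goes, no conditions
            return port
        # TCP: criteria applied in the order the text lists them, oldest connection first
        for rule in (lambda m: now - m["last"] > IDLE_LIMIT,
                     lambda m: not m["established"] and now - m["start"] > HANDSHAKE_LIMIT):
            victim = next((p for p, m in self.mappings.items() if rule(m)), None)
            if victim is not None:
                del self.mappings[victim]
                return victim
        return None   # assumption: with no evictable TCP connection, the new one cannot be mapped

    def allocate(self, now, established=True):
        """Map a new session at time `now`; returns the assigned port or None."""
        port = self.free.pop(0) if self.free else self._evict(now)
        if port is None:
            return None
        self.mappings[port] = {"start": now, "last": now, "established": established}
        return port

    def activity(self, port, now, established=None):
        """Record a packet on an existing mapping (and, for TCP, completion of the handshake)."""
        m = self.mappings[port]
        m["last"] = now
        if established is not None:
            m["established"] = established

    def release(self, port):
        """Session finished: the port goes back to the pool for reuse."""
        del self.mappings[port]
        self.free.append(port)
```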

4.2.3 Static Only

Static only mode is used for permanent one-to-one mapping of public registered IP addresses to local IP addresses inside a private network. Static address translations are recommended when internal hosts, such as FTP servers or Web servers, are made available to the public network.

In static only mode, NAT is configured with a table of IP address pairs. Each table entry contains a pair of IP addresses for each host that public hosts are permitted to access. The first IP address in each pair is a public IP address to which the private address is mapped; the second address is the address of the host on your private network.

Because public hosts can access private hosts only by using the private hosts’ public IP addresses, only those hosts that have their IP addresses defined in the network address translation table are accessible. The NAT interface drops packets addressed to hosts that do not have an address mapping entry in the table. Similarly, to allow private hosts access to the public network using the static only mode, each private host must have its private IP address mapped to a unique public IP address in the network address translation table.

IMPORTANT: When NAT runs in dynamic only mode, a single public IP address and a random port number are assigned to multiple private hosts. When NAT runs in static only mode, all address mappings must be unique. A public address in the network address translation table cannot be mapped to more than one private host.

4.2.4 Static and Dynamic

The combination static and dynamic mode is used if some hosts on your network require dynamic address translation and other hosts require static address translation. For example, your private network might have hosts that you want to access the Internet and might also have resources that you want to be accessed by public hosts. With the combined static and dynamic mode, you can use both methods simultaneously.

To use static and dynamic mode, one public address must be configured for dynamic translations and one public address must be configured for each private host. Because the static and dynamic mode requires more than one public address bound to the same NAT interface, secondary IP addresses (multihoming) must be configured.

You must configure the NAT-enabled interface for multihoming. For more information, see Using Multihoming.

IMPORTANT: When secondary IP addresses are bound to the NAT interface and the static and dynamic mode of operation is selected, the NAT interface automatically uses the primary IP address for dynamic mode. Secondary IP addresses should be mapped to private host IP addresses in the static network address translation table.

4.2.5 Implementing NAT Modes of Operation

The following sections describe how to implement NAT modes of operation:

Dynamic Only Example

Figure 4-1 shows an application of NAT in dynamic only mode. In the figure, the host on the private network uses the class A address 10.33.96.5. The router’s NAT interface to the public network has been configured with the class C address 201.44.53.8. This class C address is globally unique and registered with the Internet Assigned Numbers Authority (IANA) or another Internet registry located outside the United States.

When the host with private address 10.33.96.5 wants to access a host on the Internet with the public address 198.76.28.4, it sends packets to its primary router. The router has a default route configured on the WAN interface, so packets are forwarded to the WAN interface. NAT running on the interface then translates the source address 10.33.96.5 in the IP header to its own globally unique address 201.44.53.8 and assigns a new source port before the packets are forwarded. Similarly, all replying inbound IP packets undergo the reverse address and port translation.

IMPORTANT: The NAT-enabled interface should be configured so that it never uses the Routing Information Protocol (RIP) to advertise the private networks to the public backbone.

Figure 4-1 Dynamic Mode Implementation of NAT

Static Only Example

Figure 4-2 shows an application of NAT in static only mode. In this case, NAT is configured to allow hosts on the public network to access two UNIX hosts on the private network. The private addresses of the hosts are 10.33.96.10 and 10.33.96.30. The network address translation table is configured to translate these private addresses to the public IP addresses 198.76.28.11 and 198.76.28.31, respectively.

When NAT is configured in this way and packets from public hosts with a destination address of either 198.76.28.11 or 198.76.28.31 are received by the NAT-enabled interface on the NetWare® router, NAT substitutes the destination address of the packets with the appropriate private address and forwards the packets to the private hosts. Reply packets from the private hosts to public hosts undergo the reverse address translation. In this way, hosts on the public network can access specific resources on the private network, but access is limited to only those resources that have their private addresses configured in the network address translation table. A private host whose address is mapped to a public address in the network address translation table can also access any public host.

When NAT is used in static mode with a multiaccess configuration, the public router must have a static host route for each address pair defined in the NAT static mapping table. If NAT is used with a numbered point-to-point configuration, you are not required to configure static host routes.

IMPORTANT: The NAT-enabled interface should be configured so that it never uses the Routing Information Protocol (RIP) to advertise the private networks to the public backbone.

Figure 4-2 Static Mode Implementation of NAT

Filtering Rules

The types of packets that the NAT interface filters are largely determined by the mode in which NAT is operating. The NAT mode is set using the Status parameter. There are four possible settings for this parameter: Disabled, Dynamic Only, Static and Dynamic, and Static Only. For more information on how to configure NAT parameters, see Novell BorderManager 3.9 Administration Guide.

Disabled

If a NAT-enabled interface is configured as Disabled, all incoming and outgoing packets are passed without any modifications to either the source or destination IP address or port. This is the default setting.

Dynamic Only

If a NAT-enabled interface is configured as Dynamic Only, the filtering rules are as follows:

  • Packets that originate from the private network or from services running on the NetWare server have the source address and port translated and are forwarded to the destination address.

  • Inbound ICMP packets of types 0, 3, 4, 8, 11, 12, 17, and 18 are allowed access. All other types of ICMP packets, including ICMP redirect (type 5), are dropped. Inbound ping request (ICMP echo) packets are answered by NAT when requests are addressed to the NAT interface IP address.

  • Packets that originate from the public network and do not correspond to requests that originated from the private network are dropped.

NOTE: NAT translates any outbound packets that pass through the interface. If a private network has both registered and unregistered IP addresses, the registered IP addresses are translated to the registered address configured for the NAT interface.

Static and Dynamic

If a NAT-enabled interface is configured as Static and Dynamic, the filtering rules are as follows:

  • Inbound packets that are not destined for one of the public addresses configured in the network address translation table or that are not translatable are dropped. Untranslatable packets are those that cannot be matched with an existing outbound dynamic flow.

  • Outbound packets from any private hosts are translated. Packets from configured static private hosts are treated according to the rules for static mode, and all other packets are treated according to the rules for dynamic mode.

Static Only

If a NAT-enabled interface is configured for Static Only, the filtering rules are as follows:

  • Only packets received from the public network with a destination address that matches one of the public addresses configured in the network address translation table are allowed to access the private network.

  • Only the private hosts whose addresses are specified in the network address translation table are allowed to access the public network. Any packets from other private hosts are dropped.

  • Packets that originate from the public network and that are not destined to any public addresses configured in the network address translation table are dropped.

NOTE: By configuring filters for a NAT-enabled interface, a secure static translation can be created by allowing only specified services, hosts, or networks access from the public network.

For more information about configuring filters, refer to the packet filtering online documentation.
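The filtering rules for the four Status settings above, as an added example (not product code): one decision function that, given the mode, the static table and the table of flows the private side has already opened, returns whether a packet is passed untouched, translated, answered by NAT itself, or dropped. Packet fields, the flow-table shape and the use of `dport` as the ICMP identifier are assumptions of this model; the page states no ICMP type rule for the Static and Dynamic or Static Only modes, so none is applied there.

```python
from dataclasses import dataclass

# ICMP types admitted from the public side in dynamic-only mode; redirect (type 5) is deliberately absent
ALLOWED_INBOUND_ICMP = {0, 3, 4, 8, 11, 12, 17, 18}

@dataclass
class Packet:
    direction: str        # "in" = arriving from the public network, "out" = leaving the private network
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    dport: int = 0        # destination port, or the mapped identifier for ICMP
    icmp_type: int = -1

def nat_decision(pkt, mode, static_table, dynamic_flows, nat_ip):
    """Return (action, address): action is 'forward', 'translate', 'answer' or 'drop'; address is the
    rewritten source (outbound) or destination (inbound). static_table maps public IP -> private IP;
    dynamic_flows maps (remote public IP, NAT port) -> private IP for sessions the private side opened.
    Constructed model of the rules in the text, not the product's code."""
    if mode == "Disabled":
        return ("forward", None)                          # nothing is rewritten
    public_for = {priv: pub for pub, priv in static_table.items()}
    if pkt.direction == "out":
        if mode == "Dynamic Only":
            return ("translate", nat_ip)                  # every outbound packet shares the interface address
        if mode == "Static Only" and pkt.src not in public_for:
            return ("drop", None)                         # unlisted private hosts may not leave
        # static hosts keep their table address; everything else shares the interface address
        return ("translate", public_for.get(pkt.src, nat_ip))
    # inbound from the public network
    flow_target = dynamic_flows.get((pkt.src, pkt.dport))
    if mode == "Dynamic Only":
        if pkt.proto == "icmp":
            if pkt.icmp_type not in ALLOWED_INBOUND_ICMP:
                return ("drop", None)
            if pkt.icmp_type == 8 and pkt.dst == nat_ip:
                return ("answer", nat_ip)                 # NAT itself answers pings to its address
        return ("translate", flow_target) if flow_target else ("drop", None)
    if mode == "Static Only":
        return ("translate", static_table[pkt.dst]) if pkt.dst in static_table else ("drop", None)
    if mode == "Static and Dynamic":
        if pkt.dst in static_table:
            return ("translate", static_table[pkt.dst])
        return ("translate", flow_target) if flow_target else ("drop", None)
    raise ValueError(f"unknown NAT Status value: {mode}")
```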

4.2.6 Considerations for Static Network Address Translation Tables

Consider the following when you configure address translation mappings in a static network address translation table:

  • When using NAT with packet filtering, you must modify the filters to account for the address translations configured in the network address translation table. Because filtering operations are performed before address translations, the inbound filters must permit untranslated addresses to reach the NAT interface and the outbound filters must permit translated addresses to be routed through the NAT interface.

  • When NAT is used in static mode with a multiaccess configuration, the public router must have a static host route for each address pair defined in the NAT static mapping table. If NAT is used with a numbered point-to-point configuration, you are not required to configure static host routes.

  • Although the private and public addresses of each static network address translation table entry technically cannot be the same IP address, one exception is required if other TCP/IP services are accessed from the public address bound to the NAT-enabled interface. For example, if the NAT interface’s public address is also used to access an FTP or Web server, the static network address translation table must have an entry with the public address mapped to itself.

  • If static mode is desired, NAT cannot be enabled on more than one LAN or WAN interface that reaches the same private host. For static network address translation, only one route per host is allowed.

  • Using static mode with a static network address translation table is not practical if the TCP/IP Bindings setting for Remote Router Will Dynamically Assign IP Address is set to Yes. This is because the assigned public address is subject to change. If this setting is configured in the INETCFG utility, only dynamic mode can be used.

4.2.7 Assigning Unregistered Addresses to Hosts Using NAT

To determine which IP address to assign to private hosts when NAT is used, use the guidelines in RFC 1918.

In summary, RFC 1918 explains that the Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of IP space for private Internets:

10.0.0.0 to 10.255.255.255 (10/8 prefix)
172.16.0.0 to 172.31.255.255 (172.16/12 prefix)
192.168.0.0 to 192.168.255.255 (192.168/16 prefix)

The first block is referred to as a 24-bit block, the second block as a 20-bit block, and the third block as a 16-bit block. Note that the first block is a single class A network number, the second block is a set of 16 contiguous class B network numbers, and the third block is a set of 256 contiguous class C network numbers. Because the backbone routers of the Internet have filters that prevent them from forwarding packets to these network addresses, using the addresses offers additional protection for private hosts hidden by the NAT in the event that the gateway, NAT, or firewall malfunctions or is configured incorrectly. However, the routers used by some ISPs might not have filters for these addresses, thereby allowing access to your private hosts by any IP hosts outside your network that use the same ISP.

An enterprise can use the network numbers of the address space described in RFC 1918 without any coordination with IANA or an Internet registry. Therefore, the network numbers can be used by many enterprises. Addresses within this private address space must be unique within the enterprise, or within the set of enterprises that choose to share the address space in order to communicate with each other using their private internetwork.
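A configuration check covering the static table rules of 4.2.6 (unique mappings, the self-mapping exception for the NAT interface address) and the RFC 1918 guidance of 4.2.7, as an added example that is not the product's own validation. The `serves_local_services` flag and the returned message strings are this example's own conventions; a registered address on the private side is reported as advisory only, since the text allows mixed private networks.

```python
import ipaddress

# The three RFC 1918 blocks listed in the text
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_private(addr):
    """True if addr falls inside one of the RFC 1918 blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def check_static_table(entries, nat_interface_ip, serves_local_services=False):
    """entries: list of (public, private) address pairs as they would appear in the static
    network address translation table. Returns a list of findings; an empty list means the
    table satisfies the rules described above (constructed checker, not product code)."""
    findings = []
    publics = [pub for pub, _ in entries]
    privates = [priv for _, priv in entries]
    # Rule: every public address maps to exactly one private host, and vice versa
    for pub in sorted(set(publics)):
        if publics.count(pub) > 1:
            findings.append(f"public {pub} is mapped to more than one private host")
    for priv in sorted(set(privates)):
        if privates.count(priv) > 1:
            findings.append(f"private {priv} is mapped to more than one public address")
    for pub, priv in entries:
        if pub == priv:
            # Only the NAT interface's own address may be mapped to itself
            if pub != nat_interface_ip:
                findings.append(f"{pub} is mapped to itself but is not the NAT interface address")
            continue
        if is_private(pub):
            findings.append(f"public side {pub} is an RFC 1918 address and is not routable on the Internet")
        if not is_private(priv):
            findings.append(f"advisory: private side {priv} is not taken from RFC 1918 space")
    # Rule: services reached on the interface address itself need the self-mapping entry
    if serves_local_services and (nat_interface_ip, nat_interface_ip) not in entries:
        findings.append(f"NAT interface {nat_interface_ip} serves FTP/Web but lacks the self-mapping entry")
    return findings
```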

4.2.8 Using Multihoming

Multihoming is when multiple IP addresses on the same network are bound to a single network interface. IP addresses other than the first address bound to the network interface are referred to as secondary IP addresses.

The most common use of secondary IP addresses on the same network interface is for a single Web server to operate as though it were several Web servers. A different secondary IP address can point to a different Web page on the same Web server, depending on the DNS domain name that is used to reach the server.

Multihoming is commonly used with NAT running in static mode, proxy services, and Virtual Private Networks (VPNs). In all cases, the secondary IP addresses are configured on a network interface that already has a primary IP address bound to it.

When multiple interfaces are configured on a server, the secondary address is associated with the interface that has the same network address bound to it; that is, the network portions of the two IP addresses match. If you attempt to configure a secondary address that is not valid on any of the networks bound to existing interfaces, the address is rejected and an error message appears on the server console.

When multihoming is used with NAT, proxy services, or VPNs, the secondary addresses must be configured manually. For more information, see Novell BorderManager 3.9 Administration Guide.

4.2.9 NAT Limitations

NAT has the following limitations:

  • Because different TCP/IP applications can embed and use IP addresses uniquely, NAT does not support applications that embed an IP address in the data portion of the TCP/IP packet. However, FTP is an exception to this rule. NAT performs special processing to allow FTP to function properly. For more information about this limitation, refer to RFC 1631.

  • Multicast and broadcast packets are not translated.