Network Address Translation (NAT) has two main applications:

• NAT can be used to allow IP hosts on your private network that do not have globally unique registered addresses to access the Internet.
• NAT can be used to limit the access of IP hosts on the public network to resources on your private network.

To access the Internet, a host must have a globally unique address assigned by the Internet Assigned Numbers Authority (IANA) or other Internet registry. However, because of the depletion of registered IP addresses, it might be impractical to reassign globally unique IP addresses to all the systems on your private network. NAT solves this problem by automatically reassigning a globally unique address to any host that accesses the Internet through a particular router interface. NAT enables the hosts on your private network to access the Internet even if their IP addresses are not globally unique.

NAT can also be used to limit the access of hosts on the public network to resources on your private network. By configuring NAT to translate addresses for only the private hosts that you want to be accessed by hosts outside your private network, you can deny access to all other resources on your network.

Although NAT is most often used to provide access to the Internet, it can also be used within a private network to isolate or protect certain systems from the rest of the private network. For example, NAT can be used to limit the access the overall company has to critical resources, or it can be used to protect the confidentiality of the resources of the finance or personnel departments from general access.

Modes of Operation

NAT can be configured to operate in one of three modes: dynamic only, static only, and a combination of dynamic and static. Dynamic mode is used to allow hosts on your private network to access the public network. Static mode is used to allow hosts on the public network to access selected resources on your private network or is used to allow certain private hosts to access public hosts. The combination mode is used when both dynamic mode and static mode functions are needed.

In dynamic mode, hosts accessing the Internet are dynamically assigned the IP address used by NAT and a port from a pool of available ports that are constantly reused. Each time a packet is forwarded to the public network, the private address is replaced with the globally unique public address and randomly assigned port. When the session is completed, the port is returned to the pool to be reassigned when needed. No connections can be initiated from the public network into your private network. To use dynamic mode, the NAT interface must be configured with one public address.

NAT provides a pool of 5,000 ports for TCP connections, a pool of 5,000 ports for UDP mappings, and a pool of 5,000 ports for ICMP mappings. To establish a new conversation when all 5,000 UDP or ICMP mappings are being used, NAT drops the oldest mapping and provides a port number to the new mapping. To establish a new TCP connection when all 5,000 connections are being used, NAT provides a port number to the new connection by dropping the oldest connection that meets the following criteria in the order shown:

• Any connection that has had no packets for more than eight hours
• Any connection that has been trying to connect for two minutes but has been unable to connect (that is, the three-way TCP handshake has not been completed)

In static mode, NAT is configured with a table of IP address pairs. Each table entry contains a pair of IP addresses for each host that public hosts are permitted to access. The first IP address in each pair is a public IP address to which the private address is mapped; the second address is the address of the host on your private network. Because public hosts can access private hosts only by using the public IP address, public hosts can access only those hosts that have their IP addresses defined in this network address translation table. In addition, once a private IP host has an entry configured in the network address translation table, it has full access to public IP hosts. To use static mode, one public IP address must be configured for each private host.

NAT can be configured to operate simultaneously in both dynamic and static mode. This combination mode is used when your private network has hosts that want to access the Internet and has resources that you want to be accessed by public hosts. To use dynamic and static mode, one public address must be configured for dynamic translations and one public address must be configured for each private host.

Implementations

In addition to translating IP addresses, NAT has the following advantages:

• In dynamic mode, NAT enables you to access the Internet without having to obtain and reassign globally unique IP addresses for every system on your private network.
• NAT enhances the level of security of your private network by hiding its private addresses.
• In dynamic mode, NAT permits a large number of users access to the Internet using just one network address because a different port number is used for each user that is connected to the Internet.
• NAT acts as a filter, allowing only certain outbound and inbound connections. The type of filtering that occurs is determined by whether NAT is configured to operate in dynamic or static mode. For more information about the rules that apply to NAT filtering, refer to "Filtering Rules.”
• NAT provides the functionality of a proxy server without the extra administrative overhead and without the need for special client software.

Figure 2-22 shows an application of NAT in dynamic mode. In Figure 2-22, the host on the private network uses the class A address 10.33.96.5. The router's NAT interface to the public network has been configured with the class C address 201.44.53.7. This class C address is globally unique and is registered with the IANA.

When the host with private address 10.33.96.5 wants to access a host on the Internet with the public address 198.76.28.4, it sends packets to its primary router. The router has a default route configured on the WAN interface, so packets are forwarded to the WAN interface. NAT then translates the source address 10.33.96.5 in the IP header with the globally unique address 201.44.53.7 and a new source port before packets are forwarded. Similarly, IP packets on the return path undergo the reverse address and port translation.

The NAT-enabled interface should be configured so that it never uses RIP to advertise the private networks to the public backbone.

Figure 2-22.
Dynamic Mode Implementation of NAT

Figure 2-23 shows an application of NAT in static mode. In this case, NAT is configured to allow hosts on the public network to access two UNIX hosts on the private network. The private addresses of the hosts are 10.33.96.10 and 10.33.96.30. The network address translation table is configured to translate these private addresses to the public IP addresses 198.76.28.11 and 198.76.28.31, respectively. To configure more than one public address in the network address translation table, you must configure the NAT-enabled interface using multihoming as described in Novell Internet Access Server 4.1 Routing Configuration.

When NAT is configured in this way and packets from public hosts with a destination address of either 198.76.28.11 or 198.76.28.31 are received by the NetWare router on a NAT-enabled interface, NAT substitutes the destination address of the packets with the appropriate private address and forwards the packets to the private hosts. Reply packets from the hosts to public hosts have the reverse procedure performed on them. In this way, hosts on the public network can access specific resources on the private network, but access is limited to only those resources that have their private addresses configured in the network address translation table. The private hosts configured in the network address translation table can also access any public host.

The NAT-enabled interface should be configured so that it never uses RIP to advertise the private networks to the public backbone.

NOTE: When NAT is used in static mode with a multiaccess configuration, the public router must have a static host route for each address pair defined in the NAT static mapping table. If NAT is used with a numbered point-to-point configuration, you are not required to configure static host routes.

Figure 2-23.
Static Mode Implementation of NAT

Limitations

NAT has the following limitations:

• NAT is not supported for most applications that embed the IP address in the data of the packet. However, NAT performs special processing to allow FTP to function properly. For more information about this limitation, refer to RFC 1631.
• Multicast and broadcast packets are not translated.
• The private and public address of each address pair configured in the network address translation table cannot be set to the same IP address unless the public address is used to access local services on the router running NAT. Examples of local services include an FTP server and a World Wide Web server.
• NAT cannot be enabled on two LAN or WAN interfaces that can be used to reach the same private host if that host is configured in the network address translation table.
• NAT-enabled WAN interfaces must be configured with WAN Network Mode set to Numbered Point-to-Point or Multiaccess.
• The router must be configured with IP Forwarding set to Yes.
• If Remote Router Will Dynamically Assign the IP Address is set to Yes and the assigned address is subject to change, only dynamic mode is practical.

Using Unregistered IP Addresses with NAT

To determine which IP address to assign to private hosts when NAT is used, use the guidelines in RFC 1918. In summary, RFC 1918 explains that the Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of IP space for private internets:

10.0.0.0 to 10.255.255.255 (10/8 prefix)
172.16.0.0 to 172.31.255.255 (172.16/12 prefix)
192.168.0.0 to 192.168.255.255 (192.168/16 prefix)

The first block is referred to as a 24-bit block, the second block as a 20-bit block, and the third block as a 16-bit block. Note that the first block is a single class A network number, whereas the second block is a set of 16 contiguous class B network numbers and the third block is a set of 256 contiguous class C network numbers. Because the backbone routers of the Internet have filters that prevent them from forwarding packets to these network addresses, using the addresses offers additional protection for private hosts hidden by the Novell IP Gateway or NAT in the event that the gateway, NAT, or firewall malfunctions. However, the routers used by some ISPs might not have filters for these addresses, thereby allowing access to your private hosts by any IP hosts that use the same ISP.

An enterprise can use the network numbers of the address space described in RFC 1918 without any coordination with IANA or an Internet registry. Therefore, the network numbers can be used by many enterprises. Addresses within this private address space must be unique within the enterprise, or within the set of enterprises that choose to share the address space in order to communicate with each other using their own private internet.

Filtering Rules

The types of packets that NAT filters is largely determined by the mode in which it is operating. The NAT mode is set using the Status parameter. There are four possible settings for this parameter: Disabled, Dynamic Only, Static Only, and Dynamic and Static. For more information about how to configure NAT parameters, refer to Novell Internet Access Server 4.1 Routing Configuration.

If a NAT-enabled interface is configured for Disabled, all incoming and outgoing packets are passed without any modifications to either the source or destination IP address or port. This is the default setting.

If a NAT-enabled interface is configured for Dynamic Only, the filtering rules are as follows:

• Packets that originate from the private network or services running on the Novell Internet Access Server 4.1 system have their source address and port translated and are forwarded to the destination address.
• Inbound ICMP packets of types 0, 3, 4, 8, 11, 12, 17, and 18 are allowed access. All other types of ICMP packets, including ICMP redirect (type 5), are dropped. Inbound ping request (ICMP echo) packets are answered by NAT when requests are addressed to the NAT interface IP address.
• Packets that originate from the public network and that do not correspond to requests that originated from the private network are dropped.

NOTE: NAT translates any outbound packets that pass through the interface. For a private network that has both registered and unregistered IP addresses, the registered IP addresses are translated to the registered address configured for the NAT interface.

If a NAT-enabled interface is configured for Static Only, the filtering rules are as follows:

• Only packets received from the public network with a destination address that matches one of the public addresses configured in the network address translation table are allowed access.
• Only the private hosts defined in the network address translation table are allowed access to the public network. Any packets from other private hosts are dropped.
• Packets that originate from the public network and that are not destined to any public addresses configured in the network address translation table are dropped.

NOTE: By configuring filters for a NAT-enabled interface, a secure static translation can be created by allowing only specified services, hosts, or networks access from the public network. For more information about configuring filters, refer to Novell Internet Access Server 4.1 Routing Configuration.

If a NAT-enabled interface is configured for Dynamic and Static, the filtering rules are as follows:

• Inbound packets that are not destined for one of the public addresses configured in the network address translation table or that are not translatable are dropped. Untranslatable packets are those that cannot be matched with an existing outbound dynamic flow.
• Outbound packets from any private hosts are translated. Packets from configured static private hosts are treated according to the rules for static mode, and all other packets are treated according to the rules for dynamic mode.

Deciding Whether to Use NAT or the Novell IP Gateway to Access the Internet

Using NAT to access the Internet has several advantages compared to using the Novell IP Gateway to access the Internet. Novell IP Gateway requires that special client software is installed on the hosts; NAT does not require special client software. The Novell IP Gateway can be used by Windows 3.1 and Windows 95 hosts only; NAT can be used by hosts on any platform, including Macintosh*, UNIX*, OS/2*, and Windows NT*. NAT also operates faster than the Novell IP Gateway because NAT operates at the Network layer whereas the Novell IP Gateway operates at the Session layer. However, the Novell IP Gateway has the advantage of using Novell Directory Services (NDS) and Access Control to limit connectivity to the Internet.