NAT Issues
Chapter 5 covered the various forms of NAT and their implementation on routers. NAT is also used on PIX firewalls, as covered in Chapters 17, 18, and 19. NAT is the process of rewriting the IP header of a packet so that the local (inside) source address of an internal host is replaced by a globally routable address. In some cases, the destination address is modified as well. This rewriting is performed by a NAT device, usually at the network perimeter. The NAT device maintains a table of the active translations, which allows returning packets to be delivered to the correct internal address.
Static NAT uses permanent, one-to-one address translations. It is typically reserved for devices that must be reachable from the outside, such as shared servers. Dynamic NAT uses temporary translations, assigned from a pool of global addresses, to let inside hosts, often configured with private IP addresses, borrow a global address while they communicate with the outside world. While dynamic NAT works well, it can require a large number of global addresses, often at a monthly cost, to serve a large population of inside hosts that each need a global ("real") address at the same time.
Port Address Translation (PAT) allows many inside hosts to connect to the outside, or to use the Internet as a vehicle to reach a corporate network, while sharing a single global IP address. This one-to-many translation works because the NAT/PAT device assigns each session a unique source port on the shared address and uses that port, rather than the address alone, to tell the sessions apart on the return path. The problem is that IPSec does not survive PAT: ESP (IP protocol 50) and AH (IP protocol 51) carry no TCP or UDP port for the PAT device to rewrite (ESP encrypts the transport header, so the ports PAT relies on are not even visible), and AH's integrity check also covers the source address, so any rewrite of it causes the peer to reject the packet. The next few sections explore Cisco's solutions to this problem.
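The following is an added illustration of the three translation styles above and of why PAT has nothing to work with for IPSec traffic. It is a toy translator written for this page, not Cisco IOS or PIX code; the packet format, the inside (10.1.1.0/24) and global (203.0.113.0/24, 198.51.100.0/24) addresses, the port range starting at 1024, and the AH integrity check (modelled here as an HMAC over the source and destination addresses and payload) are all assumptions of the example.

```python
"""Toy NAT/PAT translator (added example, not the book's or Cisco's code).

A packet is a dict with src, dst, proto ("tcp"/"udp"/"esp"/"ah"), sport and
dport; protocols without a transport-layer port use None for the ports.
All addresses are constructed sample values.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Translator:
    static: dict = field(default_factory=dict)     # inside -> global, permanent one-to-one
    pool: list = field(default_factory=list)       # spare globals for dynamic NAT
    pat_global: Optional[str] = None               # single global shared by PAT sessions
    dynamic: dict = field(default_factory=dict)    # inside -> global, temporary one-to-one
    pat_table: dict = field(default_factory=dict)  # (inside, sport, proto) -> global port
    next_port: int = 1024                          # assumed first port handed out by PAT

    def outbound(self, pkt):
        """Rewrite the source of an inside->outside packet and record the translation."""
        src = pkt["src"]
        if src in self.static:                     # static NAT: fixed mapping
            return {**pkt, "src": self.static[src]}
        if src in self.dynamic:                    # dynamic NAT: reuse the live mapping
            return {**pkt, "src": self.dynamic[src]}
        if self.pool:                              # dynamic NAT: borrow a pool address
            self.dynamic[src] = self.pool.pop(0)
            return {**pkt, "src": self.dynamic[src]}
        if self.pat_global is not None:            # PAT: overload the single global address
            if pkt["sport"] is None:
                # ESP/AH carry no port, so there is no per-session key to overload on
                raise ValueError(f"PAT cannot overload {pkt['proto']}: no transport port")
            key = (src, pkt["sport"], pkt["proto"])
            if key not in self.pat_table:
                self.pat_table[key] = self.next_port
                self.next_port += 1
            return {**pkt, "src": self.pat_global, "sport": self.pat_table[key]}
        raise ValueError("no global address available")

    def inbound(self, pkt):
        """Use the translation table to restore the inside destination of a returning packet."""
        for inside, glob in {**self.static, **self.dynamic}.items():
            if glob == pkt["dst"]:
                return {**pkt, "dst": inside}
        if pkt["dst"] == self.pat_global:
            for (inside, sport, proto), gport in self.pat_table.items():
                if gport == pkt["dport"] and proto == pkt["proto"]:
                    return {**pkt, "dst": inside, "dport": sport}
        raise ValueError("no translation for returning packet")


def ah_icv(key: bytes, pkt) -> str:
    """Simplified AH integrity check value: covers the IP source address, so any
    NAT rewrite (even a static one-to-one mapping) breaks it. Toy model, not real AH."""
    data = f"{pkt['src']}|{pkt['dst']}|{pkt['proto']}|{pkt.get('payload', '')}".encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def ah_verify(key: bytes, pkt, icv: str) -> bool:
    return hmac.compare_digest(ah_icv(key, pkt), icv)


if __name__ == "__main__":
    t = Translator(static={"10.1.1.10": "203.0.113.10"},
                   pool=["203.0.113.20"], pat_global="203.0.113.1")
    web = {"dst": "198.51.100.5", "proto": "tcp", "dport": 80}
    print(t.outbound({**web, "src": "10.1.1.10", "sport": 5000}))   # static
    print(t.outbound({**web, "src": "10.1.1.20", "sport": 40000}))  # takes the pool address
    print(t.outbound({**web, "src": "10.1.1.30", "sport": 40000}))  # PAT, port 1024
    print(t.outbound({**web, "src": "10.1.1.40", "sport": 40000}))  # PAT, port 1025
    print(t.inbound({"src": "198.51.100.5", "dst": "203.0.113.1",
                     "proto": "tcp", "sport": 80, "dport": 1025}))   # back to 10.1.1.40
    try:
        t.outbound({"src": "10.1.1.50", "dst": "198.51.100.9", "proto": "esp",
                    "sport": None, "dport": None})
    except ValueError as e:
        print("IPSec through PAT:", e)
```

Two inside hosts both using source port 40000 are kept apart only because the PAT device rewrote their ports to 1024 and 1025; the ESP packet has no such field, so the translator has no key to build a table entry from. The AH helper makes the second failure mode explicit: compute the ICV on the original packet, pass it through even a static one-to-one translation, and the peer's verification fails because the source address it signs has changed.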