Dynamic Network Address Translation (Part 2)
Introduction
Now that you understand the basic idea of Dynamic Network Address Translation, we're going to take a closer look at the packets as they traverse the Dynamic NAT enabled device, which can be a router, a firewall appliance or even a PC running special software!

Don't be too troubled about what's to follow, it's really simple and neat to know, so let's get right into it!
How NAT translations take place
Most of the rules that apply for Static NAT (which we've already covered) also apply for Dynamic NAT, and there are very few changes between the two, making it very easy to understand and digest :)

The actual process remains the same no matter which device we use, e.g. a firewall appliance, a Linux gateway, a router etc.
Because we don't want to get confused by using a different example, we'll stick to the previous page's network between Dynasoft and its contractor, Datapro, but we're now focusing on Datapro's internal network to learn how the router between its two internal networks (192.168.50.0 and 192.168.100.0) will deal with the Dynamic NAT required in order for the new network to gain access to Dynasoft's development network:
Even though the diagram explains everything, I'm just going to point out a few important things about the Dynamic NAT router. It's very important that you understand that the IP Addresses in the router's pool are reserved addresses from the 192.168.50.0 network - this means that no device or host on that network, apart from the router itself, is allowed to use them.
The dynamic mapping that is created will be in place only for that particular session, meaning that once the workstation in the new network finishes its work on the Dynasoft network, or doesn't send any packets across the Dynamic NAT router within a given time period, the router will clear the dynamic mapping and make the IP Address available to the next host or workstation that needs it.
The timeout period is different for each transport protocol (TCP/UDP) and NAT device. The ability to modify these timeouts depends entirely on the NAT device being used. As always, the RFCs give some guidelines for these values but not all vendors follow them :) You will find more interesting information about this subject in the NAT advanced section.

So, after getting all that out of the way, it's now time to have a closer look at the packets as they traverse the router to either network:
Once it is determined that this packet must traverse the router, an IP Address is picked from the available pool and used to map IP Address 192.168.100.5. These entries are then stored within the router's RAM (the NAT table). As you can see, the source port, destination port and destination IP are never modified on outgoing packets.

The router then sends the packet on to the 192.168.50.0 network and, after a few milliseconds, receives the reply that our workstation on network 192.168.100.0 is waiting for:
The router finds an entry within its NAT mapping table (don't forget this table is stored in the router's RAM), replaces destination IP 192.168.50.200 with destination IP 192.168.100.5 and then forwards the packet to the new network. The source port, destination port and source IP are not modified.

In case you're wondering why the ports have changed in comparison to the original outgoing packet, this is not because of NAT but because of the way IP communications work, and it happens to be way out of the scope of this page.
One important small detail I should bring to your attention is how the reply packet managed to arrive at the router's interface, which is on the existing network. You should know that to the existing Datapro network, the router is like a host with multiple IP Addresses.

I explained how the router maps IP Addresses on the existing network to the new network, but if someone on the existing network tried to send an ARP request for 192.168.50.200, the router would immediately answer with its own MAC address. This is done to ensure that all traffic intended for workstations on the new network finds its way there. The same principle would apply no matter which NAT mode we used.
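To make the three mechanisms above concrete (the per-session mapping with its idle timeout, the outbound/inbound rewriting in which only one IP address changes, and the router answering ARP for its pool addresses), here is a small simulation of a Dynamic NAT router's table. It is an added example written for this page, not code from the original article or from any router or firewall vendor. The `Packet` dataclass, the `DynamicNAT` class, the router MAC address, the pool of two addresses and the TCP/UDP timeout values are all constructed assumptions for the example; real devices use their own timeouts, as the page notes.

```python
"""Dynamic NAT table simulation (constructed example for this page).

Pool addresses are reserved from the existing 192.168.50.0 network.
Each inside host (192.168.100.x) sending traffic across the router is
mapped to a free pool address for the life of its session; replies are
looked up in the NAT table and have only their destination IP rewritten;
a mapping expires after a per-protocol idle timeout and its pool address
is handed back for the next host.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class DynamicNAT:
    # Idle timeouts in seconds. Assumed values for the example only;
    # the real values depend on the NAT device and protocol.
    TIMEOUTS = {"tcp": 86400, "udp": 300}

    def __init__(self, pool, inside_prefix, router_mac):
        self.pool = set(pool)            # all reserved pool addresses
        self.free = list(pool)           # pool addresses not mapped right now
        self.table = {}                  # inside IP -> (pool IP, proto, last_seen)
        self.by_pool = {}                # pool IP -> inside IP (reverse lookup)
        self.inside_prefix = inside_prefix
        self.router_mac = router_mac

    def _expire(self, now):
        """Clear mappings idle longer than their protocol's timeout."""
        for inside, (pool_ip, proto, last) in list(self.table.items()):
            if now - last > self.TIMEOUTS[proto]:
                del self.table[inside]
                del self.by_pool[pool_ip]
                self.free.append(pool_ip)   # address available to the next host

    def outbound(self, pkt, now):
        """New network -> existing network: only the source IP is rewritten.

        Returns the translated packet, the untouched packet if it did not
        come from the inside network, or None if the pool is exhausted.
        """
        self._expire(now)
        if not pkt.src_ip.startswith(self.inside_prefix):
            return pkt
        if pkt.src_ip in self.table:
            pool_ip, _, _ = self.table[pkt.src_ip]
        else:
            if not self.free:
                return None              # no free pool address: cannot translate
            pool_ip = self.free.pop(0)
            self.by_pool[pool_ip] = pkt.src_ip
        # Simplification: the mapping remembers the protocol of the last
        # packet, and that protocol's timeout applies to the whole mapping.
        self.table[pkt.src_ip] = (pool_ip, pkt.proto, now)
        return replace(pkt, src_ip=pool_ip)

    def inbound(self, pkt, now):
        """Existing network -> new network: only the destination IP is rewritten.

        Returns None when no mapping exists for the destination address.
        """
        self._expire(now)
        inside = self.by_pool.get(pkt.dst_ip)
        if inside is None:
            return None
        pool_ip, proto, _ = self.table[inside]
        self.table[inside] = (pool_ip, proto, now)   # refresh the idle timer
        return replace(pkt, dst_ip=inside)

    def arp_reply(self, target_ip):
        """The router answers ARP for every pool address with its own MAC."""
        return self.router_mac if target_ip in self.pool else None


if __name__ == "__main__":
    nat = DynamicNAT(["192.168.50.200", "192.168.50.201"],
                     "192.168.100.", "00:11:22:33:44:55")
    out = nat.outbound(Packet("tcp", "192.168.100.5", 1025, "192.168.50.10", 80), now=0)
    print("outbound:", out)      # src becomes 192.168.50.200, ports/dst unchanged
    # The reply carries the ports swapped (source 80, destination 1025):
    # that is normal transport behaviour, not something NAT did.
    back = nat.inbound(Packet("tcp", "192.168.50.10", 80, "192.168.50.200", 1025), now=1)
    print("inbound: ", back)     # dst becomes 192.168.100.5, src/ports unchanged
    print("ARP for pool address ->", nat.arp_reply("192.168.50.200"))
```

Running the script walks through the exact exchange in the text: the workstation's packet leaves with pool address 192.168.50.200 as its source, the reply is matched on that address and delivered back to 192.168.100.5, and an ARP request for the pool address is answered with the router's MAC. The test below also exercises the two cases the prose only implies: what happens when every pool address is in use (the third host cannot be translated until a mapping expires) and how the idle timeout returns an address to the pool.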
To sum up all the above while trying to keep things simple, because sometimes no matter how much you analyse a diagram it can still confuse you, the next diagram is a summary of how the packets are modified as they traverse a Dynamic NAT device which, in our example, is a router:

It's very easy to see that the Source IP Address (192.168.100.5) is changed as the packet traverses the Dynamic NAT router to arrive at Datapro's existing network and then move on to Dynasoft's network, whereas the reply from Dynasoft's network will enter Datapro's existing network, traverse the Dynamic NAT router and have its Destination IP Address modified to 192.168.100.5, thus reaching the workstation it's intended for.
Believe it or not, we've come to the end of this page. The next page talks about NAT Overload, which is also known as Network Address Port Translation, Port Address Translation or IP Masquerade in the Linux/Unix world.