NAT Configurations
You can configure NAT in several different ways. Each method addresses a different set of requirements. These methods include:
Traditional NAT
Traditional NAT (sometimes called outbound NAT) is the most common method of using address translation. Its primary use is translating private addresses to globally routable (public) addresses for use in an external network. When configured for dynamic operation, hosts within the private network can initiate access to the external (public) network, but nodes on the outside network cannot initiate sessions to hosts in the private network; a translation entry exists only after an inside host has created it.
Addresses on the private network and public network must not overlap. Also, routing advertisements from the public network (for example, the Internet) may be propagated into the inside network, but the NAT router must not advertise routes that reference private addresses out to the public network.
Two types of traditional NAT exist — basic NAT and NAPT.
Basic NAT
Basic NAT provides translation for IP addresses only (called a "simple" translation) and places the mapping into a NAT table. In other words, for packets outbound from the private network, the NAT router translates the source IP address and related fields (for example, IP, TCP, UDP, and ICMP header checksums). For inbound packets, the NAT router translates the destination IP address (and related checksums) for entries that it finds in its translation table.
Caution: Although it is the simplest and most common form, basic NAT is the least secure translation method. Because the translation is defined only at the address level, any inbound packet addressed to a mapped public address is forwarded to the private host, whatever the destination port and whether or not that host ever sent traffic to the remote sender. While a dynamic entry exists, the private host is therefore reachable on every port from anywhere on the outside.
NAPT
Network Address Port Translation (NAPT) extends the level of translation beyond that of basic NAT; it modifies both the IP address and the transport identifier (for example, the TCP or UDP port number, or the ICMP query identifier) and places the mapping into the translation table (this entry is called an "extended" translation). This process multiplexes the transport identifiers and addresses of any number of private hosts onto the transport identifier space of a single external address, or of a small set of external addresses.
As with basic NAT, for outbound packets NAPT translates the source IP address, source transport identifier, and related checksum fields. For inbound packets, NAPT translates the destination IP address, destination transport identifier, and checksum fields, and only for packets that match an existing extended entry; an inbound packet with no matching entry is dropped.
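The following simulator, added here as an illustration and not taken from any vendor's code, contrasts the two translation tables just described. A private host opens a web session through each kind of NAT, then an unrelated outside host probes the mapped public address on port 22. The basic NAT table, keyed on address only, forwards the probe to the private host; the NAPT table, keyed on the whole session, has no matching extended entry and drops it. The addresses, ports and host names are constructed, and the strictness with which NAPT matches the remote endpoint is an assumption of this example (real devices vary), as noted in the code.

```python
"""Translation-table behaviour of basic NAT versus NAPT.

Constructed example written for this page; it is not vendor code.
Packets are tuples (src_ip, src_port, dst_ip, dst_port); "port" stands
for the transport identifier (TCP/UDP port or ICMP query ID). Checksum
recomputation, which a real NAT router also performs, is omitted.
"""
from collections import namedtuple

Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port")


class BasicNAT:
    """Address-only ("simple") translation: one public address per private host."""

    def __init__(self, pool):
        self.pool = list(pool)   # free public addresses
        self.table = {}          # private ip -> public ip

    def outbound(self, pkt):
        pub = self.table.get(pkt.src_ip)
        if pub is None:
            if not self.pool:
                return None      # pool exhausted: packet dropped
            pub = self.pool.pop(0)
            self.table[pkt.src_ip] = pub
        return pkt._replace(src_ip=pub)

    def inbound(self, pkt):
        # Only the destination address is consulted: any sender, any port.
        for priv, pub in self.table.items():
            if pub == pkt.dst_ip:
                return pkt._replace(dst_ip=priv)
        return None


class NAPT:
    """Extended translation keyed on the whole session.

    Assumption of this example: an inbound packet must also match the
    remote endpoint recorded at session creation. Real NAPT devices
    differ in how strictly they filter inbound packets.
    """

    def __init__(self, public_ip, first_port=1024):
        self.public_ip = public_ip
        self.next_port = first_port
        self.table = {}    # (priv ip, priv port, dst ip, dst port) -> public port
        self.reverse = {}  # (public port, remote ip, remote port) -> (priv ip, priv port)

    def outbound(self, pkt):
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        pub_port = self.table.get(key)
        if pub_port is None:
            pub_port = self.next_port
            self.next_port += 1
            self.table[key] = pub_port
            self.reverse[(pub_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return pkt._replace(src_ip=self.public_ip, src_port=pub_port)

    def inbound(self, pkt):
        entry = self.reverse.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if pkt.dst_ip != self.public_ip or entry is None:
            return None      # no extended entry: unsolicited packet dropped
        priv_ip, priv_port = entry
        return pkt._replace(dst_ip=priv_ip, dst_port=priv_port)


def demo():
    """10.0.0.5 opens a web session; later 198.51.100.7 probes the mapped address on port 22."""
    web = Packet("10.0.0.5", 40000, "203.0.113.10", 80)   # constructed traffic
    results = {}

    basic = BasicNAT(pool=["192.0.2.1", "192.0.2.2"])
    out = basic.outbound(web)
    reply = Packet(out.dst_ip, out.dst_port, out.src_ip, out.src_port)
    probe = Packet("198.51.100.7", 55555, out.src_ip, 22)
    results["basic_reply"] = basic.inbound(reply)   # legitimate return traffic
    results["basic_probe"] = basic.inbound(probe)   # also forwarded, to 10.0.0.5:22

    napt = NAPT("192.0.2.1")
    out = napt.outbound(web)
    reply = Packet(out.dst_ip, out.dst_port, out.src_ip, out.src_port)
    probe = Packet("198.51.100.7", 55555, out.src_ip, 22)
    results["napt_reply"] = napt.inbound(reply)     # matches the extended entry
    results["napt_probe"] = napt.inbound(probe)     # None: dropped
    return results


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:12s} -> {pkt}")
```

Running the module prints the four translated packets; the basic_probe line shows the port-22 probe arriving at 10.0.0.5, which is exactly the exposure the Caution above describes, while napt_probe is None.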
Bidirectional NAT
Bidirectional (or two-way) NAT uses traditional NAT in conjunction with the Domain Name System - Application Level Gateway (DNS-ALG). When using bidirectional NAT, hosts can initiate sessions from both the private network and the public network.
The translation, installed as a result of a DNS lookup, maps private network addresses to globally unique addresses, statically or dynamically, as hosts establish connections in either direction. Hosts in the public network can access hosts in the private network by using DNS address resolution. This requires an end-to-end unique fully qualified domain name (FQDN) for each host. In other words, the NAT router intercepts DNS messages (using the DNS-ALG) and assigns a global address through which the intended host can be reached.
When a public (outside) host initiates a session with a private host, the NAT router intercepts the packet and replaces the advertised public (destination) address with the host's actual private (inside) address. On the return path the NAT router replaces the private address (now the source) with the advertised public address.
Some additional configuration may be required to allow public access from the Internet to a DNS server that resides in the private domain (see Bidirectional NAT Example on page 4-17).
The same address space requirements and routing restrictions apply to bidirectional NAT as were described for traditional NAT. The difference between the two methods is that, with bidirectional NAT, a DNS exchange can create entries in the translation table, which is what allows sessions to be initiated from the outside.
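The sequence described in this section, as an added example that is not part of the original page or any vendor's implementation: an inside DNS server answers a query for an inside host, the DNS-ALG intercepts the answer, allocates a public address from a pool, installs the binding in the translation table and rewrites the A record, and only then can an outside host reach the inside host through that public address. DNS messages are modelled as plain dicts rather than wire format, and the inside prefix, pool addresses and the name www.example.test are constructed for the example. Setting the rewritten record's TTL to 0 is a design choice of this example, made so that an outside resolver does not cache a dynamic binding longer than the router keeps it.

```python
"""Bidirectional NAT: a DNS-ALG installs the translation that lets an
outside host reach an inside host.

Constructed example written for this page, not vendor code. DNS messages
are modelled as plain dicts, not wire format; the inside prefix, the pool
addresses and the name www.example.test are assumptions.
"""
import ipaddress


class DnsAlgNat:
    def __init__(self, inside_prefix, public_pool):
        self.inside = ipaddress.ip_network(inside_prefix)
        self.pool = list(public_pool)   # free globally unique addresses
        self.table = {}                 # private ip -> public ip

    def rewrite_response(self, response):
        """Intercept a DNS answer leaving the private network.

        Every A record pointing into the inside prefix gets a public address
        (a new one from the pool, or the existing binding), the binding is
        installed in the translation table, and the record is rewritten so
        the outside resolver only ever sees the public address. The TTL is
        set to 0 (a choice of this example) so a dynamic binding is not
        cached longer than the router keeps it.
        """
        answers = []
        for rr in response["answers"]:
            if rr["type"] != "A":
                answers.append(rr)      # not an address record: pass through
                continue
            addr = ipaddress.ip_address(rr["address"])
            if addr not in self.inside:
                answers.append(rr)      # already a public address: pass through
                continue
            pub = self.table.get(rr["address"])
            if pub is None:
                if not self.pool:
                    raise RuntimeError("public address pool exhausted")
                pub = self.pool.pop(0)
                self.table[rr["address"]] = pub
            answers.append({**rr, "address": pub, "ttl": 0})
        return {**response, "answers": answers}

    def inbound_destination(self, dst_ip):
        """Translate the destination of a packet arriving from the outside.

        Returns the private address if that public address was handed out
        by the ALG, else None: with no binding there is nothing to translate
        to, and the packet is dropped.
        """
        for priv, pub in self.table.items():
            if pub == dst_ip:
                return priv
        return None

    def outbound_source(self, src_ip):
        """Return path: the inside host's source becomes its advertised public address."""
        return self.table.get(src_ip)


def demo():
    alg = DnsAlgNat("10.0.0.0/24", ["192.0.2.7", "192.0.2.8"])
    # constructed answer from the inside DNS server
    response = {"question": "www.example.test",
                "answers": [{"type": "A", "address": "10.0.0.5", "ttl": 3600}]}
    outside_view = alg.rewrite_response(response)
    advertised = outside_view["answers"][0]["address"]   # 192.0.2.7
    reached = alg.inbound_destination(advertised)         # 10.0.0.5
    reply_src = alg.outbound_source(reached)              # 192.0.2.7
    blocked = alg.inbound_destination("192.0.2.8")        # None: never advertised
    alg.rewrite_response(response)                        # same name again: binding reused
    return outside_view, reached, reply_src, blocked, alg.pool


if __name__ == "__main__":
    print(demo())
```

Note that the second public address in the pool is unreachable from the outside until some DNS answer binds it: an outside host that guesses 192.0.2.8 gets nothing, because the router has no entry to translate to. The inside DNS server itself must still be reachable by the outside resolver for any of this to start, which is the additional configuration the next paragraph refers to.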
Twice NAT
In twice NAT, both the source and destination addresses are subject to translation as packets traverse the NAT router. For example, you would use twice NAT when connecting two networks in which some or all addresses in one network overlap with addresses in the other (whether the networks are private or public); because each side sees the other only through non-overlapping alias addresses, the NAT router must rewrite both addresses in each direction.
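The overlapping-network case, as an added example that is not part of the original page or of any vendor's implementation: two sites both use 10.1.1.0/24, so each site reaches the other through alias addresses (192.168.101.0/24 for inside hosts as seen from the outside, 192.168.102.0/24 for outside hosts as seen from the inside). The router rewrites the source and destination of every packet, and the example checks that a reply translated back on the return path is the exact mirror of the request. All prefixes and host addresses are constructed for the example.

```python
"""Twice NAT: both source and destination are translated, used here to
join two sites that both number their LAN 10.1.1.0/24.

Constructed example written for this page, not vendor code. The alias
prefixes and host addresses are assumptions. Static mappings only; port
handling and checksum recomputation are omitted.
"""
from collections import namedtuple

Packet = namedtuple("Packet", "src_ip dst_ip")


class TwiceNAT:
    def __init__(self, inside_aliases, outside_aliases):
        # inside_aliases:  real inside address  -> alias the outside uses for it
        # outside_aliases: real outside address -> alias the inside uses for it
        self.inside_aliases = dict(inside_aliases)
        self.outside_aliases = dict(outside_aliases)
        self.inside_by_alias = {v: k for k, v in self.inside_aliases.items()}
        self.outside_by_alias = {v: k for k, v in self.outside_aliases.items()}

    def inside_to_outside(self, pkt):
        """Source becomes the inside host's alias; destination alias becomes the real outside address."""
        src = self.inside_aliases.get(pkt.src_ip)
        dst = self.outside_by_alias.get(pkt.dst_ip)
        if src is None or dst is None:
            return None   # no configured pair: drop rather than leak an overlapping address
        return Packet(src, dst)

    def outside_to_inside(self, pkt):
        """Source becomes the outside host's alias; destination alias becomes the real inside address."""
        src = self.outside_aliases.get(pkt.src_ip)
        dst = self.inside_by_alias.get(pkt.dst_ip)
        if src is None or dst is None:
            return None
        return Packet(src, dst)


def demo():
    # Both sites have a host numbered 10.1.1.5; the aliases keep them apart.
    nat = TwiceNAT(inside_aliases={"10.1.1.5": "192.168.101.5"},
                   outside_aliases={"10.1.1.5": "192.168.102.5"})
    request = Packet("10.1.1.5", "192.168.102.5")    # inside host -> alias of remote host
    on_wire = nat.inside_to_outside(request)         # 192.168.101.5 -> 10.1.1.5 on the far side
    reply = Packet(on_wire.dst_ip, on_wire.src_ip)   # remote host answers its peer's alias
    back = nat.outside_to_inside(reply)              # 192.168.102.5 -> 10.1.1.5 on the near side
    consistent = back == Packet(request.dst_ip, request.src_ip)
    # Addressing the far site by its real 10.1.1.x numbers cannot work: that prefix is the
    # local LAN, and the router holds no alias entry for it, so nothing is translated.
    leaked = nat.inside_to_outside(Packet("10.1.1.5", "10.1.1.9"))
    return on_wire, back, consistent, leaked


if __name__ == "__main__":
    print(demo())
```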