What is NAT, for dummies. What is NAT on a router? Internet channel reservation from two providers using NAT and IP SLA

The rapid growth of the Internet, shortly after its appearance, brought about the problem of a shortage of addresses. Now this is partially solved by the introduction of the new IPv6 protocol, which will provide many times more available addresses for network nodes. But one protocol update is not enough. NAT technology was invented, which allowed hosts from a private network to connect to the Internet using just one external IP address. This makes scaling private LANs much easier when trying to connect them to the Internet. Now we will take a closer look at NAT technology.

How NAT works

For example, let's imagine that we have a local network of three workstations, and we have decided to connect it to the Internet. The provider allocated us one external IP address, which we must configure on our router. As a result, we get the following picture.

Our three computers are joined into a local network with addresses of the form 192.168.1.x.

This is how it will look:

  • Router - 192.168.1.1
  • Computer 1 - 192.168.1.2
  • Computer 2 - 192.168.1.3
  • Computer 3 - 192.168.1.4

If you are already familiar with the basics of local networks, you know that in the network card settings of our computers the "Default gateway" field must be set to 192.168.1.1. Thus, all requests that do not belong to our local network are sent to the router. Simply put, all requests to the Internet are forwarded to it.

As we have already noted, we have only one external IP address. This is where the fun begins: how can three computers with different IP addresses access the Internet through one external address?

This is where NAT technology comes to the rescue.

As you can see, all nodes within the network have addresses on the same subnet, which allows them to exchange data directly. If a request is sent to the Internet, it is forwarded to the internal interface of the router. Then, using NAT, the packets are slightly modified: their source address is replaced with the external IP address. After that, the packets go out to the Internet.

You probably already understand how network address translation works: with its help, all internal addresses are mapped to a single external address. This allows several computers to access the Internet simultaneously through a single external address.

What you should pay attention to here. First, it doesn't have to be just one external address. There may be several of them.

Secondly, the use of NAT technology imposes some restrictions related to blocking by IP. This manifests itself when trying to access a resource on which only one host can connect from one ip. In the event that someone from your network is already connected to it, you will not be able to establish a connection.

Terminology

To understand the principle of network address translation, let's go over the basic terms.

Static NAT

This is the first type of implementation of this technology.

Here the router translates each internal address into an external one according to pre-configured entries in its translation table. The mappings must be set up in advance when configuring the router.

Configuring on Cisco routers

  • Enter the settings of the interface that faces the inner part of the network and use the command ip nat inside
  • Then, for the external interface, use the command ip nat outside
  • Next, in global configuration mode, set the address correspondence manually with the command ip nat inside source static inside-local inside-global, where "inside-local" is the inside local address and "inside-global" is the inside global address

Dynamic NAT

This implementation is similar to static translation. The difference is that the address translation process is dynamic, based on previously configured parameters. There is no static mapping table; instead, translation entries are created at the moment packets are transmitted, provided that all configured parameters match.

To configure it, you need to define a pool of external addresses that will be used for translation, and define the set of internal addresses by creating an access list for them.

Customization

  • Set ip nat inside on the internal interfaces
  • Set ip nat outside on the external interface
  • Create an ACL listing the internal addresses that should participate in the translation
  • Create a pool of external addresses. In global configuration mode, use the command ip nat pool name first-address last-address netmask subnet-mask, where "name" is the name of the pool, "first-address" is the starting address, "last-address" is the last address and "subnet-mask" is the subnet mask
  • Enable dynamic NAT translation with ip nat inside source list acl-number pool pool-name, where "acl-number" is the previously created access control list and "pool-name" is the address pool.

PAT - port based translation

In any case, the number of available external addresses is limited. How to scale up a large local network even more in order to be able to access the Internet for all of its nodes? It is already clear that both static and dynamic NAT will require a large number of external addresses for this. But this option does not suit us.

This is where the third NAT implementation comes to the rescue: PAT, port-based translation. Its essence is that, in addition to the "address - address" mapping, an "address - port" mapping is added. Thus, the router can identify a connection not only by the IP address but also by a unique port number.

Since 16 bits are used for port numbering, more than 65 thousand connections can be active at the same time.

Customization

The entire configuration process is the same as for dynamic NAT. To enable PAT, add the overload keyword to the configuration command. As a result, it looks like this:

ip nat inside source list acl-number interface interface-name overload


Conclusion

The use of NAT technology allows you to implement Internet access for any local network. With this, you only need one external IP address. This is the most commonly used option - often providers offer just such tariffs for home users or small offices.


2^32, or 4,294,967,296, IPv4 addresses: is that a lot? It seems so. However, with the proliferation of personal computers and mobile devices and the rapid growth of the Internet, it soon became apparent that 4.3 billion IPv4 addresses would not be enough. The long-term solution was IPv6, but a faster solution to the address shortage was needed. That solution was NAT (Network Address Translation).

What is NAT

Networks are usually designed using private IP addresses: 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16. These private addresses are used internally by an organization or site so that devices can communicate locally, and they are not routed across the Internet. To allow a device with a private IPv4 address to reach devices and resources outside the local network, the private address must first be translated to a publicly routable address.

NAT does exactly that: it translates private addresses into public ones. This allows a device with a private IPv4 address to access resources outside its private network. NAT, in combination with private IPv4 addresses, has proven to be a useful method of conserving public IPv4 addresses. A single public IPv4 address can be shared by hundreds, even thousands, of devices, each with a private IPv4 address. NAT has the added benefit of providing a degree of privacy and security because it hides internal IPv4 addresses from external networks.

NAT-enabled routers can be configured with one or more valid public IPv4 addresses. These public addresses are called the NAT pool. When a device from the internal network sends traffic from the network to the outside, a NAT-enabled router translates the internal IPv4 address of the device to a public address from the NAT pool. To external devices, all traffic entering and leaving the network appears to have a public IPv4 address.

A NAT router usually runs at the border of a stub network. A stub network is one that has a single connection to a neighboring network: one entry into and one exit from the network.

When a device inside a Stub network wants to communicate with a device outside of its network, the packet is forwarded to the border router, and it performs the NAT process, translating the internal private address of the device to a public, external, routable address.

NAT terminology

In NAT terminology, an internal network is a collection of networks to be translated. Outside network refers to all other networks.

When using NAT, IPv4 addresses have different designations based on whether they are on a private network or on a public network (the Internet), and whether the traffic is inbound or outbound.

NAT includes four types of addresses:

  • Inside local address;
  • Inside global address;
  • Outside local address;
  • Outside global address;

When determining which type of address to use, it is important to remember that NAT terminology is always applied from the perspective of a device with a translated address:

  • Inside address - the address of the device that is translated by NAT;
  • Outside address - the address of the destination device;
  • Local address - any address that appears on the inside of the network;
  • Global address - any address that appears on the outside of the network;

Let's consider this using an example diagram.


In the figure, the PC has an inside local address of 192.168.1.5 and, from its point of view, the web server has an outside address of 208.141.17.4. When packets are sent from the PC to the global address of the web server, the inside local address of the PC is translated to 208.141.16.5 (inside global). The address of the external device is usually not translated, since it is already a public IPv4 address.

It is worth noting that the PC has different local and global addresses, while the web server has the same public IP address in both roles. From its point of view, traffic from the PC comes from the inside global address 208.141.16.5. The NAT router is the demarcation point between the internal and external networks and between local and global addresses.

The terms inside and outside are combined with the terms local and global to refer to specific addresses. In the figure, the router is configured to provide NAT and has a pool of public addresses to assign to internal hosts.

The figure shows how traffic from an internal PC to an external web server passes through the NAT-enabled router, and how the reply is translated in the opposite direction.


Inside local address is the source address as seen from the internal network. In the figure, the address 192.168.1.5 is assigned to the PC; this is its inside local address.

Inside global address is the source address as seen from the external network. In the figure, when traffic from the PC is sent to the web server at 208.141.17.4, the router translates the inside local address to the inside global address. In this case, the router changes the IPv4 source address from 192.168.1.5 to 208.141.16.5.

Outside global address is the destination address as seen from the external network. This is a globally routable IPv4 address assigned to a host on the Internet. In the diagram, the web server is reachable at 208.141.17.4. Most often, the outside local and outside global addresses are the same.

Outside local address is the destination address as seen from the internal network. In this example, the PC is sending traffic to the web server at 208.141.17.4.

Consider the entire path of the packet. The PC with address 192.168.1.5 is trying to communicate with the web server 208.141.17.4. When the packet arrives at the NAT-enabled router, the router reads the packet's source IPv4 address to determine whether the packet meets the criteria for translation. In this example, the source address meets the criteria and is translated from 192.168.1.5 (inside local address) to 208.141.16.5 (inside global address). The router adds this local-to-global mapping to the NAT table and sends the packet with the translated source address to the destination. The web server responds with a packet addressed to the PC's inside global address (208.141.16.5). The router receives the packet with destination address 208.141.16.5 and checks the NAT table, where it finds the entry for this mapping. It uses this information to translate the inside global address (208.141.16.5) back to the inside local address (192.168.1.5), and the packet is forwarded to the PC.
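To make the translation table concrete, here is an added Python model of the static and dynamic NAT behaviour described above and in the Cisco configuration steps earlier (inside/outside interfaces, an access list selecting eligible sources, a pool of inside global addresses). It is example code written for this page, not code from the article or from any vendor. The addresses 192.168.1.5, 208.141.16.5 and 208.141.17.4 are the article's; the second pool address 208.141.16.6 and the extra hosts are constructed here. The model deliberately has no port translation, so once the pool is empty new hosts are dropped, which is the limitation that motivates PAT.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    """Only the two fields NAT (without PAT) looks at."""
    src: str
    dst: str


class NatRouter:
    """Static + dynamic NAT: one inside global address per inside local host."""

    def __init__(self, inside_networks: List[str], pool: List[str]) -> None:
        # Plays the role of the access list: only these sources are translated.
        self.inside_networks = [ip_network(n) for n in inside_networks]
        self.pool = list(pool)                 # free inside global addresses
        self.table: Dict[str, str] = {}        # inside local -> inside global

    def add_static(self, inside_local: str, inside_global: str) -> None:
        """Permanent one-to-one mapping (ip nat inside source static)."""
        self.table[inside_local] = inside_global
        if inside_global in self.pool:         # never hand it out dynamically
            self.pool.remove(inside_global)

    def _eligible(self, src: str) -> bool:
        a = ip_address(src)
        return any(a in net for net in self.inside_networks)

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Inside -> outside: rewrite the source address, creating a dynamic
        entry on first use. Returns None when the pool is exhausted."""
        if not self._eligible(pkt.src):
            return pkt                         # not matched by the ACL: routed as-is
        glob = self.table.get(pkt.src)
        if glob is None:
            if not self.pool:
                return None                    # no free inside global address
            glob = self.pool.pop(0)            # first come, first served
            self.table[pkt.src] = glob
        return Packet(glob, pkt.dst)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside: only packets whose destination matches an
        existing table entry are translated back; everything else is dropped."""
        for local, glob in self.table.items():
            if glob == pkt.dst:
                return Packet(pkt.src, local)
        return None


def round_trip(router: NatRouter, inside_local: str, server: str) -> Optional[Packet]:
    """Send a request through the router and translate the server's reply back."""
    out = router.outbound(Packet(inside_local, server))
    if out is None:
        return None
    reply = Packet(server, out.src)            # server answers the inside global address
    return router.inbound(reply)


if __name__ == "__main__":
    r = NatRouter(["192.168.1.0/24"], ["208.141.16.5", "208.141.16.6"])
    print(round_trip(r, "192.168.1.5", "208.141.17.4"))   # reply lands on 192.168.1.5
    print(r.table)
```

The `inbound` method is the part worth noticing from a security standpoint: an unsolicited packet from the outside matches no table entry and is simply dropped, which is the "NAT is not a firewall, but it does hide the inside" behaviour the article describes.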

NAT types

There are three types of NAT translation:

  • Static Address Translation (Static NAT) - one-to-one address mapping between local and global addresses;
  • Dynamic Address Translation (Dynamic NAT) - many-to-many address mapping between local and global addresses;
  • Port Address Translation (PAT) - many-to-one address mapping between local and global addresses using ports. This method is also known as NAT Overload;

Static NAT uses one-to-one mapping between local and global addresses. These mappings are configured by the network administrator and remain permanent. When devices send traffic to the Internet, their internal local addresses are translated into configured internal global addresses. For external networks, these devices have public IPv4 addresses. Static NAT is especially useful for web servers or devices that need to have a consistent address that is accessible from the Internet, such as a company web server. Static NAT requires a sufficient number of public addresses to satisfy the total number of concurrent user sessions.

A static NAT table looks like this:


Dynamic NAT uses a pool of public addresses and assigns them on a first come, first served basis. When the inside device requests access to the outside network, dynamic NAT assigns an available public IPv4 address from the pool. Like static NAT, dynamic NAT requires a sufficient number of public addresses to satisfy the total number of concurrent user sessions.

A dynamic NAT table looks like this:


Port Address Translation (PAT)

PAT translates multiple private addresses to one or more public addresses. This is what most home routers do. The ISP assigns one address to the router, but multiple family members can access the Internet at the same time. This is the most common form of NAT.

With PAT, multiple addresses can be mapped to one or more addresses, since each private address is also tracked by a port number. When a device initiates a TCP/IP session, it generates a TCP or UDP source port value that uniquely identifies the session. When the NAT router receives a packet from a client, it uses the source port number to identify the specific NAT translation. PAT ensures that devices use a different TCP port number for each session. When a response returns from the server, the source port number, which becomes the destination port number on the return path, determines which device the router forwards the packet to.

The picture illustrates the PAT process. PAT adds unique source port numbers to the inside global address to distinguish translations.


Since the router processes every packet, it uses the port number (1331 and 1555, in this example) to identify the device from which the packet was sent.

Source Address is the inside local address with the appended port number assigned by TCP/IP. Destination Address is the outside local address with the appended service port number. In this example, the service port is 80 (HTTP).

For the source address, the router translates the inside local address to the inside global address with the appended port number. The destination address does not change, but is now referred to as the outside global IP address. When the web server responds, the path is reversed.

In this example, client port numbers 1331 and 1555 were not changed by the NAT router. This is not a very likely scenario, because there is a good chance that these port numbers are already attached to other active sessions. PAT tries to keep the original source port. However, if the original source port is already in use, PAT assigns the first available port number, starting at the beginning of the corresponding port group (0-511, 512-1023 or 1024-65535). When no ports remain and there is more than one external address in the pool, PAT moves to the next address and tries to allocate the original source port there. This process continues until there are no available ports or external IP addresses.

That is, another host may choose the same port number, 1444. This is acceptable on the inside, because hosts have unique private IP addresses. On the NAT router, however, the port numbers must differ, otherwise packets from two different hosts would leave with the same source address and port. Therefore, PAT assigns the next available port (1445) to the second host.
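The following Python block is an added example (not from the article) of the PAT allocation rules just described and of the overload configuration shown earlier: keep the client's source port when it is free, otherwise pick another port from the same port group (0-511, 512-1023, 1024-65535), and move on to the next pool address only when the group is exhausted. One detail is my own assumption: the search for a replacement port starts just above the original port and wraps around within the group, which reproduces the 1444 -> 1445 case in the text. The addresses 203.0.113.1, 192.168.1.2/3 and 198.51.100.10 are constructed documentation addresses.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

PORT_GROUPS = [(0, 511), (512, 1023), (1024, 65535)]


def port_group(port: int) -> Tuple[int, int]:
    """Return the (low, high) bounds of the group a port belongs to."""
    for lo, hi in PORT_GROUPS:
        if lo <= port <= hi:
            return lo, hi
    raise ValueError(f"invalid port {port}")


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PatRouter:
    """NAT overload: many inside hosts share the pool addresses via ports."""

    def __init__(self, pool: List[str]) -> None:
        self.pool = list(pool)
        # (inside local ip, port) -> (inside global ip, port)
        self.table: Dict[Tuple[str, int], Tuple[str, int]] = {}
        self.used: Set[Tuple[str, int]] = set()

    def _free_port(self, gip: str, want: int) -> Optional[int]:
        """First free port on gip, trying `want` first, then the rest of its group."""
        lo, hi = port_group(want)
        size = hi - lo + 1
        for i in range(size):                   # i == 0 is the original port itself
            p = lo + (want - lo + i) % size     # assumption: wrap around inside the group
            if (gip, p) not in self.used:
                return p
        return None

    def _allocate(self, want: int) -> Optional[Tuple[str, int]]:
        for gip in self.pool:                   # next address only when a group is full
            p = self._free_port(gip, want)
            if p is not None:
                return gip, p
        return None                             # no ports and no addresses left

    def outbound(self, flow: Flow) -> Optional[Flow]:
        key = (flow.src_ip, flow.src_port)
        if key not in self.table:
            alloc = self._allocate(flow.src_port)
            if alloc is None:
                return None
            self.table[key] = alloc
            self.used.add(alloc)
        gip, gport = self.table[key]
        return Flow(gip, gport, flow.dst_ip, flow.dst_port)

    def inbound(self, flow: Flow) -> Optional[Flow]:
        """Reply path: the destination (ip, port) selects the inside host."""
        for (lip, lport), (gip, gport) in self.table.items():
            if (gip, gport) == (flow.dst_ip, flow.dst_port):
                return Flow(flow.src_ip, flow.src_port, lip, lport)
        return None


def release(router: PatRouter, inside_ip: str, inside_port: int) -> None:
    """Session ended: free the global (ip, port) so it can be reused."""
    alloc = router.table.pop((inside_ip, inside_port), None)
    if alloc is not None:
        router.used.discard(alloc)


if __name__ == "__main__":
    pat = PatRouter(["203.0.113.1"])
    a = pat.outbound(Flow("192.168.1.2", 1444, "198.51.100.10", 80))
    b = pat.outbound(Flow("192.168.1.3", 1444, "198.51.100.10", 80))
    print(a, b)     # same client port on the inside, 1444 and 1445 on the outside
```

In a real device the entries also age out; `release` stands in for that timeout so the example shows that a global port is only ever owned by one inside session at a time.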

Let's summarize the comparison between NAT and PAT. As the tables show, NAT translates IPv4 addresses on a 1:1 basis between private and public IPv4 addresses, whereas PAT changes both the address and the port number. NAT delivers incoming packets to the internal host based solely on the destination address chosen by the host on the public network; with PAT there is usually only one, or very few, publicly exposed IPv4 addresses, and incoming packets are delivered based on the address and port entries in the router's NAT table.

What about IPv4 packets that carry something other than TCP or UDP? Such packets contain no Layer 4 port number. PAT still translates the most common protocols carried by IPv4 that do not use TCP or UDP as the transport layer, the most common being ICMPv4, and each of these protocols is handled differently. For example, ICMPv4 query messages (echo requests and echo replies) include a Query ID, which ICMPv4 uses to match an echo request with its reply. The Query ID is incremented with each echo request sent, and PAT uses it in place of the Layer 4 port number.

Advantages and Disadvantages of NAT

NAT provides many benefits, including:

  • NAT conserves the registered addressing scheme, allowing intranets to use private addresses. With PAT, internal hosts can share a single public IPv4 address for all external communication. This type of configuration requires very few external addresses to support many internal hosts;
  • NAT increases the flexibility of connections to the public network. Multiple pools, backup pools and load-balancing pools can be implemented to provide reliable public network connections;
  • NAT provides consistency for internal network addressing schemes. On a network that does not use private IPv4 addresses and NAT, changing the public IPv4 addressing scheme requires readdressing all hosts on the existing network, and the cost of readdressing hosts can be significant. NAT allows the existing private IPv4 addressing scheme to remain in place, making it easy to change the public addressing scheme. This means that an organization can change providers without changing any of its internal clients;

  • NAT provides a degree of network security. Because private networks do not advertise their addresses or internal topology, they remain reasonably protected when NAT is used to provide controlled external access. However, you need to understand that NAT does not replace a firewall;

But NAT has some drawbacks. The fact that hosts on the Internet appear to communicate directly with a NAT-enabled device rather than the actual host within the private network creates a number of problems:

  • One of the disadvantages of NAT has to do with network performance, especially for real-time protocols such as VoIP. NAT increases forwarding delay because it takes time to translate each IPv4 address in the packet headers;
  • Another disadvantage of NAT is that end-to-end addressing is lost. Many Internet protocols and applications depend on end-to-end addressing from source to destination, and some applications do not work through NAT. Applications that embed IP addresses rather than a fully qualified domain name cannot reach destinations that are translated by a NAT router. Sometimes this problem can be avoided by implementing static NAT mappings;
  • End-to-end IPv4 traceability is also lost. It is harder to trace packets whose addresses are changed across multiple NAT hops, which makes troubleshooting more difficult;
  • NAT also complicates tunneling protocols such as IPsec, because NAT changes header values that are covered by the integrity checks performed by IPsec and other tunneling protocols;
  • Services requiring the initiation of TCP connections from the external network, or stateless protocols such as those using UDP, may be disrupted. If a NAT router is not configured to support these protocols, incoming packets cannot reach their destination;


Good day, dear readers! Well, let's talk about NAT.

Today we will touch on a topic that is somewhat painful and rather hard to grasp, though more hard to grasp than painful.

For the most part, this problem concerns people who play multiplayer games, and in short it sounds something like this: "WHY DOES NOBODY JOIN ME?" For others, the problem looks a little different, namely:

  • Why doesn't the torrent download?
  • Why can't users, friends, acquaintances or strangers connect to the FTP, web, VoIP (TS, Mumble, bucket) and other servers that you spent so long configuring and even checked that everything works for you?
  • Why is your personal home server empty? Maybe it is a universal conspiracy?

There is no conspiracy, however: the culprit of all these troubles is right next to you, slyly winking at you with its LEDs, and its name is... the router, yes, the one that distributes the Internet to all your (and maybe your neighbors') devices.

In short, Internet users simply cannot connect to you because your router will not let them in, and it does this not out of a whim but because it does not know that all these people want to connect to you. It thinks they want something from it.

Yes, I have just sketched out what NAT is for. Now, what it is.

General definition

NAT (Network Address Translation) is a mechanism that lets the router determine which services behind it must be reachable from the Internet, so that users can use those services from there (I did not take the definition from the wiki, because it is abstruse and not everyone understands it).

NAT is present in one form or another in all routers and server operating systems. In routers it is usually called port forwarding, on Linux it is iptables, and on Windows servers it lives in a dedicated snap-in. Now let's talk about the different types of NAT.

Type one, Static NAT

Static NAT is not needed at home, but it is needed when the provider has allocated several IP addresses (external, or "white", addresses) to your company and you need some servers to be always visible from the Internet, with addresses that never change.

That is, there is a 1:1 address translation (one external IP is assigned to one internal server). With this setup, your servers are always reachable from the Internet on any port.

  • The advantage of this method is that you open access from the Internet to a specific program on a specific computer or server, and all other ports of that computer or server remain closed;
  • The disadvantage is that you have to open all ports manually (sometimes programs do it for you using UPnP, but not always).

Afterword

It turned out a little chaotic, and the topic is rather complicated, but I hope now you will not be shivering at the word NAT :)

As always, if you have any questions, thoughts, additions and all that stuff, then welcome to the comments on this post.

PS: For the existence of the article, a special thanks to a friend of the project and a member of our team under the nickname “barn4k“

How a router works

Reading this article, I think everyone understands what a router is and why it is needed, but has anyone thought about how it works? In this article I will try to tell you the basic principles of router operation in the most accessible language. This article will be useful and system administrators and ordinary users.

The main function present in any router is NAT

NAT (Network Address Translation) is used to replace IP addresses. Local networks mostly use addresses like 192.168.1.XXX or similar, and this creates a routing problem on the global Internet, since IP addresses on the network must not be duplicated. NAT solves this problem: computers on the local network connect to the local interface of the router and receive IP addresses and a gateway from it (the router serves as the gateway), while the router's WAN interface connects to the Internet.

Now let's look at the principle of NAT translation:

  • A request is made from any computer on the local network, for example you try to open a site; the computer sends the request to the address of the gateway, that is, our router;
  • The router, having received the request, records your computer as the initiator of the connection, then creates a copy of your packet and sends it to the destination on its own behalf, with its own IP address, and your original packet is simply discarded;
  • The server to which the request was sent processes it and sends a response, naturally to the router's address. The router was already waiting for it, since it recorded that a response to your computer's request should arrive, and it sends the response to your computer. As you can see, in this scheme only a computer on the local network can initiate a connection, and a response from a server reaches the computer only if the router is waiting for it (a response to a request). In other words, all connection attempts from outside stop at the router and succeed only if the router itself provides a resource on the requested port or has port forwarding rules configured, which we will talk about now.

Port forwarding

Port forwarding is essentially the same as NAT but in the other direction, and therefore only static: certain requests go only to certain computers, because hosts on the global network cannot know the IP addresses behind the router. For example, you created an FTP or HTTP server on your computer and want to provide access to it; to do this you need to add a rule on the router stating that all incoming packets to the desired port (21 or 80 in our case) will be forwarded to the IP address of our computer on a specific port (the port can be changed).

NAT - DMZ

NAT DMZ is exactly the same as port forwarding, with the difference that you do not need to write a rule for each port: you just configure NAT DMZ, which forwards to the chosen computer all incoming requests that arrive at the router's WAN interface. Of course, it is no longer possible to change ports.
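The inbound side (port forwarding and the DMZ host) is worth seeing as code because it makes the exposure difference visible. The block below is an added example written for this page, not code from the article or from any router vendor. It models a router's inbound rule lookup: an explicit port forwarding rule wins, otherwise a configured DMZ host receives the packet on the original port, otherwise the packet is dropped. The WAN address 203.0.113.1 and the LAN hosts are constructed.

```python
from typing import Dict, Optional, Set, Tuple

Rule = Tuple[str, int]            # (lan ip, lan port)
Key = Tuple[str, int]             # (protocol, wan port)


class InboundNat:
    """Destination NAT on a home/SOHO router: port forwarding plus optional DMZ."""

    def __init__(self, wan_ip: str, dmz_host: Optional[str] = None) -> None:
        self.wan_ip = wan_ip
        self.dmz_host = dmz_host
        self.rules: Dict[Key, Rule] = {}

    def forward(self, proto: str, wan_port: int, lan_ip: str,
                lan_port: Optional[int] = None) -> None:
        """Port forwarding rule; the LAN port may differ from the WAN port."""
        self.rules[(proto, wan_port)] = (lan_ip, wan_port if lan_port is None else lan_port)

    def deliver(self, proto: str, dst_ip: str, dst_port: int) -> Optional[Rule]:
        """Where an unsolicited inbound packet ends up, or None if dropped."""
        if dst_ip != self.wan_ip:
            return None                               # not addressed to us
        rule = self.rules.get((proto, dst_port))
        if rule is not None:
            return rule                               # explicit rule wins
        if self.dmz_host is not None:
            return (self.dmz_host, dst_port)          # DMZ: every port, unchanged
        return None                                   # no state, no rule: dropped

    def exposed_ports(self, lan_ip: str, proto: str, listening: Set[int]) -> Set[int]:
        """Ports on lan_ip reachable from the Internet, given what it listens on.
        With a DMZ host this is everything it listens on, not just forwarded ports."""
        if lan_ip == self.dmz_host:
            return set(listening)
        return {p for (pr, _), (ip, lp) in self.rules.items() for p in listening
                if pr == proto and ip == lan_ip and lp == p}


if __name__ == "__main__":
    r = InboundNat("203.0.113.1")
    r.forward("tcp", 80, "192.168.1.10")           # web server on its own port
    r.forward("tcp", 2121, "192.168.1.10", 21)     # FTP on a changed WAN port
    print(r.deliver("tcp", "203.0.113.1", 2121))   # ('192.168.1.10', 21)
    print(r.deliver("tcp", "203.0.113.1", 3389))   # None: nothing forwarded
```

`exposed_ports` is the check a practitioner would run before enabling the DMZ option: compared with a handful of forwarding rules, a DMZ host has its entire listening surface reachable from the WAN.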

Routing

To put it simply, routing is the same as NAT but in both directions. In this scheme the router must have at least two LAN interfaces (not ports, but interfaces) with different address spaces; for example, one interface has IP 192.168.0.1 and the other has 192.168.1.1. Computers on one network then receive addresses of the form 192.168.0.XXX and on the other 192.168.1.XXX, with gateways 192.168.0.1 and 192.168.1.1 respectively. This is how two-way routing is achieved.


Internet router, access server, firewall. The most popular is Source NAT (SNAT), whose mechanism consists in replacing the source address as the packet passes in one direction and replacing the destination address in the response packet on the way back. Along with the source and destination addresses, the source and destination port numbers can also be replaced.

Besides SNAT, that is, giving users of a local network with internal addresses access to the Internet, Destination NAT (DNAT) is also often used: requests from outside are translated by the firewall to a server on the local network that has an internal address and is therefore not directly reachable from the external network (without NAT).

The figures below show an example of how NAT works.


Fig. 7.1.

A user on the corporate network sends a request to the Internet, which arrives at the internal interface of the router, access server or firewall ( NAT device ).

The NAT device receives the packet and makes an entry in the connection tracking table, which manages address translation.

It then replaces the source address of the packet with its own external public IP address and sends the packet to its destination on the Internet.

The destination host receives the packet and sends the response back to the NAT device.

The NAT device, having received this packet, looks up the sender of the original packet in the connection tracking table, replaces the destination IP address with the corresponding private IP address and forwards the packet to the source computer. Since the NAT device sends packets on behalf of all internal computers, it also changes the original source port, and this information is stored in the connection tracking table.

There are 3 basic types of address translation:

  • static (SAT, Static Network Address Translation),
  • dynamic (DAT, Dynamic Address Translation),
  • masquerade (NAPT, NAT Overload, PAT).

Static NAT maps local IP addresses to specific public addresses on a one-to-one basis. It is used when the local host must be accessible from the outside using fixed addresses.

Dynamic NAT maps a set of private addresses to a set of public IP addresses. If the number of local hosts does not exceed the number of available public addresses, each local address will be guaranteed to match a public address. Otherwise, the number of hosts that can simultaneously access external networks will be limited by the number of public addresses.

Masquerade NAT(NAPT, NAT Overload, PAT, Masquerading) is a form of dynamic NAT that maps multiple private addresses to a single public IP address using different ports. Also known as PAT (Port Address Translation).

There can be several mechanisms of interaction between the internal local network and the external public network - it depends on the specific task of providing access to the external network and back and is prescribed by certain rules. There are 4 types of network address translation defined:

  • Full Cone
  • Restricted Cone
  • Port Restricted Cone
  • Symmetric

In the first three types of NAT, the same external port is used to communicate between different IP addresses on the external network with addresses from the local network. The fourth type - symmetric - uses a separate external port for each address and port.

With Full Cone NAT, the external port of the device (router, access server, firewall) is open to requests from any address. If a user on the Internet needs to send a packet to a client behind the NAT, they only need to know the external port of the device through which the mapping was established. For example, a computer behind the NAT with address 192.168.0.4 sends and receives packets on port 8000, which is mapped to external address and port 10.1.1.1:12345. Packets from the external network arriving at the device at 10.1.1.1:12345 are forwarded to client 192.168.0.4:8000.

Incoming packets are checked only against the transport protocol and the mapped destination address and port; the source address and port do not matter, so any external host that learns of 10.1.1.1:12345 can reach the client.

With Restricted Cone NAT, the external port of the device (router, access server, firewall) is opened by any packet sent from the client computer, in our example 192.168.0.4:8000. A packet coming from the external network (for example, from host 172.16.0.5:4000) to 10.1.1.1:12345 is forwarded to 192.168.0.4:8000 only if 192.168.0.4:8000 previously sent a request to that external host's IP address (here 172.16.0.5). That is, the router translates incoming packets from that specific source address regardless of their source port, and blocks packets from hosts to which 192.168.0.4:8000 has not sent a request.

Port Restricted Cone NAT is almost the same as Restricted Cone, except that the check covers both the source address and the source port: an incoming packet from external address:port X:P is forwarded to 192.168.0.4:8000 only if the client previously sent a packet to exactly X:P. In our example only 172.16.0.5:4000 can reach the client through 10.1.1.1:12345; a packet from 172.16.0.5:5000 is blocked. If the client has sent requests to several external address:port pairs, each of them can send packets back to 10.1.1.1:12345.

Symmetric NAT differs significantly from the first three in how it maps an internal address:port to an external address:port: the mapping depends on the address:port of the destination. For example, if client 192.168.0.4:8000 sends a request to host #1 (172.16.0.5:4000), it may be mapped as 10.1.1.1:12345, while a packet from the same source 192.168.0.4:8000 to a different destination gets a different mapping (10.1.1.1:12346). Only the destination for which a mapping was created can send packets back through it.
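The following added example (not code from the original article) models the four behaviours described above on top of a port-translating (masquerade) NAT, so it also shows the connection tracking table and source-port rewriting from the earlier description. It uses the article's addresses (client 192.168.0.4:8000, public 10.1.1.1, peer 172.16.0.5:4000); the second peer 172.16.0.9, the "stranger" 198.51.100.7 and sequential port allocation starting at 12345 are assumptions for illustration. Timeouts and protocols other than the port/address check are not modelled.

```python
# Added example, not from the original article: a single-public-address,
# port-translating NAT whose mapping and inbound filtering follow one of the
# four behaviours (Full Cone, Restricted Cone, Port Restricted Cone, Symmetric).
from itertools import count

FULL_CONE, RESTRICTED_CONE, PORT_RESTRICTED_CONE, SYMMETRIC = range(4)


class ConeNAT:
    def __init__(self, kind, public="10.1.1.1", first_port=12345):
        self.kind = kind
        self.public = public
        self.ports = count(first_port)     # assumed: external ports handed out sequentially
        self.mapping = {}                   # mapping key -> external port
        self.reverse = {}                   # external port -> (int_ip, int_port)
        self.peers = {}                     # external port -> {(dst_ip, dst_port) contacted}

    def outbound(self, int_ip, int_port, dst_ip, dst_port):
        """Translate an outgoing packet; returns the (public_ip, external_port) it leaves with."""
        if self.kind == SYMMETRIC:
            key = (int_ip, int_port, dst_ip, dst_port)   # new port per destination
        else:
            key = (int_ip, int_port)                       # one port per internal socket
        if key not in self.mapping:
            ext = next(self.ports)
            self.mapping[key] = ext
            self.reverse[ext] = (int_ip, int_port)         # connection tracking entry
            self.peers[ext] = set()
        ext = self.mapping[key]
        self.peers[ext].add((dst_ip, dst_port))
        return (self.public, ext)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Return the internal (ip, port) an incoming packet is forwarded to, or None if filtered."""
        if dst_ip != self.public or dst_port not in self.reverse:
            return None                                    # no translation exists: dropped
        peers = self.peers[dst_port]
        if self.kind == FULL_CONE:
            allowed = True                                 # anyone who knows the port
        elif self.kind == RESTRICTED_CONE:
            allowed = any(ip == src_ip for ip, _ in peers) # address contacted, any port
        else:                                              # Port Restricted Cone and Symmetric
            allowed = (src_ip, src_port) in peers          # exact address:port contacted
        return self.reverse[dst_port] if allowed else None


def demo(kind):
    """Client 192.168.0.4:8000 talks to two peers, then three inbound packets are tried."""
    nat = ConeNAT(kind)
    ext = nat.outbound("192.168.0.4", 8000, "172.16.0.5", 4000)
    ext2 = nat.outbound("192.168.0.4", 8000, "172.16.0.9", 4000)   # assumed second peer
    return {
        "external": ext,
        "same_port_for_both_peers": ext == ext2,
        "from_peer_same_port": nat.inbound("172.16.0.5", 4000, *ext),
        "from_peer_other_port": nat.inbound("172.16.0.5", 5000, *ext),
        "from_stranger": nat.inbound("198.51.100.7", 4000, *ext),   # assumed third party
    }


if __name__ == "__main__":
    names = ["Full Cone", "Restricted Cone", "Port Restricted Cone", "Symmetric"]
    for kind, name in enumerate(names):
        print(name, demo(kind))
```

Running it shows the progression the text describes: Full Cone forwards all three inbound packets, Restricted Cone drops only the stranger, Port Restricted Cone also drops the known peer's other port, and Symmetric additionally gives the second peer a different external port (12346), so a mapping learnt via one peer is useless for reaching the client from anywhere else.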

NAT also brings some security-relevant advantages:

  • It allows external access to internal hosts to be prevented or restricted while leaving access from the internal network to the outside intact. When a connection is initiated from inside, a translation entry is created; reply packets arriving from outside match that entry and are let through. Packets from the external network for which no translation exists (an entry can be created at connection initiation or configured statically) are dropped. Note that this protection comes from the stateful filtering, not from the address rewriting itself: a Full Cone NAT, for instance, accepts packets to a mapped port from any external host.
  • It allows particular services on internal hosts or servers to be hidden. The same translation is applied on a specific port, and the internal port of a well-known service can be replaced (for example, TCP port 80 of an HTTP server mapped to external port 54055). From outside, after translation, visitors who know the port can reach the site (or forum) at http://dlink.ru:54055, while the internal server behind the NAT keeps working on the usual port 80.

The disadvantages of the technology should also be mentioned:

    1. Not all protocols can "traverse" NAT. Some fail if there is address translation on the path between the communicating hosts. Some firewalls that translate addresses can work around this by rewriting addresses not only in IP headers but also at higher layers (for example, in FTP commands).
    2. Because of "many-to-one" translation, identifying individual users becomes harder, and full translation logs (which internal address:port was mapped to which external address:port, and when) have to be kept.
    3. Apparent DoS from a host performing NAT: if NAT is used to connect many users to the same service, the service may see what looks like a DoS attack (many successful and unsuccessful attempts from one address). For example, too many ICQ users behind one NAT caused connection problems for some of them because the server's per-address connection rate limit was exceeded.