On Tue, 11 May 1999, John Talbot wrote:
> I can understand that NAT allows the network administrators to create a
> private addressing domain with all the internal addresses somehow being
> mapped to external addresses.
>
> This mapping between internal and external seems to take place:
> * Statically, where one internal IP address is mapped to one external
> address
> * Dynamically, where all the internal IP addresses are mapped to a few
> external addresses
>
> My question is how often is the addressing done dynamically, and if it is, how
> can I have applications addressing hosts within my private addressing
> domain, if the addresses are masked by NAT.
Quite often. The typical example for "dynamic NAT" is where a network is
connected to the Internet via a point to point link (modem, cable modem,
xDSL, etc.) Point to point links are only assigned one global IP address
and thus, to allow multiple hosts on the network to access the Internet
simultaneously, this address has to be "overloaded."
Today, the term NAT is somewhat confusing since it no longer is restricted
to translation of _network_addresses_ but also _transport_addresses_, i.e.
TCP and UDP ports. This leads to all kinds of technical problems since
many traditional TCP/IP applications rely on having a unique IP address.
All applications which communicate their IP address to their peer (other end
of the link) will fail if special care is not taken.
FTP, ICQ, NetMeeting, Quake, and many others are examples of applications
which will fail. Therefore, most implementations of NAT include support
for these (and more.) FTP and H.323 (NetMeeting) also use so called
control connections which further complicates the picture, since they are
used to open TCP or UDP connections from the outside during the session.
To answer the question about how outside hosts can access hosts on the
inside, the firewall is configured to translate addresses via rules in the
form of
map any_address with protocol TCP and port http to internal_web_server
Thus, if someone on the internet tries to connect via TCP to your single
global IP address at port 80, he/she will be connected to the host which you
specified in the rule (internal_web_server.) This means that you have to
decide which services you want to supply to the Internet and set up rules
to support them. All hosts providing these services are commonly placed on
a separate network called the DMZ (demilitarized zone.)
NAT also has many other uses, with "load balancing" being the most famous
one. A similar rule as the one given above is used but instead of a single
destination address a pool of addresses can be specified, say, if you have
a whole farm of web servers. The addresses can be used either in a simple
round robin scheme or according to traffic or some other parameter.
Regards,
Henrik
--
Henrik Bergstrom Email: [EMAIL PROTECTED]
Software Engineer Voice: +46-8-628 28 28
Intertex Data AB Fax: +46-8-628 64 14
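A minimal simulation of the two NAT behaviours described in Henrik's reply, added here as an example and not code from the post or from Intertex: outbound flows from several private hosts are "overloaded" onto the single global address by rewriting the source port, and a static rule of the form "map any_address with protocol TCP and port http to internal_web_server" forwards inbound port 80 to a pool of DMZ web servers in round-robin fashion. All addresses, the port range and the class name are constructed for the example.

```python
# Added example: dynamic NAT with port overloading plus one static inbound rule.
# The addresses and the 40000+ port range are constructed, not from the post.
from dataclasses import dataclass
from itertools import cycle

GLOBAL_IP = "203.0.113.1"                 # the one address on the point-to-point link
WEB_SERVERS = ["10.0.0.80", "10.0.0.81"]  # hypothetical DMZ web farm for the http rule


@dataclass(frozen=True)
class Packet:
    proto: str
    src: tuple   # (ip, port)
    dst: tuple   # (ip, port)


class Napt:
    """Translation table keyed on (protocol, inside ip, inside port)."""

    def __init__(self, first_port=40000):
        self.next_port = first_port
        self.out = {}    # (proto, src_ip, src_port) -> port on GLOBAL_IP
        self.back = {}   # (proto, global port)      -> (src_ip, src_port)
        self.pool = cycle(WEB_SERVERS)  # round-robin pool for the static rule

    def outbound(self, pkt):
        """Rewrite a packet leaving the private network (overloading)."""
        key = (pkt.proto, pkt.src[0], pkt.src[1])
        if key not in self.out:          # first packet of this flow: allocate a port
            self.out[key] = self.next_port
            self.back[(pkt.proto, self.next_port)] = pkt.src
            self.next_port += 1
        return Packet(pkt.proto, (GLOBAL_IP, self.out[key]), pkt.dst)

    def inbound(self, pkt):
        """Rewrite a packet arriving at the global address, or drop it (None)."""
        entry = self.back.get((pkt.proto, pkt.dst[1]))
        if entry is not None:            # reply to an existing outbound flow
            return Packet(pkt.proto, pkt.src, entry)
        if pkt.proto == "tcp" and pkt.dst[1] == 80:   # the static http rule
            return Packet(pkt.proto, pkt.src, (next(self.pool), 80))
        return None                      # no matching rule: the firewall drops it
```

Note that the packet payload is never touched, which is exactly why applications that carry their inside address in the data stream (FTP, H.323) need the extra application-level support mentioned in the reply.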