The Cisco PIX firewall does it like this:

clientA: 10.0.0.1===>(PIX)123.4.5.6:5677====>Server
clientB: 10.0.0.2===>(PIX)123.4.5.6:5678====>Server

What I'm trying to say here is that, where there are a limited number of
valid Internet addresses available to the outside (Internet) interface of
the NAT, then it sends data to the Internet server as if that data was
coming from the same IP address but different ports. This is known as Port
Address Translation in the Cisco world. So basically the NAT translates two
different internal addresses (10.0.0.1/2) into the same external address but
with different ports. The difference between this and your suggestion is
that it is the NAT box which provides the different port numbers.

The Cisco PIX firewall is basically a NAT box with added security features,
and this method of doing things does not necessarily apply elsewhere. This
scheme cannot be used with streaming protocols, according to Cisco; I've
never tried.

Chris
=======================================
Chris Slater-Walker BA(Hons) CCNA CCDA MCSE
Cisco, Windows NT, Linux, Samba, DNS

French & German Spoken
=======================================
[EMAIL PROTECTED]
http://www.slater-walker.net/
==================================
----- Original Message -----
From: "Randy Kramer" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Monday, July 23, 2001 8:51 PM
Subject: Re: [newbie] Proxy and NAT


> TinyHoffman wrote:
> > How does the NAT distinguish between sessions with clients who
> > wish to talk to the same port on the same IP ?
> >
> > My Theory: The NAT or the Foreign IP server will issue a unique port
> > number for each session, and the NAT will then reverse-translate the unique
> > ports to the port that the client expects...
>
> I don't know -- suspect it is one of those details that the devil is in
> ;-)
>
> It does seem to work properly -- I've browsed the same sites from
> adjacent machines, and never seemed to have a problem that I could
> attribute to the data coming to the (my) wrong client machine.
>
> Maybe somebody else can answer your question.
>
> regards,
> Randy Kramer
>
>


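The port-based translation described in the thread (one outside address, a NAT-assigned port per inside session, reverse translation of the replies), as an added Python illustration that is not part of the original messages and not Cisco's PIX code. The addresses, the starting port 5677 and the counter-based port allocation are constructed assumptions for the example; a real device draws ports from a pool and ages entries out.

```python
"""Toy Port Address Translation (PAT) table, added as an illustration of the
scheme described in the thread: many inside addresses share one outside
address and are told apart by the port the NAT box assigns."""
from dataclasses import dataclass
from itertools import count

# Constructed outside address for the example (RFC 5737 documentation range).
OUTSIDE_IP = "203.0.113.6"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class PatBox:
    """One outside IP, a pool of outside ports, and a translation table.

    Hypothetical simplification: ports come from a counter starting at
    PORT_LOW; a real device picks from a pool and times entries out.
    """
    PORT_LOW = 5677

    def __init__(self, outside_ip=OUTSIDE_IP):
        self.outside_ip = outside_ip
        self._next_port = count(self.PORT_LOW)
        # (proto, inside ip, inside port) -> outside port
        self.outbound = {}
        # (proto, outside port) -> (inside ip, inside port)
        self.inbound = {}

    def translate_out(self, pkt):
        """Rewrite an outbound packet so the server sees OUTSIDE_IP:assigned_port."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        port = self.outbound.get(key)
        if port is None:
            # First packet of this inside session: allocate a new outside port.
            port = next(self._next_port)
            self.outbound[key] = port
            self.inbound[(pkt.proto, port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.outside_ip, port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def translate_in(self, pkt):
        """Reverse-translate a reply; None means no session exists, so the NAT drops it."""
        if pkt.dst_ip != self.outside_ip:
            return None
        inside = self.inbound.get((pkt.proto, pkt.dst_port))
        if inside is None:
            return None  # unsolicited inbound traffic never reaches an inside host
        ip, port = inside
        return Packet(pkt.src_ip, pkt.src_port, ip, port, pkt.proto)


def demo():
    nat = PatBox()
    server = "198.51.100.10"  # constructed server address
    # Both clients pick the same ephemeral source port and the same server:port,
    # the worst case for telling the sessions apart.
    a = Packet("10.0.0.1", 1025, server, 80)
    b = Packet("10.0.0.2", 1025, server, 80)
    a_out = nat.translate_out(a)
    b_out = nat.translate_out(b)
    # The server replies to what it saw: the same outside IP, different ports.
    reply_a = Packet(server, 80, a_out.src_ip, a_out.src_port)
    reply_b = Packet(server, 80, b_out.src_ip, b_out.src_port)
    stray = Packet(server, 80, OUTSIDE_IP, 9999)  # no matching session
    return {
        "a_out": a_out,
        "b_out": b_out,
        "a_again": nat.translate_out(a),  # same session keeps its port
        "a_back": nat.translate_in(reply_a),
        "b_back": nat.translate_in(reply_b),
        "stray": nat.translate_in(stray),
    }


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(name, pkt)
```

The table is keyed on the inside address and port together, which is why two clients using the same source port still get distinct outside ports; the stray reply shows the side effect Chris alludes to when he calls the PIX a NAT box with security features: a packet for which no session exists has nowhere to be translated to and is dropped. Protocols that carry addresses or ports inside the payload (the "streaming protocols" caveat in the thread) break this model because the table only rewrites headers.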