Matrox NAT2 Application note

Matrox Networks
www.matrox.com/networks
networks.techsupport@matrox.com
+1 (514) 822-6090
Tech Note #2
Network Address Translation (NAT)
This document describes the use of NAT in the Matrox iSwitch. It contains the following:
- A list of the products which support this feature.
- A description of NAT and its features.
Applicability
This feature is available in:
All of the Matrox iSwitch product line.
NAT
What Is It?
We can classify IP addresses into two kinds: local (private) and global (public). Local IP addresses cannot be used on the Internet and are mostly used on Local Area Networks (LANs). Public addresses are valid on the Internet and must be properly registered so that information can be sent to them. NAT, described in RFC 1631, is a feature that allows local IP addresses on the LAN to be converted into global IP addresses on the Internet. This enables both worlds to exchange information. NAT is also known by other names such as IP masquerading and comes in 3 basic formats:
Static NAT: A static NAT maintains a simple one-to-one mapping between a local and global IP address for each host on the LAN. The main benefit of this type of NAT is avoiding reconfiguration of local IP addresses on each host.
Dynamic NAT: For a dynamic NAT, a host on the LAN receives a mapping between its private IP address and a global IP address allocated from a pool of available addresses. The global IP address is released when the usage is finished and then becomes available for another host. This scheme allows for more efficient usage of the available global IP addresses compared to a static NAT.
PAT: The Matrox iSwitch product line uses PAT. A Port Address Translation device maps ALL the local IP addresses into a SINGLE global IP address that can be either statically or dynamically assigned by an ISP. The PAT performs a mapping between local port numbers and global port numbers drawn from a pool of available port numbers. The advantage of this scheme, in addition to those mentioned above, is cost savings; only one ISP account and IP address is required. In addition, the PAT scheme provides privacy since the internal LAN is unavailable to hosts on the Internet; all they can see is the single IP address interface provided by the PAT device.
© Matrox Networks 1999
How Does It Work?
When a host on the LAN makes a request to the Internet, an entry is added to a NAT table in the Matrox iSwitch. This table entry contains two important pieces of information. The first is the translation from the local to the global IP address that is necessary to allow the request to go on to the Internet. The second is the translation from the port number assigned by the host to a port number randomly assigned by the iSwitch. The port modification allows the iSwitch to send the reply it receives to the correct host on the LAN (remember that all host requests have been mapped to a common IP address).
Another benefit of having table entries and randomly assigned port numbers is that data coming from the Internet can be checked to ensure that it is in response to a specific request from a host on the LAN.
What You Should Know
1. Supported Applications: The Matrox iSwitch NAT will support most “well-behaved” applications. An application that is not “well-behaved” is one that uses IP address and port information directly. A NAT modifies IP address and port information, so any application that makes use of this information will not function correctly unless explicit support is provided. Another way in which an application is not “well-behaved” is when it attempts to open a new port rather than using the original port. This is problematic because there is no entry in the NAT translation table for that IP address and port. Consequently, the Matrox iSwitch assumes that this is a hacker and discards the packet. The File Transfer Protocol (FTP) is a good example of an application that is not “well-behaved”, since it does both. First, FTP carries the IP address in its application data, but the Matrox iSwitch NAT explicitly modifies the FTP application data to reflect the address modifications that were made. Second, an FTP server on the Internet will attempt to establish a connection from port 21 even though the LAN FTP client made a request to port 20. The Matrox iSwitch overcomes this by treating FTP as a special case and automatically adding the correct translation entry for port 21 to the NAT table.
2. Timeout considerations: Entries in the NAT table are removed after a certain period of inactivity. The default settings are 2 minutes for a UDP-based entry and 30 minutes for a TCP-based entry. The TCP-based entry has a longer time-out since TCP is connection based and the entry is generally removed by protocol interaction (i.e. the time-out is essentially a “watchdog” that removes entries if an error occurred in the connection termination).
3. Network Visibility: The PAT feature of the Matrox iSwitch provides enhanced privacy from the Internet by hiding the internal details of the LAN behind a single external IP address. However, if you are debugging a network configuration and/or an application, the PAT will make the use of a sniffer or packet capture application more difficult.
4. Disabling NAT: Disabling the NAT feature is NOT recommended since it also involves bypassing all other firewall features (packet filtering, user and site control, and so on).
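The translation table described under “How Does It Work?” and the inactivity time-outs of item 2, shown as a small simulation. This is an added example, not iSwitch code: the class, method names, the 1024–65535 external port range and the sample addresses are assumptions made for illustration. It shows a LAN request creating an entry with a randomly chosen external port, a reply being matched back to the right host, an unsolicited inbound packet (no entry, or wrong peer) being discarded, and an idle entry expiring after its UDP or TCP time-out.

```python
import random
from dataclasses import dataclass

# Default inactivity time-outs quoted in the tech note, in seconds.
TIMEOUTS = {"udp": 2 * 60, "tcp": 30 * 60}


@dataclass
class Entry:
    proto: str
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    last_seen: float  # time of the last packet in either direction


class PatTable:
    """Toy PAT table (assumed design): all LAN hosts share one global IP,
    and each outbound flow gets its own randomly chosen external port."""

    def __init__(self, global_ip, seed=None):
        self.global_ip = global_ip
        self.rng = random.Random(seed)  # seed only makes the example reproducible
        self.entries = {}  # external port -> Entry

    def outbound(self, proto, local_ip, local_port, remote_ip, remote_port, now):
        """LAN -> Internet: return the (global IP, external port) the packet leaves with."""
        flow = (proto, local_ip, local_port, remote_ip, remote_port)
        for ext_port, e in self.entries.items():
            if (e.proto, e.local_ip, e.local_port, e.remote_ip, e.remote_port) == flow:
                e.last_seen = now  # existing flow: refresh its inactivity timer
                return self.global_ip, ext_port
        ext_port = self.rng.randint(1024, 65535)
        while ext_port in self.entries:  # pick a port no other flow is using
            ext_port = self.rng.randint(1024, 65535)
        self.entries[ext_port] = Entry(*flow, last_seen=now)
        return self.global_ip, ext_port

    def inbound(self, proto, src_ip, src_port, ext_port, now):
        """Internet -> LAN: return (local IP, local port), or None if the packet is discarded."""
        e = self.entries.get(ext_port)
        if e is None or (e.proto, e.remote_ip, e.remote_port) != (proto, src_ip, src_port):
            return None  # no entry for this port and peer: not a reply to any LAN request
        if now - e.last_seen > TIMEOUTS[e.proto]:
            del self.entries[ext_port]  # idle past the time-out: entry removed, packet dropped
            return None
        e.last_seen = now
        return e.local_ip, e.local_port
```

With two LAN hosts talking to the same server, each gets a distinct external port, so the reply to one cannot reach the other; only packets whose external port and source peer match a live entry are forwarded.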