NetworkClue.com


NAT Firewalls

By Joshua Erdman
Digital Foundation, inc.

NAT is an acronym for Network Address Translation. This is where the router rewrites the source IP address of packets going out from the internal private network to a public address that the Internet can reach.

Public IPs vs. Private IPs

If you go to www.whatismyip.com, this website will display your public IP address. Now run the IPConfig command on your local computer and note the IP address of your computer and the address listed as your computer's gateway (the router's IP address; a gateway is another word for router). Most likely your internal addressing scheme is a private address (something similar to 192.168.1.X or 10.10.1.X). If the Internet can only see your public address, how then can your computer and the Internet communicate? This is where translation comes into play. Your router has two IP addresses: the public IP address that you found (the IP address assigned to your router on the Internet side, which you got from www.whatismyip.com) and the private IP address on the private network side (the gateway IP address you got with the IPConfig command).

When your computer needs to talk to a computer with an address that is not on its local network, it sends the packet to its gateway (the router), which is then in charge of directing (routing) the packet to its destination. This is very similar to handing out party invitations: for anyone in your local neighborhood you would just drop the invitation at each house, but for invitations to a different city you would use the postal service to handle the routing.

Translation

Here is where the translation starts. When the router gets a packet to send out to the Internet, it translates the private IP address listed in the packet to the public IP it was assigned. The router keeps track of all the Internet conversations, and when a reply packet is sent back to the router, it translates the destination IP address from the public IP back to the correct private IP and then forwards it to the private network.

NAT as a Firewall

NAT can be thought of more as a passive firewall; it does not actively protect or block. The firewall characteristics come out of the way NAT works. An Internet device can only communicate with a computer on the private network when the computer on the private network STARTS the communication. It does not work the other way around. If an Internet computer were to try to start talking to the assigned public IP address of the router, the router (by default) will drop the packets. The only exception is if you have port forwarding set up.

Port Forwarding

In the previous example of outbound-only connections, each computer was protected behind a NAT firewall and could communicate with the Internet but not the other way around. What happens if you want to set up a mail server at your office? E-mail is exchanged via port 25, but with the current configuration there is no way for the Internet to communicate with your e-mail server if it is behind this NAT firewall. This is where port forwarding comes into play.

Setting up Port Forwarding

For the Internet to be able to send e-mails to your mail server, you must configure your router to Port Forward. Since e-mail is exchanged via SMTP (port 25) you must configure your router to port forward all port 25 packets to your mail server. That means that you must know the Private Network address of your Mail Server and that your mail server is configured with a Static IP address to ensure that it never changes on you unexpectedly.
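The three behaviours described above (source translation on the way out, translating replies back using the conversation table, dropping unsolicited inbound packets, and the port-forwarding exception for the mail server) can be seen together in a small model. This is an added illustration written for this page, not code from the article or from Digital Foundation; the `NatRouter` class and every IP address in it are constructed sample values (RFC 1918 private ranges and the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges), chosen to mirror the article's scenario.

```python
"""Toy model of a NAT router: a translation table for outbound conversations,
the default drop of unsolicited inbound packets, and a static port forward
for SMTP (port 25) to an internal mail server.

Added illustration for this article; all addresses are constructed samples.
"""
from dataclasses import dataclass, replace

PUBLIC_IP = "203.0.113.7"      # constructed: router's Internet-side address
GATEWAY_IP = "192.168.1.1"     # constructed: router's private-side address
MAIL_SERVER_IP = "192.168.1.25"  # constructed: static private IP of the mail server


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class NatRouter:
    def __init__(self, public_ip, port_forwards=None):
        self.public_ip = public_ip
        # Static forwards configured by the admin:
        #   (proto, public port) -> (private ip, private port)
        self.port_forwards = dict(port_forwards or {})
        # Dynamic conversation table, filled only by outbound traffic:
        #   (proto, translated source port) -> (private ip, private port)
        self.table = {}
        self._next_port = 40000  # first translated source port to hand out

    def outbound(self, pkt):
        """Private -> Internet: rewrite the source address to the public IP
        and remember the mapping so the reply can be translated back."""
        inside = (pkt.src_ip, pkt.src_port)
        key = next((k for k, v in self.table.items()
                    if v == inside and k[0] == pkt.proto), None)
        if key is None:  # new conversation: allocate a public-side port
            key = (pkt.proto, self._next_port)
            self._next_port += 1
            self.table[key] = inside
        return replace(pkt, src_ip=self.public_ip, src_port=key[1])

    def inbound(self, pkt):
        """Internet -> private: deliver only replies to tracked conversations
        or packets to a forwarded port. Anything else is dropped (None)."""
        if pkt.dst_ip != self.public_ip:
            return None  # not addressed to us at all
        key = (pkt.proto, pkt.dst_port)
        target = self.table.get(key) or self.port_forwards.get(key)
        if target is None:
            return None  # default NAT behaviour: unsolicited packet dropped
        return replace(pkt, dst_ip=target[0], dst_port=target[1])


def demo():
    """Walk through the article's scenario and return each result."""
    router = NatRouter(PUBLIC_IP, port_forwards={("tcp", 25): (MAIL_SERVER_IP, 25)})
    # 1. A workstation opens a web connection; the router rewrites the source.
    out = router.outbound(Packet("192.168.1.50", 51234, "198.51.100.10", 80))
    # 2. The web server replies to the public address; the table maps it back.
    back = router.inbound(Packet("198.51.100.10", 80, PUBLIC_IP, out.src_port))
    # 3. An Internet host tries to start a conversation on port 80: no table
    #    entry and no forward, so the router drops it.
    probe = router.inbound(Packet("198.51.100.99", 4444, PUBLIC_IP, 80))
    # 4. SMTP to the public address: the port forward delivers it inside.
    mail = router.inbound(Packet("198.51.100.20", 2525, PUBLIC_IP, 25))
    return {"out": out, "back": back, "probe": probe, "mail": mail}


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(name, pkt if pkt is not None else "DROPPED")
```

Running the script prints the translated packet for each step and `DROPPED` for the unsolicited one. The conversation table is only ever written by `outbound`, which is exactly why NAT behaves like a passive firewall: nothing from the Internet can create an entry, and the only way in without one is a forward the administrator configured deliberately.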

The specifics of configuring each router vary widely. On the simple DSL/cable modem routers it should be fairly self-explanatory (especially with a web interface), but it is a whole other monster on a Cisco router. Come back soon to read my future article on NAT and port forwarding for Cisco routers.

Bigger and Better

This NAT firewall provides basic protection but also gives a lot of freedom to your network users. There are no limitations on the connections they can initiate to the Internet (that includes network games, file swapping, instant messaging, etc.). To add these limitations you must use packet filtering, a feature not usually provided on the basic DSL/cable modem routers.

Packet Filtering

Article last reviewed: 01/19/2005



Created by: Digital Foundation, inc.

Copyright © 2002-2005 Digital Foundation, inc.   www.networkclue.com

All content of the NetworkClue website is copyrighted. Articles, notes, outlines, and all other materials may not be stored on the Internet or sold or placed by themselves or with other material in any electronic or printed format in whole or part. However materials may be referenced by links to the site.
