[Figure: reply packet with Src Addr 207.139.221.11 and Dst Addr 207.139.221.2 in the IP header. Once the reply packet reaches the NAT device, NAT will occur to change the destination address in the IP header to the address of the "inside" device.]

Public, Global, and External Networks

A public, global, or external network is an address realm with a unique network address assigned by the Internet Assigned Numbers Authority or an equivalent address registry.

NOTE

Do not confuse public, global, and external networks with the term outside network. Outside is more of a generic term to describe a destination network in which NAT must occur in order to communicate with that network. Outside networks may refer to networks using global IP addresses, but they also may refer to the destination network in a situation where both networks use private IP addresses.

Network Address Translation (NAT) • Chapter 3 105

Private and Local Networks

A private or local network is an address realm independent of external network addresses. A private or local network uses IP addresses specified in RFC1918. These addresses are private—they should never be used globally. Transparent routing between hosts in a private realm and external realm is made possible by a NAT device.

Do not confuse private and local networks with the term inside network. As with the term outside network, inside network is more of a generic term to describe the source network in which NAT must occur in order for two hosts to communicate. An inside network may refer to a network that uses the private IP addresses (RFC1918), but it may also refer to the source network in which both networks use global IP addresses but must communicate through a NAT device.

Application Level Gateway

Not all protocols are easily translated by NAT devices, especially those that include IP addresses and TCP/UDP ports in the data portion of the packet. Simple NAT may not always work with certain protocols; this is why most modern implementations of NAT include built-in Application Layer Gateway functionality. Application Level Gateways (ALGs) are application-specific translation agents that allow an application on a host in one address realm to connect to another host running a translation agent in a different realm transparently. An ALG may interact with NAT to set up state, use NAT state information, alter application-specific data, and perform whatever else is necessary to get the application to run across different realms.

For example, recall that NAT and NAPT can alter the IP header source and destination addresses, as well as the source and destination port in the TCP/UDP header. RealAudio clients on the inside network access TCP port 7070 to initiate a conversation with a real-audio server located on an outside network, and to exchange control messages during playback such as pausing or stopping of the audio stream. Audio session parameters are embedded in the TCP control session as a byte stream. The actual audio traffic is carried in the opposite direction (originating from the real-audio server, destined for the real-audio client on the inside network) on ports ranging from 6970–7170.

As a result, RealAudio will not work with a traditional NAT device. One work-around is an ALG that examines the TCP control traffic to determine the audio session parameters and selectively enables inbound UDP sessions for the ports agreed upon in the TCP control session. Another work-around could have the ALG simply redirect all inbound UDP sessions directed to ports 6970–7170 to the client address on the inside network.

ALGs are similar to proxies in that both ALGs and proxies aid application-specific communication between clients and servers. Proxies use a special protocol to communicate with proxy clients and relay client data to servers, and vice versa. Unlike proxies, ALGs do not use a special protocol to communicate with application clients and do not require changes to application clients.

NAT Architectures

Many variations of NAT aid different applications. The following headings outline some of the variations of NAT.

Traditional or Outbound NAT

Traditional NAT is a dynamic translation that allows hosts within the inside network to transparently access hosts in the outside network. In a traditional NAT, the initial outbound session is unidirectional (one-way), outbound from the private network. Once a session has been established with a device on the outside network, bidirectional communication will occur for the duration of that session.

IP addresses of hosts in the outside network are unique. IP addresses of hosts in the inside network use RFC1918 private IP addresses. Since the IP addresses of the inside network are private and cannot be used globally, they must be translated into global addresses.

The traditional NAT router in Figure 3.2 would allow Host A to initiate a session to Host Z, but not the other way around. Also, the address space from the global address pool used on the outside is routable, whereas the inside address space cannot be routed globally.

Figure 3.3 shows the reply packets sent by Host Z to Host A. Since Host A originated a session from inside, any packets originating from Host Z in response to Host A will be permitted provided that the security rules on the NAT device permit it. If Host Z attempted to initiate a session with Host A, traditional NAT will not permit this because Host A has a private IP address. This IP address is reserved for private networks and will therefore never be routed globally. From the perspective of Host Z, Host A's IP address is 207.139.221.2 (the translated address). If Host Z attempts to initiate a session with this IP address, the NAT device will not be able to associate 207.139.221.2 with an inside IP address with traditional NAT. In order to allow Host Z to initiate a session with Host A, static NAT (explained later) will need to be configured.
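The following simulation is an added example, not code from the book: it models the traditional NAT behaviour just described (outbound sessions create state, replies are translated back, unsolicited inbound packets to 207.139.221.2 are dropped) together with the RealAudio-style ALG from the Application Level Gateway section, which reads the negotiated audio port from the TCP 7070 control session and opens an inbound UDP pinhole only within 6970–7170. The inside address 192.168.1.2, the outside Host Z address 207.139.221.11, and the control-message syntax `PLAY udp_port=NNNN` are constructed assumptions; ports are left unchanged, as in plain (non-NAPT) traditional NAT.

```python
import re

# Constructed addresses: inside Host A (RFC1918), the global address 207.139.221.2
# used in the text, and outside Host Z. Ports in the NAT table are kept unchanged.
INSIDE_A, GLOBAL_A, OUTSIDE_Z = "192.168.1.2", "207.139.221.2", "207.139.221.11"
RA_CONTROL_PORT = 7070                 # RealAudio TCP control session
RA_DATA_PORTS = range(6970, 7171)      # inbound audio ports agreed in the control session

def make_pkt(proto, src, dst, data=b""):
    """A packet reduced to the fields NAT inspects: protocol, (addr, port) pairs, payload."""
    return {"proto": proto, "src": src, "dst": dst, "data": data}

class TraditionalNAT:
    def __init__(self):
        self.sessions = {}   # (proto, port, outside_addr, outside_port) -> inside addr
        self.pinholes = {}   # (proto, port) -> inside addr, opened selectively by the ALG

    def realaudio_alg(self, pkt):
        # Hypothetical control syntax "PLAY udp_port=NNNN" (the real byte stream is not
        # given on the page). Open an inbound UDP pinhole only for a port in the range.
        m = re.search(rb"udp_port=(\d+)", pkt["data"])
        if m and int(m.group(1)) in RA_DATA_PORTS:
            self.pinholes[("udp", int(m.group(1)))] = pkt["src"][0]

    def outbound(self, pkt):
        """Inside -> outside: remember the session, rewrite the source address."""
        self.sessions[(pkt["proto"], pkt["src"][1], *pkt["dst"])] = pkt["src"][0]
        if pkt["proto"] == "tcp" and pkt["dst"][1] == RA_CONTROL_PORT:
            self.realaudio_alg(pkt)
        return make_pkt(pkt["proto"], (GLOBAL_A, pkt["src"][1]), pkt["dst"], pkt["data"])

    def inbound(self, pkt):
        """Outside -> inside: translate replies to known sessions or ALG pinholes, else drop."""
        inside = None
        if pkt["dst"][0] == GLOBAL_A:
            inside = self.sessions.get((pkt["proto"], pkt["dst"][1], *pkt["src"]))
            inside = inside or self.pinholes.get((pkt["proto"], pkt["dst"][1]))
        if inside is None:
            return None   # unsolicited: nothing associates 207.139.221.2 with an inside host
        return make_pkt(pkt["proto"], pkt["src"], (inside, pkt["dst"][1]), pkt["data"])

def demo():
    nat = TraditionalNAT()
    ctl = nat.outbound(make_pkt("tcp", (INSIDE_A, 3100), (OUTSIDE_Z, 7070), b"PLAY udp_port=7010"))
    reply = nat.inbound(make_pkt("tcp", (OUTSIDE_Z, 7070), (GLOBAL_A, 3100)))   # reply to session
    audio = nat.inbound(make_pkt("udp", (OUTSIDE_Z, 6971), (GLOBAL_A, 7010)))   # via ALG pinhole
    new = nat.inbound(make_pkt("tcp", (OUTSIDE_Z, 5000), (GLOBAL_A, 80)))       # Z initiates: dropped
    return ctl["src"][0], reply["dst"][0], audio["dst"][0], new
```

`demo()` returns the translated source seen by Host Z, the inside destination restored on the control reply and on the audio stream, and `None` for the session Host Z tried to initiate; a port outside 6970–7170 in the control message opens no pinhole.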

Figure 3.2 A diagram of traditional NAT.