Nortel 4134 Guia Do Utilizador
NAT Overview
29
Forward NAT is when the translation happens on traffic going from the
inside network (trusted) to the outside network (untrusted). With Forward
NAT, NAT is applied to an outgoing firewall policy and the source IP address
of the packet gets translated.
inside network (trusted) to the outside network (untrusted). With Forward
NAT, NAT is applied to an outgoing firewall policy and the source IP address
of the packet gets translated.
Reverse NAT is when the translation happens on traffic going from the
outside network (untrusted) to the inside network (trusted). With Reverse
NAT, NAT is applied to an incoming firewall policy and the destination IP
address of the packet gets translated.
outside network (untrusted) to the inside network (trusted). With Reverse
NAT, NAT is applied to an incoming firewall policy and the destination IP
address of the packet gets translated.
The following sections describe the various types of NAT, as well as features
of NAT.
of NAT.
Static NAT
Static NAT is a direct mapping of traffic from an unregistered address to a
registered address on a one-to-one basis. This can be used to translate
traffic going from the trusted side to the untrusted side or vice versa. It
is particularly useful when a device on the inside network needs to be
accessible from the outside network.
registered address on a one-to-one basis. This can be used to translate
traffic going from the trusted side to the untrusted side or vice versa. It
is particularly useful when a device on the inside network needs to be
accessible from the outside network.
Dynamic NAT
Dynamic NAT is a dynamic many-to-many mapping of traffic from
unregistered addresses to a pool of external registered IP addresses.
Typically, the range of external IP addresses is less than the number of
internal addresses on the trusted side. Each time a request is made from a
host on the private network, the router chooses an external IP address that
is currently unused, and then performs the translation. Dynamic NAT picks
external IP addresses in a round robin fashion to perform the translation.
Dynamic NAT can only be used for traffic initiated from an internal host.
unregistered addresses to a pool of external registered IP addresses.
Typically, the range of external IP addresses is less than the number of
internal addresses on the trusted side. Each time a request is made from a
host on the private network, the router chooses an external IP address that
is currently unused, and then performs the translation. Dynamic NAT picks
external IP addresses in a round robin fashion to perform the translation.
Dynamic NAT can only be used for traffic initiated from an internal host.
PAT
Port Address Translation (PAT), also know as Network Address Port
Translation (NAPT), is a form of Dynamic NAT. With PAT, multiple internal
hosts can share the same public IP address. PAT maps multiple unregistered
IP addresses to a single registered IP address by using different port
numbers. The firewall keeps a listing of assigned port numbers to track
which sessions belong to which hosts. With PAT enabled, theoretically up to
64K hosts can share a singe IP address.
Translation (NAPT), is a form of Dynamic NAT. With PAT, multiple internal
hosts can share the same public IP address. PAT maps multiple unregistered
IP addresses to a single registered IP address by using different port
numbers. The firewall keeps a listing of assigned port numbers to track
which sessions belong to which hosts. With PAT enabled, theoretically up to
64K hosts can share a singe IP address.
Port Restricted Cone NAT
The type of PAT supported on the SR4134 is port restricted cone NAT. In this
case, all requests from the same internal IP address and port are mapped to
the same external IP address and port number. An external host can send a
packet, with source IP address X and source port P, to the internal host only
if the internal host had previously sent a packet to IP address X and port P.
case, all requests from the same internal IP address and port are mapped to
the same external IP address and port number. An external host can send a
packet, with source IP address X and source port P, to the internal host only
if the internal host had previously sent a packet to IP address X and port P.
Nortel Secure Router 4134
Security — Configuration and Management
NN47263-600
01.02
Standard
10.0
3 August 2007
Copyright © 2007, Nortel Networks
.