Sunday, September 5, 2010

network basics: how NAT works

source: http://en.wikipedia.org/wiki/Port_address_translation
 

In a Nutshell: Example

  • A host at private IP address 192.168.0.2 on the private network may ask for a connection to a remote host on the public network.
  • The initial packet has the address 192.168.0.2:15345.
  • The PAT device (which we assume has a public IP of 1.2.3.4) may arbitrarily translate this source address:port pair to 1.2.3.4:16529, making an entry in its internal table that port 16529 is being used for a connection by 192.168.0.2 on the private network, with port 15345.
  • When a packet is received from the public network by the PAT device for address 1.2.3.4:16529 the packet is forwarded to 192.168.0.2:15345.

Port Address Translation (PAT)

Port Address Translation (PAT) is a feature of a network device that translates TCP or UDP communications made between hosts on a private network and hosts on a public network. It allows a single public IP address to be used by many hosts on a private network, which is usually a Local Area Network or LAN.
A PAT device transparently modifies IP packets as they pass through it. The modifications make all the packets which it sends to the public network from the multiple hosts on the private network appear to originate from a single host, (the PAT device) on the public network.

Translation of the Endpoint

With PAT, all communication sent to external hosts actually contains the external IP address and port information of the PAT device instead of internal host IPs or port numbers.
  • When a computer on the private (internal) network sends a packet to the external network, the PAT device replaces the internal IP address in the source field of the packet header (sender's address) with the external IP address of the PAT device. It then assigns the connection a port number from a pool of available ports, inserting this port number in the source port field (much like the post office box number), and forwards the packet to the external network. The PAT device then makes an entry in a translation table containing the internal IP address, original source port, and the translated source port. Subsequent packets from the same connection are translated to the same port number.
  • The computer receiving a packet that has undergone PAT establishes a connection to the port and IP address specified in the altered packet, oblivious to the fact that the supplied address is being translated (analogous to using a post office box number).
  • A packet coming from the external network is mapped to a corresponding internal IP address and port number from the translation table, replacing the external IP address and port number in the incoming packet header (similar to the translation from post office box number to street address). The packet is then forwarded over the inside network. Otherwise, if the destination port number of the incoming packet is not found in the translation table, the packet is dropped or rejected because the PAT device doesn't know where to send it.
PAT will only translate IP addresses and ports of its internal hosts, hiding the true endpoint of an internal host on a private network.
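The translation table described above, as an added example (not code from the original post or from Wikipedia): a minimal PAT device that rewrites outbound packets, reuses the mapping for an existing connection, maps replies back, and returns None (dropped) for inbound packets with no table entry. The addresses are the ones from the walkthrough; the 203.0.113.10 remote host, the port pool and the Packet structure are assumptions, and timers, checksums and TCP state are left out.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Only the header fields PAT touches (constructed for this example)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PATDevice:
    def __init__(self, public_ip, pool=range(16529, 16600)):
        self.public_ip = public_ip
        self._pool = iter(pool)          # assumed: ports handed out in order
        self._out = {}   # (internal_ip, internal_port) -> translated port
        self._in = {}    # translated port -> (internal_ip, internal_port)

    def outbound(self, pkt):
        """Replace the internal source ip:port with the device's public ip:port.

        The same internal (ip, port) always gets the same translated port,
        so later packets of one connection keep their mapping.
        """
        key = (pkt.src_ip, pkt.src_port)
        port = self._out.get(key)
        if port is None:
            try:
                port = next(self._pool)
            except StopIteration:
                raise RuntimeError("port pool exhausted")
            self._out[key] = port
            self._in[port] = key
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Map a packet from the public side back to the internal host.

        Returns None when the destination port has no table entry: the device
        has nowhere to send it, so it is dropped. This is why unsolicited
        inbound traffic does not reach hosts behind PAT.
        """
        if pkt.dst_ip != self.public_ip or pkt.dst_port not in self._in:
            return None
        ip, port = self._in[pkt.dst_port]
        return Packet(pkt.src_ip, pkt.src_port, ip, port)
```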
