; To NAT or Not
Learning Center
Plans & pricing Sign in
Sign Out
Your Federal Quarterly Tax Payments are due April 15th Get Help Now >>

To NAT or Not


  • pg 1
									    “To NAT or Not?”
Kent Reuber (reuber@stanford.edu)
•   What is NAT?
•   Why would you want to use NAT?
•   How NAT works
•   How NAT firewalling works
•   Things that don’t work with NAT
•   Considerations when deploying NAT
•   Q&A
           What is NAT?
• NAT = “Net Address Translation”
• Several different methods (“one-to-one”, “many-to-
  one”. For the gory details, see RFC 1613
• Most frequently encountered method is the one used
  in home broadband routers which “hide” an entire
  non-routable network range behind a single routable
  “public” IP address.
• Ref: Bill Dutcher: “The NAT Handbook” (Wiley)
   Why would you want to
        use NAT?
• Allows you to buy a single IP address from your ISP
  and share that address among a large number of
  devices. (May save $$)
• All devices on the local network can access the
  outside net (usually the Internet) at the same time,
  though the bandwidth is shared.
• Firewall: Outside hosts can *reply* to hosts behind
  the NAT router, but the inside hosts have to initiate
  the session. (Note: there are some ways around
          NAT router setup
• NAT routers are given two
  IP’s addresses:
   – 1 non-routable (LAN -- you)
   – 1 routable (WAN – ISP)
• Machines on LAN side get                QuickTime™ and a
                                      TIFF (LZW) decomp resso r
  special non-routable             are neede d to see this picture.
  addresses (usually 10.*.*.*
  or 192.168.*.*).
   – No IP addresses in these
     ranges are routed on the
           How NAT works
• Normal routers maintain
  source and destination IP
  addresses from end-to-end               QuickTime™ and a
                                      TIFF (LZW) decompressor
                                   are neede d to see this picture.
• NAT routers change IP
  addresses and port
   – Outgoing packets appear to
     come from the NAT router’s
     public address.
   – NAT routers keep track of
     each “flow” so that replies          QuickTime™ and a
                                      TIFF (LZW) decompressor
                                   are neede d to see this picture.
     can be returned.
     (Destination address
How NAT firewalling works
                                QuickTime™ an d a
                            TIFF (LZW) decomp ressor
                         are need ed to see this p icture .

• Suppose a host (either friendly or malicious sends a packet to
  the NAT router without the connection being initiated from the
  inside). Remember, it can’t send directly to the hosts on the
  other side -- they have non-routable addresses!
• Since there is no entry in the flow table, the NAT router has no
  idea where to forward it and drops the packet. Instant firewall!
    Circumventing the NAT
     firewall (if you must)
• You may want to run a server behind your NAT router. How do
  you let in some traffic?
• NAT routers have a limited ability to “port forward”, sending all
  traffic to a given computer on the internal net and bypassing the
  flow table.
• For example:
    – Send all Web traffic (port 80) to
    – Send all mail traffic (port 25) to
• You can get hacked if forwarded port is vulnerable! For
  example, if your IIS Web server isn’t patched, your firewall
  won’t help you. Always keep services with open ports patched.
What doesn’t work through
      a NAT router
• It’s best to think of NAT routers as “one way mirrors”.
   – You can see out but people can’t see in.
• Protocols that break are usually servers or protocols
  that are sensitive to tampering:
   – X Windows: Use “ssh +X” from the client side (behind the
     router) to set up your session.
   – Many VPN’s won’t allow connections through NAT. NAT
     packet rewriting looks like tampering. Stanford VPN can
     use UDP which circumvents this limitation. Other company
     VPN’s may not.
  Considerations: Should
     You Use NAT?
• It’s your only choice if you get 1 address from your
  ISP and you want to create a network.
   – For Stanford West and Welch Rd. Apts., you can get
     multiple IP addresses, so that you don’t necessarily need
• Firewall features may be appealing, but you may still
  want a publicly accessible machine.
   – May want to put one or more hosts on the public side of the
     NAT (e.g., file server).
   – You should keep most private information (e.g., bank
     accounts) on the private side.
Example home network:
Mixed public/NAT setup

              QuickTime™ and a
          TIFF (LZW) decompressor
       are neede d to see this picture.
 Can/Should you use NAT
   routers on campus?
• Usually done for a small group/lab, not an entire department.
  Use with caution. You may want to talk to Networking first.
• You must not send DHCP replies on WAN Ethernet side as this
  will disrupt other users. Disrupting network access is a great
  way to get disconnected!
• If a host behind your NAT is compromised (e.g., from being
  hacked while off-site), and attacks some host, we are legally
  obligated to shut it down the host where the attack originates.
   – The only visible address that we can disable is your NAT router.
   – This will take down your whole private net!

To top