CertiGuide to Security+  9  Chapter 3:  Infrastructure Security (Domain 3.0; 20%)       9  3.3  Security Topologies

3.3.2  VLANs (Virtual LANs) 1 Types of NAT

NAT, or Network Address Translation, allows devices on private networks to communicate with outside networks by “translating” between the network address conventions used by each. This enables you to hide your internal network from the Internet.

Typically, NAT is used by an organization connecting its internal network, using a private IP address range, to the Internet. Recall that there is a private IP address range for each Class of TCP/IP network. Since these private IP address ranges cannot be used directly on the Internet, NAT was developed to act as a go-between, mapping internal host, port and connection information, to external connections.

NAT is most commonly used in TCP/IP networks, and its operation is specified in RFC 1631³³¹. It works at OSI layer 3 (the same layer as routers).

When constructing packets to be sent out on the Internet, NAT should be applied to the packet before the IPSec encapsulation is performed. The reason for this is that IPSec relies on IP address information in each packet not changing between the time the IPSec encapsulation is applied, and the time the packet is received at the destination IPSec-enabled device. If NAT were applied after IPSec, it would change addresses in data headers and control packets, confusing IPSec.

NAT can also be used for tunnel mode IPSec, with the ESP protocol (which does not guard against the address changes that NAT devices make in the IP datagram header). For more information on combining NAT with IPSec, see this Cisco article.³³²

3.3.2  VLANs (Virtual LANs) 1 Types of NAT