3.3.3 NAT (Network Address Translation)
NAT, or Network Address Translation, allows devices on private networks to communicate with outside networks by translating between the network address conventions used by each. This enables you to hide your internal network from the Internet.
Typically, NAT is used by an organization connecting its internal network, which uses a private IP address range, to the Internet. Recall that there is a private IP address range for each Class of TCP/IP network. Since these private IP address ranges cannot be used directly on the Internet, NAT was developed to act as a go-between, mapping internal host, port and connection information to external connections.
NAT is most commonly used in TCP/IP networks, and its operation is specified in RFC 1631.331 It works at OSI layer 3 (the same layer as routers).
When constructing packets to be sent out on the Internet, NAT should be applied to the packet before the IPSec encapsulation is performed. The reason for this is that IPSec relies on the IP address information in each packet not changing between the time the IPSec encapsulation is applied and the time the packet is received at the destination IPSec-enabled device. If NAT were applied after IPSec, it would change addresses in data headers and control packets that IPSec has already protected, so the receiving device would reject them as modified.
NAT can also be used for tunnel mode IPSec with the ESP protocol (whose integrity check does not cover the IP datagram header, so the address changes that NAT devices make there do not cause the packet to fail verification). For more information on combining NAT with IPSec, see this Cisco article.332
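The mapping of internal host and port information to one public address described above, and the reason ordering matters when NAT is combined with IPSec, as an added example that is not part of the original text: a minimal port-based NAT with a connection table, beside an AH-style integrity tag (covering the IP addresses) and an ESP-style tag (covering only the payload). The `Nat` class, the tag functions, the key and the packet format are all assumptions made for this illustration, not any real implementation.

```python
import hashlib
import hmac
import ipaddress

KEY = b"demo-ipsec-integrity-key"  # constructed sample key, not a real one

def is_private(ip: str) -> bool:
    # RFC 1918 and other non-routable ranges: cannot appear as a source on the Internet
    return ipaddress.ip_address(ip).is_private

class Nat:
    """Port-based NAT: many internal (host, port) pairs share one public address."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip, self.next_port = public_ip, first_port
        self.out = {}   # (src, sport, dst, dport) -> public port
        self.back = {}  # public port -> (src, sport)

    def translate_out(self, pkt: dict) -> dict:
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if key not in self.out:                       # new connection: allocate a port
            self.out[key] = self.next_port
            self.back[self.next_port] = (pkt["src"], pkt["sport"])
            self.next_port += 1
        return dict(pkt, src=self.public_ip, sport=self.out[key])

    def translate_in(self, pkt: dict):
        # Replies are mapped back; unsolicited inbound packets have no entry and are dropped
        if pkt["dst"] != self.public_ip or pkt["dport"] not in self.back:
            return None
        src, sport = self.back[pkt["dport"]]
        return dict(pkt, dst=src, dport=sport)

def ah_tag(pkt: dict) -> bytes:
    # AH-style check: the IP addresses are part of the authenticated data
    data = f'{pkt["src"]}|{pkt["dst"]}|{pkt["payload"]}'.encode()
    return hmac.new(KEY, data, hashlib.sha256).digest()

def esp_tag(pkt: dict) -> bytes:
    # ESP-style check: only the protected payload is authenticated, not the outer header
    return hmac.new(KEY, pkt["payload"].encode(), hashlib.sha256).digest()

def tags_survive_nat(nat: Nat, pkt: dict) -> dict:
    """Which tags, computed before NAT rewrites the packet, still verify afterwards."""
    after = nat.translate_out(pkt)
    return {"ah": hmac.compare_digest(ah_tag(pkt), ah_tag(after)),
            "esp": hmac.compare_digest(esp_tag(pkt), esp_tag(after))}
```

An inbound packet with no matching table entry is dropped, which is the sense in which NAT hides the internal hosts: nothing outside can reach them unless they opened the connection first.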
332. Phifer, Lisa, The Trouble with NAT, http://www.cisco.com/warp/public/759/ipj_3-4/ipj_3-4_nat.html
CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004
Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved.