
Network Address Translation: Hiding in Plain Sight

By Mike Fratto

With a WAN connection and an IP address, just about anyone can get on the Internet; it's just too bad valid IP address space is so scarce. You can try renumbering your IP network to resolve conflicts, but renumbering takes time, and you risk breaking legacy applications in the process.

Additionally, with address space so tight, obtaining a registered IP address from your service provider can be difficult, not to mention expensive. IPv6 will resolve the address-space crunch (see "'Six' Appeal," at www.networkcomputing.com/916/916f1.html), but many organizations have committed to using unregistered addresses for their networks, and the move from IPv4 to IPv6 won't happen overnight.

So, if you are planning to get onto the Internet now, you will need registered address space from your provider. NAT (Network Address Translation) can soothe some of your headaches.

NAT resolves IP address conflicts by replacing unregistered addresses with registered ones in IP packets (though the fact that NAT changes IP addressing in the packets leads IP purists to consider NAT an ugly hack).

NAT functionality is built into devices such as network routers, firewalls, ISDN routers and standalone NAT devices. NAT devices maintain state tables that map unregistered IP addresses on one side of the devices to registered addresses on the other side.

Each packet that belongs to a NAT session and passes through the device is translated to the proper address before being forwarded to the next hop. This requires some processing overhead, but the hit on most networks is negligible unless you are applying NAT to a large number of hosts on a very fat pipe.

Be aware that NAT is not a security scheme and delivers no safeguards to your network. NAT masquerades IP addresses on the external interface, but this won't stop covert tricks to snoop on connections, steal sessions or otherwise compromise your network. Security measures such as packet filtering, tunneling and firewalling are provided by other mechanisms.

But at the same time, NAT is becoming more common on devices that examine IP packets, such as firewalls and routers; since these devices are already in the packet, the processing to swap addresses is minimal.

There are three kinds of NAT: static NAT, pooled NAT and port-level NAT (sometimes referred to as Port Address Translation, or PAT). Static NAT is the simplest to set up. Each host on the internal network is permanently mapped to an address on the external network. Pooled NAT defines a pool of addresses on the external network that are allocated dynamically to internal hosts. PAT maps internal connections to a single IP address on the external network, but with a TCP port number selected by the NAT device. Depending on what you want to accomplish, each strategy has advantages and disadvantages.

We used all three NAT methods with great success, both in test beds at Network Computing's Syracuse University Real-World Labs® and on production networks. Now, let's take a look at the finer points of NAT and see how it can be deployed.

Making It Happen

The router or NAT device listens for packets that it knows about and translates the source or destination addresses as needed before passing them out another interface. This allows privately addressed machines to access resources otherwise unavailable. We have successfully mixed static NAT and pooled NAT on our Cisco Systems 4700 router.
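To make the state-table behaviour of the three NAT modes concrete, here is an added example (not code from the article or from any NAT device): a toy translator that maps outbound packets in static, pooled and PAT mode, translates replies back using the stored state, and refuses to translate when a host has no static mapping, when the pool is exhausted, or when an inbound packet matches no entry. All addresses, ports and the starting PAT port are constructed values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class NatDevice:
    """Constructed NAT state table: mode is 'static', 'pooled' or 'pat'."""
    def __init__(self, mode, static_map=None, pool=None, pat_addr=None):
        self.mode = mode
        self.static_map = dict(static_map or {})  # inside IP -> registered IP
        self.pool = list(pool or [])              # free registered addresses
        self.pat_addr = pat_addr                  # single registered address for PAT
        self.next_port = 40000                    # constructed starting port for PAT
        self.table = {}                           # inside key -> outside key
        self.reverse = {}                         # outside key -> inside key

    def _outside(self, pkt):
        # Pick a translation for a new inside key, or None if none can be made.
        if self.mode == "static":
            return self.static_map.get(pkt.src)   # None: host has no mapping
        if self.mode == "pooled":
            return self.pool.pop(0) if self.pool else None  # None: pool exhausted
        self.next_port += 1                       # PAT: device-chosen port
        return (self.pat_addr, self.next_port)

    def outbound(self, pkt):
        # Static and pooled NAT map whole hosts; PAT maps individual connections.
        key = pkt.src if self.mode != "pat" else (pkt.src, pkt.sport)
        if key not in self.table:
            out = self._outside(pkt)
            if out is None:
                return None
            self.table[key] = out
            self.reverse[out] = key
        out = self.table[key]
        if self.mode == "pat":
            return Packet(out[0], out[1], pkt.dst, pkt.dport)
        return Packet(out, pkt.sport, pkt.dst, pkt.dport)

    def inbound(self, pkt):
        # A reply is addressed to the registered address; find the inside host.
        key = pkt.dst if self.mode != "pat" else (pkt.dst, pkt.dport)
        inside = self.reverse.get(key)
        if inside is None:
            return None                           # no state entry: drop it
        if self.mode == "pat":
            return Packet(pkt.src, pkt.sport, inside[0], inside[1])
        return Packet(pkt.src, pkt.sport, inside, pkt.dport)
```

Note that the device only drops unsolicited inbound packets because it has no entry to translate them to; as the article says, that is a side effect of translation, not a security control.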
