Network Address Translation and Port Address Translation

Video Activity

Time
15 hours 43 minutes
Difficulty
Advanced
CEU/CPE
16
Video Transcription
Now for our next section, we want to talk about two very closely related services called NAT and PAT. NAT and PAT stand for network address translation and port address translation. They're an extension beyond an older technology called Internet Connection Sharing, so we'll look at both of those and we'll talk about the problems that they solve.
Let's start out by talking about Internet Connection Sharing, and I'm going to take us back to the olden days. My son refers to anything prior to the year 2010 as the olden days. That's nice around the house. Thanks, son. But anyway, back in the olden days, and I bet many of you can remember the days of modems. I remember my first computer; it had like 50 megs of hard drive space, two megs of RAM, and I was thrilled with that computer. It was the fastest game in town at the time that I got it. If you remember connecting up to the Internet, and if you close your eyes, I bet many of you can still hear that modem connecting, that sound, and then you connect in, maybe to America Online. You've got mail. You could have been connected to MindSpring or EarthLink or whatever. But back in those days, computers were so expensive that by the time they came down to be cheap enough to have a home computer, maybe $3,000 or $4,000, we then had to make sure our system had a modem in it, and we would use that modem to take the digital information in our systems, translate it to analog so that it could go across the analog phone lines up to the Internet, to our Internet service provider.
What happened with that? Maybe we paid 19.95 for MindSpring or EarthLink or whatever. Then what happened is the price of computers started going down lower and lower and lower. So many of us decided, "Hey, let me get a second computer. This one maybe is for the kids or whatever." Now, when I had a second computer, of course, I wanted to connect it to the Internet as well, so I'd call America Online and I would say, "Hey, I want a second computer connected to AOL." They said, "Great, here's what you do. Call the phone company and get a second phone line, then pay us another 19.95 a month, and voila, you're connected to the Internet with two computers." Well, I don't want a second phone line, and I certainly don't want to pay another 20 bucks a month.

Microsoft at that time, with Windows 98, said, "Don't do that. Here's what you do. You take that computer you've been using and you install a second network card in it. Network card for like 15, 20 bucks, very cheap, and you connect computer B to computer A with a crossover cable so that all traffic from computer B goes through computer A before it goes to the Internet." What happens is you have two network cards in your first computer. One has a public IP address connected to the Internet, the other has an internal IP address connected to computer B. Everything that came from computer B goes through computer A. Computer A strips off the true source address and replaces that true source address with its own external interface. That way, no matter who the traffic is from, it looks like all the traffic is coming from computer A. That is Internet Connection Sharing. You have two hosts, one connected to the Internet, and the second sends all traffic through that connected host, and we only have to pay for one subscription to AOL. We don't need a second phone line. There you go. Now what we've really done is turn computer A into a router. It's got two interfaces to two different networks.
Internet Connection Sharing was the first exposure that many people had to what's called network address translation, or NAT. Network address translation is a service that runs on proxy servers. It runs on routers; it runs on firewalls if you install it. If you look in the middle at the NAT device, it's a router. You see one port on the router is connected to the internal network, that 192.168.0.1, and then the other interface is connected out to the public Internet with an IP address that the Internet service provider has assigned that NAT device. This is what's going on at home when you have your cable modem, for instance, which is really a router: you have a line from your Internet service provider coming in with a public IP address that's assigned to that interface, and then everything else connected into your router is on an internal IP address, and it's probably on the 192.168.0.1 network.

Now that NAT device acts like a DHCP allocator; it provides IP addresses to all your internal computers on the same network. As I continue to connect hosts, that internal interface of my router says, "Okay, your IP address is 192.168.0.11 or 0.10," and so on and so forth. It manages, if you will, the IP address assignment of all these internal hosts, and all traffic going through that router has the true source address stripped, and all those source addresses are replaced by the external router's interface. Every bit of traffic on the network looks like it's coming from 137.186.57.8, all of it, regardless of who really initiated the communication.

Now what that does is it allows me to have my own internal addressing scheme that's hidden from external users out on the Internet, and it also prevents users out on the Internet from directly connecting into internal hosts if they're the ones initiating the connection. No one's going to know how to get through my network to a specific server. Also, it allows me to use a specific range of IP addresses that are set aside for internal public use only. I'm going to look at those in just one second. But you can see here 192.168. That's one of those public address ranges that you can only use inside your network. I just want you to see we've got an internal network on the left, we have a NAT device that has an interface on the internal network, we have an external interface connected up to my Internet service provider, and every bit of traffic that comes through going out to the network has the external interface of the NAT device.
Now here's the problem, though. If I have 30 different internal hosts, or even two or three internal hosts, when they send out a communication to this server in the upper right, and its destination is 1.23.28.43, all traffic has the true source address stripped, and the NAT device replaces the true source with its own external IP address. When that server responds back, it responds back to the 137.86.57.8 IP address. How does that NAT device then know to send it to computer 1 versus computer 2 versus computer 3? The answer is, with just NAT, it doesn't know. NAT was designed for use with one internal host and one external interface. One internal interface, one external. It was only designed to hide an internal IP address from the outside. For every internal IP address, you would have had to have had an external IP address.

What we use now is called port address translation. What happens is, as computer 1 goes through the NAT device, the NAT device strips computer 1's IP address, replaces it with its public IP address, and then it appends an arbitrary port number, in this case 5689. Then it keeps a list of that in its port table that says computer 1 is using port number 5689. That way, when the Internet host sends traffic back, that traffic will be addressed to 137.186.57.8, port 5689. That comes to the NAT device. It says, "Oh, 5689 is computer 1. Let me forward that traffic to computer 1." Long story short, true NAT is a one-to-one mapping. Port address translation is what we need to have a one-to-many mapping: one external IP address and many internal hosts.
Now I've mentioned the other benefit here is that we can use internal private IP addresses that cannot present themselves out on the public Internet. Internet routers will drop anything with a source or destination of these IP address ranges. That helps prevent spoofing, that helps us understand what's internal and what's external traffic, and that keeps our hosts from going out to the Internet in some unauthorized fashion, or at least that helps against it. There was a specific RFC, request for comment 1918, that said these three address ranges will be set aside and reserved for internal use only: traffic on the 10 network, traffic on the 172.16 network through the 172.31 network, and then the last is the 192.168 network. Those three addresses are reserved so that we can have a set, defined addressing scheme for inside versus what's outside.
Now of course, if we're looking at having many internal hosts for a single external address, we've got to think about this being a potential bottleneck, because I might have 200 internal hosts all trying to use the same external interface, and that may not work. We've got to consider performance. Also, this isn't anything that's going to protect us against bad content or malware, but it is a way of hiding our internal IP addresses.

In this video, we talked about Internet Connection Sharing, which came out in Windows 98 Second Edition, that allowed us to hide a computer behind another one so that we could take advantage of the Internet connection and share it between two hosts. Network address translation and port address translation really are kind of extensions of that, in which NAT allows me to have a hidden internal IP address while PAT allows me to have multiple hidden internal addresses.