1354 Views, 0 Helpful, 12 Replies

I am in trouble with NAT explained by Forouzan

Ub
Level 1

Can someone explain to me why the book states: "two private-network hosts cannot access the same external server program (e.g. HTTP or TELNET) at the same time" and "no private-network host can access two external server programs (e.g. HTTP and TELNET) at the same time"? Thank you.

Attachments: IMG_20190416_202730.jpg, IMG_20190416_202601.jpg, IMG_20190416_202439.jpg, IMG_20190416_200507.jpg


12 Replies

shaps
Level 3
It would appear the author is trying to convey the differences between PAT and NAT: the former uses a combination of port and IP addresses in the translation table, which allows for more granularity, as opposed to pure NAT, which only maps against certain IPs and does not take the port information into account.
I would imagine the next chapters will go into detail on this point.

I think the focus is different because the author is talking about the possibility of using a pool of IP addresses within the NAT, not the PAT.

The author is explaining the limitation of NAT using just one global address and using a (small, in this case 4) pool of global addresses. NAT runs into problems when there's a conflict/overlap of IP addresses (non-pool) or UDP/TCP ports (pool). For this reason, most modern NAT implementations are actually PAT, where UDP/TCP ports are dynamically reassigned. Unfortunately, PAT has its own issues, in that some protocols "embed" port number usage. For those, a "good" PAT implementation will modify the contents of the packet (beyond the IP and UDP/TCP headers). Also, PAT is limited to the number of concurrent flows due to the limitation of the size of the port number, although it's unusual to bump into that limitation.

Can you please explain better which issues can occur using NAT, with reference to my question?

The author appears to explain the IP overlap and/or (UDP/TCP) port number overlap issues well, until you use PAT (NB: the author doesn't refer to it as PAT, I believe, in what's shown in your OP, but that's what's being described in the section that starts with "Using Both IP Address and Port Addresses"). What, specifically, do you believe needs better explanation?

For example, in the case of a single global IP, looking at figure 4.43, if two of the internal hosts tried to communicate with the same destination IP at the same time, and your translation table only has IPs, how do you tell which internal host the return traffic is for, as the return traffic will have the same destination and source IPs? The problem, then, is that you cannot.

If you also kept track of port numbers, and if the two hosts used different port numbers, then you would be okay, but if they don't, i.e. both hosts used the same port numbers, again you cannot tell to which internal host return traffic should be directed.

The issue is, although the NAT router can tell the internal host apart by their internal IPs, all internal IPs map to the same global IP, so the NAT router needs something "else" to tell the traffic, for different internal hosts, apart. This might be different external host IPs or it might be different port numbers. However, if multiple internal hosts create external packets that look alike (after they are NATted), then you cannot, again, tell to which internal host that traffic belongs.

Thank you. But if I think, let's say, the NAT router uses a pool of IPs to distinguish two internal hosts (according to what the book is stating), now I can suppose the NAT router can recognize two different communications thanks to two different public IP addresses of the pool. In fact the public IPs can map two internal IPs and the hosts can communicate with the same server without problems.

Yes, the book notes you can have multiple connections to the same external host, when using a pool, but you're limited to the number of connections in the pool.

You write "In fact the public IPs can map two internal IPs and the hosts can communicate with the same server without problems.", which appears to disagree with the book, but reading more carefully what the book says, I don't agree with it either.

For a pool of IPs it says "No private-network host can access two external server programs (e.g., HTTP and TELNET) at the same time." This would only be true if the NAT was mapping those internal host's source port to be the same port number. As I understand NAT, it should leave port assignment alone and only change the source IP. If so, what the author says here that shouldn't work should work.

e.g.
172.18.3.1 1.1.1.1 49152 80 => NAT (pool) => 200.24.5.8 1.1.1.1 49152 80
172.18.3.1 1.1.1.1 49153 23 => NAT (pool) => 200.24.5.8 1.1.1.1 49153 23

The author continues with "And, likewise, two private-network hosts cannot access the same external server program (e.g., HTTP or TELNET) at the same time." Here too, with different pool IPs assigned, the distinction between different private-network hosts can be maintained, so again, I would say it should work.

e.g.
172.18.3.1 1.1.1.1 49152 80 => NAT (pool) => 200.24.5.8 1.1.1.1 49152 80
172.18.3.2 1.1.1.1 49153 80 => NAT (pool) => 200.24.5.9 1.1.1.1 49153 80

If the above is what you question, I believe it may be incorrect. (Sorry, I didn't read what the author was saying more carefully, earlier. I thought you were just questioning why the NAT with one IP, or even with a pool of IPs, might be problematic. From experience, I can say I don't recall ever having an issue with NAT using a pool of IPs, as long as you don't run out of pool IPs. I've had issues with PAT, especially earlier Cisco implementations, when it doesn't mitigate application embedded port numbers.)
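The three translation tables being argued over in this thread (IP-only table with a single global IP, a 1:1 pool of global IPs, and IP+port, i.e. PAT) can be modelled directly. The following is an added example, not code from any post in the thread; it reuses the thread's own addresses (172.18.3.x, 200.24.5.8/9, 1.1.1.1) and constructs two flows per scenario. The mode names, the translated-port range (40000 upward) and the "reply lands at the wrong place" reporting are my assumptions. It shows that an IP-only table with one global IP cannot deliver replies when two internal hosts talk to the same server, while a 1:1 pool delivers both of Joe's examples correctly, and that a pool fails only when it runs out of addresses.

```python
"""Model of NAT translation tables: 'nat' (one global IP, IP-only table),
'pool' (1:1 private-to-global mapping, ports untouched) and 'pat'
(IP + port). Constructed for illustration; not from the book or the thread."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


class Translator:
    def __init__(self, mode: str, global_ips: List[str]):
        assert mode in ("nat", "pool", "pat")
        self.mode = mode
        self.global_ips = list(global_ips)
        # reply-side lookup key -> set of private endpoints that produced it.
        # More than one endpoint under a key means replies are ambiguous.
        self.table: Dict[tuple, Set[Tuple[str, Optional[int]]]] = {}
        self.pool_assign: Dict[str, str] = {}  # private IP -> pool IP (pool mode)
        self.next_port = 40000                 # next translated port (pat mode)

    def _pool_ip(self, private_ip: str) -> str:
        """Hand each private host its own global IP; fail when the pool is empty."""
        g = self.pool_assign.get(private_ip)
        if g is None:
            used = set(self.pool_assign.values())
            free = [ip for ip in self.global_ips if ip not in used]
            if not free:
                raise RuntimeError("NAT pool exhausted")
            g = free[0]
            self.pool_assign[private_ip] = g
        return g

    def outbound(self, pkt: Packet) -> Packet:
        """Translate a private->external packet and record what the reply will carry."""
        if self.mode == "pat":
            g, gport = self.global_ips[0], self.next_port
            self.next_port += 1
            key = (g, gport, pkt.dst_ip, pkt.dst_port)
            private = (pkt.src_ip, pkt.src_port)       # port is part of the table
            out = Packet(g, pkt.dst_ip, gport, pkt.dst_port)
        else:
            g = self.global_ips[0] if self.mode == "nat" else self._pool_ip(pkt.src_ip)
            key = (g, pkt.dst_ip)                       # only IPs are in the table
            private = (pkt.src_ip, None)                # port is not recorded
            out = Packet(g, pkt.dst_ip, pkt.src_port, pkt.dst_port)  # port untouched
        self.table.setdefault(key, set()).add(private)
        return out

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate an external->private reply; None if unknown or ambiguous."""
        if self.mode == "pat":
            key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        else:
            key = (pkt.dst_ip, pkt.src_ip)
        candidates = self.table.get(key, set())
        if len(candidates) != 1:
            return None
        priv_ip, priv_port = next(iter(candidates))
        return Packet(pkt.src_ip, priv_ip, pkt.src_port,
                      pkt.dst_port if priv_port is None else priv_port)


def reply_to(out: Packet) -> Packet:
    """The server's answer: addresses and ports swapped."""
    return Packet(out.dst_ip, out.src_ip, out.dst_port, out.src_port)


def run(mode: str, global_ips: List[str], flows: List[Packet]) -> List[Optional[tuple]]:
    """Open all flows concurrently, then report where each server reply lands."""
    nat = Translator(mode, global_ips)
    outs = [nat.outbound(f) for f in flows]
    results = []
    for o in outs:
        r = nat.inbound(reply_to(o))
        results.append(None if r is None else (r.dst_ip, r.dst_port))
    return results


# Constructed scenarios, using the thread's addresses.
TWO_HOSTS_SAME_SERVER = [Packet("172.18.3.1", "1.1.1.1", 49152, 80),
                         Packet("172.18.3.2", "1.1.1.1", 49153, 80)]
ONE_HOST_TWO_SERVICES = [Packet("172.18.3.1", "1.1.1.1", 49152, 80),
                         Packet("172.18.3.1", "1.1.1.1", 49153, 23)]
SINGLE = ["200.24.5.8"]
POOL = ["200.24.5.8", "200.24.5.9"]

if __name__ == "__main__":
    for mode, ips in (("nat", SINGLE), ("pool", POOL), ("pat", SINGLE)):
        print(mode, "two hosts, same server:", run(mode, ips, TWO_HOSTS_SAME_SERVER))
        print(mode, "one host, HTTP+TELNET: ", run(mode, ips, ONE_HOST_TWO_SERVICES))
```

With a single global IP and an IP-only table, both replies in the two-hosts scenario come back as `None`: the router has nothing to tell them apart. The pool delivers both flows in both scenarios without touching ports, which is Joe's point; PAT also delivers both, at the cost of rewriting the source port (which is what breaks protocols that embed port numbers in the payload). Adding a third host to the two-address pool raises the "pool exhausted" error.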

Thank you. Your answer is so interesting. Anyway, I think the author does not include in his reasoning the mapping of the source ports by the NAT router. But, even if this were true, you are right that you can distinguish two communications by using a pool of IPs, and so the "And, likewise, two private-network hosts cannot access the same external server program (e.g., HTTP or TELNET) at the same time" might be incorrect. On the other hand, the "No private-network host can access two external server programs (e.g., HTTP and TELNET) at the same time" might be correct due to the absence of port numbers in the translation table, which allow to distinguish different sessions between client and server programs.

Just to add, I am with Joe on this one and think both should work assuming the use of a NAT pool.

As long as each internal host is mapped to a different IP in the pool then ports don't really matter, because they are not modified, so all traffic (doesn't matter what application is being used) is simply sent back to the internal client.

Jon

Thank you Jon. This is what I actually think.

"On the other hand, the "No private-network host can access two external server programs (e.g., HTTP and TELNET) at the same time" might be correct due to the absence of port numbers in translation table which allow to distinguish different sessions between client and server programs. "

As long as the NAT doesn't touch port numbers, again, it should be okay. My second example shows a 1:1 exchange of internal host source IPs with the NAT pool IPs. As the former (i.e. original packets) should work fine (except for possibly using private IPs), the latter (i.e. NATted IPs) should too. Jon appears to agree. (BTW, Jon, thanks for joining the thread, very nice to have another set of eyes on this!)

Also again, the only issue I recall ever having with "ordinary" NAT, using a pool of IPs, is running out of pool IPs.

Thank you. We all are very kind.