Network Address Translation
Overview
Network Address Translation (NAT) converts private IP addresses in your private network to
globally unique public IP addresses for use on the Internet. Although NAT was originally
implemented as a hack to make more IP addresses available to private networks, it has a
serendipitous security aspect that has proven at least as important—internal host hiding.
Network Address Translation effectively hides all TCP/IP level information about your internal hosts−
from hackers on the Internet by making all your traffic appear to come from a single IP address.
NAT also allows you to use any IP address range you want on your internal network (even if those
addresses are already in use elsewhere on the Internet, although you won't be able to reach public
servers on the public Internet that are within the range of addresses you use on your private
Internet). This means you don't have to register a large, expensive block from ARIN or your ISP or
reassign network numbers from those you simply plugged in before you connected your network to
the Internet.
NAT hides internal IP addresses by converting all internal host addresses to the address of the
firewall (or an address responded to by the firewall) as packets are routed through the firewall. The
firewall then retransmits the data payload of the internal host from its own address using a
translation table to keep track of which sockets on the exterior interface equate to which sockets on
the interior interface. To the Internet, all the traffic on your network appears to be coming from one
extremely busy computer.
Note RFC 1631 describes Network Address Translation.
NAT is actually a fundamental proxy: a single host makes requests on behalf of all internal hosts,
thus hiding their identity from the public network. Windows NT did not provide this function, however
Windows 2000 and subsequent Microsoft operating systems can provide Network Address
Translation for computers connecting through them to outside networks (and the Internet). Many
versions of Unix provide or can use publicly available IP masquerade software. All modern firewalls
provide NAT.
NAT is implemented only at the transport layer. This means that information hidden in the data
payload of TCP/IP traffic could be transmitted to a higher level service and used to exploit−
weaknesses in higher level traffic or to communicate with a Trojan horse. You'll still have to use a−
higher level service like a proxy to prevent higher level service security breaches.− −

Tip NAT is so effective at IP address re use that the implementation of IP version 6 has been−
practically stalled due to lack of interest, and the threat of IP address scarcity has been
eliminated for the foreseeable future. NAT allows an entire class A sized network to hide−
behind a single IP address.
NAT Explained
To perform Network Address Translation, firewalls maintain a table of interior sockets matched to
exterior sockets. When an interior client establishes a connection to an exterior host, the firewall
changes the source socket to one of the firewall's exterior sockets and makes a new entry in the
translation table indicating the actual interior source socket, the destination socket, and the mated
128
firewall socket.
When an exterior host sends data back to the interior hosts socket, the firewall performs the reverse
translation. If no entry exists in the translation table for the socket addressed or if the IP address of
the source is different than the address the firewall expects to see, then the packet is dropped.
This is easiest to explain with an example. Let's say that interior host 192.168.1.9 wants to establish
a web session with exterior host 10.50.23.11. Using the next available port, 192.168.1.9:1234
transmits a TCP packet to 10.50.23.11:80.
Router/Firewall (192.168.1.1 interior address, 10.0.30.2 exterior address) receives the packet, and
makes the following record in its translation table:
•
Source 192.168.1.9:1234
Public Host 10.50.23.11:80
Translation 10.0.30.2:15465
It then transmits the packet on the Internet using the translated IP address and port number, so
10.50.23.11:80 (the public host) receives a connection attempt coming from 10.0.30.2:15465 (the
firewall's exterior address). When the public host transmits back, it responds to the source that it
thinks originated the request: 10.0.30.2:15465 (the firewall's exterior address).
Upon receiving the packet, the firewall searches its translation table for a matching socket and finds
it. It then verifies that the source of the packet is the same as the public host recorded in the
translation table when the entry was made. The presence of a table entry confirms that the packet

was requested by an internal host—had the packet not been requested, no translation entry would
be present matching both the translated socket and the recorded public host socket. If no matching
entry is found, the packet is dropped and logged.
The firewall then modifies the packet with the internal source client's socket number and passes it to
the interior network for transmission to the ultimate client.
On the public host side, NAT is also being used in "port forwarding" mode—the web server in this
case is protected by another NAT, which is configured to receive connections on its public IP
address and translate them to the interior of the network. Unlike the NAT on the browser's
connection, this configuration is not automatic; the administrator must specifically configure the NAT
device for this translation.
In this example, the NAT receives an HTTP connection on 10.50.23.11:80. It examines its port
forwarding tables and sees that port 80 is mapped to the interior host 192.168.0.5:80. So the NAT
rewrites the IP address from 10.50.23.11:80 to 192.168.0.5:80 and forwards the packet. On the
return stream, it performs the inverse translation, so the packet sent to 10.0.30.2:1234 (the
browser's NAT's public IP address) from 192.168.0.5:80 is rewritten to come from 10.50.23.11:80 by
the NAT device. Figure 7.1 illustrates this process.
129
Figure 7.1: Network Address Translation
Because NAT changes the IP address in the packet, it is almost always necessary to make entries
in your routing tables to make sure translated packets reach their proper destination inside your
network.
In the case of port forwarding, no "dynamic" entry needs to be made or remembered—the IP
address rewriting is the same coming and going for every host. Port forwarding is therefore slightly
simpler and doesn't require a substantial amount of RAM on the NAT device.
Warning Since NAT performs only simple substitutions at the packet layer, it does not need to
perform complex analyses on the contained data, as application proxies must. This
means that most implementations of NAT are nearly as fast as straight routing. NAT
requires far less processor overhead than higher level application proxying. Firewalls−
performing Network Address Translation must have at least one valid public IP address,
and that address cannot be concealed.

Since Network Address Translation changes the contents the contents of the IP header, systems
that rely on that data remaining unchanged (such as Header Authentication in IPSec, the Internet
Protocol Security suite of protocols) will not work through a NAT. Another difficulty with IPSec is that
NATs have a difficult time differentiating IPSec traffic coming from multiple interior clients, so
firewalls that perform IPSec passthrough typically only allow one interior client at a time to establish
IPSec tunnels to exterior locations.
Warning
NAT and IPSec don't mix well. Either have your firewall be the end point of your
VPN connection (in the ideal situation) or expect only one interior client at a
time to use the IPSec passthrough feature of your firewall and kiss header
authentication good bye while you're at it.−
130
Translation Modes
Many firewalls support various types of Network Address Translation. The four primary functions of
a NAT firewall are defined below in order of their popularity and availability:
• Dynamic Translation (also called NAPT, or IP Masquerade) Wherein a large group of
internal clients share a single or small group of internal IP addresses for the purpose of
hiding their identities or expanding the internal network address space. Ports on the single
public IP address can be forwarded to specified private IP addresses.
• Static Translation Wherein a specific block of public addresses are statically translated to a
same sized block of private addresses. In this mode, an internal network resource (usually a−
server) has a fixed translation that never changes.
• Load Balancing Translation Wherein a single IP address and port are translated to a pool
of identically configured servers, so that a single public address can be served by a number
of servers.
• Network Redundancy Translation Wherein multiple Internet connections are attached to a
single NAT firewall that it chooses and uses based on bandwidth, congestion, and
availability.
Warning Not every firewall supports each type of NAT. Read the firewall's documentation carefully
before you purchase it to make sure its form of NAT is the type you need.

Dynamic Translation
Dynamic translation, also referred to as IP Masquerade or just "masking," protects internal hosts by
replacing their IP address with an address that routes to the firewall. Individual hosts inside the
firewall are identified based on the port number in each connection flowing through the firewall.
Note RFC 1631 does not describe the use of port addresses to extend the applicability of a single
IP address, but every existing NAT implementation I know of uses this method. Purists call
this method NAPT, for Network Address and Port Translation.
Because a translation entry does not exist until an interior client establishes a connection out
through the firewall, external computers have no method to address an internal host that is
protected using a dynamically translated IP address. And since most firewalls create translations
that are valid only for the addressed host and port, there's no way for any computer except the
computer addressed to attack the host because no other route exists back to it.
Technically, it is possible to use the Internet Protocol's source routing feature to route through a−
NAT. Source routing allows you to specify intermediate routers through which a packet must travel.
By specifying the NAT device as an intermediate router between a public machine and an interior
private address, it is possible to route packets through a NAT. But because any NAT sold as a
security device is configured to drop any packets that are source routed, this can only be−
accomplished through simple or improperly configured NAT devices. You should test any NAT
devices you deploy to ensure that they do drop source routed packets for this reason.−
It's important to note that NAT does nothing to protect the client other than to keep external hosts
from connecting to it. If the client is seduced into connecting to a malicious external host, or if a
Trojan horse is somehow installed on the computer that connects to a specific external host, the
client can be compromised just as easily as if there were no firewall. For this reason, NAT alone is
not sufficient to protect your network.
Seducing a client into connecting to a malicious site is surprisingly easy. For example, if your boss
131
sent you e mail saying, "Check this site out. It's remarkably close to what we want to do," you'd−
probably click on the hyperlink included in the e mail without a second thought. That's all it takes,−
and forging e mail is child's play for a hacker.−
Warning

The paragraph above was originally written just days before the Explore.Zip
worm wreaked havoc upon corporate networks using exactly that strategy. You
should strongly consider filtering executable files from HTTP down loads and−
e mail attachments.−
Reality Check: Forging E Mail to Gain Control−
Forging e mail to gain control of a computer is easy if the intended victim views their e mail in− −
HTML format and has JavaScript enabled (which is the default configuration for both Outlook and
Outlook Express). In this case, the e mail can contain Java Script event triggers that will− −
automatically start your web browser and pull up the page of the attacker's choice, which would
subsequently allow the malicious website operator to perform every heinous act listed on Microsoft's
support site when you search on "malicious web site operator."
Worse, if you've ever selected the option to automatically open executable down loads and the−
attacker points your web browser at an executable file, your web browser will automatically
download it and then execute it, all without asking you anything. To show how simple this exploit is
to perpetrate, import the following HTML/JavaScript code into an Outlook Express e mail using the−
import text feature (the import is a bit tricky and doesn't just work by cutting and pasting), then send
the e mail to yourself. If you have JavaScript enabled and view your e mail as HTML, the Outlook− −
Express will open Google's search page automatically when you close the e mail message.−
<html>
<head>
<title>This is funny!</title>
</head>
<body onunload="Leave()">
<script language="JavaScript">
var leave=true;
function Leave()
{if (leave)
open("");}
</script>
Hi Folks, This is funny.<p>

</Body>
</html>
Some protocols do not function correctly when the port is changed. These protocols will not work
through a dynamically translated connection. Any protocol that relies upon the ability to establish a
separate reverse connection to the source client will only work correctly if the firewall is designed to
make exceptions for that specific protocol.
When you use dynamic translation, you must establish an IP address to translate the internal
addresses to. This is the address that will be visible to the outside world for outbound connections.
Most firewalls allow you to use the firewall's own address or another address that routes to the
firewall and for which the firewall will answer using ARP.
Each IP address can only support a theoretical maximum of 65,536 (or 2
16
) connections because
the port address pool used for multiplexing the client connections is only 16 bits wide. Most firewalls
are further limited to about 50,000 connections because many ports are reserved for other uses.
132
Linux's default IP Masquerade settings make only 4096 ports available for translation, but that
number can be easily modified.
In any case, the number of ports is large and shouldn't cause a problem unless your users maintain
hundreds of simultaneous Internet connections while they work. If you do find yourself running out
of ports, you'll have to have more than one IP address behind which to hide hosts.
Static Translation
Static translation is used when you have resources inside your firewall that you want to be publicly
available or (in rare cases) when you use a protocol that must have certain port or IP addresses to
operate.
Static translation can be used to map a range of public IP addresses to the same sized block of−
internal private addresses. For example, you could translate 128.110.121.0–128.110.121.255 to the
internal range 10.1.2.0–10.1.2.255. The firewall performs a simple static translation for each of the
IP addresses in the range.
Port forwarding is a type of static translation that refers to the process of forwarding just a specific

port, rather than an entire IP address or block of addresses. Let's say your e mail server's IP−
address is 10.1.1.21, and your firewall's external IP address is 10.0.30.2. You can statically map
socket 10.0.30.2:25 to address 10.1.1.21:25. This static connection will cause the firewall to
translate any connections to its SMTP port to the e mail server inside your firewall.−
Port forwarding can be used to establish a number of different complex services on a single IP
address. For example, you could have an e mail server statically translated on the SMTP and POP−
ports, a web server statically translated on the HTTP port, and a news server on the NNTP port.
Since the translations can specify any IP address, these services can be split among many
machines inside your firewall.
Load Balancing
Some firewalls support IP load balancing using the static NAT facility. This allows you to spread the
load of one very popular website across a number of different servers by using the firewall to
choose which internal server each external client should connect to on either a round robin or−
balanced load basis. This is somewhat similar to dynamic translation in reverse—the firewall
chooses which server from among a pool of clones each connection attempt should go to.
To choose based on load, the servers in the pool must have some facility to transmit their load
levels to the firewall. Since there is no standard way to do this, your firewall must implement a
proprietary method. For that reason, many simpler firewalls assume that each connection creates
about the same amount of load and assign connections to the next server in the list. Other more
sophisticated load balancing firewalls attempt to average the number of simultaneous connections−
to each interior host or attempt to average the amount of network bandwidth exchanged with each
interior host.
IP load balancing only works with protocols that are stateless or maintain their state on the client.
For websites, IP load balancing is perfect because the server does not maintain any information
about the client between page transmittals, so it doesn't actually matter if a specific client gets the
same server each time they load a page. Consider the problem with mail, though. If a firewall
provides load balancing for a number of e mail servers, each of a user's e mail messages would− −
arrive on any on the of the servers depending on which server the firewall selected for the SMTP
133