Address Translation
RFC 1918, "Address Allocation for Private Internets," specifies certain nonregistered
IP address ranges that are to be used only on private networks and are not
to be routed across the Internet. The RFC uses the term ambiguous to refer to
these private addresses, meaning that they are not globally unique. The reserved
ranges are:
10.0.0.0 - 10.255.255.255 (10/8 prefix)
172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
www.syngress.com
Introduction to Security and Firewalls • Chapter 1 27
The primary motivation for setting aside these private address ranges was the
fear in 1996 that the 32-bit address space of IP version 4 was becoming rapidly
depleted due to inefficient allocation. Organizations that had at most a few thousand
hosts, most of which did not need to be reachable from the Internet, had over
the years been allocated huge blocks of IP addresses that had gone mostly
unused. By renumbering their private networks with these reserved address
ranges, companies could potentially return their allocated public blocks for use
elsewhere, thereby extending the useful life of IPv4.
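The three reserved blocks above are easiest to get wrong at their edges (172.16/12 ends at 172.31.255.255, so 172.32.0.1 is not private, and 192.169.0.1 is not either). The following is an added example, not code from the book: it matches addresses against the RFC 1918 prefixes by masking, recovers the first and last address of each block from its prefix length, and wraps that in a hypothetical anti-spoofing rule (`should_drop_ingress`) for a firewall's outside interface, where a packet carrying an RFC 1918 source address can only be spoofed because those addresses are not routed across the Internet.

```python
"""RFC 1918 prefix matching, added here as an example (not the book's code).

The three reserved blocks are matched by masking the address with the prefix
length, which makes visible why 172.16/12 ends at 172.31.255.255 and why
172.32.0.1 or 192.169.0.1 are not private. should_drop_ingress() is a
hypothetical anti-spoofing rule for the outside interface of a firewall.
"""
import ipaddress

# (network, prefix length) as listed in RFC 1918
RFC1918_BLOCKS = (("10.0.0.0", 8), ("172.16.0.0", 12), ("192.168.0.0", 16))


def _to_int(ip: str) -> int:
    """Dotted quad -> 32-bit integer (raises ValueError on garbage input)."""
    return int(ipaddress.IPv4Address(ip))


def _mask(prefix_len: int) -> int:
    """Netmask for a prefix length, e.g. 12 -> 0xFFF00000."""
    return (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF


def block_bounds(network: str, prefix_len: int) -> tuple:
    """First and last address of a block, as dotted quads."""
    first = _to_int(network) & _mask(prefix_len)
    last = first | (~_mask(prefix_len) & 0xFFFFFFFF)
    return str(ipaddress.IPv4Address(first)), str(ipaddress.IPv4Address(last))


def is_rfc1918(ip: str) -> bool:
    """True if ip falls inside one of the three private blocks."""
    addr = _to_int(ip)
    return any(addr & _mask(plen) == _to_int(net) for net, plen in RFC1918_BLOCKS)


def should_drop_ingress(src: str) -> bool:
    """Hypothetical outside-interface rule: a packet arriving from the Internet
    with an RFC 1918 source address cannot be legitimate (those addresses are
    not routed across the Internet), so it is treated as spoofed and dropped."""
    return is_rfc1918(src)


if __name__ == "__main__":
    for net, plen in RFC1918_BLOCKS:
        first, last = block_bounds(net, plen)
        print(f"{net}/{plen}: {first} - {last}")
    # constructed sample of source addresses seen on the outside interface
    for src in ("203.0.113.5", "10.1.2.3", "172.32.0.1", "192.168.1.1"):
        print(src, "DROP" if should_drop_ingress(src) else "PASS")
```

The same rule is normally applied in the other direction as well (no packet with a non-RFC 1918 source should leave the inside interface untranslated), which is the egress half of the anti-spoofing filter.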
The astute reader, however, will point out that if these addresses are not
routable on the Internet, how does a host on a private network reach the Web?
The source IP of such a connection would be a private address, and the user's
connection attempt would simply be dropped before it got very far. This is where
Network Address Translation (NAT), defined in RFC 1631, comes into play.
Most organizations connected to the Internet use NAT to hide their internal
addresses from the global Internet. This serves as a basic security measure that can
make it a bit more difficult for an external attacker to map out the internal network,
although it is no substitute for a filtering policy.
NAT is generally performed on the Internet firewall and takes two forms,
static or dynamic. When NAT is performed, the firewall rewrites the source
and/or the destination addresses in the IP header, replacing them with translated
addresses. This process is configurable.

First, some terms need to be defined. In the context of address translation,
inside refers to the internal, private network. Outside is the greater network to
which the private network connects (typically the Internet). Global addresses are
registered and assigned in blocks by an ISP; local addresses are part of the private
address pool. Combining the two pairs gives four kinds of address:

Inside local: the address of an inside host as seen on the inside network
(typically from the RFC 1918 ranges).
Inside global: the address that an inside local address is translated to, and
which is visible on the outside.
Outside local: as the name might imply, the reverse of inside global. These are
addresses of outside hosts that are translated for access internally.
Outside global: addresses owned by and assigned to hosts on the external network.

To keep these terms straight, just keep in mind the direction in which the
traffic is going, in other words, from where it is initiated. This direction determines
which translation will be applied.
Static Translation
In static NAT, a permanent one-to-one mapping is established between inside
local and inside global addresses. This method is useful when you have a small
number of inside hosts that need access to the Internet and have enough
globally unique addresses to translate to. When a NAT router or firewall receives
a packet from an inside host, it looks to see if there is a matching source address
entry in its static NAT table. If there is, it replaces the local source address with the
global source address and forwards the packet. Replies from the outside destination
host are simply translated in reverse and routed onto the inside network.
Static translation is also useful for outside communication initiated to an inside
host. In this situation, the destination (not the source) address is translated, which
means a statically mapped inside host is reachable from the outside at all times and
must be protected by the firewall's filtering rules rather than by NAT itself. Figure
1.11 shows an example of static NAT. Each local inside address (192.168.0.10,
192.168.0.11, and 192.168.0.12) has a matching global inside address (10.0.1.10,
10.0.1.11, and 10.0.1.12, respectively).
Dynamic Translation
When dynamic NAT is set up, a pool of inside global addresses is defined for use
in outbound translation. When the NAT router or firewall receives a packet from
an inside host and dynamic NAT is configured, it selects the next available
address from the global address pool that was set up and replaces the source
address in the IP header. Dynamic NAT differs from static NAT because address
mappings can change for each new conversation that is set up between two given
endpoints; if every pool address is in use, a new inside host cannot be translated
until an entry is released. Figure 1.12 shows how dynamic translation might work. The global
address pool (for example purposes only, since 10.0.1.0/24 is itself an RFC 1918 range) is
10.0.1.10 through 10.0.1.12, using a 24-bit subnet mask (255.255.255.0). The local
address 192.168.0.10 is mapped directly to the first address in the global pool (10.0.1.10).
The next system needing access (local address 192.168.0.12 in this example) is mapped
to the next available global address of 10.0.1.11. The local host 192.168.0.11 never
attempted a connection to the Internet, and therefore a dynamic translation entry was
never created for it.
Figure 1.11 Static Address Translation
(Diagram: inside network hosts 192.168.0.10, 192.168.0.11 and 192.168.0.12, a PIX
using NAT, and the Internet.)

Static NAT Table
Local          Global
192.168.0.10   10.0.1.10
192.168.0.11   10.0.1.11
192.168.0.12   10.0.1.12
Port Address Translation
What happens when there are more internal hosts initiating sessions than there
are global addresses in the pool? This is called overloading, a configurable parameter
in NAT, also referred to as Port Address Translation, or PAT. In this situation,
you have the possibility of multiple inside hosts being assigned the same global
source address. The NAT/PAT box needs a way to keep track of which local
address to send replies back to. This is done by using distinct source port numbers
as the tracking mechanism, and it involves possible rewriting of the source port in
the packet header. You should recall that TCP/UDP uses 16 bits to encode port
numbers, which allows for 65,536 different services or sources to be identified per
global address.
When performing translation, PAT tries to use the original source port number if
it is not already in use. If it is, the next available port number from the appropriate
group is used. Once the available port numbers are exhausted, the process starts
again using the next available IP address from the pool. Because the translation
table is keyed on the (global address, port) pair, a reply from the outside is only
delivered inside if such an entry exists, which is why unsolicited inbound traffic to
a PAT address has nowhere to go.
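The three modes described in the Static Translation, Dynamic Translation and Port Address Translation sections differ only in how the translation table is built and consulted. The following is an added example, not the book's code and not any vendor's implementation: a single table-driven translator that handles a static one-to-one map, a dynamic pool, and overloading (PAT) with the original-port-first rule, and that drops outside traffic for which no entry exists. The host and pool addresses are the figure values (192.168.0.10 through .12 inside local, 10.0.1.10 through .12 inside global), which the book uses for illustration only; the Packet structure, the outside addresses 198.51.100.7 and 203.0.113.9, and the simplified two-group port rule (well-known 1-1023 versus everything else) are assumptions of this example.

```python
"""Static, dynamic and overloaded (PAT) translation in one table-driven model.
Added as an example; not the book's or any vendor's code. Host and pool
addresses are the figure values (192.168.0.10-12 inside local, 10.0.1.10-12
inside global), used by the book for illustration only. The port-group rule is
simplified to two groups: well-known (1-1023) and everything else (an assumption)."""
from dataclasses import dataclass
from typing import Dict, Iterator, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str    # source IP
    sport: int  # TCP/UDP source port
    dst: str    # destination IP
    dport: int  # TCP/UDP destination port


def _port_candidates(lport: int) -> Iterator[int]:
    """Original port first, then the next ports in the same group, wrapping."""
    lo, hi = (1, 1023) if lport < 1024 else (1024, 65535)
    yield lport
    yield from range(lport + 1, hi + 1)
    yield from range(lo, lport)


class Translator:
    """Direction of initiation decides everything: outbound() creates entries,
    inbound() only consults them, so outside traffic aimed at a global address
    with no entry is dropped (returned as None)."""

    def __init__(self, static=None, pool=(), overload=False):
        self.static: Dict[str, str] = dict(static or {})  # inside local -> inside global
        self.pool = list(pool)                             # inside global pool
        self.overload = overload                           # PAT when True
        self.dynamic: Dict[str, str] = {}                  # inside local -> pool address
        self.pat: Dict[Tuple[str, int], Tuple[str, int]] = {}  # (global, port) -> (local, port)

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.src in self.static:                # permanent one-to-one mapping
            return Packet(self.static[pkt.src], pkt.sport, pkt.dst, pkt.dport)
        if self.overload:                         # many locals share one global
            entry = self._pat_entry(pkt.src, pkt.sport)
            return None if entry is None else Packet(entry[0], entry[1], pkt.dst, pkt.dport)
        glob = self._dynamic_entry(pkt.src)       # next free pool address
        return None if glob is None else Packet(glob, pkt.sport, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        if self.overload and (pkt.dst, pkt.dport) in self.pat:
            local, lport = self.pat[(pkt.dst, pkt.dport)]
            return Packet(pkt.src, pkt.sport, local, lport)
        for table in (self.static, self.dynamic):  # reverse lookup global -> local
            for local, glob in table.items():
                if glob == pkt.dst:
                    return Packet(pkt.src, pkt.sport, local, pkt.dport)
        return None                               # no entry: unsolicited, dropped

    def _dynamic_entry(self, local: str) -> Optional[str]:
        if local in self.dynamic:
            return self.dynamic[local]
        in_use = set(self.dynamic.values())
        for glob in self.pool:
            if glob not in in_use:
                self.dynamic[local] = glob
                return glob
        return None                               # pool exhausted

    def _pat_entry(self, local: str, lport: int) -> Optional[Tuple[str, int]]:
        for gkey, lkey in self.pat.items():       # reuse an existing entry
            if lkey == (local, lport):
                return gkey
        for glob in self.pool:                    # ports exhausted -> next pool address
            for port in _port_candidates(lport):
                if (glob, port) not in self.pat:
                    self.pat[(glob, port)] = (local, lport)
                    return (glob, port)
        return None


def demo() -> dict:
    """Walks the three modes with constructed packets; returns the outcomes."""
    web, out = "198.51.100.7", {}
    s = Translator(static={"192.168.0.10": "10.0.1.10"})
    out["static_out"] = s.outbound(Packet("192.168.0.10", 40000, web, 80))
    out["static_in"] = s.inbound(Packet(web, 5555, "10.0.1.10", 22))  # outside-initiated: allowed
    d = Translator(pool=("10.0.1.10", "10.0.1.11"))                    # pool cut to two on purpose
    out["dyn_a"] = d.outbound(Packet("192.168.0.10", 40000, web, 80))
    out["dyn_b"] = d.outbound(Packet("192.168.0.12", 40001, web, 80))
    out["dyn_c"] = d.outbound(Packet("192.168.0.11", 40002, web, 80))  # pool exhausted: None
    out["dyn_in"] = d.inbound(Packet("203.0.113.9", 1234, "10.0.1.12", 22))  # no entry: None
    p = Translator(pool=("10.0.1.10",), overload=True)
    out["pat_a"] = p.outbound(Packet("192.168.0.10", 40000, web, 80))
    out["pat_b"] = p.outbound(Packet("192.168.0.11", 40000, web, 80))  # port collision -> 40001
    out["pat_reply_b"] = p.inbound(Packet(web, 80, "10.0.1.10", out["pat_b"].sport))
    return out


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:12s} {pkt}")
```

Two things the run makes visible that the prose only states: a statically mapped host is reachable from the outside even though it never sent anything (so its exposure is a filtering question, not a NAT question), while under dynamic NAT and PAT an outside packet addressed to a global address or port with no table entry is discarded. Real implementations also age entries out and track connection state; this model keeps entries forever to stay within the book's description.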
Figure 1.12 Dynamic Address Translation
(Diagram: inside network hosts 192.168.0.10, 192.168.0.11 and 192.168.0.12, a PIX
using NAT, and the Internet.)

Dynamic translation
Global address pool: 10.0.1.10-12
Local          Global
192.168.0.10   10.0.1.10
192.168.0.12   10.0.1.11