NAT and PAT
Another key feature of the Cisco PIX is its ability to translate addresses. Historically, an inside note is that the PIX comes from devices created by a company called Network Translations Inc., and the PIX's original role was simply to perform address translation. (The name PIX comes from Private Internet Exchange, reflecting its purpose: to exchange traffic between private networks and the Internet.)
Network Address Translation, or NAT, encapsulates the concept that we can remap IP addresses (or sockets) where desirable in order to provide efficiencies or security. In the late 1990s, there was a great concern that we would run out of IP addresses; every host needed its own IP, and there are only 2^32 to go around. Once we hit that number of computers, we'd be out of addresses. Worse, when you changed service providers, you generally had to give up your IP addresses and renumber all your machines—an expensive, time-consuming task that often ended up missing some machines, leaving them unable to communicate.
An idea was developed to use "private" addresses internally and, at the perimeter of our control, remap them into "public" addresses given to us by our service provider. Now we do not have to spend a lot of time renumbering our IP addresses; if we change providers, we only have to change the values of the IP addresses on the external firewalls and we are done. In February 1996, Cisco coauthored RFC 1918, which established ranges for "private" addresses—all of the 10 network (10.0.0.0 through 10.255.255.255), part of the 172 network (172.16.0.0 through 172.31.255.255), and the 192.168 network (192.168.0.0 through 192.168.255.255). This RFC is followed almost universally by enterprises today, with IP address schemes chosen from these private networks to simplify the structure of the internal network.
www.syngress.com
58 Chapter 2 • Introduction to PIX Firewalls
NAT also provides a form of "security through obscurity." Since the private addresses are not advertised, an outside attacker does not necessarily know how the machine refers to itself; this adds an extra layer of work the attacker needs to perform to understand how to connect to an internal host.
There are several different ways to perform the address translation. The simplest form of NAT provides a one-to-one map between internal host IP addresses and external addresses—for example, a map between 10.1.1.1 and 198.133.219.25. Then any reference, say 198.133.219.25 port 80, gets translated to 10.1.1.1 port 80, and vice versa. This form of NAT has two different flavors: static NAT, in which the translation is set up once and is permanent, and dynamic NAT, in which a translation is set up from a pool of available addresses and is torn down when an idle timeout occurs. The former is ideal for remapping servers that need to provide consistent access to the outside world; because the translated address is fixed, it can be put into public DNS and readily accessed by outside clients. The latter is ideal for remapping users who need outside services and IP addresses for a short time, which can then be released for other users when the services and addresses are no longer needed. This arrangement allows for, say, 100 people to hide behind 30 addresses, as long as no more than 30 of those people need external access at any one time.
The concept of dynamic NAT can be extended even further. Most IP services are based on sockets, that is, IP address/port number pairs. Rather than remapping on IP address, we can remap on sockets. Now 10.1.1.1,80 might get mapped to 198.133.219.25,3125 while 10.1.3.42,80 gets mapped to 198.133.219.25,4176—the same IP address in both cases, but because the port numbers are different, the sockets are di
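The three translation styles described above (a permanent static map, a dynamic map from a pool that is torn down on idle timeout, and socket-level remapping of many inside hosts onto one outside address) can be modelled in a few dozen lines. The following is an added example, not code from the chapter or from the PIX itself; the addresses are the chapter's, while the pool contents, the shared PAT address, the 30-second timeout, the PAT port numbering and the choice to fall back to PAT when the pool is exhausted are assumptions of this example.

```python
from dataclasses import dataclass, field

# Addresses are the chapter's own; pool, PAT address, timeout and port numbering
# are assumptions of this example, not PIX behaviour.
@dataclass
class Translator:
    static: dict = field(default_factory=dict)  # inside IP -> fixed outside IP
    pool: list = field(default_factory=list)    # free outside IPs for dynamic NAT
    pat_ip: str = ""                            # one outside IP shared by many sockets
    idle_timeout: float = 30.0                  # seconds before a dynamic xlate is torn down
    dyn: dict = field(default_factory=dict)     # inside IP -> (outside IP, last used)
    pat: dict = field(default_factory=dict)     # (inside IP, port) -> outside port
    next_port: int = 1024                       # next free PAT port (assumed numbering)

    def translate(self, inside_ip, inside_port, now):  # inside socket -> outside socket
        self.expire(now)
        if inside_ip in self.static:             # static NAT: fixed, never expires
            return (self.static[inside_ip], inside_port)
        if inside_ip in self.dyn:                # dynamic NAT: refresh the idle timer
            outside, _ = self.dyn[inside_ip]
            self.dyn[inside_ip] = (outside, now)
            return (outside, inside_port)
        if self.pool:                            # dynamic NAT: take an address from the pool
            outside = self.pool.pop(0)
            self.dyn[inside_ip] = (outside, now)
            return (outside, inside_port)
        key = (inside_ip, inside_port)           # pool exhausted: PAT on the shared address
        if key not in self.pat:                  # (overflow policy assumed for this example)
            self.pat[key] = self.next_port
            self.next_port += 1
        return (self.pat_ip, self.pat[key])

    def untranslate(self, outside_ip, outside_port):  # reverse lookup for return traffic
        for ip, out in self.static.items():
            if out == outside_ip:
                return (ip, outside_port)
        for ip, (out, _) in self.dyn.items():
            if out == outside_ip:
                return (ip, outside_port)
        for (ip, port), oport in self.pat.items():
            if outside_ip == self.pat_ip and oport == outside_port:
                return (ip, port)
        return None                              # no xlate: return packet is dropped

    def expire(self, now):                       # tear down idle dynamic xlates
        for ip, (outside, last) in list(self.dyn.items()):
            if now - last >= self.idle_timeout:
                del self.dyn[ip]
                self.pool.append(outside)        # address released for other users
```

Note that `untranslate` returning `None` is the property that gives NAT its "obscurity": an unsolicited packet to an outside address that has no current translation has nowhere inside to go.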