SunScreen 3.2 Administrator's Overview

Network Address Translation

Network address translation (NAT) enables a Screen to translate an internal network address to a different public network address. As the Screen passes packets between an internal host and a public network, it transparently replaces the addresses in each packet with new addresses, corrects the checksums in the IP header and in the TCP or UDP header (and TCP sequence numbers where a rewrite changes the payload length), and tracks the state of each translation. Because NAT translations are ordered, you specify which packets each translation applies to by source and destination address.

SunScreen NAT gives you fine-grained control: translations are ordered, table entries are allowed to intersect (overlap), and each translation specifies whether the source or the destination address of a matching packet is translated.


Note -

Be sure to configure your NAT rules so they do not perform address translation while an internal host is attempting to communicate directly with the Screen itself.


Some services, such as FTP, also carry IP addresses inside the packet payload (for example in the FTP PORT command). Those payload bytes must be rewritten as well, and the checksums and TCP sequence numbers adjusted to match. All of this is done inside the Screen's kernel for high-speed processing and for transparency to end users and applications. NAT is stateful: lookups in the address translation table are made efficient by hashing on addresses, and checksums are patched with a differential calculation that adjusts only for the header words that changed rather than recomputing over the whole packet.
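The rewrite described above, shown as a worked example. This is illustrative code added for this page, not SunScreen's kernel NAT: it builds a constructed IPv4/TCP packet, rewrites the source address (and optionally the source port, as a port-translating NAT would), and fixes both the IP and the TCP checksum with the differential method of RFC 1624 (HC' = ~(~HC + ~m + m')) instead of recomputing them from scratch. The TCP checksum must be patched too because it covers the pseudo-header, which contains the IP addresses. A full recomputation is kept only as a cross-check; the addresses, ports and payload are made up for the example.

```python
"""Added example (not SunScreen code): NAT source rewrite with
differential checksum update per RFC 1624."""
import socket
import struct


def ones_sum(data: bytes) -> int:
    """One's-complement sum of 16-bit big-endian words, folded to 16 bits."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    """Full Internet checksum (RFC 1071); checksum field must be zero in data."""
    return (~ones_sum(data)) & 0xFFFF


def incremental_checksum(old_csum: int, old_bytes: bytes, new_bytes: bytes) -> int:
    """RFC 1624 eq. 3, HC' = ~(~HC + ~m + m'), over the 16-bit words that changed.

    Cost depends only on how many words were rewritten, not on packet size:
    this is the 'differential checksum calculation' the text refers to."""
    assert len(old_bytes) == len(new_bytes) and len(old_bytes) % 2 == 0
    acc = (~old_csum) & 0xFFFF
    for i in range(0, len(old_bytes), 2):
        (m,) = struct.unpack("!H", old_bytes[i:i + 2])
        (m_new,) = struct.unpack("!H", new_bytes[i:i + 2])
        acc += ((~m) & 0xFFFF) + m_new
    while acc >> 16:
        acc = (acc & 0xFFFF) + (acc >> 16)
    return (~acc) & 0xFFFF


def build_packet(src_ip, dst_ip, sport, dport, payload=b"", seq=1, ack=0):
    """Constructed IPv4 + TCP packet (no options) with correct checksums."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    total_len = 20 + 20 + len(payload)
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234,
                               0x4000, 64, socket.IPPROTO_TCP, 0, src, dst))
    struct.pack_into("!H", ip, 10, checksum(bytes(ip)))
    tcp = bytearray(struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                                5 << 4, 0x18, 65535, 0, 0)) + payload
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, socket.IPPROTO_TCP, len(tcp))
    struct.pack_into("!H", tcp, 16, checksum(pseudo + bytes(tcp)))
    return bytes(ip + tcp)


def nat_source(packet: bytes, new_src_ip: str, new_sport=None) -> bytes:
    """Rewrite the source IP (and optionally source port) of an IPv4/TCP
    packet, patching the IP and TCP checksums differentially."""
    pkt = bytearray(packet)
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != socket.IPPROTO_TCP:
        raise ValueError("example handles TCP only")
    old_src, new_src = bytes(pkt[12:16]), socket.inet_aton(new_src_ip)

    # IP header checksum: only the two source-address words changed.
    ip_csum = struct.unpack_from("!H", pkt, 10)[0]
    struct.pack_into("!H", pkt, 10, incremental_checksum(ip_csum, old_src, new_src))
    pkt[12:16] = new_src

    # TCP checksum covers the pseudo-header, so the same address delta applies,
    # plus the port word if this is a port-translating rewrite.
    tcp_csum = struct.unpack_from("!H", pkt, ihl + 16)[0]
    old_words, new_words = old_src, new_src
    if new_sport is not None:
        old_words += bytes(pkt[ihl:ihl + 2])
        new_words += struct.pack("!H", new_sport)
        struct.pack_into("!H", pkt, ihl, new_sport)
    struct.pack_into("!H", pkt, ihl + 16,
                     incremental_checksum(tcp_csum, old_words, new_words))
    return bytes(pkt)


def checksums_valid(packet: bytes) -> bool:
    """Cross-check by full recomputation: a valid packet verifies to zero."""
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", packet, 2)[0]
    ip_hdr, tcp_seg = packet[:ihl], packet[ihl:total_len]
    if checksum(ip_hdr) != 0:
        return False
    pseudo = struct.pack("!4s4sBBH", ip_hdr[12:16], ip_hdr[16:20], 0,
                         ip_hdr[9], len(tcp_seg))
    return checksum(pseudo + tcp_seg) == 0


def summarize(packet: bytes) -> dict:
    """Addresses and ports of an IPv4/TCP packet, for display and checking."""
    ihl = (packet[0] & 0x0F) * 4
    return {"src": socket.inet_ntoa(packet[12:16]),
            "dst": socket.inet_ntoa(packet[16:20]),
            "sport": struct.unpack_from("!H", packet, ihl)[0],
            "dport": struct.unpack_from("!H", packet, ihl + 2)[0]}


if __name__ == "__main__":
    inside = build_packet("10.1.2.3", "198.51.100.7", 40000, 80, b"GET / HTTP/1.0\r\n\r\n")
    outside = nat_source(inside, "192.0.2.10", 51000)
    print(summarize(inside), "->", summarize(outside), checksums_valid(outside))
```

Note what the example does not do: it does not parse FTP PORT commands or adjust sequence numbers, because rewriting an address inside the payload can change the segment length, which is the separate piece of work the text attributes to the Screen's kernel.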

NAT is typically used when:

NAT lets you use unregistered (private) Internet addresses to number your internal networks and hosts while still maintaining full connectivity to the Internet. The Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of the IP address space for private internets (RFC 1918):

10.0.0.0 to 10.255.255.255 (the 10/8 prefix)
172.16.0.0 to 172.31.255.255 (the 172.16/12 prefix)
192.168.0.0 to 192.168.255.255 (the 192.168/16 prefix)

With this approach, you can use a registered (public) Class C address space, which offers 254 externally routable host addresses, to provide Internet connectivity for an unregistered Class B network, which supports up to 65,534 hosts internally (or, subnetted, 256 networks of 254 hosts each).