single IP address supplied by an ISP or the company System Administrator, rather than an IP
address for each workstation, a savings of nine valuable IP addresses.
Local Network Security
Another useful feature of NAT is its ability to act as a "firewall." The workstations on the
NAT Network may freely establish connections with the External Network/Internet. The
opposite case is possible, but is controlled by NAT. NAT can allow just a few connections, or
even no connections, to be established from the External Network to the NAT Network, as
the user sees fit.
NAT Functionality
Of course, NAT requires that some processor translate the "private" network IP
addresses to the "global" Internet IP address, and vice versa. This is where routers using
NAT come into the picture. This document explains how NAT was developed for Compatible
Systems devices on three example networks, and details how the routers are configured using
the Command Line interface to properly do Network Address Translation.
Note: The Command Line interface is currently the only way to configure the NAT
functionality. CompatiView NAT functionality is in development, but not yet available.
A Compatible Systems router with NAT functionality enabled will do one of the following to
IP packets sent through a NAT interface:
1. Translate an IP address and otherwise modify an IP packet if its address matches one
of the NAT IP address ranges defined for the router.
2. Allow the router to accept and process the IP packet if that packet is addressed to the
router itself (e.g., broadcast packets, a Telnet session to the router, or pinging the
router).
3. Allow the IP packet to be routed without modifying it, if the IP address of the packet
is within the NAT PassThru Range defined for the router.
4. Drop the packet if none of the conditions in 1, 2, or 3 are met.
Conditions 1 and 2 are presented in Example One below. Condition 3 is presented in
Example Two. Condition 2 can be thought of as a default subset of Condition 3, where the
destination is the router itself rather than some local LAN configured with a global IP address
and connected to the router on an IP interface different from the one connecting the router to
the Internet.
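The four-way decision above, modeled as an added example (not Compatible Systems code). It assumes the destination address is what is matched for a packet arriving on the External NAT Port and that the conditions are tried in the order listed; the function names and the sample addresses are constructed for illustration.

```python
import ipaddress
from enum import Enum

class Action(Enum):
    TRANSLATE = 1   # condition 1: address is in a NAT range
    LOCAL = 2       # condition 2: packet is addressed to the router itself
    PASSTHRU = 3    # condition 3: address is in the NAT PassThru Range
    DROP = 4        # condition 4: nothing matched

def _nets(cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]

def classify(dst, nat_ranges, router_addrs, passthru_ranges):
    """Return the Action for a packet arriving on the External NAT Port.

    Assumption: the destination address is matched, and the conditions
    are evaluated in the order the list gives them (first match wins).
    """
    ip = ipaddress.ip_address(dst)
    if any(ip in n for n in _nets(nat_ranges)):
        return Action.TRANSLATE
    if ip in {ipaddress.ip_address(a) for a in router_addrs}:
        return Action.LOCAL
    if any(ip in n for n in _nets(passthru_ranges)):
        return Action.PASSTHRU
    return Action.DROP

def shadowed_passthru(nat_ranges, passthru_ranges):
    """List (passthru, nat) pairs that overlap. With first-match ordering the
    overlapping addresses are translated and never passed through."""
    return [(str(p), str(n))
            for p in _nets(passthru_ranges)
            for n in _nets(nat_ranges) if p.overlaps(n)]

# Constructed sample configuration (documentation address blocks, not from the page).
NAT_RANGES = ["198.51.100.2/32"]    # the single global address that is translated
ROUTER_ADDRS = ["198.51.100.1", "255.255.255.255"]  # router's own address, broadcast
PASSTHRU = ["203.0.113.0/24"]       # LAN with global addresses, as in Example Two

if __name__ == "__main__":
    for dst in ["198.51.100.2", "198.51.100.1", "203.0.113.20", "192.0.2.77"]:
        print(dst, classify(dst, NAT_RANGES, ROUTER_ADDRS, PASSTHRU).name)
    # A PassThru range that swallows the NAT address is flagged for review.
    print(shadowed_passthru(NAT_RANGES, ["198.51.100.0/24"]))
```

The last case is the one that matters for the "firewall" behavior: any destination that matches no range falls through to the drop.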
NAT EXAMPLE NETWORKS
Example One (Figure 1): The simpler of the two NAT Examples. The IP Interface Ethernet 0 on the NAT
Router connects to the Internet. Such an IP interface is called the External NAT Port in this document.
Everything behind the NAT Router, connected to the Internal Ethernet Hub and the NAT Router, via IP
interface Ethernet 1, is part of the NAT Network. IP interfaces such as Ethernet 1 are called the Internal NAT
Port in this document.
Example Two (Figure 2): WAN 0 (the External NAT Port) is the NAT IP interface connecting to the
Internet; Ethernet 1 (the Internal NAT Port) connects to the NAT Network, but Ethernet 0 connects to an
Ethernet hub which has "global" IP addresses. Ethernet 0, and its connected hub, are in effect part of the
Internet. The Compatible Systems NAT software will allow the WAN 0 External NAT Port to pass IP packets
to both the user's (Private) NAT Network and the LAN which has "global" IP addresses. The user can limit
access to, or protect, the NAT Network while not affecting the performance of the portion of the network with
"global" IP addresses.