because other descriptions of NAT on the Internet have not explicitly said this and initially
caused confusion.
CONDITION 1: A NAT SESSION INITIATED FROM THE OUTSIDE
Let's make one change to the network of Example One: the NT workstation is now a Web
server. Is this possible with Compatible Systems NAT? If possible, is it really useful? For
security (and practicality) reasons, NAT Sessions are generated by IP packets traveling from
the NAT Network to the Internet. How could an outside user ever reach the NT Web server
on the NAT Network if the server did not first contact the user on the Internet (a highly
unlikely situation)?
This is where another part of the Compatible Systems NAT software is useful. It is called the
NAT Map Database. This database contains pairs of IP addresses (or IP address:TCP/UDP
port combinations) which allow sites on the Internet to have access through the NAT Router
to the NAT Network. The Internet sites can initialize NAT Sessions with sites on the NAT
Network.
The NAT Map Database can be displayed in the Command Line interface with the command
show nat map.
Nat_2220> show nat map
[ Nat Map Database ]
Total Number of Entries in NAT Map Database: 1
--------------------------------------------------------
         Internal                            External
LineNo.  <IPaddress[/Mask or :Port]>    ->   <IPaddress[/Mask or :Port]>
1        <10.5.3.11/32>                 ->   <198.41.9.194/32>
The user on the Internet could now access the IP address 198.41.9.194 and the NAT Router
would allow access to the NT Station on the NAT Network at address 10.5.3.11. Such entries
can be viewed as "one-to-one translation pairs."
Of course, with this configuration the user could access everything else on the Web server
station, not just the Web service. A more secure NAT Map Database entry would only allow
the external user access to the NT station as a Web Server. This could be done by modifying
the NAT Map Database entry to the following form:
10.5.3.11:80 -> 198.41.9.195:80
The NAT Map Database entry is always entered with the Internal IP address first, followed by
a space, followed by a "->" (a single equal sign "=" could be used instead), followed by a
space, followed by the IP address all External/Internet users will access. See the EDIT
CONFIG NAT MAPPING section for more details.
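The following Python model is an added illustration and is not code from the Compatible Systems documentation or product. It parses NAT Map Database entries in the syntax described above ("internal -> external", with "=" accepted in place of "->") and applies them to inbound packets the way the text describes: an address-only entry such as 10.5.3.11/32 -> 198.41.9.194/32 admits any port, a port-qualified entry such as 10.5.3.11:80 -> 198.41.9.195:80 admits only that port, and an inbound packet that matches no entry is dropped, since inbound sessions are only ever created through the map. The lookup order (first match wins), the requirement that the port be the same on both sides of an entry, and the offset arithmetic used to map a block of external addresses onto a block of internal ones are assumptions of this model, not statements from the page.

```python
"""Toy model of NAT Map Database lookup for inbound (Internet -> NAT Network) packets.

Added illustration, not Compatible Systems code. Assumptions (not from the page):
first matching entry wins; the port, when given, must match on both sides of an
entry; block entries map address i of the external block to address i of the
internal block.
"""
import ipaddress
import re
from typing import List, NamedTuple, Optional, Tuple


class MapEntry(NamedTuple):
    internal: ipaddress.IPv4Network   # /32 for a single host, wider for a block
    external: ipaddress.IPv4Network
    port: Optional[int]               # None means "all ports" (address-only entry)


# One side of an entry: address, optionally followed by /Mask or :Port
_SIDE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)(?:/(\d+)|:(\d+))?$")
# Separator between the two sides: "->" or "=" surrounded by whitespace
_SEP = re.compile(r"\s+(?:->|=)\s+")


def parse_side(text: str) -> Tuple[ipaddress.IPv4Network, Optional[int]]:
    """Parse '10.5.3.11', '10.5.3.11/32' or '10.5.3.11:80' into (network, port)."""
    m = _SIDE.match(text.strip())
    if not m:
        raise ValueError(f"bad map side: {text!r}")
    addr, mask, port = m.groups()
    net = ipaddress.IPv4Network(f"{addr}/{mask or 32}", strict=False)
    return net, (int(port) if port else None)


def parse_entry(line: str) -> MapEntry:
    """Parse one NAT Map Database line, internal side first, as the text requires."""
    parts = _SEP.split(line.strip())
    if len(parts) != 2:
        raise ValueError(f"bad map entry: {line!r}")
    (inet, iport), (xnet, xport) = parse_side(parts[0]), parse_side(parts[1])
    if iport != xport:
        raise ValueError("port must be the same on both sides (model assumption)")
    if inet.prefixlen != xnet.prefixlen:
        raise ValueError("internal and external blocks must be the same size")
    return MapEntry(inet, xnet, iport)


def translate_inbound(entries: List[MapEntry], dst_ip: str,
                      dst_port: int) -> Optional[Tuple[str, int]]:
    """Return the (internal_ip, port) an inbound packet is forwarded to, or None to drop it.

    Only a map entry can admit a packet from the Internet; without a match there is no
    NAT Session to attach it to, so it is dropped.
    """
    dst = ipaddress.IPv4Address(dst_ip)
    for e in entries:
        if dst not in e.external:
            continue
        if e.port is not None and e.port != dst_port:
            continue  # entry is restricted to one service; other ports stay closed
        offset = int(dst) - int(e.external.network_address)
        internal_ip = ipaddress.IPv4Address(int(e.internal.network_address) + offset)
        return str(internal_ip), dst_port
    return None


# Constructed sample map using the two entries discussed in the text.
NAT_MAP = [
    parse_entry("10.5.3.11/32 -> 198.41.9.194/32"),   # whole host reachable
    parse_entry("10.5.3.11:80 = 198.41.9.195:80"),    # Web service only ("=" form)
]

if __name__ == "__main__":
    for ip, port in [("198.41.9.194", 23), ("198.41.9.195", 80),
                     ("198.41.9.195", 23), ("198.41.9.196", 80)]:
        print(f"{ip}:{port} -> {translate_inbound(NAT_MAP, ip, port)}")
```

Running the block shows the difference the text draws between the two entry forms: the address-only pair admits a telnet-style connection to port 23 as readily as port 80, while the port-qualified pair admits port 80 and drops everything else, and an address with no entry at all is dropped regardless of port.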
AN EXAMPLE NAT SESSION USING A NAT MAP DATABASE ENTRY (CONDITION 1.A)
A site on the Internet at 128.138.240.11 attempts to establish an IP session with the Web
Server at 10.5.3.11 on the NAT Network. The site at 128.138.240.11 has no information that
the NAT Web server is at 10.5.3.11; rather the NAT Map Database entry of:
10.5.3.11:80 -> 198.41.9.195:80