IP Masquerading
IP masquerading or network address translation (NAT)
is a technique employed within a firewall,
or border gateway,
to translate, or map,
one set of IP addresses (usually private) to another (usually public).
To use NAT, the firewall connecting the internal LAN to
the external Internet will have
(at least) two network cards, each with its own IP address:
- on the Internet side,
the machine will use a fully-routable address assigned by an ISP.
- on the LAN side,
it will have an address from the non-routable addresses,
defined in RFC 1918 'Address Allocation for Private Internets':
beginning    | ending          | subnet-mask
10.0.0.1     | 10.255.255.254  | 10.0.0.0/8
172.16.0.1   | 172.31.255.254  | 172.16.0.0/12
192.168.0.1  | 192.168.255.254 | 192.168.0.0/16
The primary motivations for using NAT are:
- your network provider may only provide you with
a single IP address to use -
NAT permits multiple hosts to use the same IP address,
- it simplifies the later growth and re-design of a network, and
- external attackers cannot (easily) learn the topology of your internal
network unless they penetrate your firewall.
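A worked example of the two ideas above (the RFC 1918 private ranges and the mapping a masquerading gateway keeps between its LAN-side and Internet-side addresses), written here as an added illustration rather than taken from the lecture or from any real firewall. The gateway model, the class and function names, and the addresses used (203.0.113.5 and 198.51.100.7 are documentation addresses, constructed for the example) are all assumptions; it shows how one public address is shared by several internal hosts, how a reply is mapped back to the right host, and why an unsolicited packet from outside is dropped because no table entry exists for it.

```python
import ipaddress
from dataclasses import dataclass

# The three RFC 1918 private blocks listed on the slide.
RFC1918_BLOCKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_rfc1918(addr: str) -> bool:
    """True if addr lies inside one of the RFC 1918 private blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in block for block in RFC1918_BLOCKS)


@dataclass
class Packet:
    """Minimal IP/transport header: just the fields NAT rewrites or consults."""
    src: str
    sport: int
    dst: str
    dport: int


class Masquerader:
    """Toy source-NAT gateway with a LAN-side (private) and an Internet-side
    (public) address. Hypothetical model for illustration only.

    Outbound packets from the LAN are rewritten to carry the gateway's single
    public address and a freshly allocated port; the (private ip, private port)
    pair is remembered so that replies can be mapped back to the originating host.
    """

    def __init__(self, public_ip: str, first_port: int = 20000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.table = {}    # public port -> (private ip, private port)
        self.reverse = {}  # (private ip, private port) -> public port

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite a LAN -> Internet packet so it appears to come from public_ip."""
        if not is_rfc1918(pkt.src):
            raise ValueError(f"refusing to masquerade non-private source {pkt.src}")
        key = (pkt.src, pkt.sport)
        port = self.reverse.get(key)
        if port is None:                      # first packet of this flow: allocate a port
            port = self.next_port
            self.next_port += 1
            self.table[port] = key
            self.reverse[key] = port
        return Packet(self.public_ip, port, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet):
        """Map an Internet -> gateway packet back to the LAN host, or return None
        (drop) when it matches no existing translation."""
        if pkt.dst != self.public_ip:
            return None
        entry = self.table.get(pkt.dport)
        if entry is None:
            return None                       # unsolicited: nobody inside asked for it
        priv_ip, priv_port = entry
        return Packet(pkt.src, pkt.sport, priv_ip, priv_port)


if __name__ == "__main__":
    gw = Masquerader("203.0.113.5")           # constructed public address
    a = gw.outbound(Packet("192.168.1.10", 40000, "198.51.100.7", 80))
    b = gw.outbound(Packet("192.168.1.11", 40000, "198.51.100.7", 80))
    print("host A leaves as", a.src, a.sport)
    print("host B leaves as", b.src, b.sport)
    print("reply for A goes to", gw.inbound(Packet("198.51.100.7", 80, "203.0.113.5", a.sport)))
    print("unsolicited packet ->", gw.inbound(Packet("198.51.100.7", 80, "203.0.113.5", 31337)))
```

Two hosts using the same private source port both leave through the one public address, distinguished only by the port the gateway allocated; an outside observer sees just 203.0.113.5, which is the topology-hiding property the last bullet describes. The `is_rfc1918` check is also a useful sanity test on its own: traffic arriving on the Internet-side interface with an RFC 1918 source address should never be legitimate.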
CITS3002 Computer Networks, Lecture 11, Security of TCP/IP, p25, 15th May 2024.