What is NAT?

Network Address Translation (NAT) is designed for IP address simplification and conservation, as it enables private IP internetworks that use nonregistered IP addresses to connect to the Internet. NAT can operate on the PIX or a router, usually connecting two networks together, and translates the private (not globally unique) addresses in the internal network into globally unique addresses before packets are forwarded onto another network. As part of this functionality, NAT can be configured to advertise only one address for the entire network to the outside world. This provides additional security, effectively hiding the entire internal network from the world. NAT has the dual functionality of security and address conservation and is typically implemented in remote access environments.

There are three types of NAT available to the PIX.

- Static NAT – Static NAT is when each host on the internal network is permanently or statically mapped to an address on the external network. Because this is not a dynamic assignment process, a certain amount of administrative overhead is involved with this method.

- Dynamic NAT – Dynamic NAT intercepts traffic from a host on the internal network and maps it to an externally registered Internet Protocol (IP) address available from a pool of addresses maintained by the PIX Firewall. All translations are stored in a table to allow the traffic to make its way back to the internal host.

- PAT – Think of PAT as the port-based version of NAT. Traffic is identified and routed through a single IP address assigned to an external interface on the firewall. PAT maps the source address of internal host connections to a single IP address on the external interface. The PIX Firewall selects and assigns the packets a new (TCP or UDP) source port number. The port remapping is tracked by the PIX Firewall so that return traffic can be routed back to the correct internal host.

Implementing NAT for use with in-bound H.323 traffic

For the purpose of this paper we will look at using a Static NAT environment, since this will allow outside callers to easily connect to systems on the inside of the firewall. The reason for choosing this is simple. If we were to use Dynamic NAT, then after a user-configurable timeout period during which there have been no translated packets for a particular address mapping, the entry is removed from the translation table and that address is freed for use by another inside host. By contrast, if we use Static NAT, we give an inside host a permanent outside address and no timeouts occur. This will be especially useful for gatekeeper interaction.
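The following PIX 6.x-style configuration fragment is an added illustration, not taken from this paper, showing the three translation types side by side and the static mapping chosen for the H.323 terminal. All addresses are constructed examples from documentation ranges, the interface names are assumptions, and lines beginning with "!" are annotations rather than configuration.

```text
! Interfaces (assumed names and addresses)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.1 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0

! Static NAT: the H.323 terminal 10.1.1.10 is always reachable as 203.0.113.10.
! This xlate is permanent; it is never aged out of the translation table.
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255 0 0

! Dynamic NAT: every other inside host draws an address from a pool.
nat (inside) 1 10.1.1.0 255.255.255.0 0 0
global (outside) 1 203.0.113.20-203.0.113.30 netmask 255.255.255.0

! PAT: once the pool is exhausted, remaining hosts share one address
! and the PIX rewrites their TCP/UDP source ports.
global (outside) 1 203.0.113.31 netmask 255.255.255.255

! Idle time after which a dynamic (nat/global) xlate is removed and its
! outside address freed; an inbound call to such an address then fails.
timeout xlate 3:00:00

! Inbound H.225 call setup (TCP 1720) is permitted only to the
! statically mapped address, never to the dynamic pool.
access-list inbound_h323 permit tcp any host 203.0.113.10 eq 1720
access-group inbound_h323 in interface outside
```

Hosts behind the dynamic pool or PAT address can still place outbound calls, but only the static mapping gives an outside caller or gatekeeper a stable address to dial.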

Copyright © 2001 Cisco Systems, Inc.

Page 5 of 11
