Chapter Six: Security | Network address translation 78
Network address translation
The DIVA LAN ISDN Modem uses network address translation (NAT) to “hide” the local LAN it creates from all external resources. The benefit is that all connected computers can access the Internet using one Internet address and one ISP account. For example, when communicating with the Internet, these four computers share the dynamically assigned address 222.182.22.39.
[Figure: Four computers (192.168.1.5, 192.168.1.4, 192.168.1.3, 192.168.1.2) connect over Ethernet to the LAN interface (192.168.1.1) of the DIVA LAN ISDN Modem. The modem's ISP profile uses an address dynamically assigned by the ISP (222.182.22.39) and connects over ISDN to the ISP network and the Internet.]
NAT operates transparently, translating internal addresses to a single external one for all data traffic. There is no effect on throughput.
Most applications will work with NAT. For a list of applications that have been tested by Eicon Technology, see the release notes on the DIVA LAN ISDN Modem CD.
NAT is enabled by default, and it is recommended that you do not turn it off unless you have a specific requirement to do so.
(For more information on IP addressing see “About IP addresses” on page 120.)
Security benefits
An additional benefit of NAT is increased network security. Like a firewall, NAT restricts access to the computers that reside on the local LAN. By default, no computer on the internal LAN is visible to the external network the DIVA LAN ISDN Modem is connected to. This applies to the Internet, as well as a corporate network. Computers on the internal network cannot act as FTP or web servers, nor can they share their drives using Windows Network Neighborhood. These security features can be weakened if you use NAT static mappings.
NAT static mappings
For those cases where you want to create an FTP or web server, or need a computer on the internal LAN to be visible to the external network, the DIVA LAN ISDN Modem provides a solution. You can define NAT static mappings.
How it works
NAT static mappings allow you to designate specific computers on the internal LAN to receive certain incoming network traffic. For example, you could designate a computer to receive all incoming HTTP traffic, essentially allowing it to function as a web server. However, the actual IP address of this computer is still hidden by NAT. Therefore, remote users must specify the address of the DIVA LAN ISDN Modem to gain access to the web server.
When you create a NAT static mapping, the DIVA LAN ISDN Modem routes all traffic for the protocol you specify to the designated computer. This includes traffic normally handled by the DIVA LAN ISDN Modem itself. This leads to the following restrictions:
• Remote access to the configuration interfaces on the DIVA LAN ISDN Modem via the ISDN link can be disrupted. For example, if you designate a computer to receive HTTP traffic, remote access to the web configuration interface will be disrupted. Local access via Ethernet will still be possible, however.
• Only one computer on the internal LAN can be designated to receive the traffic for a specific protocol. This means, for example, that you cannot create multiple web servers or FTP servers.
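The following is an added example, not taken from the manual or from Eicon's software. It models the behaviour described above so the effect of a static mapping on exposure can be checked: inbound traffic is dropped by default, a static mapping takes precedence over the modem's own service, and only one host can be mapped per protocol. The class and method names, the remote addresses, and the session table keyed only on protocol and remote address are assumptions made for illustration.

```python
# Added illustration of the NAT behaviour described in the manual.
# Names are hypothetical; this is a simplified model, not Eicon firmware code.
WAN_IP = "222.182.22.39"      # address dynamically assigned by the ISP (from the figure)
MODEM_SERVICES = {"http"}     # the modem's own web configuration interface

class NatModel:
    def __init__(self):
        self.sessions = {}    # (protocol, remote_ip) -> internal host; real NAT also tracks ports
        self.static = {}      # protocol -> internal host (NAT static mappings)

    def add_static_mapping(self, protocol, host):
        # Only one internal computer may receive the traffic for a given protocol.
        if protocol in self.static and self.static[protocol] != host:
            raise ValueError(f"{protocol} is already mapped to {self.static[protocol]}")
        self.static[protocol] = host

    def outbound(self, host, protocol, remote_ip):
        # Traffic leaves with the single external address; the reply path is remembered.
        self.sessions[(protocol, remote_ip)] = host
        return WAN_IP

    def inbound(self, protocol, remote_ip, via="isdn"):
        """Return the receiver of a packet: an internal host, 'modem', or None (dropped)."""
        if via == "ethernet":
            # Local access to the modem's own services is not affected by static mappings.
            return "modem" if protocol in MODEM_SERVICES else None
        if (protocol, remote_ip) in self.sessions:
            return self.sessions[(protocol, remote_ip)]    # reply to an internal request
        if protocol in self.static:
            return self.static[protocol]                   # mapping wins, even over the modem
        return "modem" if protocol in MODEM_SERVICES else None

    def exposure_report(self):
        # What an administrator should review after adding mappings.
        return {
            "exposed": dict(self.static),
            "remote_config_disrupted": sorted(p for p in self.static if p in MODEM_SERVICES),
        }

if __name__ == "__main__":
    nat = NatModel()
    print(nat.inbound("ftp", "198.51.100.7"))      # unsolicited traffic, no mapping
    nat.add_static_mapping("http", "192.168.1.2")  # constructed sample mapping
    print(nat.inbound("http", "198.51.100.7"))
    print(nat.inbound("http", "198.51.100.7", via="ethernet"))
    print(nat.exposure_report())
```

Each entry in `exposed` is a computer that no longer benefits from the default hiding described under "Security benefits", so it should be hardened as an Internet-facing host.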