NAT FAQ - Network Address Translation
(Last modified: 07Jul2005)
This document (10011263) is provided subject to the disclaimer at the end of this document.
How do I install and configure NAT?
Are there any AppNotes on NAT?
Formerly TID 2928309
Novell NetWare 4.11
Novell BorderManager 2.1
Novell BorderManager FastCache 2.1
Novell BorderManager FastCache 3.0
Novell BorderManager 3.0
Novell NetWare 5.0
Novell NetWare 4.2
1. Q: How do you install and configure NAT?
A: See linked solution.
2. Q: Are there any AppNotes on NAT?
A: See the March 1998 AppNote article "Network Address Translator (NAT) Theory and Troubleshooting".
3. Q: Where can I get NAT specifications?
A: The best document describing the NAT specifications is the RFC describing NAT (RFC 1631).
4. Q: How is NAT packaged?
A: NAT is shipped free as a component of BorderManager and does not have a user stratification level. NAT ships with NetWare 5.0 and above. With NetWare 4.2, if you install NIAS and have the latest support pack, you will also have NAT.
5. Q: On which Novell platforms is NAT available?
A: NAT is currently available on the NetWare 4.11, 4.2 and NetWare 5.0, 5.1 platforms.
6. Q: What sort of IP addressing should I use with NAT?
A: To determine which IP addresses to assign to private hosts when NAT is used, use the guidelines in RFC 1918. In summary, RFC 1918 explains that the Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of IP address space for private internets:
10.0.0.0 to 10.255.255.255 (10/8 prefix)
172.16.0.0 to 172.31.255.255 (172.16/12 prefix)
192.168.0.0 to 192.168.255.255 (192.168/16 prefix)
The first block is referred to as a 24-bit block, the second block as a 20-bit block, and the third block as a 16-bit block.
Note that the first block is a single class A network number, whereas the second block is a set of 16 contiguous class B network numbers and the third block is a set of 256 contiguous class C network numbers. Because the backbone routers of the Internet have filters that prevent them from forwarding packets to these network addresses, using the addresses offers additional protection for private hosts hidden by the Novell IP Gateway or NAT in the event that the gateway, NAT, or firewall malfunctions. However, the routers used by some ISPs might not have filters for these addresses, thereby allowing access to your private hosts by any IP hosts that use the same ISP. An enterprise can use the network numbers of the address space described in RFC 1918 without any coordination with IANA or an Internet registry. Therefore, the network numbers can be used by any enterprise. Addresses within this private address space must be unique within the enterprise, or within the set of enterprises that choose to share the address space in order to communicate with each other using their own private internet.
7. Q: What are the main differences between the IP-IP gateway and NAT?
A: Both BorderManager components are circuit-level filters, but there are fundamental differences between them. NAT (client independent) can be used to allow IP hosts on your private network that do not have globally unique registered addresses to access the Internet, and to limit the access of hosts on the public network to resources on your private network. The IP-IP gateway (only supported in a Windows environment) works more at the user level, where IP Gateway users' access to IP services can be restricted based on the access control rights (ACLs) set up for each user. Because the IP-IP gateway works at the user level, it performs less well than NAT, which works at the network and transport layers.
8. Q: How can I use NAT to block access at the user level?
A: NAT only works at the host (IP) level. To restrict access at the user level, one has to implement the IP gateway
component. Such a component will allow you to restrict user access to IP services based on the access control rights
(ACLs) configured for that user.
9. Q: How many concurrent NAT sessions are supported in the BorderManager product?
A: NAT provides a pool of 5,000 ports for TCP connections, a pool of 5,000 ports for UDP mappings, and a pool of
5,000 ports for ICMP mappings. To establish a new conversation when all 5,000 UDP or ICMP mappings are being
used, NAT drops the oldest mapping and provides a port number to the new mapping.
10. Q: What decision process occurs when all TCP/UDP connections are in use and a new connection request comes in?
A: To establish a new conversation when all 5,000 UDP or ICMP mappings are being used, NAT drops the oldest
mapping and provides a port number to the new mapping. To establish a new TCP connection when all 5,000 connections are being used, NAT provides a port number to the new connection by dropping the oldest connection that meets the following criteria in the order shown:
+ Any connection that has had no packets for more than eight hours
+ Any connection that has been trying to connect for two minutes but has been unable to connect (that is, the three-way TCP handshake has not been completed)
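The eviction rules from questions 9 and 10, modelled as an added Python example (not Novell's code and not part of the original document). Assumptions: "oldest" means earliest created, a full TCP pool with no evictable entry refuses the new request, and FIRST_PORT is an illustrative value.

```python
from collections import OrderedDict
from dataclasses import dataclass

POOL_SIZE = 5000            # ports per protocol pool, as stated in the FAQ
IDLE_LIMIT = 8 * 3600       # "no packets for more than eight hours"
HANDSHAKE_LIMIT = 2 * 60    # "trying to connect for two minutes"
FIRST_PORT = 50000          # assumption: the FAQ only says "high port numbers"


@dataclass
class TcpEntry:
    port: int           # translated port handed out by NAT
    created: float      # when the mapping was created (seconds)
    last_packet: float  # when the last packet was seen
    established: bool   # True once the three-way handshake completed


class TcpPool:
    def __init__(self, size=POOL_SIZE):
        self.free = list(range(FIRST_PORT, FIRST_PORT + size))
        self.entries = {}  # port -> TcpEntry

    def _victim(self, now):
        live = self.entries.values()
        # Criterion 1, then criterion 2, in the order the FAQ lists them.
        idle = [e for e in live if now - e.last_packet > IDLE_LIMIT]
        half_open = [e for e in live
                     if not e.established and now - e.created >= HANDSHAKE_LIMIT]
        for candidates in (idle, half_open):
            if candidates:
                return min(candidates, key=lambda e: e.created)  # oldest first
        return None

    def allocate(self, now):
        if not self.free:
            victim = self._victim(now)
            if victim is None:
                return None  # assumption: refused; the FAQ is silent on this case
            del self.entries[victim.port]
            self.free.append(victim.port)
        port = self.free.pop(0)
        self.entries[port] = TcpEntry(port, now, now, False)
        return port

    def seen(self, port, now, handshake_done=False):
        """Record a packet on an existing connection."""
        entry = self.entries[port]
        entry.last_packet = now
        entry.established = entry.established or handshake_done


class DatagramPool:
    """UDP or ICMP mappings: when full, the oldest mapping is always dropped."""

    def __init__(self, size=POOL_SIZE):
        self.size = size
        self.mappings = OrderedDict()  # port -> creation time, oldest first

    def allocate(self, now):
        if len(self.mappings) >= self.size:
            port, _ = self.mappings.popitem(last=False)  # evict the oldest
        else:
            port = FIRST_PORT + len(self.mappings)
        self.mappings[port] = now
        return port
```

In this model a TCP pool filled with active, established connections admits nothing new, while a UDP or ICMP pool always admits the newcomer at the expense of the oldest mapping.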
11. Q: Can I use NAT with Unnumbered Links?
A: No. NAT can only be linked to numbered interfaces. There is no support for NAT and unnumbered links.
12. Q: Does NAT occur before or after policy routing?
A: Routing occurs on the local addresses, which means that a public-to-private translation occurs before routing and a private-to-public translation occurs after routing. (This answer still needs to be checked further.)
13. Q: What types of packets does NAT filter?
A: The types of packets that NAT filters are largely determined by the mode in which it is operating. The NAT mode is set using the Status parameter. There are four possible settings for this parameter: Disabled, Dynamic Only, Static Only, and Dynamic and Static.
If a NAT-enabled interface is configured for Disabled, all incoming and outgoing packets are passed without any
modifications to either the source or destination IP address or port. This is the default setting.
If a NAT-enabled interface is configured for Dynamic Only, the filtering rules are as follows:
+ Packets that originate from the private network or services running on the Novell Internet Access Server 4.1 system
have their source address and port translated and are forwarded to the destination address.
+ Inbound ICMP packets of types 0, 3, 4, 8, 11, 12, 17, and 18 are allowed access. All other types of ICMP packets,
including ICMP redirect (type 5), are dropped. Inbound ping request (ICMP echo) packets are answered by NAT
when requests are addressed to the NAT interface IP address.
+ Packets that originate from the public network and that do not correspond to requests that originated from the private
network are dropped.
NOTE: NAT translates any outbound packets that pass through the interface. For a private network that has
both registered and unregistered IP addresses, the registered IP addresses are translated to the registered
address configured for the NAT interface.
If a NAT-enabled interface is configured for Static Only, the filtering rules are as follows:
+ Only packets received from the public network with a destination address that matches one of the public addresses
configured in the network address translation table are allowed access.
+ Only the private hosts defined in the network address translation table are allowed access to the public network. Any
packets from other private hosts are dropped.
+ Packets that originate from the public network and that are not destined to any public addresses configured in the
network address translation table are dropped.
NOTE: By configuring filters for a NAT-enabled interface, a secure static translation can be created by allowing
only specified services, hosts, or networks access from the public network.
If a NAT-enabled interface is configured for Dynamic and Static, the filtering rules are as follows:
+ Inbound packets that are not destined for one of the public addresses configured in the network address translation
table or that are not translatable are dropped. Untranslatable packets are those that cannot be matched with an existing
outbound dynamic flow.
+ Outbound packets from any private hosts are translated. Packets from configured static private hosts are treated
according to the rules for static mode, and all other packets are treated according to the rules for dynamic mode.
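The per-mode rules above, together with the identity-mapping case from questions 20 and 37, written as a decision function; this is an added example, not Novell's implementation. The packet dictionaries, the flow-tuple layout, the verdict strings and the sample addresses are constructed for illustration.

```python
from enum import Enum


class Mode(Enum):  # the four values of the Status parameter
    DISABLED = "Disabled"
    DYNAMIC = "Dynamic Only"
    STATIC = "Static Only"
    BOTH = "Dynamic and Static"


ALLOWED_INBOUND_ICMP = {0, 3, 4, 8, 11, 12, 17, 18}  # type 5 (redirect) is absent


def _static(public_ip, private_ip):
    # Identical public and private addresses mean no translation (question 37).
    return "forward-untranslated" if public_ip == private_ip else "translate-static"


def decide(mode, direction, pkt, static_table, flows):
    """Return the verdict for one packet on a NAT-enabled interface.

    direction    -- "out" (private to public) or "in" (public to private)
    pkt          -- dict with src, dst, proto and icmp_type or sport/dport
    static_table -- {public_ip: private_ip}
    flows        -- {(proto, remote_ip, remote_port, nat_port)} opened outbound
    """
    if mode is Mode.DISABLED:
        return "forward-untranslated"
    by_private = {priv: pub for pub, priv in static_table.items()}

    if direction == "out":
        if mode is not Mode.DYNAMIC and pkt["src"] in by_private:
            return _static(by_private[pkt["src"]], pkt["src"])
        # Static Only drops unlisted private hosts; the other modes translate.
        return "drop" if mode is Mode.STATIC else "translate-dynamic"

    if mode is not Mode.DYNAMIC and pkt["dst"] in static_table:
        return _static(pkt["dst"], static_table[pkt["dst"]])
    if mode is Mode.STATIC:
        return "drop"
    if mode is Mode.DYNAMIC and pkt["proto"] == "icmp":
        return "accept" if pkt["icmp_type"] in ALLOWED_INBOUND_ICMP else "drop"
    # The FAQ lists no ICMP rule for Dynamic and Static, so ICMP falls through
    # to the flow check here like any other unsolicited inbound packet.
    key = (pkt["proto"], pkt["src"], pkt.get("sport"), pkt.get("dport"))
    return "translate-dynamic" if key in flows else "drop"


# Constructed sample data (documentation address ranges, not from the FAQ).
STATIC_TABLE = {"192.0.2.10": "10.0.0.10", "192.0.2.20": "192.0.2.20"}
FLOWS = {("tcp", "198.51.100.7", 80, 50001)}
```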
14. Q: What kind of routing performance can I expect when I use NAT?
A: NAT is fast-switched on all supported Novell platforms. A low number of NAT translations will affect performance less than a high number of translations. For most applications, degradation of performance due to NAT should be negligible.
15. Q: Is it possible to build a configuration with both static and dynamic NAT translations?
A: Yes, this is possible. NAT can be configured to operate simultaneously in both dynamic and static mode. This
combination mode is used when your private network has hosts that want to access the Internet and has resources that
you want to be accessed by public hosts. To use dynamic and static mode, the locally bound (primary) IP address will
be used as the public address for the dynamic translation. One public address (secondary) must be configured for each
private host being made accessible to the public.
16. Q: What happens with NAT configured in dynamic mode when a private host, by chance, initiates a connection on a port that is in use by another host?
A: If this happens, the local port will be translated as well as the source address.
17. Q: Can NAT be applied to any type of interfaces?
A: Yes. Source and/or destination NAT translations can be applied to any interface configured through INETCFG. Note that the NetWare Connect interfaces (dialup interfaces) are configured through NWCCON and therefore cannot be NAT enabled.
18. Q: Can NAT be used to provide redundant links to an ISP?
A: No. In this scenario, the standby router wouldn't have the translation table of the active router, so when the cut over
happens, connections time out and fail.
19. Q: Does NAT support inbound translations on a serial trunk running Frame Relay? Does it support outbound
translations on the Ethernet side?
A: Yes to both questions.
20. Q: Can a single NAT-enabled router allow some users to utilize NAT and allow other users on the same Ethernet
interface to continue with their own IP addresses?
A: No, in dynamic mode. All communication going through the NAT-enabled interface will be translated by NAT. This includes valid registered Internet IP addresses located on the private network that also pass through the NAT-enabled interface. Yes, in 'static' or 'static and dynamic' mode. This is done by configuring the non-translated IP address as both the public and the private IP address in the mapping.
21. Q: What is dynamic NAT?
A: When NAT is enabled in dynamic mode, all (local) private addresses are translated to a single public (usually
registered) IP address. Unique port numbers on each translation are used to distinguish between the conversations.
With NAT running in dynamic mode, a translation entry containing full address and port information is created. A port
translation may be created if another translation is using that port number with that outside/global address. This is
necessary in order to eliminate any ambiguity about which translation needs to be applied to each packet traversing the
22. Q: When configured for dynamic NAT, what is the maximum number of translations that can be made with one
public IP address?
A: Theoretically, because the port number is encoded in 16 bits, you have 65,536 possible values. In practice, our
NAT only supports 5000 translations for each TCP, UDP, and ICMP mapping. We use a range of high port numbers
to support dynamic mode translation.
23. Q: What is static NAT?
A: In static mode, NAT is configured with a table of IP address pairs. Each table entry contains a pair of IP addresses
for each host that public hosts are permitted to access. The first IP address in each pair is a public IP address to which
the private address is mapped; the second address is the address of the host on your private network. Because public
hosts can access private hosts only by using the public IP address, public hosts can access only those hosts that have
their IP addresses defined in this network address translation table. In a LAN environment, users will need to add secondary IP addresses for the public IP address in order to make more than one private host accessible to public users. In addition, once a private IP host has an entry configured in the network address translation table, it has full access to public IP hosts. To use static mode, one public IP address must be configured for each private host.
24. Q: When configured for static NAT, is it possible to map the private IP address to the public IP address?
A: The private and public address of each address pair configured in the network address translation table cannot be
set to the same IP address unless:
+ the public address is used to access local services on the router running NAT (Examples of local services include an
FTP server and a World Wide Web server) or;
+ users do not want those particular IP addresses to be translated. This implies that NAT can support a mixed private network that has both registered and unregistered IP addresses.
25. Q: When configured for static NAT can I map multiple private hosts to the same public IP address?
A: No. The private/public IP address mapping needs to be unique. In cases where you have more than one host on the
private network that you want to 'make visible' to the public network, you will have to add secondary IP addresses to
your public interface. Note that NAT doesn't support one-to-many or many-to-one mapping in this release.
26. Q: When configured for static NAT, how can I setup my NAT to make more internal hosts visible to the public network?
A: This will have to be done through multihoming. Multihoming enables a system to assume multiple IP addresses on the
same network. A secondary IP address can be configured on the same interface that has the primary IP address, or a
secondary address can be configured on a different interface. When multiple interfaces exist, the secondary address is
associated with the interface that is bound to an address that is on the same network. Add a secondary IP address by
entering the following command at the system console:
"add secondary ipaddress x.x.x.x "
27. Q: Is there a limit to the number of secondary IP addresses one can configure per interface with the 'add secondary IP Address' command?
A: There is no hard-coded limit to the number of secondary IP addresses that can be configured per interface. The actual limit depends on two conditions:
1. The server must have enough memory to handle the additional secondary IP addresses. (Every new secondary IP address that is configured takes up an additional 8 bytes of memory.)
2. You must not have reached the maximum number of nodes for your network. (You cannot configure 300 secondary IP addresses for a class C address!)
28. Q: When the router uses IPCP to automatically obtain an IP address from an ISP, how will NAT handle the assigned addresses?
A: If "Remote Router will dynamically Assign the IP Address" is set to Yes and the assigned address is subject to change, only dynamic mode is practical. If the assigned IP address is subject to change, all static mappings, which are specific to a fixed IP address, will NOT remain consistent when the assigned IP address changes. Do not use static mode if the public interface does not have a fixed IP address! If the IP address assigned by the remote router is fixed, any of the NAT modes will work.
29. Q: Will a NAT router properly handle ICMP Redirects?
A: No. Inbound ICMP packets of types 0, 3, 4, 8, 11, 12, 17, and 18 are allowed access. All other types of ICMP
packets, including ICMP redirect (type 5), are dropped. Inbound ping request (ICMP echo) packets are answered by
NAT when requests are addressed to the NAT interface IP address.
30. Q: Does NAT support queries that embed IP addresses in the DATA field?
A: With the current version of NAT, there is limited support for applications that embed IP addresses in the DATA field. Examples of such applications include RealAudio, SMTP, HTTP, DNS, NFS, and BOOTP. With the next release of NAT, most of these issues will be addressed.
31. Q: Will a NAT router properly handle FTP sessions?
A: NAT performs special processing to allow FTP to function properly when a client is on the private side and a server is on the public side. In dynamic mode, NAT supports all FTP requests (PASV, PORT) when going from the private to the public network. Normally, NAT would disturb this process (see RFC 1579 for more information on the problem). However, in this ONE instance, Novell's NAT will look inside the data portion of the PORT command packet and translate the private address (and port, if dynamic NAT is being used), thus allowing the public server to make its data connection back to the private client. This is the ONLY scenario in which Novell's NAT translates information within the data portion of a packet. Without this feature, the public server would be given the client's private address but would not be able to route to it.
There is another concern with FTP and NAT. It occurs when a public client is trying to reach a private FTP server while NAT is running in static mode to allow connection to the server via a static mapping. In this scenario, if the client is set up to make a 'passive open', the session will fail. Passive mode causes the server to send data to the client containing the address and port number that the client should use to establish the data connection. This data (unlike the PORT data in the example above) does NOT get translated, so the attempted connection fails.
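A string-level model of the two FTP cases described above, added here as an example and not taken from Novell's NAT: the PORT command that is rewritten on its way out, and the 227 passive-mode reply from a private server that is left as it is. The map_port callback, the function names and the sample addresses are hypothetical.

```python
import ipaddress
import re

# The three private blocks listed in question 6 (RFC 1918).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SIX = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PORT_RE = re.compile(r"^PORT " + SIX + r"\r?\n?$", re.IGNORECASE)
PASV_RE = re.compile(r"^227 [^(]*\(" + SIX + r"\)")


def parse_hostport(fields):
    """Turn h1,h2,h3,h4,p1,p2 into (dotted address, port)."""
    nums = [int(f) for f in fields]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range in FTP host-port")
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def format_hostport(ip, port):
    """Inverse of parse_hostport: six comma-separated decimal bytes."""
    return ",".join(ip.split(".") + [str(port >> 8), str(port & 0xFF)])


def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def rewrite_port(line, public_ip, map_port):
    """Private client to public server: replace the private endpoint in PORT.

    map_port(private_ip, private_port) returns the translated port (dynamic
    mode). Any other control line is returned unchanged.
    """
    m = PORT_RE.match(line)
    if m is None:
        return line
    private_ip, private_port = parse_hostport(m.groups())
    nat_port = map_port(private_ip, private_port)
    return "PORT " + format_hostport(public_ip, nat_port) + "\r\n"


def leaked_pasv_endpoint(line):
    """Private server to public client: a 227 reply is not translated.

    Returns the advertised (ip, port) when it is an RFC 1918 address the
    public client cannot reach, otherwise None.
    """
    m = PASV_RE.match(line)
    if m is None:
        return None
    ip, port = parse_hostport(m.groups())
    return (ip, port) if is_rfc1918(ip) else None
```

A translator that changes the length of the PORT line in flight must also adjust TCP sequence and acknowledgement numbers for the rest of the control connection, which this model leaves out.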
32. Q: Why doesn't NAT support SNMP traffic?
A: The SNMP packet format depends on the particular MIB being used and is not self-describing. There is no single
format for SNMP requests and responses that can be processed in a general fashion.
33. Q: Does NAT support DNS queries?
A: No, the current version of NAT will not translate the address(es) which appear in DNS responses to name lookups
(A queries). Thus, if an outside host sends a name-lookup to a DNS server on the inside, and that server responds with
a local address, the NAT code will not translate that local address to a global address.
34. Q: Can I use NAT to restrict access to internal EMAIL (SMTP, POP3) servers?
A: Yes, but the NAT module should be used in conjunction with the IP Filtering modules so that only certain hosts can
access the EMAIL servers on the private network.
35. Q: What does the 'SET NAT dynamic mode to pass THRU = ON' do?
A: When this parameter is set to ON, all applications that may be running locally on the NAT-enabled router will be accessible. When the parameter is set to OFF, none of these applications (e.g. FTP or HTTP servers) will be accessible.
36. Q: With NAT configured in Static mode only, the BorderManager server running NAT is no longer able to communicate with any host on the public network. Why is this so?
A: The main reason for this is that the NAT table does not contain an entry for the IP address that you are trying to PING. When the PING request (from the NAT-enabled router to the public network) goes out on the NAT-enabled interface, it forces a lookup of the NAT table. The NAT table does not contain an entry for the public IP address being pinged, so NAT discards the request. The end result is that the request never goes out the public interface.
37. Q: What happens when NAT is configured in static mode and the public/private IP address mapping is the same address?
A: With the above-mentioned setup, no translation will take place. When the request comes into the NAT-enabled interface and the public/private mapping is to the same IP address, the packet is forwarded without any translation whatsoever.
38. Q: Is it possible to setup NAT in dynamic mode on the private interface when the public interface is an unnumbered WAN connection?
A: No, this is not possible, because the public interface in the BorderManager server doesn't have an IP address assigned, i.e. it is a real unnumbered link. When the packets go out the WAN interface, the NAT_Send routine is called, but there is no IP address associated with that interface. If we enable NAT on the private interface (where there is a registered IP address), the NAT_Send routine is called to translate the private IP addresses of the workstations to the NAT-enabled IP address. Once the translation has taken place, the next step should be to send the packet out that interface via TCPIP.NLM calls. However, to get to the public network, the packet has to be forwarded to another internal interface within the server, i.e. the unnumbered interface. This is why it will not work: in dynamic mode, NAT thinks it is the final interface in the BorderManager server before passing the packets to another host on the Internet.
39. Q: When configured for static NAT, do I need to specify a subnet mask for the IP addresses?
A: Currently not. The subnet mask is normally used to sanity-check the addresses if they are allocated from a pool of addresses (so we don't allocate the subnet broadcast address, for example). The subnet mask must match the size of the subnet into which you are translating. We do not have a pool of addresses to allocate from, and therefore no mask is required. With Novell's version of NAT, the INETCFG utility checks to make sure that the configured public address, in static mode, is on the same net/subnet as the locally bound IP address. If an inconsistency is found, the administrator will be prompted. This implies that NAT uses the net mask from the configured local (primary) IP address.
40. Q: Does NAT support RealAudio?
A: RealAudio works in TCP mode through our NAT, but not in UDP (default) mode. This is the standard case with RealAudio in a firewall environment.
41. Q: Can NAT secure my private Network completely from intruders?
A: No! NAT-enabled hosts provide security to private networks by hiding the topology of the private network. However, the NAT host is still directly accessible from the public network and therefore needs to be secured from potential intruders. This may be done by adding network and packet layer filters to that host so that only certain configured hosts/networks can access the NAT server. Administrators can also turn on filter logging to capture potential intruders.
42. Q: What effects does NAT have on NDS/eDirectory performance and Synchronization?
A: Inside a fully natted environment, none, if all servers can communicate with each other using the natted addresses assigned to them. If a server that sits outside the NAT tries to communicate with a server with an address of 10.0.0.1, that communication will fail because there is no way for the server sitting outside the NAT to discover the route to 10.0.0.1. The server sitting within the NAT can initiate a communication with the server sitting outside the firewall, but once the reply has been made back to the natted server, the server outside the NAT can no longer rediscover the natted address. With this in mind, other items like synchronization cannot occur, and timesync cannot be configured properly.
Document Title: NAT FAQ - Network Address Translation
Novell Product Class: Connectivity Products
Novell BorderManager Services
The Origin of this information may be internal or external to Novell. Novell makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Novell makes no explicit or implied claims to the validity of this information.
Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.