Nearly every Internet-connected organization uses some type of network address translation. In this video, you’ll learn how destination NAT and source NAT is used to provide Internet connectivity and to protect your internal servers from users on the Internet.
<< Previous Video: VLANsNext: Remote Access >>
A challenge that we all have when connecting to the internet, especially from a networking perspective, is we just don’t have enough IP addresses to be able to directly connect everyone to the internet, and what we’ve done is provide network address translation to solve that problem. We have hundreds or thousands of people on our network, all with private IP addressing, but when they access the internet, they’re all accessing it through a series of IP addresses that we, as security people, would probably administer.
This is a good example of this. We have a lot of people that are inside of our network on this 192.168 network. Here’s 3.22. Here’s 1.221 and 1.3. These guys are on one subnet. These guys are on another subnet. When they talk to the internet, they’re not going to talk by 192.168.3.22. They actually– you’re going to Google or something that’s out here on the internet side. They’ll send a request to Google, but before it leaves your facility, usually a router– or, in most cases, a firewall– is going to be doing a network address translation.
This is a source network address translation because it’s changing the source IP address that’s being transmitted out to the internet. So, it’s taking and saying you’re no longer 192.168.3.22. To the rest of the internet, you’re going to look as if you are 66.20.1.12. And when Google receives this request from this user, it sees that the source was 66.20.1.12, and it sends the response back to 66.20.1.12.
It’s the job of this device that’s providing that translation to keep track of who has been translated to where. So, when that response comes back from Google, that firewall looks through its table and says, now, who did I NAT out to Google to begin with? Oh, I NATed 192.168.3.22. Let me change it back to its original address and send it on its way.
It sounds like that would be a very involved process– that there would be a lot of latency and delay with it. But the reality is it occurs very, very quickly. And to the end users, it’s invisible– happens instantly. There’s really no delay at all.
Another nice part about this is that we’re not connecting our users directly to the internet. There’s no way for someone on the internet to access 66.20.1.12 directly and somehow end up at this user. The only way you would be able to do that is if that user asked Google first, and Google replied. So, there is a security component to providing that source NAT.
But what if you do have web servers and you do have email servers, and you would like people on the internet to be able to access those devices directly? Well, you do the NAT in the other direction. You do something called a destination NAT. You configure your firewall or your router to say if you ever see an IP address coming in of 66.20.1.14 and that destination port number, perhaps, is TCP 80, we could say that that should be going to our web server.
So, what we’ll do is, if we have an inbound flow and it hits our firewall and it says 66.20.1.14, port 80, well, I’m going to convert that. I’m going to do a destination NAT and change the destination IP to really be 192.168.3.22.
Since this is also usually on a firewall, you can also set security policies to that. You may only do port 80 to that device because that’s our web server. Maybe port 80 and TCP port 443– that’s the only thing you can do to that device. So, you can set up many different IP addresses that go to many different devices. You can set up one IP address and simply decide what port numbers are transmitted to what devices on the network. That’s more of a PAT, a port address translation.
There’s a lot of flexibility that you get with this. But it does provide you with a significant security advantage here because we can now decide who gets to talk into our network, how they get to talk into our network, and what specific devices they can talk to.