how-to block ads
|
Comments on news posted 2000-03-07 22:28:15: NAT (Network address translation) is a fast way of packing multiple devices behind a single, public IP address. ..
| |
Anon | Re: When NAT becomes NOT
FYI: Wingate 4.0 (now in beta at »www.wingate.com) includes NAT. I have been running Wingate 3 since I was unable to get Win98 SE NAT working. Wingate's NAT is working fine for me (althought there are reports of problems, especially with ICQ) and eliminates the need to run client software on the client system. | |
Anon | There is one other way to get a VPN to work with
NAT - use dual-assignment.
While it's a little unorthodox, you can set up your NAT device, then set up a plain-jane router that is bridged ACROSS the NAT. In this scenario most internal machines use the private IP numbers and go through the NAT device. However, the few machines on the inside that must establish VPN connections to the outside, (or vis-versa) these systems use public IP numbers that are routed through the plain-jane router. On the inside net you will be running 2 IP ranges, in fact you can even set up the plain-jane router to route between these ranges, so the internal systems on the public IP range can reach other internal systems on the private range!
In this way you can get the benefit of the IP address conservation of private IP number usage through NAT, as well as run your VPN.
Also, one other thing to consider. In increasing years the shortage of IPv4 numbers will reach far higher porportions than it is today. It is going to be more and more difficult for organizations and individuals to retain large blocks of legal IPv4 IP numbers when either NAT or Proxy is possible. It is also very unlikely that IP v6 will make much difference - in all likelyhood organizations will merely implement NAT devices that not only translate between private and public IP numbers - but also translate between IPv4 and IPv6 numbers! So, even if your ISP delivers IPv6 to your organizations "doorstep", unless you are prepared to replace every single last internal device in your organization with upgraded devices that support IPv6, your going to still be running IPv4 and using NAT.
What this all boils down to is that it's a very bad idea to roll out any TCP/IP solutions at this time that depend on hard-coding the IP number in the data portion of the TCP/IP packet payload. Fancy VPN solutions are best implemented from router-to-router, and that don't involve the desktop computers. | |
Anon | Well, I'm intrigued to read that Windows 98SE ICS doesn't work with PPPoE. In fact, I have it set up on my home network, and it is working fine. This comment is being delivered via ICS and PPPoE (Bell Atlantic is my DSL provider). I didn't know that it wasn't supposed to work until after I set it up--good thing! The hardest part was installing the second NIC in the ICS computer. Once I had the ICS computer talking to my home LAN, installing ICS itself was straightforward. | |
kbgorman
join:2000-03-12
Richmond, VA
 ·Comcast
| I also am using Windows 98SE ICS on my home network without any problems (Bell Atlantic is my DSL provider, PPPoE). I started "fresh" with the host as a stand-alone machine and removed all networking. I then added the NIC for the external modem, followed BA's instructions to set up the DSL connection and made certain it was working correctly, added another NIC for the LAN (added NetBEUI attached only to the home NIC), made certain it was working, and then installed ICS (that was the easiest step!)
There is very little difference in the ICS DSL setup and regular dial-up ICS setup, just make sure you choose "#1 Dialup" in the ICS wizard as the way to connect to the internet, and the local NIC as the adapter you use to access you home network. I also have a regular dialup setup that I use as a backup when DSL is down, and ICS works with both (they both use #1Dialup).
I guess just because someone at Microsoft says it, it may not always be correct (they're just people, too!) Hopefully this misinformation can be corrected. ICS is easy, secure, and free...you can't beat it! | |
Anon | Erm...
NAT, is NOT firewall security. It's simple, very simple address translation. It doesn't prevent inbound connections. It doesn't filter all inside addresses to a singular outside address.
"That's PAT, that does that."
;said the cat in the hat!
The idea behind NAT and PAT is simply to keep publicly routable IP addresses on one side of the router (the public side), and your inside, private (non-routable) addresses on the other.
Effectively, it's as if you had a gate at the end of your street, and all the public mail addresses were given to the gate person, who then distributed them to your private street address within the gated community. A mail bomb sent to your public address will still be delivered to your private one. There is no inspection of the traffic, just forwarding. The security comes from the fact that people cannot see you directly.
(You can further obsfuscate the issue by using someone else's publicly routable address inside your private network, in effect doing an offhand form of NAT at a different layer, but should NAT on the router fail, your network will probably lose total internet connectivity.)
Requiring connections to be established from the inside network is a firewall issue, and is not part of NAT or PAT. It can't be, because if all outside queries were rejected, you'd either have to open a permanent hole in your NAT table, or you'd never give responses to DNS, email, and other queries. That's a good thing right? Umm..not if you're running a game server and want folks to connect to you!
Finally, you can't do encryption over NAT, because the source address is part of the decryption algorythim, and if it's altered, the decryption will fail.
See RFC 1631 at:
»www.faqs.org/rfcs/rfc1631.html
for more detailed info.
Regards,
-Bouncer- | |
justin
Australian
join:1999-05-28
Brooklyn, NY
Host:
IPv6
Business Connectiv..
Home/Office setup ..
Console/Handheld g..
Console Tech
| The mailbomb/mailman analogy is not correct in my experience. NAT devices and NAT software that is being marketed as such do not pass on packages unless a preexisting connection has been opened to the outside party. The letter (packet) cannot be addressed to an inside address unless you've been contacted first.. the packet is dropped.
If you port scan a NAT box, no ports are open, no machines get your packets, no matter how many machines live behind it.
So it isnt a firewall (I said that in the article) but it does provide basic protection.
And the end of the article points out the VPN issues as well.
If you can point me to some documentation for a NAT box or NAT software that shows how a new connection from outside can get in without explicitly allowing it, please post! | |
Anon | Well,
We're kind of going in circles, because I just realized we're talking about two different kinds of NAT. You're referring to outbound-NAT, and I'm referring to bi-directional NAT.
(From RFC 2663: )
"With a Bi-directional NAT, sessions can be initiated from hosts in the public network as well as the private network. Private network addresses are bound to globally unique addresses, statically or dynamically as connections are established in either direction."
Pretty much sums up Bi-directional NAT in a nutshell. We'll call it a draw. (LOL)
To me, the real problem is this:
Neither out-bound or bi-directional does NAT do inspection of the packet. A firewall WILL do that, and more. In addition, out-bound packet sourcing for security isn't part of the RFC, it's more to do with propagating routing tables, and shouldn't be relied upon as the primary method of defense. I'm not down on NAT at all, I just wouldn't bet my data, or recommend you betting yours, on it.
Regards,
-Bouncer- | |
Anon | In the old days, when I had win95 and ppp, I used nat32 (»www.nat32.com), which is an excellent piece of shareware that worked fine with ppp, and which claims to beat win98 connection sharing. Then I switched to Linux, which makes a great NAT box with PPP or with an always-on connection. NAT seems to be usually called "IP Masquerade" in the Linux community. There's a HOWTO document about it (»www.linuxdoc.org/HOWTO/IP-Masque···WTO.html), and when coupled with ipchains you have a pretty decent NAT + firewall box. You can buy these off the shelf or if you have a little nerd in you you can set up your own. | |
|
