IP NAT "Overlapping" / "Twice NAT" Operation
(Page 3 of 3)
Overlapping / Twice NAT Example
Let's try a new example. Suppose our network has been improperly numbered so that it is not in the 10.0.0.0 private block but in the 18.0.0.0 block used by MIT. A client on our private network, 18.0.0.18, wants to send a request to the server www.twicenat.mit.edu, which has the address 18.1.2.3 at MIT. Our client can't just create a datagram with 18.1.2.3 as the destination and send it out, because the router will think the destination is on the local network and will not route it. Instead, 18.0.0.18 uses a combination of DNS and NAT to obtain an address for the outside device, as follows:
- The client on our local network (18.0.0.18) sends a DNS request to get the address of www.twicenat.mit.edu.
- The (Twice-NAT compatible) NAT router serving our local network intercepts this DNS request. It then consults its tables to find a special mapping for this outside device. Let's say it is programmed to translate www.twicenat.mit.edu into the address 172.16.44.55, a private, non-routable RFC 1918 address.
- The NAT router returns this value, 172.16.44.55, to the client, which uses it as the destination address.
Once our client has the translated address, it initiates a transaction just as before. NAT will now translate the addresses of both the inside device and the outside device. The outside device's address must be translated because the inside device is using 172.16.44.55, which isn't a valid address for the server it is trying to reach. The inside device's address must still be translated as in regular NAT, because 18.0.0.18 is not a valid public address for us: it may refer to a real machine at MIT, and we aren't supposed to be using it on the Internet!
Let's say that we are still using the pool of 20 inside global addresses from 194.54.21.1 through 194.54.21.20 for inside addresses, and let's further suppose the NAT router chooses 194.54.21.12 for this particular exchange. The transaction sequence would be roughly as described in Table 77, and illustrated in Figure 115.
Table 77: Operation Of Overlapping NAT / Twice NAT

| Step # | Description | Datagram Type | Datagram Source Address | Datagram Destination Address |
|---|---|---|---|---|
| 1 | Inside Client Generates Request And Sends To NAT Router: Device 18.0.0.18 generates a request using the destination 172.16.44.55 that it got from the (NAT-intercepted) DNS query for www.twicenat.mit.edu. The datagram is sent to the NAT router for the local network. | Request (from inside client to outside server) | 18.0.0.18 (Inside Local) | 172.16.44.55 (Outside Local) |
| 2 | NAT Router Translates Source Address And Destination Address And Sends To Outside Server: The NAT router makes two translations. First, it substitutes the 18.0.0.18 address with a publicly registered address, which is 194.54.21.12 for this example. It then translates the bogus 172.16.44.55 back to the real MIT address for www.twicenat.mit.edu. It routes the datagram to the outside server. | Request (from inside client to outside server) | 194.54.21.12 (Inside Global) | 18.1.2.3 (Outside Global) |
| 3 | Outside Server Generates Response And Sends Back To NAT Router: The MIT server at 18.1.2.3 generates a response and sends it back to 194.54.21.12, which causes it to arrive back at the NAT router. | Response (from outside server to inside client) | 18.1.2.3 (Outside Global) | 194.54.21.12 (Inside Global) |
| 4 | NAT Router Translates Source Address And Destination Address And Delivers Datagram To Inside Client: The NAT router translates back the destination address to the actual address being used for our inside client, as in regular NAT. It also substitutes back in the 172.16.44.55 value it is using as a substitute for the real address of www.twicenat.mit.edu. | Response (from outside server to inside client) | 172.16.44.55 (Outside Local) | 18.0.0.18 (Inside Local) |
Figure 115: Operation Of Overlapping NAT / Twice NAT. This figure is very similar to Figure 112, except that, as you can see, both the source and destination addresses are translated by the NAT router each time (shown in bold). Table 77 contains a complete explanation of the four steps in overlapping NAT. Refer to Figure 111 for an explanation of address types.
As you can see, in this example the outside local and outside global addresses are different, unlike in the preceding NAT examples. Twice NAT can also handle an inbound transaction, by watching for datagrams coming in from the Internet that overlap with the addresses used on the local network and doing double substitutions as required.
Key Concept: Overlapping NAT is used in situations where both the source and destination addresses in a datagram are private addresses or otherwise cannot be used regularly on the public Internet. In this case, unlike the other types of NAT, the NAT router translates both the source and destination addresses of incoming and outgoing datagrams. On outgoing messages, inside local addresses are changed to inside global and outside local to outside global; on incoming messages, inside global addresses are changed to inside local and outside global to outside local.
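As an added example (not code from The TCP/IP Guide), the following Python simulator walks through the DNS intercept and the four rows of Table 77 with the page's own addresses, applying exactly the translation rules of the Key Concept above. The class and method names (TwiceNatRouter, resolve, bind, outbound, inbound) are this example's own. It also makes explicit a point the text only implies: an inbound datagram addressed to an inside global address that has no binding in the router's table, or arriving from an outside global address the router has no mapping for, is dropped rather than forwarded.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Datagram:
    """Only the two header fields that NAT rewrites matter here."""
    src: str
    dst: str


class TwiceNatRouter:
    """Toy twice-NAT router: rewrites both addresses in each direction."""

    def __init__(self, inside_global_pool: List[str],
                 outside_map: Dict[str, Tuple[str, str]]) -> None:
        # Pool of inside global (public) addresses, e.g. 194.54.21.1 - .20.
        self.pool = list(inside_global_pool)
        # Regular NAT binding table: inside local -> inside global.
        self.inside_bindings: Dict[str, str] = {}
        # hostname -> (outside local stand-in, outside global real address).
        self.outside_map = dict(outside_map)
        self.outside_local_to_global = {ol: og for ol, og in outside_map.values()}
        self.outside_global_to_local = {og: ol for ol, og in outside_map.values()}

    # DNS intercept (the three bulleted steps in the text)
    def resolve(self, hostname: str) -> str:
        """Answer an intercepted DNS query with the stand-in (outside local) address."""
        try:
            return self.outside_map[hostname][0]
        except KeyError:
            raise KeyError(f"no twice-NAT mapping for {hostname}") from None

    def bind(self, inside_local: str, inside_global: Optional[str] = None) -> str:
        """Bind an inside local address to a free pool address (lowest free if unspecified)."""
        if inside_local in self.inside_bindings:
            return self.inside_bindings[inside_local]
        free = [a for a in self.pool if a not in self.inside_bindings.values()]
        if not free:
            raise RuntimeError("inside global pool exhausted")
        if inside_global is None:
            inside_global = free[0]
        elif inside_global not in free:
            raise ValueError(f"{inside_global} is not a free pool address")
        self.inside_bindings[inside_local] = inside_global
        return inside_global

    # Table 77, step 2
    def outbound(self, dg: Datagram) -> Datagram:
        """Inside local -> inside global and outside local -> outside global."""
        if dg.dst not in self.outside_local_to_global:
            # The client must use the stand-in it got from DNS; a destination
            # such as 18.1.2.3 used directly has no mapping and is refused.
            raise ValueError(f"no outside-local mapping for {dg.dst}")
        return Datagram(self.bind(dg.src), self.outside_local_to_global[dg.dst])

    # Table 77, step 4
    def inbound(self, dg: Datagram) -> Optional[Datagram]:
        """Outside global -> outside local and inside global -> inside local.

        Returns None (drop) when the destination has no binding or the source
        has no outside mapping: the implicit filtering a stateful NAT provides.
        """
        inside_local = next(
            (il for il, ig in self.inside_bindings.items() if ig == dg.dst), None)
        outside_local = self.outside_global_to_local.get(dg.src)
        if inside_local is None or outside_local is None:
            return None
        return Datagram(outside_local, inside_local)


def walk_through() -> List[Datagram]:
    """Reproduce the four table rows with the page's example addresses."""
    router = TwiceNatRouter(
        inside_global_pool=[f"194.54.21.{i}" for i in range(1, 21)],
        outside_map={"www.twicenat.mit.edu": ("172.16.44.55", "18.1.2.3")},
    )
    client = "18.0.0.18"
    # The text has the router choose .12 for this exchange; bind it explicitly.
    router.bind(client, "194.54.21.12")
    stand_in = router.resolve("www.twicenat.mit.edu")  # 172.16.44.55
    step1 = Datagram(client, stand_in)                  # inside local -> outside local
    step2 = router.outbound(step1)                      # inside global -> outside global
    step3 = Datagram(step2.dst, step2.src)              # server replies to inside global
    step4 = router.inbound(step3)                       # outside local -> inside local
    assert step4 is not None
    return [step1, step2, step3, step4]


if __name__ == "__main__":
    for n, dg in enumerate(walk_through(), 1):
        print(f"step {n}: {dg.src} -> {dg.dst}")
```

Running the block prints the source and destination of each of the four datagrams in Table 77. Note that the router keeps two independent tables, one for inside bindings and one for outside stand-ins, which is why the outside local and outside global addresses can differ here while the inside binding behaves exactly as in regular NAT.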
The TCP/IP Guide (http://www.TCPIPGuide.com)
Version 3.0 - Version Date: September 20, 2005
© Copyright 2001-2005 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.