Specifications

8.3.3 Static
It is also possible to assign the IP address manually. The Multitech DHCP server is configured to issue
addresses from the 192.168.2.2-100 range with a subnet mask of 255.255.255.0. Since all the addresses
must be in the same subnet, static addresses can be assigned in the range 192.168.2.101-254 without
interfering with DHCP while still residing in the same subnet.
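The split between the DHCP pool and the static range described above, as an added example (not from the original manual or from Multitech): it takes the two ranges stated on the page, classifies a candidate host address, and confirms that both ranges sit inside the subnet and do not overlap, so a statically addressed host can never collide with a lease. Treating 192.168.2.1 as "reserved" is this example's own choice, since the page puts it in neither range.

```python
import ipaddress

# Values stated on the page: 192.168.2.0/24, DHCP pool .2-.100, static range .101-.254
LAN = ipaddress.ip_network("192.168.2.0/255.255.255.0")
DHCP_FIRST, DHCP_LAST = ipaddress.ip_address("192.168.2.2"), ipaddress.ip_address("192.168.2.100")
STATIC_FIRST, STATIC_LAST = ipaddress.ip_address("192.168.2.101"), ipaddress.ip_address("192.168.2.254")


def in_range(ip, first, last):
    """Inclusive range test on IPv4Address objects."""
    return first <= ip <= last


def classify(addr):
    """Return 'dhcp', 'static', 'reserved' or 'foreign' for a candidate host address.

    'foreign' means the address is not on this subnet at all, so a host configured
    with it could not talk to the LAN regardless of how it was assigned.
    """
    ip = ipaddress.ip_address(addr)
    if ip not in LAN:
        return "foreign"
    if ip in (LAN.network_address, LAN.broadcast_address):
        return "reserved"
    if in_range(ip, DHCP_FIRST, DHCP_LAST):
        return "dhcp"
    if in_range(ip, STATIC_FIRST, STATIC_LAST):
        return "static"
    # 192.168.2.1 falls here: in neither range on the page, so this example reserves it
    return "reserved"


def pools_are_consistent():
    """True when both ranges lie inside the subnet and do not overlap."""
    inside = all(ip in LAN for ip in (DHCP_FIRST, DHCP_LAST, STATIC_FIRST, STATIC_LAST))
    disjoint = DHCP_LAST < STATIC_FIRST or STATIC_LAST < DHCP_FIRST
    return inside and disjoint


if __name__ == "__main__":
    for a in ("192.168.2.50", "192.168.2.150", "192.168.2.1", "192.168.2.255", "192.168.3.5"):
        print(a, classify(a))
    print("pools consistent:", pools_are_consistent())
```

The same check applies unchanged if the router's pool is later resized: only the four boundary constants move, and `pools_are_consistent()` tells you whether the new static range still avoids the lease pool.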
8.4 NAT -- Sharing a Single Internet Connection
The LAN cannot simply be “plugged in” to the Internet. The IP addresses used on the LAN are forbidden
on the Internet, and the ISP only provides a single IP address. Network Address Translation (NAT)
provides a mechanism to translate addresses on one side to addresses on the other. When NAT is combined
with private IP addresses, a LAN with an unlimited number of local addresses can be created and mapped
to a single public address.
Intra-LAN communication proceeds normally; NAT is not required. When a request cannot be serviced
locally it is passed to the NAT router. The router rewrites the source address and port number to match the
public address issued by the ISP and sends the packet on its way. When the reply comes back, the router
converts the destination address and port number back to those of the original device and forwards it to the
LAN. The NAT router keeps track of a large number of sessions, so multiple devices can share the same
public address.
NAT offers many of the advantages of using a proxy with the benefit that it is transparent to most
applications. For more information see RFC 1631, The IP Network Address Translator (NAT).
8.4.1 Limitations of NAT
As useful as NAT is, it is also controversial. It breaks the end-to-end addressing paradigm of the Internet.
The NAT device is required to maintain state information, and if it fails, that state cannot be recovered. NAT
also interferes with server functions and with most types of VPN.
When NAT was first developed it was assumed that the private address pool was truly private and that no one
but the administrator cared about the assignment. Today, in the age of VPNs, these internal addresses ARE
being exposed. If a telecommuter’s LAN and the office network both use private addresses, the ranges may
overlap. In the simple case this is not a problem: the home user simply moves their LAN to a different group
of private addresses. But what happens if the home LAN must support two telecommuters? This requires
coordinating two corporate LANs and the SOHO LAN, and the conflict may not be resolvable if both
corporate networks use the same address block.
By design, NAT blocks all remotely originated traffic. It functions as a de facto firewall because NAT does
not know how to route traffic that originates outside the LAN. This is often touted as a major security
benefit, but it causes problems if one wants to run a server. Single-IP NAT makes it impossible to run
multiple servers that use the same well-known port. NAT routers provide a mechanism to map local servers
to the public IP address. However, since only a single external IP address exists, incoming requests on a
well-known port can at most be mapped to a single physical device. For example, the router can be
configured to map all TCP port 80 requests to one server. As far as the remote user is concerned they are
accessing the server via the public address of the network. The problem occurs if a second server needs to
be reached. Since port 80 is already mapped, it cannot be used again. It is trivial to select a different port;
however, unless remote users are informed of the non-standard port they will be unable to access the
second server.
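The translation and session tracking described in 8.4, and the port-mapping limitation described just above, as an added example that is not part of the original manual or of any Multitech firmware: a small port-translating NAT model. Outbound packets get the public address and a tracked port, replies are mapped back to the originating device, unsolicited inbound packets with no matching state are dropped, and a single well-known port can be forwarded to only one internal host. The public address 203.0.113.7, the remote server 198.51.100.10, the LAN hosts and the starting translated port 40000 are constructed sample values. Requiring a reply to come from the same remote endpoint the session was opened to is this example's own choice; the page does not say how strictly a given router checks that.

```python
from dataclasses import dataclass

PUBLIC_IP = "203.0.113.7"      # constructed ISP-issued address (documentation range)
EPHEMERAL_START = 40000        # constructed: first translated source port the router hands out


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class NatRouter:
    """Single-public-address NAT: one translated port per (device, destination) session."""

    def __init__(self, public_ip=PUBLIC_IP):
        self.public_ip = public_ip
        self.next_port = EPHEMERAL_START
        # (proto, public_port) -> (private_ip, private_port, remote_ip, remote_port)
        self.sessions = {}
        # (proto, private_ip, private_port, remote_ip, remote_port) -> public_port
        self.reverse = {}
        # (proto, public_port) -> (private_ip, private_port): the "map a local server" feature
        self.forwards = {}

    def outbound(self, pkt):
        """LAN -> Internet: rewrite the source to the public address and a tracked port."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.reverse:
            port = self.next_port
            self.next_port += 1
            self.reverse[key] = port
            self.sessions[(pkt.proto, port)] = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return Packet(self.public_ip, self.reverse[key], pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt):
        """Internet -> LAN: deliver replies to tracked sessions or explicitly forwarded ports.

        Anything else has no state to route by and is dropped (returns None); this is
        the behaviour the text calls a de facto firewall.
        """
        sess = self.sessions.get((pkt.proto, pkt.dst_port))
        if sess and sess[2:] == (pkt.src_ip, pkt.src_port):
            private_ip, private_port = sess[0], sess[1]
            return Packet(pkt.src_ip, pkt.src_port, private_ip, private_port, pkt.proto)
        fwd = self.forwards.get((pkt.proto, pkt.dst_port))
        if fwd:
            return Packet(pkt.src_ip, pkt.src_port, fwd[0], fwd[1], pkt.proto)
        return None

    def forward_port(self, public_port, private_ip, private_port, proto="tcp"):
        """Map one public port to one internal server.

        With a single public address the same well-known port cannot serve a second
        host, so a duplicate mapping is refused rather than silently replaced.
        """
        key = (proto, public_port)
        if key in self.forwards:
            raise ValueError(f"{proto}/{public_port} is already mapped to {self.forwards[key][0]}")
        self.forwards[key] = (private_ip, private_port)


if __name__ == "__main__":
    r = NatRouter()
    out = r.outbound(Packet("192.168.2.150", 51000, "198.51.100.10", 80))
    print("outbound rewritten to", out.src_ip, out.src_port)
    back = r.inbound(Packet("198.51.100.10", 80, PUBLIC_IP, out.src_port))
    print("reply delivered to", back.dst_ip, back.dst_port)
    print("unsolicited packet:", r.inbound(Packet("198.51.100.10", 80, PUBLIC_IP, 40999)))
    r.forward_port(80, "192.168.2.200", 80)
    try:
        r.forward_port(80, "192.168.2.201", 80)
    except ValueError as e:
        print("second server refused:", e)
```

The workaround the text mentions, putting the second server on a non-standard public port, is just `forward_port(8080, "192.168.2.201", 80)`: it works, but only for users who have been told to use port 8080.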
This is not to discourage the use of NAT; it is a very powerful technique. But NAT should be seen for what it
is, a short-term workaround to minimize the impact of the IP address shortage, not a permanent extension to
Internet technology.
For more information see RFC 2993, Architectural Implications of NAT.