Virtual Private Networking

Previous Topic Next Topic

VPNs and Network Address Translators

A network address translator (NAT) is an IP router with the ability to translate the IP address and TCP/UDP port numbers of packets as they are forwarded. Consider the small business wanting to connect multiple computers to the Internet. It normally has to obtain a public address for each computer on the small business network. With a NAT, however, the small business does not need multiple public addresses. It can use private addresses (as documented in RFC 1597) on the small business network segment and use the NAT to map the private addresses to one or more public IP addresses as allocated by an ISP. NAT functionality is documented in RFC 1631.

For example, if a small business is using the 10.0.0.0/8 network for its private network, and has been granted the public IP address of w.x.y.z by the ISP, the NAT statically or dynamically maps all private IP addresses used on network 10.0.0.0/8 to the IP address of w.x.y.z.

For outgoing packets, the source IP address and TCP/UDP port numbers are mapped to w.x.y.z and a possibly changed TCP/UDP port number. For incoming packets, the destination IP address and TCP/UDP port numbers are mapped to the private IP address and original TCP/UDP port number.

By default, a NAT translates IP addresses and TCP/UDP ports. If the IP address and port information is only in the IP and TCP/UDP headers, the application protocol can be translated transparently, such as with HyperText Transfer Protocol (HTTP) traffic on the World Wide Web.

However, some applications and protocols store IP address or TCP/UDP port information within their own headers. FTP, for example, stores the dotted decimal representation of IP addresses in the FTP header for the FTP PORT command. If the NAT does not properly translate the IP address within the FTP header, connectivity problems can occur. In addition, some protocols do not use TCP or UDP headers but use fields in other headers to identify data streams.

When the NAT component must additionally translate and adjust the payload beyond the IP, TCP, and UDP headers, a NAT editor is required. A NAT editor properly modifies otherwise non-translatable payloads so that they can be forwarded across a NAT.

© 1985-2000 Microsoft Corporation. All rights reserved.