IP addresses and NATs
Discussion
A quick techie question for you if I may.
is a 'NAT' effectively an alias for an IP address, that is given to the outside world?
Is the idea that the NAT can be given out to XYZ Client but my organisation can then route traffic from that NAT to any other IP address that sits behind it?
i.e. so you can do whatever you like internally, but don't need to change the NAT address that the outside world sees, so to speak.
Thanks in advance
It's sort of the other way round.
Your organization will have a (or a number of) public IP addresses. The internal network will be private address space. NAT is the protocol by which traffic sent to the public address is translated to the appropriate private address. The private address ranges are 10.x.x.x and 192.168.x.x (there's another one but I forget that) for IPv4.
Without NAT we would have run out of IPv4 addresses a long time ago.
Gotcha, thanks for the swift response.
I'm currently working on a work project where there is loads of networking jargon being bandied around amongst people (including me) who don't really understand it all, but nobody wants to put their head above the parapet to say "sorry, can you just explain this in plain English please".
Our network guy likes to talk his own language and never explains things.
I will ask a few pertinent Q's now but just want to make sure I'm on the right tack.
carl_w said:
It's sort of the other way round.
Your organization will have a (or a number of) public IP addresses. The internal network will be private address space. NAT is the protocol by which traffic sent to the public address is translated to the appropriate private address. The private address ranges are 10.x.x.x and 192.168.x.x (there's another one but I forget that) for IPv4.
Without NAT we would have run out of IPv4 addresses a long time ago.
It's also worth noting that generally it's a combination of IP, port and protocol.
So you may accept traffic on your external IP if it is on port xxxx and uses the TCP protocol, and direct that to a defined internal IP on a given port.
Edit: That's a generalisation; the protocol could be one of a number, but TCP/UDP are the most common. It really helps to understand the whys and risks associated with exposing internal networks to external traffic.
Generally your infosec team at work would guide you through the process of requesting any rules.
Edited by Captain_Morgan on Thursday 20th January 15:02
Your work network will likely not be routable from the Internet; that means most of the devices on the network cannot be touched from the outside directly.
NAT provides a translation (that's the T) from those "private" IP addresses to one that exists on the Internet. A simple version of this is your router at home, a business setup will be more complex and likely be built differently.
Useful reading:
https://en.wikipedia.org/wiki/Network_address_tran...
https://en.wikipedia.org/wiki/Classful_network
Are you starting to use a service that you want to be limited to traffic coming from your corporate network, by any chance?
I have a question on this:-
I understand that when a router is handed a packet from a machine on the private side, it needs to add a port number to the outgoing packet in order that when the reply comes back from the destination (with the same port number embedded), the router can use that port number to identify which private machine to send it back to.
The problem I have is that these port numbers are, as I understand it, also used to define which application within a host needs to deal with the packet. For example, if a machine sends out a packet with a port number of 80 (the standard port for HTTP), the far end machine knows to pass it up to the HTTP application. And when the far end machine sends the response back, it has a port number of 80 to route the packet back up to the requester's HTTP application.
So it seems the port number is doing 2 things but I don't see how that can work. Are there two different port numbers, one for network routing and one for application defining?
Cheers
The source port and destination port are not related. The destination service doesn't care what the source port is, only that it was received on TCP port 80. The source port on your client will typically be a random high number somewhere below 65536.
The response doesn't go back to port 80 on the client but the high numbered source port originally used to establish the socket connection.
It's also important to remember the difference between routing and network address translation, which have been muddled somewhat by the rise of home broadband where the router is also performing network address translation in the vast majority of cases, which I think is what you mean by your question.
Edited by eltawater on Friday 11th October 20:04
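To make eltawater's point (source and destination ports are independent, and the reply comes back to the high-numbered source port) and Captain_Morgan's point (NAT state and forwarding rules are keyed on protocol, address and port together) concrete, here is an added example that models a small NAPT router in Python. It is not code from this thread or from any product; the public IP 203.0.113.5, the web server 198.51.100.7, the private hosts 192.168.1.x and the port-forward rule for TCP 8443 are all constructed values. Two private hosts deliberately pick the same ephemeral source port so you can see why the router must allocate its own public port per flow rather than reuse the client's. (For completeness, the third RFC 1918 private range carl_w couldn't recall is 172.16.0.0/12.)

```python
"""Toy NAPT ("port address translation") router, written to illustrate the thread.
Constructed example: one public IP, two private hosts, one static port-forward rule."""
from dataclasses import dataclass, replace
from itertools import count
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """The five fields a NAPT device keys on: protocol plus both address/port pairs.
    Note that src_port and dst_port are separate fields; that is the whole point."""
    proto: str      # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


Endpoint = Tuple[str, int]          # (ip, port)
FlowKey = Tuple[str, str, int]      # (proto, private ip, private port)
PublicKey = Tuple[str, int]         # (proto, public port)


class NaptRouter:
    """One public IP in front of a private network, plus optional admin port-forward rules."""

    def __init__(self, public_ip: str, forwards: Optional[Dict[PublicKey, Endpoint]] = None,
                 first_public_port: int = 40000):
        self.public_ip = public_ip
        self._ports = count(first_public_port)          # pool of public ports to hand out
        self.outbound: Dict[FlowKey, int] = {}          # private flow -> public port chosen for it
        self.inbound: Dict[PublicKey, Endpoint] = {}    # reverse lookup used for replies
        self.forwards = dict(forwards or {})            # (proto, external port) -> internal endpoint

    def outbound_translate(self, pkt: Packet) -> Packet:
        """Rewrite an outgoing packet's *source* so replies arrive at the public IP.
        The destination side (e.g. port 80 on the web server) is left untouched."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        if key not in self.outbound:
            public_port = next(self._ports)
            if public_port > 65535:                     # edge case: pool exhausted
                raise RuntimeError("public port pool exhausted")
            self.outbound[key] = public_port
            self.inbound[(pkt.proto, public_port)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.public_ip, src_port=self.outbound[key])

    def inbound_translate(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite an incoming packet's *destination* back to the private host.
        Returns None when the packet is dropped: no host asked for it and no rule allows it."""
        if pkt.dst_ip != self.public_ip:
            return None
        key = (pkt.proto, pkt.dst_port)
        target = self.inbound.get(key) or self.forwards.get(key)
        if target is None:
            return None
        private_ip, private_port = target
        return replace(pkt, dst_ip=private_ip, dst_port=private_port)


def walkthrough() -> dict:
    """Constructed scenario: both hosts use ephemeral port 51000 to reach port 80 on one server."""
    router = NaptRouter("203.0.113.5", forwards={("tcp", 8443): ("192.168.1.20", 443)})
    web_server, outside_client = "198.51.100.7", "198.51.100.9"

    a_out = router.outbound_translate(Packet("tcp", "192.168.1.10", 51000, web_server, 80))
    b_out = router.outbound_translate(Packet("tcp", "192.168.1.11", 51000, web_server, 80))

    # The server replies from its own port 80 to whatever public port it saw as the source.
    a_reply = router.inbound_translate(Packet("tcp", web_server, 80, router.public_ip, a_out.src_port))
    b_reply = router.inbound_translate(Packet("tcp", web_server, 80, router.public_ip, b_out.src_port))

    # Unsolicited traffic is dropped; the forward rule matches only its exact protocol and port.
    unsolicited = router.inbound_translate(Packet("tcp", outside_client, 33000, router.public_ip, 22))
    forwarded = router.inbound_translate(Packet("tcp", outside_client, 33000, router.public_ip, 8443))
    wrong_proto = router.inbound_translate(Packet("udp", outside_client, 33000, router.public_ip, 8443))

    return {"a_out": a_out, "b_out": b_out, "a_reply": a_reply, "b_reply": b_reply,
            "unsolicited": unsolicited, "forwarded": forwarded, "wrong_proto": wrong_proto}


if __name__ == "__main__":
    for name, pkt in walkthrough().items():
        print(f"{name:>11}: {pkt}")
```

Running it shows host A's request leaving as 203.0.113.5:40000 and host B's as 203.0.113.5:40001, both still addressed to port 80; the two replies land back on 192.168.1.10:51000 and 192.168.1.11:51000 respectively, while the stray packet to port 22 and the UDP packet to 8443 are dropped because no state or rule matches that protocol/port pair.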
eltawater said:
The source port and destination port are not related. The destination service doesn't care what the source port is, only that it was received on tcp port 80. The source port on your client will typically be a random high number somewhere below 65536.
The response doesn't go back to port 80 on the client but the high numbered source port originally used to establish the socket connection.
It's also important to remember the difference between routing and network address translation, which have been muddled somewhat by the rise of home broadband where the router is also performing network address translation in the vast majority of cases, which I think is what you mean by your question.
Ahhh, thank you so much, that has made the penny drop. I just couldn't piece it together. There's a source AND destination port for each message in each direction of course. Wow, I've been Googling this all day and you have solved it for me in 5 lines, cheers for that.