More Important Points on NAT
The following are some additional notes on NAT of which you should be aware:
• If no available addresses exist in the NAT pool because all are in use, NAT is not able to support any more translations. In this situation, the router drops all packets it cannot translate and sends an Internet Control Message Protocol (ICMP) "Host Unreachable" message back to the privately addressed host. To remedy this, you can try one or more of the following measures:
— Use the overload option.
— Increase the size of the NAT pool.
— Decrease the NAT timers so addresses are returned to the pool more often.
• Privately addressed hosts and publicly addressed hosts can coexist in your network, and you can configure the router to translate addresses for the privately addressed hosts only.
• NAT is not restricted to translating RFC 1918 private addresses. It can also be used to translate IP addresses that were deployed "illegally"—that is, public addresses that are used within an organization but the organization is not the registered owner of those addresses. This might have been done at a time when the organization had never planned to connect to the Internet and probably before reserved private addresses were defined by RFC 1918 in 1996.
• Your organization has the responsibility to filter privately addressed routes so they don't get advertised to the Internet by your routing protocols. Route filtering is covered in Chapter 3.
• If you are translating many concurrent hosts and find NAT causes too much load on your router, you might investigate using dedicated NAT hardware such as Cisco's PIX firewall.
• NAT hides the identity of the internal hosts for which it is translating; therefore, it enhances security to a degree. This in no way substitutes for the security of a full-featured firewall, but it can be a favorable by-product of NAT.
• RFC 1631 also describes NAT.
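As an added illustration of the first point (pool exhaustion and its remedies), here is a small Python model of a dynamic NAT pool; it is constructed for this page and is not Cisco IOS code or configuration. The inside hosts and the public pool are constructed sample addresses, and the timer and port-allocation logic is simplified to show only the behaviour the notes describe.

```python
from dataclasses import dataclass, field

ICMP_HOST_UNREACHABLE = "ICMP Host Unreachable"   # what the router returns when it drops the packet


@dataclass
class NatPool:
    """Constructed model of a dynamic NAT pool (hypothetical, not IOS code)."""
    addresses: list                 # public addresses in the pool
    overload: bool = False          # True = PAT: many inside hosts share one address, split by port
    timeout: int = 86400            # idle seconds before a translation is released (24h, a common default)
    table: dict = field(default_factory=dict)   # key -> (public_ip, public_port, last_used)
    _next_port: int = 1024

    def _expire(self, now):
        # Idle translations hand their address back to the pool after `timeout` seconds.
        self.table = {k: v for k, v in self.table.items() if now - v[2] < self.timeout}

    def translate(self, inside_ip, inside_port, now):
        """Return (public_ip, public_port) for an outbound packet, or ICMP_HOST_UNREACHABLE if it is dropped."""
        self._expire(now)
        key = (inside_ip, inside_port) if self.overload else inside_ip
        if key in self.table:
            pub_ip, pub_port, _ = self.table[key]          # existing translation, refresh its timer
        elif self.overload:
            pub_ip, pub_port = self.addresses[0], self._next_port   # one address, unique port per flow
            self._next_port += 1
        else:
            in_use = {v[0] for v in self.table.values()}
            free = [a for a in self.addresses if a not in in_use]
            if not free:
                return ICMP_HOST_UNREACHABLE               # pool exhausted: packet dropped
            pub_ip, pub_port = free[0], inside_port        # one public address per inside host
        self.table[key] = (pub_ip, pub_port, now)
        return (pub_ip, pub_port)


def demo():
    """Three inside hosts, two-address pool: plain dynamic NAT, overload, and a shorter timer."""
    hosts = ["10.0.0.1", "10.0.0.2", "10.0.0.3"]       # constructed RFC 1918 hosts
    pool = ["203.0.113.1", "203.0.113.2"]              # constructed public pool (TEST-NET-3)
    plain = NatPool(pool.copy())
    plain_results = [plain.translate(h, 40000, now=0) for h in hosts]   # third host is dropped
    pat = NatPool(pool.copy(), overload=True)
    pat_results = [pat.translate(h, 40000, now=0) for h in hosts]       # all three translated
    short = NatPool(pool.copy(), timeout=60)
    short.translate(hosts[0], 40000, now=0)
    short.translate(hosts[1], 40000, now=0)
    short_result = short.translate(hosts[2], 40000, now=120)            # first two idle > 60s, freed
    return plain_results, pat_results, short_result
```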