> I distinguish 3 types of NAT (Cisco, for one, supports all of these):
>
> 1. Static NAT
>
I refer to this as 1:1 NAT (or n:n NAT). This implementation has all the
application-level protocol problems (such as IP addresses and ports embedded
in application protocol data), but doesn't require connections to be
initiated on the 'hidden' side, so protocols like X-Windows work.
> 2. Dynamic NAT
>
Basically static NAT for a larger pool of machines than addresses are
available for, so NAT is performed as requested. The difference from static
NAT, as you say, is that 'connections' must be initiated from the side with
the larger number of addresses. Since this method of NAT is so uncommon, I
don't think you'll see people talking about it very often.
> 3. PAT (port address translation)
>
This is what we're talking about most of the time when we say NAT. I like to
call it 'n:1 NAT', since n IP addresses are NATed to 1. It is also the type
of NAT that Linux folks talk about, since IP Masquerading is n:1 NAT (though
it should be possible to perform (static) n:m NAT on a Linux box by using IP
aliasing and masquerading based on TCP/IP header information).
> And there are certainly other types of NAT in use which are some
> combination of those listed above. A typical example is where all inbound
> traffic to port 25 is statically mapped to a single internal address. This
> acts like static NAT for that particular port (while all the other traffic
> may be using PAT).
>
I refer to that as 'port forwarding'.
> It would be helpful if those discussing NAT make clear what type of
> translation they are intending. It usually makes a substantial
> difference.
>
I believe that we have been discussing PAT so far. Ben Nagy has more of a
Cisco background, mouss is a BSD/ipfilter guy and my NAT experience stems
mainly from Linux. I think we're trying to remain general in our
argumentation, though, and not focus on specific products and their
implementations.
Cheers,
Tobias
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
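The three translation flavours the thread distinguishes (static 1:1 NAT, n:1 PAT/masquerading, and the port-forwarding special case) are easiest to compare as a small translation-table model. The following Python is an added illustration, not code from any poster or product; the class names, the port-allocation scheme starting at 10000, and the RFC 1918 / RFC 5737 addresses are all constructed for the example. It shows why a static mapping accepts connections from either side, why PAT only delivers inbound packets that match an entry created by an earlier outbound packet (or a statically forwarded port), and why an address carried inside application data survives translation untouched.

```python
"""Toy model of the NAT flavours discussed above (constructed example)."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Flow = Tuple[str, int, str, int]  # (src_ip, src_port, dst_ip, dst_port)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str = ""  # application data; the translator never looks at it


class StaticNat:
    """1:1 (n:n) NAT: a fixed inside<->outside address mapping.  Stateless, so a
    connection may be opened from either side (the X-Windows case)."""

    def __init__(self, mapping: Dict[str, str]) -> None:
        self.in_to_out = dict(mapping)
        self.out_to_in = {outer: inner for inner, outer in mapping.items()}

    def outbound(self, p: Packet) -> Optional[Packet]:
        outer = self.in_to_out.get(p.src_ip)
        if outer is None:
            return None
        return Packet(outer, p.src_port, p.dst_ip, p.dst_port, p.payload)

    def inbound(self, p: Packet) -> Optional[Packet]:
        inner = self.out_to_in.get(p.dst_ip)
        if inner is None:
            return None
        return Packet(p.src_ip, p.src_port, inner, p.dst_port, p.payload)


class Pat:
    """n:1 NAT (PAT / IP masquerading): many inside hosts share one outside
    address.  Each outbound flow gets its own outside source port and a table
    entry; an inbound packet is delivered only if it matches an entry or a
    statically forwarded port (the 'port forwarding' case from the thread)."""

    def __init__(self, public_ip: str,
                 forwards: Optional[Dict[int, Tuple[str, int]]] = None,
                 first_port: int = 10000) -> None:
        self.public_ip = public_ip
        self.forwards = dict(forwards or {})  # outside port -> (inside ip, inside port)
        self.next_port = first_port           # constructed allocation scheme
        self.out_map: Dict[Flow, int] = {}    # inside flow -> allocated outside port
        # (our outside port, peer ip, peer port) -> (inside ip, inside port)
        self.in_map: Dict[Tuple[int, str, int], Tuple[str, int]] = {}

    def outbound(self, p: Packet) -> Packet:
        flow = (p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        port = self.out_map.get(flow)
        if port is None:  # first packet of this flow: allocate an outside port
            port = self.next_port
            self.next_port += 1
            self.out_map[flow] = port
            self.in_map[(port, p.dst_ip, p.dst_port)] = (p.src_ip, p.src_port)
        return Packet(self.public_ip, port, p.dst_ip, p.dst_port, p.payload)

    def inbound(self, p: Packet) -> Optional[Packet]:
        if p.dst_ip != self.public_ip:
            return None
        hit = self.in_map.get((p.dst_port, p.src_ip, p.src_port))
        if hit is None:
            hit = self.forwards.get(p.dst_port)  # e.g. port 25 mapped to the mail host
        if hit is None:
            return None  # unsolicited: no inside host to deliver to
        inner_ip, inner_port = hit
        return Packet(p.src_ip, p.src_port, inner_ip, inner_port, p.payload)


def demo() -> Dict[str, object]:
    """Run the PAT cases on constructed RFC 1918 / RFC 5737 addresses."""
    pat = Pat("198.51.100.1", forwards={25: ("192.168.1.20", 25)})
    # two inside hosts use the same source port towards the same server
    a = pat.outbound(Packet("192.168.1.10", 40000, "203.0.113.5", 80))
    b = pat.outbound(Packet("192.168.1.11", 40000, "203.0.113.5", 80))
    reply_b = pat.inbound(Packet("203.0.113.5", 80, "198.51.100.1", b.src_port))
    unsolicited = pat.inbound(Packet("203.0.113.5", 4444, "198.51.100.1", 6000))
    smtp = pat.inbound(Packet("203.0.113.9", 5555, "198.51.100.1", 25))
    # the application-level problem: an inside address carried in the payload
    # leaves unchanged unless an application-aware helper rewrites it
    ftp = pat.outbound(Packet("192.168.1.10", 40001, "203.0.113.5", 21,
                              payload="PORT 192,168,1,10,156,64"))
    return {
        "shared_outside_ip": a.src_ip == b.src_ip,
        "distinct_outside_ports": (a.src_port, b.src_port),
        "reply_reaches_inside": (reply_b.dst_ip, reply_b.dst_port),
        "unsolicited_dropped": unsolicited is None,
        "forwarded_smtp_target": (smtp.dst_ip, smtp.dst_port),
        "payload_still_private": "192,168,1,10" in ftp.payload,
    }
```

Running `demo()` shows both inside hosts leaving as 198.51.100.1 on ports 10000 and 10001, the reply to port 10001 reaching 192.168.1.11:40000, the unsolicited packet to port 6000 being dropped, the port-25 packet landing on 192.168.1.20, and the FTP-style payload still naming the private address. A `StaticNat` instance, by contrast, translates an unsolicited inbound packet as readily as a reply.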