Network address translator

A network address translator (NAT) reassigns the IP addresses of SafeLinx Clients that connect through an MNI that is configured to use NAT. The NAT replaces the real source address of a SafeLinx Client packet with the NAT address and maps the packet to a specific port. You can use a NAT to redirect traffic through a specified subnetwork that is represented by an MNI.

NAT enables the SafeLinx Server to act as an agent between a public network and a private network. Based on RFC 1631, NAT enables the use of IP addresses in a stub domain regardless of whether the addresses are duplicated in other stub domains. In stub domains, such as in corporate networks that route traffic between internal nodes only, most IP addresses do not have to be globally unique. Rather, a single, unique IP address can represent an entire group of computers to the Internet.

A NAT defines a range of unique IP source addresses, and randomly assigns each originating packet to a port number (1024 - 65535). The NAT keeps the mapping of the packet to the port number in a translation table for the duration of a TCP session, or until the inactivity timeout for the TCP session or UDP connection expires.

When you create a NAT, you specify:
  • A descriptive name
  • The IP addresses that identify the NAT address. When more than one address is specified, the IP addresses are assigned in a continuously repeating round-robin fashion.
  • The number of minutes of inactivity after which a TCP or UDP session times out
  • The source and destination address information that filters which packets the NAT processes. If you do not specify any source or destination addresses, the NAT applies to all traffic that connects through the MNI.
  • A packet mapping group if you want to add the NAT to a group. Make sure to create a packet mapping group first, then add the NAT to it.

Using NAT, traffic that is destined to the NAT address is routed into the MNI subnet so that the SafeLinx Server process receives it. To accomplish this routing, the SafeLinx Server adds a route to the MNI address in the routing table to forward packets that are destined to the NAT address.

To make sure that traffic is routed to the workstation where the SafeLinx Server is installed, the SafeLinx Server binds to a network adapter. The SafeLinx Server then uses address resolution protocol (ARP) if necessary. It is not necessary for you to run an ARP command to associate the NAT address with the MAC address of the workstation. NAT addresses need to be routable in the same physical subnetwork as the network adapter. If not, then your network router needs to be configured to accept this traffic.

For example, a SafeLinx Client makes an HTTP request for a web page:
  • SafeLinx Client IP address = 34.34.130.3
  • NAT using single IP address = 48.48.130.9
  • HTTP server IP address = 129.42.16.99

The HTTP request packet from the SafeLinx Client has a source address and port pair of 34.34.130.3@32771 and a destination address and port pair of 129.42.16.99@80. When the packet reaches the NAT, the NAT reassigns the source address to its own IP address and assigns a random port number. The NAT sends the packet to the HTTP server with a source address and port pair of 48.48.130.9@6022. The destination address and port pair remains 129.42.16.99@80. When the web page is retrieved, the HTTP server responds with a packet that has a source address and port pair of 129.42.16.99@80. The destination address and port pair from the HTTP server is 48.48.130.9@6022. The NAT receives the packet and maps the destination address and port back to the SafeLinx Client at 34.34.130.3@32771.
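The outbound rewrite, the reverse lookup on the reply, the round-robin address pool and the inactivity timeout described above, modelled as an added Python example (this is not SafeLinx code). It assumes the caller supplies the current time in seconds, the timeout is given in minutes as in the NAT definition, and the port chooser is injectable so that the 48.48.130.9@6022 mapping of the example can be reproduced.

```python
import random
from dataclasses import dataclass


@dataclass
class Mapping:
    client: tuple       # (client_ip, client_port) as the SafeLinx Client sent it
    dest: tuple         # (server_ip, server_port) the client is talking to
    last_seen: float    # time of the last packet, used for the inactivity timeout


class Nat:
    def __init__(self, addresses, timeout_minutes, rng=None):
        self.addresses = list(addresses)   # pool handed out to new flows round-robin
        self._next = 0
        self.timeout = timeout_minutes * 60
        self.rng = rng or random.Random()  # injectable so a test can fix the port choice
        self.table = {}                    # (nat_ip, nat_port) -> Mapping

    def _expire(self, now):
        stale = [k for k, m in self.table.items() if now - m.last_seen > self.timeout]
        for k in stale:
            del self.table[k]

    def outbound(self, src, dst, now):
        """Client -> server: rewrite src to (nat_ip, port) and record the mapping."""
        self._expire(now)
        for key, m in self.table.items():  # an existing flow keeps its NAT port
            if m.client == src and m.dest == dst:
                m.last_seen = now
                return key, dst
        nat_ip = self.addresses[self._next % len(self.addresses)]
        self._next += 1
        while True:                        # random port in 1024-65535 not already in use
            key = (nat_ip, self.rng.randint(1024, 65535))
            if key not in self.table:
                break
        self.table[key] = Mapping(src, dst, now)
        return key, dst

    def inbound(self, src, dst, now):
        """Server -> client: look up the NAT address/port and restore the client address."""
        self._expire(now)
        m = self.table.get(dst)
        if m is None or m.dest != src:     # unknown mapping, or a host the client never contacted
            return None
        m.last_seen = now
        return src, m.client
```

A reply from a host other than the one the client contacted, or one that arrives after the timeout, finds no mapping and is dropped rather than forwarded into the MNI subnet.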