Masquerade (hide) NAT
Masquerade (hide) network address translation (NAT)
enables you the actual address of a personal computer private. NAT routes traffic from your personal computer to your system, which essentially makes the system the gateway for your personal computer.
Masquerade NAT allows you to translate multiple IP addresses to another single IP address. You can use masquerade NAT to hide one or more IP addresses on your internal network behind an IP address that you want to make public. This public address is the address to which the private addresses are translated and has to be a defined interface on your system. To be a defined interface, define the public address as a BORDER address.
Hiding multiple addresses
To hide multiple addresses, you specify a range of addresses that NAT should translate through the system. Here is the general process:
- The translated IP address replaces the source IP address. This occurs in the IP header of the IP packet.
- The IP source port number (if there is one) in a Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) header is replaced with a temporary port number.
- An existing conversation is the relationship between the new IP source address and port number.
- This existing conversation enables your NAT server to untranslate IP datagrams from the outside system.
When you use masquerade NAT, an internal system initiates traffic. When this happens, NAT translates the IP packet as it passes through the NAT server. Masquerade NAT is a great choice because external hosts cannot initiate traffic into your network. As a result, your network gains additional protection from an outside attack. Also, you only need to purchase a single public IP address for multiple internal users.
The following list highlights the features of masquerade NAT:
- Private IP address or range of IP addresses are bound behind a public IP address on the NAT workstation.
- Masquerade NAT can only be initiated by the internal network.
- Port numbers are associated with random port numbers. This means that both the address and the port number are hidden from the Internet.
- The registered address on the NAT workstation is a usable interface outside of NAT.
If parameters are not set to fit your environment,
the address translation might not function as expected. For example, the IP addresses in the packets are not translated or the packets might be discarded.
However, it will not cause any hardware or system damage. If you want to adjust the values of the parameters, consider the following items:
- You must set MAXCON high enough to accommodate the number of conversations you want to use. For example, if you are using File Transfer Protocol (FTP),
your personal computer will have two conversations active. In this case, you need to set MAXCON high enough to accommodate multiple conversations for each personal computer. You need to decide how many concurrent conversations you want to allow in your network. The default value is 128.
- You must have TIMEOUT (a HIDE rule statement) set high enough to allow enough time for conversations between personal computers and server.
For Hide NAT to occur properly, there must be an internal conversation in progress. The timeout value tells the code how long to wait for a reply to this internal conversation. The default value is 16.
- Masquerade NAT supports only the following protocols: TCP,
User Datagram Protocol (UDP), and Internet Control Message Protocol (ICMP).
- Whenever you use NAT, enable IP forwarding. Use the Change TCP/IP Attributes (CHGTCPA) command to verify that you set IP datagram forwarding to YES.
Parent topic:
Network address translation
Related concepts
IP packet header Scenario: Hiding IP addresses using masquerade NAT