This is a new blog post in my series called Interviewing for an IT Job. If you have not read the series announcement and my previous posts, please do so.

 

Index of Related Posts:
1. Interviewing for an IT Job
2. What You Need to Know When Interviewing For a Job in IT
3. What to Expect When Going Through the Technical Interview
4. What You Should Know about Headhunters and Recruiters
5. Tips for Networking Success
6. 5 Tips for Successful Webcam Interviews
7. The Basics of Troubleshooting – Part 1 – Ping
8. The Basics of Troubleshooting – Part 2 – Traceroute
9. The Basics of Troubleshooting – Part 3 – Firewalls
10. The Basics of Troubleshooting – Part 4 – NAT
11. The Basics of Troubleshooting – Part 5 – PAT
12. The Basics of Troubleshooting – Part 6 – 1:1 NAT
13. The Basics of Troubleshooting – Part 7 – Port Forwarding

Last week I introduced you to Port Address Translation (PAT) and today we are going to talk about another type of NAT (Network Address Translation), One-to-One NAT.

What is One-to-One NAT (Network Address Translation)?

One-to-One NAT (1:1 NAT), also known as Static NAT, is a type of NAT that maps a unique public IP address to a private IP address.

So How Does One-to-One NAT Work?

Compared to PAT (Port Address Translation), One-to-One NAT is much simpler.

If you remember, PAT requires a device to start a conversation on a port number, then the firewall (or router) has to do quite a bit of work to assign a dynamic port to that device, keep track of the source and destination of the traffic and translate the packets back and forth.

When running One-to-One NAT, the firewall creates and uses a static translation table to forward traffic between the internal (private) IP address and external (public) IP address.

One-to-One NAT

The picture above illustrates how One-to-One NAT works. Notice that we have two One-to-One NAT rules in our firewall.

  • Inbound Internet traffic coming to IP address 8.1.4.21 will be forwarded to the device 192.168.1.21.
  • Inbound Internet traffic coming to IP address 8.1.4.22 will be forwarded to the device 192.168.1.22.
  • Inbound Internet traffic coming to IP address 8.1.4.20 will be forwarded to either device 192.168.1.10 or 192.168.1.11, following the address translation table created by the firewall. Traffic will only be sent to these devices if they have initiated the conversation – I will explain this better later in this article.
  • Outbound traffic to the Internet leaving from IP address 192.168.1.21 will be seen by devices on the outside as coming from the IP address 8.1.4.21.
  • Outbound traffic to the Internet leaving from IP address 192.168.1.22 will be seen by devices on the outside as coming from the IP address 8.1.4.22.
  • Outbound traffic to the Internet leaving from IP addresses 192.168.1.10 or 192.168.1.11 will be seen by devices on the outside as coming from the IP address 8.1.4.20, by using Port Address Translation (PAT), as I explained in my last article.

Important Differences Between PAT and One-to-One NAT

There are a few differences between these two types of Network Address Translations (NATs).

The most important difference is that when using One-to-One NAT the firewall creates a static address translation table that will be used to forward all traffic between the mapped public and private IP addresses. That’s why One-to-One NAT is also called Static NAT.

Also, the devices behind the firewall do not need to initiate a conversation to the Internet to be added to the address translation table.

This feature allows us to place a server behind the firewall knowing that the server will be listening on a certain port number (for example TCP 80 or 443 for web server) and the firewall will forward incoming requests to that server regardless of whether the server has initiated any traffic to the Internet or not.

On the other hand, when using Port Address Translation (PAT), devices in the local network behind the firewall must initiate traffic to the Internet before a device on the Internet can connect to them.

Remember that PAT is a dynamic type of NAT, and ports are assigned randomly by the firewall or router, which is not suitable for servers.

Using One-to-One NAT

One-to-One NAT is usually employed in situations when a server in a private IP address range needs to be accessible by users in the Internet. One-to-One NAT is widely used by corporations to host their servers behind firewalls.

Also keep in mind that when using One-to-One NAT, by definition, you are allowing traffic to be forwarded on all ports inside and out.

In practice, however, when you setup One-to-One NAT on your firewall, by default the firewall will not allow any traffic to flow between the external and internal IP addresses unless you create a specific rule to allow it.

How Do You Know If One-to-One NAT is Working?

Let’s assume that you have a web server running WordPress (10.116.200.231) that has been setup on the firewall using One-to-One NAT. The public IP address used for this rule is 6.226.239.245.

 

One-to-One NAT Rule

 

As I mentioned before, you also need to setup a firewall rule to allow the traffic to the web server.

 

One-to-One NAT Firewall Rule

 

Now that we have setup the rule, we can easily check if we have setup our One-to-One NAT rules correctly and if the website can be reached from the outside.

First, let’s make sure we have mapped it correctly to the external IP address.

In this case, we are testing an Ubuntu server, so we are going to open a console session and type the following:

>curl checkip.dyndns.org

The response should be:

<html><head><title>Current IP Check</title></head><body>Current IP Address: 6.226.239.245</body></html>

Awesome! The response from the dyndns.org is our external IP address.

If you have a Windows server, log on at the console, open a web browser and type the URL http://checkip.dyndns.org.

The response should be:

Current IP Address: 6.226.239.245

As you can see, our One-to-One NAT is working as expected.

Don’t forget to open a browser from a computer on the Internet and test the external IP address: http://6.226.239.245.

Wrapping Up

One-to-One NAT is a type of Network Address Translation (NAT) that is used on most corporate networks. Knowing when to use this type of NAT and how to test the firewall rules are also important if you are going to work with servers.

Resource List

Below is a list of links to important concepts and information that you should be familiar with.

Local Area Network (LAN) – http://en.wikipedia.org/wiki/LAN
Wide Area Network (WAN) – http://en.wikipedia.org/wiki/Wide_area_network
Fully Qualified Domain Name (FQDN) – http://en.wikipedia.org/wiki/FQDN
Domain Name System (DNS) – http://en.wikipedia.org/wiki/DNS
Uniform Resource Locator (URL) – http://en.wikipedia.org/wiki/URL
Router – http://en.wikipedia.org/wiki/Router_(computing)
Network Switch – http://en.wikipedia.org/wiki/Network_switch
Firewall – http://en.wikipedia.org/wiki/Firewall_(computing)
Ping – http://en.wikipedia.org/wiki/Ping_(networking_utility)
Nslookup – http://en.wikipedia.org/wiki/Nslookup
Traceroute – http://en.wikipedia.org/wiki/Traceroute
Ping-of-Death – http://www.cert.org/advisories/CA-1996-26.html
Denial-of-Service (DoS) Attack – http://en.wikipedia.org/wiki/Denial-of-service_attack
Network Address Translation (NAT) – http://www.cisco.com

What’s Next?

In my next article, I am going to explain how Port Forwarding works and how to use it.

Don’t miss it!

Cheers!

Fabio.