Please Whitelist This Site?

I know everyone hates ads. But please understand that I am providing premium content for free that takes hundreds of hours of time to research and write. I don't want to go to a pay-only model like some sites, but when more and more people block ads, I end up working for free. And I have a family to support, just like you. :)

If you like The TCP/IP Guide, please consider the download version. It's priced very economically and you can read all of it in a convenient format without ads.

If you want to use this site for free, I'd be grateful if you could add the site to the whitelist for Adblock. To do so, just open the Adblock menu and select "Disable on tcpipguide.com". Or go to the Tools menu and select "Adblock Plus Preferences...". Then click "Add Filter..." at the bottom, and add this string: "@@||tcpipguide.com^$document". Then just click OK.

Thanks for your understanding!

Sincerely, Charles Kozierok
Author and Publisher, The TCP/IP Guide


NOTE: Using software to mass-download the site degrades the server and is prohibited.
If you want to read The TCP/IP Guide offline, please consider licensing it. Thank you.

The Book is Here... and Now On Sale!

Get The TCP/IP Guide for your own computer.
The TCP/IP Guide

Custom Search







Table Of Contents  The TCP/IP Guide
 9  TCP/IP Lower-Layer (Interface, Internet and Transport) Protocols (OSI Layers 2, 3 and 4)
      9  TCP/IP Internet Layer (OSI Network Layer) Protocols
           9  Internet Protocol (IP/IPv4, IPng/IPv6) and IP-Related Protocols (IP NAT, IPSec, Mobile IP)
                9  IP Network Address Translation (NAT) Protocol

Previous Topic/Section
IP NAT Port-Based ("Overloaded") Operation: Network Address Port Translation (NAPT) / Port Address Translation (PAT)
Previous Page
Pages in Current Topic/Section
12
3
Next Page
IP NAT Compatibility Issues and Special Handling Requirements
Next Topic/Section

IP NAT "Overlapping" / "Twice NAT" Operation
(Page 3 of 3)

“Overlapping” / “Twice” NAT Example

Let's try a new example. Suppose our network has been improperly numbered so that it is not in the 10.0.0.0 private block but in the 18.0.0.0 block used by MIT. A client on our private network, 18.0.0.18, wants to send a request to the server “www.twicenat.mit.edu”, which has the address 18.1.2.3 at MIT. Our client can't just make a datagram with 18.1.2.3 as the destination and send out, as the router will think it's on the local network and not route it. Instead, 18.0.0.18 uses a combination of DNS and NAT to get the outside device address as follows:

  1. The client on our local network (18.0.0.18) sends a DNS request to get the address of “www.twicenat.mit.edu”.

  2. The (Twice-NAT compatible) NAT router serving our local network intercepts this DNS request. It then consults its tables to find a special mapping for this outside device. Let's say, it is programmed to translate “www.twicenat.mit.edu” into the address 172.16.44.55. This is a private non-routable RFC 1918 address.

  3. The NAT router returns this value, 172.16.44.55 to the source client, which uses it for the destination.

Once our client has the translated address, it initiates a transaction just as before. NAT now will perform both translation of the inside devices and the outside devices as well. The outside device address must be translated because the inside device is using 172.16.44.55, which isn't a valid address for the server it is trying to reach. The inside device address must still be translated as in regular NAT because 18.0.0.18 is not a valid public address for us. It may refer to a real machine in MIT and we aren't supposed to be using it on the Internet!

Let's say that we are still using the pool of 20 inside global addresses from 194.54.21.1 through 194.54.21.20 for inside addresses, and let's further suppose the NAT router chooses 194.54.21.12 for this particular exchange. The transaction sequence would be roughly as described in Table 77, and illustrated in Figure 115.


Table 77: Operation Of “Overlapping” NAT / “Twice NAT”

Step #

Description

Datagram Type

Datagram Source Address

Datagram Destination Address

1

Inside Client Generates Request And Sends To NAT Router: Device 18.0.0.18 generates a request using the destination 172.16.44.55 that it got from the (NAT-intercepted) DNS query for “www.twicenat.mit.edu. The datagram is sent to the NAT router for the local network.

Request (from inside client to outside server)

18.0.0.18
(Inside Local)

172.16.44.55
(Outside Local)

2

NAT Router Translates Source Address And Destination Address and Sends To Outside Server: The NAT router makes two translations. First, it substitutes the 18.0.0.18 address with a publicly registered address, which is 194.54.21.12 for this example. It then translates the bogus 172.16.44.55 back to the real MIT address for “www.twicenat.mit.edu”. It routes the datagram to the outside server.

194.54.21.12
(Inside Global)

18.1.2.3
(Outside Global)

 

 

 

 

 

3

Outside Server Generates Response And Sends Back To NAT Router: The MIT server at 18.1.2.3 generates a response and sends it back to 194.54.21.12, which causes it to arrive back at the NAT router.

Response (from outside server to inside client)

18.1.2.3
(Outside Global)

194.54.21.12
(Inside Global)

4

NAT Router Translates Source Address And Destination Address And Delivers Datagram To Inside Client: The NAT router translates back the destination address to the actual address being used for our inside client, as in regular NAT. It also substitutes back in the 172.16.44.55 value it is using as a substitute for the real address of “www.twicenat.mit.edu”.

172.16.44.55
(Outside Local)

18.0.0.18
(Inside Local)



Figure 115: Operation Of “Overlapping” NAT / “Twice NAT”

This figure is very similar to Figure 112, except that the as you can see, both source and destination addresses are translated by the NAT router each time (shown in bold). Table 77 contains a complete explanation of the four steps in “overlapping” NAT. Refer to Figure 111 for an explanation of address types.

 


As you can see, in this example the outside local and outside global addresses are different, unlike in the preceding NAT examples. Twice NAT can also handle an inbound transaction, by watching for datagrams coming in from the Internet that overlap with the addresses used on the local network and doing double substitutions as required.

Key Concept: “Overlapping” NAT is used in situations where both the source and destination addresses in a datagram are private addresses or otherwise cannot be used regularly on the public Internet. In this case, unlike the other types of NAT, the NAT router translates both the source and destination addresses of incoming and outgoing datagrams. On outgoing messages, inside local addresses are changed to inside global and outside local to outside global; on incoming messages, inside global addresses are changed to inside local and outside global to outside local.



Previous Topic/Section
IP NAT Port-Based ("Overloaded") Operation: Network Address Port Translation (NAPT) / Port Address Translation (PAT)
Previous Page
Pages in Current Topic/Section
12
3
Next Page
IP NAT Compatibility Issues and Special Handling Requirements
Next Topic/Section

If you find The TCP/IP Guide useful, please consider making a small Paypal donation to help the site, using one of the buttons below. You can also donate a custom amount using the far right button (not less than $1 please, or PayPal gets most/all of your money!) In lieu of a larger donation, you may wish to consider purchasing a download license of The TCP/IP Guide. Thanks for your support!
Donate $2
Donate $5
Donate $10
Donate $20
Donate $30
Donate: $



Home - Table Of Contents - Contact Us

The TCP/IP Guide (http://www.TCPIPGuide.com)
Version 3.0 - Version Date: September 20, 2005

Copyright 2001-2005 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.