Router VS NAT

AndreL Posts: 55 Member
I know what NAT is and I know what routing is, but what's the difference?

I know NAT is more secure, acting as a firewall, and that it replaces the host IP address with its own (doesn't matter if the host IP address is private or not). It can be used with more addresses on the private side.
Same for the router, because routers also replace the private host with their own IP address for the other connected network.

So basically they both do the same thing but one does it on a broader scale.

What brought this question up is I was watching CBT Nuggets ICND 1 Implementing Static Routing,
and Jeremy has a computer connected to an ISP via a router. The question came up when he was trying to ping an internet IP address from the PC. He was successful via the router but not with the PC, which put into question the difference between a router and NAT. Because I thought he would be able to ping the Internet via the PC, since the router was able to. After that I did some searching online to confirm that the router replaces the host IP address with its own for the network it sends the packet to.

Comments

  • advanex1 Posts: 302 Member
    I guess I'm more curious in what you're asking..

    NAT works with a router to allow private IPs to be routed across a public network. A router doesn't do this on its own; either NAT or PAT is in play there. I've never heard of NAT working as a firewall as well. NAT is also a 1 for 1 exchange, meaning only 1 private IP can use 1 public IP at any given time. So if you have 20 private IPs trying to use 1 public IP at the same time, only one host will be allowed to do so. That is where PAT comes in to allow "many to one" translation, or 20 private IPs to use 1 public IP at the same time.

    Routing is the act of moving packets from one destination to another on different networks. NAT is the act of translating a private IP to a public IP to allow for the routing/communication with outside/global networks.
    Order of Certifications to come: CCNP, CCDA, CCDP

    Currently Reading: Network Warrior
  • AndreL Posts: 55 Member
    But in routing, when moving data from one network to another, in the header it replaces the host IP address and MAC with its own. Right???

    So essentially that's a feature of NAT.
  • advanex1 Posts: 302 Member
    No, routing is not a feature of NAT.

    The process of NAT converts the private to the public. It is then processed through the router and is routed out. After the NAT process the source IP and the destination IP stay the same.

    We can use the two together to accomplish many things, but it doesn't make them one and the same. I can route a packet from my router to another router and nothing involved with NAT would happen there. It would simply be me pinging from R1 to R2. If there is no middle man, the IP addresses would stay the same and they would both be global/public IPs. (Theoretically, without getting into ISPs, etc. etc.)
    Order of Certifications to come: CCNP, CCDA, CCDP

    Currently Reading: Network Warrior
  • AndreL Posts: 55 Member
    Sorry not getting it yet ...

    I understand routing is not NAT, but when the router replaces the host IP and MAC address in the header, as far as the destination is concerned, all it knows is the packet came from the router's IP address. So it has no idea that it came from the private or the host address. Am I right when I say that?
  • wrwarwick Posts: 104 Member
    If a packet passes through many routers, without NATing, the source IP address does not change. For example, when you browse the Internet from home, your IP address is NATed to your public IP, then the public IP does not change through any other routers in the path (unless it is NATed again for some reason).
  • pham0329 Posts: 556 Member
    AndreL wrote: »
    Sorry not getting it yet ...

    I understand routing is not NAT, but when the router replaces the host IP and MAC address in the header, as far as the destination is concerned, all it knows is the packet came from the router's IP address. So it has no idea that it came from the private or the host address. Am I right when I say that?

    I wouldn't say you know what routing/NAT is if you think they're the same thing.

    You have the NAT part down, but routing is the process of moving a packet from one subnet to another. Unless NAT is implemented, the router does not replace the source IP address.
  • advanex1 Posts: 302 Member
    To the previous question/post before this one, the router does not replace the IP address when it moves from network to network unless it is going through another NAT process.

    So, to clarify again since you are asking what the difference is...

    Routing is a matter of checking routing tables for a path to the destination and encapsulating the IP Packets within Layer 2 headers/trailers along the way.

    NAT is the process of simply transparently changing a private IP to a public IP or one to one exchange.

    Pham, am I really explaining this wrong? I'm double checking myself through books now, heh.
    Order of Certifications to come: CCNP, CCDA, CCDP

    Currently Reading: Network Warrior
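As an added illustration of the distinction the posts above draw (this is constructed example code, not anything from the thread, CBT Nuggets or a vendor), the script below walks one packet from a PC through a home router and an ISP router to a server and routes the reply back, once with plain routing and once with PAT enabled on the home router. Every address, MAC and DLCI is made up, and the router model is deliberately minimal: it decrements TTL and swaps the layer 2 header on every hop, leaves the IP header alone unless PAT is on, and the ISP router has no route for the private network, which is why the un-NATed reply never makes it home.

```python
"""Toy packet walk: plain routing versus NAT/PAT (constructed example)."""
from dataclasses import dataclass, replace
import random


@dataclass(frozen=True)
class Link:
    kind: str              # "ethernet" or "frame-relay": layer 2 technology on this link
    l2_header: tuple       # ("ethernet", src_mac, dst_mac) or ("frame-relay", dlci)
    outside: bool = False  # True for the public-facing link of the NAT device


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    ttl: int = 64
    l2: tuple = ()         # replaced on every hop; the IP fields above are not


class Router:
    def __init__(self, name, routes, nat_outside_ip=None, seed=0):
        self.name = name
        self.routes = routes                  # {"192.168.1": Link, ..., "default": Link}
        self.nat_outside_ip = nat_outside_ip  # set to enable PAT on the outside link
        self.xlate = {}                       # outside port -> (inside ip, inside port)
        self.log = []
        self.rng = random.Random(seed)        # deterministic port choice for the demo

    def lookup(self, dst_ip):
        # Routes are keyed by the first three octets of a /24, plus "default".
        net = dst_ip.rsplit(".", 1)[0]
        return self.routes.get(net, self.routes.get("default"))

    def forward(self, pkt, from_outside=False):
        # Inbound PAT: a reply to the outside address goes back to the inside
        # host that owns the port, or is dropped if no translation exists.
        if self.nat_outside_ip and from_outside and pkt.dst_ip == self.nat_outside_ip:
            inside = self.xlate.get(pkt.dst_port)
            if inside is None:
                self.log.append(f"{self.name}: no xlate for port {pkt.dst_port}, dropped")
                return None
            pkt = replace(pkt, dst_ip=inside[0], dst_port=inside[1])

        link = self.lookup(pkt.dst_ip)
        if link is None:
            self.log.append(f"{self.name}: no route to {pkt.dst_ip}, dropped")
            return None
        if pkt.ttl <= 1:
            self.log.append(f"{self.name}: TTL expired, dropped")
            return None

        # Outbound PAT: only the source changes, and only on the outside link.
        if self.nat_outside_ip and link.outside:
            port = self.rng.randint(49152, 65535)
            while port in self.xlate:
                port = self.rng.randint(49152, 65535)
            self.xlate[port] = (pkt.src_ip, pkt.src_port)
            self.log.append(f"{self.name}: PAT {pkt.src_ip}:{pkt.src_port} -> "
                            f"{self.nat_outside_ip}:{port}")
            pkt = replace(pkt, src_ip=self.nat_outside_ip, src_port=port)

        # Plain routing: fresh layer 2 header for the next link, TTL minus one.
        return replace(pkt, ttl=pkt.ttl - 1, l2=link.l2_header)


# Constructed topology: PC 192.168.1.10 -- R1 --(frame relay)-- R2 -- server 203.0.113.80
R1_LAN = Link("ethernet", ("ethernet", "02:00:00:00:01:01", "02:00:00:00:01:10"))
R1_WAN = Link("frame-relay", ("frame-relay", 201), outside=True)
R2_WAN = Link("frame-relay", ("frame-relay", 102))
R2_SRV = Link("ethernet", ("ethernet", "02:00:00:00:02:01", "02:00:00:00:02:80"))


def build(nat):
    r1 = Router("R1", {"192.168.1": R1_LAN, "default": R1_WAN},
                nat_outside_ip="198.51.100.7" if nat else None)
    # The ISP router knows the server network and R1's public network, but
    # has no route for private 192.168.1.0/24.
    r2 = Router("R2", {"203.0.113": R2_SRV, "198.51.100": R2_WAN})
    return r1, r2


def demo(nat):
    """Send one packet from the PC to the server and route the reply back."""
    r1, r2 = build(nat)
    hop1 = r1.forward(Packet("192.168.1.10", "203.0.113.80", 40000, 80))
    hop2 = r2.forward(hop1)
    # The server replies to whatever source address and port it saw.
    reply = Packet(hop2.dst_ip, hop2.src_ip, hop2.dst_port, hop2.src_port)
    back1 = r2.forward(reply)
    back2 = r1.forward(back1, from_outside=True) if back1 else None
    return {"hop1": hop1, "hop2": hop2, "reply_at_pc": back2, "log": r1.log + r2.log}


if __name__ == "__main__":
    for nat in (False, True):
        result = demo(nat)
        print(f"NAT={nat}: src after R2 = {result['hop2'].src_ip}, "
              f"reply reaches PC: {result['reply_at_pc'] is not None}")
        for line in result["log"]:
            print("   ", line)
```

Comparing `hop1.l2` with `hop2.l2` shows the layer 2 header is different on every link (an Ethernet MAC pair on one, a frame relay DLCI on the next), while `src_ip` stays `192.168.1.10` across both hops until PAT is switched on, at which point R2 only ever sees `198.51.100.7` and the reply is mapped back through R1's translation table.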
  • pham0329 Posts: 556 Member
    no, I think you explained it perfectly. All of us pretty much said the same thing!
  • Bl8ckr0uter Posts: 5,031 Inactive Imported Users
    NATing has nothing to do with forwarding decisions. HOWEVER, sometimes based on where something is being forwarded you have to NAT. At my place, the senior and I have had to do destination NATs where you NAT the destination and NOT the source. This is (imo) usually because of overlapping IP space.
    advanex1 wrote: »
    I guess I'm more curious in what you're asking..

    NAT works with a router to allow private IPs to be routed across a public network. A router doesn't do this on its own; either NAT or PAT is in play there. I've never heard of NAT working as a firewall as well.

    Some people think that NAT is a security feature because it hides your private IP space. It isn't. NAT doesn't give a hoot about security. Oh, and if you have a long-lasting NAT xlation out there and someone crafts a packet to the right port, what do you think they will talk to? Especially when a device doesn't follow the RFCs and happens to use some well-known ports in its xlation (I am looking at you, ASAs).
  • cisco_trooper Posts: 1,439 Member
    (I am looking at you ASAs).

    Crikey. Is there a known remediation for this? Googling now, but you clearly already know something. ;)
  • Bl8ckr0uter Posts: 5,031 Inactive Imported Users
    Crikey. Is there a known remediation for this? Googling now, but you clearly already know something. ;)

    Nope. Basically the TAC guy said you have to limit the source port that the devices try to translate from to eliminate the problem. Basically an infected host was broadcasting its subnet with traffic on port 135 and was getting xlated out to port 135. I was like, this isn't possible because it should use a random port (I actually thought it would use something like 49k-65535 since that's what BSD/Unix uses, I believe). Nope. ASAs pretty much do their own thing. I got to level 3 TAC (some CCIEs) and explained the situation. He told me ASAs don't follow the RFC. I have the answer he gave me in a thread around here. It really pissed me off. I might just dig up the email and paste it into this post.
  • cisco_trooper Posts: 1,439 Member
    Great. I love "undocumented features."
  • Bl8ckr0uter Posts: 5,031 Inactive Imported Users
    If the source port is TCP/UDP 1-511, then the PIX will PAT the SRC address to one in that range.
    If the source port is TCP/UDP 512-1023, then the PIX will PAT the SRC address to one in that range.
    If the source port is TCP/UDP 1024-65535, then the PIX will PAT the SRC address to one in that range.

    That is what the CCIE told me. Maybe my understanding of NAT wasn't that high but I always assumed that the natting device chose a random, high level port.

    So what was happening is that the infected device was sending traffic out port 135 and it just so happened to choose 135 for its xlate port. We have to keep our xlates open a little longer than the default for other reasons. It is a customer's network (they are hosting with us) so it wasn't that big of a deal and we were able to squash the issue pretty quickly, but it was pretty annoying.
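To make the port-selection point above concrete, here is a constructed example (my own code, not Cisco's, not the thread's, and not a claim about what any real ASA or PIX does beyond what the post relays from TAC). It models two PAT source-port policies: a random-ephemeral policy that always picks from 49152-65535, and a range-preserving policy that keeps the translated port in the same band as the original (1-511, 512-1023, 1024-65535), as the three lines quoted from the CCIE describe. It then audits a made-up translation table for the condition the thread is uneasy about: a translation sitting on a well-known outside port that has stayed idle longer than a threshold, so the entry is worth reviewing or timing out.

```python
"""PAT source-port policies and an xlate-table audit (constructed example)."""
import random

BANDS = ((1, 511), (512, 1023), (1024, 65535))  # range-preserving bands, as quoted in the thread
EPHEMERAL = (49152, 65535)                       # the "random high port" the poster expected
WELL_KNOWN_MAX = 1023


def allocate_port(src_port, in_use, policy, rng):
    """Pick an unused outside port for src_port under the given policy."""
    if policy == "random-ephemeral":
        lo, hi = EPHEMERAL
    elif policy == "range-preserving":
        lo, hi = next(b for b in BANDS if b[0] <= src_port <= b[1])
    else:
        raise ValueError(f"unknown policy {policy!r}")
    free = [p for p in range(lo, hi + 1) if p not in in_use]
    if not free:
        raise RuntimeError("PAT pool exhausted for this band")
    return rng.choice(free)


def well_known_rate(policy, src_port, trials=100, seed=0):
    """Fraction of fresh translations of src_port that land on a port <= 1023."""
    rng = random.Random(seed)
    hits = sum(allocate_port(src_port, set(), policy, rng) <= WELL_KNOWN_MAX
               for _ in range(trials))
    return hits / trials


# Constructed translation table: one row per active xlate. Addresses are made up.
SAMPLE_XLATES = [
    {"inside": "10.1.1.20", "inside_port": 135,   "outside_port": 135,   "idle_s": 7200},
    {"inside": "10.1.1.21", "inside_port": 51234, "outside_port": 51234, "idle_s": 30},
    {"inside": "10.1.1.22", "inside_port": 445,   "outside_port": 445,   "idle_s": 60},
    {"inside": "10.1.1.23", "inside_port": 600,   "outside_port": 700,   "idle_s": 9000},
]


def audit_xlates(xlates, idle_threshold_s):
    """Return translations on a well-known outside port that have been idle
    at least idle_threshold_s seconds. While such an entry lives, anything
    arriving on that outside port is handed to the inside host, so a long
    idle timeout and a low outside port together are what to review."""
    return [x for x in xlates
            if x["outside_port"] <= WELL_KNOWN_MAX and x["idle_s"] >= idle_threshold_s]


if __name__ == "__main__":
    for policy in ("random-ephemeral", "range-preserving"):
        print(f"{policy}: source port 135 lands on a well-known port "
              f"{well_known_rate(policy, 135):.0%} of the time")
    for row in audit_xlates(SAMPLE_XLATES, idle_threshold_s=3600):
        print("review:", row)
```

With the range-preserving policy a source port of 135 can only ever be translated to 1-511, so every translation lands below 1024, while the ephemeral policy never does; that is the whole difference the post is describing. The audit is the defender's side of it: combined with the "keep xlates open longer than default" setting mentioned above, the two flagged rows are exactly the entries that deserve a shorter timeout or the source-port restriction TAC suggested.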
  • AndreL Posts: 55 Member
    advanex1 wrote: »
    encapsulating the IP Packets within Layer 2 headers/trailers along the way.

    So when routing, the source IP address is not replaced, but the Layer 2 MAC address is, with the router's interface of the next hop; the host IP address is always there on the packet no matter where it is routed to. Only the MAC address is changed.

    NAT is when it translates both L3 and L2 of the packet making it seem like the packet originated from the NAT device.

    Apparently I knew what NAT was but was not solid on how routing worked.

    Oh yeah, this is between you and me and the entire world. Wouldn't want my future employer knowing his network admin doesn't know about routing.

    Thanks everyone for your posts.
  • wrwarwick Posts: 104 Member
    AndreL wrote: »
    So when routing, the source IP address is not replaced, but the Layer 2 MAC address is, with the router's interface of the next hop; the host IP address is always there on the packet no matter where it is routed to. Only the MAC address is changed.

    NAT is when it translates both L3 and L2 of the packet making it seem like the packet originated from the NAT device.

    Apparently I knew what NAT was but was not solid on how routing worked.

    Oh yeah, this is between you and me and the entire world. Wouldn't want my future employer knowing his network admin doesn't know about routing.

    Thanks everyone for your posts.

    This is pretty much correct, although it is important to understand that it is not always MAC addresses at layer 2. You could be crossing a frame-relay cloud and be using DLCIs, for example.
  • AndreL Posts: 55 Member
    Does the frame-relay cloud and using DLCIs change out the layer 3 address?
  • pham0329 Posts: 556 Member
    No. FR operates at layer 2; it will not touch the L3 address. What wrwarwick is saying is that MAC is not always used at L2. It is only used on an Ethernet segment.