2.6 Private IP Addresses and NAT
2.6.1 Using private addressing
This section discusses the use of private IP addresses (addresses that are not allowed on the public Internet because they are reserved for private use or already assigned elsewhere) and network address translation (NAT), the translation of one IP address into another.

Some organizations do not need to connect to the Internet, or to any other external IP network. Other organizations have hosts or networks that never need to make connections outside their own network. For example, if the arrival and departure display monitors in a large airport are individually addressable via TCP/IP, these displays most likely need not be directly accessible from other networks.

In these cases, you can use private addresses, as defined in RFC 1918, Address Allocation for Private Internets. This RFC specifies the following IP addresses as private:

  • Class A --- 10.0.0.0 to 10.255.255.255
  • Class B --- 172.16.0.0 to 172.31.255.255
  • Class C --- 192.168.0.0 to 192.168.255.255

Implementation Considerations

If you decide to use these private addresses, you do not need to coordinate them with the Internet registry because they will never be advertised to external networks. You should, however, do some planning before assigning the addresses at random. Some implementation considerations are as follows:

  • Determine which hosts do not need to have network-layer connectivity to the outside. These hosts are considered private hosts. Private hosts can communicate with all other hosts within your network, both public and private, but they cannot have direct connectivity to external hosts because their routes cannot be advertised externally.
  • Routers that connect to external networks should be set up with the appropriate packet and routing filters at both ends of the link in order to prevent the leaking of the private IP addresses. You should also filter any private networks from inbound routing information in order to prevent ambiguous routing situations that can occur if routes to the private address space point outside the network.
  • Changing a host from private to public will require changing its address, and in most cases, its physical connectivity. In locations where such changes can be foreseen, you might want to configure separate physical media for public and private subnets to make these changes easier.

Accessing the Internet Using Private Addresses

If a host configured with a private IP address needed to access the Internet or other external hosts, its IP address would need to be reconfigured, and the host device would most likely need to be moved physically to a network that used a public IP address. Reconfiguring and reconnecting an entire network, building, or corporation can be a very costly venture, both in time and resources. To avoid having to renumber all hosts, an RFC --- RFC 1631, The IP Network Address Translator (NAT) --- was defined.

A NAT router or host is placed on the border of a stub domain (an internetwork that has a single connection to the Internet --- referred to as the inside network) and a public network, such as the Internet (referred to as the outside network). The NAT router translates the internal local addresses into globally unique IP addresses before sending packets to the outside network, as shown in the main figure. NAT is also used for security reasons to hide internal IP addressing.

NAT takes advantage of the fact that relatively few hosts in a stub domain communicate outside of the domain at any given time. Because most of the hosts do not communicate outside of their stub domain, only a subset of the IP addresses in a stub domain must be translated into globally unique IP addresses when outside communication is necessary.

NAT can also be used when you need to modify your internal addresses because you change ISPs. Rather than renumber your networks, use NAT to translate the appropriate addresses.
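As an added example that is not part of the original text (and not Cisco code), the following Python models the two ideas above: an RFC 1918 check of the kind a border filter applies, and a static one-to-one NAT table that rewrites the inside local address on the way out and maps the inside global address back on the way in. The addresses 10.1.1.2, 203.0.113.5 and 198.51.100.7 are constructed sample values.

```python
import ipaddress

# The three RFC 1918 private blocks listed in the text (Class A, B and C ranges).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr):
    """True if addr falls inside one of the RFC 1918 private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


class StaticNat:
    """Static NAT on a stub-domain border: inside local -> inside global, one to one."""

    def __init__(self, mappings):
        # mappings: {inside local (private) : inside global (public)}  (sample data, constructed)
        self.to_global = {ipaddress.ip_address(local): ipaddress.ip_address(glob)
                          for local, glob in mappings.items()}
        self.to_local = {glob: local for local, glob in self.to_global.items()}

    def outbound(self, src, dst):
        """Packet leaving the inside network: translate the private source address.
        Returns (new_src, dst) or None if the host has no translation and so
        cannot reach the outside (its private address must not leak)."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if s not in self.to_global:
            return None
        return (str(self.to_global[s]), str(d))

    def inbound(self, src, dst):
        """Packet arriving from the outside: apply the border filter, then map the
        inside global destination back to the inside local address.
        Returns (src, new_dst) or None if the packet is dropped."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if is_private(s):
            return None  # private source from outside: ambiguous route, drop it
        if d not in self.to_local:
            return None  # no translation, so no path to any private host
        return (str(s), str(self.to_local[d]))


if __name__ == "__main__":
    nat = StaticNat({"10.1.1.2": "203.0.113.5"})
    print(nat.outbound("10.1.1.2", "198.51.100.7"))   # ('203.0.113.5', '198.51.100.7')
    print(nat.inbound("198.51.100.7", "203.0.113.5"))  # ('198.51.100.7', '10.1.1.2')
```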

One disadvantage of using NAT, however, concerns network management: the IP addresses in the header of an SNMP packet are translated, but the IP addresses carried in the data portion of the SNMP packet are not.

Lab Activity
  In this lab, you will learn the usage of Network Address Translation through the use of static translation.