Masquerade NAT

This topic describes how masquerade NAT works in a network.

Masquerade NAT is used to allow your private network to hide behind, as well as be represented by, the address bound to the public interface. In many situations, this is the address that has been assigned by an Internet service provider (ISP), and the address can be dynamic in the case of a Point-to-Point Protocol (PPP) connection. This type of translation can only be used for connections originating within the private network destined for the outside public network. Each outbound connection is maintained by using a different source IP port number.

Masquerade NAT allows workstations with private IP addresses to communicate with hosts on the Internet using iSeries™ server. iSeries server has an IP address assigned by the local ISP as its Internet gateway. The term locally attached machine is used to refer to all machines on an internal network regardless of the method of attachment (LAN or WAN) and regardless of the distance of the connection. The term external machines is used to refer to machines located on the Internet. The following figure illustrates how Masquerade NAT works.

To the Internet, all of your workstations appear to be contained within your iSeries server; that is, only one IP address is associated with both your iSeries server and your workstations. When a router receives a packet intended for your workstation, it attempts to determine what address on the internal LAN should receive the packet and sends it there.

Each workstation must be set up so that iSeries server is its gateway and also its default destination. The correspondence between a particular communication connection (port) and a workstation is set up when one of your workstations sends a packet to iSeries server to be sent to the Internet. The masquerade NAT function saves the port number so that when it receives responses to your workstation's packet over that connection, it can send the response to the correct workstation.

A record of active port connections and the last access time by either end of the connection is created and maintained by masquerade NAT. These records are periodically purged of all connections that are idle for a predetermined amount of time based on the assumption that an idle link is no longer in use.

All communication between your workstation and the Internet must be initiated by locally attached machines. This is an effective security firewall; the Internet knows nothing of the existence of your workstations, and it cannot broadcast those addresses to the Internet.

A key to masquerade NAT implementation is the use of logical ports, issued by masquerade NAT to distinguish between the various communication streams. TCP contains a source and a destination port number. To these designations, NAT adds a logical port number.

• Inbound masquerade NAT processing (response and other)
  This process, which is the partner of outbound masquerade NAT processing, unfolds the corresponding outbound message to get right source workstation information.
• Outbound masquerade NAT processing
  This process replaces the source port of an outbound message with a unique logical port number when the message is sent from the private LAN to the Internet.