Basic question about how NAT works

KingGheedora

Diamond Member
Jun 24, 2006
3,248
1
81
So with NAT, let's say I have two machines with web browsers on them hooked up to a router, and let's say NAT is enabled for these machines.

If machine 1 visits microsoft.com, the packet goes to the router, and the router rewrites the IP address in the packet, and sends it to microsoft.com. Then microsoft.com sends a packet back, and somehow the router knows to forward the packet to machine #1.

What if both machine #1 and #2 send requests to microsoft.com? How would the router know which packet coming back from microsoft.com goes to which machine?

Thanks,
 

Pheran

Diamond Member
Apr 26, 2001
5,740
35
91
In the case you describe, TCP port numbers make the difference. Each TCP packet not only has a source and destination IP address, but a source and destination port number. The destination port numbers on the packets from the PCs will both be 80 (http) and will not be changed, but the source port numbers are random, and the NAT router may change them. Regardless, it will keep track of which source port numbers map back to which PCs, and can separate the packets coming back based on that, since they will have source port 80 and a destination port matching whatever the router NATed the source ports to.
 

KingGheedora

Diamond Member
Jun 24, 2006
3,248
1
81
Thanks for the explanation, Pheran. Knowing that, I now would like to know what would happen in the case where you have two or more clients on your network that try to connect to a remote host that is a web server running on port 80. If the IPs for the clients on my network are NAT'ed, and the router is sending some requests out with random destination ports, wouldn't only the cases where port 80 is "randomly" used actually receive return traffic from an HTTP server behind a firewall that only allows traffic on port 80?

Although, I'm not sure how common it is for sysadmins to block all ports except 80 inbound/outbound. How common is it? I've only worked in environments where the standard practice was to lock down all ports and to explicitly define all allowed traffic in a strict manner that only allows the lowest possible amount of traffic necessary for the server to run a website on port 80.

 
Originally posted by: KingGheedora
Thanks for the explanation, Pheran. Knowing that, I now would like to know what would happen in the case where you have two or more clients on your network that try to connect to a remote host that is a web server running on port 80. If the IPs for the clients on my network are NAT'ed, and the router is sending some requests out with random destination ports, wouldn't only the cases where port 80 is "randomly" used actually receive return traffic from an HTTP server behind a firewall that only allows traffic on port 80?

Although, I'm not sure how common it is for sysadmins to block all ports except 80 inbound/outbound. How common is it? I've only worked in environments where the standard practice was to lock down all ports and to explicitly define all allowed traffic in a strict manner that only allows the lowest possible amount of traffic necessary for the server to run a website on port 80.

Originally posted by: Pheran
In the case you describe, TCP port numbers make the difference. Each TCP packet not only has a source and destination IP address, but a source and destination port number. The destination port numbers on the packets from the PCs will both be 80 (http) and will not be changed, but the source port numbers are random, and the NAT router may change them. Regardless, it will keep track of which source port numbers map back to which PCs, and can separate the packets coming back based on that, since they will have source port 80 and a destination port matching whatever the router NATed the source ports to.

When you send a "Get" request to a website (i.e. www.microsoft.com in your case) it will have the destination of: Microsoft.com (which DNS translates to an IP address) port 80. The packet will also have the source IP (i.e. PC1 or PC2), and a randomly chosen port that hasn't been used yet on the source PC.

This is a better link for NAT

Flash animation that helps with basic NAT explanation <-- doesn't show PAT (Port Address Translation, which is what Pheran is discussing), but basically add a source and destination port to the mapping and you have PAT (obviously more complex than that, but on a high-level overview that's it).

On networks where say all ports are blocked except 80 for example, the router can add unique identifiers to the packet that it maintains a table of (AFAIK).
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
wouldn't only the cases where port 80 is "randomly" used actually receive return traffic from an HTTP server behind a firewall that only allows traffic on port 80?

With TCP the destination is always the well-known port, in this case 80, but the return port is always a randomly chosen high port. And the device doing the NAT (technically PAT) maintains a table of which random high ports map to which internal IP addresses and the high port they chose.

Although, I'm not sure how common it is for sysadmins to block all ports except 80 inbound/outbound. How common is it? I've only worked in environments where the standard practice was to lock down all ports and to explicitly define all allowed traffic in a strict manner that only allows the lowest possible amount of traffic necessary for the server to run a website on port 80.

It's pretty much required for any place that wants to do reliable web filtering and monitoring.
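As an added example (not code from any poster in this thread), here is a small Python model of the PAT table that Pheran and Nothinman describe: the destination port stays 80, the router assigns each internal connection its own public source port, and replies are matched back by that port. All IP addresses are constructed; both PCs are deliberately given the same ephemeral port to show why the router must rewrite it.

```python
from dataclasses import dataclass
from itertools import count


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PatRouter:
    """Minimal port-address-translation table, as the replies describe it."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self._next_port = count(first_port)   # pool of public source ports
        self.outbound = {}  # (src_ip, src_port, dst_ip, dst_port) -> public port
        self.inbound = {}   # (public port, dst_ip, dst_port) -> (src_ip, src_port)

    def translate_out(self, pkt):
        # Destination (web server, port 80) is untouched; only the source changes.
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.outbound:
            pub = next(self._next_port)
            self.outbound[key] = pub
            self.inbound[(pub, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, self.outbound[key], pkt.dst_ip, pkt.dst_port)

    def translate_in(self, pkt):
        # Replies arrive as src=server:80, dst=public_ip:<port the router chose>.
        entry = self.inbound.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if entry is None:
            return None  # no matching session: a stateful firewall drops this
        src_ip, src_port = entry
        return Packet(pkt.src_ip, pkt.src_port, src_ip, src_port)


def demo():
    nat = PatRouter("203.0.113.5")   # constructed public address of the router
    web = "198.51.100.10"            # constructed address of the web server
    # Both PCs happen to pick the same ephemeral source port, 51000.
    a = Packet("192.168.1.10", 51000, web, 80)
    b = Packet("192.168.1.11", 51000, web, 80)
    out_a, out_b = nat.translate_out(a), nat.translate_out(b)
    # Server replies: source port 80, destination = whatever the router assigned.
    back_a = nat.translate_in(Packet(web, 80, nat.public_ip, out_a.src_port))
    back_b = nat.translate_in(Packet(web, 80, nat.public_ip, out_b.src_port))
    stray = nat.translate_in(Packet(web, 80, nat.public_ip, 40999))  # unsolicited
    return out_a, out_b, back_a, back_b, stray
```

Run `demo()` to see that both outbound packets still target port 80, that each gets a distinct public source port, and that an inbound packet with no table entry is rejected.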