Securing NAT Solution

Lesson 3: Allowing access with Address Pools and Special Ports
Objective: Allow access using Address Pools and Special Ports

Allowing access with Address Pools and Special Ports

You can allow access to specific computers and applications within the private network by reserving IP addresses from the NAT interface address pool or by creating special port mappings.

Use the default: all computers are inaccessible

By default, NAT discards any Internet-based requests to access computers within the private network. As such, all computers on the private network are inaccessible from the Internet in a NAT solution. Choose the default configuration when:
  1. Users on the private network require access to Internet sites
  2. Users on the Internet must not have access to any of the private network resource computers

In situations where the default security provided by NAT is not appropriate, select a method for exposing private network resources to the Internet. The choice depends on the number of public IP addresses available to the organization.
The following table describes the strategies for enabling access to private network resources.

When the design includes...        Enable access to private network resources by...
Multiple public IP addresses       Reserving addresses from the address pool
Single public IP address           Defining special port mappings

The following diagram shows you how to reserve addresses from the address pool and how to define special port mappings.

NAT solution that includes multiple public IP addresses (reserve addresses from the address pool):
  1. You must place the addresses in an address pool to enable private network resource access.
  2. Address pools enable NAT to examine Internet-based requests and forward them to a resource server within the private network.
  3. Using address pools allows access to all of the IP ports on the resource server.
  4. If the security specifications of the design require restricted IP port access, you can use Routing and Remote Access filters to restrict port access.
  5. You must obtain and reserve a public IP address in the NAT address pool for each resource server on the private network.

NAT solution that includes only one public IP address (define special port mappings):
  1. You must define special port mappings within Routing and Remote Access to enable private network resource access.
  2. Special port mappings enable NAT to examine the IP address and port number of Internet-based requests.
  3. NAT forwards requests for a specific IP address and port number to a resource server within the private network.
  4. For each resource that you share with the Internet, you must define a separate special port mapping in Routing and Remote Access.
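The following is an added illustration of the inbound decision logic described above (default discard, reserved pool addresses exposing every port unless a filter restricts them, and special port mappings matching address and port). It is a constructed model written for this lesson, not Routing and Remote Access code, and the IP addresses used in it are made up.

```python
# Constructed model (not RRAS code) of how a NAT router decides what to do with
# an inbound Internet request under the three strategies this lesson describes.
from dataclasses import dataclass, field


@dataclass
class NatPolicy:
    # Reserved public address -> private server; every port passes unless filtered.
    address_pool: dict = field(default_factory=dict)
    # Optional per-reserved-address allow-list of ports (models RRAS port filters).
    port_filters: dict = field(default_factory=dict)
    # (public_addr, proto, public_port) -> (private_addr, private_port)
    port_mappings: dict = field(default_factory=dict)

    def reserve_address(self, public, private, allowed_ports=None):
        """Strategy for multiple public addresses: reserve one per resource server."""
        self.address_pool[public] = private
        if allowed_ports is not None:
            self.port_filters[public] = set(allowed_ports)

    def add_port_mapping(self, public, proto, public_port, private, private_port):
        """Strategy for a single public address: one mapping per shared resource."""
        self.port_mappings[(public, proto, public_port)] = (private, private_port)

    def route_inbound(self, public, proto, port):
        """Return (private_addr, private_port) or None if NAT discards the request."""
        # A special port mapping must match the public address AND the port.
        hit = self.port_mappings.get((public, proto, port))
        if hit:
            return hit
        # A reserved pool address forwards every port to its resource server...
        if public in self.address_pool:
            allowed = self.port_filters.get(public)
            # ...unless a filter restricts which ports are exposed.
            if allowed is None or port in allowed:
                return (self.address_pool[public], port)
            return None
        # Default NAT behaviour: anything else is discarded.
        return None
```

Note that a reserved address with no filter exposes every listening port on the private server, which is why the lesson recommends filters when the design calls for restricted port access.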

Defining Special Port Mappings
In the next lesson, you will learn how to improve NAT security by using VPN.