What is the difference between masquerading, NAT (Network Address Translation), and port forwarding?
Some firewall rules are based on simple regulating mechanisms, such as allowing or denying data packets access to a LAN. Other firewall rules modify the data packets that they match. The firewall on Safepipe operates with three kinds of modifying firewall rules: Masquerading, NAT (Network Address Translation), and (from release 2.2) port forwarding. Common to these three kinds of rules is that they are applied with the purpose of hiding the structure of the LAN, but they differ in a number of ways and have different applications.
Masquerading
With masquerading you can map all private IP addresses on your LAN to the same public IP address, namely Safepipe's public interface. When you make requests to outside servers from the nodes on the LAN, the data packets will go through Safepipe and appear to originate from the IP address of Safepipe's public interface, instead of the actual private IP addresses of the nodes. Thus, as the structure of your network is hidden, the network is hard to access from the Internet.
Apart from this security perspective, masquerading also has the advantage that it helps cut down on the number of public IP addresses that your company needs. When all data traffic from your LAN to the Internet is mapped to the same, single public IP address, you will have no need for several public IP addresses – no matter how many devices on your LAN need to have access to the Internet.
NAT
NAT (Network Address Translation) also allows you to use two sets of IP addresses. However, NAT differs from masquerading in the way the addresses are mapped. With masquerading, several or all of the private IP addresses on your LAN are mapped to one public IP address, while NAT is based on a one-to-one principle. This means that a particular single IP address is mapped to another single IP address, and a particular group of IP addresses, such as an entire network, is mapped to another group of exactly the same size, i.e. one that has the same subnet mask. Even though NAT can handle mapping of both single IP addresses and groups of IP addresses, it is primarily applicable in the latter case. When you need to map single IP addresses, port forwarding is preferable to NAT.
NAT mapping can be static or dynamic. With static address translation the original IP address is always tied to the same NAT IP address. With dynamic address translation the different private IP addresses are mapped to a pool of IP addresses, and the NAT IP address depends on various runtime conditions and may be a different one for each single connection, though the one-to-one principle is still sustained. Note that Safepipe only supports static NAT.
Port forwarding
Port forwarding is used very similarly to NAT and also upholds the one-to-one principle. Port forwarding only supports mapping of single IP addresses, not groups of addresses, but for single addresses it is preferable to NAT. Port forwarding creates an alias for the private IP address in question, which can thus be pinged from outside your LAN. This is particularly useful in relation to e.g. Web and mail servers.
Port forwarding has the additional advantage over NAT that it allows you to change the port number when mapping IP addresses. It can forward all packets intended for one port on the gateway to a different port on one of the nodes on your internal network.
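As an added illustration (not part of the original FAQ or of Safepipe's software), the following Python model applies the three kinds of rules to constructed packets so the differences can be seen side by side: masquerading rewrites the source port and only lets replies to a known flow back in, static NAT maps hosts one-to-one between two networks of equal size, and port forwarding exposes one service and may change the port. The addresses, port numbers and the reply-matching rule are assumptions.

```python
import ipaddress

class Translator:
    """Toy model of the three translating rule types (assumed behaviour, not Safepipe code)."""
    def __init__(self, public_ip):
        self.public_ip = public_ip          # address of the public interface
        self.nat_out = {}                   # static NAT: private ip -> public ip
        self.nat_in = {}                    # reverse of nat_out
        self.forwards = {}                  # public port -> (private ip, private port)
        self.masq = {}                      # public port -> (src ip, src port, dst ip, dst port)
        self.next_port = 40000              # next free port for masqueraded flows

    def add_static_nat(self, private_net, public_net):
        """One-to-one NAT: both networks must have the same subnet mask."""
        priv, pub = ipaddress.ip_network(private_net), ipaddress.ip_network(public_net)
        if priv.prefixlen != pub.prefixlen:
            raise ValueError("NAT maps groups of equal size only")
        for a, b in zip(priv, pub):
            self.nat_out[str(a)] = str(b)
            self.nat_in[str(b)] = str(a)

    def add_port_forward(self, public_port, private_ip, private_port):
        """Expose one LAN service; the port number may change on the way in."""
        self.forwards[public_port] = (private_ip, private_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """LAN -> Internet: static NAT keeps the port; masquerading rewrites it."""
        if src_ip in self.nat_out:
            return (self.nat_out[src_ip], src_port, dst_ip, dst_port)
        flow = (src_ip, src_port, dst_ip, dst_port)
        for pport, known in self.masq.items():   # reuse the port of an already known flow
            if known == flow:
                return (self.public_ip, pport, dst_ip, dst_port)
        pport, self.next_port = self.next_port, self.next_port + 1
        self.masq[pport] = flow
        return (self.public_ip, pport, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Internet -> LAN; returns None when no rule or flow matches (packet dropped)."""
        if dst_ip in self.nat_in:                # static NAT alias of one LAN host
            return (src_ip, src_port, self.nat_in[dst_ip], dst_port)
        if dst_ip != self.public_ip:
            return None
        if dst_port in self.forwards:            # port forwarding rule
            priv_ip, priv_port = self.forwards[dst_port]
            return (src_ip, src_port, priv_ip, priv_port)
        flow = self.masq.get(dst_port)           # only replies to a masqueraded flow get in
        if flow and flow[2:] == (src_ip, src_port):
            return (src_ip, src_port, flow[0], flow[1])
        return None
```

Unsolicited packets to the public interface (no forwarding rule, no matching flow) return None, which is the "hard to access from the Internet" property the masquerading section describes.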