Network Address Resolution (NAT)
czarg
03-09-2006, 09:39 PM
I was thinking up a scenario today but got stuck along the way. I imagined a scenario where I use NAT Overload (port address translation) for NAT. What is the step-by-step resolution of the address if IP address 192.168.20.1 on Network A wishes to communicate with 192.168.20.1 (the same IP address) on Network B (a different network)?
I want to know how the switch resolves this address and knows it is outbound before it forwards frames to the Router.
FastLearner
03-10-2006, 09:23 AM
It resolves the addresses by using the subnet mask. The subnet mask tells how many of the 32 bits are used for the network address and how many are used for the node addresses. For more info about subnetting please see this article:
http://www.akadia.com/services/ip_routing_on_subnets.html
Wait, it just struck me that I may not have answered your question. The main job of the NAT firewall is to tack a single source IP address onto all outgoing packets (among other things), protecting the identity of the source host. On the receiving side, where the 2nd machine with the private address 192.168.20.1 is awaiting the packet, only the receiving router knows for whom the packet is intended (since it is also acting as a NAT firewall for the 2nd host). All of this is the job of the routers in question.
In summary, Router A (sender) knows the source address and destination address (only the router B). Router B (receiver) knows only the receiving address and the address of the sending router.
Wow, I am even confusing myself, so I'll wait for someone to explain this in a little bit simpler terms....:)
As a packet leaves the first network (192.168.20.1), it is stripped of that IP and given some routable IP, and it already knows its destination. When it gets to the destination, one of two things will happen. A computer on the receiving side will have requested the packet; then the router at the remote location knows where to send it. Why? Because when it sent the request for the packet, the router made note of the destination it was sending the packet to. So when it sees a packet from that destination coming in, it will know which local PC requested it.
If a PC at the remote location didn't request the packet, then it might be denied, or passed along, depending on how the router is configured. If we are talking about a secure or average home network, it will probably just deny any unrequested traffic. If it is on a network that hosts a website, for example, it will be configured to forward requests to certain computers. So let's say that on this network you have a web server. HTTP traffic is on port 80, so you configure the router to forward port 80 traffic to 192.168.20.1.
jlreich
03-11-2006, 12:35 AM
After reading this thread earlier today I happened to be reading some stuff about packets later on and it brought this thread to mind.
Well I noticed that every packet has the MAC address attached to it of the source NIC and destination NIC. Is that how you would get around the same IP address on two different networks? Is that what you mean by "the router knows the destination"? Or am I totally missing something?
Sorry if I am way off. My knowledge of the particulars of networking is still very slim.
Well, I can get into this quite deeply. Let's just leave it at this: routers don't know or care about MAC addresses. MAC addresses are used by switches, and IP addresses are used by routers.
Routers keep the traffic separated in NAT (which is technically PAT (Port Address Translation) on the LAN side in the common home setup) by using ports. All NAT does is translate a non-routable LAN IP to a public routable IP. PAT allows multiple computers inside of that NAT connection to access the world through the single public IP. So the router knows which packets go to which LAN IP by using ports.
When I send a request for this website, for example, I am sending it to port 80 as the destination port. The port that receives it on my PC can be any of the many higher-numbered ports without a reserved purpose. My PC will pick a port (1983) and send a request to port 80 at IP 209.68.14.80. When the website sends information back to my PC, the router will have kept a log saying that the PC with 192.168.1.100 is sending packets to 209.68.15.80 on port 1983. So when a packet destined to my WAN address comes from 209.68.15.80 and is destined for port 1893, the router knows to send it on to my PC at 192.168.1.100.
jlreich
03-11-2006, 01:03 AM
OK, so since it's actually port address translation, it doesn't really make a difference what the IP is. Even if it is on two different networks, it goes into one router, is sent to the port that goes to the other router, which sends it to the correct port that the requesting machine is on.
Is that right, at least sort of, or am I still off?
Thanks for the info Erik. :)
juniper
03-14-2006, 06:01 PM
I imagined a scenario where I use the NAT Overload (port address translation) for NAT. What is the step by step resolution of the address if ip address 192.168.20.1 on Network A wishes to communicate with 192.168.20.1 (same ip address) on Network B (a different network)?
Here's the skinny on this question...
PC-A has IP address 192.168.20.1 on network A. It wants to send a packet to PC-B on network B, which also has the IP address 192.168.20.1. First, PAT alone cannot accomplish this; you must have NAT or port forwarding on the routers also. Now, in this scenario you have two routers, one on network A and one on network B, both running PAT and port forwarding that hides the private addresses of both machines, so let's follow the flow...
Router A has an outside address of 10.0.0.1 and a port forwarding entry saying packets destined for 10.0.0.1 on port 80 are sent to 192.168.20.1 port 80. It also has PAT enabled that says all internal 192.168.20.0 traffic uses its outside IP address of 10.0.0.1.
Router B has an outside address of 10.0.0.2 and a port forwarding entry saying packets destined for 10.0.0.2 on port 80 are sent to 192.168.20.1 port 80.
It also has PAT enabled that says all internal 192.168.20.0 traffic uses its outside IP address of 10.0.0.2.
PC-A cannot send to 192.168.20.1 because it is 192.168.20.1 and the packet would not leave the PC, so we tell it to send to Router B's outside address of 10.0.0.2 port 80. PC-A sees that it is not on the 10.0.0.0 network by looking at its own IP address and mask, and sends an ARP request to its default gateway; this is because a NIC sends data by MAC and not IP. The router replies with its MAC address so PC-A can send the packet to the router. The router gets the packet and changes the source address of 192.168.20.1 in the packet to its outside interface IP address of 10.0.0.1, and changes the source port to 1024+n. The router then creates a table entry that says any traffic destined to port 1024+n is sent to 192.168.20.1. It then forwards the packet to Router B, which sees the packet with a source IP of 10.0.0.1, a source port of 1024+n and a destination of 10.0.0.2 port 80. It then knows by the port forwarding statement that 10.0.0.2 port 80 should be forwarded to 192.168.20.1 port 80 on its internal network, so it sends an ARP request for 192.168.20.1, PC-B replies with its MAC, and the router forwards the packet to PC-B. Now this happens in reverse order, except PC-B is sending to 10.0.0.1 port 1024+n. When the 10.0.0.1 router gets it, it sees a packet from 10.0.0.2 port 80 that needs to go to 10.0.0.1 port 1024+n; it then looks in its port translation table, sees that 1024+n traffic belongs to 192.168.20.1, and passes it on. The point is that PC-A thinks PC-B is 10.0.0.2 and PC-B thinks 10.0.0.1 is PC-A; neither PC really knows the true IP address of the other. As well, PAT uses a port-to-IP translation table to keep track of the internal hosts instead of the IP-to-IP translation table that NAT would use.
Higher-level note:
If you read carefully you will notice that Router A will send all traffic for port 1024+n to the internal host 192.168.20.1 while this entry is in the table, which means you need a stateful firewall that only allows responses in; in other words, PAT alone is not so secure. Also, you may ask why I use 1024+n; that is because ports 1 - 1024 are reserved and used by protocols, so it uses a free port above this number, hopefully randomly. As well, PAT can host 65535 - 1024 internal hosts, as 65535 is the computer's magic number, meaning that's all the ports it supports.
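The two-router walkthrough and the higher-level note above, modelled as an added Python example (this is not code from the thread or from any router vendor). The 10.0.0.x outside addresses, the 192.168.20.1 hosts and the port-80 forwards are taken from the post; PC-A's source port 3000 and the third host 10.0.0.3 are constructed. The `stateful` flag models the note: with it off, anything aimed at the open 1024+n slot reaches PC-A; with it on, only the recorded peer's reply does.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class PatRouter:
    """Toy PAT + port-forwarding router; not a real router implementation."""
    def __init__(self, outside_ip, forwards, stateful=False):
        self.outside_ip, self.stateful = outside_ip, stateful
        self.next_port = 1024  # dynamic mappings take 1024+n in order
        # outside port -> (inside ip, inside port, recorded remote peer or None)
        self.table = {p: (ip, port, None) for p, (ip, port) in forwards.items()}
        # (inside ip, inside port) -> outside port, so replies reuse the mapping
        self.reverse = {(ip, port): p for p, (ip, port) in forwards.items()}

    def outbound(self, pkt):
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.reverse:  # new flow: allocate 1024+n, remember the peer
            self.reverse[key] = self.next_port
            self.table[self.next_port] = (*key, (pkt.dst_ip, pkt.dst_port))
            self.next_port += 1
        return replace(pkt, src_ip=self.outside_ip, src_port=self.reverse[key])

    def inbound(self, pkt):
        entry = self.table.get(pkt.dst_port)
        if pkt.dst_ip != self.outside_ip or entry is None:
            return None  # no translation entry: dropped
        inside_ip, inside_port, peer = entry
        if self.stateful and peer and peer != (pkt.src_ip, pkt.src_port):
            return None  # stateful check: only the host we contacted may answer
        return replace(pkt, dst_ip=inside_ip, dst_port=inside_port)

def run_scenario(stateful=False):
    fwd = {80: ("192.168.20.1", 80)}  # both routers forward outside :80 to 192.168.20.1:80
    router_a, router_b = PatRouter("10.0.0.1", fwd, stateful), PatRouter("10.0.0.2", fwd, stateful)
    request = Packet("192.168.20.1", 3000, "10.0.0.2", 80)  # PC-A's port 3000 is constructed
    on_wire = router_a.outbound(request)     # source rewritten to 10.0.0.1:1024
    at_pc_b = router_b.inbound(on_wire)      # port forward delivers it to PC-B
    reply = Packet(at_pc_b.dst_ip, at_pc_b.dst_port, at_pc_b.src_ip, at_pc_b.src_port)
    reply_wire = router_b.outbound(reply)    # reuses the static entry: 10.0.0.2:80
    at_pc_a = router_a.inbound(reply_wire)   # 1024 -> 192.168.20.1:3000
    # Constructed unsolicited packet from a third host aimed at the open 1024+n slot
    stray = router_a.inbound(Packet("10.0.0.3", 5555, "10.0.0.1", on_wire.src_port))
    return on_wire, at_pc_b, reply_wire, at_pc_a, stray
```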