Many hosts in different
networks can use the same private space addresses. Packets using these
addresses as the source or destination should not appear on the public
Internet. The router or firewall device at the perimeter of these private
networks must block or translate these addresses. Even if these packets were to
make their way to the Internet, the routers would not have routes to forward
them to the appropriate private network.
Because
packets with private space destination addresses are not routable across the
Internet, services to translate packets from hosts using private addresses are
required. As represented in Figure 6-10, these services, called Network Address Translation (NAT), can be
implemented on a device at the edge of the private network. At the perimeter
router, NAT changes the private space addresses in the IPv4 packet header to a
public space address.
Figure 6-10 NAT on the Perimeter Device (figure: a private address on the internal local network is translated to a public address toward the Internet; Network Address Translation is required to allow Internet access for private addresses.)
By “borrowing” a public
address, these hosts in the private network can communicate with outside
networks. While there are some limitations and performance issues with NAT,
clients for most applications can access services over the Internet without
noticeable problems.
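The blocking and translation described above, as an added Python simulation that is not part of the book: a perimeter router that drops packets addressed to private space, rewrites private source addresses onto one public address with a per-flow port, and maps replies back through the stored table. The addresses and port numbers are constructed sample values.

```python
import ipaddress
from typing import Dict, Optional, Tuple

# RFC 1918 private address blocks that must not appear on the public Internet
PRIVATE_BLOCKS = [ipaddress.ip_network(b)
                  for b in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

Packet = Tuple[str, int, str, int]  # (src_ip, src_port, dst_ip, dst_port)


def is_private(addr: str) -> bool:
    """True if addr falls inside one of the RFC 1918 private blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in block for block in PRIVATE_BLOCKS)


class PerimeterNat:
    """Perimeter router doing many-to-one NAT (PAT) onto a single public address."""

    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip          # the "borrowed" public address
        self.next_port = first_port         # next free public port to hand out
        self.table: Dict[Tuple[str, int], int] = {}    # (private_ip, port) -> public port
        self.reverse: Dict[int, Tuple[str, int]] = {}  # public port -> (private_ip, port)

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Packet leaving the private network; None means the router drops it."""
        src, sport, dst, dport = pkt
        if is_private(dst):
            return None            # private destination has no route on the Internet
        if not is_private(src):
            return pkt             # already a public source: forward unchanged
        key = (src, sport)
        if key not in self.table:  # first packet of this flow: allocate a public port
            self.table[key] = self.next_port
            self.reverse[self.next_port] = key
            self.next_port += 1
        return (self.public_ip, self.table[key], dst, dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Packet arriving from the Internet; None means the router drops it."""
        src, sport, dst, dport = pkt
        if is_private(src):
            return None            # a private source address must not arrive from outside
        if dst != self.public_ip or dport not in self.reverse:
            return None            # no matching translation: unsolicited, dropped
        priv_ip, priv_port = self.reverse[dport]
        return (src, sport, priv_ip, priv_port)
```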
Note
NAT will be covered in detail in the
Accessing the WAN course and companion book.
The
addresses in the IPv4 unicast host range are designed for hosts that are
publicly accessible from the Internet. Even within these address blocks, many
addresses are designated for other special purposes, as described in the next
section.