> Sorry, but what is a "NAT box" ?
Network address translator. It's a kind of IP router that changes
the source or destination address, or the source or destination port,
as the packets pass through. A popular kind of NAT box is one that
provides the illusion of Internet access to a private IP network,
mapping one or more external IP addresses to a number of private
IP addresses. Such boxes do not necessarily provide a one-to-one
mapping between an internal IP address and the one that appears
on the global Internet. So they sometimes change the port number,
as well as the address, to avoid conflicts between multiple
hosts using the same external address and the same port. And
the mappings between external and internal addresses may be
dynamically assigned and change from time to time.
What this means is that a client or server's notion of the IP address
or port used in the conversation may not be the same as the server
or client's view from the other end of the connection.
Pure NAT boxes break a number of protocols that, for one reason
or another, depend on the client and server sharing the same notion
of endpoint identifiers. So real NAT boxes tend to perform
not only IP-level translation, but serve as translating proxies
for a number of higher level protocols. NATs thus share many
characteristics with firewalls, and often these functions are combined
in one box. But NAT boxes are more evil (from an application protocol
designer's point of view) than firewalls that don't do NAT.
Lots of us hate these things, but for a variety of reasons including
scarcity of IP address space, and commodity pricing of dialup accounts
limited to one IP address, they're widely deployed.
Keith
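The address and port rewriting Keith describes, as an added toy simulation that is not part of the original message: two private hosts behind one external address both open a connection from the same source port to the same server, so the NAT box has to change the port as well as the address for the second flow, and the reply is steered back to the right host by that remapped port. The addresses, port pool and the "keep the original port when it is free" policy are assumptions for illustration; real NAT boxes differ in how they choose external ports.

```python
"""Toy NAPT (network address and port translation) simulation.

Constructed example, not code from the original message. It models a
single external IP fronting a private network, the per-flow mapping
table, and what each end of a connection believes the endpoints are.
"""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip, port)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str = ""


class NatBox:
    def __init__(self, external_ip: str, first_port: int = 40000):
        self.external_ip = external_ip
        self.next_port = first_port          # assumed pool start for remapped ports
        self.out: Dict[Endpoint, int] = {}   # (inside ip, inside port) -> external port
        self.back: Dict[int, Endpoint] = {}  # external port -> (inside ip, inside port)

    def _allocate(self, inside: Endpoint) -> int:
        """Return the external port for an inside endpoint, creating a mapping if needed."""
        port = self.out.get(inside)
        if port is not None:
            return port
        # Assumed policy: keep the inside source port if no other inside host
        # already holds it on the external address; otherwise pick a fresh
        # one from the pool. That is the "port changes too" case.
        if inside[1] not in self.back:
            port = inside[1]
        else:
            while self.next_port in self.back:
                self.next_port += 1
            port = self.next_port
            self.next_port += 1
        self.out[inside] = port
        self.back[port] = inside
        return port

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite source address/port on a packet leaving the private network."""
        port = self._allocate((pkt.src_ip, pkt.src_port))
        return replace(pkt, src_ip=self.external_ip, src_port=port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite destination on a packet arriving from the Internet, or drop it."""
        inside = self.back.get(pkt.dst_port)
        if pkt.dst_ip != self.external_ip or inside is None:
            return None  # no mapping for this port: unsolicited traffic is dropped
        return replace(pkt, dst_ip=inside[0], dst_port=inside[1])


def views_of_client(nat: NatBox, client: Endpoint, server: Endpoint) -> Dict[str, Endpoint]:
    """What the client thinks its endpoint is versus what the server sees."""
    pkt = nat.outbound(Packet(client[0], client[1], server[0], server[1], "hello"))
    return {"client_view": client, "server_view": (pkt.src_ip, pkt.src_port)}


if __name__ == "__main__":
    # Constructed scenario: two inside hosts, same source port, same server.
    nat = NatBox("198.51.100.1")
    server = ("203.0.113.10", 80)
    print(views_of_client(nat, ("10.0.0.2", 5000), server))  # port kept
    print(views_of_client(nat, ("10.0.0.3", 5000), server))  # port remapped
    reply = nat.inbound(Packet(server[0], server[1], "198.51.100.1", 40000, "reply"))
    print(reply)  # delivered to 10.0.0.3:5000, not 10.0.0.2
```

The second host's view of its own endpoint (10.0.0.3:5000) and the server's view of it (198.51.100.1:40000) disagree on both address and port, which is exactly the mismatch that breaks protocols carrying endpoint identifiers in their payload.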