Operation Manual – NAT, Netstream, Policy Routing
H3C S7500 Series Ethernet Switches
Chapter 1 NAT Configuration

1.2 NAT Features

1.2.1 NAT and NAT Control

According to the NAT procedure illustrated in Figure 1-1, when an internal host tries to access an external network, NAT selects a proper public address and substitutes it for the source address in the packets from the internal host. In Figure 1-1, the IP address of the outbound interface on the NAT server is selected. In this case, only one internal host is allowed to access the external network at a time because the NAT can provide only one public address. This cannot meet the needs of multiple internal hosts to access external networks concurrently.

To satisfy the concurrent Internet requests from internal hosts, you can have the NAT server own multiple public IP addresses that can be assigned to internal hosts. When the first internal host tries to access the external network, the NAT process selects a public address for it and adds a mapping record in the NAT table; when the second internal host tries to access the external network, the NAT process selects another public address, and so on.

Note:
Since there is little probability that all internal hosts would access external networks at the same time, the public addresses on the NAT server can be much fewer than the internal hosts. You can determine the number of public IP addresses that are needed depending on the statistical number of internal hosts that may access the external network at traffic peak.

You can define an address pool for your NAT server to satisfy concurrent Internet requests. In addition, you can use an access control list (ACL) to control the NAT:

1) An address pool is a collection of public IP addresses for NAT. You should configure it depending on the number of available public IP addresses, the number of internal hosts, and the practical application. During address translation, the NAT process selects an address from the address pool to substitute for the source address.

2) In practice, you may want to allow some internal hosts to access the Internet and prevent other hosts from doing so. You can use an ACL to control the NAT process so that only specific hosts are allowed to access the Internet. With an ACL, when the NAT process checks the header of a packet, it determines whether the source IP address is allowed to access the Internet, and does not translate the address if it is not allowed.
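
The following Python model is an added example, not code or configuration from the H3C manual. It illustrates the address pool and ACL behavior described above: a permitted host gets a public address and a mapping record, a host outside the ACL is not translated, and a further host gets no address once the pool is used up. The class name, the addresses, and the `release` step (removing a mapping when a host stops using it) are assumptions made for the illustration.

```python
import ipaddress

class PoolNat:
    """Model of source NAT from an address pool, gated by an ACL (added example)."""

    def __init__(self, pool, acl_permit):
        # Public addresses still available for new mappings (constructed values).
        self.free = [ipaddress.ip_address(a) for a in pool]
        # ACL permit rules: internal sources that may be translated.
        self.acl_permit = [ipaddress.ip_network(n) for n in acl_permit]
        # NAT table: internal source address -> public address.
        self.table = {}

    def translate(self, src):
        """Return (public_address, reason); public_address is None if untranslated."""
        src = ipaddress.ip_address(src)
        if not any(src in net for net in self.acl_permit):
            return None, "acl-deny"             # not permitted: address is not translated
        if src in self.table:
            return self.table[src], "existing"  # reuse the recorded mapping
        if not self.free:
            return None, "pool-exhausted"       # more concurrent hosts than addresses
        self.table[src] = self.free.pop(0)      # select an address, record the mapping
        return self.table[src], "new"

    def release(self, src):
        """Assumption: a mapping is removed once the host stops using it."""
        public = self.table.pop(ipaddress.ip_address(src), None)
        if public is not None:
            self.free.append(public)

if __name__ == "__main__":
    # Constructed sample: two public addresses, one permitted internal subnet.
    nat = PoolNat(["203.0.113.1", "203.0.113.2"], ["10.1.1.0/24"])
    for host in ["10.1.1.10", "10.1.1.11", "10.1.1.10", "10.1.1.12", "10.2.2.5"]:
        print(host, *nat.translate(host))
    nat.release("10.1.1.10")
    print("10.1.1.12", *nat.translate("10.1.1.12"))
```

The `pool-exhausted` result is the situation that the sizing guidance in the Note is meant to avoid.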