NAT translating overlapping addresses
[FIGURE 3.5 NAT translating overlapping addresses. The figure shows an inside host (221.68.20.48), the NAT router, a DNS server (124.1.8.14) and the web server www.sybex.com (221.68.20.47) on the Internet, with three exchanges drawn across the router:

  DNS request for www.sybex.com address
    inside:  SA = 221.68.20.48  DA = 124.1.8.14
    outside: SA = 169.1.45.2    DA = 124.1.8.14
  DNS response from DNS server
    outside: SA = 124.1.8.14    DA = 169.1.45.2    A = 221.68.20.47
    inside:  SA = 124.1.8.14    DA = 221.68.20.48  A = 10.12.1.2
  Message to www.sybex.com
    inside:  SA = 221.68.20.48  DA = 10.12.1.2
    outside: SA = 169.1.45.2    DA = 221.68.20.47

  Address roles in the figure:
    Inside Local IP address    221.68.20.48
    Inside Global IP address   169.1.45.2
    Outside Global IP address  221.68.20.47
    Outside Local IP address   10.12.1.2 ]
The following steps are performed when translating overlapping addresses:

1. The host on the inside network at IP address 221.68.20.48 tries to open a connection to a web server on the outside network by using its fully qualified domain name. This request triggers a name-to-address lookup query from the host to a domain name server (DNS) at IP address 124.1.8.14.

2. The NAT border router translates the outgoing request to a pool of outbound IP addresses; in this case, it chooses 169.1.45.2. The router then intercepts the returning DNS reply and detects that the resolved IP address inside the reply (221.68.20.47) matches the inside range of IP addresses for which it is translating traffic. This address would appear local to the inside host that requested it, so it is not the appropriate address for the inside host to try to communicate with: it potentially overlaps with the IP address of another host on the inside of the network.

3. To allow the inside host to communicate with the host on the outside network, and not accidentally put it in touch with the wrong host on the inside, the NAT border router creates a simple translation entry that maps the overlapping IP address to an address from a pool of outside local IP addresses. In this case, it is IP address 10.12.1.2.

4. The NAT border router replaces the IP address inside the DNS reply with this outside local address allocated from the pool and forwards the reply to the original requester at inside local IP address 221.68.20.48.

5. The host on the inside of the network initiates a connection to the web server on the outside using outside local IP address 10.12.1.2. The router translates the inside local source IP address to the inside global address 169.1.45.2 and the outside local destination IP address to the outside global address 221.68.20.47, which receives the packet and continues the conversation.

6. For each packet sent from the inside host to the outside host, the router performs a NAT table lookup, replaces the destination address with 221.68.20.47, and replaces the source address with 169.1.45.2. The replies go through the reverse process.

There are two pools involved here—one for the inside-to-outside traffic and one for the outside-to-inside traffic. The inside device must use the DNS-supplied outside local IP address of the outside device—10.12.1.2—for the overlapping NAT to work. The inside device cannot use the outside global IP address of the outside device—221.68.20.47—because it is potentially the same address as another host on the inside network, and the inside device would ARP to find that device's MAC address, believing that they share the local subnet. This would result in the incorrect association of the outside global IP address with the MAC address of an inside device. The intended recipient would never be reached, because the router would not receive packets to be routed.
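The six steps above, and the two-pool bookkeeping they rely on, can be followed in a small model of the border router. This is an added example written for this page, not code from the book or from any router vendor: it keeps one table per pool, rewrites a DNS answer that overlaps the inside range, translates both ends of each packet in each direction, and ends with the subnet test that explains why the inside host must be given 10.12.1.2 rather than 221.68.20.47. The addresses are the ones in the figure; the /24 prefix for the inside range and the single-entry pools are assumptions, since the text gives neither.

```python
from ipaddress import ip_address, ip_network


class OverlappingNat:
    """Model of a NAT border router translating overlapping addresses.

    Two pools are kept, as the text describes: inside global addresses for
    inside-to-outside traffic, and outside local addresses handed out when
    a DNS reply resolves to an address that overlaps the inside range.
    """

    def __init__(self, inside_range, inside_global_pool, outside_local_pool):
        self.inside_range = ip_network(inside_range)       # prefix length is assumed
        self.inside_global_pool = list(inside_global_pool)
        self.outside_local_pool = list(outside_local_pool)
        self.inside_table = {}    # inside local  -> inside global
        self.outside_table = {}   # outside global -> outside local

    def inside_global_for(self, inside_local):
        """Allocate (once) an inside global address for an inside local host."""
        if inside_local not in self.inside_table:
            self.inside_table[inside_local] = self.inside_global_pool.pop(0)
        return self.inside_table[inside_local]

    def intercept_dns_reply(self, resolved):
        """Steps 2-4: rewrite an answer that falls inside the inside range."""
        if ip_address(resolved) not in self.inside_range:
            return resolved                          # no overlap, pass through unchanged
        if resolved not in self.outside_table:
            self.outside_table[resolved] = self.outside_local_pool.pop(0)
        return self.outside_table[resolved]

    def translate_outbound(self, pkt):
        """Steps 5-6: inside local -> inside global, outside local -> outside global."""
        outside_global = next(
            (og for og, ol in self.outside_table.items() if ol == pkt["da"]), pkt["da"])
        return {"sa": self.inside_global_for(pkt["sa"]), "da": outside_global}

    def translate_inbound(self, pkt):
        """Reverse path: outside global -> outside local, inside global -> inside local."""
        inside_local = next(
            (il for il, ig in self.inside_table.items() if ig == pkt["da"]), pkt["da"])
        return {"sa": self.outside_table.get(pkt["sa"], pkt["sa"]), "da": inside_local}


def same_subnet(host_addr, target, prefix):
    """True when a host on host_addr/prefix would treat target as on-link and ARP for it."""
    return ip_address(target) in ip_network(f"{host_addr}/{prefix}", strict=False)


def run_scenario():
    """Walk the figure's exchange through the model and return what each hop saw."""
    nat = OverlappingNat("221.68.20.0/24", ["169.1.45.2"], ["10.12.1.2"])
    inside_host = "221.68.20.48"
    dns_server = "124.1.8.14"
    web_server_outside_global = "221.68.20.47"

    # Steps 1-2: the DNS query leaves with the inside global source address
    query = nat.translate_outbound({"sa": inside_host, "da": dns_server})
    # Steps 2-4: the reply resolves www.sybex.com to an overlapping address; the router
    # rewrites it to an outside local address before the inside host sees it
    answer = nat.intercept_dns_reply(web_server_outside_global)
    # Steps 5-6: the host connects to the outside local address; both ends are translated
    out = nat.translate_outbound({"sa": inside_host, "da": answer})
    # The reply from the web server goes through the reverse process
    back = nat.translate_inbound({"sa": out["da"], "da": out["sa"]})
    return {"query": query, "answer": answer, "out": out, "back": back}


if __name__ == "__main__":
    print(run_scenario())
    # Why the rewrite is needed: the real address looks on-link to the inside host,
    # the pool address does not.
    print(same_subnet("221.68.20.48", "221.68.20.47", 24))   # True  -> host would ARP locally
    print(same_subnet("221.68.20.48", "10.12.1.2", 24))      # False -> host forwards to router
```

The `same_subnet` check is the crux of the last paragraph: with 221.68.20.47 as the destination the inside host never sends the packet to the router at all, so no NAT table entry could help it; only the outside local address 10.12.1.2 gets the packet onto the router where the two-pool translation takes place.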