7.6. ( NAT vs. Proxy ) - How does IP Masquerade differ from Proxy or NAT services?

Proxy:  Proxy servers are available for: Win95, NT, Linux, Solaris, etc.

            Pro:    + (1) IP address ; cheap
                    + Optional caching for better performance (WWW, etc.)

            Con:    - All applications behind the proxy server must both SUPPORT 
                      proxy services (SOCKS) and be CONFIGURED to use the Proxy 
                    - Screws up WWW counters and WWW statistics

	 A proxy server uses only (1) public IP address, like IP MASQ, and acts  
	 as a translator to clients on the private LAN (WWW browser, etc.).
	 This proxy server receives requests like TELNET, FTP, WWW, 
	 etc. from the private network on one interface.  It would then in turn,
	 initiate these requests as if someone on the local box was making the
	 requests.   Once the remote Internet server sends back the requested
	 information, it would re-translate the TCP/IP addresses back to the 
	 internal MASQ client and send traffic to the internal requesting host.  
	 This is why it is called a PROXY server.  

		Note:  ANY applications that you might want to use on the 
			internal machines *MUST* have proxy server support 
			like Netscape and some of the better TELNET and FTP 
			clients.  Any clients that don't support proxy servers 
			won't work.

	 Another nice thing about proxy servers is that some of them
	 can also do caching (Squid for WWW).  So, imagine that you have 50 
	 proxied hosts all loading Netscape at once.  If they were installed 
	 with the default homepage URL, you would have 50 copies of the same 
	 Netscape WWW page coming over the WAN link for each respective computer.  
	 With a caching proxy server, only one copy would be downloaded by the 
         proxy server and then the proxied machines would get the WWW page from 
         the cache.  Not only does this save bandwidth on the Internet 
         connection, it will be MUCH MUCH faster for the internal proxied 

MASQ:	 IP Masq is available on Linux and a few ISDN routers such
 or	 as the Zytel Prestige128, Cisco 770, NetGear ISDN routers, etc.
		Pro: 	+ Only (1) IP address needed (cheap)
			+ Doesn't require special application support
			+ Uses firewall software so your network can become
			  more secure

		Con:	- Requires a Linux box or special ISDN router
			  (though other products might have this..  )
			- Incoming traffic cannot access your internal LAN
			  unless the internal LAN initiates the traffic or
			  specific port forwarding software is installed.
			  Many NAT servers CANNOT provide this functionality.
			- Special protocols need to be uniquely handled by
			  firewall redirectors, etc.  Linux has full support
			  for this (FTP, IRC, etc.) capabilty but many routers
			  do NOT (NetGear DOES). 

	 Masq or 1:Many NAT is similar to a proxy server in the sense that the 
	 server will perform IP address translation and fake out the remote server 
	 (WWW for example) as if the MASQ server made the request instead of an 
	 internal machine.  
	 The major difference between a MASQ and PROXY server is that MASQ servers
	 don't need any configuration changes to all the client machines.  Just 
	 configure them to use the linux box as their default gateway and everything 
	 will work fine.  You WILL need to install special Linux modules for things 
	 like RealAudio, FTP, etc. to work)!  

	 Also, many users operate IP MASQ for TELNET, FTP, etc. *AND* also setup a 
	 caching proxy on the same Linux box for WWW traffic for the additional 

NAT:	 NAT servers are available on Windows 95/NT, Linux, Solaris, and some 
	 of the better ISDN routers (not Ascend)	 

		Pro: 	+ Very configurable
			+ No special application software needed

		Con:	- Requires a subnet from your ISP (expensive)

	 Network Address Translation is the name for a box that would have a pool of 
	 valid IP addresses on the Internet interface which it can use.  Whenever the
	 Internal network wanted to go to the Internet, it associates an available 
	 VALID IP address from the Internet interface to the original requesting 
	 PRIVATE IP address.  After that, all traffic is re-written from the NAT 
	 public IP address to the NAT private address.  Once the associated PUBLIC 
	 NAT address becomes idle for some pre-determined amount of time, the 
	 PUBLIC IP address is returned back into the public NAT pool.  

	 The major problem with NAT is, once all of the free public IP addresses are
	 used, any additional private users requesting Internet service are out of
	 luck until a public NAT address becomes free.

For an excellent and very comprehensive description of the various forms of NAT, please see:

Here is another good site to learn about NAT, although many of the URLs are old but still valid:

Copyright © 2010-2023 Platon Technologies, s.r.o.           Home | Man pages | tLDP | Documents | Utilities | About
Design by styleshout