> Well, the NAT I'm talking about specifically (IP NAT products like the
> ones from Checkpoint and Cisco, and probably others) work at layer 4.
> They need to understand TCP and so forth. One could write one that
> works strictly at layer 3, but for many IP protocols it wouldn't work
> very well, and certainly wouldn't work for many-to-few NAT
One cannot write a NAT that functions only at layer 3-IP (if you are referring
to the ISO layering labels). Any change of address in the IP header cascades
into the pseudo header in UDP and TCP and must be reflected in a change in the