What is Network Address Translation

Before you start

Objectives: Learn what Network Address Translation (NAT) is, what Port Address Translation (PAT) is, and about the different types of NAT.

Prerequisites: no prerequisites.

Key terms: NAT, address, IP, private, network, public, router, hosts, Internet, port, static, request

Definition

Network Address Translation (NAT) is the feature used to address the shortage of IPv4 addresses. NAT lets an entire organization, the whole private network, use a single public IP address. It does this by translating the IP addresses used on our local area network into the single public IP address that is visible on the Internet. Hosts can share one public IP address or a pool of public IP addresses. NAT is implemented on the router that sits between the local area network and the public network.

On the local area network the hosts are assigned private IP addresses. Three IP address ranges are reserved for private use. The Class A private range goes from 10.0.0.0 to 10.255.255.255, which is over 16 million addresses. The Class B private range goes from 172.16.0.0 to 172.31.255.255, and the Class C range goes from 192.168.0.0 to 192.168.255.255. As you already know, a private IP address can’t be routed on the public network, so we can’t use those addresses on the Internet; routers on the Internet are configured not to forward packets to or from private IP addresses. Private IP addresses can be used by anyone as long as they are used on a private network.

The NAT router has two interfaces, one connected to the private network and one connected to the public network. The interface connected to the private network is assigned a private IP address, and the interface connected to the public network is assigned a registered (public) IP address.

[Image: Private vs Public Network]

The NAT router is configured as the default gateway for all the hosts on the private network. When a client on the private network wants to access the Internet, its request first goes to the NAT router. The NAT router strips off the private source address and replaces it with its own registered, public IP address. The request is then sent out to the Internet, where it is processed by some server. The server responds to the request and sends its answer back to the NAT router. When the answer arrives, the NAT router changes the destination address of the packet back to the private address of the host that originally made the request. The NAT router may be servicing thousands of requests at the same time, so it has to keep track of all of that information somehow.

When the NAT router replaces the private source IP address in the packet with its public address, it sends the packet out through its public interface, the one configured with the public IP address. The NAT router keeps a table in memory that records every host on the private network that has requested a resource on the Internet, together with the port the NAT router assigned when it forwarded the request. For example, in our case the host 192.168.1.10 makes a request to the server 200.200.20.20 on the Internet. In the first step the packet is sent to the NAT router. In the second step the NAT router replaces the private source address with its own public one and sends the packet to 200.200.20.20. In its NAT table it records the private address and the port from which it made the request; in our case the NAT router used port 3000.

[Image: NAT Table (Address Translation)]

The device on the Internet returns the packet addressed to the NAT router. The NAT router replaces the destination address with the private address of the host. Responses to Internet requests also carry the port number assigned by the NAT router, which is what allows the NAT router to forward each response back to the correct private host.

[Image: The Return (Address Translation 2)]

Strictly speaking, NAT translates one IP address to another. To use multiple private IP addresses with a single public IP address we also have to use the Port Address Translation (PAT) feature. PAT is the feature that associates a port number with the translated address. If we only used NAT, we would need a public IP address for every private IP address. Because of PAT, many private IP addresses can share a single public IP address, with each private IP address associated with a unique port number. In practice all NAT routers perform port address translation, so when we say NAT we also imply PAT.

Like any other router, NAT routers operate at the network layer of the OSI model. A benefit is that a NAT router hides our entire private network from the public network, so it acts as a firewall of sorts. There are also drawbacks. Let’s say we also have a web server on our private network. With a NAT router, hosts on the public network cannot request resources from hosts on our private network, so the NAT router acts like a security wall, which is good. But if we want to share some resources, for example a web server, this is a problem, because we want people from the public network to reach our web server. We can solve this by using the proper NAT implementation.

NAT Implementations

There are several variations of NAT. The first type is a Dynamic NAT configuration. With Dynamic NAT, hosts on the private network can make requests to the public network, but hosts on the public network can’t request resources from the private network. Dynamic NAT uses dynamic port assignment for the private IP addresses, and external hosts cannot initiate communication with internal hosts.

Another NAT configuration is a Static NAT. With Static NAT we can allow access from the public network to hosts inside our private network. With Static NAT we actually create a mapping between a private and a public IP address. For example, let’s say that our web server has a private address of 192.168.1.50. In that case, with static NAT we would map that IP address to the public address of 100.100.10.10. In this configuration when hosts on the public network try to make requests to the IP address of 100.100.10.10, our NAT router would redirect those requests to the private address of 192.168.1.50, which is our web server. With Static NAT we actually use a static port assignment for the private IP address. External hosts can contact our web server using the public IP address and the static port.

Dynamic and Static NAT can be configured together. If we use both, we actually need two public IP addresses on the public interface of our NAT router: one IP address is used for Dynamic NAT and the second for Static NAT. Note that both IP addresses are configured on the same interface.
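To make the NAT table, the PAT port assignment and the difference between Dynamic and Static NAT concrete, here is a small simulator written for this article (it is not code from the article itself or from any router). It reuses the article’s addresses (192.168.1.10, 200.200.20.20, 192.168.1.50 mapped to 100.100.10.10, first PAT port 3000); the dynamic public address 100.100.10.11 and the outside host 203.0.113.5 are constructed for the example.

```python
# Added example: a minimal NAT/PAT simulator (not the article's own code).
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatRouter:
    def __init__(self, dynamic_ip, static_map=None, first_port=3000):
        self.dynamic_ip = dynamic_ip                    # public address shared via PAT
        self.static_map = dict(static_map or {})        # Static NAT: public ip -> private ip
        self.reverse_static = {v: k for k, v in self.static_map.items()}
        self.table = {}                                 # NAT table: public port -> (private ip, port)
        self.next_port = first_port                     # next port the router hands out

    def outbound(self, pkt):
        """Private -> Internet. Statically mapped hosts keep their port and only
        change address; everyone else shares dynamic_ip and gets a router port."""
        if pkt.src_ip in self.reverse_static:
            return Packet(self.reverse_static[pkt.src_ip], pkt.src_port, pkt.dst_ip, pkt.dst_port)
        for port, inside in self.table.items():         # reuse an existing entry
            if inside == (pkt.src_ip, pkt.src_port):
                public_port = port
                break
        else:                                            # or allocate the next port
            public_port, self.next_port = self.next_port, self.next_port + 1
            self.table[public_port] = (pkt.src_ip, pkt.src_port)
        return Packet(self.dynamic_ip, public_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Internet -> private. Forwarded only to a static mapping or to a host
        whose earlier request created a table entry; anything else is dropped
        (None), which is the 'security wall' effect described above."""
        if pkt.dst_ip in self.static_map:
            return Packet(pkt.src_ip, pkt.src_port, self.static_map[pkt.dst_ip], pkt.dst_port)
        if pkt.dst_ip == self.dynamic_ip and pkt.dst_port in self.table:
            ip, port = self.table[pkt.dst_port]
            return Packet(pkt.src_ip, pkt.src_port, ip, port)
        return None  # unsolicited packet: no NAT table entry, dropped
```

Running `NatRouter("100.100.10.11", {"100.100.10.10": "192.168.1.50"})` and pushing packets through `outbound` and `inbound` shows the table entry for 192.168.1.10 being created on port 3000 and only matching replies being translated back.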

With Static NAT we can only map one public IP address to one private IP address. If we have more hosts on the private network that we want to make available on the public network, we need more public IP addresses. To obtain public IP addresses we typically contact our ISP. The ISP typically receives its IP addresses from a Regional Internet Registry (RIR). Each RIR is assigned a block of addresses by the Internet Assigned Numbers Authority (IANA), and IANA is operated by the Internet Corporation for Assigned Names and Numbers (ICANN).