Username   Password       Register

NAT (Network Address Translation)

NAT (Network Address Translation) is a technique for preserving scarce Internet Glossary Link IP addresses.

Why NAT?

The current Internet uses IP addresses in the form xxx.xxx.xxx.xxx. A sample Glossary Link IP address might be 202.187.4.212.

Because of the way these IP addresses are allocated, there started to be a shortage of available IP addresses.

The current revision of IP (Internet Glossary Link Protocol) in use on the Internet is Glossary Link IPv4. IPv6 is largely a response to this potential IP address shortage.

Unfortunately, IPv6 is going to take decades to implement. A much quicker fix was needed, and that fix was NAT.

Private Address Space for NAT

To conserve IP address space, networks which are not directly connected to the Internet are often given private address space.

Private address space are ranges of IP address which cannot be routed over the Internet.

Private address space is often called "RFC 1918" space, because private address space is defined in RFC 1918 - Address Allocation for Private Internets.

RFC 1918 defines three sets of private address space:

Start End Network Size
10.0.0.0 10.255.255.255 /8
172.16.0.0 172.31.255.255 /12
192.168.0.0 192.168.255.255 /16

The use of private address space conserves IP addresses because any person or company can use the same provate address space over and over again.

I have a 10.0.0.x network in my house. IBM has a 10.0.0.x network. HP has a 10.0.0.x network. Apple has a 10.0.0.x network. We're all using the same range of IP addresses.

The limitation is that private address space is non-routable. This means that any computer on these private IP addresses cannot (directly) connect to the Internet.

Network Address Translation to the Rescue!

The solution to work-around this limitation is NAT (Network Address Translation).

A NAT device, usually a Glossary Link firewall or a Glossary Link router, is placed between the private network and the Internet.

When computers on the private network want to communicate on the Internet, the NAT device quickly and silently modifies the packets they send to have a normal IP address.

When systems on the Internet send reply packets, the NAT device routes those reply packets back to the correct system on the private network.

In this way, hundreds or thousands of computers on the private network can share just one IP address on the public Internet.

For example, you might have 250 computers on the 192.168.1.x network and one firewall providing NAT services on the IP address 216.17.138.210. Any time one of the hosts communicates across the Internet, the NAT firewall changes the IP address of the packets to 216.17.138.210. When reply packets come from the Internet, the NAT firewall sorts them out and sends them to the correct internal host.

Types of NAT

The type of NAT just described is called One-to-Many NAT. This is because one IP address is shared by many hosts.

It is also possible to implement One-to-One NAT. This is where a host with a private IP address is given a dedicated public IP address in the NAT device. One-to-One NAT is used to support some poorly designed protocols which do not work well over NAT.

How NAT Works

When a computer running NAT receives a Glossary Link packet from an internal client, it replaces the packet header and translates the client's port number and internal IP address to its own port number and external IP address. It then sends the packet to the destination host on the Internet, and keeps track of the mapping information in a table, so that it can route the reply to the appropriate client computer. When the computer running NAT receives a reply from the Internet host, it again replaces te packet header and sends the packet to the client. Both the client computer and the Internet host appear to be communicating directly with each other.

For example, a client computer with the IP address 192.168.10.2 wants to contact a Web server with the IP address 131.110.30.4. The client is configured to use 192.168.1.1 as the default Glossary Link gateway, which is the internal IP address of the computer running NAT. The external IP address of the computer running NAT is 131.110.5.1. In this example, the NAT process occurs as follows:

  • The client computer sends a packet to the computer running NAT. The packet header indicates that the packet originates from port 1074 on the computer with the IP address 192.168.10.2, and has a destination of port 80 on 131.110.30.4.
  • The computer running NAT changes the packet header to indicate that the packet originates from port 1563 on host 131.110.5.1, but does not change the destination. The computer running NAT then sends the packet to the Web server over the Internet.
  • The external Web server receives the packet and sends a reply. The packet header for the reply indicates that the packet originates from port 80 on 131.110.30.4, and has a destination of port 1563 on host 131.110.5.1.
  • The computer running NAT receives the packet and checks its mapping information to determine the destination client computer. The computer running NAT changes the packet header to indicate a destination of port 1074 on 192.168.10.5, and then sends the packet to the client. The source of the packet remains as port 80 on 131.110.30.4, which is the IP address of the Web server.

Discuss NAT (Network Address Translation) in the forums.