NAT: Understanding the Mechanics of Network Address Translation

Buzz

Content

Source Device A

Source Device B

Source Device C

Source Device D

Illustration of a NAT router managing traffic between private and public networks.

Network Address Translation (NAT) enhances security by reusing IP addresses. The NAT router handles incoming and outgoing traffic between private networks and the internet. Explore more visual representations of computer networking.

If you're reading this article, chances are you're connected to the internet via the Mytour website. This means you're almost certainly using Network Address Translation (NAT) right now.

The internet has expanded far beyond anyone's expectations. While its exact size is unknown, there are over 5.35 billion active internet users today. So how does this massive scale relate to NAT? Everything! In this article, we'll explore how NAT benefits you, but first, let's dive deeper into what NAT is and how it works...

What Happens When the Global IP Address Pool Depletes?

For a computer to interact with other systems and web servers on the internet, it needs an IP address. An IP address (short for Internet Protocol) is a distinct 32-bit number that pinpoints your computer's location on a network. Think of it like your home address — it's used to determine your exact location and route information to you.

When IP addressing was first introduced, it was assumed there would be plenty of addresses to meet any demand. In theory, there were 4,294,967,296 unique addresses (2). However, the actual number of available public IP addresses is lower (around 3.2 to 3.3 billion) due to the way addresses are categorized, and because some are reserved for multicast, testing, or other specialized uses.

With the rapid growth of the Internet and the rise of home networks and business networks, there simply aren't enough IP addresses to go around. A clear solution is to update the public IP address system to allow for more addresses. This is known as IPv6, but it will take several years to implement because it requires overhauling the entire internet infrastructure.

This is where NAT (RFC 1631) steps in. Network Address Translation enables a single device, such as a router, to serve as an intermediary between the Internet (or "public network") and a local (or "private") network. This allows a single unique IP address to represent an entire group of computers. However, the scarcity of public IP addresses is just one reason to use NAT.

What is the Role of NAT?

NAT works like a receptionist in a busy office. Imagine you've instructed the receptionist not to forward any calls to you unless you specifically request it. Later, you reach out to a potential client and ask them to call you back. You inform the receptionist that you're expecting this call and to connect the client to you.

The client calls your office's main number, which is the only number they know. When the client tells the receptionist they're looking for you, the receptionist refers to a lookup table to match your name with your extension. Since you previously requested this call, the receptionist forwards the call to your extension.

Created by Cisco, Network Address Translation is a technology used by a device (firewall, router, or computer) positioned between an internal network and the broader internet. NAT has several variations and can function in different ways:

Illustration depicting how IP addresses are mapped in static NAT.

In static NAT, the computer with the IP address 192.168.32.10 will always be mapped to 213.18.123.110.

Static NAT - This method maps an unregistered IP address to a registered IP address on a one-to-one basis. It's especially beneficial when a device needs to be accessible from outside the network.

Illustration demonstrating how IP addresses are translated in static NAT.

In dynamic NAT, the computer with the IP address 192.168.32.10 will be assigned the first available address within the range from 213.18.123.100 to 213.18.123.150.

Dynamic NAT - Maps an unregistered IP address to a registered IP address chosen from a pool of available registered IP addresses.

Overloading - A type of dynamic NAT that assigns multiple unregistered IP addresses to a single registered IP address by using different ports. This technique is also known as PAT (Port Address Translation), single IP address NAT, or port-level multiplexed NAT.

Diagram illustrating how each computer maps to the same IP address in NAT overloading.

In overloading, all computers on the private network are mapped to the same IP address (213.18.123.100), but each one is assigned a unique port number.

Overlapping - Occurs when the internal network's IP addresses overlap with registered IP addresses from another network. The router must keep a lookup table for these addresses, enabling it to intercept and replace them with unique registered IP addresses. It's important that the NAT router translates both the internal addresses to registered unique ones and the external registered addresses to ones unique to the private network. This can be achieved either through static NAT or by using DNS and implementing dynamic NAT.

Diagram showing how the NAT router translates IP addresses.

The internal IP range (237.16.32.xx) is also a registered range used by another network. As a result, the router must translate the addresses to prevent a possible conflict with the other network. Additionally, it will convert the global registered IP addresses back to the unregistered local IP addresses when sending data to the internal network.

The internal network is typically a LAN (Local Area Network), often called a stub domain. A stub domain is a LAN that uses IP addresses internally. Most network traffic within a stub domain remains local, not leaving the internal network. An internal IP address can be either registered or unregistered, and the stub domain can use either type. Naturally, any devices using unregistered IP addresses will require NAT to communicate with the external world.

In the upcoming section, we will explore the various configurations available for NAT.

Thank You

We extend special thanks to Cisco for their support in creating this article.

NAT Configuration

Diagram showing the NAT router managing the flow of traffic between global and private IP networks.

IP addresses are categorized differently depending on whether they belong to the private network (stub domain) or the public network (Internet), and whether the traffic is incoming or outgoing.

NAT can be configured in various ways. For instance, in the example below, the NAT router is set to translate unregistered (inside, local) IP addresses from the private (inside) network into registered IP addresses. This translation occurs whenever a device on the inside with an unregistered address needs to communicate with the public (outside) network.

An ISP assigns your company a block of IP addresses. These addresses are registered, unique IPs, called inside global addresses. The unregistered, private IP addresses are divided into two categories: one is a small group (outside local addresses) used by the NAT routers, while the other, the much larger group, known as inside local IP addresses, is used on the stub domain. The outside local addresses are used to map the unique IPs, known as outside global addresses, for devices on the public network.

The majority of computers within the stub domain communicate using the inside local addresses.
Some computers in the stub domain frequently communicate outside the network. These machines are assigned inside global addresses, which means they do not require translation.
When a computer with an inside local address wants to send data to the outside, the packet is directed to a NAT router.
The NAT router checks its routing table to see if it has an entry for the destination address. If the entry exists, the NAT router translates the packet and adds an entry for it in the address translation table. If the destination address is absent, the packet is discarded.
Using the inside global address, the router forwards the packet to its destination.
A computer on the public network sends a packet to the private network. The packet’s source address is an outside global address, while the destination address is an inside global address.
The NAT router consults the address translation table and finds the mapped inside global address for a computer on the stub domain.
The NAT router translates the inside global address of the packet to the inside local address and forwards it to the destination computer.

The Connections of a NAT Overload

NAT overloading takes advantage of a feature in the TCP/IP protocol stack called multiplexing, which allows a single computer to establish multiple simultaneous connections with a remote computer (or multiple computers) using different TCP or UDP ports. Each IP packet carries the following header information:

Source Address - The IP address of the sending computer, such as 201.3.83.132
Source Port - The TCP or UDP port number assigned by the sending computer for this packet, like Port 1080
Destination Address - The IP address of the receiving computer, such as 145.51.18.223
Destination Port - The TCP or UDP port number that the sending computer requests the receiving computer to open, such as Port 3021

The addresses identify the two devices involved, while the port numbers ensure that each connection between them has a unique identifier. This set of four values—source address, source port, destination address, and destination port—defines a single TCP/IP connection. Each port number is 16 bits long, allowing for 65,536 possible values. However, because different manufacturers may assign ports slightly differently, you can typically expect around 4,000 ports to be available for use.

Dynamic Network Address Translation

This is the process of dynamic NAT:

A private network (stub domain) is configured with IP addresses that were not specifically allocated by IANA (Internet Assigned Numbers Authority), the global body responsible for distributing IP addresses. These addresses are non-routable because they lack uniqueness.
The company installs a NAT-enabled router, which is assigned a block of unique IP addresses by IANA.
A computer within the stub domain attempts to make a connection with an external device, like a web server.
The router receives the data packet sent from the internal computer.
The router records the non-routable IP address of the sending computer in the address translation table. It substitutes the computer's non-routable IP with the first available unique IP from its assigned range. This creates an entry in the translation table mapping the non-routable address to a unique IP address.
When a return packet comes from the external device, the router checks its destination address. It then consults the translation table to identify the internal computer to which the packet should be sent. If a match is found, the router updates the destination address with the corresponding one from the table and forwards the packet. If no match is found, the packet is discarded.
The internal computer receives the returned packet. This cycle repeats as long as communication persists with the external system.

How NAT Overloading Operates

Here’s how overloading functions:

A private network (stub domain) is established with non-routable IP addresses that have not been assigned by IANA.
The company installs a NAT-enabled router, which is given a unique IP address by IANA.
A computer within the stub domain attempts to connect to an external device, such as a web server.
The router receives the data packet from the internal computer.
The router records both the non-routable IP address and the source port number in the address translation table. It then substitutes the non-routable IP address with the router’s own IP address and replaces the source port with the one used for that entry in the translation table. The mapping now includes both the non-routable IP address and port number, along with the router’s IP address.
When a return packet arrives from the destination device, the router checks the destination port in the packet. It looks up the corresponding entry in the translation table and updates both the destination address and port number, then forwards the packet to the appropriate computer on the stub domain.
The computer receives the packet from the router. This process repeats for the duration of the connection to the external system.
As the router now has the computer’s source address and port in the translation table, it continues using the same port number for the duration of the session. The timer for that entry is reset every time it is accessed, and if it isn't accessed before the timer expires, the entry is deleted.

In the following section, we will explore how stub domains are structured.

Stub Domains

Take a look below to understand how computers within a stub domain are perceived by external networks.

Source Device A

IP Address: 192.168.32.10

Computer Port: 400

NAT Router IP Address: 215.37.32.203

Port Number Assigned by NAT Router: 1

Source Device B

IP Address: 192.168.32.13

Computer Port: 50

NAT Router IP Address: 215.37.32.203

NAT Router Allocated Port Number: 2

Source Device C

IP Address: 192.168.32.15

Computer Port: 3750

NAT Router IP Address: 215.37.32.203

NAT Router Allocated Port Number: 3

Source Device D

IP Address: 192.168.32.18

Computer Port: 206

NAT Router IP Address: 215.37.32.203

NAT Router Allocated Port Number: 4

As shown, the NAT router records both the IP address and port number for each device. It then substitutes the original device's IP address with its own registered IP address, while replacing the source computer's port number with the appropriate port number assigned by the router. To any external network, only the NAT router's IP address and the port number given to that specific source computer will be visible on the packet.

It is also possible to have computers within the stub domain that retain static IP addresses. You can set up an access list that tells the router which devices need NAT translation, while leaving the other devices' IP addresses unchanged during transmission.

The number of concurrent translations that a router can handle is primarily determined by its DRAM (Dynamic Random Access Memory) capacity. A typical address translation entry uses about 160 bytes, meaning a router equipped with 4 MB of DRAM could theoretically manage 26,214 simultaneous translations—sufficient for most typical applications.

How IP Address Information is Categorized

The IANA has designated specific IP address ranges to be used for non-routable, internal network addresses. These addresses are classified as unregistered (for further details, refer to RFC 1918: Address Allocation for Private Internets, which defines these address blocks). No organization or individual is permitted to claim ownership of these unregistered addresses or use them on publicly accessible machines.

Routers are programmed to discard unregistered addresses rather than forward them. This means that a packet from a device with an unregistered address might successfully reach a registered destination, but the response will be discarded by the first router it encounters.

For networking purposes, each of the three main IP address classes has a designated address range:

Range 1: Class A - 10.0.0.0 to 10.255.255.255
Range 2: Class B - 172.16.0.0 to 172.31.255.255
Range 3: Class C - 192.168.0.0 to 192.168.255.255

Although the address ranges belong to different classes, you are not obligated to choose any specific range for your internal network. However, following this practice is recommended as it significantly reduces the likelihood of encountering IP address conflicts.

Security and Network Management

A diagram illustrating how Static NAT routes traffic towards a public network.

Static NAT (also known as inbound mapping) ensures that a computer within the stub domain retains a consistent address when communicating with external devices outside the network.

Enabling dynamic NAT automatically creates a protective barrier, or firewall, between your internal network and the outside world, including the Internet. With NAT, only connections originating from inside the stub domain are allowed.

In essence, this means that an external computer cannot establish a connection to yours unless you initiate the communication. You can browse the web, visit websites, and download files; however, no one can hijack your IP address to connect to a port on your computer.

In certain situations, Static NAT, also known as inbound mapping, permits external devices to initiate connections to computers within the stub domain. For example, if you need to route traffic from an inside global IP address to a specific inside local IP address assigned to your web server, Static NAT will facilitate the connection.

Some NAT routers offer advanced filtering and traffic logging features. Filtering helps your organization control the types of websites employees can access, preventing access to inappropriate content. Traffic logging allows you to record website visits and generate reports based on this data.

Information about Proxy Servers

NAT is often mistaken for proxy servers, but there are clear distinctions. NAT operates in a way that is invisible to both the source and destination computers; neither is aware of the intermediary device. In contrast, a proxy server is not transparent.

The source computer is aware that it is requesting services from the proxy server, which must be explicitly configured to allow for this. The destination computer perceives the proxy server as the source and interacts with it directly. Proxy servers typically operate at layer 4 (transport) of the OSI Reference Model or higher, whereas NAT is a layer 3 (network) protocol. Because proxy servers function at a higher layer, they tend to be slower than NAT devices in most cases.

An illustration of the OSI reference model, indicating that NAT operates at layer 3 (the Network layer).

NAT functions at the Network layer (layer 3) of the OSI Reference Model, which is the same layer where routers operate.

One significant advantage of NAT is its impact on network management. For example, if you need to relocate your Web or FTP server to another machine, you don’t have to worry about broken links. Simply adjust the inbound mapping on the router to reflect the new host. Changes to your internal network can also be easily made since only the router's external IP address or one from a global address pool is exposed externally.

NAT and DHCP (Dynamic Host Configuration Protocol) work very well together. You can designate a range of unregistered IP addresses for your stub domain and have the DHCP server assign them as needed. This setup makes scaling your network much easier as it grows. Rather than requesting additional IP addresses from IANA, you simply expand the available range in the DHCP configuration to quickly accommodate more devices on your network.

Multi-homing

As businesses increasingly depend on the Internet, having multiple connections to the Internet is becoming an essential part of their network strategy. This practice, known as multi-homing, helps prevent a disastrous shutdown in case one of the connections fails.

Beyond ensuring a reliable connection, multi-homing also facilitates load balancing by reducing the number of computers using any single Internet connection. By distributing the traffic across multiple connections, the overall performance is optimized, leading to reduced wait times.

Multi-homed networks are often linked to several different ISPs (Internet Service Providers). Each ISP assigns an IP address (or a block of addresses) to the company. Routers utilize BGP (Border Gateway Protocol), part of the TCP/IP protocol suite, to route traffic between networks that use different protocols. In multi-homed networks, routers use IBGP (Internal Border Gateway Protocol) on the stub domain side, and EBGP (External Border Gateway Protocol) to communicate with external routers.

Multi-homing proves invaluable when one of the ISP connections goes down. Once the router responsible for the failed connection detects the issue, it quickly reroutes all traffic through one of the alternative routers.

NAT can aid in scaling routing for multi-homed, multi-provider networks. For additional information on multi-homing, refer to Cisco: Enabling Enterprise Multihoming.

Mytour's content is for customer care and travel encouragement only, and we are not responsible.

For errors or inappropriate content, please contact us at: [email protected]