Network Address Translation (NAT): primary use is to conserve public IPv4 addresses.
NAT also adds a degree of privacy and security to a network, because it hides internal IPv4 addresses from outside networks. Note that translating between public and private IPv4 addresses is by far the most common use of NAT; however, NAT translations can occur between any pair of addresses.
Four types of addresses
NAT includes four types of addresses:
- Inside local address
- Inside global address
- Outside local address
- Outside global address
When determining which type of address is used, it is important to remember that NAT terminology is always applied from the perspective of the device with the translated address:
- Inside address (source) – The address of the device whose address is being translated by NAT, i.e., the IP address of the source device.
- Outside address – The address of the destination device.
NAT also uses the concept of local or global with respect to addresses:
- Local address – A local address is any address that appears on the inside portion of the network.
- Global address – A global address is any address that appears on the outside portion of the network.
Combining the two distinctions (inside/outside and local/global) gives four kinds of address:
- Inside local address – The address of the source as seen from inside the network. In the figure, the IPv4 address 192.168.10.10 is assigned to PC1. This is the inside local address of PC1.
- Inside global address – The address of the source as seen from the outside network. In NAT terminology, the inside local address of 192.168.10.10 is translated to the inside global address of 188.8.131.52.
- Outside global address – The address of the destination as seen from the outside network, typically the server. It is a globally routable IPv4 address assigned to a host on the Internet. For example, the web server is reachable at IPv4 address 184.108.40.206.
- Outside local address – The address of the destination as seen from the inside network. In this example, PC1 sends traffic to the web server at the IPv4 address 220.127.116.11. While uncommon, this address could be different from the globally routable address of the destination.
Most often the outside local and outside global addresses are the same.
Types of NAT
- Static address translation (static NAT) – One-to-one address mapping between local and global addresses. Static NAT is particularly useful for web servers or devices that must have a consistent address that is accessible from the Internet. Static entries are always present in the NAT table.
- Dynamic address translation (dynamic NAT) – Many-to-many address mapping between local and global addresses. Like static NAT, dynamic NAT requires that enough public addresses are available to satisfy the total number of simultaneous user sessions. With dynamic NAT, internal IP addresses are also mapped to real public IP addresses, but the mapping is not fixed: for the duration of a session an internal host keeps the same public IP address, but that address is likely to change from one session to the next. These addresses are taken from a pool of public IP addresses that the ISP has reserved for the network.
With dynamic NAT, translations do not exist in the NAT table until the router receives traffic that requires translation. Dynamic translations have a timeout period after which they are purged from the translation table, making their public addresses available to other internal hosts.
Because the mappings are not persistent, dynamic NAT is a poor fit for mapping a set of public IP addresses to specific internal server IP addresses.
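The following is an added example (not code from the original notes) that models the dynamic NAT behaviour just described: an entry is created only when outbound traffic arrives, the public address comes from a finite pool, an idle entry is purged after a timeout so another host can take its address, and a host whose entry was purged has to acquire a new address on its next session. The pool addresses, host addresses and the simulated clock values are constructed sample data.

```python
"""Toy dynamic NAT table (added example; addresses and timings are constructed)."""

from dataclasses import dataclass


@dataclass
class Translation:
    inside_local: str     # private address of the inside host
    inside_global: str    # public address taken from the pool
    last_used: float      # simulated clock, in seconds


class DynamicNat:
    def __init__(self, pool, timeout):
        self.free = list(pool)   # public addresses not currently allocated
        self.timeout = timeout   # idle seconds before an entry is purged
        self.table = {}          # inside_local -> Translation

    def purge(self, now):
        """Remove idle entries and return their addresses to the pool."""
        expired = [h for h, t in self.table.items()
                   if now - t.last_used >= self.timeout]
        for host in expired:
            self.free.append(self.table.pop(host).inside_global)
        return expired

    def outbound(self, inside_local, now):
        """Translate an outbound packet from `inside_local`.

        Returns the inside global address, or None when the pool is exhausted
        (the router cannot translate, so the packet is dropped)."""
        self.purge(now)
        entry = self.table.get(inside_local)
        if entry is None:
            if not self.free:
                return None
            entry = Translation(inside_local, self.free.pop(0), now)
            self.table[inside_local] = entry
        entry.last_used = now          # traffic keeps the entry alive
        return entry.inside_global

    def inbound(self, inside_global, now):
        """Return-path lookup: map a public address back to the inside host,
        or None if no translation exists for it."""
        self.purge(now)
        for entry in self.table.values():
            if entry.inside_global == inside_global:
                entry.last_used = now
                return entry.inside_local
        return None


if __name__ == "__main__":
    # Two-address pool (RFC 5737 documentation range), 60 s timeout.
    nat = DynamicNat(["203.0.113.10", "203.0.113.11"], timeout=60)
    print(nat.outbound("192.168.10.10", now=0))    # 203.0.113.10
    print(nat.outbound("192.168.10.11", now=5))    # 203.0.113.11
    print(nat.outbound("192.168.10.12", now=10))   # None: pool exhausted
    print(nat.outbound("192.168.10.12", now=70))   # 203.0.113.11, freed by timeout
```

Running the script shows the third host being refused while both pool addresses are in use, then receiving the second host's address once that entry has idled past the timeout. A real router also keys entries on the translation's age and traffic, but the pool-exhaustion and purge behaviour is the point the notes make.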
- Port Address Translation (PAT) – Many-to-one address mapping between local and global addresses. This method is also known as overloading (NAT overloading). When the NAT router receives a packet from the client, it uses its source port number to uniquely identify the specific NAT translation.
PAT ensures that devices use a different TCP port number for each session with a server on the Internet. When a response comes back from the server, the source port number, which becomes the destination port number on the return trip, determines to which device the router forwards the packets.
The PAT process also validates that the incoming packets were requested, thus adding a degree of security to the session.
PAT attempts to preserve the original source port, but there is a good chance that this port number is already attached to another active session. If the original source port is already in use, PAT assigns the first available port number starting from the beginning of the appropriate port group: 0–511, 512–1,023, or 1,024–65,535. Theoretically the number of translations per public IP address could be as high as 65,536; in practice, the number of internal addresses that can share a single public IP address is around 4,000. When there are no more ports available and there is more than one external address in the address pool, PAT moves to the next address and tries to allocate the original source port there.
Packets without a Layer 4 segment: some packets carry no TCP or UDP header, and the most common of these is ICMPv4. PAT handles each such protocol differently. For example, ICMPv4 query messages (echo requests and echo replies) include a Query ID.
ICMPv4 uses the Query ID to match an echo request with its corresponding echo reply. The Query ID is incremented with each echo request sent. PAT uses the Query ID instead of a Layer 4 port number.
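The following is an added example, not code from the original notes, that models the PAT allocation and return-path rules above: keep the original source port when it is free; otherwise take the first free port in the same port group (0–511, 512–1,023, 1,024–65,535); when a group is exhausted on one public address, try the original port on the next address in the pool. Return traffic is forwarded only when a matching entry exists, so an inbound packet that no inside host requested is dropped. For ICMPv4 echo the Query ID takes the place of the port. Addresses are constructed sample values, and the code simplifies by sharing one port namespace across TCP, UDP and ICMP.

```python
"""Toy PAT (NAT overload) table (added example; addresses are constructed)."""

PORT_GROUPS = ((0, 511), (512, 1023), (1024, 65535))


def port_group(port):
    """Return the (low, high) bounds of the group containing `port`."""
    for lo, hi in PORT_GROUPS:
        if lo <= port <= hi:
            return lo, hi
    raise ValueError(f"invalid port or query id {port}")


class Pat:
    def __init__(self, global_addrs):
        self.global_addrs = list(global_addrs)
        self.used = {a: set() for a in self.global_addrs}   # ports in use per address
        self.out = {}    # (inside_local, inside_port) -> (inside_global, global_port)
        self.back = {}   # (inside_global, global_port) -> (inside_local, inside_port)

    def _allocate(self, src_port):
        lo, hi = port_group(src_port)
        for addr in self.global_addrs:
            used = self.used[addr]
            if src_port not in used:            # 1. preserve the original source port
                return addr, src_port
            for p in range(lo, hi + 1):         # 2. first free port in the same group
                if p not in used:
                    return addr, p
            # 3. group exhausted on this address: retry on the next address
        return None

    def outbound(self, inside_local, src_port):
        """Translate an outbound packet.

        `src_port` is the TCP/UDP source port, or the ICMPv4 Query ID for an
        echo request. Returns (inside_global, global_port), or None when every
        address in the pool has its port group full."""
        key = (inside_local, src_port)
        if key in self.out:                     # existing session keeps its entry
            return self.out[key]
        alloc = self._allocate(src_port)
        if alloc is None:
            return None
        addr, gport = alloc
        self.used[addr].add(gport)
        self.out[key] = alloc
        self.back[alloc] = key
        return alloc

    def inbound(self, inside_global, dst_port):
        """Return-path lookup. Returns (inside_local, inside_port), or None to
        drop a packet that no inside host requested."""
        return self.back.get((inside_global, dst_port))


if __name__ == "__main__":
    pat = Pat(["203.0.113.1", "203.0.113.2"])
    print(pat.outbound("192.168.10.10", 1025))   # ('203.0.113.1', 1025) port kept
    print(pat.outbound("192.168.10.11", 1025))   # ('203.0.113.1', 1024) group start
    print(pat.inbound("203.0.113.1", 1024))      # ('192.168.10.11', 1025)
    print(pat.inbound("203.0.113.1", 9999))      # None: unsolicited, dropped
    print(pat.outbound("192.168.10.10", 7))      # ('203.0.113.1', 7) ICMP query id
```

The `inbound` lookup is what the notes mean by PAT "validating that incoming packets were requested": a reply is only forwarded if a translation entry was created by outbound traffic. That is a side effect of the translation table, not a policy decision, which is why the drawbacks section is right that NAT does not replace a firewall.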
Static NAT: http://www.firewall.cx/networking-topics/network-address-translation-nat/229-nat-static-part-1.html
Dynamic NAT: http://www.firewall.cx/networking-topics/network-address-translation-nat/231-nat-dynamic-part-1.html
Advantages and Drawbacks
Advantages:
- NAT conserves the legally registered addressing scheme.
- NAT increases the flexibility of connections to the public network.
- NAT provides consistency for internal network addressing schemes, making the internal network easier to manage.
- NAT provides some degree of network security, but it does not replace a firewall.
Drawbacks:
- NAT degrades network performance, particularly for real-time protocols such as VoIP, because it increases switching delays.
- End-to-end addressing is lost.
- End-to-end IPv4 traceability is also lost.
- NAT complicates tunneling protocols, such as IPsec.