NAT: Network Address Translation Explained

Network Address Translation is like a window over the Internet


IPv4 is the dominant technology on the Internet. Even though we ran out of addresses a few years ago (check the IPv4 addressing guide), we can still use private addresses. However, we can’t use these addresses to talk over the Internet, not directly at least. If we want to do so, we need to convert them into public addresses somehow. NAT, Network Address Translation, is the technology for that. In this article, we are going to understand why it is so important and how it works. With this knowledge, you will be able to connect any network to the Internet.

Why NAT?

Understanding the need for NAT

IPv4 is an old yet stable protocol, but it wasn’t designed to meet today’s needs. Now we have more devices connected to the Internet than ever. On top of that, IPv4 was designed on the assumption that only 20% of the traffic would be for the Internet. It turns out that now 80% of the traffic is to and from the Internet, if not 100%. As a result, we all need IP addresses that we can use over the Internet.

This type of address is known as a Public IP address. The Internet “knows” about all public IP addresses, and so anyone on the Internet can reach them. This effectively enables communications but has a major problem: public addresses aren’t infinite.

On the other hand, we have Private IP addresses. These addresses are valid only within the same domain: the same company, the same house. The Internet just doesn’t know about them and can’t reach them. We are talking about three networks: 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16. Since these addresses are reserved for use within a company, we have plenty of them: if we sum all three networks, we have almost 18 million addresses. That’s more than enough for a single company!

So, we can start by assigning only private addresses to our devices. Then, we need to find a way to make some of those devices appear with a public IP address when they send traffic to the Internet. This is where NAT comes in.

An overview of NAT

Private IP addresses are for use within the same company. Since the Internet does not deal with these addresses, two or more companies can use the same addressing space. They still remain unrelated, as they don’t talk with each other using these addresses. As a result, if we imagine a picture of the Internet, it looks a lot like the one below.

Figure: The need for NAT comes from many devices having the same IP address.

Each company or house has its own private addresses, as many as their number of devices. Purchasing a dedicated IP address for each device would be such a waste. Think about that: not all devices need to talk over the Internet at the same time. What if we can re-use the same IP address on many devices, assigning it to them only when needed? With NAT, we can.

We can push this even further. Modern communication systems use either UDP or TCP, and both have port numbers. When a device communicates over the Internet it uses only one specific port, which leaves many more ports available. What if we could dynamically hand out sockets (the combination of IP and port) to devices as they need them? This is what NAT does.

How NAT works

NAT Fundamentals

We know that NAT stands for Network Address Translation. This means rewriting addresses, but where does it happen? We can’t manually modify the addresses on each of our devices. We also cannot have a centralized management panel that pushes the configuration to all our devices, because this would require each device to support such a feature, and we can’t guarantee that. So, NAT was designed to work as transparently as possible.

This means that devices might not even know that NAT is taking place. In fact, NAT is a configuration we do on edge routers (the ones with at least one interface facing the Internet). We don’t rewrite the addresses on devices: we rewrite the addresses inside the packets they send. A device sends an IP packet with certain source and destination addresses, and then the router changes them.

Figure: Example of NAT operation (simple, static).

Let’s have a look at what’s happening. Our PC on the left wants to communicate with a server over the Internet. While the server has a public IP address (8.96.3.114), our PC has a private one (192.168.1.11). For our PC, this is not a problem. It will create a packet for the public server and send it anyway. Then, this packet arrives on the router. Our edge router has some rules and knows it must NAT the packet. So, it changes the source IP address with its public IP address (87.211.31.67) and sends the packet to the Internet.

The same happens for the return traffic. The public server sees a request coming from 87.211.31.67, so it replies to this IP address. However, when the packet arrives at the router, the router knows that the address has to change. This time, it modifies the destination address (because the packet is flowing in the opposite direction).

The NAT Table

NAT is not a simple task for a router, and it requires some kind of intelligence. The router must know which addresses to replace, and when to replace them. But it doesn’t stop there. The router must also keep track of the addresses it has already replaced, as it needs to reverse the translation for the response traffic coming back. With NAT, the router can modify the following items:

  • Source IP address
  • Destination IP address
  • Source TCP or UDP port
  • Destination TCP or UDP port

Now, depending on the configuration, we can modify some or all of them. As a result, in the table, we need to keep an entry showing these values before and after NAT. If we use the example above, it will create a single entry in the NAT table. Here’s what it would look like.

NAT Table (empty port cells mean the port is not translated):

                 Source IP     Source Port  Destination IP  Destination Port
  Pre-NAT        192.168.1.11  -            8.96.3.114      -
  Post-NAT       87.211.31.67  -            8.96.3.114      -

When a packet comes in as a reply, the router looks for existing entries in the NAT table. If an entry exists, the router can perform NAT on the reply. On the other hand, if a packet comes in from the inside, a new row in the table may be created.

The types of NAT

We now know that we can completely modify the header of an IP packet, and also TCP and UDP ports with NAT. This adds a lot of flexibility, and as a result, we can use NAT for different purposes. Before diving into them, you should focus on remembering these terms:

  • Inside, from a NAT perspective, means addresses and ports before the translation
  • Outside, from a NAT perspective, means addresses and ports after the translation
  • Source NAT is the type of NAT that modifies the source IP and/or port
  • Destination NAT modifies destination IP and/or port

So, you can combine these terms to create definitions. For example, inside source NAT is the one that modifies the inside source IP address on a packet.

NAT Overload

This type of NAT is extremely popular because it is the one for clients. In fact, you probably have this NAT on your domestic router. The concept behind it is simple: re-use the same public IP address for multiple devices. As a result, you are effectively overloading that IP address. Multiple devices will appear over the Internet with a single IP address, at the same time.

Since the public IP is just one, we need to add more variables to the picture. In fact, NAT Overload utilizes TCP and UDP port numbers to keep track of the connections in the NAT table. Here we have an example.

Figure: Example of NAT Overload, which allows multiple clients to share the same IP address.

We can analyze what’s happening. When a packet comes in from the inside network, the router performs NAT. It will always replace the source IP address with its own public address. Then, it replicates the same source port in the “Post-NAT” part of the table. However, since multiple devices are using the same public IP, that port may be already in use.

In that case, the router generates a new port. Depending on the router’s vendor, it may try the first one available, use a random one, or a combination of the two. In this example, the first client opens an FTP connection using port 21, and the router can keep that port. However, for the second client, the router changes the port to 1024. This way, when packets come back in, it will always be able to send traffic to the right device.

Remember that NAT Overload creates entries dynamically when traffic comes from the inside. If the router receives unsolicited traffic from the outside (with no entry in the table), it drops it.

Static NAT

NAT Overload is dynamic. It creates entries only when a device from the inside starts to source traffic. Because of that, it’s not the way to go if you want to publicly expose servers. If that’s your case, you need to consider static NAT.

Static NAT is a much simpler way to apply NAT. You manually create an entry in the NAT table, and it stays there forever. So, you can say that a given internal IP must map to a given public IP on all ports, or on some specific ports. You may also hardcode a port translation. For example, your web server is running on port 8080 on its private IP address, but you want it to show as port 80 to the public. No problem, you can hardcode that. Here’s an example.

Figure: Static NAT for a server (inside source mode).

In this example, the internal server has an IP of 10.0.4.20, and we have configured the router to map it to the public address 87.211.31.67 for all ports. As a result, from the outside, it looks as if the server has the IP address 87.211.31.67 assigned to it.
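To make the NAT table, NAT Overload and static NAT sections concrete, here is an added example (not code from the article) that models a router's NAT table in Python: a permanent static entry that also translates the port (public :80 to 10.0.4.20:8080), dynamic overload entries that keep the inside source port when free and otherwise take the first unused port from 1024, and the drop of unsolicited inbound traffic. The addresses are the article's; the class and method names are invented for illustration.

```python
# Added example, not code from the article: a minimal model of a router's NAT
# table that combines a static entry (server exposure, port-translated) with
# NAT Overload (dynamic entries multiplexed on the source port). Addresses
# are the article's; the class and method names are invented.

class NatRouter:
    def __init__(self, public_ip, first_dynamic_port=1024):
        self.public_ip = public_ip
        self.first_dynamic_port = first_dynamic_port
        # One table serves both directions:
        #   post-NAT (public IP, port) -> pre-NAT (inside IP, port)
        self.table = {}

    def add_static(self, public_port, inside_ip, inside_port):
        """Permanent entry, e.g. public :80 -> 10.0.4.20:8080."""
        self.table[(self.public_ip, public_port)] = (inside_ip, inside_port)

    def _free_port(self, wanted):
        # Overload: keep the inside port when it is free, otherwise take the
        # first unused port from first_dynamic_port upwards.
        if (self.public_ip, wanted) not in self.table:
            return wanted
        port = self.first_dynamic_port
        while (self.public_ip, port) in self.table:
            port += 1
        return port

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Inside -> Internet: rewrite the source, adding an entry if needed."""
        for public, inside in self.table.items():
            if inside == (src_ip, src_port):  # existing flow: reuse mapping
                return public[0], public[1], dst_ip, dst_port
        port = self._free_port(src_port)
        self.table[(self.public_ip, port)] = (src_ip, src_port)
        return self.public_ip, port, dst_ip, dst_port

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Internet -> inside: rewrite the destination, or None when dropped."""
        inside = self.table.get((dst_ip, dst_port))
        if inside is None:
            return None  # unsolicited traffic with no table entry is dropped
        return src_ip, src_port, inside[0], inside[1]

def demo():
    """Replays the article's scenarios; returns the resulting NAT table."""
    r = NatRouter("87.211.31.67")
    r.add_static(80, "10.0.4.20", 8080)                # static NAT for the server
    r.outbound("192.168.1.11", 21, "8.96.3.114", 21)   # keeps port 21
    r.outbound("192.168.1.12", 21, "8.96.3.114", 21)   # port 21 taken -> 1024
    return r.table
```

Only traffic that matches a table entry is rewritten inbound; anything else returns None, which is the "drop" described above.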

Dynamic NAT

This type of NAT is not very common, as NAT Overload and Static NAT can do the job. Dynamic NAT is a hybrid approach between the two, and you can imagine it as the predecessor of the “Overload” version. With this technology, the router must have multiple public IP addresses. When a device from the inside is sourcing traffic, the router creates an entry using an available public IP address. While doing so, it completely reserves this IP address (all the ports). As a result, you are doing NAT Overload on all the ports.

You can imagine that this is not efficient and requires you to have many public IP addresses. In most cases, this is not the way to go.

The NAT Pro Tips

We wanted to add some extra knowledge to this article. Here are a few things that may make a difference to your understanding of NAT.

  • For ICMP traffic, that does not have port numbers, routers generally use the ICMP sequence number to keep track of the connection.
  • The main application of NAT is connecting the company to the Internet. However, it doesn’t stop there. We often use NAT when two companies have just merged and their IT infrastructures must converge. While doing so, it is very likely that some addresses will overlap. To solve that, we treat the two infrastructures to be merged as independent, and then we put NAT on the edge between them.
  • Since, with NAT, you can limit the services exposed to the Internet, you can think of it as some kind of rudimentary security feature as well.

Conclusion

With this article, we discovered the beauty of NAT. Having a solid understanding of it allows us to connect the company to the Internet, or merge it with another. Here’s what you absolutely want to take with you from this article:

  • NAT is a technology you configure on edge routers that rewrites the IP and TCP/UDP headers, changing IP addresses and ports. To do that, routers have a NAT table
  • Using NAT Overload, multiple clients can share the same public IP address by multiplexing on the port number
  • With static NAT, you can configure a permanent entry on the NAT table to expose to the Internet services running on servers with private IP addresses

Once you feel confident with those concepts, just continue with the Free CCNA Course. The next article is about implementing and troubleshooting NAT!


Alessandro Maggio

Project manager, critical-thinker, passionate about networking & coding. I believe that time is the most precious resource we have, and that technology can help us not to waste it. I founded ICTShore.com with the same principle: I share what I learn so that you get value from it faster than I did.
Alessandro Maggio

2017-06-22T16:30:38+00:00
