On all TCP/IP networks, every device requires a unique IP address. This quickly presented a challenge considering the shortage of IP addresses
in the IPv4 scheme. Network Address Translation (NAT) has provided a sustainable solution for organizations that do not have the ability to
acquire the necessary IP addresses for devices within their local area network (LAN). NAT is the process where a network device, usually a perimeter
router or firewall, maps a public, routable IP address to a private IP address used on the LAN. The main purpose of NAT is to limit the number of
public IP addresses an organization must use for their internal network clients to access public resources. As mentioned earlier, there are not
enough IP addresses in the IPv4 scheme for every device that needs access to public resources. NAT provides an economical and secure way for
internal clients to access public resources without having a dedicated public IP address. Here is an example of a high level network diagram that
incorporates NAT at the edge of the network:
In this example, NAT is enabled on the perimeter router and the private IP addresses within packets leaving the network are translated to the public
IP address assigned to the router's public interface. From an Internet host's perspective, all packets orignating from the source private network are originating
from the router's public interface. When an Internet host responds to traffic from this private network, it will respond back to the router's public interface.
When the router receives traffic back from the Internet host, it will translate the packet back to the private IP and send it back to the original host within the
private network. With NAT, you instruct your NAT-capable router to replace the source IP address of a computer with the source IP address from the
router's public interface on outgoing packets. The outside world never sees the IP addresses used by the internal network, which enables you to
use any network ID you wish for the internal network. You can use IP addresses from any of the three private IP ranges:
|IP Range||Total IPs|
|10.0.0.0 – 10.255.255.255||16,777,216|
|172.16.0.0 – 172.31.255.255||1,048,576|
|192.168.0.0 – 192.168.255.255||65,536|
Within the NAT technology, there are specific types of NATs that you can implement: Source NAT, Destination NAT, Static NAT, Dynamic NAT, and
With Source NAT and Destination NAT, the source or destination IP addresses, respectively, get translated by the NAT device. With Static NAT, a public
address maps back to a single private IP address (one to one relationship). This enables you to access that private host from outside the network.
With Dynamic NAT, many hosts can share a pool of public IP addresses. For example, you may have 10 public IP addresses that you share for 50 private
hosts. The 10 addresses are pooled among the 50 computers. However, this type of NAT will not allow the 11th host to access the pool, until one
of the 10 public addresses is released by another host. However, the most common type of NAT implemented is the Overloaded NAT. This is the type of NAT
that hides all of the private IP addresses behind a single public IP address. When the term NAT is vaguely used, this is the type of NAT being
discussed. The Overloaded NAT is similar to the Dynamic NAT, but the Overloaded NAT requires the use of additional information to keep track of
the various private IP hosts that are sharing the single public IP address. The NAT device saves the computer's private IP address as well as the source
port to an address translation table. This way, the NAT device can keep track of several devices sharing the same IP address. The Overloaded NAT is
also known as Port Address Translation (PAT), IP masquerading, and many-to-one NAT.
Port forwarding hides an internal host on listening on a specific port number from the public hosts on the Internet. This enables public servers
to work behind a NAT router. Port forwarding gives servers the protection of NAT while still allowing access to that server. For example, if have a
web server behind a NAT router, you can implement port forwarding to only allow public traffic to access that internal private server on a specific port.
No traffic that is destined on that port will be forwarded through the NAT device. In the example of the web server, you would configure the NAT
device to listen on the public IP address on port 80. When traffic is received at this IP address for port 80, it will be forwarded to the private
host that you configured. Depending on the vendor/manufacturer, the terms PAT, port forwarding, Overloaded NAT are used to mean the same thing. Usually, the term Overloaded NAT,
or just NAT refers to the process of internal private hosts accessing public hosts, while Port Forwarding or Port Address Translation refers to
the process of public hosts trying to access internal private resources.
Recommended Books & Training Resources