Basic Concepts of NAT Explained in Easy Language

This tutorial explains the fundamental concepts of Network Address Translation (NAT), including its types (Static NAT, Dynamic NAT, NAT Overload, and Port Address Translation [PAT]) and key terminology (inside local, outside local, inside global, and outside global).

Overview of Network Address Translation (NAT)

Address translation is required in several scenarios, such as when a network lacks sufficient public IP addresses for Internet connectivity, when two networks with overlapping IP address spaces need to merge, or when a network wants to hide its internal IP structure for security purposes. Network Address Translation (NAT) is the process that translates IP addresses. NAT can be implemented on firewalls, servers, and routers.

NAT Terminology

Example

Consider a user browsing a website from a home computer. The network connecting the user's computer to the Internet is the local network from the user's perspective. Similarly, the network connecting the web server to the Internet is the web server's local network. The network segment that interconnects both local networks via the Internet is referred to as the global network.

On the router, the interface connected to the local network is configured with an inside local IP address, while the interface connected to the global network is configured with an inside global IP address. The designation of 'inside' and 'outside' depends on the point of reference. For instance, in the network described above, router R1 is considered inside, and router R2 is considered outside.

At the same time, for the web server, router R2 is inside, and router R1 is outside.

On a NAT-enabled router, there are two types of interfaces: inside local and inside global.

The terms 'outside global' and 'outside local' are primarily used to explain the NAT process in theoretical contexts. In practical configurations, you never need to explicitly configure them.

On R1, you will configure the inside local address (10.0.0.1) and the inside global address (100.0.0.1), which will become the outside local address (10.0.0.1) and the outside global address (100.0.0.1) for R2, respectively. In the same way, on R2, you will configure the inside local address (192.168.1.1) and the inside global address (100.0.0.2), which will become the outside local address (192.168.1.1) and the outside global address (100.0.0.2) for R1, respectively.

In a practical configuration, you configure only inside local and inside global addresses. The designation of 'inside' for one network corresponds to 'outside' for the other network.

Types of NAT

There are three types of NAT: Static NAT, Dynamic NAT, and Port Address Translation (PAT). These types determine how inside local IP addresses are mapped to inside global IP addresses.

Static NAT

Static NAT assigns a permanent, one-to-one mapping between an inside local IP address and an inside global IP address. Each internal address always maps to the same public address, so there must be an equal number of addresses on both sides.

Dynamic NAT

Dynamic NAT uses a pool of available inside global IP addresses. When a device inside the local network initiates a connection, the NAT device automatically assigns an available public IP address from the pool to the internal address for the duration of the session.

PAT

Port Address Translation (PAT), also called NAT overload, allows multiple inside local IP addresses to share a single inside global IP address. PAT uses unique port numbers to distinguish between sessions, allowing several devices to access the Internet simultaneously through a single public IP address.

Key points

The decision to implement NAT depends entirely on specific network requirements. NAT is particularly effective in the following scenarios:

• When a network uses private IP addresses and requires Internet connectivity, NAT can map private IP addresses to public IP addresses, enabling external communication.
• When two networks with identical IP address schemes merge, NAT is used to prevent IP address conflicts.
• When multiple computers require Internet access through a single public IP address, NAT enables mapping multiple private IP addresses to a single public IP address via port numbers.

How NAT works (Example)

A user accesses a web server. The user’s computer and the web server are configured with private IP addresses. Private IP addresses are not routable on the Internet. They must be converted into public IP addresses to enable communication. A NAT device converts IP addresses. The routers connected to the user’s computer and the web server handle this.

The user’s computer generates a data packet requesting a webpage hosted on the web server. In the source address field, it uses the IP address 10.0.0.1. In the destination address field, instead of 192.168.1.1, it sets the IP address to 100.0.0.2.

To access a website, a system needs the web server's IP address. An outsider can connect to the website only via the advertised IP address. To enhance network security, web servers typically advertise their global IP addresses. In this example, the web server's global IP address is 100.0.0.2. Hence, the packet has the destination address 100.0.0.2 instead of 192.168.1.1.

The packet reaches R1. Since the packet contains a private IP address in the source field, which is not routable on the Internet, R1 must update the source IP address to a routable public IP address before forwarding the packet.

R1 checks the NAT table for available public IP addresses. Depending on the configured NAT type (Static, Dynamic, or PAT), it will select a single public routable IP address from the NAT table for the packet.

In this example, R1 picks 100.0.0.1 and replaces 10.0.0.1 with 100.0.0.1 in the source field of the packet and forwards it to R2.

R2 receives this packet and reads the destination IP address. R2 looks in the NAT table to find out the actual IP address of the destination. Since the NAT table on R2 contains an entry for 100.0.0.2, which maps it to 192.168.1.1, R2 will replace the destination address 100.0.0.2 with 192.168.1.1 and forward it to the web server.

The web server will process the packet and reply with its own packet. The reply packet contains the source address 192.168.1.1 and the destination address 100.0.0.1. Since the web server received this packet from 100.0.0.1, it will reply to it instead of 10.0.0.1.

R2 receives the reply packet. Before forwarding this packet, R2 replaces the source IP address with the mapped IP address in the NAT table. In this example, 192.168.1.1 is replaced with 100.0.0.2.

R1 receives this packet and checks its destination address. R1 runs a query on the NAT table to determine the IP address associated with this destination IP address. Since this destination IP address 100.0.0.1 is mapped to 10.0.0.1, R1 replaces 100.0.0.1 with 10.0.0.1 and forwards the packet to the PC.

From the user's perspective, the web server's IP address is 100.0.0.2, while from the web server's perspective, the user's IP address is 100.0.0.1. As a result, neither endpoint is aware of the other's actual internal IP address.

Advantages and disadvantages of NAT

The following are the advantages of NAT.

• It solves the IP overlapping issue.
• It hides the internal IP structure from the external world.
• It enables connectivity with external networks without requiring changes to internal IP addresses.
• It allows multiple computers to access the Internet using a single public IP address.

The following are the disadvantages of NAT.

• It adds additional network delay.
• Several applications are not compatible with it.
• End-to-end IP traceability will not work with it.
• It hides the actual end device.

Conclusion

Network Address Translation (NAT) plays a crucial role in modern networks. It enhances network security and enables seamless connectivity between private networks and the Internet. It resolves address overlap and allows multiple devices to connect to the Internet using a single public IP address. Understanding NAT helps you optimize resource usage, maintain robust network operations, and design secure, scalable networks.