Network Address Translation (NAT): How It Works Explained

Network Address Translation (NAT) is a service that is used in routers. Its purpose is to translate a set of IP addresses to another set of IP addresses. If you are viewing this article on the internet on the WIMIA website, there’s a very good chance that you are using Network Address Translation (NAT) right now. IP version 4 is the fourth version of the Internet Protocol. When the IP version 4 address was created, engineers had no concept of how big the internet would become. At the time of its inception, the Internet was an avenue for academics–it was not meant for you and me. So having 4 billion IP version 4 addresses available seemed like more than enough. Fast forward to today. At this point, the current estimate is that there are about 100 million hosts and more than 350 million users actively on the Internet. That is more than the entire population of the United States! In fact, the rate of growth has been such that the Internet is effectively doubling in size each year. So what does the size of the Internet have to do with NAT? Everything! For a computer to communicate with other computers and web servers on the Internet, it has to have an IP address. An IP address is a unique 32-bit number that identifies the location of your computer on a network. Basically, it works like your street address–as a way to find out exactly where you are and deliver information to you. It follows that with the massive population explosion, coupled with the fact that some of the 7.97 billion people on this planet have several devices in their homes and in their back pockets, we needed to figure out how to get more devices on the internet. The most common form of network translation involves a large private network using addresses in a private range (10.0.0.0 to 10.255.255.255, 172.16.0.0 to 172.31.255.255, or 192.168.0 0 to 192.168.255.255). The private addressing scheme works well for computers that only have to access resources inside the network, like workstations needing access to file servers and printers. Routers inside the private network can route traffic between private addresses with no trouble. However, to access resources outside the network, like the Internet, these computers have to have a public address in order for responses to their requests to return to them. This is where NAT comes into play. Internet requests that require Network Address Translation (NAT) are quite complex but happen so rapidly that the end user rarely knows it has occurred. A workstation inside a network makes a request to a computer on the Internet. Routers within the network recognize that the request is not for a resource inside the network, so they send the request to the firewall. The firewall sees the request from the computer with the internal IP. It then makes the same request to the Internet using its own public address and returns the response from the Internet resource to the computer inside the private network. From the perspective of the resource on the Internet, it is sending information to the address of the firewall. From the perspective of the workstation, it appears that communication is directly with the site on the Internet. When NAT is used in this way, all users inside the private network access the Internet have the same public IP address when they use the Internet. That means only one public address is needed for hundreds or even thousands of users. The main use of NAT is to limit the number of public IP addresses an organization or company must use, for both economic and security purposes. Those original 4 billion unique addresses were not all able to be assigned to devices for communication. Some were used for testing, broadcast, and military purposes. While that left over 3 billion for communication, as we explained, the proliferation of the internet meant the addresses were near exhaustion. In the meantime, NAT was introduced by Cisco and widely deployed. Most modern firewalls are stateful – that is, they are able to set up the connection between the internal workstation and the Internet resource. They can keep track of the details of the connection, like ports, packet order, and the IP addresses involved. This is called keeping track of the state of the connection. In this way, they are able to keep track of the session composed of communication between the workstation and the firewall, and the firewall with the Internet. When the session ends, the firewall discards all of the information about the connection. There are other uses for Network Address Translation (NAT) beyond simply allowing workstations with internal IP addresses to access the Internet. In large networks, some servers may act as Web servers and require access from the Internet. These servers are assigned public IP addresses on the firewall, allowing the public to access the servers only through that IP address. However, as an additional layer of security, the firewall acts as the intermediary between the outside world and the protected internal network. Additional rules can be added, including which ports can be accessed at that IP address. Using NAT in this way allows network engineers to more efficiently route internal network traffic to the same resources, and allow access to more ports while restricting access at the firewall. It also allows detailed logging of communications between the network and the outside world. Additionally, NAT can be used to allow selective access to the outside of the network, too. Workstations or other computers requiring special access outside the network can be assigned specific external IPs using NAT, allowing them to communicate with computers and applications that require a unique public IP address. Again, the firewall acts as the intermediary and can control the session in both directions, restricting port access and protocols. There are many forms of Network Address Translation and it can function in several ways. Static Network Address Translation (SNAT) is used to conserve IP addresses by allowing private IP networks with unregistered IP addresses to connect to the Internet. SNAT maps unregistered IP addresses using 1-to-1 network address translation to match up with registered IP addresses. NAT translates the private addresses in the internal network into legal addresses before they are forwarded to another network. Why is this important? Because hackers cannot directly attack clients if the addresses are hidden. While static NAT is a constant mapping between inside local and global addresses, dynamic network address translation allows you to automatically map inside local and global addresses (which are usually public IP addresses). Dynamic NAT uses a group or pool of public IPv4 addresses for translation. Port address translation (PAT) is NAT overload. PAT is actually a modified version of dynamic NAT in which the number of inside local addresses is greater than the number of inside global addresses. There is generally one single inside global IP address providing Internet access to all inside hosts. NAT Overloading is the only version of NAT that actually conserves IP addresses and it is also the most popular form of NAT as well. PAT is often most cost-effective when many users are connected to the internet through just one public IP address. Some Advantages of using NAT include: Some disadvantages of using NAT include: NAT is a very important aspect of firewall security. It conserves the number of public addresses used within an organization, and it allows for stricter control of access to resources on both sides of the firewall.