Types of NAT Translation

There are three types of NAT translation, and this lesson explores each of them: static address translation (static NAT), dynamic address translation (dynamic NAT) and Port Address Translation (PAT).

Static NAT

Static NAT is also known as one-to-one NAT. It maps network traffic from a static external IP address to a static internal IP address or to a whole internal network, translating real addresses to mapped addresses. In other words, static NAT uses a one-to-one mapping of local and global addresses. The mapping includes destination IP address translation in one direction and source IP address translation in the other.

Static NAT allows connections to be established from either side of the network, but translation is limited to one-to-one mappings or to blocks of addresses of the same size. With static NAT, a public address must be reserved for each private address; no address pools are necessary.

Static NAT is mostly used in enterprise networks to give external network or Internet connectivity to computers, servers or networking devices on a private local area network that have unregistered private IP addresses. It creates a one-to-one relationship between the public and private IP address.

So the private IP address can be mapped to only one public IP address at a time. The end user, on the other hand, has a transparent view of the remote device or network and accesses it using the mapped public IP address. Static NAT also adds to network security and privacy by hiding the details of internal network usage, architecture and patterns from external or public users.

R1 is configured with static NAT for the inside local addresses of PC1, PC2, and PC3. When PC1, PC2 and PC3 send data to the Internet, their inside local addresses are translated to the configured inside global addresses. To outside networks, these devices have public IPv4 addresses.

Static NAT is also useful for devices that require authorized access while offsite, but not access by the general public on the Internet. For example, a network administrator at PC4 can SSH to the inside global address 20.240.5.19. R1 translates this inside global address to the inside local address and connects the administrator to the mapped device on the LAN.

Static NAT requires enough public IPv4 addresses to accommodate the total number of users. The static NAT translation table is illustrated in the image below.

[Figure: Types of NAT Translation 3 (static NAT translation table)]

Dynamic NAT

In dynamic NAT, multiple private IP addresses are mapped to a pool of public IP addresses on a first-come, first-served basis. Dynamic NAT is used when we know the fixed number of users who want to access the Internet at a given point in time. When an inside user requests access to an outside network, dynamic NAT assigns an available public IPv4 address from the pool.

When an inside user sends traffic through the NAT router, the router examines the source IP address and compares it to the inside local address pool. If it finds a match, it determines which inside global address pool to use for the translation.

The figure below illustrates dynamic NAT. PC1 has accessed the Internet using the first available address in the dynamic NAT pool; the other addresses in the pool remain available for further use. Like static NAT, dynamic NAT requires enough public IPv4 addresses to accommodate the total number of simultaneous user sessions.

[Figure: Types of NAT Translation 4 (dynamic NAT)]

Port Address Translation (PAT)

Port Address Translation (PAT), also known as NAT overload, is an extension of Network Address Translation (NAT). It permits multiple devices on a LAN to be mapped to a single public IPv4 address, conserving public IP addresses.

With PAT, all devices that pass through the NAT router are assigned the same global IP address, and the source TCP or UDP port numbers are used to differentiate the connections. If two devices use the same source port number, the NAT router changes one of them to ensure uniqueness.

With PAT, when a device initiates a TCP/IP session, it generates a TCP or UDP source port value that uniquely identifies the session. When the NAT router receives a packet from the client, it uses that source port number to identify the specific NAT translation.

PAT ensures that a different TCP port number is used for each session with a server on the Internet. When a reply comes back from the server, the source port number of the request becomes the destination port number, which determines the device to which the router forwards the packet. The PAT process also verifies that incoming packets were requested, which adds security to the session. Now examine the figure below.

[Figure: NAT Translation (PAT example)]

When R1 processes a packet, it uses the port number to identify the source of the packet. The source address is the inside local address together with the source port number assigned by TCP/IP; the destination address is the outside local address together with the service port number (port 80 is the HTTP port). R1 translates the inside local address to an inside global address, including the port number. The destination address is not changed.

In the example, the client port numbers are 1205, 1285 and 1339. The NAT-enabled router did not change these port numbers, but they could already have been in use by other active sessions.

PAT tries to preserve the original source port. If the original source port is already in use by an active session, PAT assigns the first available port number, starting from the beginning of the appropriate port group: 0–511, 512–1,023 or 1,024–65,535.

If no more ports are available and there is more than one global IP address in the address pool, PAT moves to the next address and tries to allocate the original source port there. This process continues until all the available ports and IP addresses have been checked.
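The port-selection and reply-matching rules above, as an added example that is not part of the original lesson: a small PAT translation table that keeps the original source port when it is free, otherwise walks the appropriate port group from its start, rolls over to the next global address when a group is exhausted, and drops inbound packets that match no entry. The 192.168.10.x hosts, the second global address 20.240.5.20 and the literal use of port 0 as "the beginning of the 0–511 group" are assumptions made for the example.

```python
import itertools

# Added example (not from the original lesson): a PAT (NAT overload) translation
# table that follows the port-selection rules described in the text.
PORT_GROUPS = [(0, 511), (512, 1023), (1024, 65535)]


def port_group(port):
    """Return the (low, high) group from the text that contains `port`."""
    for low, high in PORT_GROUPS:
        if low <= port <= high:
            return low, high
    raise ValueError(f"invalid port {port}")


class PatTable:
    """Outbound: (inside local ip, port) -> (inside global ip, port).
    Inbound: only replies matching an existing entry are translated."""

    def __init__(self, global_pool):
        self.pool = list(global_pool)  # inside global addresses, in pool order
        self.outbound = {}             # (local_ip, local_port) -> (global_ip, global_port)
        self.inbound = {}              # (global_ip, global_port) -> (local_ip, local_port)

    def translate_outbound(self, local_ip, local_port):
        key = (local_ip, local_port)
        if key in self.outbound:       # an established session keeps its mapping
            return self.outbound[key]
        low, high = port_group(local_port)
        for global_ip in self.pool:    # exhaust one global address before moving on
            # Try the original source port first, then walk the group from its start.
            for gport in itertools.chain([local_port], range(low, high + 1)):
                if (global_ip, gport) not in self.inbound:
                    self.outbound[key] = (global_ip, gport)
                    self.inbound[(global_ip, gport)] = key
                    return global_ip, gport
        raise RuntimeError("PAT pool exhausted: no free port on any global address")

    def translate_inbound(self, global_ip, global_port):
        """Return the inside local (ip, port) for a reply, or None if the packet
        matches no entry and must be dropped as unsolicited."""
        return self.inbound.get((global_ip, global_port))


if __name__ == "__main__":
    # Constructed sample: the three client ports from the text, plus one colliding port.
    table = PatTable(["20.240.5.19"])
    for host, port in [("192.168.10.10", 1205), ("192.168.10.11", 1285),
                       ("192.168.10.12", 1339), ("192.168.10.13", 1205)]:
        print(host, port, "->", table.translate_outbound(host, port))
    print("unsolicited 20.240.5.19:5555 ->", table.translate_inbound("20.240.5.19", 5555))
```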