NAT and private IPv4 addresses have slowed the depletion of IPv4 addresses, but NAT has some disadvantages. The one major benefit provided by NAT is security.
NAT hides the private IPv4 network from the public Internet, providing a perceived level of security by preventing computers on the public Internet from reaching internal hosts directly. However, NAT is not a substitute for proper network security, such as the security provided by a firewall.
In RFC 5902, the IAB included the following statement on NAT for IPv6:
“It is commonly perceived that a NAT box provides one level of protection because external hosts cannot directly initiate communication with hosts behind a NAT. However, one should not confuse NAT boxes with firewalls. As discussed in [RFC4864], Section 2.2, translation does not provide security. The stateful filtering function can provide the same level of protection without requiring a translation function. For further discussion, see [RFC4864], Section 4.2.”
IPv6 provides 340 undecillion addresses. It has its own form of private address space and its own forms of NAT, both of which are implemented differently than in IPv4.
IPv6 Unique Local Addresses (ULA)
These addresses are similar to IPv4 private addresses, but there are major differences between the two. IPv6 Unique Local Addresses (ULAs) are intended to provide IPv6 address space for communications within a local site. They do not provide any additional IPv6 address space and do not provide any level of security.
The IPv6 Unique Local Addresses (ULA) prefix is FC00::/7, which ranges in the first hextet from FC00 to FDFF. The figure below illustrates the Unique Local Addresses (ULA).
The bit following the 7-bit prefix (the L bit) is set to 1 if the prefix is locally assigned; the value 0 may be defined in the future. The next 40 bits are a randomly generated Global ID, followed by a 16-bit Subnet ID. These first 64 bits make up the ULA prefix, and the remaining 64 bits are used as the Interface ID. These addresses are defined in RFC 4193. ULAs are also known as local IPv6 addresses.
ULAs allow sites to be privately interconnected without creating address conflicts. They can be used independently of any ISP, and for communications within a site that has no Internet connectivity at all.
Like RFC 1918 private IPv4 addresses, ULAs are not routable across the Internet; however, if a ULA is accidentally leaked through routing or DNS, it does not conflict with any other addresses.
ULAs were not designed to be used with NAT to translate between unique local addresses and IPv6 global unicast addresses. The implementation and possible uses of IPv6 unique local addresses are still being examined by the Internet community.
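To make the field layout concrete, here is an added example (not from the original lesson) that splits a ULA into its L bit, Global ID, Subnet ID and Interface ID using the bit positions above, and also derives a locally assigned /64 prefix with the RFC 4193 section 3.2.2 algorithm (SHA-1 over an NTP timestamp and an EUI-64). The sample address and EUI-64 are constructed values, not real allocations.

```python
import hashlib
import ipaddress
import time

ULA_PREFIX = ipaddress.IPv6Network("fc00::/7")   # RFC 4193: FC00::/7
GLOBAL_ID_MASK = (1 << 40) - 1
IFACE_ID_MASK = (1 << 64) - 1


def parse_ula(addr_str):
    """Split an address into the RFC 4193 fields. Returns None outside FC00::/7.

    Bit layout, most significant bit first:
      7-bit prefix | L (1 bit) | Global ID (40) | Subnet ID (16) | Interface ID (64)
    """
    addr = ipaddress.IPv6Address(addr_str)
    if addr not in ULA_PREFIX:
        return None
    n = int(addr)
    return {
        "l_bit": (n >> 120) & 1,                  # 1 = locally assigned (FD00::/8)
        "global_id": (n >> 80) & GLOBAL_ID_MASK,  # pseudo-random site identifier
        "subnet_id": (n >> 64) & 0xFFFF,
        "interface_id": n & IFACE_ID_MASK,
        # The upper 64 bits (prefix + L + Global ID + Subnet ID) form the /64 ULA prefix.
        "prefix": str(ipaddress.IPv6Network(((n >> 64) << 64, 64))),
    }


def generate_ula_prefix(eui64, subnet_id=0, ntp_time=None):
    """Derive a locally assigned /64 ULA prefix with the RFC 4193 section 3.2.2
    algorithm: SHA-1 over (64-bit NTP timestamp || EUI-64), keeping the low 40 bits
    of the digest as the Global ID. ntp_time may be fixed for reproducible tests."""
    if ntp_time is None:
        now = time.time()
        secs = int(now) + 2208988800              # Unix epoch -> NTP epoch (1900)
        frac = int((now - int(now)) * (1 << 32))
        ntp_time = (secs << 32) | frac
    digest = hashlib.sha1(ntp_time.to_bytes(8, "big") + eui64.to_bytes(8, "big")).digest()
    global_id = int.from_bytes(digest[-5:], "big")   # least significant 40 bits
    n = (0xFD << 120) | (global_id << 80) | ((subnet_id & 0xFFFF) << 64)
    return str(ipaddress.IPv6Network((n, 64)))


if __name__ == "__main__":
    # Constructed sample address and EUI-64; fd12:3456:789a:1::/64 is not a real allocation.
    print(parse_ula("fd12:3456:789a:1::1"))
    print(generate_ula_prefix(0x02212FFFFEB56E10, subnet_id=1))
```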
NAT for IPv6
There are several varieties of NAT for IPv6, which provide transparent access between IPv6-only and IPv4-only networks. NAT for IPv6 is not a private-to-global IPv6 translation like NAT for IPv4.
IPv6 devices should communicate with each other over native IPv6 networks. However, to support the transition from IPv4 to IPv6, the IETF has developed several techniques, including dual-stack, tunneling, and translation.
In dual-stack, both IPv4 and IPv6 are running on the devices in parallel. Tunneling involves encapsulating an IPv6 packet inside an IPv4 packet. This allows the IPv6 packet to be transmitted over an IPv4-only network.
NAT for IPv6 cannot be used as a long-term approach. It is only a temporary method to assist in the transition from IPv4 to IPv6. NAT for IPv6 has several methods, including Network Address Translation-Protocol Translation (NAT-PT) and NAT64.
Configuring port forwarding on Cisco routers is similar to configuring static NAT. It is a static NAT translation with a specific TCP or UDP port number.
The figure above shows an example of configuring port forwarding using Cisco IOS commands on router R2. 192.168.11.100 is the web server’s inside local IPv4 address.
The webserver’s listening port is 80. The administrator wants to access this internal webserver from an external network using the global IP address 202.128.54.1, a globally unique public IPv4 address.
This is the address of the g0/1 interface of R2. The global port is configured as 8080; the outside client uses this destination port, together with the global IPv4 address 202.128.54.1, to reach the internal web server. The command to configure port forwarding takes the following parameters:
tcp or udp – Specifies whether the port belongs to TCP or UDP.
local-ip – The IPv4 address of the host inside the local network.
local-port – The port of the local host, in the range 1-65535.
global-ip – The inside host's globally unique IPv4 address. Outside clients use this address to reach the internal host.
global-port – The global TCP/UDP port, between 1 and 65535. It is the port number the outside client uses to reach the internal server.
extendable – This option is applied automatically. The keyword allows the user to configure ambiguous static translations, extending the static translation to more than one port if necessary.
When a port other than the well-known port is used, the client must specify the port number in the web request. As with a simple static or dynamic NAT configuration, the inside and outside NAT interfaces must also be configured for port forwarding. To configure port forwarding on R1, the commands are:
Similar to static NAT verification, we can also verify the port forwarding configuration using the “show ip nat translations” command. The image below illustrates the output of this command.
When the router receives the packet with the inside global IPv4 address of 202.128.54.1, including TCP destination port 8080, it looks up the NAT table using the destination IPv4 address and destination port as the key. It translates the address to the inside local address of the host 192.168.11.100, including the destination port 80.
R2 then forwards the packet to the web server. When the web server replies to the client, the process is reversed.
Port forwarding is also known as port mapping and tunnelling. It is the method of forwarding traffic destined to a specific network port from one network node to another.
The external user can access a specific port on a private IPv4 address inside a LAN from the outside, through a NAT-enabled router. In other words, port forwarding is directing traffic from the outside world to the right server inside a local TCP/IP network.
Port forwarding is mostly used to isolate network traffic, optimize network speed, and permanently assign a network path to a specific protocol or network service. Usually, well-known port numbers are used in port forwarding. It is typically implemented at a gateway router to automate the process of identifying and transferring network packets to a destination port.
Peer-to-peer programs and services such as web servers and FTP usually require port forwarding or open ports in order to work, because NAT hides internal addresses and only works from the inside out, where it can map outgoing requests to the incoming replies.
NAT does not allow connections to be established from the outside network. This limitation is resolved with port forwarding, which identifies specific ports whose traffic is forwarded to inside hosts.
Internet applications work on different ports, which must be open or available to those applications. For example, HTTP operates on well-known port 80 and FTP on well-known port 21.
When someone opens the https://networkustad.com address, the browser displays the networkustad home page. The user does not specify the HTTP port number in the page request, because the application assumes port 80.
If https://networkustad.com is configured with a different port number, the port can be appended to the URL, separated by a colon (:). For example, if the server port is configured as 8080 in place of 80, we enter the address in the browser with the port appended, like the following:
Port forwarding allows access to internal servers from the Internet via the WAN port address of the router and the matching external port number. The internal servers are typically configured with private IPv4 addresses.
When a request arrives from the Internet at the router's WAN port, addressed to the WAN port's IPv4 address in the packet header, the router forwards the request to the appropriate server on the private network. By default, a broadband router does not permit any external request to be forwarded to the inside network.
The figure below illustrates an example of port forwarding. An Internet service provider opens a web server for a client on its local network. The server can be accessed within the local network, but because it has a private IPv4 address, it is not publicly accessible from the Internet.
Now the owner wants to provide access from anywhere on the Internet, so port forwarding is configured on the router using the destination port number and the private IPv4 address of the web server. To reach the server, the client software uses the public IPv4 address of the router and the destination port of the server.
We must specify the local address to which requests are forwarded. In the above configuration, HTTP requests arriving at the wireless router are forwarded to the web server with the inside local address 192.168.10.101. If the external WAN IPv4 address of the wireless router is 202.128.54.1, an external user can enter http://www.domain_name.com and the wireless router redirects the HTTP request to the internal web server at 192.168.10.101, using the default port number 80.
We can change the default port of the web server, but then the external user would have to know the specific port number to use. The above figure illustrates the port forwarding window of a TP-Link router; the exact layout depends on the brand and model of the broadband router.
Port Address Translation (PAT), also known as NAT overload, conserves addresses in the inside global address pool by allowing the router to use one inside global address for several inside local addresses simultaneously.
A single public IPv4 address can serve hundreds, even thousands, of internal private IPv4 addresses. A router configured for PAT keeps track of higher-layer protocol information, such as TCP or UDP port numbers, so that when multiple inside local addresses map to one inside global address it can still translate the inside global address back to the correct inside local address. This is possible because each inside host's connection is identified by its own TCP or UDP port number.
There are 65,536 port numbers that can be bound to inside local addresses, so theoretically 65,536 inside local addresses could be translated to one global IP address.
In practice, this is far beyond what the router can handle; a single public IP address can be assigned around 4,000 internal addresses. PAT can be configured in two ways: with a single public IPv4 address or with multiple IPv4 addresses.
Configuring Port Address Translation for a Pool of Public IP Addresses
To configure Port Address Translation (PAT) on a Cisco router, first create a NAT pool with a range of public IP addresses allotted by the internet service provider.
After pool configuration, you must create a standard access list to identify and permit the group of private inside IP addresses allowed for NAT translation.
After creating the pool of global IP addresses and the IP access list that identifies the traffic, configure NAT using the “ip nat” command.
Finally, specify which interface is the inside interface and which is the outside interface. The main difference between configuring dynamic NAT and Port Address Translation (PAT) is the keyword “overload”.
Example Configuration
The example configuration shown in the figure below establishes overload translation for the NAT pool named Global_pool. The pool contains the same addresses used in the previous lesson, 202.128.54.3 to 202.128.54.14. Hosts in the 192.168.10.0/24 and 192.168.11.0/24 networks are to be translated.
The sub-interface S0/0/0.101 is the outside interface, and g0/0 and g0/1 are inside interfaces. The router R2 is the Port Address Translation (PAT) router. We are using the same topology used in the previous lesson, “Dynamic NAT Configuration.”
Now look at the commands executed on R2 for the NAT overload configuration:
R2(config)#ip nat pool Global_pool 202.128.54.3 202.128.54.14 netmask 255.255.255.240
R2(config)#ip nat inside source list 1 pool Global_pool overload
R2(config)#interface gigabitEthernet 0/0
R2(config-if)#ip nat inside
R2(config-if)#exit
R2(config)#interface serial 0/0/0.101
R2(config-subif)#ip nat outside
After the above configuration, the network 192.168.10.0/24 can access the Internet, but network 192.168.11.0/24 still cannot. The network 192.168.11.0/24 still requires the following configuration:
Now the network 192.168.11.0/24 can access the Internet. The outside NAT interface was already configured for network 192.168.10.0/24 and is shared, so only the ACL permit statement and the “ip nat inside” interface needed to be configured.
Configuring Port Address Translation for a Single Public IPv4 Address
If only one public IPv4 address is available, the overload configuration typically assigns the public address to the outside interface connecting to the ISP. When traffic leaves the outside interface, all inside addresses are translated to that single IPv4 address. The steps to configure Port Address Translation (PAT) with a single IPv4 address are as follows:
Define an ACL to permit the traffic to be translated.
Configure source translation using the interface and overload keywords. The interface keyword defines which interface IP address to use when translating inside addresses. The overload keyword instructs the router to track port numbers with each NAT entry.
Identify which interfaces are inside and which are outside in relation to NAT. The inside interface is any interface that connects to the inside network, and the outside interface is an interface connected to the outside network.
The configuration is similar to dynamic NAT, except that the interface keyword is used to identify the outside IPv4 address instead of a pool of addresses; therefore, no NAT pool is defined. Now look at the configuration below on R2 for a single IPv4 address on the same topology. The commands for the PAT single-IP configuration are the following:
The process of NAT overload is similar to the process of NAT, except that there is only one address for translation. In the example configured above with a single public IPv4 address, PC1 wants to communicate with the web server, and Laptop0 also wants to communicate with the web server. Both hosts are configured with private IPv4 addresses, and R2 is enabled for Port Address Translation (PAT).
PC to Server Process
The figure below illustrates PC1 and Laptop0 sending packets to the web server simultaneously. PC1 has the source IPv4 address 192.168.11.100 and uses TCP source port 1025. Laptop0 has the source IPv4 address 192.168.10.101 and is also assigned the source port 1025.
The packet from PC1 reaches R2 first. Using PAT, R2 translates the source IPv4 address to the inside global address 202.128.54.1. Since no other entry in the NAT table is using port 1025, PAT keeps the same port number. The packet is then forwarded to the web server at 201.128.35.2.
PAT is configured to use a single inside global IPv4 address for all translations, so when a packet from Laptop0 arrives at R2, PAT likewise translates Laptop0's source IPv4 address to the inside global address 202.128.54.1.
However, Laptop0's source port number is the same as that of a current PAT entry, the translation for PC1. PAT increments the source port number until it is unique in its table. In this example, the source port entry in the NAT table is increased to 1026.
Both hosts use the same translated address, the inside global address 202.128.54.1, and originally the same source port number, 1025; however, R2 changes the port number for Laptop0 to 1026. This becomes evident in the packets sent from the server back to the clients.
Server-to-PC Process
The servers use the source port of the received packet as the destination port and the source address as the destination address for the return traffic. The server appears to be communicating with a single host at 202.128.54.1, but this is not actually the case.
When R2 receives the packet on interface serial 0/0/0.101, it looks up its NAT table for a unique entry using the packet's destination address and port.
Multiple entries from the server have the destination IPv4 address 202.128.54.1, but only one has destination port 1025. R2 matches that entry in the NAT table and changes the packet's destination IPv4 address to 192.168.11.100. No change is required for the destination port. The packet is then forwarded to PC1.
When a packet with destination port 1026 arrives at R2, R2 performs a similar translation. Again there are multiple entries for destination IPv4 address 202.128.54.1, but R2 uses destination port 1026 to uniquely identify the translation entry, and the destination IPv4 address is translated to 192.168.10.101.
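The following Python model is an added example, not configuration or code from the lesson, that replays the port forwarding lookup described earlier (202.128.54.1:8080 to 192.168.11.100:80) together with the PAT port collision just described. The NatRouter class and its behaviour are a simplified assumption of how R2 keeps its table: one inside global address, no timers, no address pool, TCP/UDP only.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Endpoint:
    ip: str
    port: int


@dataclass
class NatRouter:
    """Model of R2 with one inside global address (202.128.54.1 in the text), PAT
    for outbound flows and static port-forwarding entries for inbound flows."""
    inside_global_ip: str
    table: dict = field(default_factory=dict)     # (proto, global port) -> inside local endpoint
    by_local: dict = field(default_factory=dict)  # (proto, inside local endpoint) -> global port

    def add_port_forward(self, proto, local_ip, local_port, global_port):
        """Equivalent of: ip nat inside source static tcp <local-ip> <local-port>
        <global-ip> <global-port>. The entry is permanent and keyed on the global port."""
        key = (proto, global_port)
        if key in self.table:
            raise ValueError(f"{proto}/{global_port} is already translated")
        local = Endpoint(local_ip, local_port)
        self.table[key] = local
        self.by_local[(proto, local)] = global_port

    def translate_outbound(self, proto, src):
        """Inside -> outside. The source becomes the inside global address; the source
        port is kept unless it is already in use, in which case PAT increments it
        until the (proto, port) pair is unique in the table."""
        known = self.by_local.get((proto, src))
        if known is not None:                     # existing flow: reuse its mapping
            return Endpoint(self.inside_global_ip, known)
        port = src.port
        while (proto, port) in self.table:
            port += 1
            if port > 65535:
                raise RuntimeError("no free port left for PAT")
        self.table[(proto, port)] = src
        self.by_local[(proto, src)] = port
        return Endpoint(self.inside_global_ip, port)

    def translate_inbound(self, proto, dst):
        """Outside -> inside. The lookup key is the destination address and port;
        a packet with no matching entry is dropped (returned as None)."""
        if dst.ip != self.inside_global_ip:
            return None
        return self.table.get((proto, dst.port))


def walk_through():
    """Replay the lesson's scenario: the static 8080 -> 80 forward, then PC1 and
    Laptop0 both using source port 1025, then the server's replies."""
    r2 = NatRouter("202.128.54.1")
    r2.add_port_forward("tcp", "192.168.11.100", 80, 8080)
    pc1 = r2.translate_outbound("tcp", Endpoint("192.168.11.100", 1025))
    laptop0 = r2.translate_outbound("tcp", Endpoint("192.168.10.101", 1025))
    # Return traffic to the two PAT flows, the forwarded web port, and an unsolicited port.
    replies = {
        port: r2.translate_inbound("tcp", Endpoint("202.128.54.1", port))
        for port in (1025, 1026, 8080, 9999)
    }
    return r2, pc1, laptop0, replies


if __name__ == "__main__":
    _, pc1, laptop0, replies = walk_through()
    print("PC1     ->", pc1)
    print("Laptop0 ->", laptop0)
    for port, inside in replies.items():
        print(f"reply to :{port} ->", inside or "dropped (no translation)")
```

The 9999 case shows why port forwarding is needed at all: an inbound packet with no table entry is dropped, so nothing reaches an inside host that has not been mapped.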
Verifying Port Address Translation
We can use the commands discussed in “Static NAT Configuration and Dynamic NAT Configuration” to verify Port Address Translation (PAT). The figure below illustrates the output of the show ip nat translations command. The figure displays the translations from two different hosts to a single web server.
We can also use the show ip nat statistics command to verify that NAT-POOL2 has allocated a single address. The show running-config command is another way to check the PAT configuration.
Dynamic NAT maps inside local addresses to inside global addresses automatically. The inside global addresses are usually public IPv4 addresses. Dynamic NAT uses a pool or group of public IPv4 addresses for translation.
Like static NAT, dynamic NAT also requires the inside and outside interfaces participating in NAT to be configured. The difference between static and dynamic NAT is that static NAT creates a permanent mapping to a single address, whereas dynamic NAT uses a pool of addresses.
The example topology shown in the figure above has an inside network containing two LANs, 192.168.10.0/24 and 192.168.11.0/24. R1 is working as the border router. It is configured for dynamic NAT using a pool of public IPv4 addresses, 202.128.54.0/28.
Any inside device can access the Internet using the pool of inside global IPv4 addresses, on a first-come, first-served basis. Dynamic NAT translates a single inside address to a single outside address.
Like static NAT, dynamic NAT requires enough addresses in the pool to accommodate all inside devices that want to access the outside network at the same time. If all addresses in the pool are already mapped to inside addresses, other devices must wait for an address to become available before they can access the outside network.
Configuring Dynamic NAT
First, define the inside global IP pool using the “ip nat pool” command. This pool is usually a group of public IPv4 addresses assigned by the service provider. The pool is defined by indicating the start and end IP addresses together with the netmask or prefix length.
After configuring the pool, dynamic NAT requires a standard ACL. The ACL identifies and permits the addresses that need to be translated. Remember the implicit deny-all statement at the end of each ACL.
Now bind the configured ACL to the address pool using the “ip nat inside source list <access-list-number> pool <pool-name>” command.
Identify which interfaces are inside and which are outside with respect to NAT, according to whether they connect to the inside or the outside network, and configure them accordingly.
Now I am going to configure router R1 for dynamic NAT according to the above steps.
R2(config)#ip nat pool Global_pool 202.128.54.3 202.128.54.14 netmask 255.255.255.240
R2(config)#ip nat inside source list 1 pool Global_pool
R2(config)#interface gigabitEthernet 0/0
R2(config-if)#ip nat inside
R2(config-if)#exit
R2(config)#interface serial 0/0/0.101
R2(config-subif)#ip nat outside
After the above configuration, the network 192.168.10.0/24 can access the Internet, but network 192.168.11.0/24 still cannot. The network 192.168.11.0/24 still requires the following configuration:
Now the network 192.168.11.0/24 can access the Internet. The outside NAT interface was already configured for network 192.168.10.0/24 and is shared, so only the ACL permit statement and the “ip nat inside” interface needed to be configured.
Analyzing Dynamic NAT
Using the previous configuration, the figures below illustrate the dynamic NAT translation process between the clients and the web server. The traffic flow from inside to outside is shown step by step:
The host 192.168.11.100 sends an ICMP message to the web server at the public IPv4 address 201.128.35.2. In the figure below, we can read the outbound PDU information: the source IP address is 192.168.11.100 and the destination IP address is 201.128.35.2, the IP address of the web server networkustad.com.
When R2 receives the packet from host 192.168.11.100 on an interface configured as a NAT inside interface, R2 checks its NAT configuration to determine whether the packet should be translated. If the ACL permits the packet, R2 translates it, first checking its NAT translation table.
If a translation entry is found, R2 forwards the packet; if none is found, R2 determines that the source address 192.168.11.100 must be translated dynamically. R2 selects the first available global address from the dynamic address pool and creates a translation entry, in this example 202.128.54.3, as shown in the figure below.
This address belongs to the inside global address pool. The highlighted entries can be seen on both the inbound and the outbound interface; on the outbound interface, the source address has been changed to 202.128.54.3.
R2 replaces the inside local source address of PC1, 192.168.11.100, with the inside global address 202.128.54.3 and forwards the packet. Here I skip the packet's path through the Internet cloud and R1. The server receives the packet from PC1 and responds using the IPv4 destination address 202.128.54.3, as shown in the figure below.
When R2 receives the packet with destination IPv4 address 202.128.54.3, it performs a NAT table lookup. Using the mapping from the table, R2 translates 202.128.54.3 back to the inside local address 192.168.11.100 and forwards the packet toward PC1. The same process occurs for host 192.168.10.101.
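As an added example (not the lesson's own code), the Python model below reproduces the pool allocation above and also covers the pool exhaustion and timeout behaviour this lesson mentions: addresses 202.128.54.3 to 202.128.54.14 are handed out first come, first served, a permitted-network list stands in for ACL 1, and a simulated clock drives the default 24-hour entry timeout. The DynamicNat class and its hit/miss counters are assumptions made for illustration.

```python
import ipaddress

DEFAULT_TIMEOUT = 24 * 60 * 60   # Cisco default for dynamic entries: 24 hours, in seconds


class DynamicNat:
    """Model of dynamic NAT on R2: a pool of inside global addresses handed out
    first come, first served, one inside local address per pool address.
    'permitted' stands in for the standard ACL; 'now' is passed in explicitly so
    the 24-hour timeout can be exercised without waiting."""

    def __init__(self, pool_start, pool_end, permitted, timeout=DEFAULT_TIMEOUT):
        first = int(ipaddress.IPv4Address(pool_start))
        last = int(ipaddress.IPv4Address(pool_end))
        self.free = [str(ipaddress.IPv4Address(i)) for i in range(first, last + 1)]
        self.permitted = [ipaddress.IPv4Network(n) for n in permitted]
        self.timeout = timeout
        self.table = {}          # inside local -> (inside global, last_used)
        self.hits = 0            # packets that matched an existing translation
        self.misses = 0          # packets that had to create a translation

    def _acl_permits(self, local_ip):
        ip = ipaddress.IPv4Address(local_ip)
        return any(ip in net for net in self.permitted)

    def expire(self, now):
        """Return entries idle for the timeout period to the pool."""
        for local, (glob, last_used) in list(self.table.items()):
            if now - last_used >= self.timeout:
                del self.table[local]
                self.free.append(glob)

    def translate_outbound(self, local_ip, now):
        """Inside -> outside. Returns the inside global address used as the new
        source, the original address when the ACL does not match (forwarded
        untranslated), or None when the pool is exhausted (packet dropped)."""
        self.expire(now)
        if not self._acl_permits(local_ip):
            return local_ip
        if local_ip in self.table:
            glob, _ = self.table[local_ip]
            self.table[local_ip] = (glob, now)
            self.hits += 1
            return glob
        self.misses += 1
        if not self.free:
            return None
        glob = self.free.pop(0)             # first available address, lowest first
        self.table[local_ip] = (glob, now)
        return glob

    def translate_inbound(self, global_ip, now):
        """Outside -> inside: reverse lookup on the inside global address."""
        self.expire(now)
        for local, (glob, _) in self.table.items():
            if glob == global_ip:
                self.table[local] = (glob, now)
                self.hits += 1
                return local
        return None

    def clear(self):
        """Equivalent of 'clear ip nat translation *': drop every dynamic entry."""
        self.free.extend(glob for glob, _ in self.table.values())
        self.table.clear()


def scenario():
    """The lesson's pool (202.128.54.3-.14) and LANs, with PC1 reaching the web server."""
    r2 = DynamicNat("202.128.54.3", "202.128.54.14",
                    ["192.168.10.0/24", "192.168.11.0/24"])
    pc1_out = r2.translate_outbound("192.168.11.100", now=0)
    laptop_out = r2.translate_outbound("192.168.10.101", now=1)
    reply_to_pc1 = r2.translate_inbound(pc1_out, now=2)
    return r2, pc1_out, laptop_out, reply_to_pc1


if __name__ == "__main__":
    r2, pc1_out, laptop_out, reply_to_pc1 = scenario()
    print("PC1 ->", pc1_out, "| Laptop0 ->", laptop_out, "| reply ->", reply_to_pc1)
    print("hits:", r2.hits, "misses:", r2.misses, "free:", len(r2.free))
```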
Verifying Dynamic NAT
The show ip nat translations command is used to verify the dynamic NAT configuration. We have already discussed this command in the static NAT configuration.
The command displays all static translations, including any dynamic translations that have been created by traffic. The figure below illustrates the output of this command for the dynamic NAT configuration.
The translation entries remain in the translation table for 24 hours by default, but we can reconfigure the timer with the ip nat translation timeout <timeout-seconds> command in global configuration mode.
We can also clear the dynamic translation entries using the “clear ip nat translation *” command in privileged EXEC mode. Only the dynamic translations are cleared from the table; static translations cannot be cleared from the translation table.
We can also use the show ip nat statistics command. It displays the total number of active translations, including NAT configuration parameters, the total number of addresses in the pool, and the number currently allocated. We can also use the show running-config command and look for the dynamic NAT configuration.
Static NAT maps inside and outside addresses one-to-one. It allows external devices to establish a session with internal devices using the statically assigned public address. For example, an internal web server is mapped to a specific inside global address.
The figure below illustrates an inside network containing a web server with a private IPv4 address accessible from the outside network using a global IPv4 address.
Router R1 is configured with static NAT, allowing devices on the outside network to access the web server. Static NAT translates the public IPv4 address to the private IPv4 address so that outside devices can reach the web server. The steps for configuring static NAT are the following:
Create a mapping between the inside local address and the inside global addresses
After mapping, the interfaces participating in the translation are configured as interfaces inside or outside relative to NAT.
When NAT is applied, the packets arriving at the router’s inside interface are translated and forwarded to the outside interface. Packets arriving on the outside interface are addressed to the configured inside global IPv4 address, translated to the inside local address, and forwarded to the inside network.
Example configuration of Static NAT
There are four basic terms for configuring NAT: inside local, inside global, outside local, and outside global. We discussed these terms in the previous lesson. In this lesson, I am going to explain static NAT briefly. The following topology is used to configure static NAT.
The above figure shows the topology for static NAT configuration. The topology contains both the inside and outside networks. R2 is the NAT router, which translates packets from web servers with 192.168.10.101 and 192.168.11.100 to public IPv4 addresses 202.128.54.3 and 202.128.54.4.
The Internet client directs web requests to the public IPv4 addresses 202.128.54.3 and 202.128.54.4. R2 forwards that traffic to the web server on IP addresses 192.168.10.101 and 192.168.11.100. Now, let’s configure R2 for static NAT. All other necessary configurations have been done previously.
Configuration of Static NAT for Server-1 (192.168.11.100)
Configuration of Static NAT for Server-2 (192.168.10.101)
For Server-2, the outside interface is again the s0/0/0.100 sub-interface, which is already marked with ip nat outside, so we do not need to configure ip nat outside again.
The configuration illustrates the static NAT translation process between the client and the web server. Generally, static translations are configured when clients on the internet need to reach devices on the private network. Now look at the above topology and analyze the network after the NAT configuration:
PC-1 is on the Internet, and both servers are in the private network. PC-1 wants to open a connection to web server-1. The client sends a packet to server-1 using the public IPv4 destination address 202.128.54.4, which is the inside global address of the web server.
Upon receiving the first packet on the outside interface, R2 checks its NAT table. The packet's destination IPv4 address is found in the NAT table, so it is translated.
R2 translates the inside global address 202.128.54.4 into the inside local address 192.168.11.100 and then forwards the packet to the web server.
The web server receives the packet from R2 and replies to PC-1, using its inside local address 192.168.11.100 as the source.
R2 receives the packet from the web server on interface g0/1, the inside interface, with the web server's inside local address, 192.168.11.100, as the source address.
R2 again checks the NAT table for a translation, and the address is found. It translates the source address (the inside local address) to the inside global address 202.128.54.4 and forwards the packet out its serial 0/0/0.100 interface to the client.
The client receives the packet and continues the conversation. The NAT router performs steps 2 to 7 for each packet.
Verifying Static NAT
The “show ip nat translations” command is important for verifying the workings of NAT. Its output displays active NAT translations, while static translations are always in the NAT table.
If the command is executed during an active session, the output also indicates the address of the outside device, as shown in the figure below; otherwise, it shows only the inside address translation.
We can also use the “show ip nat statistics” command. This command displays the total number of active translations, including NAT configuration parameters, the number of addresses in the pool, and the number of addresses allocated. The figure below illustrates the output of this command.
To verify that the NAT translation works, clear the previous statistics using the clear ip nat statistics command before testing. Before sending any packet to the web servers, execute the “show ip nat statistics” command; it will display no current hits. After establishing the session with the server, the “show ip nat statistics” command will display the increment to hits.
Before discussing the configuration of NAT in this article, we will discuss the advantages and disadvantages of NAT.
NAT Advantages
The main advantage of NAT is that it can prevent the depletion of IPv4 addresses. It conserves public IPv4 addresses by allowing intranets to use private addressing. NAT conserves addresses using application port-level multiplexing: with Port Address Translation, hosts with private IPv4 addresses can share a single public IPv4 address for all external communications.
Network Address Translation (NAT) also provides increased flexibility when connecting to the public Internet. We can implement a backup pool, and load-balancing pools to ensure reliable public network connections.
If a network uses public IP addresses, the administrator first obtains an address space; as the network grows, the chance of obtaining additional IP addresses from the same address class is minimal, even zero. With private addresses and NAT for external traffic, an organization does not have to purchase public IP addresses for every computer in use, which is a significant cost saving due to Network Address Translation.
Network Address Translation (NAT) allows an organization to use its own private IPv4 addressing scheme and avoids internal address changes when the service provider changes.
Network Address Translation (NAT) provides additional security by masking the original source and destination addresses. Private networks do not advertise their addresses or internal topology and are therefore secure when used in conjunction with NAT to gain controlled external access.
Disadvantages of NAT
Along with its advantages, NAT also has some disadvantages. Because a host on the Internet communicates with the NAT-enabled router rather than with the actual host inside the private network, several issues arise.
Network Address Translation (NAT) consumes processor and memory resources, because NAT needs to translate IPv4 addresses for every incoming and outgoing IPv4 datagram and keep the translation details in memory.
NAT degrades network performance, which creates problems for real-time protocols, and increases switching delays because translating each IPv4 address in the packet headers takes time.
When NAT is used, end-to-end addressing is lost. Several Internet protocols and applications depend on end-to-end addressing from source to destination, so many applications do not work with NAT. Applications that use physical addresses in place of a qualified domain name cannot reach their destinations through a NAT router.
With NAT, end-to-end IPv4 traceability is not possible. Tracing packets is much more difficult because the addresses change over multiple NAT hops, which makes troubleshooting difficult.
There are three types of NAT translation. In this lesson, we will explore the types of NAT. The main types of NAT translations are Static address translation (static NAT), Dynamic address translation (dynamic NAT) and Port Address Translation (PAT).
Static NAT
Static NAT is also known as one-to-one NAT. It maps a fixed public (inside global) address to a fixed private (inside local) address, or a block of public addresses to a block of private addresses of the same size. It translates real addresses to mapped addresses.
In other words, static NAT uses a one-to-one mapping of local and global addresses. The mapping covers source address translation in one direction and destination address translation in the other.
Static NAT allows a connection to be established from either side of the network, but translation is limited to one-to-one mappings or to blocks of addresses of the same size. A public address must be reserved for each private address; no address pool is needed for static NAT.
Static NAT is mostly used in enterprise networks to give external network or Internet connectivity to computers, servers or network devices on a private LAN that have unregistered private IP addresses. It creates a one-to-one relationship between a public and a private IP address.
So a private IP address is mapped to only one public IP address at a time. The end user has a transparent view of the remote device or network and reaches it using the mapped public address. Static NAT hides the internal addressing scheme and usage patterns from outside users, but because the mapping is permanent and works in both directions, the inside host is exposed to outside-initiated connections: access to it must be restricted by an access list or firewall, not by the translation itself.
R1 is configured with static NAT for the inside local addresses of PC1, PC2 and PC3. When PC1, PC2 and PC3 send data to the Internet, their inside local addresses are translated to the configured inside global addresses. To outside networks, these devices appear to have public IPv4 addresses.
Static NAT is also useful for devices that require authorized access while offsite but should not be reachable by the general public on the Internet. For example, a network administrator on PC4 can SSH to the inside global address 20.240.5.19. R1 translates this inside global address to the inside local address and connects the administrator to the device mapped to it on the LAN. Restricting that access to authorized users must be done with an access list or firewall rule on R1, since the static mapping itself admits anyone who can reach 20.240.5.19.
Static NAT requires enough public IPv4 addresses to accommodate the total number of users. The static NAT translation table is illustrated in the image below.
Dynamic NAT
In dynamic NAT, multiple private IP addresses are mapped to a pool of public IP addresses on a first-come, first-served basis.
We use dynamic NAT when we know how many users need to access the Internet at a given point in time. When an inside user requests access to an outside network, dynamic NAT assigns an available public IPv4 address from the pool.
When an inside user sends traffic through the NAT router, the router examines the source IP address and compares it with the inside local addresses permitted for translation. If it finds a match, it determines which inside global address pool to use for the translation.
The figure below illustrates dynamic NAT. PC1 has accessed the Internet using the first available address in the dynamic NAT pool; the other addresses of the pool remain available. Like static NAT, dynamic NAT requires enough public IPv4 addresses to cover the number of simultaneous user sessions. When the pool is exhausted, new sessions cannot be translated until an existing translation times out and its address returns to the pool.
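The pool behaviour described above (first-come, first-served allocation, reuse of an existing translation, and dropping new sessions once the pool is empty) as an added example in Python. This is not code from the original page; the inside network 192.168.1.0/24, the two-address pool 203.0.113.0/30 and the outside host 198.51.100.5 are constructed for the example.

```python
"""Dynamic NAT pool simulation (added example, not from the original page).

Inside hosts that match the permitted inside networks are translated to the
first free address of a public pool on a first-come, first-served basis.
When the pool is exhausted, new sessions are dropped until an existing
translation is released (in a real router: when it times out).
"""
from ipaddress import IPv4Address, IPv4Network


class DynamicNat:
    def __init__(self, inside_nets, pool_net):
        # Inside local networks permitted to be translated (the "NAT access list").
        self.inside_nets = [IPv4Network(n) for n in inside_nets]
        # Inside global addresses still free, in allocation order.
        self.free = [str(a) for a in IPv4Network(pool_net).hosts()]
        self.table = {}    # inside local  -> inside global
        self.reverse = {}  # inside global -> inside local

    def permitted(self, src):
        return any(IPv4Address(src) in net for net in self.inside_nets)

    def outbound(self, src, dst):
        """Packet leaving the inside network.

        Returns (new_src, dst), or None when the packet must be dropped
        because the pool is exhausted.  Sources not subject to translation
        are forwarded unchanged.
        """
        if not self.permitted(src):
            return src, dst
        if src in self.table:                 # existing translation is reused
            return self.table[src], dst
        if not self.free:                     # pool exhausted: drop
            return None
        glob = self.free.pop(0)               # first available pool address
        self.table[src] = glob
        self.reverse[glob] = src
        return glob, dst

    def inbound(self, src, dst):
        """Packet arriving from outside: forwarded only to an existing translation."""
        local = self.reverse.get(dst)
        if local is None:
            return None
        return src, local

    def release(self, local):
        """Translation timed out: return the global address to the pool."""
        glob = self.table.pop(local)
        del self.reverse[glob]
        self.free.append(glob)


if __name__ == "__main__":
    nat = DynamicNat(["192.168.1.0/24"], "203.0.113.0/30")  # pool: .1 and .2
    print(nat.outbound("192.168.1.10", "198.51.100.5"))   # gets 203.0.113.1
    print(nat.outbound("192.168.1.11", "198.51.100.5"))   # gets 203.0.113.2
    print(nat.outbound("192.168.1.12", "198.51.100.5"))   # None: pool exhausted
    print(nat.inbound("198.51.100.5", "203.0.113.2"))     # reply back to .11
    nat.release("192.168.1.11")
    print(nat.outbound("192.168.1.12", "198.51.100.5"))   # now gets 203.0.113.2
```

The pool size is the capacity of the design: a third inside host is simply not translated until one of the two translations is released, which is the sizing constraint the text describes.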
Port Address Translation (PAT)
Port Address Translation (PAT), also known as NAT overload, is an extension of Network Address Translation (NAT). It permits multiple devices on a LAN to be mapped to a single public IPv4 address to conserve IP addresses.
With Port Address Translation (PAT), all devices that pass through the NAT router are assigned the same inside global IP address, and the source TCP or UDP port numbers are used to distinguish the different connections. If two devices use the same source port, the NAT router changes one of them to keep every translation unique.
With Port Address Translation (PAT), when a device initiates a TCP/IP session it generates a TCP or UDP source port value that uniquely identifies the session. When the NAT router receives a packet from the client, it uses the source port number to identify the specific NAT translation.
Port Address Translation ensures that a different TCP or UDP port number is used for each session with a server on the Internet. When a reply comes back from the server, its destination port is the port chosen by PAT, which determines the device to which the router forwards the packet. PAT also forwards only those incoming packets that match an existing translation, so an unsolicited packet from the Internet is dropped; this adds some protection to the session, though, as noted earlier, it is not a substitute for a stateful firewall. Now examine the figure below.
When R1 processes a packet, it uses the port number to uniquely identify the source of the packet. The source address is the inside local address together with the TCP or UDP source port assigned by the sending host.
The destination address is the outside local address together with the service port number; port 80 is the HTTP port. R1 translates the inside local address to the inside global address, keeping the source port unless it must be changed. The destination address is not changed.
In the example, the client port numbers are 1205, 1285 and 1339. The NAT-enabled router did not change them because none collided with another active session. Had one of these ports already been in use by another session, it would have been reassigned.
PAT tries to preserve the original source port. If that port is already in use by an active session, PAT assigns the first available port number starting from the beginning of the appropriate port group: 0–511, 512–1,023 or 1,024–65,535.
If no more ports are available in that group and there is more than one global IP address in the address pool, PAT moves to the next address and tries to allocate the original source port there. This continues until all available ports and addresses have been checked.
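The PAT allocation rules just described (preserve the source port, fall back to the first free port in the same port group, move to the next pool address when a group is full, match replies against the translation table and drop unsolicited packets) as an added example in Python. It is not code from the original page; the pool addresses 203.0.113.1 and 203.0.113.2, the outside server 198.51.100.5 and the client ports are constructed for the example.

```python
"""Port Address Translation (NAT overload) simulation (added example, not from
the original page).  Follows the allocation order given in the text:
1. keep the host's source port if it is free on the first global address;
2. otherwise take the first free port of the same port group
   (0-511, 512-1023, 1024-65535) on that address;
3. if the whole group is used on that address, try the next pool address.
"""
GROUPS = [(0, 511), (512, 1023), (1024, 65535)]


def port_group(port):
    """Return the (low, high) bounds of the port group a port belongs to."""
    for lo, hi in GROUPS:
        if lo <= port <= hi:
            return lo, hi
    raise ValueError(f"invalid port {port}")


class Pat:
    def __init__(self, pool):
        self.pool = list(pool)                        # inside global addresses, in order
        self.used = {addr: set() for addr in pool}    # global ports in use per address
        self.out = {}    # (inside local, local port, proto) -> (inside global, global port)
        self.back = {}   # (inside global, global port, proto) -> (inside local, local port)

    def _allocate(self, port):
        lo, hi = port_group(port)
        for addr in self.pool:
            if port not in self.used[addr]:           # rule 1: preserve the port
                return addr, port
            for p in range(lo, hi + 1):               # rule 2: first free port in the group
                if p not in self.used[addr]:
                    return addr, p
        return None                                   # rule 3 exhausted: no slot on any address

    def outbound(self, src, sport, dst, dport, proto="tcp"):
        """Packet from an inside host; returns the translated 4-tuple or None if dropped."""
        key = (src, sport, proto)
        if key not in self.out:
            slot = self._allocate(sport)
            if slot is None:
                return None
            addr, gport = slot
            self.used[addr].add(gport)
            self.out[key] = (addr, gport)
            self.back[(addr, gport, proto)] = (src, sport)
        addr, gport = self.out[key]
        return addr, gport, dst, dport

    def inbound(self, src, sport, dst, dport, proto="tcp"):
        """Packet from outside: forwarded only if it matches an existing translation."""
        entry = self.back.get((dst, dport, proto))
        if entry is None:
            return None                               # unsolicited: dropped
        local, lport = entry
        return src, sport, local, lport


if __name__ == "__main__":
    pat = Pat(["203.0.113.1"])
    print(pat.outbound("192.168.1.10", 1205, "198.51.100.5", 80))  # port 1205 preserved
    print(pat.outbound("192.168.1.11", 1205, "198.51.100.5", 80))  # collision: gets 1024
    print(pat.inbound("198.51.100.5", 80, "203.0.113.1", 1024))    # reply reaches .11
    print(pat.inbound("198.51.100.5", 80, "203.0.113.1", 5000))    # None: no translation
```

The translation key includes the protocol, so a UDP and a TCP session from the same host and port are tracked separately, as they are on a real router. The `inbound` check is the whole of the "security" PAT gives: a packet with no matching entry has nowhere to go, which is why inside hosts are unreachable from outside by default but also why nothing here inspects the packets that do match.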
As discussed before, NAT translates private IP addresses into public IP addresses. Several operations are involved in the translation, and understanding each of them requires knowing the NAT terminology, so before looking at NAT in detail it is important to understand the basic terms. In NAT terminology, the inside network is the set of networks that is subject to translation, and the outside network refers to all other networks.
It is important to recall that NAT terminology is always applied from the viewpoint of the device with the translated address when determining the type of address. NAT also uses the notions of local and global with respect to addresses:
Inside address – The address of the device whose address is translated by NAT.
Outside address – The address of the destination device.
Local address – Any address that appears on the inside portion of the network.
Global address – Any address that appears on the outside portion of the network.
Let’s understand the above terms with an example. When a user browses a website from his computer, the network that connects him to the Internet is the local network from his point of view, and the network that connects the web server to the Internet is the local network from the server's point of view. The Internet, which connects the two networks, is the global network.
Inside and outside in NAT depend on the direction of the data. For example, in the topology below, for PC1 router R1 is inside and router R2 is outside, as illustrated in the first image. If we reverse the direction of the data, as illustrated in the second image, R2 is inside for the server and R1 is outside for the server.
The router interface connected to the local network is configured with an address from the inside local address space, and the interface connected to the global network is configured with the inside global IP address.
Now look at the topology below, which extends the previous one and assigns IP addresses to the devices. PC1 has the inside local address 192.168.1.100, and the inside global address 172.35.10.2 is assigned to the outside interface of R1. From the side of PC1, the web server has the outside address 20.41.5.19. When PC1 sends packets to the global address of the web server, the inside local address 192.168.1.100 of PC1 is translated to the inside global address 172.35.10.2.
R1 is configured as the NAT router and acts as the demarcation point between the inside and outside networks, and between local and global addresses.
The terms inside and outside are combined with the terms local and global to name specific addresses. In the above topology, router R1 has been configured to provide NAT.
Inside local address – In the above topology, the IP address 192.168.1.100 assigned to PC1 is the inside local address of PC1.
Inside global address – When traffic is sent from PC1 to the web server, R1 translates the inside local address 192.168.1.100 to the inside global address 172.35.10.2. In NAT terminology, the inside local address is translated to the inside global address.
Outside global address – Usually a public IPv4 address assigned to a host on the Internet. In this example the web server is reachable at the IPv4 address 20.41.5.19. Most often the outside local and outside global addresses are the same.
Outside local address – The address of the destination as seen from the inside network. In this example PC1 sends traffic to the web server at the IPv4 address 20.41.5.19, so the outside local address is the same as the outside global address.
When PC1 sends traffic to the web server, the server's return traffic is addressed to the inside global address and is translated back to the inside local address by R1. The figure below illustrates the return traffic.
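The static NAT section earlier on the page and the terminology above both describe the same one-to-one translation seen from two sides, so one added Python example covers both. It models R1 as a static NAT table using the page's own addresses (PC1 192.168.1.100 as inside local, 172.35.10.2 as inside global, the web server 20.41.5.19 as outside local and outside global), names the four address types for a conversation, and shows the static NAT property that an outside-initiated connection is translated too. This is not the page's or any vendor's code; the second inside host 192.168.1.101 and the outside host 198.51.100.7 are assumptions made for the example.

```python
"""Static (one-to-one) NAT with NAT address terminology (added example, not
from the original page).  Addresses: PC1 192.168.1.100 (inside local),
172.35.10.2 (inside global), web server 20.41.5.19 (outside local/global).
192.168.1.101 and 198.51.100.7 are constructed for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


class StaticNat:
    """R1: the demarcation point between inside/outside and local/global."""

    def __init__(self, mappings):
        self.local_to_global = dict(mappings)                 # inside local  -> inside global
        self.global_to_local = {g: l for l, g in mappings.items()}  # inside global -> inside local

    def inside_to_outside(self, pkt):
        """Packet leaving the inside network: the source is translated, the destination is not."""
        glob = self.local_to_global.get(pkt.src)
        if glob is None:
            return None                                       # no static entry, no pool: not forwarded
        return Packet(glob, pkt.dst)

    def outside_to_inside(self, pkt):
        """Packet arriving from outside (a reply or a new connection): the destination is translated.

        Static NAT does not care who initiated: any packet to the inside global
        address reaches the inside host, which is why an ACL or firewall is
        still needed in front of the mapping.
        """
        local = self.global_to_local.get(pkt.dst)
        if local is None:
            return None
        return Packet(pkt.src, local)

    @staticmethod
    def describe(inside_view, outside_view):
        """Name the four NAT address types for one outbound packet seen on both sides of R1."""
        return {
            "inside local": inside_view.src,
            "inside global": outside_view.src,
            "outside local": inside_view.dst,
            "outside global": outside_view.dst,
        }


if __name__ == "__main__":
    r1 = StaticNat({"192.168.1.100": "172.35.10.2"})
    inside = Packet("192.168.1.100", "20.41.5.19")
    outside = r1.inside_to_outside(inside)
    print(outside)                                            # src 172.35.10.2 -> dst 20.41.5.19
    print(r1.describe(inside, outside))
    print(r1.outside_to_inside(Packet("20.41.5.19", "172.35.10.2")))   # reply back to PC1
    print(r1.outside_to_inside(Packet("198.51.100.7", "172.35.10.2"))) # outside-initiated: also reaches PC1
    print(r1.inside_to_outside(Packet("192.168.1.101", "20.41.5.19"))) # None: no mapping for this host
```

The `describe` output is the whole vocabulary in one place: the inside view of the packet gives the inside local and outside local addresses, the outside view gives the inside global and outside global addresses, and in this topology the two outside addresses coincide because R1 does not translate the destination on the way out.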
All public IPv4 addresses must be registered with a Regional Internet Registry (RIR). The registered holder of a public Internet address can assign these addresses to network devices. There is a maximum of about 4.3 billion IPv4 addresses, but with the growth of personal computing and the beginning of the World Wide Web it soon became clear that 4.3 billion IPv4 addresses would not be enough.
The long-term solution to the shortage is IPv6, but urgent measures against address exhaustion were required. For the short term, the IETF standardized several solutions, including Network Address Translation (NAT), Port Address Translation (PAT) and the RFC 1918 private IPv4 addresses.
In the coming article, we will discuss briefly how Network Address Translation (NAT) works and how Network Address Translation (NAT) combines with the use of private address space.
IPv4 Private Address Space
RFC 1918 describes the “Address Allocation for Private Internets.” It is the Internet Engineering Task Force (IETF) memorandum on methods of assigning private IP addresses on TCP/IP networks.
This document provides essential information for the network administrator considering using these addresses on their network. The following table shows the ranges of Private IP addresses for different classes.
Class   Internal address range defined in RFC 1918   CIDR prefix
A       10.0.0.0 to 10.255.255.255                   10.0.0.0/8
B       172.16.0.0 to 172.31.255.255                 172.16.0.0/12
C       192.168.0.0 to 192.168.255.255               192.168.0.0/16
The "Class" column uses the old classful names only as a label: 172.16.0.0/12 is a block of 16 contiguous class B networks (172.16.0.0 through 172.31.0.0), and 192.168.0.0/16 is a block of 256 class C networks. Note that 172.32.0.0 and above are public addresses.
Private IP addresses are used for communication between devices inside an organization and are not routed over the Internet, because they do not uniquely identify any single company or organization. To reach the Internet, a private IP address must first be translated to a public address.
Network Address Translation (NAT) is the technique for translating private addresses to public addresses and vice versa. It allows a device configured with a private IPv4 address to access network resources outside its private or local network.
NAT is used at the edge of networks all over the Internet. It is a valuable method of preserving public IPv4 addresses, because a single public IPv4 address can be shared by hundreds or thousands of private IPv4 addresses. NAT only postpones the exhaustion of the IPv4 address space; the permanent solution is the transition to IPv6. The figure below illustrates the NAT process.
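A small Python check for the RFC 1918 ranges in the table above, added here as an example that is not part of the original page. It returns the exact boundaries of the three blocks and decides whether a source needs translation before it can reach a destination. The sample addresses are constructed; the function names `is_rfc1918`, `needs_nat` and `rfc1918_summary` are this example's own. One caveat worth knowing: the standard library's `IPv4Address.is_private` also reports loopback, link-local and documentation ranges as private, so it is not a substitute for an RFC 1918 test when, for instance, a detection rule asks whether a connection originated in the organization's internal address space.

```python
"""RFC 1918 private address checks (added example, not from the original page).

The three blocks are the ones in the table above.  Sample addresses below
are constructed for the example.
"""
from ipaddress import AddressValueError, IPv4Address, IPv4Network

RFC1918_BLOCKS = [
    IPv4Network("10.0.0.0/8"),
    IPv4Network("172.16.0.0/12"),
    IPv4Network("192.168.0.0/16"),
]


def is_rfc1918(addr: str) -> bool:
    """True only for addresses inside one of the three RFC 1918 blocks."""
    try:
        ip = IPv4Address(addr)
    except AddressValueError:          # not a valid dotted-quad IPv4 address
        return False
    return any(ip in block for block in RFC1918_BLOCKS)


def needs_nat(src: str, dst: str) -> bool:
    """An RFC 1918 source talking to a non-RFC 1918 destination must be translated."""
    return is_rfc1918(src) and not is_rfc1918(dst)


def rfc1918_summary():
    """(prefix, first address, last address, number of addresses) for each block."""
    return [
        (str(b), str(b.network_address), str(b.broadcast_address), b.num_addresses)
        for b in RFC1918_BLOCKS
    ]


if __name__ == "__main__":
    for row in rfc1918_summary():
        print(row)
    # Boundary of the 172.16.0.0/12 block and a documentation address that
    # is_private flags but that is NOT RFC 1918 space.
    for a in ["172.31.255.255", "172.32.0.1", "192.0.2.1", "192.168.1.100"]:
        print(a, "rfc1918" if is_rfc1918(a) else "public/other",
              "is_private" if IPv4Address(a).is_private else "")
    print(needs_nat("192.168.1.100", "20.41.5.19"))   # True
    print(needs_nat("192.168.1.100", "10.0.0.5"))     # False: both sides private
```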
What is Network Address Translation (NAT)?
The most important reason to use Network Address Translation (NAT) is to conserve public IPv4 addresses. NAT does this by allowing networks to use private IPv4 addresses internally and translating them to a public address only when required. NAT also hides the internal private IPv4 addresses from the outside public network, which gives a network some extra privacy, though, as discussed above, it does not replace a firewall.
The router configured with NAT requires one or more public IPv4 addresses, known as the NAT pool. When an internal device sends traffic from its private IP address out of the network, the NAT router translates the device's internal IPv4 address into a public address from the NAT pool. When the reply from outside arrives at that public IPv4 address, the NAT-enabled router translates the public IPv4 address back into the private IPv4 address.
A Network Address Translation (NAT) router is typically required at the border of a stub network. We have already discussed the stub network in one of my previous articles: it is a network with only one path to its neighboring network, one way in and one way out. The figure below illustrates the stub network and the NAT-enabled router.
When a device in the stub network wants to communicate with the outside, it sends the packet to the NAT-enabled border router. The border router translates the private IPv4 address of the stub network into a public IPv4 address.