Network address translation (NAT) is simply mapping one IP address to another. It is widely used, from home users through to large ISPs (Internet Service Providers), and became widespread when public IPv4 addresses started to run out.
NAT is usually applied by a router or a firewall. It allows a large network to use a single public IP address, assigned to a gateway router. Traffic from devices on the network is then translated to that single address. The router must keep track of the mappings it has made for the different devices so that replies can be delivered back to the right host.
Conserving address space. The free pool of public IPv4 addresses is exhausted, and NAT means that we don’t have to give every device on the Internet a dedicated public address.
Security. NAT is often described as adding a layer of security, because hosts behind it are not directly reachable from outside the network: an inbound packet is only forwarded if it matches a translation entry that an inside host created by sending traffic out first. That protection comes from the stateful translation table, not from the private addresses themselves, so it is no substitute for a firewall policy; any port forwarding, UPnP mapping or hole-punching technique reintroduces inbound reachability, and NAT does nothing about connections that an inside host initiates itself.
Keeping track of translations is CPU and memory intensive, and may require more powerful or dedicated hardware.
Some things break, or get more difficult, when NAT is used. For example, ‘peer-to-peer’ communication becomes less straightforward, because neither host can simply connect to the other’s private address, and protocols that carry IP addresses inside their payload (FTP and SIP are the usual examples) need the translator to understand and rewrite them.
Troubleshooting problems can become harder because you no longer have full end-to-end traceability: the address the far end sees is the router’s, not the originating host’s.
Basic NAT, or one-to-one NAT, simply maps each IP address to a different IP address. For example, mapping addresses from 192.168.1.0/24 to 10.1.1.0/24 may result in 192.168.1.15 being mapped to 10.1.1.15. Basic NAT doesn’t save address space, since every inside address still needs its own outside address, but it can help interconnect networks with different, or overlapping, addressing schemes.
One-to-many NAT is the most useful, and most common, implementation of NAT. Because multiple addresses all get mapped to a single one, the router must have a way of distinguishing the traffic which comes back. A common way of doing this is to use port numbers to differentiate between the streams of traffic and translate back to the original IP addresses. This is sometimes called Port Address Translation (PAT) or Network Address and Port Translation (NAPT).
There are several ways of implementing one-to-many NAT, but typically it works like this:
Outbound traffic will have its source IP address (IP_A) and source port (PORT_A) translated to the external, public, IP address (IP_B) and a certain source port (PORT_B).
These translations are recorded in a translation table, the IP and transport headers are changed (and their checksums recomputed, since the TCP and UDP checksums cover the addresses) and the packet is routed onwards.
Inbound traffic is looked up against the translation table. If the destination address matches IP_B (the external address) and the destination port matches PORT_B then the traffic will be mapped back to IP_A:PORT_A. If there is no matching entry, the packet is dropped.
The IP header is updated and the packet is routed to the original host.
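As an added, runnable illustration of the steps above (this is not code from the original page, nor from any real router), here is a toy one-to-many translator in Python. The class and function names, the public address 203.0.113.5 and the other addresses are assumed for the example. It shows two things the prose leaves implicit: two inside hosts that happen to choose the same source port still get distinct external ports, and an inbound packet that matches no table entry is dropped, which is the whole reason hosts behind NAT are not directly reachable from outside.

```python
"""Toy one-to-many NAT (NAPT) translator.

Constructed example: this is not code from any router or NAT implementation,
and the class and function names, the public address 203.0.113.5 and the
private/remote addresses used below are all assumed for illustration.
"""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip, port)


@dataclass(frozen=True)
class Packet:
    """Just the header fields the translator needs."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"  # TCP and UDP mappings are kept apart


class Napt:
    """Map many private (IP_A, PORT_A) pairs onto one public IP_B, one PORT_B each."""

    def __init__(self, public_ip: str, first_port: int = 1024, last_port: int = 65535) -> None:
        self.public_ip = public_ip
        self._next_port = first_port
        self._last_port = last_port
        # The translation table, indexed in both directions.
        self._out: Dict[Tuple[str, Endpoint], int] = {}  # (proto, (IP_A, PORT_A)) -> PORT_B
        self._in: Dict[Tuple[str, int], Endpoint] = {}   # (proto, PORT_B) -> (IP_A, PORT_A)

    def _allocate_port(self) -> int:
        # Simplest possible policy: hand out external ports sequentially.
        if self._next_port > self._last_port:
            raise RuntimeError("translation table full: no free external port")
        port = self._next_port
        self._next_port += 1
        return port

    def outbound(self, pkt: Packet) -> Packet:
        """Translate a packet leaving the private network (IP_A:PORT_A -> IP_B:PORT_B)."""
        key = (pkt.proto, (pkt.src_ip, pkt.src_port))
        port_b = self._out.get(key)
        if port_b is None:
            # First packet of this flow: create the table entry in both directions.
            port_b = self._allocate_port()
            self._out[key] = port_b
            self._in[(pkt.proto, port_b)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.public_ip, src_port=port_b)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate a packet arriving from outside (IP_B:PORT_B -> IP_A:PORT_A); None means drop."""
        if pkt.dst_ip != self.public_ip:
            return None
        entry = self._in.get((pkt.proto, pkt.dst_port))
        if entry is None:
            # No inside host created this mapping: unsolicited traffic has nowhere to go.
            return None
        ip_a, port_a = entry
        return replace(pkt, dst_ip=ip_a, dst_port=port_a)

    def table(self) -> Dict[Tuple[str, Endpoint], int]:
        """Copy of the outbound half of the translation table, for inspection."""
        return dict(self._out)


def demo() -> dict:
    """Walk through the steps from the text; returns what each step produced."""
    nat = Napt("203.0.113.5", first_port=40000)
    server = "198.51.100.7"
    # Two inside hosts happen to pick the same ephemeral source port 50000.
    a = Packet("192.168.1.15", 50000, server, 443)
    b = Packet("192.168.1.16", 50000, server, 443)
    a_out = nat.outbound(a)   # -> 203.0.113.5:40000
    b_out = nat.outbound(b)   # -> 203.0.113.5:40001, so replies stay distinguishable
    a_again = nat.outbound(a)  # same flow, same entry, same PORT_B
    # The server answers each to IP_B:PORT_B; the table steers each back to the right host.
    a_reply = nat.inbound(Packet(server, 443, a_out.src_ip, a_out.src_port))
    b_reply = nat.inbound(Packet(server, 443, b_out.src_ip, b_out.src_port))
    # An outside scanner probing IP_B:22 matches no entry and is dropped.
    probe = nat.inbound(Packet("192.0.2.99", 12345, "203.0.113.5", 22))
    return {"a_out": a_out, "b_out": b_out, "a_again": a_again,
            "a_reply": a_reply, "b_reply": b_reply, "probe": probe}


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:8} {pkt}")
```

A real translator also ages entries out (UDP mappings after an idle timeout, TCP ones on FIN/RST or timeout), rewrites ICMP errors that quote the translated header, and chooses external ports with some randomness rather than sequentially; the sequential allocation here is only to keep the example short and its results predictable.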
IP masquerading is the implementation of one-to-many NAT commonly used to ‘hide’ a network of private addresses behind a single public IP address (it is also the name Linux netfilter gives to this mode). An example of this is home routers: all devices on a home network will typically be assigned a private address, and as their traffic passes through the router towards the ISP it is mapped to the router’s single public IP address.