NAT: Network Address Translation
Network address translation involves mapping one IP address to another. It is widely used, from home users through to large ISPs (Internet Service Providers). It became widespread when we started running out of public IP addresses.
NAT is usually applied by a router or a firewall. It allows a large network to use a single public IP address – assigned to a gateway router. Traffic from devices on the network is then translated to that single address. The router must keep track of the mappings used for the different devices.
Advantages
- Conserving address space. The free pool of public IPv4 addresses has been exhausted, and NAT means we don’t have to give a dedicated public IP address to every device on a network.
- Security. NAT adds a layer of defence because hosts behind it are not directly reachable from outside the network: an inbound packet that matches no entry in the translation table has no internal destination and is dropped. This is a side effect of the stateful translation, not a substitute for a firewall. A port-forwarding rule, a port opened by UPnP, or an application-layer gateway exposes the internal host again, and a compromised host behind NAT can still initiate outbound connections freely.
Disadvantages
- Keeping track of translations costs CPU and memory. Every active flow occupies an entry in the translation table, so a busy gateway may require more powerful hardware.
- Some things break or get more complicated when NAT is used. For example, peer-to-peer communications become less straightforward, and protocols that carry IP addresses or ports inside their payload (such as FTP and SIP) need an application-layer gateway or another workaround.
- Troubleshooting becomes more challenging because you no longer have full end-to-end traceability: an address in a remote log identifies the gateway, not the host behind it, unless the translation table (or a log of it) is available.
Basic NAT, or one-to-one NAT, maps each IP address to a different IP address. For example, mapping addresses from 192.168.1.0/24 to 10.1.1.0/24 may result in 192.168.1.15 being mapped to 10.1.1.15. Basic NAT doesn’t help save address space, but it can help interconnect networks with different addressing schemes.
One-to-many NAT is the most useful, and most common implementation of NAT. Because multiple addresses all get mapped to a single one, the router must have a way of distinguishing the traffic which comes back. A common way of doing this is to use port numbers to differentiate between the streams of traffic and translate back to the original IP addresses. This type of NAT is sometimes called Port Address Translation (PAT) or Network Address and Port Translation (NAPT).
How it Works
There are several different ways of implementing one-to-many NAT, but typically it is something like this:
Outbound traffic has its source IP address (IPA) and source port (PORTA) translated to the external, public, IP address (IPB) and a particular source port (PORTB) chosen by the translator.
This translation is recorded in a translation table, the IP header and the TCP/UDP header (including their checksums) are rewritten, and the packet is routed onwards.
Inbound traffic is looked up against the translation table. If the destination address matches IPB (the external address) and the destination port matches PORTB, the destination is mapped back to IPA:PORTA. If no entry matches, the packet has no internal destination and is dropped.
The headers are rewritten again, and the packet is routed to the original host.
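The procedure above, as an added example that is not part of the original article: a small Python simulation of a one-to-many NAT (NAPT) translation table. The class name, the public address 203.0.113.1 and the sample packets are constructed for illustration. It keeps one mapping per internal IPA:PORTA, reuses the host's own source port when that is free, and drops inbound packets that match no mapping or that come from a peer the internal host never contacted (the address-and-port-dependent filtering of RFC 4787, an implementation choice rather than something every NAT does).

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    """The four header fields a NAPT rewrites: IP addresses and L4 ports."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Napt:
    """One-to-many NAT: every private IPA:PORTA is rewritten to IPB:PORTB.

    Hypothetical simulation for illustration, not a real router's code.
    """

    def __init__(self, public_ip: str, port_range: Tuple[int, int] = (1024, 65535)):
        self.public_ip = public_ip            # IPB, the single public address
        self.low, self.high = port_range      # pool PORTB is allocated from
        self.forward: Dict[Tuple[str, int], int] = {}   # (IPA, PORTA) -> PORTB
        self.reverse: Dict[int, Tuple[str, int]] = {}   # PORTB -> (IPA, PORTA)
        self.peers: Dict[int, Set[Tuple[str, int]]] = {}  # PORTB -> remote endpoints contacted

    def _allocate_port(self, wanted: int) -> int:
        # Port preservation: keep the host's own source port when it is free,
        # otherwise hand out the lowest free port in the configured range.
        if self.low <= wanted <= self.high and wanted not in self.reverse:
            return wanted
        for port in range(self.low, self.high + 1):
            if port not in self.reverse:
                return port
        raise RuntimeError("translation table full: no free public port")

    def outbound(self, pkt: Packet) -> Packet:
        """Private -> public: record (or reuse) the mapping, rewrite the source."""
        key = (pkt.src_ip, pkt.src_port)
        port_b = self.forward.get(key)
        if port_b is None:
            port_b = self._allocate_port(pkt.src_port)
            self.forward[key] = port_b
            self.reverse[port_b] = key
            self.peers[port_b] = set()
        # Remember who this mapping has been used to talk to (for filtering).
        self.peers[port_b].add((pkt.dst_ip, pkt.dst_port))
        return Packet(self.public_ip, port_b, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Public -> private: look the packet up; None means 'drop it'."""
        if pkt.dst_ip != self.public_ip:
            return None                         # not addressed to IPB at all
        key = self.reverse.get(pkt.dst_port)
        if key is None:
            return None                         # no mapping: unsolicited inbound is dropped
        if (pkt.src_ip, pkt.src_port) not in self.peers[pkt.dst_port]:
            return None                         # mapping exists, but not for this peer
        ip_a, port_a = key
        return Packet(pkt.src_ip, pkt.src_port, ip_a, port_a)


if __name__ == "__main__":
    nat = Napt("203.0.113.1")
    # Two internal hosts happen to pick the same source port (constructed input).
    print(nat.outbound(Packet("192.168.1.15", 50000, "198.51.100.7", 443)))
    print(nat.outbound(Packet("192.168.1.20", 50000, "198.51.100.7", 443)))
    print("table:", nat.forward)
    # A reply to the second host, and an unsolicited probe that gets dropped.
    print(nat.inbound(Packet("198.51.100.7", 443, "203.0.113.1", 1024)))
    print(nat.inbound(Packet("192.0.2.9", 22, "203.0.113.1", 2000)))
```

Running it shows why the router needs the port: both hosts share IPB, so the second host's 50000 collides and is rewritten to 1024, and only the table can route the reply back to 192.168.1.20:50000. The probe to port 2000 returns None, which is the whole of the "security" NAT provides.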
IP masquerading is the implementation of one-to-many NAT commonly used to ‘hide’ a network of private addresses behind a single public IP address. An example of this is home routers – all devices on a home network will typically be assigned a private address. When traffic transits the router to the ISP, the private addresses will be mapped to a single public IP address.