
Tuesday 21 May 2013

Network Address Translation tutorial


What is NAT (Network Address Translation)?

When NETGEAR products use NAT to access the Internet, the addresses on your LAN are substituted with a single WAN IP address. This lets your computers share one IP address from your ISP. It also makes your network more secure, since traffic to and from the Internet now goes through your router's address substitution process, blocking direct access to your local IP addresses. Unless you use port forwarding, port triggering, or a DMZ, your computers are not reachable from the Internet (unless one of your computers requests it, of course!)


How it works


Network Address Translation translates an IP address used in one network to another IP address known within another network. A NAT table is maintained for the global-to-local and local-to-global mapping of IPs. NAT can be statically defined or can translate dynamically from a pool of addresses. The NAT router is responsible for translating traffic entering and leaving the network. NAT prevents malicious activity initiated by outside hosts from reaching local hosts, because a machine on the local network must initiate any connection to hosts on the other side of the router before return traffic is allowed in.
NAT is like the receptionist in a large office. Let's say you have left instructions with the receptionist not to forward any calls to you unless you request it. Later on, you call a potential client and leave a message for them to call you back. You tell the receptionist that you are expecting a call from this client and to put them through.
The client calls the main number to your office, which is the only number the client knows. When the client tells the receptionist who they are looking for, the receptionist checks a lookup table that matches up the person's name and extension. The receptionist knows that you requested this call, therefore the receptionist forwards the caller to your extension.
Developed by Cisco, Network Address Translation is used by a device (firewall, router or computer) that sits between an internal network and the rest of the world. NAT has many forms and can work in several ways:
  • Static NAT – Mapping an unregistered IP address to a registered IP address on a one-to-one basis. Particularly useful when a device needs to be accessible from outside the network.
In static NAT, the computer with the IP address of 192.168.32.10 will always translate to 213.18.123.110:

  • Dynamic NAT – Maps an unregistered IP address to a registered IP address from a group of registered IP addresses. Dynamic NAT also establishes a one-to-one mapping between unregistered and registered IP addresses, but the mapping can vary depending on which registered address is available in the pool at the time of communication.
In dynamic NAT, the computer with the IP address of 192.168.32.10 will translate to the first available address in the range from 213.18.123.100 to 213.18.123.150:


A NAT example

If a small business is using the 192.168.0.0 network ID for its intranet and has been granted the public address of w1.x1.y1.z1 by its Internet service provider (ISP), then network address translation (NAT) maps all private addresses on 192.168.0.0 to the IP address of w1.x1.y1.z1. If multiple private addresses are mapped to a single public address, NAT uses dynamically chosen TCP and UDP ports to distinguish one intranet location from another.
Note
  • The use of w1.x1.y1.z1 and w2.x2.y2.z2 is intended to represent valid public IP addresses as allocated by the Internet Assigned Numbers Authority (IANA) or an ISP.
The following illustration shows an example of using NAT to transparently connect an intranet to the Internet.

If a private user at 192.168.0.10 uses a Web browser to connect to the Web server at w2.x2.y2.z2, the user's computer creates an IP packet with the following information:
  • Destination IP address: w2.x2.y2.z2
  • Source IP address: 192.168.0.10
  • Destination port: TCP port 80
  • Source port: TCP port 5000
This IP packet is then forwarded to the NAT protocol, which translates the addresses of the outgoing packet to the following:
  • Destination IP address: w2.x2.y2.z2
  • Source IP address: w1.x1.y1.z1
  • Destination port: TCP port 80
  • Source port: TCP port 1025
The NAT protocol keeps the mapping of {192.168.0.10, TCP 5000} to {w1.x1.y1.z1, TCP 1025} in a table.
The translated IP packet is sent over the Internet. The response is sent back and received by the NAT protocol. When received, the packet contains the following public address information:
  • Destination IP address: w1.x1.y1.z1
  • Source IP address: w2.x2.y2.z2
  • Destination port: TCP port 1025
  • Source port: TCP port 80
The NAT protocol checks its translation table and maps the public addresses to private addresses and forwards the packet to the computer at 192.168.0.10. The forwarded packet contains the following address information:
  • Destination IP address: 192.168.0.10
  • Source IP address: w2.x2.y2.z2
  • Destination port: TCP port 5000
  • Source port: TCP port 80
For outgoing packets from the NAT protocol, the source IP address (a private address) is mapped to the ISP-allocated address (a public address), and the TCP/UDP port number is mapped to a different TCP/UDP port number.
For incoming packets to the NAT protocol, the destination IP address (a public address) is mapped to the original intranet address (a private address), and the TCP/UDP port numbers are mapped back to their original TCP/UDP port numbers.
Note
  • Packets that contain the IP address only in the IP header are properly translated by NAT. Packets that contain the IP address within the IP payload may not be properly translated by NAT.
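The following Python script is an added illustration, not code from the original post or from any vendor. It models the three translation styles described above (static one-to-one, dynamic from a pool, and the port-overloading form used in the worked example) as plain lookup tables, and replays the 192.168.0.10:5000 to web server exchange step by step. The public addresses 203.0.113.1 and 198.51.100.80 are constructed documentation-range stand-ins for the post's w1.x1.y1.z1 and w2.x2.y2.z2; the static mapping and the 213.18.123.100 to 213.18.123.150 pool are the ones given in the post. The last step shows the property the post credits NAT with: an inbound packet with no table entry has nowhere to go and is dropped.

```python
"""NAT walkthrough: static one-to-one, dynamic pool, and port-overloaded (NAPT)
translation, including the unsolicited-inbound drop the article attributes to NAT.
Added illustration only. 203.0.113.1 / 198.51.100.80 are constructed
documentation-range stand-ins for the article's w1.x1.y1.z1 / w2.x2.y2.z2."""
from dataclasses import dataclass, replace
import ipaddress


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "TCP"


class AddressNat:
    """Address-only NAT: static (fixed table) or dynamic (first free pool address).

    Only the IP header changes; ports are left alone, so one public address
    can serve one private host at a time."""

    def __init__(self, static=None, pool=None):
        self.table = dict(static or {})   # private -> public
        self.free = list(pool or [])      # pool addresses not yet handed out

    def outbound(self, pkt):
        pub = self.table.get(pkt.src_ip)
        if pub is None:
            if not self.free:
                return None               # pool exhausted: nothing to translate to
            pub = self.free.pop(0)
            self.table[pkt.src_ip] = pub
        return replace(pkt, src_ip=pub)

    def inbound(self, pkt):
        reverse = {pub: priv for priv, pub in self.table.items()}
        priv = reverse.get(pkt.dst_ip)
        return None if priv is None else replace(pkt, dst_ip=priv)


class Napt:
    """Port-overloading NAT as in the article's worked example: every private
    (ip, port) pair gets its own public port on the single public address."""

    def __init__(self, public_ip, first_port=1025):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out_table = {}   # (private_ip, private_port, proto) -> public_port
        self.in_table = {}    # (public_port, proto) -> (private_ip, private_port)

    def outbound(self, pkt):
        key = (pkt.src_ip, pkt.src_port, pkt.proto)
        if key not in self.out_table:
            port = self.next_port
            self.next_port += 1
            self.out_table[key] = port
            self.in_table[(port, pkt.proto)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.public_ip, src_port=self.out_table[key])

    def inbound(self, pkt):
        """Rewrite a reply for the LAN, or return None if it must be dropped:
        either it is not for our public address, or nobody inside asked for it."""
        if pkt.dst_ip != self.public_ip:
            return None
        entry = self.in_table.get((pkt.dst_port, pkt.proto))
        if entry is None:
            return None
        priv_ip, priv_port = entry
        return replace(pkt, dst_ip=priv_ip, dst_port=priv_port)


def pool(first, last):
    """Expand an inclusive IPv4 range into a list of dotted-quad strings."""
    lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    return [str(ipaddress.IPv4Address(n)) for n in range(lo, hi + 1)]


def walkthrough():
    """Replay the article's exchange between 192.168.0.10:5000 and a web server
    on port 80, then show an unsolicited inbound probe being dropped."""
    nat = Napt("203.0.113.1")
    out = nat.outbound(Packet("192.168.0.10", 5000, "198.51.100.80", 80))
    reply = Packet("198.51.100.80", 80, "203.0.113.1", out.src_port)
    delivered = nat.inbound(reply)
    probe = nat.inbound(Packet("198.51.100.80", 80, "203.0.113.1", 1026))
    return out, delivered, probe


if __name__ == "__main__":
    out, delivered, probe = walkthrough()
    print("outbound after NAT :", out)
    print("reply after NAT    :", delivered)
    print("unsolicited probe  :", probe)
```

Running it prints the outbound packet with source 203.0.113.1:1025, the reply rewritten back to 192.168.0.10:5000, and None for the probe to port 1026, which no inside host ever opened. The same table lookup is what the "receptionist" analogy above describes: a call goes through only when an extension has been recorded for it.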

