Network address translation (NAT)

A method of substituting one Internet Protocol (IP) address for another.

Overview

Network address translation (NAT) is a mechanism for translating the IP addresses of hosts on one network into IP addresses belonging to a different network. NAT is usually used at the boundary of two networks, especially where a private network such as a corporate network meets a public network such as the Internet. The motivation behind the creation of NAT is that the number of available global (public) registered IP addresses on the Internet is rapidly being depleted. NAT works around this problem by:

- Address reuse: NAT allows multiple private networks to use the same network IDs (same range of IP addresses). Private networks (networks not directly connected to the Internet) can use any range of IP addresses but usually employ those addresses specially reserved by the Internet Assigned Numbers Authority (IANA) for private network usage, such as 10.0.0.0 through 10.255.255.255 (or 10/8 in classless interdomain routing [CIDR] notation), 172.16.0.0 through 172.32.255.255 (or 172.16/12), and 192.168.0.0 through 192.168.255.255 (or 192.168/16). Addresses in these ranges are designated by IANA as nonroutable addresses, and networks using these addresses cannot directly connect to the Internet using a router. Instead, they need a router or access device that supports NAT so that these nonroutable addresses can be translated into public addresses for routing over the Internet.

- Address multiplexing: NAT allows the IP addresses of multiple hosts on a private network to be exposed to the Internet as a single public IP address. This allows the addresses of hosts on a private network to be hidden from the outside world, improving security on the network. Address multiplexing is sometimes referred to as network address port translation (NAPT).

NAT is defined in RFC 1631, and the IP addresses reserved by IANA for use on private networks are defined in RFC 1918.
Uses

NAT has several uses in enterprise networks:

- NAT allows corporate networks using RFC 1918 private network addresses to access the Internet through NAT-enabled routers and access servers. NAT also enables older enterprises that deployed addresses noncompliant with RFC 1918 to connect to the Internet.

- NAT allows corporate networks to hide the address topology of their networks from the Internet. NAT is not a replacement for firewalls, though, as in itself it performs no address or port filtering, just translation. In fact, NAT is usually available as an additional feature on most firewall products today.

- Often two private networks need to join together as a result of a merger. If both networks are using the same RFC 1918 addresses, NAT enables the networks to be united without the need to readdress one of them.

Implementation

In a typical NAT scenario, a NAT-enabled router connects an internal corporate network with the Internet. The internal network has multiple IP hosts using private network IP addresses, while the router has a similar private IP address on its near-side (internal) interface and a public (global) address on its far-side (external) interface. NAT operates by examining traffic that passes through the router and building a table that maps the connections between hosts inside the network and hosts outside on the Internet. For each connection the table contains:

- Original IP address and port number of the source
- Original IP address and port number of the destination
- Translated IP address and port number of the source
- Translated IP address and port number of the destination
- Transmission Control Protocol (TCP) and Internet Control Message Protocol (ICMP) sequence numbers

All packets that enter the network through the router have their addresses translated, and all packets leaving the network have their addresses translated back again.
Implementing NAT on a router or firewall thus involves creating and configuring a NAT table containing these private/public IP address mappings. These address mappings can be either:

- Manually created: A static NAT table essentially consists of a series of manually created NAT rules that specify how IP addresses will be translated. Static NAT mappings are always one-to-one mappings between actual and translated addresses. For example, a typical static NAT rule might be equivalent to the statement, "Translate all IP addresses belonging to the network 176.43.8.z to IP addresses in the form 145.5.133.z, with the subnet mask 255.255.255.0 used for both networks." This rule results in the address 176.43.8.1 being mapped to 145.5.133.1, 176.43.8.2 being mapped to 145.5.133.2, and so on. This approach can be used, for example, when corporate networks with conflicting addresses need to be merged into one network. Static mappings are not very useful, however, for connections between private networks and the Internet, because the large number of possible connections to Internet hosts can make the NAT table grow excessively large, degrading router performance.

- Dynamically assigned: NAT-enabled routers can often dynamically allocate IP addresses to hosts on the private network by selecting addresses drawn from a specified pool. Dynamic NAT mappings are also one-to-one mappings between actual and translated addresses. This process is similar to Dynamic Host Configuration Protocol (DHCP) and can be done either randomly or, more usually, on a round-robin basis. Each time a connection is formed between the external and internal networks, NAT assigns a different IP address from the pool to the internal host being connected to, and the address information in packets is modified accordingly. Another popular form of dynamic NAT is called address overloading, masquerading, port address translation (PAT), or network address port translation (NAPT).
In this situation all the IP addresses of the internal private network are hidden from outsiders, who can access only the single IP address of the interface exposed to the public network. Address overloading thus employs many-to-one mappings of IP addresses and is used when the number of internal addresses is greater than the available number of global addresses. Address overloading differs from standard NAT in that port numbers are also translated, not just IP addresses. For example, it is possible to multiplex many TCP connections through a single global IP address by assigning each connection a different port number. These numbers might be chosen, for example, from the range 61,000 through 65,096, which would allow up to 4096 simultaneous TCP connections through a single overloaded IP address. Address overloading is often used by firewalls and sometimes for load balancing Web servers.

Advantages and Disadvantages

NAT provides corporate networks with portability by eliminating the need for an organization to obtain globally unique IP addresses from its Internet service provider (ISP). Should an organization using global addresses need to change providers, this usually means obtaining new global addresses from the new provider and reconfiguring the network accordingly. With NAT, a company can use RFC 1918 private addresses for hosts on its corporate network, regardless of which ISP it is connected to the Internet through. And when changing ISPs, the only reconfiguration required would be on the external interface of the company's router or firewall, which would need a new global address obtained from the new provider. NAT also reduces cost for large corporate networks that need to connect to the Internet. This is because without NAT you would need to purchase a large block of unique IP addresses from your ISP in order to connect your network with the Internet, and such address blocks are sometimes scarce and therefore costly.
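The following Python model is an added illustration, not part of the original entry, covering both the static one-to-one rule from the Implementation section (176.43.8.z to 145.5.133.z) and the port-overloaded table just described: outbound flows get a public port from the 61,000 to 65,096 window, replies are translated back through the table, and an inbound packet with no table entry is dropped. The public address 203.0.113.7, the destination 198.51.100.5 and the 192.168.x.x hosts are constructed placeholders.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

# Constructed placeholder values (not from the entry): one public address shared by
# every internal host, and the port window the entry cites for multiplexing.
PUBLIC_IP = "203.0.113.7"
PORT_RANGE = range(61000, 65097)


def static_translate(ip, inside_cidr, outside_cidr):
    """One-to-one static rule: keep the host part, swap in the outside network part."""
    inside, outside = IPv4Network(inside_cidr), IPv4Network(outside_cidr)
    host = int(IPv4Address(ip)) - int(inside.network_address)
    return str(outside.network_address + host)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Napt:
    """Address overloading: many inside (ip, port) pairs behind one public address."""

    def __init__(self):
        self.out = {}   # (inside ip, inside port, dst ip, dst port) -> public port
        self.back = {}  # (public port, dst ip, dst port) -> (inside ip, inside port)
        self.free = list(reversed(PORT_RANGE))  # pop() hands out 61000 first

    def outbound(self, pkt):
        """Packet leaving the private network: rewrite source ip and port."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.out:
            if not self.free:
                raise RuntimeError("port pool exhausted: every port in the window is mapped")
            port = self.free.pop()
            self.out[key] = port
            self.back[(port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(PUBLIC_IP, self.out[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Reply from the Internet: translate back, or return None (drop) if no entry."""
        inside = self.back.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if inside is None:
            return None  # unsolicited packet: nothing in the table, not forwarded
        return Packet(pkt.src_ip, pkt.src_port, inside[0], inside[1])

    def active_flows(self):
        return len(self.out)
```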
Using NAT, however, only the far side (public interface) of your router or firewall needs a unique global IP address obtained from your ISP; within your network you can use RFC 1918 addresses because your private network is securely hidden from the outside world behind your NAT-enabled router or firewall. And RFC 1918 addressing provides companies with access to address blocks as large as Class A (the 10/8 block) that can support millions of different hosts. Try obtaining a Class A from an ISP today if you think you need one: all Class A addresses were assigned years ago, and only a few Class B addresses are still available. NAT also helps to conserve the available pool of IPv4 addresses for the Internet, thus postponing the day when networks will need to be migrated to IPv6, a process that may be costly for large enterprises and will require considerable training of network professionals in the use of the new protocol.

NAT's main disadvantage is that some protocols (and hence the applications that use them) simply do not work when IP addresses are translated. This particularly applies to protocols that involve:

- Encryption: NAT does not work with protocols that use encryption schemes, and it can interfere with authentication systems that employ encryption as well. The main way of working around this issue with IPsec, a popular IP encryption protocol, is to use a router that supports both NAT and virtual private networking (VPN) to tunnel IPsec-encrypted packets through unencrypted IP packets that can be translated using NAT, but this is a complicated workaround that increases the router's processing load (and therefore the cost).

- Embedded addresses: NAT does not work with protocols that embed address and port information within the data portion of packets in a nonpredictable fashion.
The following table lists some of the protocols that have no trouble working with NAT, that can work with NAT as long as NAT devices are specially configured to support them, and that cannot easily work with NAT.

Support for NAT by Popular Internet Protocols

Work with NAT by default:              HTTP, NFS, Rlogin, Telnet, TFTP
Can be configured to work with NAT:    DNS, FTP, H.323, ICMP, IP multicast, NetBT
Cannot easily work with NAT:           BOOTP, IPsec, Kerberos, routing table updates, SNMP

Another disadvantage of NAT is that end-to-end connectivity is effectively lost, which makes it more difficult to troubleshoot routing issues. Also, more costly routers may be required due to the additional processing overhead incurred by NAT. This processing overhead can introduce additional latency into internetworks using NAT-enabled routers, which can degrade time-sensitive applications such as Voice over IP (VoIP) and streaming multimedia presentations.

Marketplace

Many routers and access servers support NAT. In particular, Cisco Systems routers running Cisco's Internetwork Operating System (IOS) versions 11.2 and higher support NAT. Microsoft Windows 2000 supports two ways of translating IP addresses for connecting a private network with the Internet:

- Internet Connection Sharing (ICS): Intended for small office/home office (SOHO) environments to provide access to the Internet through a designated Windows 2000, Windows XP, or Windows .NET Server computer. ICS automatically allocates addresses for internal hosts and supports only one interface to the internal network.

- Routing and Remote Access Service (RRAS): Provides a robust solution for larger corporate networks to access the Internet through multiple interfaces and using an addressing scheme chosen by the administrator. Windows 2000 or Windows .NET Server computers using the NAT feature of RRAS also function as DNS and Windows Internet Name Service (WINS) proxies for their connected subnets.
Prospects

NAT is essentially a workaround to extend the viability of the current IPv4 system by reducing the number of unique IP addresses required for connectivity to the Internet. NAT is viewed as a temporary solution until existing IPv4 networks can be fully migrated to the new IPv6 standard. However, the security advantages of using NAT-enabled firewalls have actually revitalized IPv4 to an extent and hence made migration to IPv6 seem less urgent to many network architects. Thus, while the Internet community presses for migration to IPv6, most large enterprises are content to use NAT and avoid the costs associated with a mass upgrade to the newer IPv6 protocol.

On the other hand, the proliferation of small mobile networked devices such as Web-enabled cell phones and Personal Digital Assistants (PDAs) may provide the impetus needed to push the wider networking community toward IPv6. The current IPv4 system lacks sufficient available addresses to support the millions of Internet-enabled mobile devices just over the horizon, and some countries such as Japan are already starting to roll out IPv6 on these devices. Workarounds such as NAT may still be in use for years, however, and gateways can be deployed for converting IPv6 to IPv4 addresses within the mixed IPv6/IPv4 environment that is likely to characterize the global Internet of the next decade.

See Also: classless interdomain routing (CIDR), Dynamic Host Configuration Protocol (DHCP), firewall, Internet, IP address, IPsec, routing, virtual private network (VPN)