Network Address Translation (NAT) Tutorial with Examples

What is Network Address Translation (NAT):

In this Explicit Networking Training Tutorial series, we explored the Differences between Modem and Router in detail in our previous tutorial.

In this tutorial, we will explore the concept of network address translation (NAT) by analyzing the need for introducing it, benefits, types and methods of implementation.

In the computer networking system, NAT is introduced as a rescue methodology when the IPv4 address space was getting exhausted.

NAT

What is NAT?

NAT is the process of reassigning the single IP address space into a further one by altering the network address data in the IP header of the data packet while they are traveling through a network towards the destination node.

Generally, NAT works on a router or gateway and interconnects two networks with each other by translating the private addresses into the registered addresses before the data being transmitted to another network.

NAT is having the potential to broadcast only one IP address to the public network on behalf of the entire internal network. This provisions the feature of security by efficiently hiding the overall IP address of the private network behind that solo address.

Thus NAT tenders the double feature of address translation and security for networking systems.

Why NAT?

In any networking system for communication among the PC’s and the web servers via the Internet, we require a unique IP address every time which is a 32-bit number used to locate the PC or network device you want to reach out in the network.

In past decades, while we were using IPV4 addressing scheme, there were 2^32 means 4.3 billion unique addresses could be assigned to the devices for communication purpose. But the actually available addresses were lesser than this as some were exempted because were used for broadcast, testing, and some reserved military purposes.

Therefore the leftover addresses were somewhere around 3.2 billion. It appears to be a huge number but due to the increase of use of the Internet in all areas like home networks, business purpose, watching online video; sharing data etc. the addresses were near to exhaustion.

The solution to this limitation of IPV4 addressing scheme is to recreate the addressing system so that there could be more options for allocating addresses. This can be done by introducing the IPV6 addressing scheme.

But the process of implementation of this has taken several years as this requires alteration in the overall infrastructure of the networking system.

In the meantime, NAT is introduced and widely deployed everywhere which permits a network device like a router to behave as an agent between the Internet and the private network. It signifies that a unique IP address can be used to symbolize the overall class of network devices like PCs.

Types of NAT

#1) Static NAT: It is also known as one to one NAT. In this kind of NAT, only the IP addresses and the header checksum are altered among the overall network address. These are implemented for interconnection of two distinctive IP networks having incompatible addressing.

Static NAT

[image source]

#2) Dynamic NAT: In this type of NAT, mapping of IP from an unregistered private network is done with the single IP address of the registered network from the class of registered IP addresses.

dynamic NAT

#3) Overloading NAT: It is also a type of Dynamic NAT which is also referred to as one-to-many NAT.

In this type of NAT, the packets traveling in the network from the private network to a public network means the Internet will have an alteration in the source address of the data packet and when the packets are reverted back from the public network to the private network they will have an alteration in the destination IP addresses.

overloading NAT

In addition to the source or destination, IP address the packets have the modified or different port numbers with each of the data packet so as to avoid any vagueness in the translation. Thus this combination of port number and the modified IP address is mapped with the registered private network IP.

#4) Overlapping NAT: Sometimes in a networking system, the registered IP addresses used by the internal network are also in use by another network and are registered IP’s of that network.

Therefore, in this case, the router keeps a lookup table with itself so that it can capture such cases and can exchange them with the unique registered IP addresses.

The NAT router translates the IP addresses for internal as well as external registered IP addresses for the private network.

overlapping NAT

How NAT Works?

Before going through the working let's understand some terminology used in NAT:

  • Inside local address: It is the private IP address of the private network.
  • Inside global address: It is the registered public IP address allocated to the host of the private network when it is initiating communication with the outside network.
  • Outside global address: It is the registered IP address allocated to the host on the Internet.
  • Outside local address: It is the local IP address allocated to the host at the public domain.
  • The address used by the internal network devices to communicate with each other internally is known as inside local address.
  • The address which is used by devices on the internal network to communicate with the external network devices is known as an outside local address.
  • The address used by the outside network devices to communicate with the devices on the private network is the inside global address.
  • The address used by external devices to communicate with one another is outside global address.
  • Whenever any organization built a networking system, the internet service provider will assign the pool of IP addresses to them. The assigned range of addresses includes registered and unique IP addresses which are known as inside global addresses.
  • The unregistered class of private IP addresses is consists of outside local addresses which are deployed by the NAT routers and inside local addresses which are used by local area network also known as stub domain.
  • The outside local address utilizes to translate the unique IP addresses of the network devices for the public network.
  • Most of the network devices on the LAN network uses inside local addresses for communication between them and generally don’t require the translation. Now when any device on the stub domain needs to communicate with another network, the packet will travel through the NAT router.
  • Now the NAT router will look up in the routing table to find out that it is having the entry for destination address or not. If yes, then it translates the packet and makes an entry for it in the address translation table. If the address is not found then the packet is declined.
  • By using the inside global address, the router will route the data packet to the destination.
  • Now the end host like PC on the public network forwards a data packet to the private network. This time the originating address is outside global address and the receiving address is a type of inside global address.
  • Again the NAT router will look up in the translation table and finds out that the destination address is in the table or not and then plot the IP to that stub domain to which it belongs.
  • The translation of the inside global address of the packet into the inside local address is done and it is delivered to the destination host end.
  • As already mentioned earlier, the NAT uses the TCP/IP protocol feature of using the IP packet with TCP or UDP ports with the modified IP header field for the translation purpose.

So the header of the IP packet will carry the following fields:

Source address– The IP address of the initiating host PC like 192.178.120.10

Source port– The TCP or UDP port number allocated by the initiating PC like Port 1020

Destination address– The IP address of the receiver PC like 172.145.57.20

Destination port– The TCP or UDP port that the initiating host requested to the receiver host to open like 4281.

The port number allocation is necessary as it makes sure that the correlation among the two PC’s has the unique identifier.

NAT working

NAT Example

In the below example, the inside host (172.168.20.10) wants to communicate with the outside world and the destination web server address is 192.100.20.2. Then it will send a data packet to the NAT-enabled gateway router of the network for further communication.

The gateway router learns the source IP address of the packet and looks up in the table whether the packet meets the condition for translation. The gateway router maintains an access control list (ACL) which locates the authenticate hosts for the internal network translation purposes.

Thus it will translate the inside local IP address into an inside global IP address which is here is 192.100.10.25. It will then saves this translation in the NAT table and the gateway router will route the packet to the destination.


When the web server of the Internet reverts back to the request, the packet will revert back to the global IP address 192.100.10.25 of the router.

Now the gateway router will again look up in the NAT table to find out the translated IP address corresponding to the global address. It then translates it to the inside local address and then the data packet is delivered to the host at IP address 172.168.20.10. If a match is not found in the table then the packet is discarded.

How NAT works image:

How NAT works

NAT Overload or Port Address Translation

This is basically used by the home broadband routers to map the unregistered IP address from the private network to a solo registered IP address of the public domain.

The port address translation plot the several unregistered private IP addresses into a registered public solo IP address by making use of distinctive ports. To differentiate among the various translations done in the home network the PAT will deploy exclusive port numbers to the inside global IP addresses.

Suppose for a home network, when a host PC will try to access the Internet, The NAT router will allocate the port number to its source IP address.

There could be more than one PC at one instance of time of the home network using the Internet, thus the PAT guarantees that the client PC will use a distinctive port number every time when it initiates a new session with the server on the Internet.

Now in response, the router will route the data packet on the basis of the source port number which is now has turned into the destination port number. This whole phenomenon also ensures the security of the communication session as the packet is reverted in the response to a request raised by the client.

NAT Overload

NAT Overload Table

Inside local IP addressInside global IP addressThe outside global IP addressThe outside local IP address
10.20.10.2:1666192.134.30.4:1666192.134.20.2:80192.134.20.2:80
10.20.10.3:2444192.134.30.4:2444192.134.40.3:80192.134.40.3:80

From the above figure, it is shown that the NAT overload is using the exclusive source port numbers on the inside global IP addresses to discriminate among the translations as the port number 1666 and 2444 is used respectively to spot the data packet.

Here the source address is the inside local IP address which is mentioned in the table and the destination address is the outside local IP address with port number 80 as it is accessing the Internet through HTTP.

AT the NAT router end, NAT overload alters the Source address into the inside global IP address as shown in the table above and the destination address is now known as the outside global IP address.

Double NAT

Double NAT is a situation where more than one network device like a router in a private network is performing network address translation.

The simplest example is when a DSL modem and a Wi-Fi router are connected in a network with NAT enabled in each of them. The host devices connected to the public network through a Wi-Fi router.

In this scenario, the Pc’s will not be able to access the Internet as the router doesn’t have any of its own public IP address while it is having a private IP address limited in the range of the network of the DSL modem.

How to Resolve the Double NAT Problem

There are various ways to solve the double NAT problem but which solution will exactly work will depend upon the kind of network set-up.

#1) Set the wireless router in the bridged mode: It means that go to the web interface of the router and disable the NAT and DHCP function of the wireless router manually.

If both the functions will be disabled when the mode is known as bridged mode and then configure the port forwarding function on the modem to resolve the Double NAT issue.

The screenshot below will show the enabling Bridged mode in the Router to overcome Double NAT problem.

Double NAT Bridged mode

[image source]

#2) Create PPPoE connection between router and modem: This is not supported by all ISP’s but it is one of the best ways to deal with the Double NAT issue. Go to the WAN settings in the web interface of the router and then check to mark the PPPoE to configure the WAN connection. This will bypass the NAT in the modem.

#3) Enable DMZ in modem: This will connect your router having the DMZ feature directly to the Internet and will bypass the NAT router IP, firewall and DHCP connection settings and thus the devices will automatically get the values from the router.

The steps are as follows:

  • Firstly login into the web interface of the Router and find out the WAN IP address of the router.
  • Now secondly, login into the modem administrative settings and in the DMZ settings of the modem set the Router’s WAN address as the IP address. This will enable the port forwarding and the traffic will route to the set client host.

Double NAT DMZ mode

NAT Router

A NAT router generates a network of IP addresses for local network and it interrelates that LAN network to the public network that is the Internet. The NAT executed by the router will permit the several PC’s or host devices on the LAN network at the rear end of the router to communicate with the WAN network i.e. the Internet.

The NAT routers are used for home purposes and small scale industries because the router emerges to the Internet as a solo host with a solo IP address. This efficiently cast the fact that the PC’s on the local network of the router will be allocated a single IP address at the same interval of the time.

NAT Router

NAT Router [image source]

NAT Router Inherent Security

The NAT routers have this feature that they will work as a hardware firewall device in the network and they guard the LAN network against any kind of unwanted and unusual traffic which can harm the network.

Thus it acts as a filter between the Internet and the private LAN network and allows only those traffic to pass through which are authorized to enter the network.

How does it work? Since the router interconnects the LAN network to the Internet so it witnesses all the data packets sent out to the Internet from the LAN network. The router keeps an internal connection table with itself and it saves each of the outgoing packet destination IP and the port number allocated into it. It thereafter allocates its own IP address and port number to the packet for acknowledging the homecoming traffic.

Finally, it saves the final data packet information along with the IP address and the port number in its current connection table. When any of the data packets land at the router from the Internet, the router will examine it in the current connection table that arrived packet is desired for the LAN network by checking into the table.

If the equivalent IP address and port number are found then it directs it to the destination PC of the LAN network. And if the match is not found, then the router will discard the data packet and tag it as unwanted traffic.

In this way, the NAT router shields your connection with the outside network and also in case if only one device is connected in a LAN network. So with NAT router configured in the network, none of the worms and the malicious virus can harm your network.

NAT router inherent secuirty

NAT Router Security Features

NAT Advantages:

  • By managing and reusing the IP addresses the NAT can prevent the exhaustion of the IPV4 addressing scheme.
  • It provisions the security to the private network from the outside world by maintaining the secrecy of source and destination IP address from the external network.
  • It provisions flexible networking system.
  • The private network organizations by using NAT can use the IP range of their choice for building up the internal network irrespective of the service provider of the public interface.

Limitations of NAT:

  • Since the NAT will examine all the incoming and outgoing data packets to maintain the connection table and another data record in the processor memory so the overall process will require huge capacity storage and time-consuming.
  • All the network devices and the networking systems are not compatible with the NAT technology, thus it will not function everywhere in all scenarios.
  • Due to change in the IP addresses of the device several times during the NAT process, sometimes its become very difficult to trace the end to end IP reachability of the network components.
  • NAT causes unexpected delays in the communication system.

What secure protocol is recommended for NAT: There is no such specified set of protocols which is specifically been used for NAT. But the translation comes under the Internet protocol (IP) suite. Also, the TCP protocol is used for translation while performing the NAT by the routers.

Apart from these protocols, depending upon the network scenario the different set of protocols are used like ICMP, UDP, and IPSec which are already explained in the previous tutorials.

Conclusion

From this tutorial, we have understood the reason for introducing the network address translation process in the computer networking system and its significance.

We have also learned with the help of various examples and figures, the types and working of NAT.

PREV Tutorial | NEXT Tutorial