Network Address Translation (NAT)

Network Address Translation (NAT) is a process in which one or more local IP address is translated into one or more Global IP address and vice versa in order to provide Internet access to the local hosts. Also, it does the translation of port numbers i.e. masks the port number of the host with another port number, in the packet that will be routed to destination. It then makes the corresponding entries of IP address and port number in the NAT table. NAT generally operates on router or firewall.^[1]

source: Watguard

Explaining Network Address Translation (NAT)^[2]
The most common form of network translation involves a large private network using addresses in a private range (10.0.0.0 to 10.255.255.255, 172.16.0.0 to 172.31.255.255, or 192.168.0 0 to 192.168.255.255). The private addressing scheme works well for computers that only have to access resources inside the network, like workstations needing access to file servers and printers. Routers inside the private network can route traffic between private addresses with no trouble. However, to access resources outside the network, like the Internet, these computers have to have a public address in order for responses to their requests to return to them. This is where NAT comes into play.

Internet requests that require Network Address Translation (NAT) are quite complex but happen so rapidly that the end user rarely knows it has occurred. A workstation inside a network makes a request to a computer on the Internet. Routers within the network recognize that the request is not for a resource inside the network, so they send the request to the firewall. The firewall sees the request from the computer with the internal IP. It then makes the same request to the Internet using its own public address, and returns the response from the Internet resource to the computer inside the private network. From the perspective of the resource on the Internet, it is sending information to the address of the firewall. From the perspective of the workstation, it appears that communication is directly with the site on the Internet. When NAT is used in this way, all users inside the private network access the Internet have the same public IP address when they use the Internet. That means only one public address is needed for hundreds or even thousands of users.

Most modern firewalls are stateful – that is, they are able to set up the connection between the internal workstation and the Internet resource. They can keep track of the details of the connection, like ports, packet order, and the IP addresses involved. This is called keeping track of the state of the connection. In this way, they are able to keep track of the session composed of communication between the workstation and the firewall, and the firewall with the Internet. When the session ends, the firewall discards all of the information about the connection.

There are other uses for Network Address Translation (NAT) beyond simply allowing workstations with internal IP addresses to access the Internet. In large networks, some servers may act as Web servers and require access from the Internet. These servers are assigned public IP addresses on the firewall, allowing the public to access the servers only through that IP address. However, as an additional layer of security, the firewall acts as the intermediary between the outside world and the protected internal network. Additional rules can be added, including which ports can be accessed at that IP address. Using NAT in this way allows network engineers to more efficiently route internal network traffic to the same resources, and allow access to more ports, while restricting access at the firewall. It also allows detailed logging of communications between the network and the outside world.

Additionally, NAT can be used to allow selective access to the outside of the network, too. Workstations or other computers requiring special access outside the network can be assigned specific external IPs using NAT, allowing them to communicate with computers and applications that require a unique public IP address. Again, the firewall acts as the intermediary, and can control the session in both directions, restricting port access and protocols.

NAT is a very important aspect of firewall security. It conserves the number of public addresses used within an organization, and it allows for stricter control of access to resources on both sides of the firewall.

How NAT Works^[3]
Developed by Cisco, Network Address Translation is used by a device (firewall, router or computer that sits between an internal network and the rest of the world. NAT has many forms and can work in several ways:

• Static NAT - Mapping an unregistered IP address to a registered IP address on a one-to-one basis. Particularly useful when a device needs to be accessible from outside the network.

• Dynamic NAT - Maps an unregistered IP address to a registered IP address from a group of registered IP addresses.

• Overloading - A form of dynamic NAT that maps multiple unregistered IP addresses to a single registered IP address by using different ports. This is known also as PAT (Port Address Translation), single address NAT or port-level multiplexed NAT.

• Overlapping - When the IP addresses used on your internal network are registered IP addresses in use on another network, the router must maintain a lookup table of these addresses so that it can intercept them and replace them with registered unique IP addresses. It is important to note that the NAT router must translate the "internal" addresses to registered unique addresses as well as translate the "external" registered addresses to addresses that are unique to the private network. This can be done either through static NAT or by using DNS and implementing dynamic NAT.

The internal network is usually a LAN (Local Area Network), commonly referred to as the stub domain. A stub domain is a LAN that uses IP addresses internally. Most of the network traffic in a stub domain is local, so it doesn't travel outside the internal network. A stub domain can include both registered and unregistered IP addresses. Of course, any computers that use unregistered IP addresses must use Network Address Translation to communicate with the rest of the world.

Why Use NAT?^[4]
NAT is a straightforward enough process, but what is the point of it? Ultimately, it comes down to conservation and security.

• IP Conservation: IP addresses identify each device connected to the internet. The existing IP version 4 (IPv4) uses 32-bit numbered IP addresses, which allows for 4 billion possible IP addresses, which seemed like more than enough when it launched in the 1970s. However, the internet has exploded, and while not all 7+ billion people on the planet access the internet regularly, those that do often have multiple connected devices: phones, personal desktop, work laptop, tablet, TV, even refrigerators. Therefore, the number of devices accessing the internet far surpasses the number of IP addresses available. Routing all of these devices via one connection using NAT helps to consolidate multiple private IP addresses into one public IP address. This helps to keep more public IP addresses available even while private IP addresses proliferate. On June 6, 2012, IP version 6 (IPv6) officially launched to accommodate the need for more IP addresses. IPv6 uses 128-bit numbered IP addresses, which allow for exponentially more potential IP addresses. It will take many years before this process finishes; so until then, NAT will be a valuable tool.
• NAT Security: Additionally, NAT can provide security and privacy. Because NAT transfers packets of data from public to private addresses, it also prevents anything else from accessing the private device. The router sorts the data to ensure everything goes to the right place, making it more difficult for unwanted data to get by. It’s not foolproof, but it often acts as the first means of defense for your device. If an organization wants to protect its data, they’ll need to go further than just a NAT firewall — they’ll want to hire a cybersecurity professional. NAT also allows you to display a public IP address while on a local network, helping to keep data and user history private. All of this might seem complicated in theory, but it’s even more so in the real world. IT professionals use NAT to secure their data and use several devices under the same IP – and everyone is interested in securing their data. Getting the right certification helps IT professionals demonstrate their competence and understanding of these complicated subjects.

NAT Implementation^[5]
Network address and port translation may be implemented in several ways. Some applications that use IP address information may need to determine the external address of a network address translator. This is the address that its communication peers in the external network detect. Furthermore, it may be necessary to examine and categorize the type of mapping in use, for example when it is desired to set up a direct communication path between two clients both of which are behind separate NAT gateways.

For this purpose, RFC 3489 specified a protocol called Simple Traversal of UDP over NATs (STUN) in 2003. It classified NAT implementations as full-cone NAT, (address) restricted-cone NAT, port-restricted cone NAT or symmetric NAT, and proposed a methodology for testing a device accordingly. However, these procedures have since been deprecated from standards status, as the methods are inadequate to correctly assess many devices. RFC 5389 standardized new methods in 2008 and the acronym STUN now represents the new title of the specification: Session Traversal Utilities for NAT.

• Full-cone NAT, also known as one-to-one NAT
  • Once an internal address (iAddr:iPort) is mapped to an external address (eAddr:ePort), any packets from iAddr:iPort are sent through eAddr:ePort.
  • Any external host can send packets to iAddr:iPort by sending packets to eAddr:ePort.

• (Address)-restricted-cone NAT
  • Once an internal address (iAddr:iPort) is mapped to an external address (eAddr:ePort), any packets from iAddr:iPort are sent through eAddr:ePort.
  • An external host (hAddr:any) can send packets to iAddr:iPort by sending packets to eAddr:ePort only if iAddr:iPort has previously sent a packet to hAddr:any. "Any" means the port number doesn't matter

• Port-restricted cone NAT Like an address restricted cone NAT, but the restriction includes port numbers.
  • Once an internal address (iAddr:iPort) is mapped to an external address (eAddr:ePort), any packets from iAddr:iPort are sent through eAddr:ePort.
  • An external host (hAddr:hPort) can send packets to iAddr:iPort by sending packets to eAddr:ePort only if iAddr:iPort has previously sent a packet to hAddr:hPort.

• Symmetric NAT
  • Each request from the same internal IP address and port to a specific destination IP address and port is mapped to a unique external source IP address and port; if the same internal host sends a packet even with the same source address and port but to a different destination, a different mapping is used.
  • Only an external host that receives a packet from an internal host can send a packet back.

Advantages of and Disadvantages Using NAT^[6]

Advantages of Using NAT
The biggest advantage that NAT offers is the chance to make sure that all machines on your network share a public IP address. This makes it more difficult for hackers to be able to attack individual computers on your network, since outside machines will not be able to access the actual IP address of an individual employee's machine. This system also makes your network easier to expand. Once the NAT is set up, it is very easy to add a huge number of different computers, all of which can share one or several IP addresses, depending on which NAT model you choose to use. Overall, this setup can also increase ease of use for remote users, since they can effectively be on your network even when they are afar.

Disadvantages of Using NAT
NAT is not for everybody. Among its disadvantages are a matter of complexity. The system is very useful when it begins operation, but it takes time and effort to set it up effectively. If you have an inexperienced IT team, you might want to consult with an experienced network professional before switching over to an NAT. The limited number of public addresses can be a double edged sword, especially if you use VoIP or other programs that require the use of multiple addresses. Finally, because an NAT needs to take some extra steps in rerouting interaction to a limited number of public IPs, it can slow down your network performance, especially if you have a large number of computers on the network.

Depending on your business structure, NAT can be a very useful way to simplify your company's public IP addresses as well as increase your overall security. However, you should make sure that you understand the exact impact that this will have on your network and that you are prepared to maximize the benefits while minimizing the potential drawbacks.

See Also

References