8.7.4.1      Network Address Translation - NAT

Network Address Translation (NAT) is a method of connecting multiple computers to the Internet (or any other IP network) using one IP address. This allows home users and small businesses to connect their network to the Internet cheaply and efficiently.

The impetus towards increasing use of NAT comes from a number of factors:

·          Security needs

·          Shortage of IP addresses

·          Ease and flexibility of network administration

NAT provides firewall-style protection as a side effect, without any special set-up: it forwards inbound traffic only when it belongs to a connection that was originated on the inside network. This means, for example, that an internal client can connect to an outside FTP server, but an outside client cannot connect to an internal FTP server, because it would have to originate the connection and the NAT has no translation entry to deliver it to. Note that this is a consequence of how the translation table works, not a security policy: the NAT drops unsolicited inbound packets but applies no inspection to the traffic it does forward.

It is still possible to make selected internal servers available to the outside world via inbound mapping, which maps certain well-known TCP ports (e.g. 21 for FTP, 80 for HTTP) to specific internal addresses, making services such as FTP or Web available in a controlled way. Each such mapping is a deliberate opening in the protection described above, and the exposed server must be secured as if it sat directly on the Internet.

A network address translator (NAT) is an IP router that can translate the IP addresses and TCP/UDP port numbers of packets as they are forwarded. For example, consider a small business network with multiple computers that connect to the Internet. This business would normally have to obtain a public IP address for each computer on the network from an Internet service provider (ISP). With a NAT, however, the small business can use private addressing (as described in RFC 1918) and have the NAT map its private addresses to a single or to multiple public IP addresses.

Why use NAT

NAT is a good solution for the following combination of requirements:

·         You want to share a single Internet connection among several computers rather than connecting each computer separately.

·         You want to use private addressing.

·         You want access to Internet resources without having to deploy a proxy server.

Simple address translation

A common application of NAT is simple address translation between private internal network addresses and public external network addresses. This lets a network that uses private IP addresses (which are not routed on the Internet) reach the public Internet, which requires officially assigned IP addresses. It also avoids renumbering an existing network that was built on addresses it does not officially hold. NAT is often used where your Internet Service Provider (ISP) supplies only a single IP address for a number of devices on your LAN. With single-IP-address NAT, each internal address and port pair is mapped to a distinct port number of the external IP address, allowing many devices to use the single IP address simultaneously.

NAT also offers some simple security by hiding your internal LAN IP addresses from external networks. This is address obscurity rather than access control: an outside party cannot see the internal topology, but anything the NAT chooses to forward is still delivered to the internal host.

How network address translation works

If a small business is using the 192.168.0.0 private network ID for its intranet and has been allocated a single public IP address by its ISP, the NAT maps all private IP addresses used on network 192.168.0.0 to the public IP address.

When a private user on the small business intranet connects to an Internet resource, the user's TCP/IP protocol creates an IP packet with the following values set in the IP and TCP or UDP headers (the fields that the NAT rewrites are marked "translated"):

·         Destination IP Address: Internet resource IP address

·         Source IP Address: Private IP address (translated)

·         Destination Port: Internet resource TCP or UDP port

·         Source Port: Source application TCP or UDP port (translated)

The source host or another router forwards this IP packet to the NAT, which translates the addresses of the outgoing packet as follows:

·         Destination IP Address: Internet resource IP address

·         Source IP Address: ISP-allocated public address (translated)

·         Destination Port: Internet resource TCP or UDP port

·         Source Port: Remapped source application TCP or UDP port (translated)

The NAT sends the remapped IP packet over the Internet. The responding computer sends back a response to the NAT. When it is received by the NAT, the packet contains the following addressing information:

·         Destination IP Address: ISP-allocated public address (translated)

·         Source IP Address: Internet resource IP address

·         Destination Port: Remapped source application TCP or UDP port (translated)

·         Source Port: Internet resource TCP or UDP port

When the NAT maps and translates the addresses, and forwards the packet to the intranet client, it contains the following addressing information:

·         Destination IP Address: Private IP address (translated)

·         Source IP Address: Internet resource IP address

·         Destination Port: Source application TCP or UDP port (translated)

·         Source Port: Internet resource TCP or UDP port

For outgoing packets, the source IP address and TCP/UDP port number are mapped to the public source IP address and a possibly changed TCP/UDP port number. For incoming packets, the destination IP address and TCP/UDP port number are mapped back to the private IP address and the original TCP/UDP port number. Because the TCP and UDP checksums cover a pseudo-header that includes the IP addresses, the NAT must also recompute the IP header checksum and the TCP or UDP checksum of every packet it translates.

The mappings for private to public traffic are stored in a NAT translation table, which can contain two types of entries:

1.      Dynamic mappings

Created when communications to Internet locations are initiated by private network clients. Dynamic mappings are removed from the NAT translation table after an idle timeout, that is, after a specified amount of time with no traffic for the mapping.

2.      Static mappings

Configured manually so that communications initiated by Internet clients can be mapped to a specific private network address and port. Static mappings are needed when there are servers (for example, Web servers) or applications (for example, games) on the private network that you want to make available to computers connected to the Internet. Static mappings are not removed from the NAT translation table, so the mapped service stays reachable from the Internet until the mapping is deleted.

The NAT forwards traffic from the Internet into the private network only if a matching entry exists in the NAT translation table. In this way, the NAT provides a level of protection for computers connected to private network segments. However, a NAT should not be used in place of a fully-featured firewall when Internet security is a concern: it applies no policy to the traffic it does forward, and every static mapping exposes an internal service directly.
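The packet walkthrough above and the two kinds of translation-table entry can be put together in a small simulation. The following is an added example, not code from the original text: it models a single-public-address NAT with a translation table keyed by (protocol, public port), creates dynamic entries for outbound flows, honours static (inbound) mappings, expires idle dynamic entries, and drops inbound packets that match no entry. The class and function names, the idle timeout, the port range and the sample packets are the example's own; 203.0.113.5, 198.51.100.7 and 192.0.2.66 are RFC 5737 documentation addresses standing in for the ISP-allocated address, an Internet resource and an unsolicited outside host.

```python
"""Toy NAPT ("single public address") translation table.

Added illustration; this is not code from the original text. The class and
function names, addresses, ports and packets are constructed for the example.
203.0.113.5, 198.51.100.7 and 192.0.2.66 are RFC 5737 documentation addresses.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class Mapping:
    proto: str
    private_ip: str
    private_port: int
    public_port: int
    # Dynamic entries remember the Internet peer and accept packets only from
    # it (address-and-port-dependent filtering); static entries accept anyone.
    remote: Optional[Tuple[str, int]]
    static: bool
    last_used: float


class Napt:
    def __init__(self, public_ip: str, idle_timeout: float = 300.0, first_port: int = 1024):
        self.public_ip = public_ip
        self.idle_timeout = idle_timeout
        self._next_port = first_port
        # Keyed by (proto, public port): exactly what an inbound packet carries.
        self.table: Dict[Tuple[str, int], Mapping] = {}

    def add_static(self, proto: str, public_port: int, private_ip: str, private_port: int) -> None:
        """Inbound mapping, e.g. public TCP/80 -> internal web server. Never expires."""
        self.table[(proto, public_port)] = Mapping(proto, private_ip, private_port, public_port, None, True, 0.0)

    def _alloc_port(self, proto: str) -> int:
        while (proto, self._next_port) in self.table:
            self._next_port += 1
        port = self._next_port
        self._next_port += 1
        return port

    def _lookup_outbound(self, pkt: Packet) -> Optional[Mapping]:
        for m in self.table.values():
            if (m.proto, m.private_ip, m.private_port) != (pkt.proto, pkt.src_ip, pkt.src_port):
                continue
            if m.static or m.remote == (pkt.dst_ip, pkt.dst_port):
                return m
        return None

    def outbound(self, pkt: Packet, now: float) -> Packet:
        """Private -> Internet: rewrite source IP and port, creating a dynamic entry if needed."""
        m = self._lookup_outbound(pkt)
        if m is None:
            m = Mapping(pkt.proto, pkt.src_ip, pkt.src_port, self._alloc_port(pkt.proto),
                        (pkt.dst_ip, pkt.dst_port), False, now)
            self.table[(pkt.proto, m.public_port)] = m
        m.last_used = now
        return Packet(pkt.proto, self.public_ip, m.public_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet, now: float) -> Optional[Packet]:
        """Internet -> private: translate the destination back, or return None (dropped)."""
        self.expire(now)
        m = self.table.get((pkt.proto, pkt.dst_port))
        if pkt.dst_ip != self.public_ip or m is None:
            return None                       # no mapping: the packet is dropped
        if not m.static and m.remote != (pkt.src_ip, pkt.src_port):
            return None                       # unsolicited packet to a dynamic port
        m.last_used = now
        return Packet(pkt.proto, pkt.src_ip, pkt.src_port, m.private_ip, m.private_port)

    def expire(self, now: float) -> None:
        """Remove dynamic entries idle longer than the timeout; static ones stay."""
        stale = [k for k, m in self.table.items()
                 if not m.static and now - m.last_used > self.idle_timeout]
        for k in stale:
            del self.table[k]


def demo():
    nat = Napt("203.0.113.5")
    nat.add_static("tcp", 80, "192.168.0.10", 80)          # internal web server
    client = Packet("tcp", "192.168.0.20", 51000, "198.51.100.7", 80)
    out = nat.outbound(client, now=0.0)                     # 192.168.0.20:51000 -> 203.0.113.5:1024
    reply = nat.inbound(Packet("tcp", "198.51.100.7", 80, "203.0.113.5", out.src_port), now=1.0)
    probe = nat.inbound(Packet("tcp", "192.0.2.66", 4444, "203.0.113.5", 2222), now=2.0)
    web = nat.inbound(Packet("tcp", "192.0.2.66", 4444, "203.0.113.5", 80), now=3.0)
    late = nat.inbound(Packet("tcp", "198.51.100.7", 80, "203.0.113.5", out.src_port), now=1000.0)
    return out, reply, probe, web, late


if __name__ == "__main__":
    for label, pkt in zip(("outbound", "reply", "probe", "web", "late reply"), demo()):
        print(f"{label:11} {pkt if pkt else 'DROPPED'}")
```

In the demo the probe to public port 2222 and the reply that arrives after the idle timeout are both dropped, while the connection to public port 80 reaches the internal web server because of the static mapping. The peer check on dynamic entries is a design choice of the example; real NATs differ in how strictly they filter inbound packets to a dynamic port, and a NAT that accepts packets from any source on such a port offers correspondingly less of the incidental protection described above.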

Limitations of NAT

Typical network address translation relies on the translation of:

·         The IP addresses in the IP header.

·         The TCP port numbers in the TCP header.

·         The UDP port numbers in the UDP header.

Beyond these three items, additional translation requires processing by software components called NAT editors (also known as application-level gateways). For example, Hypertext Transfer Protocol (HTTP) traffic used to access Web servers does not require a NAT editor, because it carries no addresses or ports in its payload; translating the IP address in the IP header and the TCP port in the TCP header is sufficient.

NAT editors are required in the following instances:

·         An IP address, TCP port, or UDP port is stored in the payload.

For example, File Transfer Protocol (FTP) carries the dotted-decimal representation of an IP address, together with a port number, in the payload of the FTP PORT command. If the NAT does not translate the address inside the PORT command, and adjust the TCP sequence and acknowledgement numbers when the rewritten command changes the length of the byte stream, connectivity problems occur.

·         TCP or UDP is not being used to identify the data stream.

For example, data that is tunneled with the Point-to-Point Tunneling Protocol (PPTP) does not use a TCP or UDP header. Instead, a Generic Routing Encapsulation (GRE) header is used, and the Tunnel ID stored in the GRE header identifies the data stream. Because there is no port number for the NAT to remap, it must translate the Tunnel ID within the GRE header instead; if it does not, connectivity problems occur.
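The FTP case above is the classic NAT-editor problem, and the following added example (not code from the original text) shows the three things such an editor has to do for the PORT command: parse the address and port out of the payload, rewrite them to the public address and a reserved public port while recording the inbound data-connection mapping, and track the byte-length difference that must be applied to TCP sequence and acknowledgement numbers for the rest of the control connection. The class and function names, the reserved port range and the sample control-channel line are constructed for the example; 203.0.113.5 is an RFC 5737 documentation address.

```python
"""FTP "NAT editor" (application-level gateway) for the PORT command.

Added illustration; not code from the original text. Names, ports and the
sample command line are constructed here; 203.0.113.5 is an RFC 5737
documentation address standing in for the NAT's public address.
"""
import re
from typing import Dict, Optional, Tuple

# RFC 959 form: PORT h1,h2,h3,h4,p1,p2  (port = p1*256 + p2), terminated by CRLF.
PORT_RE = re.compile(rb"PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n")


def parse_port(line: bytes) -> Optional[Tuple[str, int]]:
    """Return (ip, port) from a PORT command, or None if the line is not a valid PORT."""
    m = PORT_RE.fullmatch(line)
    if m is None:
        return None
    n = [int(x) for x in m.groups()]
    if any(v > 255 for v in n):
        return None
    return f"{n[0]}.{n[1]}.{n[2]}.{n[3]}", n[4] * 256 + n[5]


def format_port(ip: str, port: int) -> bytes:
    return f"PORT {ip.replace('.', ',')},{port // 256},{port % 256}\r\n".encode()


class FtpPortEditor:
    """Per-control-connection state for one private client behind the NAT."""

    def __init__(self, public_ip: str, client_ip: str, first_data_port: int = 40000):
        self.public_ip = public_ip
        self.client_ip = client_ip
        self._next_port = first_data_port
        self.data_mappings: Dict[int, Tuple[str, int]] = {}   # public port -> (private ip, port)
        # Cumulative bytes added to (or removed from) the client->server stream so far.
        self.seq_delta = 0

    def rewrite(self, line: bytes) -> Tuple[bytes, Optional[int]]:
        """Translate one client->server control line.

        Returns (line to forward, public data port reserved); the port is None
        when the line is not a PORT command naming this client and is left alone.
        """
        parsed = parse_port(line)
        if parsed is None or parsed[0] != self.client_ip:
            return line, None            # nothing of ours to translate; forward unchanged
        priv_ip, priv_port = parsed
        pub_port = self._next_port
        self._next_port += 1
        # The server will connect to public_ip:pub_port; that inbound connection
        # must be translated to the client's private address, like a static mapping.
        self.data_mappings[pub_port] = (priv_ip, priv_port)
        new_line = format_port(self.public_ip, pub_port)
        self.seq_delta += len(new_line) - len(line)
        return new_line, pub_port

    def adjust_seq(self, client_seq: int) -> int:
        """Sequence number for a client->server segment sent after the rewrite."""
        return (client_seq + self.seq_delta) & 0xFFFFFFFF

    def adjust_ack(self, server_ack: int) -> int:
        """Acknowledgement number in a server->client segment, mapped back for the client."""
        return (server_ack - self.seq_delta) & 0xFFFFFFFF


def demo():
    editor = FtpPortEditor("203.0.113.5", "192.168.0.20")
    # Constructed control-channel line: the client offers 192.168.0.20:1025 (4*256+1)
    # for the data connection. The rewritten line is two bytes longer.
    forwarded, pub_port = editor.rewrite(b"PORT 192,168,0,20,4,1\r\n")
    return forwarded, pub_port, editor.data_mappings[pub_port], editor.seq_delta


if __name__ == "__main__":
    forwarded, pub_port, mapping, delta = demo()
    print(forwarded.strip().decode(), "-> public port", pub_port, "maps to", mapping, "seq delta", delta)
```

The cumulative delta is a simplification: a real editor also records the stream position at which each rewrite happened, so that retransmissions of segments sent before the change are not adjusted, and it must reassemble a PORT command that is split across TCP segments before it can parse it. Both are reasons the text recommends a full firewall with protocol-aware inspection rather than relying on NAT alone.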