In computer networking, network address translation (NAT) is the process of modifying network address information in datagram (IP) packet headers while in transit across a traffic routing device for the purpose of remapping a given address space into another.
Most often today, NAT is used in conjunction with network masquerading (or IP masquerading) which is a technique that hides an entire address space, usually consisting of private network addresses (RFC 1918), behind a single IP address in another, often public address space. This mechanism is implemented in a routing device that uses stateful translation tables to map the “hidden” addresses into a single address and then rewrites the outgoing Internet Protocol (IP) packets on exit so
that they appear to originate from the router. In the reverse communications path, responses are mapped back to the originating IP address using the rules (“state”) stored in the translation tables. The translation table rules established in this fashion are flushed after a short period without new traffic refreshing their state.
As described, the method enables communication through the router only when the conversation originates in the masqueraded network, since this establishes the translation tables. For example, a web browser in the masqueraded network can browse a website outside, but a web browser outside could not browse a web site in the masqueraded network. However, most NAT devices today allow the network administrator to configure translation table entries for permanent use. This feature is often referred to as “static NAT” or port forwarding and allows traffic originating in the ‘outside’ network to reach designated hosts in the masqueraded network.
Because of the popularity of this technique (see below), the term NAT has become virtually synonymous with the method of IP masquerading.
Network address translation has serious consequences (Drawbacks, Benefits) on the quality of Internet connectivity and requires careful attention to the details of its implementation. As a result, many methods have been devised to alleviate the issues encountered. See article on NAT traversal.
Overview
In the mid-1990s NAT became a popular tool for alleviating the IPv4 address exhaustion. It has become a standard, indispensable feature in routers for home and small-office Internet connections.
Most systems using NAT do so in order to enable multiple hosts on a private network to access the Internet using a single public IP address (see gateway). However, NAT breaks the originally envisioned model of IP end-to-end connectivity across the Internet, introduces complications in communication between hosts, and affects performance.
NAT obscures an internal network’s structure: all traffic appears to outside parties as if it originated from the gateway machine.
Network address translation involves re-writing the source and/or destination IP addresses and usually also the TCP/UDP port numbers of IP packets as they pass through the NAT. Checksums (both IP and TCP/UDP) must also be rewritten to take account of the changes.
In a typical configuration, a local network uses one of the designated “private” IP address subnets (the RFC 1918). Private Network Addresses are 192.168.x.x, 172.16.x.x through 172.31.x.x, and 10.x.x.x (or using CIDR notation, 192.168/16, 172.16/12, and 10/8), and a router on that network has a private address (such as 192.168.0.1) in that address space. The router is also connected to the Internet with a single “public” address (known as “overloaded” NAT) or multiple “public” addresses assigned by an ISP. As traffic passes from the local network to the Internet, the source address in each packet is translated on the fly from the private addresses to the public address(es). The router tracks basic data about each active connection (particularly the destination address and port). When a reply returns to the router, it uses the connection tracking data it stored during the outbound phase to determine where on the internal network to forward the reply; the TCP or UDP client port numbers are used to demultiplex the packets in the case of overloaded NAT, or IP address and port number when multiple public addresses are available, on packet return. To a system on the Internet, the router itself appears to be the source/destination for this traffic.
Basic NAT and PAT
There are two levels of network address translation.
• Basic NAT. This involves IP address translation only, not port mapping.
• PAT (Port Address Translation). Also called simply “NAT” or “Network Address Port Translation, NAPT”. This involves the
translation of both IP addresses and port numbers.
All Internet packets have a source IP address and a destination IP address. Both or either of the source and destination addresses may be translated.
Some Internet packets do not have port numbers. For example, ICMP packets have no port numbers. However, the vast bulk of Internet traffic is TCP and UDP packets, which do have port numbers. Packets which do have port numbers have both a source port number and a destination port number. Both or either of the source and destination ports may be translated.
NAT which involves translation of the source IP address and/or source port is called source NAT or SNAT. This re-writes the IP address and/or port number of the computer which originated the packet.
NAT which involves translation of the destination IP address and/or destination port number is called destination NAT or DNAT. This re-writes the IP address and/or port number corresponding to the destination computer.
SNAT and DNAT may be applied simultaneously to Internet packets.
Types of NAT
Network address translation is implemented in a variety of schemes of translating addresses and port numbers, each affecting application communication protocols differently. In some application protocols that use IP address information, the application running on a node in the masqueraded network needs to determine the external address of the NAT, i.e., the address that its communication peers detect, and, furthermore, often needs to examine and categorize the type of mapping in use. For this purpose, the Simple traversal of UDP over NATs (STUN) protocol was developed (RFC 3489, March 2003). It classified NAT implementation as full cone NAT, (address) restricted cone NAT, port restricted cone NAT or symmetric NAT and proposed a methodology for testing a device accordingly. However, these procedures have since been deprecated from standards status, as the methods have proven faulty and inadequate to correctly assess many devices. New methods have been standardized in RFC 5389 (October 2008) and the STUN acronym now represents the new title of the specification: Session Traversal Utilities for NAT.
This terminology has been the source of much confusion, as it has proven inadequate at describing real-life NAT behavior.[2] Many NAT implementations combine these types, and it is therefore better to refer to specific individual NAT behaviors instead of using the Cone/Symmetric terminology. Especially, most NAT translators combine symmetric NAT for outgoing connections with static port mapping, where incoming packets to the external address and port are redirected to a specific internal address and port. Some products can redirect packets to several internal hosts, e.g. to divide the load between a few servers. However, this introduces problems with more sophisticated communications that have many interconnected packets, and thus is rarely used.
Many NAT implementations follow the port preservation design. For most communications, they use the same values as internal and external port numbers. However, if two internal hosts attempt to communicate with the same external host using the same port number, the external port number used by the second host will be chosen at random. Such NAT will be sometimes perceived as (address) restricted cone NAT and other times as symmetric NAT.
NAT and TCP/UDP
“Pure NAT”, operating on IP alone, may or may not correctly parse protocols that are totally concerned with IP information, such as ICMP, depending on whether the payload is interpreted by a host on the “inside” or “outside” of translation. As soon as the protocol stack is climbed, even with such basic protocols as TCP and UDP, the protocols will break unless NAT takes action beyond the network layer.
IP has a checksum in each packet header, which provides error detection only for the header. IP datagrams may become fragmented and it is necessary for a NAT to reassemble these fragments to allow correct recalculation of higher level checksums and correct tracking of which packets belong to which connection.
The major transport layer protocols, TCP and UDP, have a checksum that covers all the data they carry, as well as the TCP/UDP header, plus a “pseudo-header” that contains the source and destination IP addresses of the packet carrying the TCP/UDP header. For an originating NAT to successfully pass TCP or UDP, it must recompute the TCP/UDP header checksum based on the translated IP addresses, not the original ones, and put that checksum into the TCP/UDP header of the first packet of the fragmented set of packets. The receiving NAT must recompute the IP checksum on every packet it passes to the destination host, and also recognize and recompute the TCP/UDP header using the retranslated addresses and pseudo-header. This is not a completely solved problem. One solution is for the receiving NAT to reassemble the entire segment and then recompute a checksum calculated across all packets.
Originating host may perform Maximum transmission unit (MTU) path discovery (RFC 1191) to determine the packet size that can be transmitted without fragmentation, and then set the “don’t fragment” bit in the appropriate packet header field.
Destination network address translation (DNAT)
DNAT is a technique for transparently changing the destination IP address of an en-route packet and performing the inverse function for any replies. Any router situated between two endpoints can perform this transformation of the packet.
DNAT is commonly used to publish a service located in a private network on a publicly accessible IP address.
SNAT
The usage of the term SNAT varies by vendor. Many vendors have proprietary definitions for SNAT. A common definition is Source NAT, the counterpart of Destination NAT (DNAT).
Microsoft uses the term for Secure NAT, in regards to the ISA Server extension discussed below. For Cisco Systems, SNAT means Stateful NAT.
The Internet Engineering Task Force (IETF) defines SNAT as Softwires Network Address Translation. This type of NAT is named after the Softwires working group that is charged with the standardization of discovery, control and encapsulation methods for connecting IPv4 networks across IPv6 networks and IPv6 networks across IPv4 networks.
Pingback: plz!!!need help with portmapping..?
Pingback: Network address translation (NAT) | Network Tutorial | IP address.co.uk
I don’t normally post to blogs but I enjoyed this post so keep up the good work. -cheers-
Czech Republic VPN Accounts To Go: https://www.intl-alliance.com/store/index.php?main_page=index&cPath=1_73
This information is bit incomplete, I must say that the homework was done really good, but the problem came when you tried to assemble this information and present it. No doubt you did your best and I appreciate the fact that this will help as well, you should read other posts as well to make your posting really to the point and really understandable. I will PM you some of the threads about this topic so that the next time you visit the forum and post something really informative like this, it will be more effective and helpful to all.
Pingback: Webhosting help!!! (not want computer open 24/7)? | Host Rage
Great site. A lot of useful information here. I’m sending it to some friends!
Thanks My Friend
Pingback: Are You Thinking Big Enough
Superb! Generally I never read whole articles but the way you wrote this information is simply amazing and this kept my interest in reading and I enjoyed it. You have got good writing skills. I’m sure you would like some more traffic to your blog because everyone does. I personally use the miracle traffic bot! You won’t be disappointed because this thing is definitely amazing.
No. But now i will. Thanks for that.
You are a very smart person!
There is obviously a lot to know about this. I think you made some good points in Features also. Keep working ,great job!
Pingback: How to Create a Small Network for Home or Office
Im grateful for the blog post.Really looking forward to read more. Really Cool.
Best you should change the post title Network address translation (NAT) | Network Tutorial to more generic for your blog post you make. I liked the post however.
Great points altogether, you just gained a brand new reader. What would you recommend in regards to your post that you made a few days ago? Any positive?
you’re actually a excellent webmaster. The site loading velocity is amazing. It sort of feels that you are doing any distinctive trick. Moreover, The contents are masterpiece. you’ve performed a wonderful process in this topic!