Not so long ago, the Internet had a problem. There was a high demand for Internet access, but only a limited number of available Internet (IP) addresses. One solution to this problem was the creation and wide deployment of Network Address Translation (NAT), which essentially resolves multiple IP addresses into one address. This simple idea greatly extended the use of IP version 4 addresses, providing the time needed to design and implement a worthy successor—IP version 6. This article discusses the basics of NAT operation and the common NAT modes deployed in modern networks.
NAT: Quick Solution for a Complex Problem
How exactly does the ability to translate one address to another solve the problem of a shrinking public address pool? It works through the creation of a number of private IP address ranges. These ranges can be configured to reach a private device, but cannot be routed on the public Internet. Such private addresses can safely be assigned in every household, office, or enterprise that needs an IP addressing solution. However, these addresses are restricted to communicating between devices within that specific private network (or group of networks, in a large enterprise). This option by itself doesn't resolve the public addressing problem, because none of these addresses can be used as sources for Internet traffic. To remedy this situation, NAT is used.
NAT takes several forms: Static NAT (SNAT), Dynamic NAT (DNAT), and Port Address Translation (PAT). Let's look at each of these methods separately.
When using SNAT, a single internal (private) address is mapped to a single external (public) address. This type of implementation is most commonly used when a device inside a privately addressed network must be accessible directly from the Internet. Figure 1 shows an example.
Figure 1 Static NAT example.
For this example, the router that connects the web server to the Internet is performing SNAT; specifically, it's translating from a public IP address (192.0.2.10) into a private IP address (192.168.1.100). If end users need to access this device, they use the public IP address. When the packet arrives at the web server's router, the public address is translated into the private address; this address is then used for all internal communications, whereas the public IP address is used for all external communications.
DNAT provides the functionality of SNAT, but with a pool of addresses that are not device-specific. Figure 2 shows an example.
Figure 2 Dynamic NAT example.
In this example, DNAT is configured on an Internet-connected router. This router is configured with a pool of public addresses that can be assigned to hosts that need to reach destinations on the Internet. The number of internal users that are allowed to use the Internet is restricted by the number of addresses that exist in the configured pool. In this example, if any of the four displayed users attempt a connection to the Internet, they succeed, because there are four different addresses in the pool. But if all addresses are in use, any other devices that attempt a connection will fail, because no more addresses are available in the pool. From the assignment portion on, these translations act the same as SNAT entries. The problem with this design is that it greatly limits the number of devices that can connect to the Internet. Since public address exhaustion is the main problem, having a larger internal pool of available addresses doesn't fix the problem.
Port Address Translation
PAT offers a method that can be configured statically or dynamically, but in either case it provides a solution to the address exhaustion problem, by allowing multiple devices to use the same external IP address at the same time. This technique works primarily by taking advantage of Layer 4 TCP and UDP port numbers. The source port number is altered and mapped for each outgoing connection; in this way, any returning traffic to that specific port can be mapped to the correct internal address. Figure 3 shows an example.
Figure 3 Port Address Translation example.
In this example, the router is tasked with translating addresses between the internal users and the Internet. When the first device attempts to access the Internet, it's mapped to the external IP address and a specific source port number (TCP or UDP, depending on the traffic type). When traffic returns from the destination, this mapping is used to route the traffic back to the correct originating device. This method allows multiple internal users to use the same external IP address, which is why this method is the most commonly used of all three potential methods.
Almost all home users use PAT on their small Internet routers, which allows users to have multiple internal devices (PCs, laptops, phones, and so on) while sharing the same inexpensive Internet connection. Enterprises also use this functionality to limit the number of external IP addresses they need. PAT is restricted only by the number of available mappings. In large organizations, multiple external IP addresses may be configured; when the first address reaches the maximum number of translations possible for one address, the second address starts being used, and so on.
Like many other Internet services, NAT is used every day by millions of people, and most of them have no idea they're using it. The Internet would be radically different today if the number of available addresses were exhausted without NAT being implemented. Modern NAT is utilized in much the same way that it was 15–20 years ago, but it has evolved into being used for both IPv4 and IPv6 addressing. Versions of NAT have been created that translate from an IPv4 address into an IPv6 address and vice versa; this tool will be used more as IPv4 addresses are slowly phased out and IPv6 addresses are phased in.