NAT (NETWORK ADDRESS TRANSLATION)
In computer networking, Network Address Translation (NAT) is the process of modifying IP address information in IP packet headers while in transit across a traffic routing device.
Network Address Translation (NAT) allows security administrators to overcome IP addressing limitations, allowing private IP-address allocation and unregistered internal-addressing schemes.
Enterprises employ NAT for a variety of reasons, including:
- Private IP addresses used on internal networks.
- Limiting external network access.
- Ease and flexibility of network administration.
Network Address Translation (NAT) can be used to translate either IP address in a connection. When the IP address of the machine initiating the connection (typically the “client” of the connection) is translated, this is referred to as source NAT. When the IP address of the machine receiving the connection is translated, this is referred to as destination NAT.
Methods Of Translation
There are several ways of implementing network address and port translation. In some application protocols that use IP address information, the application running on a node in the masqueraded network needs to determine the external address of the NAT,
Static NAT is a one-to-one relationship, where each host is translated to a unique address. This allows connections to be initiated both internally and externally. An example would be a web server or a mail server that needs to allow connections initiated externally.
A static translation is assigned to a server that needs to be accessed directly from outside the firewall (for example). So, the packet is typically initiated from a host outside the firewall. When the client initiates traffic to the static NAT address, the destination of the packet is translated to the server's private address.
Dynamic network address translation (Dynamic NAT) is a technique in which multiple public Internet Protocol (IP) addresses are mapped and used with an internal or private IP address.
It allows a local computer, server or networking device with an unregistered private IP address to reach an external network or the Internet by borrowing one of a group of available public IP addresses.
Dynamic NAT bridges the communication and packet routing path between private/protected/internal networks and the Internet. Each internal device on an unregistered IP address requesting Internet access can select from a group of public IP addresses.
Dynamic NAT is usually configured on a router/firewall that maintains a group of public IP addresses in a network address translation (NAT) table. For each outgoing packet, the router replaces its source, a private IP address, with the first available public IP address.
When the reply packet is received from the destination node, the router consults the NAT table to find the corresponding private IP address and then routes the packet to that internal node.
PORT ADDRESS TRANSLATION (PAT)
Port Address Translation (PAT) is a technique in which port numbers and private Internet Protocol (IP) addresses are mapped from multiple internal hosts to one public IP address.
It is a type of network address translation (NAT) technology that extends capabilities by translating and mapping port numbers, in addition to the IP address, when communicating with an external network.
PAT maps Transmission Control Protocol/User Datagram Protocol (TCP/UDP) port numbers and IP addresses of local devices with registered, public IP addresses and corresponding TCP/UDP ports. PAT uses the same public IP address to enable the connection of multiple internal hosts with external networks or the Internet.
PAT is usually configured on a routing device, like a router or firewall. Each internal host requesting connection to an external network passes through the PAT device, which replaces the host’s private IP address and port number with a public IP address and a port number drawn from the device's pool. For example, a device that requests access may have the IP address 10.0.0.1 and port 5678. When its packets leave the PAT device, the source IP address is 18.104.22.168 – or any available public IP address – and the source port is 7650.
The NAT device or router usually is configured with or assigned the public IP address, allowing multiple local hosts to have the same IP address with different port numbers in order to access Internet/external networks.
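To make the dynamic NAT and PAT behaviour described above concrete, here is an added Python model (example code, not part of the original article or of any vendor implementation). It assumes constructed addresses (a pool of 198.51.100.x, the page's 18.104.22.168 as the PAT address, 203.0.113.10 as an external server) and shows two things the prose only states: dynamic NAT refuses new hosts once its pool is empty, and a PAT device drops inbound packets for which it holds no binding, which is what "limits external network access".

```python
from dataclasses import dataclass
from typing import Optional
import itertools


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class DynamicNat:
    """Dynamic NAT: each private host borrows a whole address from a public pool."""

    def __init__(self, pool):
        self.free = list(pool)      # public addresses not yet handed out
        self.table = {}             # private IP -> public IP

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.src_ip not in self.table:
            if not self.free:
                return None         # pool exhausted: this host cannot get out
            self.table[pkt.src_ip] = self.free.pop(0)   # first available address
        return Packet(self.table[pkt.src_ip], pkt.src_port, pkt.dst_ip, pkt.dst_port)


class Pat:
    """PAT (NAT overload): many private hosts share one public IP, told apart by port."""

    def __init__(self, public_ip: str, first_port: int = 7650):
        self.public_ip = public_ip
        self._next_port = itertools.count(first_port)
        self.table = {}             # (private IP, private port) -> public port
        self._by_port = {}          # public port -> (private IP, private port)

    def outbound(self, pkt: Packet) -> Packet:
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.table:   # first packet of a flow creates the binding
            port = next(self._next_port)
            self.table[key] = port
            self._by_port[port] = key
        return Packet(self.public_ip, self.table[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Reply from outside: look the public port up in the table. With no binding
        the packet is dropped (a stricter device would also check the remote endpoint)."""
        key = self._by_port.get(pkt.dst_port)
        if key is None:
            return None
        return Packet(pkt.src_ip, pkt.src_port, key[0], key[1])
```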
NAT In IPv6
Network address translation is not commonly used in IPv6, because one of the design goals of IPv6 is to restore end-to-end network connectivity. NAT loopback is not commonly needed. Although still possible, the large addressing space of IPv6 obviates the need to conserve addresses and every device can be given a unique globally routable address. That being said, using unique local addresses in combination with network prefix translation can achieve similar results.