In this article, we are going to look at a very popular and also very important part of both enterprise and small office/home office (SOHO) networks: That is Network Address Translation, or NAT.
NAT was a big help in solving a major problem with IPv4. The specialist saw clearly that the IPv4 address space will be completely consumed by the mid-1990s. After that, the internet could not continue to grow because there was no public IP address left. This would significantly slow down the development of the Internet.
This article breaks this topic into two major sections. The first section explains the challenges the revolution of internet caused to the IPv4 address space in the late 1990s. The second section explains NAT concepts and describes how several variations of NAT work. It also shows how the Port Address Translation (PAT) conserved the IPv4 address space.
Perspectives on IPv4 Address Scalability
The original design for the Internet required every organization to ask for, and receive, one or more registered classful IP network numbers. The people administering the program ensured that none of the IP networks were reused. As long as every organization used only IP addresses inside its own registered network numbers, IP addresses would never be duplicated, and IP routing could work well.
Connecting to the Internet using only a registered network number, or several registered network
numbers, worked well for a while. In the early to mid-1990s, it became apparent that the Internet was growing so fast that all IP network numbers would be assigned by the mid-1990s! Concerns arose that the available networks would be completely assigned, and thus, new organizations would not have been able to connect to the Internet.
NAT, Private Addressing, CIDR
To help solve the problem, many short-term solutions were suggested, but finally three standards worked together to solve the problem. Two of the standards work closely together: Network Address Translation (NAT) and Private Addressing. These features together allow organizations to use unregistered IP network numbers internally and still communicate well with the Internet.
The third standard, Classless Inter-Domain Routing (CIDR), allows ISPs to reduce the wasting of IP
addresses by assigning each company a subset of network number rather than the entire space of a network range. CIDR also can allow ISPs to summarize routes so that multiple Class A, B, or C networks match a single route, which helps reduce the size of Internet routing tables.
Classless Inter-Domain Routing (CIDR)
CIDR, defined in RFC 4632, has two main goals. First, CIDR defines a way to assign public IP addresses, worldwide, to allow route aggregation or route summarization. These route summaries
greatly reduce the size of routing tables in Internet routers. This strategy relies on a worldwide IPv4 address assignment strategy, as well as some simple math to replace many routes for smaller ranges of addresses with one route for a larger range of addresses.
Second, CIDR defines rules that allow an Internet Service Provider (ISP) to assign public IP addresses in smaller blocks rather than an entire Class A, B, or C network. This gives ISPs the option of assigning a specific public IPv4 address block of a size that matches and covers only the needs of that customer.
There are cases that some computers inside a network never need to be connected to the Internet. These computers’ IP addresses could be using duplicate IP addresses, same as the registered IP addresses in the Internet. When designing the IP addressing convention for such a network, an organization could pick and use any network number(s) they want and all would be well.
For example, you can buy a few routers, connect them in your office, and configure IP addresses in network 184.108.40.206, and it would work. Among the IP addresses you use, there might be one or couple of IP addresses that have their duplicate in the Internet space, but if all you want to do is to test the devices in the lab and inside the private space of your office, everything will be fine. The problem is when any of these devices want to connect to a public space like internet.
When building a private network that will have no Internet connectivity, you can use IP network numbers called private internets, as defined in RFC 1918, “Address Allocation for Private Internets.” This RFC defines a set of networks that will never be assigned to any organization as a registered public network number.
Instead of using someone else’s registered network numbers, you can use numbers in a range that are not used by anyone else in the public Internet. Below table shows the private address space defined by RFC 1918.
In other words, any organization can use these network numbers. However, no organization is
allowed to advertise these networks using a routing protocol on the Internet.
You might be wondering why you would bother to reserve special private network numbers when it doesn’t matter whether the addresses are duplicates. Well, as it turns out, you can use private addressing in an inter-network, and connect to the Internet at the same time, as long as you use Network Address Translation (NAT). The rest of this article will examine and explain NAT.
Network Address Translation (NAT)
NAT allows a host that does not have a valid, registered, globally unique IP address to communicate with other hosts through the Internet. The hosts might be using private addresses or addresses assigned to another organization. In either case, NAT allows these addresses that are not Internet-ready to continue to be used and still allows communication with hosts across the Internet.
NAT achieves its goal by using a valid registered IP address to represent the private address to
the rest of the Internet. The NAT function changes the private IP addresses to publicly registered
IP addresses inside each IP packet, as shown in the below figure:
Notice that the router, performing NAT, changes the packet’s source IP address when the
packet leaves the private organization. The router performing NAT also changes the destination
address in each packet that is forwarded back into the private network. (Network 220.127.116.11 is
a registered network in the above figure).
Static NAT works just like the example shown in the previous section, but with the IP addresses statically mapped to each other. To help you understand the implications of static NAT and to explain couple of key terms, the following figure shows a similar example with more details.
First, the company obtains registered IP address(s) from the ISP, then utilizes NAT to change private IP address and map them to a public IP address. To do so, the NAT router changes the source IP addresses in the packets going from left to right in the figure.
In this example, the NAT router changes the source address (“SA” in the figure) of 10.1.1.1 to 18.104.22.168. With static NAT, the NAT router simply configures a one-to-one mapping between the private address and the registered address that is used on its behalf. The NAT router has statically configured a mapping between private address 10.1.1.1 and the publicly registered address 22.214.171.124.
Using NAT terminology, the enterprise network that uses private addresses, and therefore needs NAT, is the “inside” part of the network. The Internet side of the NAT function is the “outside” part of the network. A host that needs NAT (such as 10.1.1.1 in the example) has the IP address it uses inside the network, and it needs an IP address to represent it in the outside network. So, because the host essentially needs two different addresses to present itself, you need two terms.
Most typical NAT configurations change only the IP address of inside hosts. Therefore, the current
NAT terms shown in the above Figure represent the inside local and corresponding inside global registered addresses.
However, the outside host IP address can also be changed with NAT. When that occurs, the terms outside local and outside global denote the IP address used to represent that host in the inside network and the outside network, respectively. Below table summarizes the terminology and meanings.
Dynamic NAT has some similarities and differences compared to static NAT. Like static NAT, the NAT router creates a one-to-one mapping between an inside local and inside global address, and changes the IP addresses in packets as they exit and enter the inside network. However, the mapping of an inside local address to an inside global address happens dynamically.
Dynamic NAT sets up a pool of possible inside global addresses and defines matching criteria
to determine which inside local IP addresses should be translated with NAT. For example, in the below figure, a pool of five inside global IP addresses has been established: 126.96.36.199 through
188.8.131.52. NAT has also been configured to translate any inside local addresses that follow the
The numbers 1, 2, 3, and 4 in the figure refer to the following sequence of events:
1. Host 10.1.1.1 sends its first packet to the server at 184.108.40.206.
2. As the packet enters the NAT router, the router applies some matching logic to decide whether the packet should have NAT applied. Because the logic has been configured to match source IP addresses that begin with 10.1.1, the router adds an entry in the NAT table for 10.1.1.1 as an inside local address.
3. The NAT router needs to allocate an IP address from the pool of valid inside global addresses. It picks the first one available (220.127.116.11, in this case) and adds it to the NAT table to complete the entry.
4. The NAT router translates the source IP address and forwards the packet.
Overloading NAT with Port Address Translation (PAT)
Some networks need most of their IP hosts have access to the Internet. If that network uses private IP addresses, the NAT router needs a very large set of registered IP addresses. With static NAT, for each private IP host that needs Internet access, you need a publicly registered IP address, completely defeating the goal of reducing the number of public IPv4 addresses needed for that organization.
Dynamic NAT lessens the problem to some degree, because every single host in an inter-network should seldom need to communicate with the Internet at the same time. However, if a large percentage of the IP hosts in a network will need Internet access throughout that company’s normal business hours, NAT still requires a large number of registered IP addresses, again failing to reduce IPv4 address consumption.
Briefly, how Port Address Translation works
The NAT Overload feature, also called Port Address Translation (PAT), solves this problem. Overloading allows NAT to scale to support many clients by using only a few public IP addresses. The key to understanding how overloading works is to recall how hosts use TCP and UDP ports. To see why, first consider the idea of three separate TCP connections to a web server, from three different hosts, as shown in the next figure.
NAT takes advantage of the fact that, from a transport layer perspective, the server doesn’t care
whether it has one connection each to three different hosts or three connections to a single host
IP address. Port Address Translation (PAT) translates not only the address, but also changes layer 4 port number when necessary. With this changes many TCP or UDP flows from different hosts look like the same number of flows from one host.
The NAT router keeps a NAT table entry for every unique combination of inside local IP address and port number, and also its translation to the inside global IP address and a unique port number associated with the inside global address.
Since, the port number field has 16 bits, NAT overload can use more than 65,000 port numbers, allowing it to scale well without needing many registered IP addresses. In many cases, NAT overload needs to use only one IP from inside global IP address.