Network Address Translation (NAT)
1. Objectives
Upon completion of this lecture, you will be able to answer the following
questions:
What is the purpose and function of NAT?
How do different types of NAT operate?
What are the advantages and disadvantages of NAT?
How do you configure static NAT?
How do you configure dynamic NAT?
How do you configure PAT?
2. Introduction
With the proliferation of personal computing and the advent of the World Wide
Web, it soon became obvious that 4.3 billion IPv4 addresses would not be enough.
The long-term solution was IPv6, but more immediate solutions to address
exhaustion were required. For the short term, several solutions were implemented
by the IETF, including network address translation (NAT) and RFC 1918 private
IPv4 addresses.
Almost all networks connecting to the Internet use the services of network
address translation (NAT). Typically, organizations assign inside hosts private IP
addresses. When exiting the network, the private addresses are translated to public
IP addresses. Return traffic to the public IP address is retranslated to the internal
private IP address. In this section, you learn how NAT provides IPv4 address
scalability in a small- to medium-sized business network.
3. What is NAT?
NAT has many uses, but its primary use is to conserve public IPv4 addresses. It
does this by allowing networks to use private IPv4 addresses internally and
providing translation to a public address only when needed. NAT has an added
benefit of adding a degree of privacy and security to a network because it hides
internal IPv4 addresses from outside networks.
NAT-enabled routers can be configured with one or more valid public IPv4
addresses. These public addresses are known as the NAT pool. When an internal
device sends traffic out of the network, the NAT-enabled router translates the
internal IPv4 address of the device to a public address from the NAT pool. To outside
devices, all traffic entering and exiting the network appears to have a public IPv4
address from the provided pool of addresses. A NAT router typically operates at the
border of a stub network. A stub network is a network that has a single connection
to its neighboring network: one way in and one way out of the network.
4. NAT Terminology
In NAT terminology, the inside network is the set of networks that is subject to
translation. The outside network refers to all other networks. When using NAT,
IPv4 addresses have different designations based on whether they are on the private
network or on the public network (Internet) and whether the traffic is incoming or
outgoing.
NAT includes four types of addresses:
Inside local address
Inside global address
Outside local address
Outside global address
When determining which type of address is used, it is important to remember that
NAT terminology is always applied from the perspective of the device with the
translated address:
Inside address—the address of the device that NAT is translating.
Outside address—the address of the destination device.
NAT also uses the concept of local or global with respect to addresses:
Local address—A local address is any address that appears on the inside
portion of the network.
Global address—A global address is any address that appears on the outside
portion of the network.
5. Types of NAT
In this topic, you learn about the operation of different types of NAT.
Static NAT
Static NAT uses a one-to-one mapping of local and global addresses. These
mappings are configured by the network administrator and remain constant. In
Figure 4, R2 is configured with static mappings for the inside local addresses of
Svr1, PC2, and PC3. When these devices send traffic to the Internet, their inside
local addresses are translated to the configured inside global addresses. To outside
networks, these devices have public IPv4 addresses.
Static NAT is particularly useful for servers or devices that must have a consistent
address that is accessible from the Internet, such as a company web server. It is also
useful for devices that must be accessible by authorized personnel when offsite, but
not by the general public on the Internet.
Dynamic NAT
Dynamic network address translation (dynamic NAT)—Many-to-many address
mapping between local and global addresses. Translations are made on an
as-available basis; for example, if there are 100 inside local addresses and 10 inside
global addresses, at any given time only 10 of the 100 inside local addresses can be
translated. This limitation of dynamic NAT makes it much less useful for production
networks than port address translation. In Figure 5, PC3 has accessed the Internet
using the first available address in the dynamic NAT pool. The other addresses are
still available for use.
Similar to static NAT, dynamic NAT requires that enough public addresses are
available to satisfy the total number of simultaneous user sessions.
Port Address Translation (PAT)
Port Address Translation (PAT), also known as NAT overloading, maps multiple
private IPv4 addresses to a single public IPv4 address or a few addresses. With PAT,
multiple addresses can be mapped to one or to a few addresses because each private
address is also tracked by a port number. When a device initiates a TCP/IP session,
it generates a TCP or UDP source port value or a specially assigned query ID for
ICMP to uniquely identify the session. When the NAT router receives a packet from
the client, it uses its source port number to uniquely identify the specific NAT
translation.
PAT ensures that devices use a different TCP port number for each session with a
server on the Internet. When a response comes back from the server, the source port
number, which becomes the destination port number on the return trip, determines
to which device the router forwards the packets. The PAT process also validates that
the incoming packets were requested, thus adding a degree of security to the session.
Figure 6 illustrates the PAT process.
In the previous example, the client port numbers, 1331 and 1555, did not change at
the NAT-enabled router. This is not a likely scenario because there is a good chance
that these port numbers may have already been attached to other active sessions.
PAT attempts to preserve the original source port. However, if the original source
port is already used, PAT assigns the first available port number starting from the
beginning of the appropriate port group (0 to 511, 512 to 1,023, or 1,024 to 65,535).
When there are no more ports available and there is more than one external address
in the address pool, PAT moves to the next address to try to allocate the original
source port. This process continues until there are no more available ports or external
IPv4 addresses.
In Figure 7, PAT has assigned the next available port (1445) to the second host
address. Both hosts have chosen the same source port number, 1444. This is acceptable
for the inside addresses because the hosts have unique private IPv4 addresses. However,
at the NAT router, the port numbers must be changed; otherwise, packets from two
different hosts would exit R2 with the same source address and port. The example in
Figure 7 assumes that the first 420 ports in the range 1,024 to 65,535 are already in
use, so the next available port number, 1445, is used.
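The port-allocation rules just described, modelled as an added example (not code from the original notes): the router first tries to keep the original source port, then takes the first free port in the same port group, then moves to the next global address, and return traffic is forwarded only when it matches an existing translation. All addresses are constructed sample values.

```python
# Added example (not from the original notes): a minimal model of the PAT
# port-allocation rules described above. Addresses below are constructed.
PORT_GROUPS = [(0, 511), (512, 1023), (1024, 65535)]


def port_group(port):
    """Return the (low, high) port group a source port belongs to."""
    for lo, hi in PORT_GROUPS:
        if lo <= port <= hi:
            return lo, hi
    raise ValueError(f"invalid port {port}")


class PatRouter:
    def __init__(self, global_pool):
        self.pool = list(global_pool)   # inside global addresses, tried in order
        self.used = set()               # (global_addr, global_port) already allocated
        self.table = {}                 # (inside_local, port) -> (global_addr, port)
        self.reverse = {}               # (global_addr, port) -> (inside_local, port)

    def translate_outbound(self, inside_local, local_port):
        key = (inside_local, local_port)
        if key in self.table:           # an existing session keeps its mapping
            return self.table[key]
        lo, hi = port_group(local_port)
        for addr in self.pool:
            if (addr, local_port) not in self.used:      # preserve original port
                chosen = (addr, local_port)
                break
            # otherwise: first free port from the start of the same port group
            free = next((p for p in range(lo, hi + 1) if (addr, p) not in self.used), None)
            if free is not None:
                chosen = (addr, free)
                break
            # group exhausted on this address: try the next global address
        else:
            raise RuntimeError("PAT pool exhausted: no free port on any global address")
        self.used.add(chosen)
        self.table[key] = chosen
        self.reverse[chosen] = key
        return chosen

    def translate_inbound(self, global_addr, global_port):
        """Return traffic is forwarded only if it matches an existing translation."""
        return self.reverse.get((global_addr, global_port))


def figure7_demo():
    """Two hosts both pick source port 1444; 420 ports from 1024 are already in use."""
    r = PatRouter(["209.165.200.225"])
    r.used.update(("209.165.200.225", p) for p in range(1024, 1444))
    return r.translate_outbound("192.168.10.10", 1444), r.translate_outbound("192.168.10.11", 1444)
```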
6. Advantages of NAT
NAT provides many benefits, including these:
NAT conserves the legally registered addressing scheme by allowing the
privatization of intranets. NAT conserves addresses through application
port-level multiplexing.
NAT increases the flexibility of connections to the public network. Multiple
pools, backup pools, and load-balancing pools can be implemented to ensure
reliable public network connections.
NAT provides consistency for internal network addressing schemes. NAT
allows the existing private IPv4 address scheme to remain while allowing for
easy change to a new public addressing scheme.
NAT hides user IPv4 addresses. Using RFC 1918 IPv4 addresses, NAT
provides the side effect of hiding users and other devices’ IPv4 addresses.
Some people consider this a security feature.
7. Disadvantages of NAT
The disadvantages of NAT include the following:
Performance is degraded.
End-to-end functionality is degraded.
End-to-end IP traceability is lost.
Tunneling becomes more complicated.
Initiating TCP connections can be disrupted.
8. Configure NAT
Dynamic NAT, static NAT, and PAT are used extensively in networks.
Therefore, it is important to understand how to properly configure the different types
of NAT.
Configure PAT
There are two ways to configure PAT, depending on how the ISP allocates public
IPv4 addresses. In the first instance, the ISP allocates more than one public IPv4
address to the organization, and in the other, it allocates a single public IPv4 address
that is required for the organization to connect to the ISP.
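One way to configure the three types of NAT covered in these notes on a Cisco IOS router such as R2, as an added configuration example (not the notes' own figures). Interface names and all addresses are assumed placeholders; the three translation styles for ACL 1 are alternatives, so only one of them would be applied on a real router.

```cisco
! Added example (not from the original notes). Interface names and addresses
! are constructed placeholders.
!
! Mark which interfaces are inside and outside for NAT
interface GigabitEthernet0/0
 ip nat inside
interface Serial0/1/0
 ip nat outside
!
! Static NAT: one-to-one mapping for a server that must be reachable from outside
ip nat inside source static 192.168.10.254 209.165.201.5
!
! Hosts subject to translation (inside local addresses)
access-list 1 permit 192.168.10.0 0.0.0.255
!
! --- Choose ONE of the following three styles for ACL 1 ---
!
! Dynamic NAT: many-to-many from a pool of inside global addresses
ip nat pool NAT-POOL1 209.165.200.226 209.165.200.240 netmask 255.255.255.224
ip nat inside source list 1 pool NAT-POOL1
!
! PAT with a pool (ISP allocated several public addresses)
ip nat inside source list 1 pool NAT-POOL1 overload
!
! PAT with a single public address (the outside interface's own address)
ip nat inside source list 1 interface Serial0/1/0 overload
!
! Verify translations and allocation statistics
show ip nat translations
show ip nat statistics
```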