Introduction to Network Address Translation (NAT)

Similar to Classless Inter-Domain Routing (CIDR), the original intention for NAT was to slow the depletion of the available IP address space by allowing many private IP addresses to be represented by some smaller number of public IP addresses.

Since then, it's been discovered that NAT is also a useful tool for network migrations and mergers, server load sharing, and creating “virtual servers.” So in this section, I'm going to describe the basics of NAT functionality and the terminology common to NAT.

At times, NAT really decreases the overwhelming number of public IP addresses required in your networking environment. And NAT comes in really handy when two companies that have duplicate internal addressing schemes merge. NAT is also great to have around when an organization changes its Internet service provider and the networking manager doesn't want the hassle of changing the internal address scheme.

Here's a list of situations when it's best to have NAT on your side:

  • You need to connect to the Internet, and your hosts don't have globally unique IP addresses.
  • You change to a new ISP that requires you to renumber your network.
  • You need to merge two intranets with duplicate addresses.

You typically use NAT on a border router. For an illustration of this, see Figure 3.10.

FIGURE 3.10 Where to configure NAT


Now you may be thinking, “NAT's totally cool. It's the grooviest greatest network gadget, and I just gotta have it.” Well, hang on a minute. There are truly some serious snags related to NAT use. Oh, don't get me wrong: it really can save you sometimes, but there's a dark side you need to know about, too. For a visual of the pros and cons linked to using NAT, check out Table 3.3.

TABLE 3.3 Advantages and disadvantages of implementing NAT

Advantages:
  • Conserves legally registered addresses.
  • Reduces address overlap occurrence.
  • Increases flexibility when connecting to the Internet.
  • Eliminates address renumbering as the network changes.

Disadvantages:
  • Translation introduces switching path delays.
  • Loss of end-to-end IP traceability.
  • Certain applications will not function with NAT enabled.

Types of Network Address Translation

In this section, I'll go over the three types of NAT with you.

Static NAT This type of NAT is designed to allow one-to-one mapping between local and global addresses. Keep in mind that the static version requires you to have one real Internet IP address for every host on your network.

Dynamic NAT This version gives you the ability to map an unregistered IP address to a registered IP address from out of a pool of registered IP addresses. You don't have to statically configure your router to map an inside to an outside address as you would using static NAT, but you do have to have enough real, bona fide IP addresses for everyone who's going to be sending packets to and receiving them from the Internet.

Overloading This is the most popular type of NAT configuration. Understand that overloading really is a form of dynamic NAT that maps multiple unregistered IP addresses to a single registered IP address—many-to-one—by using different ports. Now, why is this so special? Well, because it's also known as Port Address Translation (PAT). And by using PAT (NAT Overload), you get to have thousands of users connect to the Internet using only one real global IP address—pretty slick, yeah? Seriously, NAT Overload is the real reason we haven't run out of valid IP addresses on the Internet. Really, I'm not joking.

NAT Names

The names you use to describe the addresses used with NAT are pretty simple. Addresses used after NAT translations are called global addresses. These are usually the public addresses used on the Internet, but remember, you don't need public addresses if you aren't going on the Internet.

Local addresses are the ones you use before NAT translation. So, the inside local address is actually the private address of the sending host that's trying to get to the Internet, while the outside local address is the address of your router's interface connected to the Internet.

After translation, the inside local address is called the inside global address, and the outside global address then becomes the name of the destination host. Check out Table 3.4, which lists all this terminology, for a clear picture of the various names used with NAT.

TABLE 3.4 NAT terms

Name             Meaning
Inside local     Name of inside source address before translation
Outside local    Your router interface IP address connected to the Internet
Inside global    Name of inside host after translation
Outside global   Name of outside destination host after translation

How NAT Works

Okay, now it's time to look at how this whole NAT thing works. I'm going to start by using Figure 3.11 to describe the basic translation of NAT.

In the example shown in Figure 3.11, host 10.1.1.1 sends an outbound packet to the border router configured with NAT. The router identifies the IP address as an inside local IP address destined for an outside network, translates the address, and documents the translation in the NAT table.

The packet is sent to the outside interface with the new translated source address. The external host returns the packet to the destination host, and the NAT router translates the inside global IP address back to the inside local IP address using the NAT table. This is as simple as it gets.

Let's take a look at a more complex configuration using overloading, or what is also referred to as Port Address Translation (PAT). I'll use Figure 3.12 to demonstrate how PAT works.

FIGURE 3.11 Basic NAT translation


FIGURE 3.12 NAT overloading example (PAT)


With overloading, all inside hosts get translated to one single IP address, which is why it's called overloading. Again, the reason we have not run out of available IP addresses on the Internet is because of overloading (PAT).

Take a look at the NAT table in Figure 3.12 again. In addition to the inside local IP address and outside global IP address, we now have port numbers. These port numbers help the router identify which host should receive the return traffic.

Port numbers are used at the Transport layer to identify the local host in this example. If we had to use IP addresses to identify the source hosts, that would be called static NAT, and we would run out of addresses. PAT allows us to use the Transport layer to identify the hosts, which in turn allows us to use (theoretically) up to 65,000 hosts with one real IP address.
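To make the PAT table in Figure 3.12 concrete, here is an added simulation (not from this book, and not router code) of what the border router keeps for overloading: outbound packets get a table entry keyed on inside local address and source port, return traffic is matched on the translated port, and the table fills up at the port limit. The inside global address 203.0.113.5 and the inside hosts are constructed values.

```python
# Simulation of the NAT table a border router builds for overloading (PAT).
# Constructed example: 203.0.113.5 stands in for the one registered address
# that every inside host is translated to.

class PatTable:
    def __init__(self, inside_global, first_port=1024, last_port=65535):
        self.inside_global = inside_global          # single registered address shared by all inside hosts
        self.free_ports = set(range(first_port, last_port + 1))
        self.out = {}    # (inside local IP, source port) -> translated port
        self.back = {}   # translated port -> (inside local IP, source port)

    def outbound(self, inside_local, src_port):
        """Translate an outgoing packet's source; create a table entry on first use."""
        key = (inside_local, src_port)
        if key not in self.out:
            if not self.free_ports:
                # this is the practical ceiling the text mentions: one address
                # can only be overloaded as many times as there are free ports
                raise RuntimeError("PAT port pool exhausted")
            # keep the host's own port when nobody else holds it, otherwise
            # pick the lowest free one (min() is O(n); fine for a demo)
            port = src_port if src_port in self.free_ports else min(self.free_ports)
            self.free_ports.remove(port)
            self.out[key] = port
            self.back[port] = key
        return self.inside_global, self.out[key]

    def inbound(self, dst_port):
        """Return traffic for inside_global:dst_port. None means no table entry,
        so the router has no inside host to deliver it to and drops it."""
        # This table is also the only record tying a global port back to an
        # inside host (the traceability loss listed in Table 3.3), so keep it logged.
        return self.back.get(dst_port)
```

Two inside hosts that both chose source port 1026 end up on different global ports, which is exactly what lets the router tell the return traffic apart.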

You're done, the diva has sung, the chicken has crossed the road…whew! Take a good break (but skip the shot and the beer for now), and then come back and go through the written labs and review questions.
