NAT

Updated on Apr 11, 2024 by
What Is Network Address Translation (NAT)?

NAT rewrites the IP address in a packet's header, and optionally the port number, so that public IP addresses can be reused. Introduced as a transitional measure against the depletion of public IPv4 addresses, NAT is simple to implement and is therefore very widely deployed.

What Is NAT Used for?

With the proliferation of network applications, the depletion of IPv4 addresses has become a bottleneck for network growth. IPv4 is deeply entrenched in network infrastructure and existing applications, so before IPv6 is widely adopted as its replacement, various IPv4-to-IPv6 transition technologies (such as CIDR and private IP addresses) can be employed to mitigate the scarcity of IPv4 addresses. NAT is one such transitional technology.

When a packet from an intranet user destined for the Internet arrives at a NAT-enabled gateway, the gateway rewrites the IP address and port number in the packet's headers and then forwards the packet to the Internet. In this process, the gateway can map packets from different intranet users to the same public IP address while telling the users apart by port number, so the public IP address is reused.

Initially, NAT primarily denoted basic NAT, which is straightforward to implement and solely capable of translating IP addresses, not port numbers. Consequently, basic NAT merely facilitates intranet users' Internet access without effectively mitigating the IPv4 address shortage. Subsequently, Network Address Port Translation (NAPT) emerged, enabling the translation of both IP addresses and port numbers, thereby enabling multiple private IP addresses to be mapped to a single public IP address. Thus, NAPT effectively alleviates the scarcity of IP addresses.

NAT Types

NAT can be categorized into three types: source NAT, destination NAT, and bidirectional NAT, depending on whether the IP addresses of packets' sources or destinations are translated.

Source NAT

Source NAT translates only source IP addresses of packets and applies to the scenario where intranet users access the Internet. When a packet sent from an intranet user for accessing the Internet reaches a NAT device, the NAT device translates the private IPv4 address of the packet into a public IPv4 address. In this way, the intranet user can access the Internet.

Based on whether port number translation is performed during source IP address translation, source NAT is categorized into the types shown in the following figure.

[Figure: classification of source NAT types by whether port numbers are translated]

Destination NAT

Destination NAT modifies only the destination IP addresses and port numbers of packets and is commonly used when Internet users access intranet services. When a packet sent by an Internet user to an intranet service reaches a NAT device, the device replaces the packet's public destination IPv4 address with the server's private IPv4 address and forwards it, so the Internet user reaches the intranet service.

Classification of Destination NAT types is contingent upon the presence of fixed mappings between pre-NAT and post-NAT IP addresses, as depicted in the accompanying figure.

[Figure: classification of destination NAT types by whether pre-NAT and post-NAT IP addresses have fixed mappings]

Bidirectional NAT

Bidirectional NAT encompasses the translation of both source and destination IP addresses within packets. It's important to note that Bidirectional NAT isn't a standalone function but rather a fusion of both source NAT and destination NAT. This mechanism proves valuable in scenarios where the same flow necessitates bidirectional translation. Upon receiving a packet, a NAT device proficient in bidirectional NAT translates both the source and destination IP addresses. This approach finds application in scenarios where both Internet and intranet users seek access to intranet servers.

NAT types defined in STUN

The Session Traversal Utilities for NAT (STUN) protocol classifies NAT into four types according to how private IP addresses and port numbers are mapped to public IP addresses and port numbers, as shown in the accompanying figure.

  • Full-cone NAT: Under full-cone NAT, all requests from the same private IP address and port (e.g., IP1:Port1) are mapped to the same public IP address and port (e.g., IP:Port). Any host on the Internet can communicate with the intranet host by sending packets to that public IP address and port. This is the most lenient policy: once the mapping between private and public addresses exists, any Internet host can reach the intranet host through the NAT device.

  • Restricted-cone NAT: In restricted-cone NAT, requests from the same private IP address and port (e.g., IP1:Port1) are mapped to the same public IP address and port (e.g., IP:Port). However, an Internet host can send packets to the intranet host only if the intranet host has previously sent a packet to that Internet host's IP address.

  • Port-restricted cone NAT: Like restricted-cone NAT, requests from the same private IP address and port (e.g., IP1:Port1) are mapped to the same public IP address and port (e.g., IP:Port) regardless of destination, but the restriction now includes the port: an Internet host at IP address X and port P can send a packet to the intranet host only if the intranet host has previously sent a packet to X:P.

  • Symmetric NAT: Under symmetric NAT, requests from the same private IP address and port to a specific destination IP address and port are always mapped to the same public IP address and port. If the host sends a packet from the same source IP address and port to a different destination, a different mapping is used. Moreover, only an Internet host that has received a packet from the intranet host can send a packet back. Unlike port-restricted cone NAT, which maps requests from the same private IP address and port to the same public IP address and port regardless of destination, symmetric NAT maps requests with the same source IP address and port but different destinations to different public IP addresses and ports.
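As an added illustration that is not part of the original article, the following toy model in Python encodes the mapping and filtering rules of the four STUN NAT types above and answers, for a given public port, which Internet endpoints may send a packet back in. The public address 203.0.113.10, the private host 192.168.1.2 and the Internet endpoints used in the comments are constructed sample values.

```python
# Toy model of the four STUN NAT types (added example, not the article's code).
# A packet is identified by (src_ip, src_port, dst_ip, dst_port); all addresses
# used with this class are constructed sample values.

PUBLIC_IP = "203.0.113.10"   # constructed public address of the NAT device

class StunNat:
    def __init__(self, kind):
        assert kind in ("full_cone", "restricted_cone", "port_restricted_cone", "symmetric")
        self.kind = kind
        self.next_port = 40000
        self.mappings = {}      # mapping key -> public port
        self.contacted = set()  # (public_port, dst_ip, dst_port) the intranet host has sent to

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Return the public (ip, port) an intranet->Internet packet leaves with."""
        # Cone NATs key the mapping on the private ip:port alone, so every destination
        # sees the same public port; symmetric NAT keys it on the destination as well.
        if self.kind == "symmetric":
            key = (src_ip, src_port, dst_ip, dst_port)
        else:
            key = (src_ip, src_port)
        if key not in self.mappings:
            self.mappings[key] = self.next_port
            self.next_port += 1
        pub_port = self.mappings[key]
        self.contacted.add((pub_port, dst_ip, dst_port))
        return (PUBLIC_IP, pub_port)

    def inbound_allowed(self, from_ip, from_port, to_port):
        """Would a packet from from_ip:from_port to PUBLIC_IP:to_port be forwarded inward?"""
        on_port = {(ip, port) for p, ip, port in self.contacted if p == to_port}
        if not on_port:
            return False   # no mapping exists on that public port: nothing to deliver to
        if self.kind == "full_cone":
            return True    # any Internet host may use the mapping
        if self.kind == "restricted_cone":
            # the sending host's IP must have been contacted, any port will do
            return any(ip == from_ip for ip, _ in on_port)
        # port-restricted cone and symmetric: the exact ip:port must have been contacted
        return (from_ip, from_port) in on_port
```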

Implementation of NAT

Based on the aforementioned NAT classifications, we opt to elaborate on the implementation of NAPT (Network Address Port Translation), a form of source NAT, and NAT Server, which falls under destination NAT. While the implementations of other NAT types share similarities, with variations primarily in the translated entities, detailed descriptions of their implementations are omitted here.

Bidirectional NAT, being a fusion of source and destination NAT, is not discussed further in this context.

Implementation of NAPT

NAPT facilitates the translation of both IP addresses and port numbers, permitting multiple intranet users to access the Internet utilizing the same public IP address. By distinguishing users through port numbers, NAPT ensures effective IP address reuse.
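An added example, not from the original article: a toy NAPT translator in Python in which two intranet hosts that both happen to use private source port 5000 share one public address. Packets are plain tuples (src_ip, src_port, dst_ip, dst_port) and all addresses are constructed sample values.

```python
# Toy NAPT translator (added example, not the article's code).
# A packet is a tuple (src_ip, src_port, dst_ip, dst_port); addresses are constructed.

class Napt:
    def __init__(self, public_ip, first_port=10000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out = {}    # (private_ip, private_port) -> public_port
        self.back = {}   # public_port -> (private_ip, private_port)

    def translate_outbound(self, pkt):
        """Rewrite the source of an intranet->Internet packet."""
        src_ip, src_port, dst_ip, dst_port = pkt
        key = (src_ip, src_port)
        if key not in self.out:
            # Allocate an unused public port: this is what keeps two users
            # distinguishable even when both picked the same private port.
            self.out[key] = self.next_port
            self.back[self.next_port] = key
            self.next_port += 1
        return (self.public_ip, self.out[key], dst_ip, dst_port)

    def translate_inbound(self, pkt):
        """Rewrite the destination of an Internet->intranet reply, or drop it."""
        src_ip, src_port, dst_ip, dst_port = pkt
        # Only packets to the public IP on a port with a live binding get through;
        # anything else has no private destination to go to and is dropped (None).
        if dst_ip != self.public_ip or dst_port not in self.back:
            return None
        priv_ip, priv_port = self.back[dst_port]
        return (src_ip, src_port, priv_ip, priv_port)
```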

Implementation of NAT Server

In the implementation of the NAT Server, consider the following scenario: the server on the intranet has the private IPv4 address 192.168.1.2/24, the public IPv4 address 1.1.1.10, and listens on port 80. The mapping between the public and private IP addresses has been configured on DeviceA. When a host on the Internet accesses the intranet server, DeviceA performs the following steps:

  1. On receiving the first packet from the host destined for 1.1.1.10, DeviceA looks up the corresponding server mapping entry and changes the packet's destination IP address to 192.168.1.2.

  2. DeviceA creates a session entry and forwards the packet to the intranet server.

  3. On receiving the response packet from the server, DeviceA matches it against the session entry created in step 2, replaces the packet's source IP address with 1.1.1.10, and forwards it to the host.

  4. For subsequent packets from the host to the server, DeviceA performs NAT based on the session entry alone, with no need to search the server mapping entry again.
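The four steps above, as an added example in Python that is not part of the original article: DeviceA holds the static mapping 1.1.1.10:80 -> 192.168.1.2:80 from the text, the Internet host 198.51.100.5:51000 is a constructed value, and a counter shows that the server mapping entry is consulted only for the first packet of a session.

```python
# Toy NAT Server / destination NAT on "DeviceA" (added example, not the article's code).
# A packet is a tuple (src_ip, src_port, dst_ip, dst_port). The public/private server
# addresses come from the article; the Internet host address is constructed.

class NatServer:
    def __init__(self, server_map):
        self.server_map = server_map   # (public_ip, public_port) -> (private_ip, private_port)
        self.sessions = {}             # (host_ip, host_port, public_ip, public_port) -> private target
        self.map_lookups = 0           # counts step-1 lookups, to show step 4 skips them

    def from_internet(self, pkt):
        """Translate a host->server packet, or return None if it is dropped."""
        src_ip, src_port, dst_ip, dst_port = pkt
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.sessions:
            # Step 1: first packet of the flow, consult the server mapping entry.
            self.map_lookups += 1
            target = self.server_map.get((dst_ip, dst_port))
            if target is None:
                return None            # nothing published on that address/port: dropped
            # Step 2: create the session entry.
            self.sessions[key] = target
        # Step 4: later packets are translated from the session entry alone.
        priv_ip, priv_port = self.sessions[key]
        return (src_ip, src_port, priv_ip, priv_port)

    def from_server(self, pkt):
        """Step 3: translate a server->host reply using the session table."""
        src_ip, src_port, dst_ip, dst_port = pkt
        for (h_ip, h_port, pub_ip, pub_port), (p_ip, p_port) in self.sessions.items():
            if (p_ip, p_port, h_ip, h_port) == (src_ip, src_port, dst_ip, dst_port):
                return (pub_ip, pub_port, dst_ip, dst_port)
        return None                    # not a reply to any translated request: dropped
```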
