Network Address Translation (NAT) Concepts
Introduction
Before we dive into the deep waters of NAT, we need to make sure we understand exactly what NAT does. So let me give you the background of NAT, why it exists today and how it works. Even though there are different modes of NAT, they are all basically extensions of the original concept.

NAT has become so popular that almost all small routers, firewall software and operating systems support at least one NAT mode, which shows how important it is to understand NAT.
The NAT Concept
NOTE: NAT is not only used for networks that connect to the Internet. You can use NAT even between private networks, as we will see in the pages to follow, but because most networks use it for their Internet connection, we are focusing on that.
The NAT concept is simple: it allows a single device to act as an Internet gateway for internal LAN clients by translating the clients' internal network IP addresses into the IP address of the NAT-enabled gateway device.

In other words, NAT runs on the device that is connected to the Internet and hides the rest of your network from the public, making your whole network appear as one device (or computer, if you like) to the rest of the world.

NAT is transparent to your network, meaning the internal network devices do not need to be reconfigured in order to access the Internet. All that is required is to let your network devices know that the NAT device is their default gateway to the Internet.

NAT also gives you a degree of protection, because it hides your internal addresses from the Internet. All communications from your private network pass through the NAT device, which performs the appropriate translations and keeps track of each one so that replies reach the right internal host. A packet arriving from the Internet that does not match a translation the inside initiated has nowhere to go and is dropped. Keep in mind that this is a side effect of how NAT works, not a security policy: NAT does not inspect what passes through an established translation, and any port you deliberately forward to an internal host is reachable from the Internet, so a firewall is still needed.
The diagram below illustrates this:
As you can see, we have a simple network of 4 hosts (computers) and one router that connects this network to the Internet. All hosts in our network have a private IP address from the 192.168.0.0/24 range (part of the "Class C" private address space defined in RFC 1918), including the router's private interface (192.168.0.1), while the public interface that is connected to the Internet has a real, publicly routable IP address (203.31.220.134).
If you're having trouble understanding, the following diagram shows how the Internet would see the above setup:
As you can see, the idea behind NAT is really simple. Remember that we have mentioned there are 3 different NAT modes to suit all types of network configurations. If required, you can use NAT to allow the Internet to reach specific machines on your internal network!

Such configurations allow the Internet to access an internal web server or FTP server you might have, without exposing the rest of your network. Of course, the server you expose in this way is now directly reachable from the Internet, so special actions need to be taken to ensure that your visitors are restricted to the resources you want, and that's where the firewall comes into the picture. We'll discover how all this is possible in the next pages, so be patient and keep reading!
How NAT works
There are 3 different ways in which NAT works. However, the principle is the same for all 3 modes. To help understand it we need a good, simple example, and the first one at the beginning of this page will do the job just fine.
The trick to understanding how NAT works is to realise that only the device (router, firewall or PC) that connects directly to the Internet performs NAT. For our example this device happens to be a router, but it could even be a simple PC; it makes no difference for us.
As you already know, all requests the workstations generate are sent to the Internet via the router. The router then performs NAT on these packets and sends them to their destination. As each packet arrives on the router's private interface, the router replaces the source IP address in the layer 3 (network layer) header, e.g. 192.168.0.10, with its own public IP address (203.31.220.134) before sending it to the Internet. Because the IP header has changed, the router must also recompute the IP header checksum; when TCP or UDP is carried, the transport checksum covers the source address too (through the pseudo-header) and is recomputed as well.

This is how the packet then seems to have originated from the router itself. In some cases, depending on the NAT mode, the source and destination port numbers (layer 4) will be changed as well, but we examine that on the pages that follow. For now, we'll just look at the simple IP translation within the router.
The illustration below shows how the router modifies
the packets:
In this illustration, a workstation from our network has generated a packet with destination IP address 135.250.24.10. Logically, this packet is first sent to the gateway, which performs NAT on it and then sends it to the Internet, where it finally makes its way to the destination host.

Looking more closely at the gateway (router) during the initial NAT operation, the original packet's source IP is changed from 192.168.0.12 to that of the router's public interface, which is 203.31.220.134. The router then records the translation in a table it keeps in memory (the NAT Table, explained next), so that when the expected reply arrives it knows which workstation within its network the packet must be forwarded to.
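To make the translation described above concrete, here is a small added example (my own code, not from the original page or any vendor): a toy gateway that rewrites the source address of an outbound IPv4 packet to its public address, recomputes the header checksum, records the mapping in a NAT table and uses that entry to rewrite the destination of the reply back to the inside host. The addresses are the page's own (192.168.0.12, 203.31.220.134, 135.250.24.10); the class and function names (SimpleNat, build_ipv4, parse_ipv4), the constructed packets and the choice to key the table on the remote address are assumptions of this example. It also shows the limit of address-only translation: when two inside hosts talk to the same remote host their replies cannot be told apart, which is exactly what the port-rewriting modes covered on the following pages exist to fix.

```python
"""Added example: source-address-only NAT with an explicit NAT table.

Constructed, self-contained model of the translation the page describes.
Names and packet payloads are this example's own, not the page's.
"""
import ipaddress
import struct

IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")   # 20-byte IPv4 header, no options


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum over a 20-byte IPv4 header.

    The checksum field (bytes 10-11) is treated as zero, so the same function
    both computes a fresh checksum and verifies a received one.
    """
    words = struct.unpack("!10H", header[:10] + b"\x00\x00" + header[12:20])
    total = sum(words)
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, payload: bytes, proto: int = 17, ttl: int = 64) -> bytes:
    """Build a minimal IPv4 packet (DF set, no fragmentation, no options)."""
    hdr = IPV4_HDR.pack(0x45, 0, 20 + len(payload), 0, 0x4000, ttl, proto, 0,
                        ipaddress.IPv4Address(str(src)).packed,
                        ipaddress.IPv4Address(str(dst)).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Parse the header, rejecting anything this toy does not model."""
    if len(pkt) < 20:
        raise ValueError("truncated packet")
    ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, csum, src, dst = IPV4_HDR.unpack(pkt[:20])
    if ver_ihl != 0x45:
        raise ValueError("only IPv4 without options is handled")
    if total_len != len(pkt):
        raise ValueError("total length does not match packet size")
    if ipv4_checksum(pkt[:20]) != csum:
        raise ValueError("bad IPv4 header checksum")
    return {"src": ipaddress.IPv4Address(src), "dst": ipaddress.IPv4Address(dst),
            "ttl": ttl, "proto": proto, "payload": pkt[20:]}


class SimpleNat:
    """Address-only NAT for a gateway with one public address (hypothetical class)."""

    def __init__(self, public_ip: str, private_net: str):
        self.public_ip = ipaddress.IPv4Address(public_ip)
        self.private_net = ipaddress.IPv4Network(private_net)
        self.table = {}   # NAT table: remote IP -> inside IP that is talking to it

    def outbound(self, pkt: bytes) -> bytes:
        """Inside -> Internet: swap the source address and remember who sent it."""
        f = parse_ipv4(pkt)
        if f["src"] not in self.private_net:
            raise ValueError(f"{f['src']} is not an inside address")
        if f["ttl"] <= 1:
            raise ValueError("TTL expired in transit")
        remote = f["dst"]
        current = self.table.get(remote)
        if current is not None and current != f["src"]:
            # Two inside hosts talking to the same remote host: with only the
            # IP address rewritten, their replies are indistinguishable.  This
            # is the limitation that port translation (NAPT) exists to solve;
            # the toy refuses rather than misdeliver.
            raise LookupError(f"{remote} is already mapped to {current}; port translation needed")
        self.table[remote] = f["src"]
        return build_ipv4(self.public_ip, remote, f["payload"], f["proto"], f["ttl"] - 1)

    def inbound(self, pkt: bytes):
        """Internet -> inside: consult the table; no entry means the packet is dropped."""
        f = parse_ipv4(pkt)
        if f["dst"] != self.public_ip or f["ttl"] <= 1:
            return None
        inside = self.table.get(f["src"])
        if inside is None:
            return None   # unsolicited packet: nothing inside asked for it
        return build_ipv4(f["src"], inside, f["payload"], f["proto"], f["ttl"] - 1)


def demo():
    """Round trip with the page's addresses; returns (translated src, restored dst)."""
    nat = SimpleNat("203.31.220.134", "192.168.0.0/24")
    request = build_ipv4("192.168.0.12", "135.250.24.10", b"constructed request")
    on_the_wire = nat.outbound(request)
    reply = build_ipv4("135.250.24.10", "203.31.220.134", b"constructed reply")
    delivered = nat.inbound(reply)
    return str(parse_ipv4(on_the_wire)["src"]), str(parse_ipv4(delivered)["dst"])


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the packet leaving with source 203.31.220.134 and the reply arriving inside with destination 192.168.0.12. Note that the payload is treated as opaque here; a real gateway carrying TCP or UDP also has to fix the transport checksum, because it covers the source address through the pseudo-header.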
The next page will show you the heart of NAT, the NAT Table, and briefly explain the function of each NAT mode.