Introduction to Network Address Translation
Article by Henry Martel, Field Application Engineer, Antaira Technology.
The Antaira LRX-0200-T is an industrial router with VPN and NAT functionality
Public IPv4 addresses identify a device's network interface, making it routable on the Internet. Public addresses are registered, legal, and typically purchased or leased through a service provider. Unlike a public address, IP addresses on a LAN are private and reserved, meaning they are unrouteable on the Internet or other outside networks. Because every enterprise today needs access to the Internet, the limitations of a private address are obvious.
For private LAN traffic to be routed over the Internet, the device’s IP address needs to be translated (mapped) to a public IP address, a process performed by a NAT gateway router, NAT firewall, or other NAT-enabled device. Essentially, NAT configures a single public address to represent the entire LAN to the outside world in a transparent process. Without NAT, messages would be discarded by the router before reaching their outside destination.
WHAT IS NAT?
NAT stands for Network Address Translation. It works on Layer 3 of the OSI model, the Network Layer, where it deals with packets.
NAT was originally developed to help slow the depletion of public IPv4 addresses. By allowing multiple private addresses to access a single internet connection, NAT preserves IPv4 addresses and saves the enterprise the cost of buying an individual public address for each private device. NAT also eliminates the need for addresses to be renumbered when networks are switched and can prevent address overlap, making it very useful in migrating and merging networks, sharing server loads, and creating virtual servers.
Along with translating addresses, NAT provides an additional layer of security by hiding internal IP addresses from malicious actors. In this way, a NAT router works somewhat like a firewall guarding the LAN network against hacking and denial-of-service (DoS) attacks. Having said that, NAT is not a firewall in the traditional sense in that it will not actively review the contents of a data packet. Instead, NAT as only a first step toward security. NAT does not replace security measures such as firewalling, monitoring, antivirus protection, intrusion detection, application security, or zero trust services.
WHAT ABOUT IPv6?
Exhaustion of IPv4 addresses prompted the introduction of the IPv6 addressing system in 2012. Whereas IPv4 has approximately 4.2 billion available addresses for use, IPv6 leverages 128-bit addressing creating potentially 340 trillion trillion trillion public addresses (not a typo), enough for every device on Earth to have its own. But until IPv6 is fully adopted, NAT remains a networking reality. As of March 2022, according to Google, the IPv6 adoption rate globally is around 34%. Its adoption has been held back by its complexity, the cost of replacing network infrastructure, and its lack of backward compatibility with IPv4.
NAT PROTOCOL TYPES
NAT has three basic protocols: Static, Dynamic and Port Address Translation (PAT):
- Static NAT: Static NAT is a one-on-one mapping of the same local IP address to the same publicly routed IPv4 address, meaning there will be a fixed public address that doesn't change if a device disconnects from the network. The major downside of Static NAT is that if you have multiple devices on your LAN, each with a private IP address, you’ll also need unique public IPv4 addresses for each device. However, Static NAT can be valuable in some instances. For example, it is useful for web or gaming servers where multiple users need to connect to the same server, or when a server is forwarding emails and requires a stable connection address.
- Dynamic NAT (Pooling): Dynamic NAT is a one-to-many mapping of a local address to a global address that the NAT-enabled device picks from an available pool of global addresses not currently assigned. After a period of inactivity, the assigned address is purged, allowing it to be used for new translations. One of the downsides of this approach is that if all pooled IP addresses are in use when a new packet arrives from another inside host, the router simply discards the packet. The internal global pool of addresses must be large enough to serve the maximum number of concurrent hosts requiring the use of the Internet.
- Port Address Translation (PAT): PAT is an advanced, more flexible type of dynamic NAT. Like pooling, PAT maps several private IP addresses to a single public address. However, data sent and received through PAT receives a port number at the end of the IP address, therefore distinguishing the different devices on the network without requiring multiple public IP address connections. The router keeps a NAT table entry for every unique combination of the private IP address and port, with translation to the global address and a unique port number. Numerous hosts may have a similar IP address because the port number is unique.
PAT is the most widely used and trusted form of NAT. The diagram below gives a description of how PAT operates.
WHAT IS A NAT TABLE
The NAT process centers on the NAT table, an operation that is managed within a router or other NAT-enabled device. NAT tables are created by tracking bi-directional connections between the internal network (LAN) and the external network (Internet). As connections are made across the router, the NAT table is populated. This way, the router can consult the NAT table, locate the correct connection entries, and perform the necessary change to a packet address to ensure it goes where it should. Data packets are discarded if no match is found.
Each row in the NAT table is a pairing of the private IP address with an outside destination address and port. The source address, source port, destination address, and destination port characterize a connection. Once connections are closed, the entries are deleted from the table.
SUMMARY
NAT was devised to conserve the declining number of public IPv4 addresses available for use. NAT assigns one legal, globally unique IP address to multiple devices on a private network, therefore giving them access to the Internet or to other outside networks. NAT also provides additional security by effectively hiding the entire internal network.
www.antaira.com