What Is Network Address Translation (NAT)

What Is Network Address Translation NAT

NAT translates the IP address in the IP datagram header of a packet into another IP address and translates the port number to make the IP address reusable. As a transition technology that alleviates public IPv4 address exhaustion, NAT is easy to implement and therefore widely used.

What Is NAT Used for?

As the number of network applications increases, IPv4 address exhaustion has become a bottleneck hindering network development. Before IPv6 can be widely used to replace IPv4 that has been running on network devices and bearing existing applications, some IPv4-to-IPv6 transition technologies (such as CIDR and private IP addresses) can be used to alleviate the IPv4 address shortage. NAT is such a kind of transition technology.

When a packet sent by an intranet user for accessing the Internet reaches a NAT-enabled gateway, the gateway translates the IP address in the IP datagram header of the packet to another IP address and the port number to another port number, and then forwards the packet to the Internet. In this process, the gateway can translate the IP addresses of packets from different intranet users to the same public IP address and differentiate intranet users based on port numbers. In this way, the public IP address can be reused.

In early times, NAT refers to basic NAT, which is easy to implement and can translate only IP addresses but not port numbers. Therefore, basic NAT can only allow intranet users to access the Internet, but cannot address the IPv4 address shortage issue. Later, Network Address Port Translation (NAPT) came into being, which can translate both IP addresses and port numbers and allows multiple private IP addresses to be mapped to the same public IP address. As such, NAPT alleviates the IP address shortage.

 

NAT Types

Based on whether the source or destination IP addresses of packets are translated, NAT is classified into source NAT, destination NAT, and bidirectional NAT.

Source NAT

Source NAT translates only source IP addresses of packets and applies to the scenario where intranet users access the Internet. When a packet sent from an intranet user for accessing the Internet reaches a NAT device, the NAT device translates the private IPv4 address of the packet into a public IPv4 address. In this way, the intranet user can access the Internet.

Based on whether port number translation is performed during source IP address translation, source NAT is categorized into the types shown in the following figure.

source NAT is categorized into the types

Destination NAT

Destination NAT translates only the destination IP addresses and destination port numbers of packets and applies to scenarios where Internet users require to access intranet services. When a packet sent from an Internet user for accessing intranet services reaches a NAT device, the NAT device translates the public IPv4 address of the packet into a private IPv4 address. In this way, the Internet user can access intranet services.

Destination NAT can be classified into the types shown in the following figure based on whether there are fixed mappings between pre-NAT and post-NAT IP addresses.

between pre NAT and post NAT IP addresses

Bidirectional NAT

Bidirectional NAT translates both the source and destination IP addresses of packets. Bidirectional NAT is not an independent function. Instead, it is a combination of source NAT and destination NAT. Bidirectional NAT applies to the same flow. When receiving a packet, a NAT device translates both the source and destination IP addresses of the packet. Bidirectional NAT applies to scenarios where both Internet and intranet users require to access intranet servers.

NAT Types Defined in STUN

In the Session Traversal Utilities for NAT (STUN) protocol, NAT is classified into four types based on the mapping mode from private IP addresses and port numbers to public IP addresses and numbers, as shown in the following figure.

NAT Types Defined in STUN

Full-cone NAT

All requests from the same private IP address and port (for example, IP1:Port1) are mapped to the same public IP address and port (for example, IP:Port). In addition, any host on the Internet can communicate with the host on the intranet by sending packets to the mapped public IP address and port.

This is a relatively loose NAT policy. As long as the mapping between the private IP address and port and the public IP address and port is established, any host on the Internet can access the host on the intranet through the NAT device.

Restricted-cone NAT

All requests from the same private IP address and port (for example, IP1:Port1) are mapped to the same public IP address and port (for example, IP:Port). A host on the Internet can send packets to the host on the intranet only if the host on the intranet has previously sent a packet to the host on the Internet.

Port-restricted cone NAT

Port-restricted cone NAT is similar to restricted-cone NAT, but the restriction includes port numbers. That is, a host on the Internet (for example, IP2:Port2) can send packets to a host on the intranet only if the host on the intranet has previously sent a packet to the host on the Internet.

Symmetric NAT

All requests sent from the same private IP address and port to a specific destination IP address and port are mapped to the same IP address and port. If a host sends a packet with the same source IP address and port number to a different destination, a different NAT mapping is used. In addition, only a host on the Internet that receives a packet from a host on the intranet can send a packet back.

Unlike port-restricted cone NAT that maps all requests from the same private IP address and port to the same public IP address and port, regardless of their destinations, symmetric NAT maps requests with the same source IP address and port number but different destinations to different public IP addresses and ports.