How Network Address Translation Works.doc

8/10/2019 How Network Address Translation Works.doc

1/10

How Network Address Translation Works by Jeff Tyson

Browse the article How Network Address Translation Works

Computer Networking Image allery

Network Address Translation helps impro!e security by reusing I" addresses# The NAT routertranslates traffic coming into and lea!ing the pri!ate network# $ee more pictures of computernetworking #

Introduction to How Network Address Translation Works

If you are reading this article% you are most likely connected to the Internet and !iewing it at theHow$tuffWorks Web site# There&s a !ery good chance that you are using Network AddressTranslation 'NAT( right now#

The Internet has grown larger than anyone e!er imagined it could be# Although the e)act si*e isunknown% the current estimate is that there are about +,, million hosts and more than -., million usersacti!ely on the Internet# That is more than the entire population of the /nited $tates0 In fact% the rate of growth has been such that the Internet is effecti!ely doubling in si*e each year#

$o what does the si*e of the Internet ha!e to do with NAT1 2!erything0 3or a computer tocommunicate with other computers and Web ser!ers on the Internet% it must ha!e an IP address # An I"address 'I" stands for Internet "rotocol( is a uni4ue -56bit number that identifies the location of yourcomputer on a network# Basically% it works like your street address 66 as a way to find out e)actlywhere you are and deli!er information to you#

When I" addressing first came out% e!eryone thought that there were plenty of addresses to co!er anyneed# Theoretically% you could ha!e 7%587%89:%589 uni4ue addresses '5 -5 (# The actual number ofa!ailable addresses is smaller 'somewhere between -#5 and -#- billion( because of the way that theaddresses are separated into classes% and because some addresses are set aside for multicasting% testingor other special uses#

With the e)plosion of the Internet and the increase in home networks and business networks% thenumber of a!ailable I" addresses is simply not enough# The ob!ious solution is to redesign the addressformat to allow for more possible addresses# This is being de!eloped 'called IPv6 (% but will takese!eral years to implement because it re4uires modification of the entire infrastructure of the Internet#
http://computer.howstuffworks.com/nat.htm/author-tyson.htmhttp://computer.howstuffworks.com/nat.htmhttp://computer.howstuffworks.com/computer-networking-pictures.htmhttp://computer.howstuffworks.com/computer-networking-pictures.htmhttp://computer.howstuffworks.com/web-server.htmhttp://computer.howstuffworks.com/web-server.htmhttp://computer.howstuffworks.com/internet/basics/question549.htmhttp://computer.howstuffworks.com/internet/basics/question549.htmhttp://computer.howstuffworks.com/internet/basics/question549.htmhttp://computer.howstuffworks.com/internet/basics/question549.htmhttp://computer.howstuffworks.com/internet/basics/question549.htmhttp://computer.howstuffworks.com/home-network.htmhttp://computer.howstuffworks.com/computer-networking-pictures.htmhttp://computer.howstuffworks.com/nat.htmhttp://computer.howstuffworks.com/computer-networking-pictures.htmhttp://computer.howstuffworks.com/computer-networking-pictures.htmhttp://computer.howstuffworks.com/web-server.htmhttp://computer.howstuffworks.com/internet/basics/question549.htmhttp://computer.howstuffworks.com/internet/basics/question549.htmhttp://computer.howstuffworks.com/internet/basics/question549.htmhttp://computer.howstuffworks.com/home-network.htmhttp://computer.howstuffworks.com/nat.htm/author-tyson.htm


2/10

This is where NAT ' ;3C +9-+ ( comes to the rescue# Network Address Translation allows a singlede!ice% such as a router % to act as an agent between the Internet 'or


3/10

In d(namic NAT, the computer with the IP address !"#$!6%$$!' will translate to the irstavaila*le address in the ran+e rom #!&$!%$!#&$!'' to #!&$!%$!#&$! '$

D(namic NAT 6 aps an unregistered I" address to a registered I" address from a group ofregistered I" addresses#

-verloadin+ 6 A form of dynamic NAT that maps multiple unregistered I" addresses to asingle registered I" address by using different ports# This is known also as "AT '"ort AddressTranslation(% single address NAT or port6le!el multiple)ed NAT#

In overloadin+, each computer on the private network is translated to the same IP address.#!&$!%$!#&$!''/, *ut with a di erent port num*er assi+nment$

-verlappin+ 6 When the I" addresses used on your internal network are registered I" addressesin use on another network% the router must maintain a lookup table of these addresses so that itcan intercept them and replace them with registered uni4ue I" addresses# It is important to notethat the NAT router must translate the


4/10

network$ It will also translate the re+istered +lo*al IP addresses *ack to the unre+istered local IPaddresses when in ormation is sent to the internal network$

The internal network is usually a 2AN .2ocal Area Network/ % commonly referred to as the stu*domain # A stub domain is a >AN that uses I" addresses internally# ost of the network traffic in a stub

domain is local% so it doesn&t tra!el outside the internal network# A stub domain can include bothregistered and unregistered I" addresses# f course% any computers that use unregistered I" addressesmust use Network Address Translation to communicate with the rest of the world#

In the ne)t section we&ll look at the different ways NAT can be configured#

IP addresses have di erent desi+nations *ased on whether the( are on the private network .stu*domain/ or on the pu*lic network .Internet/, and whether the tra ic is incomin+ or out+oin+$

NAT Con i+uration

NAT can be configured in !arious ways# In the e)ample below% the NAT router is configured to

translate unregistered 'inside% local( I" addresses% that reside on the pri!ate 'inside( network% toregistered I" addresses# This happens whene!er a de!ice on the inside with an unregistered addressneeds to communicate with the public 'outside( network#

An I$" assigns a range of I" addresses to your company# The assigned block of addresses areregistered% uni4ue I" addresses and are called inside +lo*al addresses # /nregistered% pri!ate I"addresses are split into two groups# ne is a small group ' outside local addresses ( that will beused by the NAT routers# The other% much larger group% known as inside local addresses % will

be used on the stub domain# The outside local addresses are used to translate the uni4ue I"addresses% known as outside +lo*al addresses % of de!ices on the public network#

ost computers on the stub domain communicate with each other using the inside localaddresses#

$ome computers on the stub domain communicate a lot outside the network# These computersha!e inside global addresses% which means that they do not re4uire translation#

When a computer on the stub domain that has an inside local address wants to communicateoutside the network% the packet goes to one of the NAT routers#

The NAT router checks the routing table to see if it has an entry for the destination address# If itdoes% the NAT router then translates the packet and creates an entry for it in the addresstranslation table# If the destination address is not in the routing table% the packet is dropped#

/sing an inside global address% the router sends the packet on to its destination#

A computer on the public network sends a packet to the pri!ate network# The source address onthe packet is an outside global address# The destination address is an inside global address#


5/10

The NAT router looks at the address translation table and determines that the destinationaddress is in there% mapped to a computer on the stub domain#

The NAT router translates the inside global address of the packet to the inside local address%and sends it to the destination computer#

NAT o!erloading utili*es a feature of the TC" I" protocol stack % multiple1in+ % that allows a computerto maintain se!eral concurrent connections with a remote computer 'or computers( using different TC"or /?" ports # An I" packet has a header that contains the following information@

)ource Address 6 The I" address of the originating computer% such as 5,+#-#D-#+-5 )ource Port 6 The TC" or /?" port number assigned by the originating computer for this

packet% such as "ort +,D, Destination Address 6 The I" address of the recei!ing computer% such as +7.#.+#+D#55- Destination Port 6 The TC" or /?" port number that the originating computer is asking the

recei!ing computer to open% such as "ort -,5+

The addresses specify the two machines at each end% while the port numbers ensure that the connection between the two computers has a uni4ue identifier# The combination of these four numbers defines asingle TC" I" connection# 2ach port number uses +9 bits% which means that there are a possible 9.%.-9'5 +9( !alues# ;ealistically% since different manufacturers map the ports in slightly different ways% youcan e)pect to ha!e about 7%,,, ports a!ailable#

D(namic NAT and -verloadin+

Here&s howd(namic NAT works@

An internal network 'stub domain( has been set up with I" addresses that were not specificallyallocated to that company by IANA ' Internet Assigned Numbers Authority (% the globalauthority that hands out I" addresses# These addresses should be considered non3routa*le since they are not uni4ue#

The company sets up a NAT6enabled router# The router has a range of uni4ue I" addressesgi!en to the company by IANA#

A computer on the stub domain attempts to connect to a computer outside the network% such asa Web ser!er#

The router recei!es the packet from the computer on the stub domain# The router sa!es the computer&s non6routable I" address to an address translation ta*le # The

router replaces the sending computer&s non6routable I" address with the first a!ailable I"address out of the range of uni4ue I" addresses# The translation table now has a mapping of thecomputer&s non6routable I" address matched with the one of the uni4ue I" addresses#

When a packet comes back from the destination computer% the router checks the destinationaddress on the packet# It then looks in the address translation table to see which computer onthe stub domain the packet belongs to# It changes the destination address to the one sa!ed in theaddress translation table and sends it to that computer# If it doesn&t find a match in the table% itdrops the packet#

The computer recei!es the packet from the router# The process repeats as long as the computeris communicating with the e)ternal system#

Here&s howoverloadin+ works@
http://computer.howstuffworks.com/web-server.htmhttp://computer.howstuffworks.com/web-server.htmhttp://computer.howstuffworks.com/web-server.htmhttp://computer.howstuffworks.com/web-server.htmhttp://www.iana.org/http://computer.howstuffworks.com/web-server.htmhttp://computer.howstuffworks.com/web-server.htmhttp://computer.howstuffworks.com/web-server.htmhttp://www.iana.org/


6/10

An internal network 'stub domain( has been set up with non6routable I" addresses that were notspecifically allocated to that company by IANA#

The company sets up a NAT6enabled router# The router has a uni4ue I" address gi!en to thecompany by IANA#

A computer on the stub domain attempts to connect to a computer outside the network% such as

a Web ser!er# The router recei!es the packet from the computer on the stub domain# The router sa!es the computer&s non6routable I" address and port number to an address

translation table# The router replaces the sending computer&s non6routable I" address with therouter&s I" address# The router replaces the sending computer&s source port with the port number that matches where the router sa!ed the sending computer&s address information in the addresstranslation table# The translation table now has a mapping of the computer&s non6routable I"address and port number along with the router&s I" address#

When a packet comes back from the destination computer% the router checks the destination port on the packet# It then looks in the address translation table to see which computer on thestub domain the packet belongs to# It changes the destination address and destination port to theones sa!ed in the address translation table and sends it to that computer#

The computer recei!es the packet from the router# The process repeats as long as the computeris communicating with the e)ternal system#

$ince the NAT router now has the computer&s source address and source port sa!ed to theaddress translation table% it will continue to use that same port number for the duration of theconnection# A timer is reset each time the router accesses an entry in the table# If the entry is notaccessed again before the timer e)pires% the entry is remo!ed from the table#

In the ne)t section we&ll look at the organi*ation of stub domains#

)tu* Domains>ook below to see how the computers on a stub domain might appear to e)ternal networks#

$ource Computer A

I" Address@ +85#+9D#-5#+,

Computer "ort@ 7,,

NAT ;outer I" Address@ 5+.#-:#-5#5,-

NAT ;outer Assigned "ort Number@ +

$ource Computer B

I" Address@ +85#+9D#-5#+-

Computer "ort@ .,


NAT ;outer Assigned "ort Number@ 5


7/10

$ource Computer C

I" Address@ +85#+9D#-5#+.

Computer "ort@ -:.,


NAT ;outer Assigned "ort Number@ -

$ource Computer ?

I" Address@ +85#+9D#-5#+D

Computer "ort@ 5,9


NAT ;outer Assigned "ort Number@ 7

As you can see% the NAT router stores the I" address and port number of each computer# It thenreplaces the I" address with its own registered I" address and the port number corresponding to thelocation% in the table% of the entry for that packet&s source computer# $o any e)ternal network sees the

NAT router&s I" address and the port number assigned by the router as the source6computerinformation on each packet#

=ou can still ha!e some computers on the stub domain that use dedicated I" addresses# =ou can createan access list of I" addresses that tells the router which computers on the network re4uire NAT# Allother I" addresses will pass through untranslated#

The number of simultaneous translations that a router will support are determined mainly by theamount of D4A5 '?ynamic ;andom Access emory( it has# But since a typical entry in the address6translation table only takes about +9, bytes% a router with 7 B of ?;A could theoretically process59%5+7 simultaneous translations% which is more than enough for most applications#

IANA has set aside specific ranges of I" addresses for use as non6routable% internal network addresses#These addresses are considered unre+istered 'for more information check out ;3C +8+D@ Address

Allocation for "ri!ate Internets % which defines these address ranges(# No company or agency can claimownership of unregistered addresses or use them on public computers# ;outers are designed to discard'instead of forward( unregistered addresses# What this means is that a packet from a computer with anunregistered address could reach a registered destination computer% but the reply would be discarded

by the first router it came to#

There is a range for each of the three classes of I" addresses used for networking@

;ange +@ Class A 6 +,#,#,#, through +,#5..#5..#5.. ;ange 5@ Class B 6 +:5#+9#,#, through +:5#-+#5..#5.. ;ange -@ Class C 6 +85#+9D#,#, through +85#+9D#5..#5..
http://www.ietf.org/rfc/rfc1918.txthttp://www.ietf.org/rfc/rfc1918.txthttp://www.ietf.org/rfc/rfc1918.txthttp://www.ietf.org/rfc/rfc1918.txt


8/10

Although each range is in a different class% your are not re4uired to use any particular range for yourinternal network# It is a good practice% though% because it greatly diminishes the chance of an I"address conflict#

)tatic NAT .in*ound mappin+/ allows a computer on the stu* domain to maintain a speci icaddress when communicatin+ with devices outside the network$

)ecurit( and AdministrationImplementing dynamic NAT automatically creates a irewall between your internal network andoutside networks% or between your internal network and the Internet# NAT only allows connections thatoriginate inside the stub domain# 2ssentially% this means that a computer on an e)ternal network cannotconnect to your computer unless your computer has initiated the contact# =ou can browse the Internetand connect to a site% and e!en download a fileE but somebody else cannot latch onto your I" addressand use it to connect to a port on your computer#

In specific circumstances% $tatic NAT% also called in*ound mappin+ % allows e)ternal de!ices toinitiate connections to computers on the stub domain# 3or instance% if you wish to go from an inside

global address to a specific inside local address that is assigned to your Web ser!er% $tatic NAT wouldenable the connection#

$ome NAT routers pro!ide for e)tensi!e filtering and traffic logging# 3iltering allows your company tocontrol what type of sites employees !isit on the Web% pre!enting them from !iewing 4uestionablematerial# =ou can use traffic logging to create a log file of what sites are !isited and generate !ariousreports from it#

NAT is sometimes confused with pro1( servers % but there are definite differences between them# NATis transparent to the source and to destination computers$ Neither one reali*es that it is dealingwith a third de!ice# But a pro)y ser!er is not transparent# The source computer knows that it is makinga re4uest to the pro)y ser!er and must be configured to do so# The destination computer thinks that the

pro)y ser!er I) the source computer% and deals with it directly# Also% pro)y ser!ers usually work atlayer 7 'transport( of the $I ;eference odel or higher% while NAT is a layer - 'network( protocol#Working at a higher layer makes pro)y ser!ers slower than NAT de!ices in most cases#
http://computer.howstuffworks.com/osi.htmhttp://computer.howstuffworks.com/osi.htmhttp://computer.howstuffworks.com/osi.htm


9/10

NAT operates at the Network la(er .la(er &/ o the -)I 4e erence 5odel 33 this is the la(er thatrouters work at$

A real benefit of NAT is apparent in network administration # 3or e)ample% you can mo!e your Webser!er or 3T" ser!er to another host computer without ha!ing to worry about broken links# $implychange the inbound mapping at the router to reflect the new host# =ou can also make changes to yourinternal network easily% because the only e)ternal I" address either belongs to the router or comes froma pool of global addresses#

NAT and ?HC" 'dynamic host configuration protocol ( are a natural fit# =ou can choose a range ofunregistered I" addresses for your stub domain and ha!e the ?HC" ser!er dole them out as necessary#It also makes it much easier to scale up your network as your needs grow# =ou don&t ha!e to re4uestmore I" addresses from IANA# Instead% you can Fust increase the range of a!ailable I" addressesconfigured in ?HC" to immediately ha!e room for additional computers on your network#

5ulti3homin+

As businesses rely more and more on the Internet% ha!ing multiple points of connection to the Internetis fast becoming an integral part of their network strategy# ultiple connections% known as multi3homin+ % reduces the chance of a potentially catastrophic shutdown if one of the connections shouldfail#

In addition to maintaining a reliable connection% multi6homing allows a company to perform load3*alancin+ by lowering the number of computers connecting to the Internet through any single


10/10

connection# ?istributing the load through multiple connections optimi*es the performance and cansignificantly decrease wait times#

ulti6homed networks are often connected to se!eral different I)Ps 'Internet $er!ice "ro!iders(# 2achI$" assigns an I" address 'or range of I" addresses( to the company# ;outers use 7P 'Border

ateway "rotocol(% a part of the TC" I" protocol suite% to route between networks using different protocols# In a multi6homed network% the router utili*es I 7P 'Internal Border ateway "rotocol( onthe stub domain side% and 8 7P '2)ternal Border ateway "rotocol( to communicate with otherrouters#

ulti6homing really makes a difference if one of the connections to an I$" fails# As soon as the routerassigned to connect to that I$" determines that the connection is down% it will reroute all data throughone of the other routers#

NAT can be used to facilitate scalable routing for multi6homed% multi6pro!ider connecti!ity# 3or moreon multi6homing% see Cisco@ 2nabling 2nterprise ultihoming #

3or lots more information on NAT and related topics% check out the links on the ne)t page#

2ots 5ore In ormation

;elated Articles

How Web $er!ers Work How >AN $witches Work How ;outers Work How 2thernet Works How Home Networking Works How $I Works

ore reat >inks

Network Address Translation 3AG Netsi*er@ ;ealtime Internet rowth Cisco@ Network Address Translation NAT Technical ?iscussion Cisco@ Configuring I" Addressing Cisco@ NAT !erlapping Cisco@ NAT rder of peration I" Journal@ The Trouble With NAT Cisco@ 2nabling 2nterprise ultihoming ;3C +9-+@ The I" Network Address Translator 'NAT(

;3C +8+D@ Address Allocation for "ri!ate Internets
http://www.cisco.com/warp/public/cc/pd/iosw/ioft/ionetn/tech/emios_wp.htmhttp://computer.howstuffworks.com/web-server.htmhttp://computer.howstuffworks.com/lan-switch.htmhttp://computer.howstuffworks.com/router.htmhttp://computer.howstuffworks.com/ethernet.htmhttp://computer.howstuffworks.com/home-network.htmhttp://computer.howstuffworks.com/osi.htmhttp://www.vicomsoft.com/knowledge/reference/nat.htmlhttp://www.netsizer.com/http://www.cisco.com/warp/public/732/nat/http://www.safety.net/nattech.htmlhttp://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/np1_c/1cprt2/1cipadr.htmhttp://www.cisco.com/warp/public/556/3.htmlhttp://www.cisco.com/warp/public/556/5.htmlhttp://www.cisco.com/warp/public/759/ipj_3-4/ipj_3-4_nat.htmlhttp://www.cisco.com/warp/public/cc/pd/iosw/ioft/ionetn/tech/emios_wp.htmhttp://www.faqs.org/rfcs/rfc1631.htmlhttp://www.ietf.org/rfc/rfc1918.txthttp://www.cisco.com/warp/public/cc/pd/iosw/ioft/ionetn/tech/emios_wp.htmhttp://computer.howstuffworks.com/web-server.htmhttp://computer.howstuffworks.com/lan-switch.htmhttp://computer.howstuffworks.com/router.htmhttp://computer.howstuffworks.com/ethernet.htmhttp://computer.howstuffworks.com/home-network.htmhttp://computer.howstuffworks.com/osi.htmhttp://www.vicomsoft.com/knowledge/reference/nat.htmlhttp://www.netsizer.com/http://www.cisco.com/warp/public/732/nat/http://www.safety.net/nattech.htmlhttp://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/np1_c/1cprt2/1cipadr.htmhttp://www.cisco.com/warp/public/556/3.htmlhttp://www.cisco.com/warp/public/556/5.htmlhttp://www.cisco.com/warp/public/759/ipj_3-4/ipj_3-4_nat.htmlhttp://www.cisco.com/warp/public/cc/pd/iosw/ioft/ionetn/tech/emios_wp.htmhttp://www.faqs.org/rfcs/rfc1631.htmlhttp://www.ietf.org/rfc/rfc1918.txt

Documents

How Network Address Translation Works.doc