Understanding NAT: Benefits and Reasons to Use Network Address Translation

September 7, 2023 By Das

NAT, or Network Address Translation, is a process that translates one IP address into another. In other words, NAT’s role is to modify the IP header in a packet.

Back in the 1990s, as the internet rapidly expanded, there were growing concerns about the depletion of available IPv4 addresses. NAT was invented as a solution to this problem. It was developed to allow multiple devices on a private network to share a single public IP address, thereby conserving the limited pool of IP addresses. Although it was originally intended as a temporary solution until IPv6 could be fully implemented, NAT remains widely used today, and not just for conserving IP addresses.

Public And Private IP Addresses

In the past, if someone wanted to assign IP addresses to their private network, like an office network, they would need to coordinate with IANA (Internet Assigned Numbers Authority), which is responsible for IP address allocation. However, as the internet grew, it became clear that the pool of available IP addresses was running out. To address this issue, Network Address Translation was invented.

NAT allows private networks to use specific subnets, known as private IP addresses, while using a separate set of IP addresses, known as public IP addresses, for communication between networks on the internet. 

According to IETF RFC 1918, the following IP address ranges are reserved for private networks:

  • 10.0.0.0 – 10.255.255.255 (Class A private IP range)
  • 172.16.0.0 – 172.31.255.255 (Class B private IP range)
  • 192.168.0.0 – 192.168.255.255 (Class C private IP range)

Any IP addresses outside of these ranges are considered public IP addresses. These public IP addresses are unique and are used to identify devices on the internet. Only public IP addresses can be routed on the internet.

This means that within a private network, thousands of devices can share a single public IP address when accessing the internet, significantly conserving the number of public IP addresses needed.

Take your home network as an example—if you check the IP addresses of all the devices connected, whether wired or via Wi-Fi, you’ll notice that their IP addresses come from the private IP pool (such as 192.168.x.x or 10.x.x.x). These private IP addresses are used within your home network.

However, when you browse the internet, your computer uses a public IP address. This public IP address is what websites and external servers see, and you can find out what it is by visiting a site like https://www.whatismyip.com/.

NAT Flow 

NAT, as described in IETF RFC 2663, is a network protocol implemented in intermediate devices like routers or firewalls that modifies the IP address within a packet. It allows hosts in a private network to communicate transparently with destinations on an external network and vice versa. As mentioned above, NAT is typically used to translate private IP addresses inside a local network to public ones that can communicate over the internet, as shown below:

[Figure: NATflow1]

As shown in the picture, the source IP address in the packet coming from the local network computer is changed before it continues to the internet. Let’s explain this process in more detail.

One of the most common examples is your router at home – the one your smartphone or computer uses to access the internet.

In a home local network, all devices connected to the router, either physically or via WiFi, such as your smartphone, computer, or smart TV, have private IP addresses. In the picture above, we see an example of a computer in a local network with the IP address 192.168.1.1.

When a device wants to access the internet, it sends packets to the network gateway (such as a router or firewall). Since private IP addresses cannot be routed on the internet, the source IP address of the packets must be changed to a public IP address. This is the role of the gateway—before forwarding the packets, it replaces the source IP address in each packet with a public IP address. In the picture, we can see the router replacing the source IP in the packet from 192.168.1.1, which is a private IP, with 172.32.10.2, which is a public IP.

It is the same for returning traffic. This time the gateway replaces the destination IP, from the public one (in our example, 172.32.10.2) to the private IP of the device in the local network (in our case, 192.168.1.1):

[Figure: NATflow2]

Translation Table

Think about it— in a standard home network, there are many devices like smartphones, computers, smart TVs, and more. How does the gateway know which device in the LAN should receive the returning traffic when all the devices share the same public IP address? 

This is where the translation table comes into play. When traffic is translated, the gateway keeps a record of the translation in the translation table:

[Figure: dynamicnat]

When traffic returns, the gateway checks the translation table to determine which IP address needs to be translated back to which. This ensures that the data reaches the correct device on the local network. While we are discussing the scenario of translating private to public IP addresses, note that NAT is also useful in other situations.

NAT Types 

There are three types of NAT:

  1. Static NAT – involves a one-to-one mapping. The gateway allocates a specific public IP to a specific private IP. In this type you need to manually specify the public and private addresses. It is useful for servers or devices requiring consistent or unique IP addresses. The translation table will contain a static entry that looks like this: [Figure: staticnat]
  2. Dynamic NAT – translates the IPs of multiple devices to different public IP addresses. There is a pool of public IPs, and the router selects a temporary IP for each device. [Figure: dynamicnat]
  3. PAT, or Port Address Translation – allows multiple devices to share the same public IP address simultaneously. It works by using port numbers to differentiate packets from each device. When a packet arrives at the router, the router changes the source port and IP address in the packet, records this information in a translation table, and then forwards the packet to its destination. When the response packet returns, the router checks the destination port and uses the translation table to forward the packet to the correct device on the local network. PAT, also known as NAT overload, is commonly used in home networks. [Figure: patnat]

In some contexts, “Dynamic NAT” can refer to the combination of both Dynamic NAT and PAT.
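To make the translation table concrete, here is a small PAT gateway simulator in Python. It is an added example, not code from the original post; it reuses the page's addresses (192.168.1.1 inside, 172.32.10.2 outside, 82.69.7.240 as the server), while the second host 192.168.1.20, the port numbers and the stray packet from 203.0.113.9 are constructed for the demonstration.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# The three RFC 1918 blocks from the list above, in CIDR form.
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]

def is_private(ip: str) -> bool:
    return any(ip_address(ip) in net for net in RFC1918)

# A minimal IP/port 4-tuple standing in for the packet header (constructed).
Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port")

class PatGateway:
    """PAT (NAT overload): many private hosts share one public IP address."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        if is_private(public_ip):
            raise ValueError("outside address must be public")
        self.public_ip = public_ip
        self.next_port = first_port   # next free translated source port
        self.table = {}               # (private_ip, port) -> public port
        self.reverse = {}             # public port -> (private_ip, port)

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite the source and record the mapping in the translation table."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.table:     # first packet of this flow: allocate a port
            self.table[key] = self.next_port
            self.reverse[self.next_port] = key
            self.next_port += 1
        return Packet(self.public_ip, self.table[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet):
        """Look up a returning packet by destination port; None means no entry."""
        entry = self.reverse.get(pkt.dst_port)
        if pkt.dst_ip != self.public_ip or entry is None:
            return None               # unsolicited: no entry to translate to, so dropped
        private_ip, private_port = entry
        return Packet(pkt.src_ip, pkt.src_port, private_ip, private_port)

def demo():
    """Two LAN hosts with the same source port talk to the same server (constructed)."""
    gw = PatGateway("172.32.10.2")
    laptop = gw.outbound(Packet("192.168.1.1", 51000, "82.69.7.240", 443))
    phone = gw.outbound(Packet("192.168.1.20", 51000, "82.69.7.240", 443))
    reply = gw.inbound(Packet("82.69.7.240", 443, "172.32.10.2", phone.src_port))
    stray = gw.inbound(Packet("203.0.113.9", 12345, "172.32.10.2", 22))
    return laptop, phone, reply, stray
```

Because both hosts use source port 51000, only the rewritten port tells their replies apart; the stray packet to port 22 is dropped because the table has no entry for it.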

Terminology

There are four address types in NAT: inside local, outside local, inside global, and outside global.

To differentiate between them, it’s important to understand the direction of the NAT process, which determines the inside and outside zones: [Figure: nat zone outside inside]

  • Inside Local – The IP address of a device within the local network before translation (192.168.1.1 in our example).
  • Outside Local – The IP address of the local device as it appears to the outside world after NAT translation (172.32.10.2 in our example).
  • Inside Global – The IP address of an external device as it appears within the local network (82.69.7.240 in our example).
  • Outside Global – The actual IP address of an external device as seen on the public network (82.69.7.240 in our example). This address will differ from the Inside Global address if we use destination translation.

Why Use NAT?

  1. IP Conservation – as we know, there is a major shortage of IPv4 addresses. NAT is an effective way to save IP addresses, since several devices use the same public IP.
  2. Security – using NAT, and specifically PAT, is considered more secure for your network. All of your private LAN devices hide behind one IP address, and because an unsolicited inbound packet matches no entry in the translation table, outside hosts cannot connect directly to your devices.
  3. Simplified Network Management – NAT reduces the number of public IP addresses needed, and therefore reduces the administrative overhead associated with IP management (allocation, tracking and more).
  4. Flexibility – NAT gives network managers the freedom to implement segmentation and make address changes within the local network.
  5. Easier Network Integration – NAT enables simple deployment and integration in the network, since the topology of the local network is simple and flexible.

Configuration On Cisco IOS

To configure NAT, follow these steps:

Configure Inside And Outside Interface

First, configure the relevant interfaces as inside or outside using the following commands:

On the inside interface:

  • (config-if)# ip nat inside

On the outside interface:

  • (config-if)# ip nat outside

Configure Static NAT

To set up static NAT, use the following command:

  • (config)# ip nat inside source static [inside-local] [inside-global]

Configure Dynamic NAT

To set up dynamic NAT, define a pool of public addresses, define an ACL that selects the inside addresses allowed to use NAT, and then bind the two together:

  • (config)# ip nat pool [pool-name] [address-start] [address-end] netmask [subnet-mask]
  • Configure an ACL that describes which inside addresses can use NAT
  • (config)# ip nat inside source list [ACL-name] pool [pool-name]

Configure PAT

To set up PAT, use one of the following commands:

If you want to do PAT on a pool of addresses:

  • (config)# ip nat inside source list [ACL-name] pool [pool-name] overload

If you want to do PAT on a specific interface IP:

  • (config)# ip nat inside source list [ACL-name] interface [int] overload

Verification

To view the NAT translation table and verify your configuration, use the following command from privileged EXEC mode:

  • # show ip nat translations

Conclusion

In conclusion, NAT is crucial for bridging private networks and the internet, translating IP addresses seamlessly. It masks internal addresses and keeps network traffic flowing efficiently. In essence, NAT is indispensable, enabling efficient connectivity and safeguarding against unauthorized access, a cornerstone of contemporary networking infrastructure.