NETWORK ADDRESS TRANSLATION (NAT)

NAT CONCEPTS

NOTE: NAT is not only used for networks that connect to the Internet. You can use NAT even between private networks as we will see in the pages to follow, but because most networks use it for their Internet connection, we are focusing on that.

The NAT concept is simple: it allows a single device to act as an Internet gateway for internal LAN clients by translating the clients' internal network IP Addresses into the IP Address on the NAT-enabled gateway device.

In other words, NAT runs on the device that's connected to the Internet and hides the rest of your network from the public, thus making your whole network appear as one device (or computer, if you like) to the rest of the world.

NAT is transparent to your network, meaning all internal network devices are not required to be reconfigured in order to access the Internet. All that's required is to let your network devices know that the NAT device is the default gateway to the Internet.

NAT is secure since it hides your network from the Internet. All communications from your private network are handled by the NAT device, which will ensure all the appropriate translations are performed and provide a flawless connection between your devices and the Internet.

The diagram below illustrates this:

As you can see, we have a simple network of 4 hosts (computers) and one router that connects this network to the Internet. All hosts in our network have a private Class C IP Address, including the router's private interface (192.168.0.1), while the public interface that's connected to the Internet has a real IP Address (203.31.220.134).

If you're having trouble understanding, the following diagram shows how the Internet would see the above setup:

As you can see, the idea behind NAT is really simple. Remember that we have mentioned there are 3 different NAT modes to suit all types of network configurations. If required you can use NAT to allow the Internet to see specific machines on your internal network !

Such configurations will allow the Internet to access an internal webserver or ftp server you might have, without directly compromising your network security. Of course special actions need to be taken to ensure that your visitors are restricted to the resources you want and that's where the firewall comes into the picture. We'll discover how all this is possible in the next pages, so be patient and keep reading !

HOW NAT WORKS

There are 3 different ways in which NAT works. However, the principle is the same for all 3 modes. To help understand it we need a good, simple example and the first one at the beginning of this page will do the job just fine.

The trick to understanding how NAT works is to realise that only the device (router, firewall or pc) that connects directly to the Internet performs NAT. For our example this device happens to be a router, but it could even be a simple PC; it makes no difference for us.

As you already know, all requests the workstations generate are sent to the Internet via the router. The router will then perform NAT on these packets and send them to their destination. As each packet arrives into the router's private interface, the router will strip the source IP Address from the 3rd layer (network layer) e.g 192.168.0.10 and place its own public IP address (203.31.220.134) before sending it to the Internet.

This is how the packet then seems to have originated from the router itself. In some cases, depending on the NAT mode, the source and destination port numbers (layer 4) will be changed as well but we examine that on the pages that follow. For now, we'll just look at the simple IP translation within the router.

The illustration below shows how the router modifies the packets:

In this illustration, a workstation from our network has generated a packet with a destination IP Address 135.250.24.10. Logically, this packet is first sent to the gateway, which performs NAT on this packet and then sends it to the Internet to finally make its way to the destined host.

Looking more closely at the gateway (router) during the initial NAT operation, the original packet's Source IP is changed from 192.168.0.12 to that of the router's public interface, which is 203.31.220.134, then the router stores this information in a special address within its memory (also called NAT Table - explained next), so when the expected reply arrives it will know to which workstation within its network it needs to forward it.

THE NETWORK ADDRESS TRANSLATION TABLE

The NAT table is the heart of the whole NAT operation, which takes place within the router (or any NAT-enabled device) as packets arrive and leave its interfaces. Each connection from the internal (private) network to the external (public-Internet) network, and vice versa, is tracked and a special table is created to help the router determine what to do with all incoming packets on all of its interfaces; in our example there are two. This table, known as the NAT table, is populated gradually as connections are created across the router and once these connections are closed the entries are deleted, making room for new entries.

The NAT table works differently depending on the NAT mode. This is explained in greater detail on each NAT mode's page. For now, we just need to get the feeling for this table to facilitate understanding of each NAT mode.

The larger the NAT table (which means the more memory it occupies), the more bi-directional connections it can track. This means that a NAT-enabled device with a big NAT table is able to serve more clients on the internal network than other similar devices with smaller NAT tables.

The illustration below shows you a typical table of a NAT-enabled device while internal clients are trying access resources on the Internet:

Let's explain what's happening here: The above illustration shows two requests from the private LAN, hosts 192.168.0.5 and 192.168.0.21, arriving at the NAT-enabled device's (router in this example) private interface. These packets are temporarily stored in a special area in the router's memory until small changes are made to them. In this example the router will take each packet's Source IP (which is the PC the packets have come from) value and replace it with its own Public IP (203.31.220.134).

The packets are then sent out through the Public interface to their destinations, in this case 120.0.0.2 and 124.0.0.1. In addition, before the packets leave the router, an entry is made for each packet into the router's NAT table. These entries enable the router to behave appropriately when the reply for each outgoing packet hits its Public interface.

The above example covers only one specific NAT scenario. Depending on your NAT mode, the router would have dealt with the packets in a different way. This is analysed later in each NAT mode's page but, for now, you simply need to understand what the NAT table is and the purpose it serves.

So what happens when replies come back from the Internet?

Well, strictly speaking, exactly the opposite from when they are received from the internal network and sent to the Internet:

When the reply comes back, the router will consult the NAT table, locate the correct entries and perform another change to the incoming (for the Internet) packets by replacing the "destination IP" value from 203.31.220.134 to 192.168.0.5 for the first packet, and 192.168.0.21for the second. The new packets are then sent to their destination, which are hosts 192.168.0.5 and 192.168.0.21 so the router can then delete their NAT table entries.

With most NAT devices, the NAT session limit is bound by the available memory in the device. Each NAT translation consumes about 160 bytes in the device's memory. As a result, 10,000 translations (a lot more than would normally be handled by a small router) will consume about 1.6 MB of memory. Therefore, a typical routing platform has more than enough memory to support thousands of NAT translations but in practice the story (as always) is different.

Typically on smaller Cisco routers, e.g 700, 800, 1600 series, that have an IOS with NAT capabilities, the number of NAT sessions they are able to track is around 2000 without much trouble but this also depends on the NAT mode being used. Pump that up to something like 3000 to 4000 sessions and you start having major problems as the NAT table gets too big for the router's CPU to manage. As you see, it's not only a memory issue :) This is when you start to see big delays in ping replies and eventually an exponential increase in packet loss.