Network Address Translation (NAT) is a feature that enables the translation of IPv4 addresses. It is most often used to translate private IPv4 addresses to public routable IPv4 addresses.
This feature has almost singlehandedly and vastly extended the longevity of the IPv4 protocol as the primary Network Layer protocol on the Internet, since it resolves, to a large degree, the exhaustion of the IPv4 address space.
Let’s take a closer look at what NAT is by examining the various mechanisms involved in the implementation of this feature.
Through our journey, we’ll also compare NAT with Port Address Translation (PAT), and we’ll examine the vital functionality of each.
First, let’s start with a high-level overview and comparison table of the two technologies:
NAT vs PAT Comparison Table
The following table summarizes the differences between NAT and PAT:
| | NAT | PAT |
|---|---|---|
| Description | Translates IPv4 addresses on a one-to-one basis | Translates IPv4 addresses on a one-to-many basis by leveraging Transport Layer port numbers |
| Translates | IPv4 addresses | IPv4 addresses and port numbers |
| | | Dynamic or Overloaded PAT |
| Traffic Flow | Used for both inbound and outbound traffic | Used mainly for outbound traffic (internal network to external) |
| Main Use Case | To allow access from the Internet to a corporate server (e.g. a web server) which is behind a router or firewall (using static NAT) | To allow a whole LAN subnet to access the Internet using a single public IP |
| Relationship | Superset of PAT | Subset of the general NAT technology |
A bit about terminology
Depending upon the context, the term NAT can refer to several things. First and foremost, it is an umbrella term that encompasses all NAT functionalities. NAT can be broken down into two primary components:
- Basic NAT, which performs a one-to-one translation of IP addresses. This is also called “one-to-one NAT” or simply NAT.
- Port Address Translation (PAT), which performs a one-to-many translation of IP addresses. Other names for this include IP masquerading and NAT overload. It is this particular feature that has extended the lifetime of the IPv4 address space.
Both of these are defined in RFC 2663. Both can be applied either statically or dynamically from a pool of predefined addresses.
Where does NAT take place?
NAT is a Layer 3 mechanism and is implemented within a router (or firewall device). Typically, it is performed at the edge of the network where the local enterprise LAN meets the Internet.
NAT can translate any IPv4 address to any other IPv4 address; however, as mentioned before, the most common implementation scenario is translating private, non-routable IPv4 addresses, as defined in RFC 1918, to routable public IPv4 addresses.
The private IPv4 address ranges should be familiar to most of us and are as follows:
- 10.0.0.0 – 10.255.255.255 (10.0.0.0/8)
- 172.16.0.0 – 172.31.255.255 (172.16.0.0/12)
- 192.168.0.0 – 192.168.255.255 (192.168.0.0/16)
Let’s now examine NAT and PAT and see how they operate and compare. For the remainder of this article, unless otherwise stated, when we use the term NAT, we are referring to basic NAT.
Basic NAT (Network Address Translation)
When a packet traverses a NAT-enabled router, the IPv4 addresses found within the source and destination fields can be replaced or translated to a different set of IPv4 addresses. For example, take a look at the following diagram:
Image source: Wendell Odom (2013), Cisco CCENT/CCNA ICND1 100-101 Official Cert Guide (Academic ed.), Pearson Education, Inc., p. 582
When traffic goes from the Host to the Server, it uses a source private IP address of 10.0.0.1. When the packet traverses the NAT router, that source IP address is replaced with, or translated to, the public address of 188.8.131.52.
Return traffic from the Server to the Host also gets translated, but this time, it is the destination address that is translated, from 184.108.40.206 back to 10.0.0.1.
These addresses have specific names:
- Inside local address—The IP address assigned to a host on the inside network. This is the address configured as a parameter of the computer OS or received via dynamic address allocation protocols such as DHCP.
- Inside global address—A public IP address assigned by the NIC or service provider that represents one or more inside local IP addresses to the outside world.
- Outside local address—The IP address of an outside host as it appears to the inside network.
- Outside global address—The IP address assigned to a host on the outside network by the host owner. The address is allocated from a globally routable address or network space.
On the above diagram, the following addresses correspond to each type:
- Inside local address: 10.0.0.1
- Inside global address: 150.0.1
- Outside local address: 100.10.1
- Outside global address: 100.10.1
PAT (Port Address Translation)
PAT can be used to map multiple inside local addresses to a single inside global address, thus allowing dozens or even hundreds of internal hosts to share a single routable IPv4 address.
This is achieved by leveraging TCP or UDP ports at the Transport Layer to ensure the uniqueness of each communication that takes place.
Even though the same inside global address is used for multiple hosts, a different Transport Layer port is used to distinguish between data flows. For example, take a look at the following diagram:
Image source: Wendell Odom (2013), Cisco CCENT/CCNA ICND1 100-101 Official Cert Guide (Academic ed.), Pearson Education, Inc., p. 586
Here you can see three hosts on the inside with three different IP addresses. These are translated using PAT to the same outside IP address of 220.127.116.11 but using different port numbers.
The IP address/port number combination is the unique identifier of each flow. The NAT router is smart enough to perform the appropriate translation so that each flow corresponds correctly with the appropriate host, and communications can take place successfully.
Note that in the above diagram the acronym NAPT is used, referring to Network Address and Port Translation. This is equivalent to a router performing PAT, and it goes to show how important it is to understand terms in context.
Limitations and other concerns of all types of NAT
The following are some limitations and concerns of both NAT and PAT that you should keep in mind whenever implementing these features:
- Since TCP and UDP port numbers are used to map IPv4 addresses one-to-many, only TCP and UDP traffic can be translated using PAT. However, the vast majority of network traffic is either TCP or UDP, so this limitation is not of great concern.
- NAT of all types can cause problems in the communication of some network services that use multiple streams of data, such as Voice over IP (VoIP) and FTP sessions.
- The number of translations that a router can perform depends upon its CPU and memory resources.
- Even if the router has enough CPU and memory resources, PAT has a hard limit of 65536 entries in its table at any one time for each inside global address, since it relies on port numbers, which range from 0 to 65535.
- NAT also exists for IPv6, in what is known as NAT66; however, it is not generally implemented because address space exhaustion is not an issue with IPv6, so it is simply not needed.