NAT (Network Address Translation)

Although there are many guides and lots of mater I believe NAT is a very important topic and understanding it is very important for advancing on the Networking-security field.
First thing we have to understand is IPv4 is very limited and about to run out (if it did not by now)
In order to last a bit longer prior changing to a new standard (IPv6) was developed a concept of "Private IP"  it's segment that is known only to the LAN there are well known segments which are reserved for this purpose only according to RFC1918 –,,
When we see an IP from one of the private subsets we can safely assume it's not "Route-able" (known only to the LAN).

It's all nice and easy till the point we need to use one of those addresses to access the internet, for example:
We have a PC with the IP of connected to a Router that has internet access and we want the PC to access some website
So a packet originating from the PC will travel up to the server and the server will not know who to send it back because he is not familiar with 192.168.x.x (only the local router Is)
The solution was to "Hide" the IP 192.168.x.x with the well known IP  of the Router (his internet IP)
In that case the packet from the PC will arrive at the router which will replace the source IP with its own and send it to the server, then the server will reply to the IP of the router,
The packet will travel back till the router which will replace the Destination IP (seeing as it's the way back) to the original one (the 192.168.x.x) and send it back to the PC.

Seems easy, now think of a network of 100 or even better 1000 devices, who can the router keep track of all the translations ..?
For this purpose there was developed a mechanism of PAT (port address translation), simply put
A table containing all the translations made by the router, the PAT table contains Source IP (the originating device) destination IP (end server) source port (random port chosen by the PC for one specific session) and destination port (decided by the server, most of the time according to the well known port's).

Up to now I spoke about the way out, but what about a scenario of a server with an internal IP, for example a Web server with an IP of
When a client will wish to establish a connection to the server he will not be able to find as it's not  a well known IP
So we have to use NAT to translate the internet IP, In this case a simple Hide NAT (like the previous scenario) may not work ( there will not be a PAT entry talking about this case), there are 2 ways creating a permanent entry, port forwarding or One to One NAT (also known by Static NAT).
Port forwarding creates an entry sais a packet with ANY source address and port going to a SPECIFIC destination address and port – will go to the internal IP with a specific port (may be changed in the moment of translation).
One to One NAT create a similar  rule, in this case it will be – a packet with ANY source IP and port going to the destination IP on ANY port – go to preset the internal IP.
In other words translate only the destination IP.
Static NAT is a good solution when there are many Port forwarding to create and more than one available internet IP.

So we discussed when we need NAT on the internal and external links, there are also times we need NOT to NAT.
Most routers purchased today not only has the NAT function but it's also enabled by default, but we may have a direct link between few sites or a VPN tunnel or even servers with internet IP's where implementing NAT can be a long unnecessary set of rules.

Hope this post was helpful, If it was please consider a donation:
BTC Address: 1CnyMpjd1RntRDxSus2hu2aDMyzL4Kj29N
LTC Address: LUqrKbzGihTU2GEnL3EwsuuLHCsxCJMdtR


Post a Comment