NAT

NAT (Network Address Translation) is a mechanism in TCP/IP networks that rewrites the IP addresses in packets as they pass through a router. It is also known as:

  • IP Masquerading
  • Network Masquerading
  • Native Address Translation

Why is it needed?

  1. Saving IP addresses: The main reason NAT appeared was the shortage of IPv4 addresses. NAT allows an entire local network with many devices to access the internet using only one public IP address.
  2. Security: NAT hides the internal network structure. From the external internet, only the router’s public addresses are visible, not the specific IP addresses of computers inside the network. This makes attacks against internal hosts more difficult.
  3. Ease of administration: It allows changing the provider or internal addressing scheme without reconfiguring every device in the network.

Types of NAT

1. Static NAT

One internal unregistered (private) IP address is mapped to one external registered (public) IP address. The ratio is 1:1.

It is usually used for servers inside a network that must be permanently accessible from outside, such as a web server or mail server.

2. Dynamic NAT

An internal private IP address is mapped to the first available public IP address from a predefined pool of public addresses.

If the pool of public addresses runs out, new devices will not be able to access the internet until someone else releases an address. The ratio is M:N.

3. PAT (Port Address Translation / NAT Overload)

The most common type of NAT, and the one usually used in home routers. Many internal private IP addresses are mapped to one public IP address, but different port numbers are used to distinguish sessions. The ratio is M:1.

  • How it works: The router remembers which internal IP and port initiated a connection and assigns this session a unique port number on its external interface.

NAT operation diagram

How the process works

  1. Outgoing packet: A device (192.168.1.10) sends a request to the internet. The router receives the packet, replaces the internal IP with its public one (for example, 1.1.1.1), and writes the mapping to the translation table: Internal IP:port <-> Public IP:unique_port.
  2. Response: When a response from the internet arrives at the router’s public IP, the router looks in the translation table, finds the corresponding unique port, and forwards the data to the specific device on the local network.
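To make the two steps concrete, here is a small simulation of a PAT translation table. It is an added example, not code from the original page; the addresses 192.168.1.10 and 1.1.1.1 come from the text, while the tiny external port pool, the second internal host and the source port 5000 are constructed values chosen so that port collisions and pool exhaustion can be shown.

```python
# Added example: a minimal PAT (NAT overload) translation table.
# Assumptions (constructed): a four-port external pool so that exhaustion
# is easy to reach; real routers use thousands of ports and age entries out.
from dataclasses import dataclass, field

PUBLIC_IP = "1.1.1.1"          # public address taken from the text


@dataclass
class PATTable:
    public_ip: str = PUBLIC_IP
    port_range: range = range(40000, 40004)     # constructed, tiny pool
    # (internal_ip, internal_port, proto) -> unique external port
    outbound: dict = field(default_factory=dict)
    # (external_port, proto) -> (internal_ip, internal_port)
    inbound: dict = field(default_factory=dict)

    def translate_out(self, src_ip, src_port, proto="tcp"):
        """Step 1, outgoing packet: record the session and return the
        rewritten source (public IP, unique external port)."""
        key = (src_ip, src_port, proto)
        if key in self.outbound:                  # existing session: reuse
            return self.public_ip, self.outbound[key]
        used = {port for (port, pr) in self.inbound if pr == proto}
        for ext_port in self.port_range:          # first free external port
            if ext_port not in used:
                self.outbound[key] = ext_port
                self.inbound[(ext_port, proto)] = (src_ip, src_port)
                return self.public_ip, ext_port
        # Every external port is in use: the new session cannot be translated.
        raise RuntimeError("translation table full: no free external port")

    def translate_in(self, dst_port, proto="tcp"):
        """Step 2, response: look up the unique port. None means no internal
        host opened this session, so the unsolicited packet is dropped rather
        than forwarded into the LAN (the 'hiding' effect described above)."""
        return self.inbound.get((dst_port, proto))


if __name__ == "__main__":
    nat = PATTable()
    # Two internal hosts both use source port 5000; PAT keeps them apart.
    print(nat.translate_out("192.168.1.10", 5000))   # ('1.1.1.1', 40000)
    print(nat.translate_out("192.168.1.11", 5000))   # ('1.1.1.1', 40001)
    print(nat.translate_in(40001))                   # ('192.168.1.11', 5000)
    print(nat.translate_in(40002))                   # None: no session
```

Note that the lookup key includes the protocol, so a UDP packet arriving on a port that only a TCP session reserved is not forwarded either.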

Advantages and disadvantages

Pros:

  • Allows the use of private address ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16).
  • Reduces the likelihood of port scanning against internal machines.

Cons:

  • Complexity for some protocols: Protocols that transmit IP addresses inside the payload (for example, FTP or SIP/VoIP) may work incorrectly without additional mechanisms such as an Application Layer Gateway (ALG).
  • Resource costs: The router needs to spend memory and CPU time storing and processing the translation table.
  • Violation of the End-to-End principle: NAT breaks the direct connection between nodes, which complicates the operation of P2P networks and some types of VPN.