Network Address Translation (NAT) devices convert IP address space into globally unique IP addresses. NAT was originally specified by RFC 1631; the current specification is RFC 3022. It is common for companies to use NAT to translate internal private addresses to public addresses and vice versa, although it can also translate public IP addresses to public IP addresses.

The translation can be from many private addresses to a single public address or from many private addresses to a range of public addresses. When NAT performs a many-to-one translation, the process is called Port Address Translation (PAT) because different port numbers identify translations.

As shown in Figure 1-3, the source addresses for outgoing IP packets are converted to globally unique IP addresses. The conversion can be configured statically, or it can be done dynamically, using a global pool of addresses.

Figure 1-3 Network Address Translation

NAT has several forms:

  • Static NAT: This form maps an unregistered or private IP address to a registered IP address; it is configured manually. It is commonly used to assign a unique public address to a network device with an internal private IP address so that it can be accessed from the Internet. Hence, a static NAT is a one-to-one assignment.
  • Dynamic NAT: This form dynamically maps an unregistered or private IP address to a registered IP address from a pool (group) of registered addresses. The two subsets of dynamic NAT are overloading and overlapping:
  • Overloading: Overloading maps multiple unregistered or private IP addresses to a single registered IP address by using different ports. This is also known as PAT, single-address NAT, or port-level multiplexed NAT. The number of PAT translations is limited: because the port number is a 16-bit integer, a single registered IP address can support a maximum of 65,535 internal hosts via PAT.
    • Overlapping: Overlapping networks result when you assign an IP address to a device on your network that is already legally owned and assigned to a different device on the Internet or outside network. Overlapping networks also result when two companies, both of which use RFC 1918 IP addresses in their networks, merge. In the case of overlapping address ranges, both source and destination IPs have to undergo NAT to the nonoverlapping address ranges so that they can communicate with each other. These two networks need to communicate, preferably without having to re-address all their devices.
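The overloading (PAT) form described above is easiest to see as a translation table keyed by port. The following is an added example, not code from the source text: a small simulator of a PAT router that maps many inside local addresses onto one inside global address by allocating a distinct translated source port per flow, answers inbound packets by looking the port back up, and drops new flows once the port pool is exhausted. The class and method names, the port range, and the sample addresses are constructed for illustration.

```python
"""PAT (overloading NAT) simulation: many inside hosts, one registered address.

Added example (not from the source). The translation table, port range and
addresses are constructed assumptions used only to show the mechanism.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Flow = Tuple[str, int]  # (IP address, port)


@dataclass
class PatTranslator:
    inside_global: str               # the single registered address shared by every inside host
    port_lo: int = 1024              # hypothetical usable translated-port range
    port_hi: int = 65535
    # outbound table: (inside local IP, inside port) -> translated port on inside_global
    outbound: Dict[Flow, int] = field(default_factory=dict)
    # inbound table: translated port -> (inside local IP, inside port)
    inbound: Dict[int, Flow] = field(default_factory=dict)

    def capacity(self) -> int:
        """Maximum number of simultaneous flows this one public address can carry."""
        return self.port_hi - self.port_lo + 1

    def _allocate_port(self) -> Optional[int]:
        # Lowest free port in the pool; None when every port is already in use.
        for port in range(self.port_lo, self.port_hi + 1):
            if port not in self.inbound:
                return port
        return None

    def translate_outbound(self, src_ip: str, src_port: int) -> Optional[Flow]:
        """Rewrite the source of a packet leaving the stub domain.

        Returns (inside global address, translated port), or None if the
        port pool is exhausted, in which case a real router drops the packet.
        """
        key = (src_ip, src_port)
        if key in self.outbound:                  # existing flow keeps its mapping
            return (self.inside_global, self.outbound[key])
        port = self._allocate_port()
        if port is None:
            return None
        self.outbound[key] = port
        self.inbound[port] = key
        return (self.inside_global, port)

    def translate_inbound(self, dst_port: int) -> Optional[Flow]:
        """Map a reply addressed to inside_global:dst_port back to the inside host."""
        return self.inbound.get(dst_port)

    def release(self, src_ip: str, src_port: int) -> None:
        """Remove a flow's entry (a router does this when the translation times out)."""
        port = self.outbound.pop((src_ip, src_port), None)
        if port is not None:
            del self.inbound[port]


if __name__ == "__main__":
    nat = PatTranslator("200.100.10.100", port_lo=1024, port_hi=1026)  # tiny pool to force exhaustion
    for host in ("192.168.10.100", "192.168.10.101", "192.168.10.102", "192.168.10.103"):
        print(host, "->", nat.translate_outbound(host, 40000))
    print("reply to port 1025 goes to", nat.translate_inbound(1025))
```

With the three-port pool the fourth host gets no translation, which is the same limit the text states for the full 16-bit port space. Monitoring translation-table occupancy against `capacity()` is the practical way to spot a PAT address running out of ports before users see dropped connections.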

When designing for NAT, you should understand the following terminology:

  • Stub domain: The internal network that might be using private IP addresses.
  • Public network: The network outside the stub domain, which resides in the Internet. Addresses in the public network can be reached from the Internet.
  • Inside local address: The real IP address of the device that resides in the internal network. This address is used in the stub domain.
  • Inside global address: The translated IP address of the device that resides in the internal network. This address is used in the public network.
  • Outside global address: The real IP address of a device that resides in the Internet, outside the stub domain.
  • Outside local address: The translated IP address of the device that resides in the Internet. This address is used inside the stub domain.

Figure 1-4 illustrates the terms described in this list. The real IP address of the host in the stub network is 192.168.10.100; it is the inside local address. The NAT router translates the inside local address into the inside global address (200.100.10.100). Hosts located on the Internet have their real IP addresses (outside global addresses) translated; in the figure, 30.100.2.50 is translated into the outside local address 192.168.100.50.
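The four address roles are clearest when a packet is followed through the NAT router in both directions. The following is an added example, not code from the source text: a static NAT router that rewrites both source and destination addresses, which is also the behaviour the overlapping-network case above requires. The addresses are the ones Figure 1-4 uses (192.168.10.100 and 200.100.10.100 for the inside host, 30.100.2.50 and 192.168.100.50 for the outside host); the packet representation, class and method names are assumptions.

```python
"""Static, bidirectional NAT with the inside/outside local/global roles.

Added example (not from the source). Uses the Figure 1-4 addresses; the
Packet type and router class are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


class StaticNatRouter:
    def __init__(self, inside: Dict[str, str], outside: Dict[str, str]):
        # inside local -> inside global, and the reverse direction
        self.inside_l2g = dict(inside)
        self.inside_g2l = {g: l for l, g in inside.items()}
        # outside global -> outside local, and the reverse direction
        self.outside_g2l = dict(outside)
        self.outside_l2g = {l: g for g, l in outside.items()}
        # Static NAT is one-to-one: two locals sharing one global would be ambiguous
        if len(self.inside_g2l) != len(inside) or len(self.outside_l2g) != len(outside):
            raise ValueError("static NAT mappings must be one-to-one")

    def inside_to_outside(self, pkt: Packet) -> Optional[Packet]:
        """Packet leaving the stub domain.

        Source is an inside local address and becomes the inside global address;
        destination is an outside local address and becomes the outside global
        address. Outside hosts without an entry are reached by their real address.
        Returns None (drop) when the inside host has no static entry.
        """
        src = self.inside_l2g.get(pkt.src)
        if src is None:
            return None
        dst = self.outside_l2g.get(pkt.dst, pkt.dst)
        return Packet(src, dst)

    def outside_to_inside(self, pkt: Packet) -> Optional[Packet]:
        """Packet arriving from the Internet: the mirror image of the above."""
        dst = self.inside_g2l.get(pkt.dst)
        if dst is None:
            return None                      # no inside host owns this global address
        src = self.outside_g2l.get(pkt.src, pkt.src)
        return Packet(src, dst)


if __name__ == "__main__":
    router = StaticNatRouter(
        inside={"192.168.10.100": "200.100.10.100"},
        outside={"30.100.2.50": "192.168.100.50"},
    )
    out = router.inside_to_outside(Packet("192.168.10.100", "192.168.100.50"))
    print("on the Internet the packet reads", out)
    back = router.outside_to_inside(Packet("30.100.2.50", "200.100.10.100"))
    print("inside the stub domain the reply reads", back)
```

Note that inside the stub domain the host only ever sees 192.168.100.50 for its peer, never 30.100.2.50; this is what lets two networks with overlapping RFC 1918 ranges talk without re-addressing, and it is also why packet captures taken on each side of the router show different addresses for the same conversation.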

Figure 1-4 Terminology Example

Table 1-13 summarizes the NAT concepts. 

Table 1-13 NAT Concepts

  • Static NAT: Commonly used to assign a unique public address to a network device with an internal private IP address so that it can be accessed from the Internet.
  • Dynamic NAT: Dynamically maps an unregistered or private IP address to a registered IP address from a pool (group) of registered addresses.
  • PAT: Maps multiple unregistered or private IP addresses to a single registered IP address by using different ports.
  • Inside local address: The real IP address of a device that resides in the internal network. This address is used in the stub domain.
  • Inside global address: The translated IP address of the device that resides in the internal network. This address is used in the public network.
  • Outside global address: The real IP address of a device that resides on the Internet, outside the stub domain.
  • Outside local address: The translated IP address of a device that resides on the Internet. This address is used inside the stub domain.
