5.1 Introduction to NAT

Another very interesting topic is NAT. NAT stands for Network Address Translation and is usually present in every router as a service. So what is it and why is it needed?

NAT is a point by which local networks can be connected to global networks, such as the Internet, for example.

As you already know, on local networks all computers (and other devices connected to the network) have their own local IP addresses. In order to exchange data with a server on the Internet, our computer must be able to send a request to the server, and the server must be able to send us a response. But where should it send the response if our IP address is unknown outside of our local network?

Imagine that you are writing a paper letter to Donald Trump. Trump is a public figure, there is only one of him: this is our public server. And you give "Masha" as the return address on the letter. There are a lot of Mashas. Which Masha should the answer be sent to?

So you send the letter to your acquaintance in Washington, also a public figure, with strict instructions to pass it on to Trump. Your friend receives the letter, sends it to Trump, and gives his own Washington address as the return address.

Then, after receiving a response from Trump, the acquaintance forwards it to you. Same with IP packets...

To allow a device with a private IPv4 address to access devices and resources outside the local network, the private address must first be changed to a public address.

That is exactly what NAT does: it translates private addresses into public ones. This allows a device with a local IP address to access resources outside of its private network. NAT, combined with private IP addresses, has proven to be a useful method of conserving public IPv4 addresses.

There are 8 billion people in the world, and there are already many more network devices: phones, laptops, smart watches, servers, any smart devices. And there are only 4 billion IP addresses. It used to seem like a lot, but with the rapid growth of the Internet, it became clear to everyone that this was not enough.

Here NAT comes to the rescue: one public IPv4 address can be used by hundreds, even thousands of devices, each of which has a local IPv4 address. NAT has the added benefit of adding a degree of privacy and security to a network because it hides internal IPv4 addresses from external networks.

5.2 Subnets in NAT

LANs are usually designed with private IP addresses. These are addresses from the private subnets 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16. These IP addresses are used internally by an organization or site to allow devices to communicate locally; they are not routable on the Internet.

NAT-enabled routers can be configured with one or more valid public IPv4 addresses. These public addresses are called a NAT pool.

When a device on the internal network sends traffic from the network to the outside, the NAT-enabled router translates the internal IP address of the device to the public IP address from the NAT pool. To external devices, all traffic in and out of the network appears to have a public IP address.

A NAT router usually operates at the edge of a stub network. A stub network is a term from network theory: a network that has only one connection to a neighboring network, that is, a single entry and exit point.

When a device inside the stub network wants to communicate with a device outside its network, the packet is forwarded to the router, which performs the NAT process, translating the device's internal private address to a public, external, routable address.

5.3 NAT terminology

In NAT terminology, the internal (inside) network is the set of subnets whose addresses are to be translated. The external (outside) network refers to all other networks.

When using NAT, IP addresses have different designations based on whether they are on a private network or on a public network (on the Internet) and whether the traffic is incoming or outgoing.

NAT includes four types of addresses:

  • Internal local address (Inside local address);
  • Internal global address (Inside global address);
  • External local address (Outside local address);
  • External global address (Outside global address).

When determining which type of address is being used, it is important to remember that NAT terminology is always applied from the point of view of the device with the translated address:

  • Internal address (Inside address) - the address of the device that is translated by NAT;
  • External address (Outside address) - the address of the destination device;
  • Local address - any address that appears on the inside of the network;
  • Global address - any address that appears on the outside of the network.

Let's look at this with a diagram example.

The computer in the picture on the left has an internal local (Inside local) address 192.168.1.5, and from its point of view the web server has an external (outside) address 208.141.17.4. When data packets are sent from the computer to the global address of the web server, the internal local (Inside local) address of the PC is translated to 208.141.16.5 (Inside global). The external device's address is usually not translated because it is already a public IPv4 address.

It is worth noting that the computer effectively has two addresses, a local and a global one, while the web server has a single public IP address. From the web server's point of view, the traffic that originates from the computer comes from the internal global address 208.141.16.5. The NAT router is the separation point between the internal and external networks, and between local and global addresses.

The terms inside and outside are combined with the terms local and global to refer to specific addresses. In the figure, the router is configured to provide NAT and has a pool of public addresses to assign to internal hosts.

5.4 Packet path

If you are already tired, then go to the next lecture. If you're still interested, then welcome further down the wormhole.

The figure below shows how traffic is sent from an internal computer to an external web server through a NAT-enabled router, sent out, and relayed back.

Router NAT table (addresses from the figure, PC on the left, web server on the right):

  Inside Global   Inside Local   Outside Local   Outside Global
  208.141.16.5    192.168.1.5    208.141.17.4    208.141.17.4

Inside local address - the source address as seen from the internal network. In the figure, the address 192.168.1.5 is assigned to the computer; this is its internal local address.

Inside global address - the source address as seen from the outside network. In the figure, when traffic from the computer is sent to the web server at 208.141.17.4, the router translates the inside local address to the inside global address. In this case, the router changes the IPv4 source address from 192.168.1.5 to 208.141.16.5.

Outside global address - the address of the destination as seen from the outside network. This is a globally routable IP address assigned to a host on the Internet. In the diagram, the web server is available at 208.141.17.4. Most often, the outside local and outside global addresses are the same.

Outside local address - the recipient's address as seen from the internal network. In this example, the computer sends traffic to the web server at 208.141.17.4.

Now let's look at the entire packet path. The computer with the address 192.168.1.5 is trying to communicate with the web server 208.141.17.4. When the packet arrives at the NAT-enabled router, the router reads the packet's source IP address to determine whether the packet matches the criteria specified for translation. In this example, the source address matches the criteria and is translated from 192.168.1.5 (Inside local address) to 208.141.16.5 (Inside global address).

The router adds this local-to-global address mapping to the NAT table and sends the packet with the translated source address to the destination. The web server responds with a packet addressed to the PC's inside global address (208.141.16.5).

The router receives the packet with destination address 208.141.16.5 and checks the NAT table for an entry for that mapping. Using this entry, it translates the inside global address (208.141.16.5) back to the inside local address (192.168.1.5) and forwards the packet towards the PC.
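The packet path just described, as an added illustration that is not part of the original lecture: a small model of a NAT router with a pool of public addresses. It applies the translation criterion from section 5.2 (only sources inside the private subnets are translated), records the local-to-global mapping on the first outbound packet, translates the reply back using that entry, and shows what happens to an inbound packet for which no entry exists. The second pool address and the outside address 203.0.113.9 are constructed values.

```python
import ipaddress

# Private (RFC 1918) subnets from section 5.2: only packets whose source
# address lies inside one of them are candidates for translation.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


class NatRouter:
    """One-to-one NAT using a pool of public (inside global) addresses."""

    def __init__(self, pool):
        self.free = [ipaddress.ip_address(a) for a in pool]  # unused inside global addresses
        self.table = {}  # NAT table: inside local -> inside global

    def outbound(self, src, dst):
        """Packet leaving the stub network. Returns (src, dst) as seen on the
        outside, or None when the source does not match the translation criteria."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if not any(src in net for net in PRIVATE_NETS):
            return None  # already a public source address: nothing to translate
        if src not in self.table:
            if not self.free:
                raise RuntimeError("NAT pool exhausted")
            self.table[src] = self.free.pop(0)  # add local-to-global mapping
        return str(self.table[src]), str(dst)

    def inbound(self, src, dst):
        """Reply arriving from the outside. The inside global destination is looked
        up in the NAT table and translated back to the inside local address.
        Without a matching entry the router has nowhere to deliver the packet."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for local, glob in self.table.items():
            if glob == dst:
                return str(src), str(local)
        return None  # unsolicited inbound packet: no mapping, dropped


def walk_page_example():
    """Replays the exchange from the figure: PC 192.168.1.5 -> web server 208.141.17.4."""
    nat = NatRouter(["208.141.16.5", "208.141.16.6"])  # constructed pool; first entry from the text
    out = nat.outbound("192.168.1.5", "208.141.17.4")  # source rewritten to 208.141.16.5
    back = nat.inbound("208.141.17.4", out[0])         # reply translated back to 192.168.1.5
    stray = nat.inbound("203.0.113.9", "208.141.16.6") # constructed packet with no table entry
    return out, back, stray


if __name__ == "__main__":
    print(walk_page_example())
```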

5.5 Advantages and disadvantages of NAT

The NAT service is a very powerful solution that is used everywhere. NAT provides many benefits including:

  • NAT maintains a registered addressing scheme, providing flexible LAN operation. With NAT, internal hosts can share one public IP address for all external communications. This type of configuration requires very few external addresses to support many internal hosts.
  • NAT increases the flexibility of Internet connections. Multiple pools, backup pools, and load balancing pools can be implemented to provide reliable public network connections.
  • NAT provides consistency for the network's internal addressing scheme. On a network that does not use private IP addresses and NAT, changing the public IP address scheme requires readdressing every host on the existing network, and the cost of readdressing hosts can be significant. NAT allows the existing private IPv4 addressing scheme to remain in place while the public addressing scheme can be changed easily. This means that an organization can change providers without changing any of its internal clients.
  • NAT provides some network security. Because private networks do not advertise their addresses or internal topology, they remain reasonably secure when used in conjunction with NAT to gain controlled external access. However, you need to understand that NAT does not replace a firewall.

But NAT has some disadvantages. The fact that hosts on the Internet appear to be talking directly to the NAT-enabled device rather than to the actual host inside the private network creates a number of problems:

  • One of the disadvantages of using NAT has to do with network performance, especially for real-time protocols such as VoIP. NAT increases switching delays because the translation of each IP address in the packet headers takes time.
  • Another disadvantage of using NAT is that end-to-end addressing is lost. Many Internet protocols and applications rely on end-to-end addressing from source to destination, and some applications do not work with NAT. Applications that use IP addresses rather than a qualified domain name fail to reach destinations that are translated through a NAT router. This can sometimes be avoided by implementing static NAT mappings.
  • End-to-end IPv4 tracing is also lost. It is more difficult to trace packets that undergo multiple packet address changes over multiple NAT hops, making troubleshooting difficult.
  • The use of NAT also makes tunneling protocols such as IPsec difficult, because NAT changes values in headers that interfere with the integrity checks performed by IPsec and other tunneling protocols.
  • Services that require TCP connections to be initiated from the external network, or stateless protocols such as those using UDP, may be broken. If the NAT router is not configured to support these protocols, incoming packets cannot reach their destination.