NAT (Network Address Translation)

NAT (Network Address Translation) in Dictionary

According to abbreviationfinder, NAT stands for Network Address Translation).

Advantages of NAT

The use of NAT has several advantages: The first and most obvious, the great saving of IPv4 addresses that it entails, let us remember that we can connect multiple machines on a network to the Internet using a single public IP address.

Security. Machines connected to the network via NAT are not visible from the outside, so an external attacker would not be able to figure out whether or not a machine is connected to the network. Network maintenance. It would only be necessary to modify the forwarding table of a router to divert all traffic to another machine while maintenance tasks are carried out.

Disadvantages of NAT

Let us remember that NAT is only a patch, not a solution to the real problem, therefore it also has a series of disadvantages associated with its use: TCP and UDP checksums: The router has to recalculate the checksum of each packet it modifies. So more computing power is needed. Not all applications and protocols support NAT. There are protocols that introduce the source port within the data zone of a packet, so the router does not modify it and the application does not work correctly.

NAT Principle

Network address translation or NAT was developed to solve the lack of IP addresses with the IPv4 protocol (within a short time the IPv6 protocol will solve this problem). In fact, in IPv4 addresses, the number of routable IP addresses (which are unique in the world) is not enough to allow all the computers that require it to be connected to the Internet.

Therefore, the principle of NAT is to use a gateway connection to the Internet, having at least one network interface connected to the internal network and at least one network interface connected to the Internet (with a routable IP address) in order to connect all computers to the network.

It is a matter of creating, at the gateway level, a conversion of packets from the internal network to the external network. Therefore, each computer on the network that needs Internet access is configured to use a NAT gateway (by specifying the IP address of the gateway in the field

” Gateway ” with its TCP/IP parameters). When a network computer sends a request to the Internet, the gateway makes the request for it, receives the response, and sends it to the computer that made the request. Because the gateway completely hides internal addresses on the network, the network address translation mechanism provides a secure function. In fact, to an outside observer on the network, all requests appear to come from the gateway IP address.

Address space

The organization that manages the public address space (routable IP addresses) is the Internet Assigned Number Authority (IANA). RFC 1918 defines a private address space that allows any organization to assign IP addresses to computers on its internal network without risking conflict with a public IP address assigned by the IANA. These so-called non-routable addresses correspond to the following series of addresses:

  • Class A: from to;
  • Class B: from to;
  • Class C: from to

All computers on an internal network, connected to the Internet through a router and that do not have a public IP address, must use an address that is within these series. For small home networks, the address range between and is generally used.

Static conversion

The principle of static NAT is to bind a public IP address to a private internal IP address on the network. Therefore, the router (or more precisely the gateway) allows a private IP address (for example to be linked with a public routable IP address on the Internet and performs the conversion, on any address, by changing the address in the IP packet.

Therefore, static network address translation allows computers on an internal network to be transparently connected to the Internet, but it does not solve the problem of missing addresses, since n routable IP addresses are needed to connect n computers. to the internal network.

Dynamic conversion

Dynamic NAT allows multiple computers with private addresses to share a routable IP address (or a small number of routable IP addresses). So seen from the outside, all the computers on the internal network practically have the same IP address. This is why the term “IP masquerading” is sometimes used to mean dynamic network address translation.

In order to “multiplex” (share) the different IP addresses into one or more routable IP addresses, dynamic NAT uses Port Address Translation (PAT), that is, assigning a different source port to each request, so that a correspondence can be maintained between the requests that come from the internal network and the responses from the computers on the Internet, all sent to the IP address of the router.

Port enablement

Network address translation only allows requests from the internal network to the external network, making it impossible for an external computer to send a packet to a computer on the internal network. In other words, the computers on the internal network cannot function as a server with respect to the external network.

For this reason, there is a NAT extension called “port forwarding” or port mapping which consists of configuring the gateway to send all packets received on a particular port to a specific host on the internal network. Therefore, if the external network needs to access a Web server (port 80) running on a machine, it will be necessary to define a port forwarding rule on the gateway, which will redirect all received TCP packets on port 80 to team

Port triggering

Most client-server applications make a request through a remote host on a given port and in turn open a port to retrieve the data. However, certain applications use more than one port to exchange data with the server. This is the case, for example, with FTP, for which a connection is established on port 21, but the data is transferred on port 20. Thus, with NAT, after a connection request on port 21 from a remote FTP server, the gateway expects a connection on only one port and will reject the connection request on port 20 from the client. There is a mechanism derived from NAT called “port triggering” that allows the connection to certain ports (port release) to be authorized if a condition (request) is fulfilled.

Therefore, it is a conditional port forwarding that allows a port to be opened only when requested by an application. In this way, the port does not remain permanently open.

NAT (Network Address Translation)