A Brief Overview of NAT – Network Address Translation

What is NAT and how does it ‘translate’ an address?

NAT stands for network address translation; it is a process of modifying an IP packet as it transits a network. A router or firewall sitting on the network boundary rewrites the IP information in packets that pass through it. The most common use of NAT is to translate a private address to a public address at a firewall/router that separates an intranet from the internet. As traffic originates from the internal side of the network boundary, the source IP in the packet is changed to a public IP address that is routable on the internet. Once return traffic arrives at the firewall, the NAT translation table stored on the device maps the public IP back to the private IP address, and the device forwards the packet to the internal host that requested it.

While you can do different types of NATing, the most widely used configurations are dynamic NAT and static NAT. The most common setup uses dynamic NAT for user traffic and static NAT for devices that need to exit on the same public IP address each time, such as a mail server sending mail, or if you have a device you need to access via an external address that doesn’t change over time, such as a web server.

Below are a few types of NAT:

The following two types of NAT are dynamic. Dynamic NAT uses a designated IP/range or pool of addresses that are configured on the firewall/router. As internal user traffic travels out to the internet the addresses are pulled from the pool and mapped to the private addresses. This information is stored in a NAT translations table.

One to one NAT:

This type of NAT resolves a single private address to a single unique public IP address as it passes through the firewall. This involves setting up a public NAT pool of addresses to be used in mapping to private addresses in a 1:1 ratio. This means each address on the private LAN will correspond to one particular public IP address as it exits the device performing NAT. Remember both a router and a firewall commonly perform NAT functions.

Many to one NAT/NAT Overload:

This type of NAT resolves MANY private addresses to a single unique public IP address or a small group of public IP addresses. This NAT utilizes PAT or port address translation so each translated private IP address can use the same public address, but with a unique port number to separate their traffic from others.

These two methods above only allow traffic to flow when the initial request originates from the protected internal side of the network; hosts on the internet cannot initiate connections to the inside with either type of dynamic NAT.

This is where static NAT comes in.

Static NAT:

This is a way to statically map one internal IP address to one public IP address permanently. This is done manually and is separate from dynamic NAT. It allows a privately addressed host to be assigned a permanent public IP with which to communicate on the internet. It also allows connections originating from the internet to reach the privately addressed device, via its static public mapping. This type of NAT is also required for mail servers to function properly, because if a mail server dynamically uses different public addresses to send mail, the receiving end may block it when its address changes. A static NAT must be entered in this scenario so the mail server exits the network using the same public IP address each time it sends mail.
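To make the three behaviours concrete, here is a small stateful NAT simulation. This is an added example written for this post, not code or configuration from any vendor; the hosts, the public pool and the documentation-range addresses (192.168.1.0/24 inside, 203.0.113.0/24 public, 198.51.100.0/24 remote) are constructed. It shows a one-to-one pool address being handed out, the pool running dry so later hosts overload a single public address with distinct ports (PAT), the translation table letting only return traffic back in, and a manual static mapping that is reachable from the outside and always exits on the same public IP.

```python
from dataclasses import dataclass
from itertools import count


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatDevice:
    """Toy router/firewall performing NAT (constructed example).

    Outbound translation order:
      1. static NAT  - permanent one-to-one mapping, also reachable from the internet
      2. dynamic 1:1 - a public address pulled from the pool, one per inside host
      3. overload    - pool exhausted, so share overload_ip and rewrite the port (PAT)
    """

    def __init__(self, pool, overload_ip, static):
        self.pool = list(pool)              # free public addresses for dynamic 1:1 NAT
        self.overload_ip = overload_ip      # single public address shared via PAT
        self.static = dict(static)          # inside_ip -> public_ip, entered manually
        self.static_rev = {pub: inside for inside, pub in self.static.items()}
        self.dynamic = {}                   # inside_ip -> public_ip taken from the pool
        self.next_port = count(1024)        # PAT port allocator
        self.pat = {}                       # (inside_ip, inside_port) -> public_port
        # Translation table: (public_ip, public_port, remote_ip, remote_port) -> inside endpoint
        self.sessions = {}

    def outbound(self, pkt):
        """Rewrite the source of a packet leaving the inside network."""
        inside = (pkt.src_ip, pkt.src_port)
        if pkt.src_ip in self.static:
            pub_ip, pub_port = self.static[pkt.src_ip], pkt.src_port
        elif pkt.src_ip in self.dynamic:
            pub_ip, pub_port = self.dynamic[pkt.src_ip], pkt.src_port
        elif self.pool:
            pub_ip = self.pool.pop(0)
            self.dynamic[pkt.src_ip] = pub_ip
            pub_port = pkt.src_port
        else:
            pub_ip = self.overload_ip
            if inside not in self.pat:
                self.pat[inside] = next(self.next_port)
            pub_port = self.pat[inside]
        # Record the flow so that only its return traffic is allowed back in.
        self.sessions[(pub_ip, pub_port, pkt.dst_ip, pkt.dst_port)] = inside
        return Packet(pub_ip, pub_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Translate a packet arriving from the internet; None means it is dropped."""
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if key in self.sessions:
            inside_ip, inside_port = self.sessions[key]
            return Packet(pkt.src_ip, pkt.src_port, inside_ip, inside_port)
        if pkt.dst_ip in self.static_rev:
            # Static NAT: connections may originate from the internet.
            return Packet(pkt.src_ip, pkt.src_port, self.static_rev[pkt.dst_ip], pkt.dst_port)
        return None


def demo():
    """Walk through dynamic 1:1, overload and static NAT; all addresses are constructed."""
    nat = NatDevice(pool=["203.0.113.10"], overload_ip="203.0.113.1",
                    static={"192.168.1.25": "203.0.113.25"})  # 192.168.1.25 plays the mail server
    results = {}
    # Dynamic 1:1 - the first host takes the only pool address, port unchanged.
    a = nat.outbound(Packet("192.168.1.10", 50000, "198.51.100.5", 443))
    results["one_to_one"] = (a.src_ip, a.src_port)
    # Pool exhausted - the next hosts overload 203.0.113.1 with distinct ports (PAT).
    b = nat.outbound(Packet("192.168.1.11", 50000, "198.51.100.5", 443))
    c = nat.outbound(Packet("192.168.1.12", 50000, "198.51.100.5", 443))
    results["overload"] = [(b.src_ip, b.src_port), (c.src_ip, c.src_port)]
    # Return traffic for b is mapped back through the translation table.
    ret = nat.inbound(Packet("198.51.100.5", 443, b.src_ip, b.src_port))
    results["return_b"] = (ret.dst_ip, ret.dst_port)
    # Unsolicited traffic to a dynamically mapped address is dropped ...
    results["unsolicited_dynamic"] = nat.inbound(Packet("198.51.100.9", 40000, "203.0.113.10", 22))
    # ... but the static mapping is reachable from the internet and always exits on the same IP.
    results["unsolicited_static"] = nat.inbound(Packet("198.51.100.9", 40000, "203.0.113.25", 25)).dst_ip
    m = nat.outbound(Packet("192.168.1.25", 40001, "198.51.100.7", 25))
    results["mail_exit"] = m.src_ip
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The inbound path checks the translation table before the static table, which is what makes the dynamic mappings one-way: a packet that does not match a recorded outbound flow is dropped unless a static entry exists for its destination.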

Also, one thing to be aware of, though we won’t cover the various ways it can be performed, is NAT traversal. Certain things do not work well with NAT; therefore, there are mechanisms in place to work around it. For example, IPsec VPN doesn’t work well with NAT because IKE and tunnel negotiation use specific ports to contact security gateways (firewalls/VPN concentrators). NAT translates IPs and ports (PAT), and this causes problems for things like IKE which require a specific port to talk on. This is why most home routers have IPsec pass-through, port forwarding, etc. to allow it to work, since most PCs at home sit behind a NAT device. Many PCs, wireless routers, etc. have default settings that allow for NAT traversal (NAT-T) to remedy this issue so it’s not noticed.

To follow up on other posts that involve setting up NAT on a firewall check out the post titled “Basic Cisco ASA firewall setup
