Although NAT might sound like the perfect answer to virtually any scenario that involves a private network with Internet connectivity, it isn't a panacea. In fact, it wouldn't be very difficult to find knowledgeable network engineers who regard NAT as akin to crabgrass or kudzu, to name a pair of human-induced agricultural disasters. NAT, by its very nature, conceals source and/or destination IP addresses. Many problems can emanate from that basic, inescapable fact. You can categorize these problems by their impact area: technical incompatibilities, scalability, and logistical challenges.
Each of these is examined briefly in the next sections.

Technical Incompatibilities

The most egregious problem is that NAT breaks any network-based application that requires end-to-end session integrity. This is a direct result of NAT's interception of inbound and outbound IP packets and rewriting their headers to achieve the desired address translation. Some of the specific technologies that are at least partially incompatible with NAT include SNMP, IPSec's authentication and encryption technologies, and the emerging Mobile IP. Many network engineers believe that NAT is directly responsible for the inability of IPSec and Mobile IP to achieve any meaningful degree of market acceptance.

Scalability

Other problems with NAT have nothing to do with technical incompatibilities. For example, NAT imposes a potentially substantial overhead on any router that supports the translation function. This overhead can be substantial enough, depending on the configuration, to prevent graceful scalability. Hardware-based appliances have appeared on the market to prevent such adverse effects on your network, but not everyone who needs to implement NAT can afford to purchase another device. Consequently, the point about NAT's impact on router performance remains valid. Another problem is that the probability of experiencing address problems increases greatly with NAT. The problem becomes worse, not better, with each additional translator you configure in your network. Think about it: The more translation devices you have in your network (ideally, you'd have one for each egress point), the more address tables you would have. Keeping them synchronized can be challenging, time-consuming, and onerous.

Logistical Challenges

There are logistical challenges, too, with a NAT network. For example, security is a double-edged sword. This chapter has treated NAT's privacy-enhancing aspect as a positive attribute. However, that capability also has a dark side.
Debugging a problem or chasing a hacker can run into a brick wall at a NAT simply because the true source IP address is hidden from destinations. Although such challenges aren't showstoppers, they are just some of the little "gotchas" that await any network administrator who must implement and use NAT. In all honesty, NAT has become an unavoidable part of the Internet technology base. Recent policy changes regarding the availability of directly registered address space (as discussed in earlier chapters) have made it all but necessary for many organizations that no longer qualify for their own address space. Regardless of how you feel about it, NAT is here to stay!
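The two security-relevant points above, that NAT rewriting breaks an end-to-end integrity check such as IPSec's AH, and that tracing a connection back past a NAT requires the translator's own mapping records, can be seen in a small simulation. This is an added example, not from the chapter; the packet model, the HMAC "tag" standing in for AH, and the Nat class with its translation log are simplifying assumptions, not real IPSec or router behaviour.

```python
import hmac
import hashlib
from dataclasses import dataclass, replace

# Assumption: a minimal packet carrying only the fields a NAT rewrites.
@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes

def ah_tag(pkt: Packet, key: bytes) -> bytes:
    """Toy stand-in for an AH-style integrity check (hypothetical format):
    an HMAC that covers the source and destination addresses, so any
    header rewrite on the path invalidates it at the receiver."""
    covered = f"{pkt.src_ip}|{pkt.dst_ip}|".encode() + pkt.payload
    return hmac.new(key, covered, hashlib.sha256).digest()

class Nat:
    """Source NAT with port translation. Each inside (ip, port) gets a
    distinct outside port, and every mapping is written to a log so the
    address the destination sees can be mapped back to the inside host."""
    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.table = {}   # (inside_ip, inside_port) -> outside_port
        self.log = []     # translation records a defender would retain

    def outbound(self, pkt: Packet, ts: str) -> Packet:
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.table:
            self.table[key] = self.next_port
            self.next_port += 1
        out_port = self.table[key]
        self.log.append(f"{ts} SNAT {pkt.src_ip}:{pkt.src_port} "
                        f"-> {self.public_ip}:{out_port}")
        return replace(pkt, src_ip=self.public_ip, src_port=out_port)

    def trace_back(self, outside_port: int):
        """Answer the question a destination-side log cannot: which inside
        host was behind public_ip:outside_port? None if no mapping exists."""
        for (ip, port), op in self.table.items():
            if op == outside_port:
                return ip, port
        return None
```

Without the NAT's translation log, a destination that records only 203.0.113.1:40000 has nothing to correlate against; retaining those records, with timestamps and ports, is what turns the "brick wall" into a lookup.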
