Network Address Translation (NAT)

NAT was developed to address a couple of concerns. First, the number of public IP addresses available on the Internet was becoming depleted. Second, because of the interconnectivity of networks, it was possible for an administrator to assign a set of IP addresses to a network that someone else might be using. This is a common situation when two companies and their respective networks are combined. NAT addresses these two concerns by providing a mechanism by which any number of IP addresses can be translated to a different range of IP addresses, or in some cases a single or smaller range of IP addresses.

To address the limitation of available IP addresses NAT can be used to translate hundreds or even thousands of IP addresses to just a couple of IP addresses or even a single IP address, thereby allowing a company to provide Internet access to their hosts without needing to allocate thousands of IP addresses on the Internet to do so. To address the issue of invalid networks, or in many cases duplicate networks, NAT can be used to allow each network to appear as a completely different network. Figure 3-13 illustrates the process of NAT and Internet connectivity.

In this example, when Host A attempts to access the Internet, the firewall translates the request from having a source address of 10.1.1.100 to having a source address of 209.165.201.10 and transmits the data across the Internet. The firewall then stores this translation in its translation table so that it knows how to deal with the return traffic. When host B receives the data, it thinks it is communicating with 209.165.201.10 and addresses the return traffic accordingly. When the firewall receives the return traffic, it refers back to its translation table and determines that the traffic should be delivered to 10.1.1.100. The firewall repackages the packet, this time changing the destination IP address to be 10.1.1.100 and transmits it accordingly. In doing so, hosts A and B can communicate with each other, for all intents and purposes completely unaware that NAT is occurring.

Because NAT effectively hides the actual IP addresses that are in use, many networks have elected to use it in conjunction with private IP addresses. Private IP addresses are defined in RFC 1918 and are a predefined set of IP addresses that cannot be used on the Internet and therefore are referred to as being nonroutable. Because NAT prevents Internet-connected hosts from being able to ascertain what IP address is being used behind a NAT router, organizations have elected to implement the private IP addresses so that they can pretty much do whatever they want with them without concern with how they may interact with the Internet or other networks. The RFC 1918 IP addresses are as follows:

• 10.0.0.0/8

• 176.16.0.0/12

• 192.168.0.0/16

Note

RFC 3022 and RFC 2663 define NAT.

NAT Implementations

There are four primary NAT implementations. They all accomplish the same function, the translating of traffic from one IP address to another, but they go about the translation process in different manners. They are as follows:

• Static NAT Static NAT is sometimes referred to as traditional NAT, and refers to the mapping of one IP address to another IP address. Consequently, static NAT implementations require the same number of IP addresses as need to be translated. For this reason, static NAT is not an effective method of saving the number of IP addresses required for access to a network or the Internet.

• Dynamic NAT Dynamic NAT functions in a similar fashion to static NAT, but instead of each IP address having a one-to-one translation, a dynamic pool of IP address can be used for the translation. Doing so enables you to reduce the number of IP addresses in use because the pool of addresses can be smaller than the total number of IP addresses that must be translated.

• Port Address Translation Whereas static and dynamic NAT perform a translation from IP address to another, Port Address Translation (PAT) allows for the translation of a number of IP addresses to a single IP address. This is done by translating requests by TCP or UDP port. The translating router or firewall builds a NAT table, but instead of assigning an IP address for the outbound communications, it assigns a port number. When the response comes back to that port number, the translating router or firewall reverses the process.

• Bidirectional NAT In most cases, NAT is used to translate data in a single direction, typically from an internal or protected network to an external or unprotected network. Bidirectional NAT provides for the use of NAT regardless of the direction of the traffic flow.

NAT and IPsec: The Issues and the Solutions

Although NAT works in most cases, not all traffic can be successfully translated (in particular, when the original data cannot be manipulated, such as the case with IPsec). The reason for this is that the NAT process actually changes the data packet while it is being translated. Because of the nature of IPsec, when the data packet is rebuilt using NAT, the receiving router detects that the data has been changed (the source IP address is no longer the correct source IP address) and discards the packet. To address this, a process known as NAT traversal (NAT-T) has been developed.

NAT-T encapsulates the complete IPsec packet into either a TCP or UDP packet, which is then translated accordingly. By doing this, the traffic can be translated as required without the original IPsec data being changed. Figure 3-14 illustrates the encapsulation process and subsequent NAT.

Figure 3-14. NAT-T Encapsulation

Note

RFC 3947 and RFC 3948 define NAT-T.