Network Address Translation(NAT)

What is NAT ?

IP version 4 address space

IP version 4 addresses are only 32 bit(4 byte) long, which provides 4.29 billion(2 to the power of 32 = 4,294,967,296) unique IP addresses. From early ‘90s the number of hosts on the Internet began to grow exponentially. So we could not expect to allocate a unique IP to every host(It means 4.29 billion address space not enough for give public IP address for all available hosts).

Way to solve this issue

To solve this issue NAT devices introduced. These devices would be responsible for maintaining a table mapping of local IP(private IP) and port tuples to one or more globally unique IP(public IP) and port tuples. By using this technology firewalls and routers allow multiple devices on a LAN with private IP addresses to share a single public IP address. So the private/local IP address space behind the firewall or router(in LAN) could be reused among many different networks. Network Address Translation(NAT) limits the number of public IP addresses an organization or company must use, for both economy and security purposes.

Private IP address range

Following are the available range for private IP address spaces. There are three reserved three well-known ranges for private addresses. Most often these addresses residing behind a NAT device(firewall, routers etc)

1. 10.0.0.0 - 10.255.255.255 (16,777,216 addresses)
2. 172.16.0.0 - 172.31.255.255 (1,048,576 addresses)
3. 192.168.0.0 - 192.168.255.255 (65,536 addresses)

How it works?

Consider this scenario. Laptop(private IP - 10.0.0.1) behind the router (public - IP 202.123.211.25) need to talk with the server which publicly available with 192.248.22.100 IP address.

When laptop initiates a connection with the server, the laptop will send all traffic to the NAT router first. Then NAT router replaces the source address and port (which is the device’s private IP address and port) with routers own public address and a port before passing the traffic to the destination server(192.248.22.100). This public-private address mapping details keeps on NAT table.

In this scenario laptop connects from IP 10.0.0.1 and port 8000 . Router maps this address to its public IP(202.123.211.25) and a port(24602). Router keeps this mapping details on NAT Table. When response comes from server, server delivers the response to replaced source address which is 202.123.211.25:24602. Actually its routers’ public IP address and a port). Now router checks the corresponding private address of 202.123.211.25:24602 from the NAT table. After identifying the private address (10.0.0.1:8000) router pass the response to corresponding host(which is Laptop).

NAT types

According to the NAT restrictions NATs can be divide into 4 types.

1. Full Cone
2. Restricted Cone
3. Port Restricted Cone
4. Symmetric

1. Full cone NAT

Also known as one to one NAT. It is the only type of NAT where the port is permanently open and allows inbound connections from any external host. Anyone from the public internet that wants to reach a client behind a NAT, needs only to know the mapping scheme in order to send packets to it. Following is an example scenario.

A computer behind a NAT with IP 10.0.0.1 sending and receiving on port 8000, is mapped to the external IP:port on the NAT, 202.123.211.25:8000. Anyone on the Internet can send packets to that IP:port on the NAT and those packets will be passed on to the client machine listening on 10.0.0.1:8000.

2. Restricted cone NAT

A restricted cone NAT works in the same way as a full cone NAT but applies additional restrictions based on an IP address. The internal client must first have sent packets to IP address (X) before it can receive packets from X. Following is an example scenario.

The client sends out a packet to server1(IP - 192.248.22.100). Then NAT maps the client’s 10.0.0.1:8000 to 202.123.211.25:8000. Now server1 can sends back packets to that destination. However, the NAT will block packets coming from server2(IP - 192.248.22.200), until the client sends out a packet to server2’s IP address. Once client sends a packet to server2, both server1 and server2 can send packets back to the client.

3. Port restricted cone NAT

A port restricted cone NAT acts in exactly the same way as a restricted cone NAT but applies restrictions to ports also. In this case the NAT will block all packets unless the client had previously sent out a packet to the IP AND port (In Restricted NAT its only IP address). Following is an example scenario.

If the client sends packet to 192.248.22.100:10100(both ip and port) the NAT will only allow the packets(to the client) that come from 192.248.22.131:10100. It drops the packers comes from 192.248.22.131:10200(same ip but different port).

4. NAT

All types of NAT discussed so far don’t change the source port when NATing connections. For example when a client accesses the Internet using IP 10.0.0.1 and source port 8000 NAT changes the source IP to say 202.123.211.25 but keeps the port number the same. This is known as port preservation. A symmetric NAT maps ports to new randomly generated ones. This even applies to the connections from the same client to different destinations. Following is an example scenario.

If the client sends from 10.0.0.1:8000 to server1, it may be mapped as 202.123.211.25:12345, whereas if the client sends from the same port (10.0.0.1:8000) to a different IP, it is mapped differently (202.123.211.25:45678). server1 can only respond to it’s mapping and server2 can only respond to it’s mapping. If either one tries to send to the other’s mapped IP:port, those packets will be dropped.