There are currently more than 350 million Internet users and an estimated 100 million hosts, a figure that will grow exponentially in the future. Luckily, NAT allows multiple client requests over a single private IP address. But what is NAT?

NAT refers to Network Address Translation. It has been developed for IP address conservation, enabling private IP networks that use unregistered IP addresses to correctly connect to the Internet. IP, meaning Internet Protocol, governs how packets are distributed over a network.

NAT has been originally developed to conserve public Internet address space, which expanded significantly as the number of computers connected to the Internet expanded at the end of last millennium. As a result, internet providers quickly exhausted the available supply of IP addresses, which threatened limit the growth of the internet, something that seems unfathomable today. Therefore, NAT was developed as the primary means to conserve IP addresses.

NAT operating on a router, connects two networks together, translating private addresses within the internal network into legal addresses, before forwarding packets to another network. NAT can be configured to show external users simply one address for the entire network to the outside world. It therefore offers extra security by concealing the entire internal network behind the given address.

NAT provides both security and address conservation and is usually applied to remote-access environments. By mapping the private IP addresses of all devices to the single public IP address, NAT enables computers on a local network to share one common outbound connection.

How Does NAT Work?

Essentially, NAT enables a single device, such as a router, to act as an agent between the Internet (a public network), and a local network (a private network), meaning that only a single unique IP address is necessary to represent an entire group of computers to outside users.

By reviewing the content of incoming and outgoing IP messages, NAT adjusts the source or destination address in the IP protocol header and the corresponding checksums – digits that represent the sum of correct digits in a string of stored or transmitted digital data that can be compared to detect data errors – to reproduce the configured address mapping.

Network Address Translation can support both fixed and dynamic mappings of one or more internal and external IP addresses. When external computers on the Internet access computers within a local network, they will only see the IP address of the router, which adds an additional level of security, since routers can be configured as firewalls, only permitting authorized systems to access computers within a network.

NAT types

Network Address Translation is categorized into two general types:

  • Static NAT allows a private IP address to be mapped to a public IP address, where the public address will always be the same IP address, meaning a static address, which enables an internal host to use an unregistered private IP address over the Internet.
  • Dynamic NAT allows a private IP address to be mapped to a public IP address by selecting from a pool of registered public IP addresses. Usually, the NAT router in a network will maintain a table of registered IP addresses, and when a private IP address demands access to the Internet, the router will select an IP address from the table that is not simultaneously being used by another private IP address.Dynamic NAT allows the network to be secured since it masks the internal configuration of a private network and blocks users from outside the network in order to screen individual usage patterns. An advantage of dynamic NAT is that it permits a private network to use private IP addresses that are not valid on the Internet but valuable as internal addresses.

NAT gateways lie between the inside network and the outside network. Systems on the internal network are generally assigned IP addresses that cannot be redirected to external networks, however, several externally valid IP addresses will be designated to the gateway.

The gateway, which makes outbound traffic from an inside system appear to be arriving from a valid external address, takes incoming traffic intended for a valid external address and delivers it to the correct internal system.

This system enhances security by redirecting each outgoing or incoming request through a translation process that allows incoming streams to be qualified or authenticated and then matched to outgoing requests.

What Problems Does NAT Solve?

problem solving

After answering what is NAT – we can look at the problems it solves. The primary purpose of Network Address Translation is to increase the number of computers that can operate on a single public IP address and to hide the private IP addresses of hosts on a LAN.

Network Address Translation can have many benefits and a few drawbacks. Benefits include the following:

  • It has reduced the exhaustion of IPv4 addresses by using private addressing and assigning fewer IP addresses to networks using the internet.
  • It has enabled inside local networks to be addressed, thereby enhancing flexibility by allowing private IP addressing to be implemented in any organization.
  • It has enhanced network security since private IP addresses cannot be used on the Internet, therefore, data on private networks cannot be seen unless an attacker has access to the private network.

The drawbacks of Network Address Translation include the following:

  • It reduces network performance since switching delays can result in the translation of IP addresses in packet headers.
  • It may modify values needed by a virtual private network (VPN) making it difficult for these protocols to work.

Why VPN Is Vital?

A VPN allows a private network to reach across a public network, enabling users to both send and to receive data across shared or public networks as if they were directly connected to the private network. Applications operating across a VPN can take advantage of the functionality, security, and management of a private network.

VPN technology was created to enable remote users and other offices to securely access corporate systems as well as other resources. Data is delivered through secure tunnels to enhance security, while VPN users use authentication – such as passwords or differentiated identification methods – to access the VPN.

Also, Internet users can secure transactions with a VPN in order bypass geo-restrictions and censorship, or to connect to proxy servers to safeguard personal identity and location and remain anonymous on the Internet.

Some Internet sites, however, block access to VPN technology in order to prevent the dodging of geo-restrictions. In turn, many VPN providers have been designing strategies to avoid these roadblocks.

VPN offers a means to execute network address translation, known as VPN NAT.

What is VPN NAT?

check mark badge

VPN NAT is different from conventional NAT in that it translates addresses before applying protocols. VPN NAT executes address translation prior to the SA validation by designating an address to a connection when the connection begins. The address will remain associated with the connection until the connection is ended.

It is necessary for VPN users to be aware of NAT since it can keep a VPN client from making a connection from a private IP address.

Also, given that NAT does not work with protocols that use encryption, a VPN solution that involves a Network Address Translation can complicate a VPN implementation.

There are two different types of VPN NAT:

1.      A VPN NAT that prevents IP address conflicts

This type of VPN NAT allows users to avoid possible IP address conflicts when configuring a VPN connection between networks or systems with similar address structures.

For example, when two companies want to create VPN connections using a designated private IP address range. For example, 10.*.*.*.

This type of VPN NAT must be configured based on whether the system is the initiator or the responder to the VPN connection.

If the system is the connection initiator, the local addresses can be translated into addresses that are compatible with the VPN connection partner’s address.

If the system is the connection responder, the VPN partner’s remote address can be translated into addresses that are compatible with the local address structure scheme.

This type of address translation should only be configured for dynamic connections.

2.      A VPN NAT for hiding local addresses

This type of VPN NAT allows users to hide the real IP address of the local system by translating the address into a different address that is made publicly available.

When the VPN NAT is configured, the user can indicate that each publicly available IP address will be translated to a pool of hidden addresses, allowing the traffic load to be balanced for individual addresses over multiple addresses.

VPN NAT for local addresses requires that the system act as the responder for its connections.

Final thoughts

Originally seen as a solution to combat IPv4 depletion, Network Address Translation now is vital for security and administration. Dynamic NAT automatically enables firewall-style protection between the internal network and the outside networks or the Internet. By only allowing connections from inside the stub domain, NAT prevents outside users from connecting to an internal FTP server.

Though some internal services can be made available to the outside world via Static NAT or inbound mapping, which maps certain TCP ports to specific internal addresses, NAT essentially keeps private information private.

In terms of administration, Network Address Translation provides regulatory enforcement as well as network organization and expansion since certain routers allow advanced filtering and traffic logging to enforce professional and ethical behavior.

It is possible to move web services to a different computer through inbound mapping without having to do any changes on external clients. Internal changes, such as removing a computer, can be executed easily since there is no one-to-one mapping of internal and external addresses.

Network growth can also be accommodated by increasing the range of unregistered IP addresses configured in a Dynamic Host Configuration Protocol (DHCP) server. As a result, the popularity of NAT is growing as quickly as IPv4 depletion.