NAT & PAT
Network Address Translation
Port Address Translation

Two common problems are tackled here:

Internet Security - this has become the most important goal of network administrators.  The first step of any security plan is to make users anonymous.

Internet Addresses - these are limited, and have become a very valuable commodity.

NAT enhances security by changing the IP address and port of each user, so that the outside world (the Internet) sees them as someone else (much like the Government's witness protection program).  Their identities are changed, and they become anonymous.  PAT allows groups of users to share one common IP address, which is a Godsend to corporations, small businesses, and the Internet itself, which is running out of available IP addresses. NAT and PAT are very simple, yet extremely powerful concepts.

NAT vs PAT

NAT translates IP addresses only.  PAT translates ports only, but is always used with NAT - never alone.  This means you can configure a router for pure NAT,  or NAT with PAT.  Sounds like a movie, eh  . . . The "Adventures of Nat and Pat".

NAT (1 to 1 translation) - utilizes source IP addresses and maps them to outside Internet IP addresses.  This is also called Static NAT.

NAT with PAT (Many to 1 translation - overload) - utilizes source IP addresses and ports to uniquely identify user workstations by their socket.  A socket is simply an IP address and a port number.  This allows mapping of up to 65,536 inside "socket" addresses to 1 outside address (hence the term 'overload').  This is also called Dynamic NAT.

NAT with PAT is also given yet another name - NAPT (Network Address Port Translation) and may be used to allow many hosts to share a single IP address by multiplexing streams differentiated by TCP/UDP port numbers as well as IP addresses.

For example, suppose local private hosts 10.0.0.1 and 10.0.0.2 both send packets from source port 2000. A NAPT device might translate these to a single public IP address 207.29.194.28 but two different source ports, say 2998 and 2999. Response traffic received for port 2998 is routed to 10.0.0.1 while port 2999 traffic is routed to 10.0.0.2.

NAT (Network Address Translation)

Network Address Translation (NAT) is simply that – it takes a network address and "translates" it to another network address.  It is a simple lookup table, where each row is created by a router command containing the two addresses.  The user address is behind the router on the LAN interface, and the Internet address is sent out across the serial interface.

The NAT table (lookup table) in the router can be configured in two ways.  So, for "n" users:

Static NAT - for security - requires n Internet IP addresses - assign unique, unregistered local IP addresses to all users, and use unique Internet addresses as well.  Users can all use the same port!!!

Static NAT offers enhanced security - the actual IP address of the user is hidden.  A router running NAT (RFC1631) allows the users to maintain anonymity, because their addresses are not sent out to the world.  Users will typically use addresses from one of three reserved address spaces, the most famous being the “10” Class A address range.

Source     Source Computer's   NAT Router's
Computer   IP Address          IP Address
--------   -----------------   -------------
A          10.0.0.1            215.37.32.201
B          10.0.0.2            215.37.32.202
C          10.0.0.3            215.37.32.203

Dynamic NAT (NAT & PAT) - for overloading - requires 1 outside Internet IP address - assign unique, unregistered local IP addresses to all users.  Must use unique ports for each user!!!

Dynamic NAT allows overloading - multiple users access the Internet via one IP address.  This is used by Microsoft ICS (Internet Connection Sharing) and by DSL routers that have several home user PC’s connected.  In fact, every Cable/DSL Broadband Router on the market accomplishes its job with NAT.

Source     Source Computer's   Source            NAT Router's
Computer   IP Address          Computer's Port   IP Address
--------   -----------------   ---------------   -------------
A          10.0.0.1            400               215.37.32.201
B          10.0.0.2            50                215.37.32.201
C          10.0.0.3            3750              215.37.32.201

Unregistered IP Ranges

IANA has set aside specific ranges of IP addresses for use as non-routable internal network addresses.  These addresses are considered unregistered (RFC 1918, Address Allocation for Private Internets, defines these address ranges), which means that no company or agency can claim ownership of them and use them on public computers.  Routers are designed not to forward unregistered addresses.  What this means is that a packet from a computer with an unregistered address could reach a registered destination computer, but the reply would be discarded by the first router it came to.

There is a range for each of the three classes of IP addresses used for networking.

·        Range 1 is for Class A: 10.0.0.0 through 10.255.255.255

·        Range 2 is for Class B: 172.16.0.0 through 172.31.255.255

·        Range 3 is for Class C: 192.168.0.0 through 192.168.255.255

Although each range is in a different class, there is no requirement that you use any particular range for your internal network. It is good practice though because it greatly diminishes the chance of an IP address conflict.

The following image shows how 3 users can all communicate on the Internet with just one IP address.  The router shown must be capable of performing NAT:

NAT Overloading Example

For this example, you have four users (each using non-routable internal network addresses) behind a router with NAT capability.  The router has one legal IP address, 215.37.32.203, that it advertises to the Internet, but four unique ports.  A remote server may communicate with multiple workstations on this LAN by sending to that one IP address and the four unique ports.

Source     Source Computer's   Source            NAT Router's    NAT Router's
Computer   IP Address          Computer's Port   IP Address      Assigned Port Number
--------   -----------------   ---------------   -------------   --------------------
A          192.168.32.10       400               215.37.32.203   1
B          192.168.32.13       50                215.37.32.203   2
C          192.168.32.15       3750              215.37.32.203   3
D          192.168.32.18       3750              215.37.32.203   4

Here's how the overloading works.  The key is an "address translation table" set up and stored by the router:

·        An internal network (stub domain) has been set up with non-routable IP addresses that were not specifically allocated to that company by IANA.

·        The company sets up a router with NAT enabled. The router has a unique IP address given to the company by IANA.

·        A computer on the stub domain attempts to connect to a computer outside the network, such as a Web server.

·        The router receives the packet from the computer on the stub domain.

·        The router saves the computer's non-routable IP address and port number to an address translation table.  The router replaces the sending computer's non-routable IP address with the router's IP address.  The router also replaces the sending computer's source port - it is simplest to use the row number of that entry in the address translation table.  For example, the first entry is for computer A, and that computer's source port (400) is stored, along with the translated port number (1).  The translation table now has a mapping of the computer's non-routable IP address and port number along with the router's IP address.

NOTE 1:  so now, anyone in the outside world communicating with Computer A will believe that Computer A's address and port is 215.37.32.203, port 1 (the router's address, with port 1).  The router receives the data, translates it to 192.168.32.10, port 400, and delivers it to Computer A via the Ethernet segment.

NOTE 2:  the port numbers 1, 2, 3 and 4 are reserved "well-known" port numbers (well-known ports are those in the range from 1 to 1023).  It is unclear how they can instead be used for the purpose of address translation, but apparently it does not cause problems.

·        When a packet comes back from the destination computer, the router checks the destination port on the packet. It then looks in the address translation table to see which computer on the stub domain the packet belongs to. It changes the destination address and destination port to the one saved in the address translation table and sends it to that computer.

·        The computer receives the packet from the router and the process repeats as long as the computer is communicating with the external system.

·        Since the NAT router now has the computer's source address and source port saved to the address translation table, it will continue to use that same port number for the duration of the connection. A timer is reset each time the router accesses an entry in the table. If the entry is not accessed again before the timer expires, the entry is removed from the table.

As you can see, the NAT router stores the IP address and port number of each computer in the address translation table. It then replaces the IP address with its own registered IP address and the port number corresponding to the location of the entry for that packet's source computer in the table. So any external network sees the NAT Router's IP address and the port number assigned by the router as the source computer information on each packet.

You can still have some computers on the stub domain that use dedicated IP addresses. You can create an access list of IP addresses that tells the router which computers on the network require NAT. All other IP addresses will pass through untranslated.
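An added Python sketch of the address translation table described above: it reproduces the NAPT example where 10.0.0.1 and 10.0.0.2 both send from port 2000 and come out as 207.29.194.28 ports 2998 and 2999, the overloading steps, the idle timer, and the pass-through of addresses that need no translation.  This is not the page's code or any router's implementation; the sequential allocation of outside ports from a configurable starting port (rather than the row-number scheme in the table above), the caller-supplied clock, and the use of the RFC 1918 ranges in place of an access list are assumptions.

```python
import ipaddress

# RFC 1918 ranges from the page; here they stand in for the router's access list
# (assumption: only these addresses are translated, anything else passes through).
PRIVATE_RANGES = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


class NaptRouter:
    """Address translation table: (inside ip, inside port) <-> outside port."""

    def __init__(self, public_ip, first_port=1024, idle_timeout=300.0):
        self.public_ip = public_ip          # the one registered address
        self.next_port = first_port         # assumption: ports allocated sequentially
        self.idle_timeout = idle_timeout    # seconds before an idle entry is removed
        self.outbound = {}                  # (inside_ip, inside_port) -> outside_port
        self.inbound = {}                   # outside_port -> (inside_ip, inside_port, last_used)

    def needs_nat(self, ip):
        return any(ipaddress.ip_address(ip) in net for net in PRIVATE_RANGES)

    def _expire(self, now):
        # Entries not touched within idle_timeout are dropped from both maps.
        for port, (ip, iport, last) in list(self.inbound.items()):
            if now - last > self.idle_timeout:
                del self.inbound[port]
                del self.outbound[(ip, iport)]

    def translate_outbound(self, src_ip, src_port, now):
        """Return the (ip, port) the Internet sees; `now` is the caller's clock."""
        self._expire(now)
        if not self.needs_nat(src_ip):
            return src_ip, src_port         # dedicated address: passes untranslated
        key = (src_ip, src_port)
        if key not in self.outbound:        # first packet from this socket: new row
            self.outbound[key] = self.next_port
            self.next_port += 1
        port = self.outbound[key]
        self.inbound[port] = (src_ip, src_port, now)   # reset the entry's timer
        return self.public_ip, port

    def translate_inbound(self, dst_port, now):
        """Map a reply's destination port back to the inside socket, or None."""
        self._expire(now)
        entry = self.inbound.get(dst_port)
        if entry is None:
            return None                     # no row for this port: unsolicited, drop
        ip, iport, _ = entry
        self.inbound[dst_port] = (ip, iport, now)
        return ip, iport
```

A reply to a port with no table row returns None, which is the behaviour that keeps unsolicited Internet traffic from reaching the stub domain.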

The number of simultaneous translations that a router will support is determined mainly by the amount of DRAM (Dynamic Random Access Memory) it has.  But since a typical entry in the address translation table only takes about 160 bytes, a router with 4 MB of DRAM could theoretically process 26,214 simultaneous translations, which is more than enough for most applications.