Network Address Translation
Exhaustion of the IPv4 address space is one of the key problems facing the Internet today. To address it, Cisco implemented a feature known as Network Address Translation (NAT). NAT, described in RFC 1631, lets the same IP addresses be reused in multiple internetworks by rewriting the source or destination IP address of a packet as it crosses the router. This is what allows privately addressed networks to connect to public networks such as the Internet: when a host on the private inside network sends a packet through the NAT router, the private source address is replaced with a registered, globally routable IP address.
NAT helps to solve other problems aside from the rapid depletion of global network address space and provides an enterprise with many advantages, some of which are listed here:
NAT mitigates the effect of overlapping addressing schemes. If an IP scheme was set up within a private network and that network is later connected to a public network such as the Internet, or merges with another company that uses the same address space, communication could not take place because of the overlapping IP address schemes. Without NAT, such overlaps could occur on a global scale.
Implementing dynamic NAT or PAT incidentally creates a makeshift firewall between the internal trusted network and the outside untrusted networks or the Internet. The router forwards an inbound packet only if it matches an existing translation entry, and dynamic entries are created only by connections that originate inside the trusted network. Essentially, this means that a computer on an external untrusted network cannot connect to a computer on the inside trusted network unless the inside computer has initiated the contact. This should not be mistaken for a real firewall: a static translation exposes its inside host to unsolicited inbound traffic, translation entries match only on addresses and ports, and no policy is applied to the traffic that does match, so NAT complements rather than replaces a packet filter or stateful firewall.
NAT increases the flexibility of connecting to a public network and gives network designers more freedom when designing an organization's addressing plan. This flexibility allows for multiple address pools and load sharing/balancing features. NAT also saves the cost of renumbering a private network address space into a unique global address space.
Although most networking devices support NAT because of its many beneficial features, NAT does have a few disadvantages that should be weighed against the benefits when determining if it is a viable solution for the enterprise:
NAT increases the overall switching delay of each packet, partly because of the translation itself (the header must be rewritten and the IP and TCP/UDP checksums recomputed) and partly because, on many IOS releases, NAT is process switched rather than fast switched. The router must examine every packet to determine whether a header rewrite is required.
NAT causes the loss of end-to-end traceability, since the addresses seen outside are not those of the real hosts, and it breaks applications that carry IP addresses or port numbers inside their payload, because NAT hides the inside addresses and does not rewrite the payload unless the NAT device specifically understands that application protocol.
At a high level, NAT distinguishes two types of networks: internal and external. Internal networks, also referred to as stub domains, are networks that have been assigned IP addresses that are considered private or not routable on the Internet. Conversely, external networks are networks that are considered public and routable. NAT also has its own terminology for the types of IP addresses involved:
Inside local IP address—The IP address assigned to a host on the inside trusted network. These addresses are typically allocated from the private IP address ranges.
Inside global IP address—A legitimate IP address that represents one or more inside local addresses to the outside network(s). These are the IP addresses that the inside local IP addresses are translated to. They are advertised outside the inside local address space.
Outside global IP address—The IP address that is assigned to a host on the outside network by its owner. These addresses are allocated from legitimate globally routable address space.
Outside local IP address—The IP address of an outside host as it appears to the inside network. This address is allocated from IP address space that is routable on the inside network.
NAT creates two types of address translations: simple and extended. A simple translation entry is an entry that simply maps one IP address to another IP address. An extended translation entry is a translation entry that maps one IP address and port pair information to another IP address and port pair.
Port Address Translation (PAT) is a variant of Network Address Translation (NAT). NAT creates a one-to-one address translation at the network layer and does not maintain port parameters per translation. PAT, on the other hand, creates a many-to-one address translation and maintains port parameters per translation. PAT allows packets from many inside local IP addresses to be translated to one inside global address. It allows enterprises to conserve public IP addresses by translating the source of every inside packet, or of every inside packet matched by an access list, to one global public IP address. When PAT is enabled on a perimeter router (the overload keyword on Cisco IOS), the translation process chooses a unique source port number for each outbound connection request.
Because the distinguishing field is the 16-bit port number, one global IP address can in theory carry up to roughly 64,000 concurrent translations. Each host opens many connections, however, so in most cases a more realistic number is in the vicinity of 4,000 hosts per global address. PAT does not use well-known port numbers in its address translation, nor are any destination fields translated: only the source information is rewritten.
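The following is an added example, not code from the page or from Cisco, that models the behaviour described in the preceding paragraphs as a small translation table: the inside local/inside global/outside global terminology, simple (static, address-only) entries versus extended (address-plus-port) entries, PAT's choice of a unique source port per outbound connection while avoiding well-known ports, and the "makeshift firewall" effect, including its caveat that a static entry admits unsolicited inbound traffic. The addresses (10.1.1.0/24 inside, 203.0.113.2 and 203.0.113.7 as inside global addresses, 198.51.100.x as outside hosts) are constructed for illustration, the port-selection policy (keep the host's source port when free and not well-known, otherwise take the lowest free port above 1023) is an assumption of this model, and entries are keyed only by the inside endpoint rather than by the full five-tuple as a real router would do.

```python
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp", "udp" or "icmp" (for icmp the "port" stands in for the query id)
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatRouter:
    """Toy inside-source NAT/PAT on a perimeter router (illustrative model, not IOS code).

    Static entries are simple translations: one inside local address to one inside
    global address, no port information kept.  Dynamic entries are extended
    translations: (proto, inside local, port) to (inside global, port), with every
    dynamic host sharing the single inside global address, i.e. PAT/overload.
    """

    WELL_KNOWN_MAX = 1023  # PAT never hands out a port from the well-known range

    def __init__(self, inside_global: str) -> None:
        self.inside_global = inside_global
        self.static: Dict[str, str] = {}       # inside local -> inside global
        self.static_rev: Dict[str, str] = {}   # inside global -> inside local
        # (proto, inside local, local port) -> global port
        self.extended: Dict[Tuple[str, str, int], int] = {}
        # (proto, global port) -> (inside local, local port)
        self.extended_rev: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def add_static(self, inside_local: str, inside_global: str) -> None:
        """Simple one-to-one entry, like 'ip nat inside source static' on IOS."""
        self.static[inside_local] = inside_global
        self.static_rev[inside_global] = inside_local

    def _pick_global_port(self, proto: str, wanted: int) -> int:
        """Assumed policy: keep the host's own source port when it is free and not
        well-known, otherwise take the lowest unused port above 1023.  Each protocol
        has its own port space, so tcp/1024 and udp/1024 are distinct entries."""
        used = {port for (pr, port) in self.extended_rev if pr == proto}
        if wanted > self.WELL_KNOWN_MAX and wanted not in used:
            return wanted
        for port in range(self.WELL_KNOWN_MAX + 1, 65536):
            if port not in used:
                return port
        raise RuntimeError("PAT port space exhausted for " + self.inside_global)

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside.  Only the source fields are rewritten; the destination
        (outside global) is left untouched, exactly as the text describes for PAT."""
        if pkt.src_ip in self.static:
            return replace(pkt, src_ip=self.static[pkt.src_ip])
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        if key not in self.extended:
            gport = self._pick_global_port(pkt.proto, pkt.src_port)
            self.extended[key] = gport
            self.extended_rev[(pkt.proto, gport)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.inside_global, src_port=self.extended[key])

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside.  Forwarded only when an entry matches the destination,
        otherwise dropped (None): this is the whole of the 'makeshift firewall'.
        Note that a static entry matches unsolicited traffic as well."""
        if pkt.dst_ip in self.static_rev:
            return replace(pkt, dst_ip=self.static_rev[pkt.dst_ip])
        if pkt.dst_ip == self.inside_global:
            hit = self.extended_rev.get((pkt.proto, pkt.dst_port))
            if hit is not None:
                return replace(pkt, dst_ip=hit[0], dst_port=hit[1])
        return None


if __name__ == "__main__":
    # Constructed walk-through: two inside hosts reusing the same source port,
    # one reply, one unsolicited probe, and one probe at a statically mapped host.
    r = NatRouter("203.0.113.2")
    r.add_static("10.1.1.10", "203.0.113.7")
    for p in (Packet("tcp", "10.1.1.20", 49152, "198.51.100.9", 80),
              Packet("tcp", "10.1.1.21", 49152, "198.51.100.9", 80)):
        print("out:", p, "->", r.outbound(p))
    for p in (Packet("tcp", "198.51.100.9", 80, "203.0.113.2", 1024),
              Packet("tcp", "198.51.100.9", 4444, "203.0.113.2", 3389),
              Packet("tcp", "198.51.100.9", 40000, "203.0.113.7", 22)):
        print("in: ", p, "->", r.inbound(p) or "DROPPED (no translation entry)")
```

Running the walk-through shows the second host's connection being assigned global port 1024 because 49152 is already held by the first host, the reply to 203.0.113.2:1024 being delivered to 10.1.1.21:49152, the probe to 203.0.113.2:3389 being dropped for lack of an entry, and the probe to the static address 203.0.113.7 reaching 10.1.1.10 unchallenged, which is why a static NAT entry needs an access list or firewall in front of it.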