What is NAT?
NAT stands for Network Address Translation.
Many devices sold as firewalls or routers are actually a combined firewall, router and NAT device in one box. NAT is the mechanism that allows you to have many PCs on your LAN all connected to the Internet through a single external IP address.
When one of the PCs on the private side of the NAT device initiates a connection with a server on the Internet, it is essential that the IP packets arriving at the remote server appear to have come from the external IP address of your router/firewall. To do this, the router/firewall modifies every outgoing IP packet by substituting its own external IP address for that of the internal PC that initiated the request. At the same time, it must also substitute the apparent port number of the sending device, using a port that is free on its own external interface. The remote server is fooled into thinking that it is receiving packets from the external interface of your router/firewall on the new port, when in fact it is receiving packets from a PC on the LAN behind your router/firewall using some other port number. Because it is totally fooled by this deception, the remote server will always send its layer 3 replies back to the IP address and port number on the external interface of your NAT device.
The NAT device has to keep track of the substitutions it has been making, because it is responsible for reversing them whenever it receives a reply on its external interface. It must also be consistent in the way it substitutes the sender's port number whenever a new packet is sent out from the PC on the LAN. This is called "stateful inspection" of packets, because the device has to keep track of the state of every Internet connection and modify the outbound and inbound packets consistently: packets coming from the Internet are forwarded to the correct internal destination (i.e. the correct PC on the LAN), and packets going out to the Internet are given the correct substituted source port number and IP address.
Port Address Translation (PAT)
The description above explains how basic NAT works, and you will have noticed that it actually involves Port Address Translation as well as Network (or IP) Address Translation. The term Port Address Translation is not widely used and most technical personnel do not mention it – they just refer to everything as NAT. This might be because they are unaware of the distinction or do not feel it is necessary to make it. What is perhaps of more importance is to be aware of the case where NAT can occur without Port Address Translation. This is the case for one-to-one NAT.
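The translation table described in the two sections above, as an added illustration (this is not code from the article): outbound packets get the external address and a free port substituted, the same inside socket always gets the same external port, replies are reversed from the stored state, and an inbound packet with no matching state has nothing to be translated to. A one-to-one mapping is included to show NAT without PAT, where the port is left untouched. All addresses are constructed examples from the documentation ranges; `NatDevice` and `Packet` are names chosen here.

```python
"""Toy stateful NAT/PAT device: added illustration, not code from the article.
Addresses are constructed examples from the RFC 5737 documentation ranges."""
from dataclasses import dataclass
from itertools import count
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatDevice:
    def __init__(self, external_ip: str, first_free_port: int = 40000,
                 one_to_one: Optional[dict] = None):
        self.external_ip = external_ip
        self._free_ports = count(first_free_port)      # pool of unused external ports
        self._out = {}   # (inside ip, inside port) -> external port (the PAT state)
        self._in = {}    # external port -> (inside ip, inside port)
        # One-to-one NAT: inside ip -> dedicated external ip, port left untouched.
        self._static = dict(one_to_one or {})
        self._static_rev = {ext: inside for inside, ext in self._static.items()}

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite the source of a LAN -> Internet packet as the remote server will see it."""
        if pkt.src_ip in self._static:                  # NAT without PAT
            return Packet(self._static[pkt.src_ip], pkt.src_port, pkt.dst_ip, pkt.dst_port)
        key = (pkt.src_ip, pkt.src_port)
        if key not in self._out:                        # first packet of a flow: pick a free port
            port = next(self._free_ports)
            self._out[key] = port
            self._in[port] = key
        # Later packets from the same inside socket reuse the same external port.
        return Packet(self.external_ip, self._out[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Reverse the substitution for a reply; None means no state matches and it is dropped."""
        if pkt.dst_ip in self._static_rev:              # static mapping needs no per-flow state
            return Packet(pkt.src_ip, pkt.src_port, self._static_rev[pkt.dst_ip], pkt.dst_port)
        if pkt.dst_ip != self.external_ip or pkt.dst_port not in self._in:
            return None                                  # unsolicited: nothing to translate it to
        inside_ip, inside_port = self._in[pkt.dst_port]
        return Packet(pkt.src_ip, pkt.src_port, inside_ip, inside_port)
```

Note that for the one-to-one mapping the device translates inbound packets without any per-flow state, so whether such a packet is allowed through is a matter for the firewall rules, not the NAT table.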
Check out this article if you want a better understanding of how firewalls may permit or deny connections through NAT: