Network Address Translation (NAT) is a technique that allows multiple devices to share one or more IP addresses. It is normally employed at the gateway between a private network and the Internet, allowing the devices on the private network to share a single global, ISP-assigned address.
This is achieved by modifying the headers of each packet traversing the device. At a minimum, the IP address (and the IP header checksum) is replaced (translated). For packets outbound to the Internet, source addresses are translated from private -> public. For packets inbound from the Internet, destination addresses are translated from public -> private.
NAT is an Internet Engineering Task Force (IETF) standard for the sharing of an IP address. It was proposed in the 70s as a solution to the problem of decreasing IPv4 address space. Prior to its inception, everything attached to the Internet had a unique, global IPv4 address. The introduction of NAT (and that of reserved, private address space) allowed multiple privately addressed hosts to share a single global IP address.
The subnets reserved for private use are:
172.16.x.x - 172.31.x.x or 172.16/12 (Class B)
192.168.x.x or 192.168/16 (Class C)
169.254.x.x or 169.254/16 - 'Auto-configuration'
A host that is set to obtain an IP address via DHCP (Dynamic Host Configuration Protocol) but which fails to do so will attempt to assign itself a random address from the auto-configuration subnet.
The reserved addresses are reusable, not globally unique and therefore not routable on the Internet. Although by far the most common configuration, the use of private addresses is not mandatory, and it is possible to use any address type with NAT. For the purposes of this FAQ, it is assumed that NAT separates a private network and the Internet.
NAT is a type of routing in which the headers of each packet are modified by interchanging (at least) a private address and a public address. The process is probably explained most clearly by following a conversation through NAT:
1. A host in a privately addressed subnet attached to the Internet via a NAT router sends a connection initiation (SYN flagged) TCP packet to www.dslreports.com (which it has previously resolved to an IP address). The ethernet frame containing the packet is addressed to the private interface of the NAT router (the host's default gateway).
2. The NAT router receives the frame and changes the source IP address from the host's private address to a public (global) address, recalculates the checksum and forwards the packet out onto the Internet.
3. DSLR replies with a TCP SYN / ACK flagged packet IP addressed to our global address.
4. The NAT router receives this and changes the destination IP address to the host's private address before passing it on to the host.
Note that the process is completely transparent to the end points of the connection. Neither the private host nor DSLR has any idea that the translation has taken place. The process is the same for UDP. For a description of how NAT deals with ICMP error messages, see here.
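The four-step exchange above, reduced to the header arithmetic a NAT router actually performs, as an added example that is not part of the original FAQ. It builds a constructed 20-byte IPv4 header, performs the outbound (source) and inbound (destination) translation, and recomputes the RFC 791 header checksum each time; the private host, public NAT address and remote server addresses are assumed placeholders from the documentation ranges, not real hosts.

```python
import ipaddress
import struct

# Constructed sample addresses (RFC 5737 documentation space, not real hosts).
PRIVATE_HOST = "192.168.1.10"   # host on the private side of the NAT router
PUBLIC_ADDR = "203.0.113.5"     # the router's global, ISP-assigned address
REMOTE = "198.51.100.7"         # stands in for the remote web server


def ip_checksum(header: bytes) -> int:
    """RFC 791 checksum: one's-complement sum of 16-bit words, complemented."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, payload_len: int, proto: int = 6) -> bytes:
    """Build a minimal 20-byte IPv4 header (no options) with a valid checksum."""
    ver_ihl, tos, ident, flags_frag, ttl = 0x45, 0, 0x1234, 0x4000, 64
    hdr = struct.pack("!BBHHHBBH4s4s", ver_ihl, tos, 20 + payload_len, ident,
                      flags_frag, ttl, proto, 0,
                      ipaddress.ip_address(src).packed,
                      ipaddress.ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def translate(header: bytes, outbound: bool) -> bytes:
    """One NAT step: outbound packets get their source rewritten private -> public,
    inbound packets get their destination rewritten public -> private. The checksum
    is zeroed and recomputed over the modified header."""
    src, dst = addresses(header)
    if outbound:
        assert ipaddress.ip_address(src).is_private, "outbound must come from inside"
        src = PUBLIC_ADDR
    else:
        assert dst == PUBLIC_ADDR, "inbound must be addressed to the global address"
        dst = PRIVATE_HOST
    hdr = (header[:10] + b"\x00\x00" + ipaddress.ip_address(src).packed
           + ipaddress.ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def addresses(header: bytes) -> tuple:
    """Return (source, destination) of an IPv4 header as dotted strings."""
    return str(ipaddress.ip_address(header[12:16])), str(ipaddress.ip_address(header[16:20]))


def header_is_valid(header: bytes) -> bool:
    """A receiver's check: the checksum over the entire header must come out zero."""
    return ip_checksum(header) == 0
```

Because the translated header carries a freshly computed checksum, the remote server and the private host both see a header that verifies cleanly, which is why neither end can tell that translation took place.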