The most common type of NAT is NAPT, or "many-to-one" NAT, as found in broadband routers and in software such as ICS and Winroute. NAPT translates the IP address and port (or the query ID for ICMP) in each packet that traverses it, allowing many computers to share one public address while each holds multiple concurrent conversations.
Basic NAT, also known as 'pooled NAT' or 'dynamic 1-1 NAT'
In early forms of NAT, it was assumed that in a typical private network only a few hosts were communicating with external hosts at any one time. A pool of global addresses was set aside for use with NAT, and private hosts could communicate with external hosts concurrently only while a free global address remained in the pool. Routers needed a small amount of memory to keep track of the private address currently associated with each public address, allowing translation and routing of inbound traffic.
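The pooled scheme as a small simulation, added here as an example and not taken from the original article. Private hosts (192.168.1.x), the pool (203.0.113.x) and the idle timeout are constructed sample values; the point is that a host gets a whole global address, a binding is reused for all of that host's connections, and once the pool is exhausted further hosts cannot be translated until an idle binding is returned to the pool.

```python
"""Basic (pooled, dynamic 1-1) NAT simulation.

Added example, not code from the original article. Addresses are constructed
sample values (192.168.1.x private hosts, 203.0.113.x pool); the idle timeout
is a constructed default.
"""


class PooledNat:
    def __init__(self, pool, idle_timeout=300):
        self.free = list(pool)        # global addresses not currently bound
        self.bindings = {}            # private IP -> (global IP, last used)
        self.reverse = {}             # global IP -> private IP, for inbound routing
        self.idle_timeout = idle_timeout

    def outbound(self, private_ip, now):
        """Global address to put in the source field, or None if the pool is exhausted."""
        if private_ip in self.bindings:
            g, _ = self.bindings[private_ip]
        else:
            if not self.free:
                return None           # every global address is bound: this host must wait
            g = self.free.pop(0)
            self.reverse[g] = private_ip
        self.bindings[private_ip] = (g, now)
        return g

    def inbound(self, global_ip, now):
        """Private host to deliver an inbound packet to, or None if the address is unbound."""
        p = self.reverse.get(global_ip)
        if p is not None:
            self.bindings[p] = (global_ip, now)
        return p

    def expire(self, now):
        """Return idle bindings to the pool; returns the freed global addresses."""
        freed = [g for p, (g, t) in self.bindings.items() if now - t > self.idle_timeout]
        for g in freed:
            del self.bindings[self.reverse.pop(g)]
            self.free.append(g)
        return freed


def demo():
    """Two-address pool shared by three private hosts."""
    nat = PooledNat(["203.0.113.10", "203.0.113.11"])
    r = {}
    r["a"] = nat.outbound("192.168.1.2", now=0)              # "203.0.113.10"
    r["b"] = nat.outbound("192.168.1.3", now=1)              # "203.0.113.11"
    r["a_again"] = nat.outbound("192.168.1.2", now=2)        # same address: binding reused
    r["c"] = nat.outbound("192.168.1.4", now=3)              # None: pool exhausted
    r["reply_to_a"] = nat.inbound("203.0.113.10", now=200)   # "192.168.1.2"
    r["freed"] = nat.expire(now=400)                         # ["203.0.113.11"]: B idle, A still active
    r["c_after"] = nat.outbound("192.168.1.4", now=401)      # "203.0.113.11"
    return r
```

Note that the translator never needs to look at ports: every packet from a bound private host carries the same global source address, which is exactly why the scheme caps the number of simultaneously active hosts at the pool size.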
Static 1-1 NAT
This is an even simpler scheme, used where only a few hosts in a private network ever communicate with external hosts. In this scheme, each private host has a direct and fixed mapping to a global address.
Network Address Port Translation (NAPT), also known as 'PAT', 'many-to-one' or 'M-1 NAT'
This is what people generally mean when they say "NAT" -- the form of NAT used in broadband routers (NAT boxes), many firewalls, software such as Winroute and ICS, etc. In this scheme, multiple hosts can share a single address and make many concurrent connections. This is achieved by translating port addresses as well as IP addresses (or the query ID in the case of ICMP). Ports and query IDs are used in the TCP/UDP and ICMP protocols, respectively, for multiplexing of conversations -- i.e. to allow multiple concurrent conversations between hosts by uniquely identifying each one. Again, the process is most easily explained by following a TCP exchange through NAPT (ignoring checksum replacements):
1. The private host sends a TCP SYN-flagged packet to DSLR with the following TCP header fields:
2. The NAT router receives the frame and replaces the source IP address and port (and makes the necessary checksum replacements). It then records the header details (both untranslated and translated) in the "NAT table" held in memory before forwarding the packet on to the Internet.
3. DSLR replies:
4. The NAT router receives the reply and checks its header details against all entries in the NAT table. In this case, it finds the entry made in step 2 and can therefore replace the destination address and port and forward the packet on to the private host.
In the case of ICMP, the addresses and the query ID (instead of a port address) are translated. Outbound traffic is monitored for TCP SYN-flagged packets and for new UDP / ICMP conversations, and a NAT table entry (comprising the original and translated header details) is made for each, so that every conversation (a TCP connection, a UDP exchange with a certain host and port, etc.) has an entry in the table. This allows the device to translate and route inbound packets to their private destinations.
All NAT table entries are removed after a timeout period of inactivity. In the case of TCP, the entry can be removed immediately when the connection closes (a pair of FIN / ACK packets is seen). In the case of some ICMP types, the entry can be removed when a reply is received. The timeout values are often user-modifiable. Note that the process is, again, entirely transparent to the end points of the connection.
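The four-step exchange, the ICMP query-ID case and the table-removal rules above, as an added example that is not code from the original article. The public address 203.0.113.5, the private hosts, the remote hosts, the port numbers and the idle timeouts are all constructed sample values; checksum fix-ups are left out, as in the walkthrough. A TCP entry is created only on an outbound SYN and dropped once a FIN has been seen in each direction, an ICMP echo entry is dropped as soon as the reply arrives, and everything else falls to the idle timeout.

```python
"""NAPT simulation driven by a NAT table (added example; constructed values)."""
from dataclasses import dataclass, field, replace


@dataclass
class Packet:
    proto: str                        # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0                    # TCP/UDP source port; for ICMP, the query ID
    dport: int = 0                    # TCP/UDP destination port; unused for ICMP
    flags: frozenset = field(default_factory=frozenset)   # TCP flags, e.g. {"SYN"}


class Napt:
    # Idle timeouts in seconds; constructed defaults (real routers let users change them).
    IDLE_TIMEOUT = {"tcp": 3600, "udp": 300, "icmp": 60}

    def __init__(self, public_ip, first_port=1024):
        self.public_ip = public_ip
        self.next_port = first_port   # next unused public port (or ICMP query ID)
        self.table = {}               # (proto, public port) -> {"key", "last_seen", "fins"}
        self.by_private = {}          # (proto, src, sport, dst, dport) -> public port

    def _remove(self, proto, pub):
        entry = self.table.pop((proto, pub))
        del self.by_private[entry["key"]]

    def _count_fin(self, proto, pub):
        # A FIN in each direction means the TCP connection has closed.
        self.table[(proto, pub)]["fins"] += 1
        if self.table[(proto, pub)]["fins"] >= 2:
            self._remove(proto, pub)

    def outbound(self, pkt, now):
        """Translate a packet leaving the private network; None means dropped."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        pub = self.by_private.get(key)
        if pub is None:
            # New conversation: TCP must begin with a SYN, UDP/ICMP with any packet.
            if pkt.proto == "tcp" and "SYN" not in pkt.flags:
                return None
            pub, self.next_port = self.next_port, self.next_port + 1
            self.table[(pkt.proto, pub)] = {"key": key, "last_seen": now, "fins": 0}
            self.by_private[key] = pub
        self.table[(pkt.proto, pub)]["last_seen"] = now
        if pkt.proto == "tcp" and "FIN" in pkt.flags:
            self._count_fin(pkt.proto, pub)
        # The rewrite itself: private source address and port/ID become the public ones.
        return replace(pkt, src=self.public_ip, sport=pub)

    def inbound(self, pkt, now):
        """Translate a packet arriving at the public address; None means dropped."""
        pub = pkt.sport if pkt.proto == "icmp" else pkt.dport
        entry = self.table.get((pkt.proto, pub))
        if pkt.dst != self.public_ip or entry is None:
            return None                   # no matching table entry: unsolicited, drop
        _, src, sport, dst, dport = entry["key"]
        if pkt.src != dst or (pkt.proto != "icmp" and pkt.sport != dport):
            return None                   # entry was opened to a different remote host
        entry["last_seen"] = now
        if pkt.proto == "icmp":
            self._remove(pkt.proto, pub)  # the echo reply completes the exchange
        elif pkt.proto == "tcp" and "FIN" in pkt.flags:
            self._count_fin(pkt.proto, pub)
        if pkt.proto == "icmp":
            return replace(pkt, dst=src, sport=sport)
        return replace(pkt, dst=src, dport=sport)

    def expire(self, now):
        """Drop entries idle longer than their timeout; returns how many were removed."""
        stale = [k for k, e in self.table.items() if now - e["last_seen"] > self.IDLE_TIMEOUT[k[0]]]
        for proto, pub in stale:
            self._remove(proto, pub)
        return len(stale)


def walkthrough():
    """The article's TCP exchange, then ICMP, an unsolicited packet and timeouts."""
    pub_ip, a, b, web, dns = "203.0.113.5", "192.168.1.2", "192.168.1.3", "198.51.100.7", "198.51.100.53"
    nat, out = Napt(pub_ip), {}
    # Steps 1-2: host A's SYN leaves with the public address and a new public port.
    syn = nat.outbound(Packet("tcp", a, web, 49152, 80, frozenset({"SYN"})), now=0)
    out["syn_src"] = (syn.src, syn.sport)                        # ("203.0.113.5", 1024)
    # Steps 3-4: the reply to that public port is mapped back to host A.
    ack = nat.inbound(Packet("tcp", web, pub_ip, 80, 1024, frozenset({"SYN", "ACK"})), now=1)
    out["synack_dst"] = (ack.dst, ack.dport)                     # ("192.168.1.2", 49152)
    # Host B uses the same local port; NAPT tells the two apart by public port.
    out["b_pub_port"] = nat.outbound(Packet("tcp", b, web, 49152, 80, frozenset({"SYN"})), now=2).sport  # 1025
    # An inbound packet with no table entry is dropped.
    out["unsolicited"] = nat.inbound(Packet("tcp", web, pub_ip, 80, 2000, frozenset({"SYN"})), now=3)  # None
    # ICMP echo: the query ID is rewritten, and the entry is gone once the reply arrives.
    echo = nat.outbound(Packet("icmp", a, dns, sport=7), now=4)
    reply = nat.inbound(Packet("icmp", dns, pub_ip, sport=echo.sport), now=5)
    out["echo_reply"] = (reply.dst, reply.sport)                 # ("192.168.1.2", 7)
    out["icmp_left"] = ("icmp", echo.sport) in nat.table         # False
    # A FIN in each direction removes host A's TCP entry without waiting for a timeout.
    nat.outbound(Packet("tcp", a, web, 49152, 80, frozenset({"FIN", "ACK"})), now=6)
    nat.inbound(Packet("tcp", web, pub_ip, 80, 1024, frozenset({"FIN", "ACK"})), now=7)
    out["tcp_left"] = ("tcp", 1024) in nat.table                 # False
    # A UDP entry survives until it has been idle longer than its timeout.
    nat.outbound(Packet("udp", a, dns, 5353, 53), now=8)
    out["expired_early"], out["expired_late"] = nat.expire(now=100), nat.expire(now=400)   # 0, 1
    return out
```

The transparency the text mentions shows up in the walkthrough: host A only ever sees its own address and port 49152, the web server only ever sees 203.0.113.5 and port 1024, and the NAT table is the sole place where the two are tied together. That is also why an inbound packet with no entry (the `unsolicited` case) is simply dropped, which is the incidental firewalling effect of a NAT box.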
Multi-NAT allows several NAT schemes to be used with several public IP addresses. For example, a 1-1 NAT could be used on 3 global addresses for web, mail and DNS servers whilst NAPT is employed on a fourth global address for workstations.
Thank you so much for such a clear explanation of how this basically works. No geek talk, no technobabble, just a clean step by step walkthrough. Now, if we could only get a couple thousand more writers like you a lot of the help forums would no longer be needed. Thanks again.