Category: networking infrastructure

Network Address Translation (NAT) is one of the key technological concepts behind the performance of communication networks and the internet at large. NAT is a mechanism for converting private (local) IP addresses into public (global) IP addresses and vice versa.

There are six main NAT types: static, dynamic, port address translation, overlapping, and masquerade.

Understanding the functionality of each NAT type — as well as its purpose — is vital in helping you choose the right one to reap the most benefits.

Network Address Translation, IPv4, and IPv6

It’s helpful to understand a little bit about how IP addressing works in order to understand the different types of NAT and the problems they solve.

NAT enables efficient use of limited IPv4 addresses — there are only 4,294,967,296 possible 32-bit IPv4 addresses, which is not enough for every device worldwide — NAT allows organizations to maintain numerous private devices while requiring only a small number of public addresses for internet access.

IPv6 is the next generation of internet protocol, designed to solve the IPv4 address shortage. Instead of 32-bit addresses, IPv6 uses 128-bit addresses. This creates an almost unlimited number of addresses — enough for every device on Earth to have its own unique identifier.

IPv6 reduces the need for NAT, but it is still important in networks where IPv4 and IPv6 coexist. These mixed environments often rely on NAT to ensure smooth communication between devices using different protocols.

As organizations transition to IPv6, understanding when and how to use NAT remains essential for maintaining efficient and reliable connections.

The six types of Network Address Translation and what they do

Once again, NAT is a technology that allows the use of private and public TCP/IP addresses by facilitating the translation between internal and external IP addresses. It involves routing and remapping IP addresses via routing devices such as firewalls and routers.

Since you can’t use a private IP address to gain access to an external network like the internet, NAT ensures that a local host has internet access by translating local IP addresses into one or multiple global IP addresses.

Conveniently, NAT allows a unique IP address to represent a whole group of devices and computers. In other words, NAT is what enables you to connect multiple electronic devices to your home router while using the same public IP address to access the internet.

NAT is typically implemented by a router. In addition to facilitating address translation, NAT can serve a number of important additional purposes:

• Network security: Obscures internal IP addresses, adding a layer of protection against external threats.
• Firewall functionality: Filters traffic and blocks unauthorized access based on security rules.
• Port forwarding: Enables external access to internal services by forwarding specific ports to the appropriate devices.
• Load balancing: Distributes traffic across multiple servers for better resource utilization and traffic management.
• Session tracking: Ensures proper routing of incoming data by tracking active connections.
• Simplified network management: Reuses private IP addresses, reducing the need for public IP allocation.
• VPN support: Allows secure communication between devices on different networks by translating IP addresses.

The following six types of Network Address Translation offer different means of improving network security, addressing connectivity issues, and solving performance problems.

1. Static NAT

Description: This is a straightforward translation that maps a single private IP address to a corresponding public IP address. A static NAT must match the number of IP addresses on the local area network (LAN) with an equal number on the outside network. For this reason, Static NAT is also called balanced NAT.

Purpose: Static networks are fixed because they provide one-to-one (or many-to-many) mapping, allowing the creation of a fixed translation to an actual address. As a result, their mappings provide a consecutive connection to the same address. Ultimately, Web and FTP servers favor using Network Address Translation because of its consistency and reliability.

Benefits: Static networks reduce the problem of overlapping addresses while also providing a degree of protection for your registered public addresses.

Static NAT can be more challenging to set up, but it is usually easier to manage and troubleshoot — leaving you with a low-maintenance network. Also, when you switch networks, you won’t face the hassle of having your IP addresses renumbered.

Limitations: Since static networks have fixed IP addresses that don’t change, they are more susceptible to spoofing and hacking, as malicious actors can easily target them. These security risks make it critical to protect your network with firewalls and encryption.

Additionally, a static NAT is bi-directional, meaning hosts can initiate connections both inside and outside the network. Of course, you need a policy to allow this, but it could still expose you to a significant security loophole.

Finally, static Network Address Translation is also more expensive than its dynamic counterpart because it requires more public IP addresses for its implementation. These increased costs extend to your internet service provider (ISP), which will typically charge you more for the privilege of a dedicated IP address. Meanwhile, the inflexible nature of static IPs also forces you to change them manually if you ever move to another location.

Best for: Static IP addresses are best for applications, processes, and protocols that require a consistent IP, such as web hosts, application servers, printers, routers, and gaming consoles.

Example: In addition to one-to-one mapping, static NAT is bi-directional, allowing connections between an inside and outside address. For instance, assume you have a web server in your LAN with a private inside address of 172.17.1.0.

Perhaps you want to make it accessible when a remote host makes a request to 209.165.200.10 (an example of a registered public IP address). To do so, you or your network administrator must configure at least one interface on the router (which typically has NAT inside and NAT outside), along with a set of rules it’ll use to translate IP addresses in traffic payloads and packet headers.

In this case, a configuration for the router to allow static NAT outside-to-inside translation will look something like this: ip nat inside source static 172.17.1.0 209.165.200.10.

2. Dynamic NAT

Description: Instead of single mapping, dynamic NAT maps a group of public IP addresses to internal addresses.

For this to work, network administrators must configure an organization’s router to handle a pool of IP addresses to facilitate dynamic NAT. This way, an internal IPv4 host that wants internet connectivity can make a request to the router, which dynamically assigns an available public IPv4 address from the pool.

Similarly, when a machine in a private network needs to access an external network such as the internet, a public IP address from the available pool is assigned to it.

The nature of Network Address Translation, which requires translating private IP addresses into public ones, creates a dichotomy of inside and outside IPs. As such, dynamic NAT requires associating an unregistered IP address on the LAN’s inside list — with the pool of registered IP addresses on the outside global list.

Keep in mind that “NAT inside” represents the inside addresses, which are unregistered IPs on the private LAN behind the NAT device (typically a router). Meanwhile, “NAT outside” represents everything else, such as external networks with registered, public IP addresses (like the internet).

Purpose: Internet Service Providers (ISPs) and remote access environments use dynamic NAT to supply and conserve IP addresses.

Benefits: The dynamic nature of this type of NAT provides many advantages. In terms of security, for example, there is no static IP address to trace and target, so the periodic changes frustrate hackers with nefarious intentions. Dynamic NAT therefore hides and protects your private network and its associated devices from the malicious dangers of the outside world.

Dynamic NAT is also cheaper and more adaptable than static networks, which is reflected in its ability to connect to different locations and networks without changing IP addresses. This means you aren’t burdened with having to update your settings and reconfigure your devices because the server automatically assigns the IP addresses.

The increased connection capability provides enterprise networks with greater flexibility. Large, distributed organizations, which typically require multiple public IP addresses, often choose dynamic NAT to efficiently manage their network traffic.

Limitations: Most of dynamic NAT’s limitations are due to the technicalities of mapping several local IPs to a pool of public IP addresses. Since dynamic IP addresses are likely to change and may expire without notice, dynamic networks end up introducing more overhead due to switching and associated path delays during translation.

As a result, the overall network performance is reduced because of unreliability, unpredictability, and a lack of end-to-end traceability. For example, a router or firewall will drop traffic if a local host attempts to make a connection when all the public IP addresses from the pool have already been assigned.

Best for: Dynamic networks are ideal for when an organization can anticipate the number of fixed users that will access the internet at a given time. They have low maintenance requirements, adaptability, and cost-effectiveness that make them suitable for managing environments with significant host devices.

In terms of privacy and protection, dynamic IP addresses are best-suited for devices and scenarios that demand increased security systems and flexibility. As such, they are ideal for smartphones, laptops, tablets, and smart TVs.

Example: Assume you have a computer on an internal network with a local address of 172.178.0.1/24. Dynamic NAT will assign a registered address to your internal host from a pool of public IP addresses, such as those from 192.168.1.1 to 192.168.1.150.

To a remote server, any traffic coming from this setup will appear to originate from a public IP address. However, the NAT system is actually masking the original machine’s address of 172.178.0.1/150 and hiding your entire internal network.

Once the request has been satisfied and the source machine is idle, the network returns the public IP address (192.168.1.1) to the free pool of NAT resources.

As a result, a configuration of the router to allow dynamic NAT translation would look like this: ip nat pool NAT-POOL 192.168.1.1 192.168.1.150 netmask 255.255.255.0.

This dynamic NAT configuration ensures that when an inside host makes a request to an outside host, any private addresses in the 172.178.0.1/24 are translated to public addresses in the 192.168.1.1 to 192.168.1.150 range.

3. Port Address Translation (PAT)

Description: Like NAT, PAT is a technique to translate private IP addresses into public ones, but it does so in combination with a port. As an extension of NAT, it allows multiple devices within a private network to use a single public address.

PAT is also known as NAT overload. It creates a fully extended translation with a translation table that contains entries for IP addresses and source/destination port information.

PAT uses port numbers to determine which traffic belongs to a particular IP address. It works by using many-to-one mapping, assigning each device a unique port number to identify it when routing incoming traffic.

Keep in mind that although Cisco uses the term PAT, other vendors use different names. For instance, Microsoft prefers Internet Connection Sharing.

Purpose: PAT was designed to conserve IPv4 addresses by using a single public IP address for a group of private hosts—despite how a more permanent solution emerged in the form of IPv6. PAT leverages unique source port numbers to distinguish communication interactions on each translation.

Benefits: PAT is more cost-effective than NAT. Thanks to its one-to-many mapping, one registered IP address with PAT can theoretically connect to thousands of internal devices, enabling simultaneous internet access for many devices.

This is because port numbers are based on 16-bit character encoding. Consequently, a router can potentially support up to 65,536 port numbers (since 16 bits can represent 65,536 addresses, which you get from calculating 2 to the 16th power).

Since the host on your private network doesn’t expose their IPs, NAT fortifies them against security threats launched from public networks.

Limitations: While PAT was developed to conserve IP addresses, it can easily result in port exhaustion. It also limits your network infrastructure from running multiple instances of the same service on the same address.

For instance, you can’t use two public web servers if they both have to listen to the default port 80 on the same address. Thus, since organizations using PAT must rely on a single IP address, it prevents them from easily running more than one of the same type of public service.

Best for: PAT is ideal for most home networks and small-time businesses or shops. Homeowners can leverage a single IP address from their ISPs and configure their router to assign internal IP addresses to devices on their network.

Example: Assume your LAN has private IP addresses in the range of 172.17.0.1, 172.17.0.2, and 172.17.0.3, and you want to access a remote server through your registered 155.4.12.1 public IP address.

Your router must maintain a Network Address Translation table because NAT’s execution — especially with PAT—requires mapping unique ports and IP addresses. This table not only keeps entry records for every distinct combination of private IP addresses and their corresponding ports, but it also keeps their global address translation and unique port numbers.

Therefore, if a host system on your local network with an IP address of 172.17.0.1 and port 1056 (172.17.0.1:1056) wanted to access Facebook, for instance, the router would translate this private address into 155.4.12.1:1056.

When Facebook receives this request and responds, the traffic will be sent to 155.4.12.1:1056. When the router gets this response, it’ll look up its NAT translation table (for the private IP address the message belongs to) and forward it to 172.17.0.1:1056.

4. Overlapping

Description: IP allocation is one of the central issues you’ll face when designing a network, whether that’s for the cloud or a traditional on-premises environment. However, network concepts like overlapping are suddenly heightened when migrating your infrastructure to the cloud.

The concept of overlapping denotes a conflict of IP addresses. This can occur because an IP address is assigned to multiple applications, devices, or logical units—especially when this is being done on the same network. Moreover, popular services like AWS and third-party products like Docker automatically reserve specific IP address ranges, which can result in conflicts when you try to use them.

In practical terms, overlapping occurs because several devices share common IP addresses. When this happens, if there are two or more networks with overlapping IP addresses, the configuration will only work if you use Network Address Translation.

Implementing this setup requires two routers/firewalls within the intermediate network to hide the identical networks and IP addresses. Inside the local private network, the router or firewall assigns a public address to one or more computers. Consequently, this creates an intermediary between the private and public networks.

Purpose: NAT overlapping eliminates the need to make manual changes to networking configurations (like the subnet environment) to avoid conflicts. It allows enterprises to connect and communicate across multiple environments, shared resources, and virtual machines. By overlapping NAT, it removes duplication, confusion, and loss of data packets.

Benefits: NAT overlapping enables you to handle IP address conflicts, letting computers communicate without the need to readdress all of those devices.

Limitations: Like most NAT scenarios, overlapping is limited to IPv4 networks. You will most likely be able to avoid this obstacle with IPv6-based networks due to the size of their address space.

Best for: Overlapping NAT is best used for preventing IP address conflicts, usually by mapping a unique IP address to a virtual private network (VPN) or virtual machine connected to the network.

Example: Although it can occur unintentionally, NAT overlapping is often triggered in two instances. The first of which happens when companies merge or are acquired and both continue to use the same private IP address ranges (like the RFC 1918 block of addresses, which isn’t routable over the internet). Secondly, when managed service providers with unique IP addresses add new clients, they must provide access to customers with the same IP address range—and this can trigger overlaps.

5. Masquerade NAT

Description: Masquerade follows the basic concepts of NAT, but as it translates private source IP addresses to public ones, outgoing connections use a single IP address. This allows a private network to hide behind the address bound to the public interface.

IP masquerading hinges on a Linux-based router performing smart, real-time IP address and port translation so that a private (reserved) IP address connected to the Linux box can reach the internet.

This NAT type uses a one-to-many form of Linux IP masquerading, with one computer acting as a gateway for the internal network to reach the internet. When computers on the network send requests through this gateway, it replaces the source IP address with its own before forwarding the packets to the internet.

In general, the masquerading computer keeps track of connections, along with their sources, and reroutes packets with Linux’s connection tracking feature. Essentially, the masquerading machine sort of tricks the remote server into thinking it made the request instead of an internal machine — hence the name.

Keep in mind that masquerading is only initiated by the internal network with a range of local IP addresses hidden and bound behind a public IP address.

Purpose: By hiding intranet clients, IP masquerading conceals individual devices and computers so their IP addresses are effectively invisible from the internet. Network administrators generally implement IP masquerading to deal with instances of two conflicting private network imperatives.

Remember, to be reachable on the LAN, every computer and computing device on the local intranet must have an IP address. At the same time, they also require a public IP address to access the internet — be it a fixed or dynamically assigned address. To bridge this duality, a masquerading machine acts as a router, serving as a gateway to separate the intranet from the internet.

Benefits: IP masquerading enables network administrators to implement a heavily secured network environment. With a fortified firewall, hackers find it considerably more challenging to break the security protection of a well-configured masquerade system.

Although it’s used to hide multiple addresses, it is also relatively cheap because you only have to purchase a single IP address to use with many internal systems.

Lastly, Masquerade Network Address Translation prevents external hosts from initiating traffic into your network, so it has some additional protection from outside attacks built in.

Limitations: Implementing IP masquerading comes with a performance impact, however it is not very noticeable in most instances. That said, if you have many computers creating active masquerading sessions, the processing power required is likely to affect the network’s throughput.

At the end of the day, hiding provides an extra layer of protection, but your entire network is only as secure as the masquerading machine — so it’s a weak link in the chain. Moreover, the hosts that hide behind masquerading cannot offer services like file transfer or mail delivery because their networks can’t establish inward connections.

Finally, IP masquerading requires specialized software/equipment like a Linux box or ISDN router, and it simply cannot work without a Linux machine. Likewise, some networks just won’t work through a masquerade without significant hacks or modifications.

Best for: NAT masquerading is best for concealing your internal network, allowing you to reap added security benefits. It is ideal for helping machines with non-routable IP addresses to access the internet. It is also economical, so it’s good for price-sensitive environments—because you only need to purchase one public IP address and it doesn’t necessarily require a firewall.

Additionally, masquerading networks only allow machines inside the network to initiate communication, so they are useful in work environments where employers don’t want external users initiating conversations with their employees (while still providing their staff access to the internet). However, you must enable the port forwarding feature on your router or TCP/IP connection to overcome this restriction and allow 2-way communication.

Example: Your internal network may have multiple computers, but each requires individual IP addresses within a range of private IP addresses. When a local computer requests an external service, the router will send packets to the remote host outside the LAN if you set up the system conventionally.

Meanwhile, the source address in the packet will indicate that it is from a private IP address. Since private, unregistered IP addresses aren’t officially part of the internet, they aren’t valid return addresses, meaning the receiving host can’t send a reply.

With IP masquerading, you can circumvent this problem by configuring one of the computers as a conventional router so it acts as a single gateway.

As a result, when one of the workstations on your intranet or small ethernet network wants to access a remote host (such as TechRepublic’s server), the masquerading system takes over. The computer then routes its packets to the host acting as the masquerade, which accepts the request and forwards it to the remote host.

The only host visible on the internet in this case will be the masquerade machine, which replaces the source IP address with its own before sending the packet to the destination outside the LAN.

6. Reverse NAT

Description: Reverse Network Address Translation (RNAT) is a sub-type of static NAT that translates a public IP address into a private one. While static NAT is bi-directional, RNAT’s translation only goes in one direction — and since it goes in the reverse direction of general NAT, it earned the name Reverse NAT.

Purpose: The primary purpose of RNAT is to allow servers with private, non-routable IP addresses to connect to the internet, meaning users can connect to themselves via the internet or other public networks. It also allows you to administer hosts in the LAN remotely behind a NAT firewall.

Benefits: The so-called reverse direction of RNAT makes it possible to publish a service or server from a private LAN to the internet. Since it allows you to administer network hosts remotely behind a firewall, it improves practicality and security. It is also helpful for capturing and redirecting domain name server (DNS) and network time protocol (NTP) requests.

Limitations: Since hosts hide behind NAT-enabled routers, RNAT lacks end-to-end connectivity.

Best for: Besides publishing a server or service from a LAN, reverse NAT is also ideal for scanning remote IP addresses.

Example: Depending on your router, there are several ways of implementing a reverse NAT configuration. If you have a feature-rich Cisco router, for example, you can simply follow the static NAT instructions for allowing external traffic to reach a specific host, perhaps by permitting traffic on TCP/IP port 80.

On the other hand, if you have a Netgear, D-Link, or Linksys router, you can explore how they allow port forwarding given their respective parameters. In any case, the general methods for implementing reverse NAT require providing the local IP address you want to be accessed from outside and identifying (or activating) the local server’s internal port that will be used to respond to external traffic and internet connections.

Is NAT really that important?

Yes, because NAT is immensely beneficial — and it serves as a fairly effective line of defense against malicious attacks.

Of course, NAT is not a panacea to network issues, so it’s a good idea to incorporate network monitoring tools in your cloud computing infrastructure to ensure applications and services run smoothly.

In any case, there are a number of higher-level benefits that come with NAT.

IP conservation

As previously mentioned, NAT is a powerful solution for mitigating the depletion of IPv4 addresses. It conserves the number of IPv4 addresses in use by allowing private, local networks using unregistered IP addresses to communicate with wide area networks (WAN) and the internet.

In many instances, this conservation delays the need for an organization to migrate to IPv6.

Enhanced security

NAT enhances security by directly preventing internet access to private IP addresses on internal networks. It essentially acts as a firewall, building a fortified moat around your private network to bolster security against malicious attacks.

Additionally, NAT improves privacy by hiding your network’s topology so hackers cannot get “a lay of the land” to equip them for launching successful attacks.

Network boundaries

NAT creates network boundaries by separating private and public networks. This boundary boosts the privacy of your local addresses and the systems attached to them. At the end of the day, the local address behind your NAT firewall/router is private — and therefore can’t be routed across the internet.

Cost-effectiveness

Without NAT, every device worldwide would need its own public IP address. This would mean registered IP addresses would be very scarce, making communication networks expensive to maintain.

NAT also boosts cost efficiency in other ways, such as by reducing the frequency of address overlapping. Likewise, NAT has reduced the price of maintaining a LAN by making IP routing commonplace, even in residential homes.

Speed and improved network performance

Although path delays can happen while switching, NAT still helps network performance by allowing many devices to share a common IP address.

Increased flexibility

NAT allows networks to connect to the internet through a bunch of configurations, which means it can be used for a wide range of purposes.

Four downsides to using Network Address Translation

While NAT’s benefits tend to outweigh its liabilities by a fair amount, you should still be aware of the downsides so you can prevent or circumvent them.

Increased performance problems

Due to the additional layer of processing and translation required for NAT, network performance problems like latency and packet loss are often induced.

Limited connectivity

While NAT provides an overall enhancement to network communications, it can also limit end-to-end connectivity in other ways. For instance, NAT limits the direct connection and communication of devices hosted on different private networks. This means that some strict NAT configurations will cause connectivity to lag and slow down internet surfing.

Bottlenecked traffic

Since all traffic must pass through the Network Address Translation router, it can lead to a more limited bandwidth that slows or impedes the free flow of packets.

Issues with tunneling protocols

To execute its processes, NAT frequently modifies the header values in a packet. This action can interfere with the integrity checks conducted by IPsec and other tunneling protocols, such as those used in VPNs (Virtual Private Networks). As a result, Network Address Translation can disrupt the proper functioning of tunneling protocols, complicating secure communication across networks.