Network Address Translation Definition

Network Address Translation (NAT) is a process that enables one unique IP address to represent an entire group of computers. In network address translation, a network device, often a router or NAT firewall, assigns a public address to a computer or group of computers inside a private network. In this way, network address translation allows the single device to act as an intermediary or agent between the local, private network and the public network that is the internet. NAT’s main purpose is to conserve the number of public IP addresses in use, for both security and economic goals.

Network Address Translation FAQs

What is Network Address Translation?

Network Address Translation (NAT) conserves IP addresses by enabling private IP networks that use unregistered IP addresses to go online. Before NAT forwards packets between the networks it connects, it translates the private internal network addresses into legal, globally unique addresses.

NAT configurations can reveal just one IP address for an entire network to the outside world as part of this capability, effectively hiding the entire internal network and providing additional security. Network address translation is typically implemented in remote-access environments, as it offers the dual functions of address conservation and enhanced security.

What is the Purpose of Network Address Translation?

To communicate with the internet, a networking system requires a unique IP address. This 32-bit number identifies and locates the network device so a user can communicate with it.

The IPv4 addressing scheme of past decades technically made billions of these unique addresses available, but not all could be assigned to devices for communication. Instead, some were exempted and used for testing, broadcast, and certain reserved military purposes. While that left over 3 billion for communication, the proliferation of the internet has meant the addresses were near exhaustion.

The IPv6 addressing scheme was introduced as the solution to this weakness in the IPv4 addressing scheme. IPv6 recreates the addressing system so there are more options for allocating addresses, but it has taken several years to alter the networking system infrastructure and to implement. NAT was introduced by Cisco in the meantime and widely deployed.

How Network Address Translation Works

Network address translation permits a single device, such as a NAT firewall, NAT router or other network address translation device, to act as an agent between the public network (the internet) and private networks (any local networks). This allows an entire group of devices to be represented by a single unique IP address when they do anything outside their network.

NAT works like a large company’s receptionist, with specific instructions on which calls and visitors to keep out, make wait, or send through, and where they should go. For example, you can tell the receptionist not to forward any visitors or calls unless you have requested them; when you are waiting for something specific, you can leave instructions to let that particular client communication through.

The client calls the company’s main number, because that public-facing number is the only one anyone knows. They tell the receptionist they need to speak with you, and the receptionist a) checks the instructions and knows you want the call forwarded, and b) matches your extension against a list to send the information to the right place. The caller never gets your private line.

Network address translation works similarly. The request arrives at the public IP address and port, and the NAT instructions send it where it should go without revealing the private IP addresses of the destinations.

NAT Network Address Translation Example

As a NAT network address translation example, an inside host may want to communicate with a destination web server address in the outside world. For further communication, it will send a data packet to the network’s NAT gateway router.

The NAT gateway router determines whether the packet meets the condition for translation by reading the source IP address of the packet and looking it up in the table. It can locate authenticated hosts for internal network translation purposes on its access control list (ACL), and then complete the translation, producing an inside global IP address from the inside local IP address.

Finally, the NAT gateway router will route the packet to the destination after saving the translation in the NAT table. When the internet’s web server replies to the request, the reply returns to the global IP address of the router. Referring back to the NAT table, the router can determine which translated IP address corresponds to which global address, translate it to the inside local address, and deliver the data packet to the host at its IP address. The data packet is discarded if no match is found.

Types of Network Address Translation

There are many forms of NAT, and it can function in several ways.

Static network address translation (SNAT). SNAT maps unregistered IP addresses to registered IP addresses using one-to-one network address translation. It is particularly useful when a device needs to be accessible from outside the network.

Dynamic network address translation (DNAT). This form of NAT selects a target from a group of registered IP addresses and maps an unregistered IP address to the registered version.

Reverse network address translation (RNAT). RNAT allows users to connect to themselves using the internet or public network.

Overloading network address translation (NAT). This is also known as NAT overload, port-level multiplexed NAT, single address NAT, or port address translation (PAT). This form of dynamic NAT uses different ports to map multiple private, local, unregistered IP addresses to a single registered IP address and to distinguish which traffic belongs to which NAT IP address. In terms of port address translation vs network address translation, PAT is often most cost-effective when many users are connected to the internet through just one public IP address.

Overlapping network address translation (NAT). Overlapping NAT can happen either when two organizations whose networks both use RFC 1918 IP addresses merge, or when registered IP addresses are assigned to multiple devices or are otherwise in use on more than one internal network. In both cases, the networks need to communicate, and the organization(s) use overlapping NAT to achieve this without readdressing all devices.

The NAT router intercepts addresses and maintains a table of them so that it can replace them with registered unique IP addresses. The network address translation router must both translate registered external IP addresses to those unique to the private network and translate internal IP addresses to registered unique addresses. It might achieve this either by using DNS to implement dynamic NAT or through static NAT.

In the network address translation context, the internal network, commonly referred to as the stub domain, is usually a local area network (LAN) that uses IP addresses internally. Most stub domain network traffic is local, remaining inside the internal network. A stub domain may include both unregistered and registered IP addresses.

Network Address Translation Configuration

A traditional NAT configuration requires at least one interface on a router (NAT outside), another interface on the router (NAT inside), and a configured set of rules for translating the IP addresses in the packet headers and possibly payloads.

In this example of a network address translation configuration, IT configures the NAT router as follows. Whenever a device on the inside with an unregistered (inside, local) IP address needs to communicate with the (outside, public) network, the router translates those unregistered addresses residing on the private (inside) network to registered IP addresses.

1. The organization receives a range of registered, unique IP addresses assigned by the ISP. The assigned list of addresses is called inside global addresses.
2. The team splits unregistered, private addresses into one small group and one much larger group. The stub domain will use the larger group, called inside local addresses. The NAT routers will use the small group, called outside local addresses, to translate the outside global addresses, the unique IP addresses of devices on the public network.
3. Most stub domain computers communicate with each other using inside local addresses. There are inside global addresses for those stub domain computers that communicate extensively outside the network, meaning they do not require translation.
4. However, when a typical stub domain computer with an inside local address needs to communicate outside the network, it sends the packet to a NAT router.
5. The NAT router checks for the destination address in the routing table. If it has an entry for that address, the NAT router translates the packet and enters that action into the address translation table. The NAT router drops the packet if the destination address is not in the routing table.
6. The router sends the packet on using an inside global address.
7. A public network computer sends a packet to the private network. The packet’s destination address is an inside global address and its source address is an outside global address.
8. The NAT router confirms that the destination address maps to a stub domain computer by checking the address translation table.
9. The NAT router sends the packet to the destination computer after translating the packet’s inside global address to the inside local address.

NAT overloading uses multiplexing, a TCP/IP protocol stack feature. Multiplexing enables a computer to maintain multiple connections with remote computer(s) concurrently using different ports. The header of an IP packet contains:

Source Address. The originating computer’s IP address, for example, 123.123.12.1
Source Port. The assigned TCP or UDP port number for this packet, for example, Port 1060
Destination Address. The receiving computer’s IP address, for example, 52.220.51.237
Destination Port. The TCP or UDP port number the destination computer should open, for example, Port 2170

These four numbers combined represent a single TCP/IP connection. The addresses identify the two computers at each end, and the port numbers provide a unique identifier for the connection between the two computers. Although there are 65,536 possible values here, since each port number uses 16 bits, different ports are mapped in slightly different ways, so about 4,000 available ports is realistic.

Dynamic NAT and NAT Overloading Configuration

In dynamic network address translation:

1. The organization sets up a router enabled for NAT that contains a range of unique IP addresses from IANA.
2. A stub domain computer attempts to connect to an outside computer.
3. The router receives the stub domain computer’s packet.
4. The NAT-enabled router saves the non-routable IP address from the sending computer to an address translation table. The router maps the first available IP address from its range of unique IP addresses to the sending computer to replace the non-routable IP address.
5. The router now checks each packet’s destination address when it arrives from the destination computer, and verifies against the address translation table which stub domain computer the packet belongs to. If it finds no match, it drops the packet. Otherwise, it looks up the inside address saved for that destination address in the address translation table and sends the packet on.
6. The computer receives the packet, and the process continues as long as the external system and the computer communicate.

In NAT overloading:

1. As in the previous dynamic NAT example, a stub domain or internal network has been set up with non-routable, non-unique IP addresses not specifically allocated to it, so the organization sets up a router enabled for NAT that contains a unique IP address from IANA.
2. A stub domain computer attempts to connect to an outside computer.
3. The NAT-enabled router receives the stub domain computer’s packet.
4. The NAT router saves the non-routable IP address and port number from the sending computer to an address translation table. The router maps a port number and the router’s IP address to the sending computer to replace the non-routable IP address and port number.
5. The router checks the destination ports of packets that return from the destination computer and confirms which stub domain computer the packet belongs to. It replaces the destination port and address with the saved versions from the address translation table and sends them.
6. The computer receives the packet, and the process continues as long as the external system and the computer communicate.
7. The NAT router will continue to use the same port number throughout the connection, as it has the computer’s source port and address saved to the address translation table. If the communication ends without the entry being accessed again, the router removes the entry from the table.

In contrast to the computer described above in the traditional NAT configuration, this is how stub domain computers might appear to external networks:

Source Computer 1

IP Address: 192.168.24.11
Computer Port: 620
NAT Router IP Address: 215.37.32.203
NAT Router Port Number: 1

Source Computer 2

IP Address: 192.168.24.12
Computer Port: 80
NAT Router IP Address: 215.37.32.203
NAT Router Port Number: 2

Source Computer 3

IP Address: 192.168.24.13
Computer Port: 1560
NAT Router IP Address: 215.37.32.203
NAT Router Port Number: 3

The NAT-enabled router stores each source computer’s IP address and port number. It uses its own registered IP address and port numbers to replace the IP address and the port number that correspond to that packet’s source computer in the table. In place of the source-computer information on each packet, any external network sees the NAT router’s IP address and the assigned port number.
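The translation table described above, as an added Python model (not code from the original page or from Avi Networks): it replays the three source computers against a single public address, reuses the entry for an existing flow, drops returning packets that match no entry, and removes a finished entry so later replies are dropped too. The router address 215.37.32.203 and the inside hosts are the page’s own; the outside web server 52.220.51.237 is reused from the header example; sequential port numbering from 1 mirrors the page’s table and is an assumption, not how real routers allocate ports.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Inside global address of the NAT router, taken from the page's example.
ROUTER_IP = "215.37.32.203"


@dataclass(frozen=True)
class Packet:
    """The four header fields that identify one TCP/IP connection."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PatRouter:
    """NAT overload (PAT): many inside (ip, port) pairs share one public IP.

    Router-side ports are handed out sequentially from 1 to mirror the page's
    table; real routers draw from a much larger range (assumption, not fact).
    """

    def __init__(self, public_ip: str) -> None:
        self.public_ip = public_ip
        self.next_port = 1
        # (inside local ip, inside local port) -> assigned router port
        self.outbound: Dict[Tuple[str, int], int] = {}
        # assigned router port -> (inside local ip, inside local port)
        self.inbound: Dict[int, Tuple[str, int]] = {}

    def translate_outbound(self, pkt: Packet) -> Packet:
        """Rewrite the source to the router's IP and an assigned port.

        An existing flow keeps its entry, so the same router port is reused
        for the whole connection, as the page describes.
        """
        key = (pkt.src_ip, pkt.src_port)
        port = self.outbound.get(key)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[port] = key
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Map a returning packet back to the inside host.

        Returns None when there is no table entry: the router drops it. This
        is also why unsolicited inbound traffic never reaches an inside host
        unless a static (inbound) mapping exists.
        """
        if pkt.dst_ip != self.public_ip:
            return None
        entry = self.inbound.get(pkt.dst_port)
        if entry is None:
            return None
        local_ip, local_port = entry
        return Packet(pkt.src_ip, pkt.src_port, local_ip, local_port)

    def remove_entry(self, local_ip: str, local_port: int) -> bool:
        """Drop a finished flow from the table (the page's idle removal)."""
        port = self.outbound.pop((local_ip, local_port), None)
        if port is None:
            return False
        del self.inbound[port]
        return True


def run_example() -> dict:
    """Replay the page's three source computers plus a few return packets."""
    router = PatRouter(ROUTER_IP)
    web_server = ("52.220.51.237", 80)  # outside host, from the page's header example
    inside = [("192.168.24.11", 620), ("192.168.24.12", 80), ("192.168.24.13", 1560)]

    # Outbound: the web server sees each inside host as ROUTER_IP:n.
    seen_outside = [router.translate_outbound(Packet(ip, port, *web_server))
                    for ip, port in inside]
    # The web server replies to ROUTER_IP:2; the table maps it to host 2.
    reply = router.translate_inbound(Packet(*web_server, ROUTER_IP, 2))
    # A packet for a router port with no entry is dropped.
    dropped = router.translate_inbound(Packet(*web_server, ROUTER_IP, 9))
    # Once host 1's entry is removed, replies to its old port are dropped too.
    router.remove_entry("192.168.24.11", 620)
    stale = router.translate_inbound(Packet(*web_server, ROUTER_IP, 1))
    return {
        "outside_view": [(p.src_ip, p.src_port) for p in seen_outside],
        "reply_to": (reply.dst_ip, reply.dst_port) if reply else None,
        "dropped": dropped is None,
        "stale_dropped": stale is None,
        "table_size": len(router.outbound),
    }


if __name__ == "__main__":
    print(run_example())
```

The two dictionaries are the two lookups the text describes: the outbound one answers "has this inside flow already been assigned a port?", the inbound one answers "which inside host owns this router port?". Keeping them in step (every insert and delete touches both) is what makes the drop-on-no-match rule reliable.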

Some stub domain computers do use dedicated IP addresses. In these situations their IP addresses can pass through the NAT router untranslated if you create an access list of IP addresses that tells the router which network computers require NAT.

A router’s Dynamic Random Access Memory (DRAM) is the main factor that determines the number of simultaneous translations that it can support. A typical address-translation table entry requires about 160 bytes, so for most applications, a router with 4 MB of DRAM is sufficient.

According to IANA and RFC 1918, there are specific ranges of IP addresses for use as internal network addresses that are non-routable. These addresses are unregistered, meaning no agency or company can use them on public computers or claim ownership over them. Instead of forwarding unregistered addresses, routers are designed to discard them. Therefore, a packet from an unregistered sending computer address could reach its registered destination computer, but the first router the reply came to would discard it.

To reduce the chance of an IP address conflict, it pays to follow the range for each of the three classes of IP addresses in your internal networking:

Range 1: Class A – 10.0.0.0 through 10.255.255.255
Range 2: Class B – 172.16.0.0 through 172.31.255.255
Range 3: Class C – 192.168.0.0 through 192.168.255.255

However, this is a best practice, not a requirement.
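An added Python check (not part of the original page) for the three ranges just listed, which also applies the access-list idea from above: RFC 1918 sources are marked for translation and everything else passes through untranslated. The sample addresses are constructed, mixing the page’s 192.168.24.x hosts and its public example addresses with a 172.32.x.x address, which lies just outside Range 2 and is often mistaken for private.

```python
import ipaddress
from typing import Dict, Iterable, List, Optional

# The three RFC 1918 ranges from the text, written as CIDR prefixes:
# 10.0.0.0-10.255.255.255, 172.16.0.0-172.31.255.255, 192.168.0.0-192.168.255.255
RFC1918_RANGES = {
    "Range 1: Class A": ipaddress.ip_network("10.0.0.0/8"),
    "Range 2: Class B": ipaddress.ip_network("172.16.0.0/12"),
    "Range 3: Class C": ipaddress.ip_network("192.168.0.0/16"),
}


def rfc1918_range(addr: str) -> Optional[str]:
    """Return the name of the RFC 1918 range an IPv4 address falls in, or None.

    Raises ValueError for a malformed address, so callers cannot silently
    treat a typo as a public address.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        return None
    for name, net in RFC1918_RANGES.items():
        if ip in net:
            return name
    return None


def plan_translation(sources: Iterable[str]) -> Dict[str, List[str]]:
    """Split source addresses into those that need NAT and those that do not.

    Mirrors the access-list idea in the text: RFC 1918 sources are translated,
    registered (public) sources pass through untranslated, and anything that
    is not a valid address is reported separately for review.
    """
    plan: Dict[str, List[str]] = {"translate": [], "pass_through": [], "invalid": []}
    for addr in sources:
        try:
            bucket = "translate" if rfc1918_range(addr) else "pass_through"
        except ValueError:
            bucket = "invalid"
        plan[bucket].append(addr)
    return plan


if __name__ == "__main__":
    # Constructed sample: stub domain hosts and public addresses from the page,
    # a 172.32.x.x address that is NOT in Range 2, and one malformed entry.
    sample = ["192.168.24.11", "10.1.2.3", "172.31.255.254", "172.32.0.1",
              "123.123.12.1", "52.220.51.237", "215.37.32.203"]
    for addr in sample:
        print(f"{addr:16} {rfc1918_range(addr) or 'not RFC 1918 (public)'}")
    print(plan_translation(sample + ["256.1.1.1"]))
```

Note that Python’s own `IPv4Address.is_private` is broader than RFC 1918 (it also covers loopback, link-local and the documentation ranges), so an explicit table like the one above is the right tool when the question is specifically "is this one of the three RFC 1918 blocks?".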

NAT Router

Using NAT overload, a NAT router creates a network of IP addresses for a local area network (LAN) and connects the public network that is the internet to that LAN. The router performs the NAT, permitting communication between the WAN or internet and the host devices or computers on the LAN. Because NAT routers appear to the internet to be a single host with a single IP address, they are used for small-scale industries and home purposes.

Advantages of Network Address Translation

Advantages of NAT

Address conservation. NAT conserves IP addresses that are legally registered and prevents their depletion.

Network address translation security. NAT offers the ability to access the internet with more security and privacy by hiding the device IP address from the public network, even when sending and receiving traffic. NAT rate-limiting allows users to limit the maximum number of concurrent NAT operations on a router and to rate-limit the number of NAT translations. This provides more control over the use of NAT addresses, and can also be used to limit the effects of worms, viruses, and denial-of-service (DoS) attacks. Dynamic NAT implementation automatically creates a firewall between the internal network and the internet. Some NAT routers offer traffic logging and filtering.

Flexibility. NAT provides flexibility; for example, it can be deployed in a public wireless LAN environment. Inbound mapping or static NAT allows external devices to initiate connections to computers on the stub domain in some cases.

Simplicity. NAT eliminates the need to renumber addresses when a network changes or merges. Network address translation also allows you to create an inside network virtual host to coordinate TCP load-balancing for internal network servers.

Speed. Compared to proxy servers, NAT is transparent to both destination and source computers, allowing for quicker direct dealing. In addition, proxy servers typically work at the transport layer (layer 4 of the OSI Reference Model) or higher, making them slower than network address translation, which is a network layer (layer 3) protocol.

Scalability. NAT and dynamic host configuration protocol (DHCP) work well together, with the DHCP server doling out unregistered IP addresses for the stub domain from the list as necessary. Scaling up is easier, since you can increase the available range of IP addresses the DHCP server configures to make room for additional network computers immediately instead of requesting more IP addresses from IANA as needs increase.

Multi-homing. Multiple connections to the internet, called multi-homing, help maintain a reliable connection and reduce the chance of a shutdown in case of a failed connection. This also enables load-balancing by reducing the number of computers using any single connection. Multi-homed networks often connect to multiple ISPs, each assigning a range of IP addresses or a single IP address to the organization. Routers use network address translation to route between networks using different network address translation protocols. In a multi-homed network, the router uses part of the TCP/IP protocol suite, the border gateway protocol (BGP), to communicate; the stub domain side uses internal BGP (IBGP), and routers communicate with each other using external BGP (EBGP). Multi-homing reroutes all data through another router should one of the connections to an ISP fail.

Disadvantages of NAT

Resource consumption. Network address translation is a technology that consumes memory resources and processor space, because it must translate IPv4 addresses for all outgoing and incoming IPv4 datagrams and retain the details from translation in memory.

Delays. Translation results in switching path delays.

Functionality. Some applications and technologies will not function as expected with NAT enabled.

Traceability. Network address translation complicates protocols for tunneling. IPsec is the secure protocol recommended for network address translation.

Layer issue. A router is a device for the network layer, yet as a NAT device it is required to tamper with the transport layer in the form of port numbers.

Does Avi Offer a Network Address Translation Software Solution?

Avi Networks’ Avi Platform, a software-defined application services fabric, enforces access control policies and captures and analyzes end-to-end application traffic, delivering services far beyond load balancing.

When new application servers are deployed, the servers need external connectivity for manageability. In the absence of a router in the server networks, the Avi SE can be used for routing the traffic of server networks by using the IP routing feature of Service Engines. The Avi Service Engine (SE) NAT functionality covers this and serves as a NAT gateway for the entire private network of servers.

NAT will function either through IP routing on the Service Engine, the SE default gateway feature, or in the post-routing phase of the packet path. To use outbound NAT functionality, it’s necessary to enable IP routing on the Service Engine and use the SE as a gateway.

Avi supports outbound NAT for TCP, UDP, and ICMP flows.

There are three outbound NAT use case options:

NAT Flows (show NAT flow information)
NAT Policy Stats (show NAT policy stats)
NAT Stat (show NAT statistics)

The platform also enables Source NAT (SNAT) for application identification. The source IP address used by Avi SEs for server back-end connections can be overridden through an explicit user-specified address, the source NAT (SNAT) IP address. The SNAT IP address can be specified as part of the virtual service configuration.

In some deployments, to provide differential treatment based on the application, it’s essential to identify traffic based on source IP address. For example, in DMZ deployments, security, firewall, visibility, and other types of solutions may need to validate clients using the source IP before passing traffic on to an application.

Source NAT can be used with either high availability (HA) mode: elastic HA or legacy HA. The configuration requirements differ depending on whether the SE and back-end servers are in the same subnet (connected at Layer 2) or in different subnets (connected at Layer 3).

For more on the actual implementation of load balancing, security applications and web application firewalls check out our Application Delivery How-To Videos.