Network Address Translation Reference

Network Address Translation (NAT) is the process of modifying the IP address information in IPv4 packet headers while the packets are in transit between networks. In most cases NAT is used to connect one or more LANs to the internet, and it is typically done by the routing device at the edge of the network.

Every established connection through a NAT router has its own NAT session. All of the connection's information (addresses, ports and timeouts) is stored in a NAT table. Based on this stored information, the router can send reply packets back to the right client. After a NAT session has finished or expired, its entry is removed from the NAT table. The maximum number of concurrent sessions depends on the capabilities of the hardware and software in use.

On every new connection from an internal client, the internal source address is replaced by the public address of the router. During this process the source port of the client is also replaced by a port of the router that is not in use; this is what lets the router tell apart the replies for different clients that all share the same public address. The mapping is saved in the NAT table. The whole operation is also known as PAT (Port Address Translation) or NAPT (Network Address Port Translation).

The following example shows how NAT works. There is a private network (LAN) with the address 192.168.0.0/24 and a router with the public address 205.0.0.2/32.

FIXME Picture/table showing this example.

NAT is designed to forward packets that belong to existing NAT sessions. If the router receives packets for an expired or non-existent session, they are handled by the default firewall (iptables) rule; in most cases those packets are dropped.

Destination NAT (Port forwarding)

Destination NAT (DNAT), also known as port forwarding, is a technique for transparently changing the destination IP address (and usually the destination port) of a routed packet and performing the inverse translation on any replies. Any router situated between the two endpoints can perform this transformation of the packet.

DNAT is commonly used to publish services located in a private network on a publicly accessible IP address. When every port of a public address is forwarded to a single internal server, this use of DNAT is also called a "DMZ host": the server becomes fully exposed to the WAN, analogous to an undefended military demilitarised zone (DMZ). Such a host is not the same as a real DMZ network segment, which is separated from the LAN by the firewall; a DMZ host sits inside the LAN with all of its ports reachable from the internet.

FIXME Picture/table that show how DNAT works.

Source NAT

The meaning of the term Source NAT varies between vendors. Many of them have proprietary definitions for SNAT; for example, Microsoft uses the acronym for Secure NAT and Cisco Systems uses it for Stateful NAT.

The most common expansion is source NAT (SNAT), the counterpart of destination NAT (DNAT), and this is the meaning used on IPFire. It is a technique for transparently changing the source IP address of a routed packet.

SNAT is used in environments with multiple public IP addresses, where different hosts or services in the private network should use different public addresses as their source when they talk to the internet.

FIXME Picture/table that show how SNAT works.
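The three translations described above (PAT on outbound connections with a NAT table and its timeouts, DNAT port forwarding with the inverse translation of replies, and SNAT with a second public address) as one worked example. This is a toy NAT router in Python added for this page; it is not IPFire code and does not reflect how iptables stores its state. It uses the page's example addresses (LAN 192.168.0.0/24, router 205.0.0.2). The second public address 205.0.0.3, the internal web server 192.168.0.10 on port 80, the internal host 192.168.0.20, the remote hosts 8.8.8.8 and 198.51.100.7, the 300-second idle timeout and the port range starting at 1024 are all assumptions made up for the example.

```python
"""Toy NAT router, added as an example for this page (not IPFire code).

It models the three operations described above with one NAT table:
  * PAT: LAN source address and port replaced by the router's public ones
  * DNAT: a port-forward rule that admits new connections from the WAN
  * SNAT: an internal host that uses a different public source address
Addresses follow the page's example (LAN 192.168.0.0/24, router 205.0.0.2).
The second public address 205.0.0.3, the web server 192.168.0.10, the host
192.168.0.20 and the remote hosts 8.8.8.8 / 198.51.100.7 are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class NatRouter:
    def __init__(self, public_ip, timeout=300):
        self.public_ip = public_ip
        self.timeout = timeout              # idle seconds before a session expires (assumed)
        self.snat_rules = {}                # internal ip -> public ip to use as source
        self.dnat_rules = {}                # (public ip, port) -> (internal ip, port)
        # The NAT table: one entry per session, indexed from both sides.
        self._by_inside = {}                # (in_ip, in_port, rem_ip, rem_port) -> entry
        self._by_outside = {}               # (pub_ip, pub_port, rem_ip, rem_port) -> entry

    def _expire(self, now):
        """Drop idle sessions, as the timeouts kept in the NAT table would."""
        for key, entry in list(self._by_outside.items()):
            if now - entry["seen"] > self.timeout:
                del self._by_outside[key]
                del self._by_inside[entry["inside"] + entry["remote"]]

    def _alloc_port(self):
        """Pick a public port not used by any live session or port forward."""
        used = {key[1] for key in self._by_outside} | {p for _, p in self.dnat_rules}
        port = 1024                         # assumed start of the translation range
        while port in used:
            port += 1
        return port

    def _new_session(self, inside, outside, remote, now):
        entry = {"inside": inside, "outside": outside, "remote": remote, "seen": now}
        self._by_inside[inside + remote] = entry
        self._by_outside[outside + remote] = entry
        return entry

    def outbound(self, pkt, now):
        """LAN -> WAN: rewrite the private source to a public address and port."""
        self._expire(now)
        inside, remote = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
        entry = self._by_inside.get(inside + remote)
        if entry is None:                   # first packet of a new connection
            pub_ip = self.snat_rules.get(pkt.src, self.public_ip)
            entry = self._new_session(inside, (pub_ip, self._alloc_port()), remote, now)
        entry["seen"] = now
        pub_ip, pub_port = entry["outside"]
        return Packet(pub_ip, pub_port, pkt.dst, pkt.dport)

    def inbound(self, pkt, now):
        """WAN -> LAN: only a live session or a DNAT rule lets a packet in."""
        self._expire(now)
        outside, remote = (pkt.dst, pkt.dport), (pkt.src, pkt.sport)
        entry = self._by_outside.get(outside + remote)
        if entry is None:
            target = self.dnat_rules.get(outside)
            if target is None:
                return None                 # no session, no forward: default rule drops it
            entry = self._new_session(target, outside, remote, now)
        entry["seen"] = now
        in_ip, in_port = entry["inside"]
        return Packet(pkt.src, pkt.sport, in_ip, in_port)


def demo():
    """Walk the page's example network through all three cases."""
    r = NatRouter("205.0.0.2")
    r.dnat_rules[("205.0.0.2", 80)] = ("192.168.0.10", 80)   # port forward to web server
    r.snat_rules["192.168.0.20"] = "205.0.0.3"               # host with its own public IP
    out = r.outbound(Packet("192.168.0.5", 40000, "8.8.8.8", 53), now=0)
    reply = r.inbound(Packet("8.8.8.8", 53, out.src, out.sport), now=1)
    fwd = r.inbound(Packet("198.51.100.7", 51000, "205.0.0.2", 80), now=2)
    fwd_reply = r.outbound(Packet("192.168.0.10", 80, "198.51.100.7", 51000), now=3)
    snat = r.outbound(Packet("192.168.0.20", 40000, "8.8.8.8", 53), now=4)
    stale = r.inbound(Packet("8.8.8.8", 53, out.src, out.sport), now=1000)  # expired
    return out, reply, fwd, fwd_reply, snat, stale


if __name__ == "__main__":
    for p in demo():
        print(p)
```

Running it prints the translated packets; the last call returns None, which is the "expired or non-existent session" case from the first section: the packet matches neither a live table entry nor a port-forward rule, so it is left to the default firewall rule. Note that a DNAT rule creates a session entry on the first packet from the WAN, which is what makes the server's reply get rewritten back to the public address and port (the inverse translation mentioned above), and that the SNAT host's connection gets its own public port even though it leaves under a different public address. A real iptables NAT keeps considerably more state (protocol, TCP connection state, per-protocol timeouts) and allocates ports differently; this model only shows the bookkeeping.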

Application Layer Gateways (ALGs)

FIXME Add information about ALGs for SIP, FTP, etc.


January 26, 2014 at 8:24 pm • Michael Tremer