
Network Address Translation

Network Address Translation (NAT) is the process of rewriting the IP addresses in packet headers as they cross a boundary device, mapping one IP address to another. NAT is usually deployed to give hosts in an internal, private IP address space access to the Internet through a pool of public, routable IP addresses. In classic NAT, each internal address is bound to one external address for the life of the session: a one-to-one mapping.

Because IPv4 addresses are scarce, large blocks are generally allocated only to ISPs and other large organizations. More likely than not, your internal network uses the private address space defined in RFC 1918 (10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16). For these hosts to communicate with Internet-connected hosts, their source addresses must be translated to public addresses; NAT accommodates this need.

Because RFC 1918 addresses are not routable on the public Internet (ISPs should, and most do, drop routes for those networks and packets addressed to them), using private address ranges gives your network some insulation against direct attack: an attacker on the Internet has no route to 10.1.2.3 inside your network. Treat this as a side effect rather than a security control. A router that forwards private ranges, an explicit port forward, or a compromised internal host making outbound connections all bypass it, so a firewall is still required.

There is one obvious problem with classic NAT: the one-to-one mapping requirement. If you are allocated 32 public IP addresses for your Internet connection but have 250 nodes that may need external access at any one time, you have a capacity problem. Once the 32 addresses are in use, the 33rd host cannot get out until an existing mapping is released.

Luckily there is a variation of NAT known as Network Address Port Translation (NAPT). It is also called Port Address Translation (PAT) and, on Linux, IP masquerading. The basic concept is to map each internal (IP address, port) pair to the external IP address plus a port drawn from a range (such as 60,000 through 64,000), recorded together with the destination IP address and port. This builds up a session table that lets the NAPT device recognize return traffic, rewrite its destination back to the original internal address and port, and forward it to the right client. Because the external port rather than the external address distinguishes clients, a single public address can carry as many simultaneous sessions as the port range allows.

Because there is no 1:1 mapping of IP addresses with NAPT, an inbound packet that does not match an entry in the session table has no internal host to be delivered to and is dropped. It is therefore difficult to near impossible to initiate connections from the outside to internal resources unless the administrator explicitly configures a static mapping (a port forward) for them. As with RFC 1918 addressing, this is a convenient side effect and not a substitute for a firewall: outbound connections from internal hosts are still translated and forwarded, and any service that is port-forwarded is as exposed as if it had a public address.
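The following is an added example, not code from the original article. It models both behaviours described above in a few dozen lines of Python: a classic one-to-one NAT whose pool of public addresses runs out (the capacity problem), and an NAPT device that keeps a session table keyed on the translated source port plus the destination address and port, so that reply traffic is mapped back to the right internal client while unsolicited inbound packets find no entry and are dropped. All addresses, the port range and the packets are constructed for illustration, and the class names and method names are this example's own.

```python
"""Toy model of classic one-to-one NAT and of NAPT (PAT / IP masquerading).

Constructed example for illustration only: the addresses, port range and
packets below are made up, and the classes are not a real NAT implementation.
"""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# RFC 1918 private address space.
RFC1918 = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]

Flow = Tuple[str, int, str, int]  # (src_ip, src_port, dst_ip, dst_port)


def is_private(addr: str) -> bool:
    """True if addr lies in one of the RFC 1918 ranges."""
    a = ip_address(addr)
    return any(a in net for net in RFC1918)


class OneToOneNat:
    """Classic NAT: each active internal host holds one public address for its session."""

    def __init__(self, public_pool: List[str]) -> None:
        self.free = list(public_pool)
        self.bindings: Dict[str, str] = {}  # internal ip -> public ip

    def translate_outbound(self, src_ip: str) -> Optional[str]:
        """Return the public address for src_ip, or None when the pool is exhausted."""
        if src_ip in self.bindings:
            return self.bindings[src_ip]
        if not self.free:
            return None  # capacity problem: more active hosts than public addresses
        public = self.free.pop(0)
        self.bindings[src_ip] = public
        return public

    def release(self, src_ip: str) -> None:
        """End of session: hand the public address back to the pool."""
        public = self.bindings.pop(src_ip, None)
        if public is not None:
            self.free.append(public)


class Napt:
    """NAPT: many internal (ip, port) pairs share one public ip, told apart by port."""

    def __init__(self, public_ip: str, port_lo: int = 60000, port_hi: int = 64000) -> None:
        self.public_ip = public_ip
        self.next_port = port_lo
        self.port_hi = port_hi
        # Session table. Outbound lookups key on the internal flow; inbound
        # lookups key on what the Internet sees (public ip/port + remote ip/port).
        self.out_table: Dict[Flow, int] = {}
        self.in_table: Dict[Flow, Tuple[str, int]] = {}

    def outbound(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> Flow:
        """Rewrite an internal packet's source to the public ip and an allocated port."""
        flow = (src_ip, src_port, dst_ip, dst_port)
        if flow not in self.out_table:
            if self.next_port > self.port_hi:
                raise RuntimeError("NAPT port range exhausted")
            public_port = self.next_port
            self.next_port += 1  # toy allocator: one fresh port per new flow
            self.out_table[flow] = public_port
            self.in_table[(self.public_ip, public_port, dst_ip, dst_port)] = (src_ip, src_port)
        return (self.public_ip, self.out_table[flow], dst_ip, dst_port)

    def inbound(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> Optional[Flow]:
        """Rewrite a packet arriving from the Internet, or return None to drop it."""
        inside = self.in_table.get((dst_ip, dst_port, src_ip, src_port))
        if inside is None:
            return None  # no session entry: unsolicited inbound traffic is dropped
        return (src_ip, src_port, inside[0], inside[1])


if __name__ == "__main__":
    nat = OneToOneNat(["198.51.100.1", "198.51.100.2"])
    print(nat.translate_outbound("192.168.1.10"))  # 198.51.100.1
    print(nat.translate_outbound("192.168.1.11"))  # 198.51.100.2
    print(nat.translate_outbound("192.168.1.12"))  # None: pool exhausted

    napt = Napt("198.51.100.1")
    print(napt.outbound("192.168.1.10", 51000, "203.0.113.5", 443))
    print(napt.inbound("203.0.113.5", 443, "198.51.100.1", 60000))
    print(napt.inbound("203.0.113.9", 40000, "198.51.100.1", 22))  # None: dropped
```

Note that the inbound lookup keys on the remote address and port as well as the translated port, so a packet from a different host aimed at an in-use public port is dropped too; real NAPT devices differ in how strictly they do this (endpoint-independent versus address- and port-dependent filtering), and that choice, plus idle-session timeouts, is what the toy allocator above leaves out.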
