The Different Types of NAT

We know NAT is a necessity for getting traffic from private IPs onto the Internet by way of public IPs; click here to get a refresher.

Now we are going to learn about the different ways NAT is implemented.

Dynamic NAT

Lots of computers with private IPs use a pool of public IPs in order to reach the Internet.

That’s dynamic NAT.  

Multiple private IPs can be translated into multiple different public IPs, per connection.  

The public IPs can change, that’s why it is called dynamic.  

Imagine Jack, Ken, Paul, and Steve all want to go to this website page: The Most Difficult CISSP Question Ever

They all have private IPs that are in the 192.168.5.0/24 subnet.

Let’s see how they use dynamic NAT in order to reach the Internet.

 

[Image: dynamic-nat-2]

Users with different private IP addresses in the same subnet are going to different websites on the Internet.

Their traffic travels from their computers to a Cisco switch, and then gets sent to the firewall for translation. 

[Image: dynamic-nat-3]

There is a pool of Internet-routable IPs configured on the firewall.  

The firewall performs its magic to assign each incoming private IP address to one of the available public IPs.

 

[Image: dynamic-nat-4]

The source IP changes from a private IP to a public IP, and the destination stays the same.

This is the concept of dynamic NAT.
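The pool behaviour just described, as an added example written for this page (not code from the original post): each private host borrows a free public IP per connection, return traffic is mapped back by public IP, and a packet is dropped when the pool runs dry. The public addresses (203.0.113.x) and the destination are constructed.

```python
# Added example: a minimal model of per-connection dynamic NAT with a pool of
# public IPs. Private hosts are the post's 192.168.5.0/24 users; the public
# pool uses constructed documentation-range addresses, not real ones.

class DynamicNat:
    """Assign a free public IP from the pool to each private source, map
    return traffic back by public IP, and drop when the pool is exhausted."""

    def __init__(self, pool):
        self.free = list(pool)     # public IPs not currently in use
        self.active = {}           # public_ip -> private_ip

    def outbound(self, src_private, dst_public):
        """Translate an outbound packet; returns (new_src, dst) or None."""
        # An existing translation for this host is reused while it is active.
        for pub, priv in self.active.items():
            if priv == src_private:
                return (pub, dst_public)
        if not self.free:
            return None            # pool exhausted: the firewall drops the packet
        pub = self.free.pop(0)
        self.active[pub] = src_private
        return (pub, dst_public)

    def inbound(self, dst_public):
        """Return traffic: which private host owns this public IP, if any."""
        return self.active.get(dst_public)

    def release(self, src_private):
        """Connection closed or translation timed out: give the public IP back."""
        for pub, priv in list(self.active.items()):
            if priv == src_private:
                del self.active[pub]
                self.free.append(pub)

# Constructed walk-through: four users, a pool of only two public IPs.
POOL = ["203.0.113.10", "203.0.113.11"]
SITE = "198.51.100.80"                     # constructed destination
nat = DynamicNat(POOL)
jack = nat.outbound("192.168.5.11", SITE)  # gets 203.0.113.10
ken = nat.outbound("192.168.5.12", SITE)   # gets 203.0.113.11
paul = nat.outbound("192.168.5.13", SITE)  # None: pool exhausted, dropped
nat.release("192.168.5.12")                # Ken's translation expires
paul = nat.outbound("192.168.5.13", SITE)  # now gets 203.0.113.11
```

A pool that is too small for the number of concurrent users shows up exactly as the dropped packet above, which is why pool sizing and translation timeouts matter when troubleshooting.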

 

Static NAT

1 specific private IP is configured to use 1 specific public IP to reach the Internet.

 

[Image: static1]

Users Ken and Paul, with different private IP addresses in the same subnet, are going to different websites on the Internet.

Their traffic travels from their computers to a Cisco switch, and then gets sent to the firewall for translation. 

 

[Image: static2]

The firewall is configured to map Ken and Paul’s private IP addresses to two static public IPs.

Basically, whenever Ken and Paul go out to the Internet, they will be assigned these two public IPs.  

Hence, static NAT.   

 

 

[Image: static3]

The source IP changes from a private IP to the assigned public IP, and the destination stays the same.

This is the concept of static NAT.  The public IP doesn’t change, that’s why it is called static.

 

PAT (Port Address Translation)

Lots of computers with private IPs use 1 public IP in order to reach the Internet.

That’s port address translation, PAT.  

But where does the “port” part come in?  By port, they mean source port.

You might be wondering how 1 public IP can represent so many other private IPs?

PAT distinguishes each private IP by using their connection’s source port.  It’s actually a genius technique and whoever thought of it should be awarded cold hard cash.

Just as every outbound connection has a destination port like 80, 443, or 22, your computer also generates a source port for it.  

It is these source ports that are used to map to a public IP for port address translation.

Let’s see it in action.

[Image: pat1]

Users with different private IP addresses in the same subnet are going to different websites on the Internet.

All of them have unique source port numbers.

Their traffic travels from their computers to a Cisco switch, and then gets sent to the firewall for translation. 

 

[Image: pat2]

The firewall has 1 public IP available for users Jack, Ken, Paul, and Steve.

The firewall performs its magic to assign each incoming private IP address to the single available public IP address.

But each connection is made unique by the newly assigned source port number. 

This way, when traffic returns to port number 6006, the firewall knows it needs to go to user Ken.  

This is port address translation.

 

 

 

[Image: pat3]
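The PAT table described above, as an added example written for this page (not code from the original post): the firewall rewrites each connection’s source to a single public IP plus a public port it hands out, keeps a reverse table so that return traffic to port 6006 goes to Ken, and has no entry (so drops) for traffic to a port it never handed out. The public IP, the starting port, the destination and the hosts’ source ports are constructed assumptions.

```python
# Added example: a model of port address translation. Many private hosts share
# one public IP; the firewall rewrites the source port so each connection stays
# distinguishable on the way back. PUBLIC_IP is a constructed documentation
# address, and the starting public port is an assumption.

PUBLIC_IP = "203.0.113.10"

class Pat:
    def __init__(self, first_port=6005):
        self.next_port = first_port
        self.forward = {}   # (private_ip, private_port) -> public_port
        self.reverse = {}   # public_port -> (private_ip, private_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite the source to PUBLIC_IP:public_port; destination unchanged."""
        key = (src_ip, src_port)
        if key not in self.forward:          # first packet of this connection
            pub_port = self.next_port
            self.next_port += 1
            self.forward[key] = pub_port
            self.reverse[pub_port] = key
        return (PUBLIC_IP, self.forward[key], dst_ip, dst_port)

    def inbound(self, dst_port):
        """Return traffic arriving at PUBLIC_IP:dst_port. Only a port the
        firewall handed out maps back to a private host; anything else has
        no table entry and is dropped (None)."""
        return self.reverse.get(dst_port)

# Constructed packets: Jack and Ken happen to pick the same source port, so the
# private (ip, port) pair is still unique but the public port must differ.
SITE = "198.51.100.80"
pat = Pat()
jack_out = pat.outbound("192.168.5.11", 51000, SITE, 443)  # public port 6005
ken_out = pat.outbound("192.168.5.12", 51000, SITE, 443)   # public port 6006
ken_back = pat.inbound(6006)      # ('192.168.5.12', 51000): delivered to Ken
stray = pat.inbound(7000)         # None: unsolicited, no translation exists
```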

Study Notes!
Source port numbers are generated from your operating system.
They can range from 49152 to 65535, but different operating systems have different implementations.
__________

 

NAT can become a byzantine labyrinth of private and public IPs when it comes to troubleshooting for network engineers.  

There’s such a thing as double-NAT, translating an IP after it has gone through a previous NAT.  Or if you’re configuring a VPN using private IPs, NO-NATs or manual NATs would need to be configured.  Or if NAT absolutely has to be configured for a VPN, then both encryption domains have to use the public IPs and not the private IPs, and the end nodes will have to be responsible for proper routing after decryption.  

There’s also such a thing as Destination NAT, either translated on the client side or the server side.  It took a while for me to understand how NAT works; it’s not an easy topic.  It took a lot of conference calls and working under pressure while frustrated customers were experiencing loss of connectivity to their production environments or all-out outages.  Trial by fire was the best way to learn; it’s really hard to understand just by reading a book, you have to “see” the packet captures and the traffic itself. 

For the CISSP exam however, all you need to know is the above concepts.

 

Thanks for reading.
