Network Address Translation

In Chapter 5 we took a look at how companies have moved to using private IP addresses on their internal networks. The reason for this transition is twofold. Firstly, the rapid growth of the Internet has led to a serious reduction in the number of public addresses available in the IP version 4 address space. While this is being addressed by a new version of IP (IPv6), the wide-scale deployment of IPv6 is likely to take many years to occur. The second reason for the increased use of private addresses is the benefit that they provide from a security and administration point of view. Not only do they allow administrators more flexibility in terms of addressing, these addresses are not routable on the public Internet, providing an additional layer of security for internal systems. The private internal IP address ranges specified in RFC 1918 include:

In order for hosts using private addresses to access the Internet, they require an intermediary device to process their requests. This is usually accomplished through the use of Network Address Translation (NAT), where requests from internal clients for resources on the public Internet are “translated”, such that they appear to have been initiated from a valid public Internet address.

Consider the example network illustrated in the figure below. A company has a small private network with hosts addressed in a private range – The router in the illustration is acting as a NAT device, and has one public IP address configured on its S0 interface. When internal hosts make a request for Internet resources, these requests are sent to the router, which is configured as the clients’ default gateway. The router, seeing that the request is for an external Internet address, will “translate” the packet, such that the source address and port number are changed to the public address associated with its S0 interface. The router will store a mapping in its NAT table that keeps track of which client initiated the request, so that the subsequent reply can be forwarded to the correct host.

Figure: Internal clients with private addresses gain access to the Internet through the NAT-enabled router.

Before looking at the different ways in which NAT can be implemented on a network, we should first look at what it is that we want to accomplish with NAT. For example, is our goal only to allow internal clients to access the public Internet, or do we also want to allow Internet systems to be able to gain access to certain internal servers? By default, NAT will act as a type of firewall, blocking all requests that do not originate from the internal private network. This allows internal clients to access Internet resources, but stops Internet clients from accessing our internal LAN. In cases where you have a server on your private network that must be accessible from the Internet (such as a web or mail server), NAT must be explicitly configured to forward these requests. If not, all requests that originate from the public Internet will be dropped.

There are a number of different ways in which NAT can be configured. The three most popular NAT implementation techniques are static NAT, dynamic NAT, and what is known as overloading. These techniques can be used individually, or in combination with one another.

Author: Dan DiNicolo

Dan DiNicolo is a freelance author, consultant, trainer, and the managing editor of He is the author of the CCNA Study Guide found on this site, as well as many books including the PC Magazine titles Windows XP Security Solutions and Windows Vista Security Solutions. Click here to contact Dan.