Network Address Translation

As covered above, a gateway is a device with two addresses -- one on each network it's connected to.

So, you have just one address coming out of your LAN into the WAN. What happens if you have 5, 10 or even 100 computers on your LAN, all trying to use the gateway at the same time to connect to the internet?

This is where Network Address Translation (NAT) comes into play. With NAT, all computers in the LAN "hide" behind the gateway:

1. A host on the LAN makes an outbound connection to somewhere on the WAN.
2. The packets first arrive at the gateway (on their way out).
3. The gateway then modifies the packets so that they appear as if:
   - It (the gateway) originated them itself.
   - They come from one specific port on the gateway (and not necessarily the port from which they originally came). This port is mapped to the LAN host which originally sent the packet. The gateway now knows that packets arriving at port 30189 (for example) should be forwarded internally to host 192.168.0.17 and to port 80 (for example).
4. The gateway sends the packets on their way.
5. The packets arrive at their remote destination host.
6. The remote host replies, directing the reply to the IP address and port of the router which previously sent the packets.
7. The router gets the reply (on port 30189 in our example), modifies the packet and forwards it internally to the host which originally made the outbound connection.

[Figure: an009_nat]


A colon (:) after an IP address introduces the port for that address. So, the designation 64.233.187.107:80 refers to port 80 of the IP address 64.233.187.107.

Many Hosts Can Originate Outbound Connections

The biggest advantage of using NAT is that it limits the number of "real" IP addresses you need. You can have hundreds of computers communicate with various hosts on the internet, using just one "real" IP address. This translates into significant savings in cost.

Below you can see four different workstations on the same LAN communicating at the same time with three different web servers on the WAN through just one "real" IP address (that of the router):

[Figure: an009_nat_1]

No Host Can Receive an Inbound Connection

The biggest disadvantage of using NAT is that it's impossible to originate inbound connections. Suppose you have a host inside the network and you wish to originate a connection to it from outside (from some host on the WAN). The router will not know where to direct the incoming connection: no internal host tried to originate an outbound connection to this remote host, so no internal host is currently mapped to that port on the router or expecting a connection from that external host. So, when the packet comes to the router, it goes nowhere (it is 'dropped'):

[Figure: an009_nat_2]
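
The translation steps listed earlier and the dropped inbound connection described above, as a small simulation. This is an added example, not part of the original page; the NatGateway class, the public address 203.0.113.5, the LAN source port 51000 and the choice to accept replies only from the mapped remote peer are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (IP address, port)

@dataclass(frozen=True)
class Packet:
    src: Endpoint
    dst: Endpoint

@dataclass
class NatGateway:
    """Hypothetical port-translating gateway with one public address."""
    public_ip: str
    next_port: int = 30189  # first public port handed out (value from the text)
    out_map: Dict[Tuple[Endpoint, Endpoint], int] = field(default_factory=dict)
    in_map: Dict[int, Tuple[Endpoint, Endpoint]] = field(default_factory=dict)

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> WAN: rewrite the source to the gateway's address and a mapped port."""
        key = (pkt.src, pkt.dst)
        if key not in self.out_map:
            self.out_map[key] = self.next_port
            self.in_map[self.next_port] = key
            self.next_port += 1
        return Packet((self.public_ip, self.out_map[key]), pkt.dst)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """WAN -> LAN: forward only replies that match an existing mapping."""
        entry = self.in_map.get(pkt.dst[1])
        if pkt.dst[0] != self.public_ip or entry is None:
            return None  # no LAN host is mapped to this port: dropped
        lan_host, remote = entry
        if pkt.src != remote:
            return None  # assumption: only the peer the mapping was made for may reply
        return Packet(pkt.src, lan_host)

def demo():
    gw = NatGateway("203.0.113.5")       # constructed public address
    web = ("64.233.187.107", 80)         # remote host:port used in the text
    out = gw.outbound(Packet(("192.168.0.17", 51000), web))  # constructed LAN port
    reply = gw.inbound(Packet(web, out.src))
    stray = gw.inbound(Packet(("198.51.100.9", 4444), (gw.public_ip, 30189)))
    unmapped = gw.inbound(Packet(web, (gw.public_ip, 40000)))
    return out, reply, stray, unmapped

if __name__ == "__main__":
    for result in demo():
        print(result)
```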




For more information regarding NAT, including other implementations of NAT, please see the Wikipedia article titled "Network address translation".