Network Address Translation(NAT)

What is NAT?
NAT is like the receptionist in a large office. Assume you have left instructions with the receptionist not to forward any calls to you unless you request it. Later on, you call a potential client and leave a message for them to call you back. You tell the receptionist that you are expecting a call from this client, and you ask the receptionist to put them through to your telephone.
The client calls the main number to your office, which is the only number the client knows. When the client tells the receptionist who they are looking for, the receptionist checks a lookup table that matches your name to your extension. The receptionist knows that you requested this call; therefore, the receptionist forwards the caller to your extension.
So while the DHCP server assigns IP dynamic addresses to devices inside the network, NAT-enabled routers retain one or many valid Internet IP addresses outside of the network. When the client sends packets out of the network, NAT translates the internal IP address of the client to an external address. To outside users, all traffic coming to and going from the network has the same IP address or is from the same pool of addresses.
NAT has many uses, but its key use is to save IP addresses by allowing networks to use private IP addresses. NAT translates non-routable, private, internal addresses into routable, public addresses. NAT has an added benefit of adding a degree of privacy and security to a network because it hides internal IP addresses from outside networks.
A NAT-enabled device typically operates at the border of a stub network. In our example, R2 is the border router. A stub network is a network that has a single connection to its neighbor network. As seen from the ISP, R2 forms a stub network.
When a host inside the stub network, say PC1, PC2, or PC 3, wants to transmit to a host on the outside, the packet is forwarded to R2, the border gateway router. R2 performs the NAT process, translating the internal private address of the host to a public, outside, routable address.
In NAT terminology, the inside network is the set of networks that are subject to translation. The outside network refers to all other addresses. IP addresses have different designations based on whether they are on the private network or on the public network (Internet) and whether the traffic is incoming or outgoing.
The following terms when discussing NAT:
Inside local address - Usually not an IP address assigned by a RIR or service provider and is most likely an RFC 1918 private address. In the figure, the IP address is assigned to the host PC1 on the inside network.
Inside global address - Valid public address that the inside host is given when it exits the NAT router. When traffic from PC1 is destined for the web server at, router R2 must translate the address. In this case, IP address is used as the inside global address for PC1.
Outside global address - Reachable IP address assigned to a host on the Internet. For example, the web server is reachable at IP address
Outside local address - The local IP address assigned to a host on the outside network. In most situations, this address will be identical to the outside global address of that outside device.

Note: In this course, we will be referencing the inside local address, inside global address, and the outside global address. The use of the outside local address is outside the scope of this course.
The "inside" of a NAT configuration is not synonymous with private addresses as defined by RFC 1918. What we call "non-routable" addresses are not always unroutable. An administrator can configure any router to pass traffic over private subnets. However, if they try to pass a packet to the ISP for any private address, the ISP drops it. Non-routable means not routable on the Internet.

How Does NAT Work?
Assume an inside host ( wants to communicate with an outside web server ( It sends a packet to R2, the NAT-configured border gateway for the network.
R2 reads the destination IP address of the packet and checks if the packet matches the criteria specified for translation. R2 has an ACL that identifies the inside network as valid hosts for translation. Therefore, it translates an inside local IP address to an inside global IP address, which in this case is It stores this mapping of the local to global address in the NAT table.
The router then sends the packet to its destination. When the web server responds, the packet comes back to the global address of R2 (
R2 refers to its NAT table and sees that this was a previously translated IP address. Therefore, it translates the inside global address to the inside local address, and the packet is forwarded to PC1 at IP address If it does not find a mapping, the packet is dropped.
Dynamic Mapping and Static Mapping
There are two types of NAT translation: dynamic and static.
Dynamic NAT uses a pool of public addresses and assigns them on a first-come, first-served basis. When a host with a private IP address requests access to the Internet, dynamic NAT chooses an IP address from the pool that is not already in use by another host. This is the mapping described so far.
Static NAT uses a one-to-one mapping of local and global addresses, and these mappings remain constant. Static NAT is particularly useful for web servers or hosts that must have a consistent address that is accessible from the Internet. These internal hosts may be enterprise servers or networking devices.
Both static and dynamic NAT require that enough public addresses are available to satisfy the total number of simultaneous user sessions.
For another look at how dynamic NAT works, go to


Post a Comment


NBA Live Streaming. Copyright 2008 All Rights Reserved Revolution Two Church theme by Brian Gardner Converted into Blogger Template by Bloganol dot com | Distributed by Blogger Templates Blog