NAT operation (2024)

As shown in Figure 52, when an internal host accesses an external network, the NAT device uses a public IP address to replace the private source IP address. In Figure 52, NAT uses the IP address of the outgoing interface as the public IP address. All internal hosts use the same public IP address to access external networks and only one host can access external networks at a given time.

A NAT device can also hold multiple public IP addresses to support concurrent access requests. Whenever a new external network access request comes from the internal network, the NAT device chooses an available public IP address (if any) to replace the source IP address, adds the mapping to its NAT table, and forwards the packet. In this way, multiple internal hosts can access external networks simultaneously.

The number of public IP addresses that a NAT device needs is usually far less than the number of internal hosts because not all internal hosts access external networks at the same time. The number of public IP addresses is related to the number of internal hosts that might access external networks simultaneously during peak hours.

Network Address Port Translation (NAPT) is a variation of basic NAT. It allows multiple internal addresses to be mapped to the same public IP address, which is called multiple-to-one NAT.

NAPT mapping is based on both the IP address and the port number. With NAPT, packets from multiple internal hosts are mapped to the same external IP address with different port numbers.

Figure 53: NAPT operation

As shown in Figure 53, three IP packets arrive at the NAT device. Packets 1 and 2 are from the same internal address but have different source port numbers. Packets 1 and 3 are from different internal addresses but have the same source port number. NAPT maps the three IP packets to the same external address but with different source port numbers. Therefore, the packets can still be differentiated. When receiving the response packets, the NAT device forwards them to the corresponding hosts according to the destination addresses and port numbers.

NAPT improves utilization of IP address resources, enabling more internal hosts to access the external network at the same time.

NAPT supports the following NAT mapping behavior modes:

• Endpoint-Independent Mapping—The NAT device uses entries, each of which includes the source IP address, source port number, and protocol type to translate addresses and filter packets. The same NAPT mapping applies to packets sent from the same internal IP address and port to any external IP address and port. The NAT device also allows external hosts to access the internal network by using the translated external addresses and port numbers. This mode facilitates communication among hosts that connect to different NAT devices.

• Address and Port-Dependent Mapping—The NAT device uses entries each including the source IP address, source port number, protocol type, destination IP address, and destination port number to translate addresses and filter packets. For packets with the same source address and source port number but different destination addresses and destination port numbers, different NAPT mappings apply so that the source address and port number are mapped to the same external IP address but different port numbers. The NAT device allows the hosts only on the corresponding external networks where these destination addresses reside to access the internal network. This mode is secure but inconvenient for communication among hosts that connect to different NAT devices.

NAT hides the internal network structure, including the identities of internal hosts. However, some internal hosts such as an internal Web server or FTP server might need to be accessed by external hosts. NAT meets this need by supporting internal servers.

You can configure an internal server on the NAT device by mapping a public IP address and port number to the private IP address and port number of the internal server. For instance, you can configure an address like 20.1.1.12:8080 as an internal Web server's external address and port number.

In Figure 54, when the NAT device receives a packet destined for the public IP address of an internal server, it looks in the NAT entries and translates the destination address and port number in the packet to the private IP address and port number of the internal server. When the NAT device receives a response packet from the internal server, it translates the source private IP address and port number of the packet into the public IP address and port number of the internal server.

Figure 54: Internal server operation

Typically, the DNS server and users that need to access internal servers reside on the public network. You can specify an external IP address and a port number for an internal server on the public network interface of a NAT device, so that external users can access the internal server using its domain name or pubic IP address. In , an internal host wants to access an internal Web server by using its domain name, when the DNS server is located on the public network. Typically, the DNS server replies with the public address of the internal server to the host and thus the host cannot access the internal server. The DNS mapping feature can solve the problem.

Figure 55: Operation of NAT DNS mapping

A DNS mapping entry records the domain name, public address, public port number, and protocol type of an internal server. Upon receiving a DNS reply, the NAT-enabled interface matches the domain name in the message against the DNS mapping entries. If a match is found, the private address of the internal server is found and the interface replaces the public IP address in the reply with the private IP address. Then, the host can use the private address to access the internal server.

Easy IP uses the public IP address of an interface on the device as the translated source address to save IP address resources, and uses ACLs to permit only certain internal IP addresses to be NATed.

Apart from the basic address translation function, NAT also provides an application layer gateway (ALG) mechanism that supports some special application protocols without requiring the NAT platform to be modified. This allows for high scalability. The IP addresses or port numbers contained in such protocol messages need address translation.

The special protocols that NAT supports include: File Transfer Protocol (FTP), Point-to-Point Tunneling Protocol (PPTP), Domain Name System (DNS), Internet Locator Service (ILS), H.323, Session Initiation Protocol (SIP), and NetBIOS over TCP/IP (NBT).

NAT allows users from different MPLS VPNs to access external networks through the same outbound interface, and allows the VPN users to use the same private address space.

1. Upon receiving a request from an MPLS VPN to an external network, NAT replaces the private source IP address and port number with a public IP address and port number, and records the MPLS VPN information, such as the protocol type and router distinguisher (RD).

2. When the response packet arrives, NAT replaces the public destination IP address and port number with the internal IP address and port number, and sends the packet to the target MPLS VPN.

This feature can also apply to internal servers so that external users can access an internal host of an MPLS VPN. For example, suppose a host in MPLS VPN 1 needs to provide Web services for the Internet. It has a private address of 10.110.1.1. To achieve this purpose, configure NAT to use 202.110.10.20 as the public IP address of the host so that the Internet users can use this IP address to access Web services on the host.

NAT allows hosts in multiple MPLS VPNs to access each other by using the MPLS VPN information carried in the external IP address.