Personal Networking What is Nating

NAT - Network Address Translation

NAT (Network Address Translation) is a method that is used in IP routers that connect local networks to the Internet. Because Internet access usually only has a single public and therefore routable IPv4 address, all other hosts in the local network have to be content with private IPv4 addresses. Private IP addresses may be used multiple times, but are not valid in public networks. Hosts with a private IPv4 address cannot communicate with hosts outside the local network.

So that all computers with a private IPv4 address can still access the Internet, the Internet access router must replace the private IPv4 address of the local host with its own public IPv4 address in all outgoing data packets. So that the incoming data packets can be assigned to the local host, the router also saves the port numbers of the TCP connections in a so-called NAT table.

In connection with the private IPv4 addresses, NAT is used so that data can be exchanged, e-mails sent and received, and the World Wide Web (WWW) can be accessed.
NAT is only a stopgap solution to circumvent the shortage of addresses in IPv4. In order to solve the associated problems, it is necessary in the long term to switch to an Internet protocol with a larger address space. IPv6 is one such protocol.

Why NAT?

The first IPv4 networks were initially independent networks with no connection to the outside world. Here one was content with IPv4 addresses from the private address ranges. At the same time, there were bottlenecks in public IPv4 addresses as early as the late 1990s. The increasing number of dial-in access via the telephone network had to be supplied with IPv4 addresses.
To date, an Internet connection only has one IPv4 address for one device. At that time it was unthinkable that an entire home network could be operated on an Internet connection. When a household connected a PC to the telephone network via modem and dialed into the Internet, that was something special.

Today every household with Internet access operates its own local network in which every terminal device needs an IPv4 address. In such cases, the devices are assigned IPv4 addresses from the private address spaces 10.0.0.0/8, 192.168.0.0/16 or 172.16.0.0/12 in order to save the few public IPv4 addresses.
However, private IPv4 addresses cannot be routed. This means that you cannot connect to the Internet with them. For this reason, a procedure was introduced with NAT in which the private IP address is exchanged for a public IP address in outgoing data packets.

IPv6 and NAT

With IPv6, NAT becomes superfluous. The elimination of NAT significantly improves the operation of networks. Errors caused by NAT are eliminated. In addition, errors can be found and corrected more quickly.
Without NAT, protocols such as STUN become superfluous. Developers are particularly pleased because any protocol that does not have to be implemented cannot open any security gaps in the first place. But without NAT, a well-configured firewall will become more important in the future. With IPv6, the firewall should prevent attempts to connect from the outside to the inside if there was no connection from the inside to the outside beforehand.

SNAT - Source Network Address Translation


A NAT router is usually operated on an ordinary Internet connection. For example via DSL or cable modem. The router used serves as access to the Internet and as a standard gateway for the local network. As a rule, more devices want to access the Internet via the router than there are public IP addresses available. Usually only one.
For example, the router in the local network is assigned the public IP address 222.0.0.1 for its WAN port by the Internet Service Provider (ISP). Because only one public IP address was assigned by the Internet provider, the stations in the LAN are assigned private IP addresses from specially reserved address ranges. These addresses are only valid within the private network. Private IP addresses are not routed in public networks. This means that stations with private IP addresses cannot get a connection to the Internet. NAT was developed so that this works anyway.

Within the local network, the router has the IP address 192.168.0.1, which applies to the LAN port and via which the router can be directly reached and configured in the LAN. This is also the address of the standard gateway and, for example, the local DNS server. The router is the standard gateway through which all connections run. With its public IP address, the router acts as a proxy for all stations in its local area network (LAN).

If a data packet is addressed with a destination address outside the local network, the router replaces the source address with its public IP address. The port number (TCP or UDP) is replaced by another port number. In order to be able to assign the response packets to the correct station later, the router maintains a table with the changed source addresses and the associated port numbers. So when packets come back with a certain port number, NAT replaces the destination address with the correct address and port number.
In the NAT table, each entry also has a time stamp. After a certain period of inactivity, the relevant entry is deleted. This ensures that no ports are left open.
Because this procedure changes the sender address (source) of every outgoing data packet, this procedure is called Source NAT (SNAT). SNAT is usually referred to simply as NAT.

Procedure of SNAT

  1. The client sends its data packets with the IP address 192.168.0.2 and the TCP port 10101 to its standard gateway, which is a NAT router.
  2. The NAT router exchanges the IP address (LAN address) and TCP port (LAN port) and saves both with the exchanged port number (WAN port) in the NAT table.
  3. The router forwards the data packet with the WAN address 220.0.0.1 and the new TCP port 20202 to the Internet.
  4. The recipient (server) processes the data packet and sends its response back.
  5. The NAT router now uses the port number 20202 (WAN port) to determine the IP address (LAN address) for which the packet is intended in the local network.
  6. It exchanges the IP address and the port number again and forwards the data packet to the local network, where the client receives it.

DNAT - Destination Network Address Translation (Port Forwarding)


NAT dynamically converts a public IP address to several private IP addresses. Every outgoing connection is recorded with the IP address and port number. Based on the port number, NAT can assign incoming data packets to a local station. However, this assignment is only valid for a short time. This means that connections can only be established from the local network into the public network, not the other way around.
If you want to make a host within the local network permanently accessible from the public network, then this is only possible via a detour. The procedure is called Destination NAT (DNAT), commonly known as port forwarding or port forwarding. A TCP port is permanently assigned to an IP address in the router configuration. The router then forwards all incoming data packets on this port to this host.
Be careful when activating TCP ports (port forwarding). If you do not provide server services on the Internet, you should block all TCP ports of the router (from 0 to 1.023). Well preconfigured routers have already set this up automatically.
If you cannot do without port forwarding, you should set up a demilitarized zone (DMZ) for security reasons and thus keep the data traffic from the Internet out of the local network.

Problems through NAT

By using NAT, the end-to-end principle is abandoned. And that means that decentralized structures at the application level are lost or cannot arise in the first place. Thanks to NAT, only those who have public IPv4 addresses and, as a rule, the necessary change, can offer services on the Internet.

One problem is that the applications and application logs do not know about it if they are running on a host that only has a private IPv4 address. As long as protocols and applications work according to the client-server principle, this is not a problem. However, if an application follows the end-to-end principle, then auxiliary constructions are required so that hosts with a private IPv4 address can be reached.
There are bypass mechanisms for NAT for many protocols, which, however, increase the complexity and susceptibility to errors and make many systems and applications dependent on their availability. This makes many Internet applications and services more complicated, which overall also leads to more security gaps.

Example: With Internet telephony (VoIP) with signaling via SIP or H.323, a direct connection to a VoIP telephone is not possible. This requires central gateways to which the VoIP telephones register and establish regular contact so that the telephone can still be reached through the NAT router.
There are also problems with FTP, messaging and push notifications. It is assumed here that the client can be reached directly, which it is not due to the private IPv4 address.

Most bidirectional communication protocols solve this in such a way that the client sends data packets from the local network to a central server or gateway at regular intervals in order to keep the entries in the NAT table of its Internet access router up to date.
With a high number of outgoing connections, NAT tables can overflow. This means that individual connections fly out of the NAT table and can consequently break connections.

The entries in the router's NAT table are only valid for a short time. For an application that only exchanges data very irregularly, this means that the connection is constantly being broken and accessibility is limited as a result. As a result, this application may not work in a NAT environment. And so this application cannot establish itself on the Internet. Most clients are typically in a NAT environment.
Port forwarding (DNAT) is used to permanently get a hole in the NAT router. This means that an incoming data packet is sent with a specific TCP / UDP port to a specific IP address in the local network.

There are also problems with NAT where the IPv4 address of the host is communicated within the protocol. If, for example, a checksum is formed over the IPv4 address for the integrity control of encrypted IPv4 packets. But using NAT changes the addresses in the IPv4 header. As a result, protocols that rely on the integrity of the IPv4 header to be maintained fail. For example IPsec for VPN.

Due to the effects of NAT, centralized services such as Skype, Facebook and YouTube have developed that provide the content of all Internet users on a representative basis. As a result, these services have gained control over personal data and can operate any business model on the basis of this.

NAT as a security feature?

NAT is particularly referred to as a security feature in product-related descriptions. This refers to the mechanism that, as a by-product, prevents a host behind a NAT router from being directly accessible from outside. The systems in the NAT network can no longer be distinguished from one another from the outside based on their IPv4 address. Because they all get the same public IPv4 address for their external connections from the NAT router. This gives users a certain degree of privacy.

Private IPv4 addresses in combination with NAT work in a certain way like a built-in "firewall". This is because connection attempts initiated from outside are discarded if there was no outgoing connection beforehand. NAT works like a rudimentary firewall that blocks all unauthorized access from outside. This is a deliberate protective function for unauthorized and insecure data traffic.

But to call NAT a security feature is wrong, misleading and negligent. Because NAT was not designed for security. It turns out to be a security feature for local area networks rather by chance. NAT does not replace a packet filter and certainly not a full-fledged firewall. NAT only prevents data connections that were not initiated from the internal network (LAN) and thus no previous data traffic existed.
The greatest security problems are usually at the application level or are triggered by improper handling by the user, which cannot be prevented with NAT. Yes, with a real firewall.

Other related topics:

Everything you need to know about IPv6.

Collection: IPv6

A PDF file of all articles on Internet Protocol Version 6 from this website. The compilation takes into account the introduction to the basics of IPv6 with detailed descriptions and numerous tables and figures. Learn more about the possibilities and relationships in the IPv6 network.

More information and to download

Everything you need to know about networks.

Network technology primer

The network technology primer is a book about the basics of network technology, transmission technology, TCP / IP, services, applications and network security.

I want that!

Everything you need to know about IPv6.

Collection: IPv6

A PDF file of all articles on Internet Protocol Version 6 from this website. The compilation takes into account the introduction to the basics of IPv6 with detailed descriptions and numerous tables and figures. Learn more about the possibilities and relationships in the IPv6 network.

More information and to download