Page 3 of 4
NAT, or Network Address Translation, takes dynamic IP address allocation a step or two further. The problem that NAT aims to solve is that every data packet has two addresses - the destination and the source. The destination is simply the public IP address of the machine the packet is on its way to. The source address is the return address that the remote server uses to send a response packet back to the machine that initiated the exchange.
The problem is that while the router has an external IP address and so a response can be sent back to it how does it now which of the machine on the internal network the packet should be sent on to? This is the purpose of NAT - to allow a return path to be included with any outgoing data packets.
There are a number of different forms of NAT.
The first takes IP addresses on your local network and substitutes for them using a block of IP addresses that you have been allocated. This is just the same dynamic IP allocation that ISPs use but built into a local router. This is a very simple and reliable form of NAT but it has one huge problem all of the IP addresses used have to be public addresses. All that happens in this form of NAT is that a machine in the internal network gets the use of an external address of the duration of a packet exchange with a remote machine.
The most commonly used form of NAT is “overloading”. This makes use of a single Internet public IP address and maps all of the internal addresses to it.
How is this possible?
The answer is that all data packets not only have an IP address but a “port number”. The port number is supposed to identify what the data is to be used for.
For example, all web data is transferred using port 80, FTP connections are made using port 25 and so on. There are 65536 ports and what NAT with overloading does is to use the port numbers to code where the packet came from.
The IP address determines which machine the data packet is intended for and port numbers are used to determine which application on that machine the data is for. The router however can use port numbers to customise its one return address - i.e. the public IP address it is using . That is the remote machines sends a data packet back to the router but in this case the port number is used to identify the machine on the local network the data was intended for. The router also has to remember the port number that the local machine's request was made on and substitute this back into the data packet.
For example, if a data packet comes from a machine with an internal IP Address of 192.168.253.12 internally and your ISP has assigned the router a single external IP address of 230.123.001.23 then the router takes the outbound packet and replaces the source address by 230.123.001.23:11, i.e. same external public address but using port 11.
When the packet arrives at the destination there is the possibility that it will become confused by the return port number, but most simply make up a return packet and send it to the address and port number specified. Any applications that don't do this cause NAT a problem but there are few such problem cases left because NAT is so important.
When the router gets a data packet addressed to 220.127.116.11:01 i.e the router's public address it uses the port number to find out which internal IP address to send it to, in this case 192.168.253.12.
By mapping internal IP addresses to port numbers within a single external IP address the router can connect a fairly large number of users to the Internet using just one public IP address.
A NAT router maps internal addresses to external addresses using port numbers. (click for larger image)
Firewall for Free
Not only does NAT give you an easy way of connecting your network to the Internet, it also provides a high degree of security because of the way it works.
For example, how can someone on the Internet gain access to one of the machines on the internal network?
The simple answer is they can’t because the router only delivers packets that arrive in response to outgoing packets and none of the machines connected to the local network have valid IP addresses. That is, it is impossible for an external agent to initiate a connection to a local machine.
Of course this can also be a problem for protocols that require an external machine to make a connection.
For example, if you want to run a webserver then you need to allow external machines to connect via port 80. If you want to, you can generally set a NAT enabled router to pass all inbound packets that aren't responses to outgoing packets, to a specified internal machine which then handles requests to all port numbers i.e. it’s the one webserver, email post office, FTP server and so on in the network.
A more advanced NAT router will generally let you map inbound packets to individual machines on the basis of port numbers. So one machine can be designated as the Web server, another the FTP server and so on. This is generally called "port mapping" or "virtual servers". For this to work you must have at least a single fixed IP address allocated or you have to use dDNS.
As far as the outside world is concerned your local network has just this one IP address and looks like one big machine.