Network Address Translation

Unit Goals

Why NAT?

There aren’t enough IPv4 addresses to go around.

NAT, or network address translation, also known as “transparent proxying” or “IP Address Overloading” or “IP Masquerading” is a way to keep IPv4 alive. Or to at least hide your real IP address.

Let’s learn by example, assuming the normal use case of a private IP network.

How NAT Works, By Example

Here’s a typical scenario:

Suppose a host on this private network, 192.168.1.5, from an application on port 9266, wants to send a TCP packet to 207.44.189.183 on port 8053.

It creates and sends off a TCP packet to the NAT box like this:

Note the trickery!

The host is sending a TCP segment to a host on its own network such that the destination in the TCP segment differs from the destination in the IP datagram that wraps the TCP segment. It’s all good. But pretty cool, right?

The NAT box maintains a mapping of (its own) port numbers to (IP, Port) pairs. So, on receiving the above segment, it makes a new entry in its table. Let’s say the next free slot in the table was at 7969. It makes an entry like so:

Then the NAT rewrites the TCP segment into:

and sends it on its way.

The remote machine sees the segment as coming from the NAT box, 24.1.0.77 at port 7969. Therefore, when it replies, it sends a segment like:

The NAT recognizes this segment as coming from the outside addressed to port 7969. So it does a lookup in the translation table and rewrites the segment to:

and sends it to the right host on its own network.

Summary