Page187
Network Address Translation
Network Address Translation (NAT) is used to translate IP addresses. It is most often used to translate private RFC 1918 addresses (10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16) as traffic passes from an internal network to the Internet. If you were wondering how you could surf the public Web using a PC configured with a private RFC 1918 address, NAT is one answer (proxying is another).
Three types of NAT are static NAT, pool NAT (also known as dynamic NAT), and Port Address Translation (PAT, also known as NAT overloading). Static NAT makes a fixed one-to-one translation between a private address and a public address, such as 192.168.1.47 ➝ 192.0.2.252; because the mapping is permanent, the inside host is reachable from outside at all times. Pool NAT reserves a range of public IP addresses, such as 192.0.2.10 through 192.0.2.19, as a pool. An inside host is assigned an address from the pool when it begins a session, and the address is returned to the pool when the session ends or times out; if the pool is exhausted, new sessions cannot be translated until an address is released. Finally, PAT makes a many-to-one translation from multiple private addresses to one public IP address, such as 192.168.1.* ➝ 192.0.2.20. The gateway keeps the flows apart by rewriting each connection's source port to a unique value and keying the reverse translation on that port, which is how a single public address can serve thousands of simultaneous connections. PAT is a common solution for homes and small offices: multiple internal devices such as laptops, desktops, and mobile devices share one public IP address. Table 5.5 summarizes examples of the NAT types.
| NAT Type | Example |
|---|---|
| Static | 192.168.1.47 ➝ 192.0.2.252 |
| Pool | 192.168.1.17 ➝ 192.0.2.10<br>192.168.1.21 ➝ 192.0.2.11<br>192.168.1.56 ➝ 192.0.2.12 |
| PAT | 192.168.1.* ➝ 192.0.2.20 |
NAT hides the origin of a packet: the source address seen on the Internet is that of the NAT gateway (usually a router or a firewall), not the host itself. This provides some limited security benefit. With pool NAT or PAT, an unsolicited packet sent to the public address finds no translation entry and is dropped at the gateway, so a scan or attack against the translated address reaches the gateway rather than the end host. The protection is limited and should never be considered a primary security control: static mappings and port forwards deliver inbound traffic to the host regardless, NAT does nothing against attacks carried inside connections the host itself initiates (malicious downloads, malware calling home), and a compromised gateway exposes everything behind it. Defense-in-depth is always required.
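The following is an added example, not code from the book, that models the three NAT types in Table 5.5 as a toy gateway and shows the drop behaviour just described: a reply that matches a flow an inside host opened is translated back, while an unsolicited packet to the shared public address has no entry and is rejected. Inside hosts use 192.168.1.0/24 and the public side uses 192.0.2.0/24 as in the book's examples; the remote addresses (198.51.100.x, 203.0.113.x), the `Packet` type and the class and method names are all assumptions made for this example.

```python
# Added example (not from the book): a toy NAT gateway modelling static NAT,
# pool (dynamic) NAT and PAT. Remote hosts 198.51.100.x / 203.0.113.x are
# constructed documentation addresses.
from dataclasses import dataclass, replace
from itertools import count
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str      # source IP
    sport: int    # source port
    dst: str      # destination IP
    dport: int    # destination port


class NatError(Exception):
    """Raised when a packet cannot be translated (the gateway would drop it)."""


class StaticNat:
    """Static NAT: fixed one-to-one mapping, valid in both directions."""

    def __init__(self, mapping):
        self.fwd = dict(mapping)                               # private -> public
        self.rev = {pub: priv for priv, pub in mapping.items()}

    def outbound(self, p):
        if p.src not in self.fwd:
            raise NatError(f"no static mapping for {p.src}")
        return replace(p, src=self.fwd[p.src])

    def inbound(self, p):
        # Anything addressed to the public address is forwarded, solicited or not.
        if p.dst not in self.rev:
            raise NatError(f"no static mapping for {p.dst}")
        return replace(p, dst=self.rev[p.dst])


class PoolNat:
    """Pool NAT: an inside host leases a public address while active."""

    def __init__(self, first, last):
        lo, hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
        self.free = [str(ipaddress.ip_address(a)) for a in range(lo, hi + 1)]
        self.fwd, self.rev = {}, {}

    def outbound(self, p):
        pub = self.fwd.get(p.src)
        if pub is None:
            if not self.free:
                raise NatError("pool exhausted")   # classic pool-NAT failure mode
            pub = self.free.pop(0)
            self.fwd[p.src], self.rev[pub] = pub, p.src
        return replace(p, src=pub)

    def inbound(self, p):
        if p.dst not in self.rev:
            raise NatError(f"{p.dst} is not leased; dropped")
        return replace(p, dst=self.rev[p.dst])

    def release(self, priv):
        pub = self.fwd.pop(priv)
        del self.rev[pub]
        self.free.append(pub)


class Pat:
    """PAT (NAT overloading): all inside hosts share one public address.
    Flows are told apart by the unique public source port the gateway picks,
    so the reverse table is keyed on that port plus the remote endpoint."""

    def __init__(self, public_ip, first_port=1024):
        self.public_ip = public_ip
        self.ports = count(first_port)
        self.fwd = {}  # (priv_ip, priv_port, remote_ip, remote_port) -> pub_port
        self.rev = {}  # (pub_port, remote_ip, remote_port) -> (priv_ip, priv_port)

    def outbound(self, p):
        key = (p.src, p.sport, p.dst, p.dport)
        pub_port = self.fwd.get(key)
        if pub_port is None:
            pub_port = next(self.ports)
            self.fwd[key] = pub_port
            self.rev[(pub_port, p.dst, p.dport)] = (p.src, p.sport)
        return replace(p, src=self.public_ip, sport=pub_port)

    def inbound(self, p):
        # A reply must match a flow an inside host opened. An unsolicited packet
        # from the Internet has no entry and is dropped: the limited protection
        # the text describes, gone as soon as a port forward is configured.
        hit = self.rev.get((p.dport, p.src, p.sport))
        if p.dst != self.public_ip or hit is None:
            raise NatError(f"no flow for {p.src}:{p.sport} -> :{p.dport}; dropped")
        priv_ip, priv_port = hit
        return replace(p, dst=priv_ip, dport=priv_port)
```

Push two inside hosts through `Pat("192.0.2.20")` with the same source port and both leave with source 192.0.2.20 but different public ports (1024 and 1025); a reply to port 1025 comes back to the second host, while a packet from an unrelated Internet address to port 22 raises `NatError`. The `StaticNat.inbound` path, by contrast, forwards whatever arrives for the mapped public address, which is why a static mapping gives up the hiding benefit entirely.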
NAT can cause problems with applications and protocols that embed IP addresses or ports in upper-layer payloads, or that protect the headers NAT rewrites. IPsec, VoIP, and active FTP are among the affected protocols. The IPsec Authentication Header (AH) computes its integrity check over the IP header, including the source address, so any translation invalidates it; ESP hides the TCP/UDP ports that PAT needs to tell flows apart, which is why IPsec NAT Traversal (NAT-T) wraps ESP in UDP on port 4500. VoIP signaling (SIP and SDP) and active FTP (the PORT command) carry the client's private address in the payload; unless the gateway has an application-layer gateway (ALG) that rewrites it and opens the matching inbound port, the remote end tries to connect back to an unroutable RFC 1918 address and the call or data transfer fails.
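The active FTP case above, as an added example that is not from the book: an FTP client behind NAT sends a PORT command carrying its own address and a listening port in the payload. A plain NAT gateway rewrites only the IP header, so the server would connect back to the private address; an ALG has to parse the command, recognise the RFC 1918 address, and rewrite it to the gateway's public address and a port it has reserved. The helper names (`parse_port`, `needs_alg`, `alg_rewrite`), the public port 1024 and the command lines are constructed for this example.

```python
# Added example (not from the book): why active FTP breaks behind NAT and what
# an ALG does about it. PORT syntax per RFC 959: h1,h2,h3,h4,p1,p2 where the
# address is h1.h2.h3.h4 and the port is p1*256 + p2. Command lines are constructed.
import ipaddress
import re

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")

# RFC 1918 ranges spelled out: Python's ip_address(...).is_private also flags
# documentation and other special-purpose blocks, which is not what we want.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_port(cmd):
    """Return the (ip, port) an FTP client embedded in a PORT command."""
    m = PORT_RE.match(cmd)
    if not m:
        raise ValueError(f"not a PORT command: {cmd!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("octet out of range")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def needs_alg(cmd):
    """True when the embedded address is RFC 1918: the server cannot reach it,
    so the gateway must rewrite the command (and open a pinhole) for active FTP to work."""
    ip, _ = parse_port(cmd)
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)


def alg_rewrite(cmd, public_ip, public_port):
    """What an FTP ALG sends on: the same command with the gateway's public
    address and the public port it reserved for the inbound data connection."""
    parse_port(cmd)  # validate before touching it
    octets = public_ip.replace(".", ",")
    return f"PORT {octets},{public_port // 256},{public_port % 256}"
```

`parse_port("PORT 192,168,1,47,200,21")` yields `("192.168.1.47", 51221)`, which `needs_alg` flags; rewriting it for 192.0.2.20 and port 1024 produces `PORT 192,0,2,20,4,0`, the command the FTP server actually needs to see. Passive-mode FTP avoids the problem on the client side because the server, not the client, names the data endpoint, which is one reason it is the default in most modern clients.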