December 15, 2022
CISSP Study Guide: Network Address Translation (NAT)
Organizations that use private IP addresses can keep private addressing inside their network while still reaching the Internet by implementing Network Address Translation (NAT). NAT is defined in RFC 1631 and allows hosts that don’t have a valid registered IP address to communicate across the Internet. Hosts using private addresses, or addresses that aren’t Internet-routable, can still exchange traffic with other hosts on the web. This is achieved by substituting a registered IP address for the private address whenever the host interacts with other hosts on the Internet: NAT rewrites the private IP address to a publicly registered IP address inside each IP packet.
There are several types of NAT: Static NAT; Dynamic NAT; Overloading NAT with Port Address Translation (PAT).
Static NAT: the private and registered IP addresses are paired in a fixed, predefined way, so the NAT router is configured with a one-to-one mapping between each private address and the registered address used on its behalf. Supporting a second IP host on the private network requires a second static one-to-one mapping using a second IP address from the public address space; in other words, the number of hosts supported equals the number of registered IP addresses available.
Dynamic NAT: is similar to static NAT in that the NAT router creates a one-to-one mapping between an inside local and an inside global address and rewrites the IP addresses in packets as they leave and enter the inside network; however, this mapping is created automatically. This is achieved by defining a pool of possible inside global addresses and specifying criteria for the set of inside local IP addresses whose traffic should be translated with NAT.
With a dynamic NAT router, you can list more IP addresses in the inside local address list than exist in the inside global address pool. Once the registered public IP addresses have been placed in the inside global address pool, the router assigns addresses from the pool until all are allocated. If a new packet arrives that needs a NAT entry while all the pooled IP addresses are already assigned, the router discards the packet. The user then needs to retry until an existing NAT entry times out, freeing an address so the NAT function can translate traffic for the next host that sends a packet. This limitation can be resolved with the use of Port Address Translation.
Port Address Translation (PAT): PAT, also known as overloading NAT, is implemented in networks where the majority of IP hosts need to connect to the Internet. If private IP addresses are used with one-to-one translation, the NAT router requires an extensive list of registered IP addresses: with static NAT, each private IP host requiring Internet access needs its own publicly registered IP address. If a large portion of the IP hosts rely on Internet access during business hours, a substantial number of registered IP addresses would be required. These situations can be resolved by overloading with port address translation.
Overloading allows NAT to support many clients with a minimal number of public IP addresses. To support multiple inside local IP addresses with only a small number of inside global, publicly registered IP addresses, NAT overload implements Port Address Translation (PAT), translating the port number as well as the IP address. When NAT establishes the dynamic mapping, it selects an inside global IP address and assigns a unique port number to that address. The NAT router records every unique combination of inside local IP address and port, and translates it to the inside global address together with a unique port number associated with that inside global address. The port number field has 16 bits, allowing NAT overload to use more than 65,000 port numbers, so it scales well without relying on numerous registered IP addresses.
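To make the difference between dynamic NAT pool exhaustion and PAT overloading concrete, here is a small simulation written for this guide (it is an added example, not code from the original article). The public pool, host addresses and starting port are constructed values; a real router's port selection and timeout behaviour will differ.

```python
# Added example: a toy NAT router that models the translation table described above.
# Dynamic NAT maps one inside local address to one pooled inside global address;
# PAT (overload) maps each (inside address, port) flow to ONE public address plus a
# unique port, so it never runs out of addresses for new hosts.
class NatRouter:
    def __init__(self, pool, overload=False):
        self.pool = list(pool)          # inside global (registered) addresses
        self.overload = overload        # False = dynamic NAT, True = PAT
        self.host_map = {}              # dynamic NAT: inside ip -> inside global ip
        self.flow_map = {}              # PAT: (inside ip, port) -> (global ip, port)
        self.next_port = 1024           # constructed starting port for PAT

    def translate(self, inside_ip, inside_port):
        """Return the (inside global ip, port) used for an outbound packet,
        or None when the router must discard the packet."""
        if self.overload:
            key = (inside_ip, inside_port)
            if key not in self.flow_map:
                if self.next_port > 65535:          # 16-bit port field exhausted
                    return None
                self.flow_map[key] = (self.pool[0], self.next_port)
                self.next_port += 1
            return self.flow_map[key]
        if inside_ip not in self.host_map:
            used = set(self.host_map.values())
            free = [ip for ip in self.pool if ip not in used]
            if not free:                            # pool exhausted: packet dropped
                return None
            self.host_map[inside_ip] = free[0]
        return (self.host_map[inside_ip], inside_port)   # port left untouched

    def release(self, inside_ip):
        """Simulate a dynamic NAT entry timing out, freeing its pooled address."""
        self.host_map.pop(inside_ip, None)

def demo():
    # Constructed sample data: two public addresses (RFC 5737 documentation range)
    # and three private hosts that all want Internet access at the same time.
    pool = ["203.0.113.10", "203.0.113.11"]
    hosts = [("10.0.0.%d" % i, 40000 + i) for i in range(1, 4)]
    dynamic = NatRouter(pool)
    dyn_results = [dynamic.translate(ip, port) for ip, port in hosts]   # third host: None
    pat = NatRouter(pool, overload=True)
    pat_results = [pat.translate(ip, port) for ip, port in hosts]       # all succeed
    return dyn_results, pat_results

if __name__ == "__main__":
    print(demo())
```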
NAT is also used by organizations that use a network number registered to another company instead of private addresses. When an organization uses a network number registered to a different organization, and both have Internet access, NAT can be used to translate both the source and the destination IP addresses. Both the originating and destination addresses must be modified as the packet passes through the NAT router.