So we all use NAT daily, but what is it really doing? This is more of a ‘beginners’ guide than anything else. The IPv4 address space is rapidly running out. A long time ago, if you were a company with 150 users needing internet access, you would need a /24 public IP block. Essentially any device needing internet access would need to have a public, routable IP. Bigger companies needed much bigger blocks and so some were even given /16′s – Enough addresses to give 65536 devices a public IP. However this was never going to work forever. The IPv4 block is limited in size so we could not simply give all companies /16′s – Not only that but home users started needing more than a single IP address. ISP’s did not have enough IP’s to give each customer 8 or 16 addresses. S NAT was introduced. Essentially NAT ‘translates’ an IP address from one to another. This allows you to use RFC1918 addresses internally. Essentially this gives you 16 843 007 addresses to use, and that can all be ‘translated’ behind a single public IP address (or range, it doesn’t matter) Not only that, but that SAME RFC1918 address space can be used by everyone. It doesn’t matter it my home PC and your home PC are both 192.168.1.1, as these will be translated when going off to the internet. But what exactly is happening? I think we need an analogy here. Let’s imagine that you and I live in the same street. Let’s also imagine that you and I both live in an apartment block (or flat as well call it in the U.K.) Let’s also say that I live in apartment 10 in my building and you live in apartment 10 in yours. How will the postman be able to deliver our post correctly if we both live at number 10 in the same street? That’s easy in the real world. Each building on the street will have it’s own number. All the public numbers on the street have to be unique. You can’t have 2 number 10 Bond Streets. A similar thing is happening when you NAT traffic, but your router/firewall/NAT device is going to do all the hard work for you. Let’s way through an example. I’m now at home and want to go to Cisco.com. My PC’s IP address is 192.168.1.10. Let’s also say my wife wants to get to Cisco.com at the same time. Her laptop’s IP address is 192.168.1.20. My laptop will source an IP packet that has a source address of 192.168.1.10 and a destination of 18.104.22.168. My wife’s laptop will source an IP packet with a source of 192.168.1.20 and a destination of 22.214.171.124. Let’s pretend that my public IP is 126.96.36.199 – When these packets hit my router, the router will take my packet and change the source IP to 188.8.131.52 and use a high random port number (eg: 184.108.40.206:5000) and then send the packet off to Cisco.com. It will then take my wife’s packet and do the same, but use a different port. As an example let’s use 220.127.116.11:600 and also send it off to Cisco.com. Cisco.com now receives both packets, and responds to both of them. When responding to mine, it’ll reply with a destination of 18.104.22.168:500. when it replies to my wife’s, it’ll reply with a destination of 22.214.171.124:600 As this is a public address, it goes back to my router. Once there, the router will check the destination port. When it sees a port of 500, it knows that it created this port session earlier, and the original IP was 192.168.1.10. It will strip the destination IP address and insert 192.168.1.10 and then send it off on the LAN. The same thing happens for the next packet. The router will convert 126.96.36.199:600 to 192.168.1.20 and send it off to the LAN.
Let’s have a look at a real world example. I’ve set up NAT through a Juniper SSG and these are the logs:
Here I’ve initiated pings from 2 internal machines to the same external IP address. You can see 10.1.1.50 is my first machine and 10.1.1.51 is my second. As far as 188.8.131.52 is concerned, all these pings are coming from the same 192.168.1.3 external address. The firewall will keep a session table and will know what to change the destination IP to when the packet comes back. Unfortunately I cannot actually show this in the picture above :(
Note that NAT can actually be used more than once in the same path. If you notice in the picture above I’m actually getting to 184.108.40.206 via 192.168.1.3. How is that possible when 192.168.1.3 is a private address? I’m actually NAT’d once more through a ZyXEL router. NAT can be layered many times, but it’s not something I would do.