The Internet has a very long history of using mechanisms that breathe new life into older technologies, stretching them out so that newer technologies can be delayed or avoided altogether. IPv4 addressing, and the well-known depletion associated with it, is one such area that has seen a plethora of mechanisms employed to give it more shelf life.
In the early 90s, the IETF gave us Classless Inter-Domain Routing (CIDR), which dramatically slowed the growth of global Internet routing tables and delayed the inevitable IPv4 address depletion. Later came DHCP, another protocol which assisted via the use of short term allocation of addresses which would be given back to the provider's pool after use. In 1996, the IETF was back at it again, creating RFC 1918 private addressing, so that networks could utilize private addresses that didn't come from the global pool. Utilizing private address space gave network operators a much larger pool to use internally than would otherwise have been available if utilizing globally assigned address space — but if they wanted to connect to the global Internet, they needed something to translate those addresses. This is what necessitated the development of Network Address Translation (NAT).
In fact, Network Address Translation (NAT), and later Port Address Translation (PAT), played a major role in delaying the exhaustion of IPv4 addresses.
Whenever we access a home, office or campus network, we are on a private network; the moment we connect to the Internet through an ISP, we are on the public network.
To access the public network, we need a valid, registered, globally unique public IP address. Once we have public IP addresses, we assign them to the hosts that need to reach the public network. This can be done either by assigning a public IP directly to each host or with the help of NAT/PAT.
NAT/PAT involves these components:
- Private network and Public network
- Private IP address and Public IP address
- Inside local address (the host's private address) and inside global address (the public address it is translated to)
Types of NAT:
- Static NAT
- Dynamic NAT
- PAT
Working of NAT
Step 1
The host PC11, with the private IP address 192.168.10.11, wants to access the email server gmail.com in the public network. Its connection attempt reaches the router first.
Step 2
The router matches the private source address against its NAT rules and allocates a valid public IP address, e.g., 119.18.50.4, from the defined pool of public addresses (allotted by the ISP).
Step 3
The router also makes an entry in its NAT table for PC11.
Step 4
PC11's traffic now leaves the router with the public source IP 119.18.50.4, and with this public IP it can reach the public network and access the server gmail.com.
Step 5
When the response is received from gmail.com, the router checks its NAT table and forwards the response to the matching host, here PC11.
This is the basic way the router handles the NAT.
Selection of the NAT type
There are basically three situations for using the NAT/PAT:
Situation 1
When we need to allocate a fixed public IP address to a particular private IP address, this one-to-one mapping is 'Static NAT'. For example, we have a web server in our private network and we want to allow users from the Internet (the public network) to access that web server.
Situation 2
When we have a pool of public IP addresses and the allocation of these addresses to private IP addresses is neither predefined nor fixed, this is 'Dynamic NAT'. It works on a 'first come, first served' basis, and the same public IP can be allocated to another host after use.
Situation 3
Each public IP address costs money. To overcome this, we can use PAT, which allocates a single public IP address to many private IP addresses simultaneously, distinguishing the hosts by separate port numbers.
Configuration of NAT/PAT
We will use this diagram for our configuration.
Interface Ethernet0/0 is connected to the inside network and has the network address 192.168.10.0/24.
Interface Ethernet0/1 is connected to the DMZ network and has the network address 172.16.1.0/24.
Interface Serial4/0 is connected to the ISP network and has the network address 100.100.100.0/30.
We need to configure default route on Luminis-R, to access anything on the Internet.
On the ISP router, configure the static route as given below:
Static NAT
In the DMZ network, we have a web server hosting the website LuminsIndia.com. Users from the outside network (Internet) can access this server. The public IP address we will use is 119.18.50.64.
The configuration of 'Static NAT' for this network is:
Dynamic NAT
In the inside network, we can have 254 hosts as per the network address 192.168.10.0/24. We have a pool of 10 public IP addresses (119.18.50.1- 119.18.50.10).
Verification:
PC11 to gmail.com
NAT translation table
PC11 to hotmail.com
NAT translation table
PC22 to gmail.com
NAT translation table
PC22 to hotmail.com
NAT translation table
PC33 to gmail.com
NAT translation table
PC33 to hotmail.com
NAT translation table
Luminis-Server to gmail.com and hotmail.com
NAT translation table
Gmail-Server to Luminis-Server
Hotmail-Server to Luminis-Server
Dynamic NAT allows only n hosts to access the Internet at the same time, where n is the number of public IP addresses in its pool. This type of NAT does not scale well, and its replacement is Port Address Translation.
Port Address Translation (PAT)
When we are connected to the Internet, we necessarily have a public IP address for that connection. In PAT we can use that same IP when allocating public addresses to multiple hosts inside the private network.
How is it possible to assign a single IP to multiple devices?
PAT shares a single IP between multiple devices with the help of ports. There are 65,536 port numbers, so a single IP address can serve as many devices as there are ports available at that time. Theoretically, more than 64,000 sessions can share a single public IP address.
Clear the NAT translation table with the following command:
Configure PAT with this command:
The keyword overload is what turns the configuration into PAT.
Verification:
PC11 to gmail.com and hotmail.com
NAT translation table
PC22 to gmail.com and hotmail.com
NAT Translation Table
In the NAT translation table, a single public IP address is used for both hosts PC11 and PC22, and their sessions are distinguished by the port number.
Last Words
NAT's contribution to the reliability and continued existence of the networked society as we know it today has turned out to be extremely valuable. Conservation of IP addresses, through NAT overloading in particular, is the primary benefit of NAT. Private networks also hide their real addressing, which keeps their internal topology from being revealed to the outside world.
Something important to keep in mind is that a NAT implementation tries to preserve the original source port all the way through the translation.
NAT worked very well for many, many years and slowed address depletion a great deal. But in order to perform the translation, you still needed at least one globally routable IP address. As such, NAT only slowed depletion rather than preventing it: carriers were still required to provide that globally routable IP from their own address space. With the explosive growth of the Internet of Things, carriers likewise began to run out of address space to allocate.
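To make the walk-through in "Working of NAT", the host limit of dynamic NAT, the port overloading of PAT and the source-port preservation mentioned just above concrete, here is an added Python model of a NAT router's translation table. It is an illustration written for this article, not Cisco IOS configuration and not the author's lab output. It reuses the article's dynamic pool (119.18.50.1 to 119.18.50.10) and the web server's public address 119.18.50.64; the web server's DMZ address 172.16.1.10, the PAT address 100.100.100.1 and the outside addresses 198.51.100.25 and 203.0.113.7 are constructed for the example.

```python
from dataclasses import dataclass, replace
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple

# Pool and public web-server address come from the article; the rest is constructed.
DYNAMIC_POOL = [str(IPv4Address("119.18.50.1") + i) for i in range(10)]  # .1 to .10
PAT_ADDRESS = "100.100.100.1"            # assumed: Serial4/0 address facing the ISP
WEB_SERVER = ("172.16.1.10", "119.18.50.64")  # (DMZ address assumed, public IP from text)
OUTSIDE_SERVER = "198.51.100.25"          # stands in for gmail.com
OUTSIDE_CLIENT = "203.0.113.7"            # an Internet user reaching the web server

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

Key = Tuple[str, int]   # (address, port); port 0 means "all ports" (static entries)

class NatRouter:
    """Toy NAT router: 'static', 'dynamic' (one public IP per host) or 'pat' (overload)."""

    def __init__(self, mode: str, pool: List[str]) -> None:
        if mode not in ("static", "dynamic", "pat"):
            raise ValueError(mode)
        self.mode = mode
        self.free_addresses = list(pool)       # dynamic NAT: addresses not yet leased
        self.table: Dict[Key, Key] = {}        # inside local -> inside global (NAT table)
        self.reverse: Dict[Key, Key] = {}      # inside global -> inside local (for replies)
        self.used_ports: Dict[str, set] = {ip: set() for ip in pool}

    def _bind(self, local: Key, glob: Key) -> None:
        self.table[local] = glob
        self.reverse[glob] = local

    def add_static(self, inside_local: str, inside_global: str) -> None:
        """Static NAT: fixed one-to-one mapping for every port, created by configuration."""
        self._bind((inside_local, 0), (inside_global, 0))

    def _allocate(self, src_ip: str, src_port: int) -> Optional[Key]:
        if self.mode == "dynamic":
            # A host that already holds a leased address keeps it for all its ports.
            for (ip, _), (glob_ip, _) in self.table.items():
                if ip == src_ip:
                    return (glob_ip, src_port)
            if not self.free_addresses:
                return None                    # pool exhausted: the (n+1)th host is refused
            return (self.free_addresses.pop(0), src_port)
        if self.mode == "pat":
            glob_ip = self.free_addresses[0]   # every host shares the one address
            used = self.used_ports[glob_ip]
            # Preserve the original source port when free; otherwise pick another one.
            port = src_port if src_port not in used else next(
                p for p in range(1024, 65536) if p not in used)
            used.add(port)
            return (glob_ip, port)
        return None                            # static-only router: nothing to hand out

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Inside -> outside: rewrite the source; None means no translation available."""
        static = self.table.get((pkt.src_ip, 0))
        if static:
            return replace(pkt, src_ip=static[0])
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.table:
            glob = self._allocate(pkt.src_ip, pkt.src_port)
            if glob is None:
                return None
            self._bind(key, glob)              # Step 3 of the walk-through: table entry
        glob_ip, glob_port = self.table[key]
        return replace(pkt, src_ip=glob_ip, src_port=glob_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside: find the table entry and rewrite the destination (Step 5)."""
        static = self.reverse.get((pkt.dst_ip, 0))
        if static:
            return replace(pkt, dst_ip=static[0])
        local = self.reverse.get((pkt.dst_ip, pkt.dst_port))
        if local is None:
            return None                        # no entry: unsolicited packet is dropped
        return replace(pkt, dst_ip=local[0], dst_port=local[1])

def demo_dynamic() -> Tuple[int, Optional[Packet]]:
    """Eleven inside hosts against a ten-address pool: ten get out, the last is refused."""
    router = NatRouter("dynamic", DYNAMIC_POOL)
    translated, last = 0, None
    for host in range(11, 22):                 # PC11 .. PC21
        last = router.outbound(Packet(f"192.168.10.{host}", 40000 + host, OUTSIDE_SERVER, 443))
        if last is not None:
            translated += 1
    return translated, last

def demo_pat() -> List[Optional[Packet]]:
    """PC11 and PC22 use the same source port; PAT keeps one and re-maps the other."""
    router = NatRouter("pat", [PAT_ADDRESS])
    out11 = router.outbound(Packet("192.168.10.11", 50000, OUTSIDE_SERVER, 443))
    out22 = router.outbound(Packet("192.168.10.22", 50000, OUTSIDE_SERVER, 443))
    reply = Packet(OUTSIDE_SERVER, 443, out22.src_ip, out22.src_port)  # server answers PC22
    return [out11, out22, router.inbound(reply)]

def demo_static() -> Tuple[Optional[Packet], Optional[Packet]]:
    """Static NAT for the DMZ web server; a packet to an unmapped public IP goes nowhere."""
    router = NatRouter("static", [])
    router.add_static(*WEB_SERVER)
    known = router.inbound(Packet(OUTSIDE_CLIENT, 51515, "119.18.50.64", 80))
    unknown = router.inbound(Packet(OUTSIDE_CLIENT, 51515, "119.18.50.65", 80))
    return known, unknown

if __name__ == "__main__":
    print(demo_dynamic())
    print(demo_pat())
    print(demo_static())
```

In `demo_pat`, PC11's session keeps source port 50000 on the shared address while PC22's identical port is re-mapped to the first free port above 1023, so the reply to 100.100.100.1:1024 is delivered to 192.168.10.22:50000; that is the port-based distinction visible in the PAT verification table, and `demo_dynamic` shows the eleventh host being refused once the ten-address pool is used up.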
NAT came to the rescue again. Carriers took notice of the success of NAT in enterprise environments and wanted to do the same within their own networks; after all, if it worked for customers it should work for carriers too. This prompted the IETF to develop Carrier Grade NAT (CGN), also known as Large Scale NAT (LSN). CGN provides a similar solution for carriers by removing the need to allocate public address space to each customer. By deploying CGN, carriers can over-subscribe their pool of global IPv4 addresses while still providing seamless connectivity, i.e. no truck roll.
So while the world is spared from address depletion yet again, the use of CGN opens a new can of worms for carriers. A single globally routable IP no longer represents a single enterprise or customer; because of the huge over-subscription afforded by CGN, one IP can serve potentially thousands of customers. The caveat is that any successful DoS or DDoS attack against that address has the potential to affect a very large number of users simultaneously.
What do you think of NAT/PAT and now CGN?
Your feedback is very valuable. Kindly spare a minute to leave your comment here.
Thanks,
This Article Was Written & published by Meena R, Senior Manager - IT, at Luminis Consulting Services Pvt. Ltd, India.
Over the past 16 years, Meena has built a following of IT professionals, particularly in Cybersecurity, Cisco Technologies, and Networking...
She is so obsessed with Cybersecurity domain that she is going out of her way and sharing hugely valuable posts and writings about Cybersecurity on website, and social media platforms.
30,000+ professionals are following her on Facebook and mesmerized by the quality of content of her posts on Facebook.