
Network Address Translation

This lecture presents the following topics:
- What is NAT?
- Benefits of NAT
- Types of NAT
What is NAT?
Network Address Translation (NAT) is a service that modifies address and/or port
information within network packets as they pass through a computer or network
device. The device performing NAT on the packets can be the source of the packets,
the destination of the packets, or an intermediate device on the path between the
source and destination devices.
NAT was originally designed to help conserve the number of IP addresses used by the
growing number of devices accessing the Internet, but it also has important
applications in network security.
The computers on an internal network can use any of the addresses set aside by the
Internet Assigned Numbers Authority (IANA) for private addressing (see also RFC
1918). These reserved IP addresses are not in use on the Internet, so an external
machine will not directly route to them. The following addresses are reserved for
private use:
- 10.0.0.0 to 10.255.255.255 (CIDR: 10.0.0.0/8)
- 172.16.0.0 to 172.31.255.255 (CIDR: 172.16.0.0/12)
- 192.168.0.0 to 192.168.255.255 (CIDR: 192.168.0.0/16)
To this end, a NAT-enabled router can hide the IP addresses of an internal network
from the external network by replacing the internal, private IP addresses with public
IP addresses that have been provided to it. These public IP addresses are the only
addresses that are ever exposed to the external network. The router can manage a
pool of multiple public IP addresses, from which it can dynamically choose when
performing address replacement.
Be aware that, although NAT can minimize the possibility that internal computers
make unsafe connections to the external network, it provides no protection to a
computer that, for one reason or another, connects to an untrusted machine.
Therefore, you should always combine NAT with packet filtering and other features
of a complete security policy to fully protect your network.
Benefits of NAT
NAT confers several advantages:
- NAT conserves public Internet address space.
Any number of hosts within a local network can use private IP addresses instead
of consuming public IP addresses. The addresses of packets that are transmitted
from this network to the public Internet are translated to the appropriate public
IP address. This means that the same private IP address space can be re-used
within any number of private networks, as shown in the Figure.
- NAT enhances security.
IP addresses within a private (internal) network are hidden from the public
(external) network. This makes it more difficult for hackers to initiate an attack
on an internal host. However, private network hosts are still vulnerable to attack,
and therefore NAT is typically combined with firewall functionality.
- NAT is seamless.
Standard client/server network services work without modification through a
NAT-enabled device.
- NAT facilitates network migration from one address space to another.
The address space within a NATted private network is independent of the public
IP address. This means that the private network can be moved to a new public IP
address without changing network configurations within the private network.
Likewise, the addressing within the private network can change without affecting
the public IP address.
- NAT simplifies routing.
NAT reduces the need to implement more complicated routing schemes within
larger local networks.
Types of NAT
There are three main types of NAT:
- Source NAT. This is also called SNAT. "Masquerade" NAT is a special type of SNAT.
- Destination NAT. This is also called DNAT.
- Bidirectional NAT. When both SNAT and DNAT are configured, the result is
bidirectional NAT.
Source NAT (SNAT)
SNAT is the most common form of NAT. SNAT changes the source address of the
packets passing through the Vyatta system. SNAT is typically used when an internal
(private) host needs to initiate a session to an external (public) host; in this case, the
NATting device changes the source host's private IP address to some public IP
address, as shown in the Figure. In "masquerade" NAT (a common type of SNAT),
the source address of the outgoing packet is replaced with the primary IP address of
the outbound interface. The destination address of return packets is automatically
translated back to the source host's IP address.
The NATting device tracks information about the traffic flow so that traffic from the
flow can be correctly forwarded to and from the source host.
Destination NAT (DNAT)
While SNAT changes the source address of packets, DNAT changes the destination
address of packets passing through the Vyatta system. DNAT is typically used when
an external (public) host needs to initiate a session with an internal (private) host; for
example, when a subscriber accesses a news service, as shown in the Figure below. The
source address of the return packets is automatically translated back, so the external
host sees the replies coming from the public address it originally contacted.
Bidirectional NAT
Bidirectional NAT is just a scenario where both SNAT and DNAT are configured at
the same time. Bidirectional NAT is typically used when internal hosts need to
initiate sessions with external hosts AND external hosts need to initiate sessions with
internal hosts. The Figure shows an example of bidirectional NAT.
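The following is an added example, not code from the lecture or from any router vendor, that ties together the passages on private addressing, SNAT (masquerade and address pool), DNAT and bidirectional NAT in one small model. It assumes nothing from the text beyond the three RFC 1918 ranges; the class names, the flow-tracking scheme and the sample addresses are constructed for illustration (203.0.113.x and 198.51.100.x are RFC 5737 documentation ranges standing in for public addresses). It shows the part the prose only alludes to, namely the connection-tracking table the NATting device must keep so that return packets of an SNATed flow reach the original internal host, replies from a DNATed service leave with the published public address, and an unsolicited packet to an unpublished port has no translation and is dropped.

```python
"""Toy NAT device: SNAT (masquerade or address pool), DNAT, and the connection
tracking that lets return traffic find its way back.

Added example for the lecture, not vendor code. Class names, the 203.0.113.x /
198.51.100.x "public" addresses (RFC 5737 documentation ranges) and the sample
flows are all constructed for illustration.
"""
from dataclasses import dataclass, replace
from itertools import cycle
import ipaddress

# The three RFC 1918 blocks listed in the lecture.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    """True only for RFC 1918 space; narrower than ipaddress's is_private,
    which also flags loopback, link-local and other special-purpose blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

    def key(self):
        """5-tuple as the packet arrives at the NAT device."""
        return (self.proto, self.src, self.sport, self.dst, self.dport)


class NatDevice:
    """snat_pool: public addresses used for outbound SNAT (a one-address pool
    holding the outside interface address is 'masquerade').
    dnat_map: (public_addr, public_port) -> (private_addr, private_port)."""

    def __init__(self, snat_pool, dnat_map=None, first_port=1024):
        self._pool = cycle(snat_pool)
        self.dnat_map = dict(dnat_map or {})
        self._next_port = first_port
        # Connection tracking: arriving 5-tuple -> (src, sport, dst, dport) to
        # write. Each flow gets one entry per direction so replies are untranslated.
        self.conntrack = {}

    @staticmethod
    def _rewrite(pkt, fields):
        src, sport, dst, dport = fields
        return replace(pkt, src=src, sport=sport, dst=dst, dport=dport)

    def outbound(self, pkt):
        """Inside -> outside. Replies to DNATed flows hit conntrack and are
        un-DNATed; new flows from private sources are SNATed."""
        hit = self.conntrack.get(pkt.key())
        if hit is None:
            if not is_rfc1918(pkt.src):
                return pkt  # nothing private to hide: forward untouched
            pub = next(self._pool)
            while (pub, self._next_port) in self.dnat_map:  # never hand out a published port
                self._next_port += 1
            port, self._next_port = self._next_port, self._next_port + 1
            hit = (pub, port, pkt.dst, pkt.dport)
            self.conntrack[pkt.key()] = hit
            # Mirror entry for the server's replies: back to the internal host.
            self.conntrack[(pkt.proto, pkt.dst, pkt.dport, pub, port)] = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return self._rewrite(pkt, hit)

    def inbound(self, pkt):
        """Outside -> inside. Returns for SNATed flows and requests to published
        services are translated; anything else is dropped (None)."""
        hit = self.conntrack.get(pkt.key())
        if hit is None:
            target = self.dnat_map.get((pkt.dst, pkt.dport))
            if target is None:
                return None  # unsolicited traffic to an unpublished port
            priv, pport = target
            hit = (pkt.src, pkt.sport, priv, pport)
            self.conntrack[pkt.key()] = hit
            # Mirror entry so the service's reply leaves from the public address.
            self.conntrack[(pkt.proto, priv, pport, pkt.src, pkt.sport)] = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return self._rewrite(pkt, hit)


def demo():
    """Bidirectional NAT: masquerade for outbound clients plus one published service."""
    nat = NatDevice(snat_pool=["203.0.113.1"],
                    dnat_map={("203.0.113.1", 80): ("192.168.1.10", 8080)})
    # 1. Internal client opens a session to an external server (SNAT/masquerade);
    #    the server's reply is translated back to the client.
    out = nat.outbound(Packet("192.168.1.50", 40000, "198.51.100.7", 443))
    back = nat.inbound(Packet("198.51.100.7", 443, out.src, out.sport))
    # 2. External subscriber reaches the published service (DNAT); the reply
    #    leaves with the public address the subscriber contacted.
    req = nat.inbound(Packet("198.51.100.9", 51000, "203.0.113.1", 80))
    reply = nat.outbound(Packet(req.dst, req.dport, req.src, req.sport))
    # 3. Unsolicited packet to an unpublished port on the public address: dropped.
    probe = nat.inbound(Packet("198.51.100.9", 52000, "203.0.113.1", 22))
    return out, back, req, reply, probe
```

Running `demo()` returns the five packets as the device would forward them; with a pool of several addresses in `snat_pool`, successive new flows are spread across the pool, which is the dynamic address choice the lecture mentions. The model deliberately has no timeouts or TCP state, so it says nothing about when real devices expire conntrack entries.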