What protocol can be used to translate a private IP address to a public IP address?

Network Address Translation

As mentioned in the discussion of subnetting, there are a limited number of IP addresses available, and with the proliferation of public networks there is fierce competition to obtain valid IP address space. During the initial rush for public address space, several things became very clear:

  • There is not enough public address space to go around.

  • Not every individual workstation needs a publicly routable IP address.

  • More public networks mean larger routing tables.

To solve issues like these, an Internet protocol called Network Address Translation (NAT) was developed. NAT is used to translate private IP addresses (non-routable) into public IP addresses (routable).

The section on subnetting mentioned that several IP address ranges are reserved for private networks and are not routed on public networks. Many companies have large, internal networks built using those private IP addresses (such as 10.10.10.XXX) but would still like those networks to be able to exchange traffic with the openly routable public networks. To accomplish this, a device (typically a firewall or router) will translate the many private IP addresses into a single or several publicly routable IP addresses.

For example, Acme.com has more than 2,000 workstations and servers using private IP addresses that need connectivity to the Internet. Instead of spending a large amount of time converting all of those IP addresses to publicly routable addresses (which would also be very costly), Acme.com leases a dedicated connection and a few public IP addresses from a local provider and purchases a NAT-capable firewall. Acme.com configures the firewall with one internal and one external interface (the internal interface has an IP address on the 10.10.10.XXX subnet and the external interface has one of the public IP addresses being leased from the service provider).

The firewall is then configured to perform NAT on all internal traffic with a destination outside the Acme.com private network, or Internet-bound traffic. When Internet-bound traffic is pointed at the internal address of the firewall, the firewall stamps the outbound packets with its public, routable address and sends them on their way. When response packets are received from outside sources, the firewall performs NAT in reverse, stripping off its own external, public IP address and stamping the packet with the correct internal, private IP address before sending it on into the private Acme.com network.

Figure 3.7 illustrates an example of NAT being performed. An internal workstation (10.1.1.123) wants to visit the CNN Web site at http://www.cnn.com. When the packet reaches the firewall, the firewall translates the 10.1.1.123 source address to the globally routable 63.69.110.110 address, the IP address of the firewall's externally visible interface. When the CNN Web site responds, it will respond to the firewall's address just as if the firewall had originally requested the information. The firewall must then remember which internal workstation requested the information and route the packet to the appropriate destination.

Figure 3.7 Network Address Translation for Acme.com.

In addition to translating outbound traffic, NAT can be used to provide limited external connectivity to internal resources. For example, your company maintains an intranet server with a private IP address of 10.1.1.12, but you'd like your traveling employees to be able to access that Web server from any external IP address (ISP connection, remote location, and so on) and you don't want to place that Web server outside your NAT-capable firewall. Depending on the firewall's capabilities, you can tell the firewall to take any traffic destined for a specific public IP address (63.69.110.111) and automatically translate that to the internal, private IP address (10.1.1.12).
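The translation table the firewall keeps, sketched as an added example (not code from the original text or from any firewall product). It uses the addresses from the two scenarios above; the port numbers, the per-flow port rewriting and the external hosts 203.0.113.10 and 198.51.100.7 are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]          # (IP address, port)
Packet = Tuple[Endpoint, Endpoint]  # (source, destination)


@dataclass
class NatGateway:
    public_ip: str                                             # external interface address
    static_map: Dict[str, str] = field(default_factory=dict)   # public IP -> private IP
    next_port: int = 40000                                     # constructed port pool start
    out: Dict[tuple, int] = field(default_factory=dict)        # flow -> translated port
    back: Dict[tuple, Endpoint] = field(default_factory=dict)  # reverse lookup for replies

    def outbound(self, proto: str, src: Endpoint, dst: Endpoint) -> Packet:
        """Rewrite the private source to the gateway's public address and record the flow."""
        key = (proto, src, dst)
        if key not in self.out:
            self.out[key] = self.next_port
            self.back[(proto, self.next_port, dst)] = src
            self.next_port += 1
        return (self.public_ip, self.out[key]), dst

    def inbound(self, proto: str, src: Endpoint, dst: Endpoint) -> Optional[Packet]:
        """Translate a packet arriving from outside, or return None to drop it."""
        dst_ip, dst_port = dst
        if dst_ip in self.static_map:             # published server: any source is forwarded
            return src, (self.static_map[dst_ip], dst_port)
        inside = self.back.get((proto, dst_port, src)) if dst_ip == self.public_ip else None
        return (src, inside) if inside else None  # no matching outbound flow: drop


def demo() -> dict:
    gw = NatGateway("63.69.110.110", static_map={"63.69.110.111": "10.1.1.12"})
    web = ("203.0.113.10", 80)          # constructed stand-in for the remote web server
    stranger = ("198.51.100.7", 44000)  # constructed unrelated external host
    sent = gw.outbound("tcp", ("10.1.1.123", 51000), web)
    return {
        "sent": sent,
        "reply": gw.inbound("tcp", web, sent[0]),
        "unsolicited": gw.inbound("tcp", stranger, sent[0]),
        "published": gw.inbound("tcp", stranger, ("63.69.110.111", 80)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The static mapping forwards traffic from any external source, so exposure of 10.1.1.12 is governed by the firewall's filter rules rather than by the translation itself.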

What is Network Address Translation (NAT)?

Network Address Translation (NAT) is the process of mapping one Internet Protocol (IP) address to another by changing the header of IP packets while they are in transit through a router. This helps to improve security and decrease the number of IP addresses an organization needs.

How does Network Address Translation work?

NAT works by selecting gateways that sit between two local networks: the inside network and the outside network. Systems on the inside network are typically assigned IP addresses that cannot be routed to external networks (e.g., networks in the 10.0.0.0/8 block).

A few externally valid IP addresses are assigned to the gateway. The gateway makes outbound traffic from an inside system appear to be coming from one of the valid external addresses. It takes incoming traffic aimed at a valid external address and sends it to the correct internal system.

This helps ensure security because each outgoing or incoming request must go through a translation process that offers the opportunity, for example, to qualify or authenticate incoming streams and match them to outgoing requests.

NAT conserves the number of globally valid IP addresses a company needs and -- in combination with Classless Inter-Domain Routing (CIDR) -- has done a lot to extend the useful life of IPv4 as a result. NAT is described in general terms in IETF RFC 1631.

What are the various types of NAT techniques?

The NAT mechanism ("natting") is a router feature, and is often part of a corporate firewall. NAT gateways can map IP addresses in several ways:

  • from a local IP address to one global IP address statically;
  • hiding an entire IP address space comprised of private IP addresses behind a single IP address;
  • to a large private network through a single public IP address, using translation tables;
  • from a local IP address plus a particular TCP port to a global address or a pool of public IP addresses; and
  • from a global IP address to any of a pool of local IP addresses on a round-robin basis.

In some cases, network administrators define policies that allow the gateway device to assign mappings based on the intended destination ("pick this external address for communications to partner A's area network; pick that external address for communications to partner B's").

Policies can also be used on the protocols being used ("assign out of this pool for HTTP traffic, that pool for HTTPS") or on other factors.

A newer way to use NAT focuses on translating an ISP's IPv4 addresses to IPv6, and vice versa. This provides integration of IPv4 infrastructure and end nodes into IPv6 environments, and allows IPv6 services to interact with IPv4 systems.

Example of the different sections of an IPv6 address.

What is the difference between dynamic NAT (DNAT) and static NAT (SNAT)?

A dynamic NAT is common in larger organizations with complex internal networks. It uses several available IP addresses during the translation.

An example of this can be seen with Cisco, which has developed a technique that uses a NAT overload to map several private IP addresses to a single public IP address.

Conversely, a static NAT, also common in large organizations, provides a 1:1 mapping between an internal IP address and a public network IP address.

This was last updated in July 2021


Which method is used to translate private IP addresses to public IP addresses?

Static (map) network address translation (NAT) provides a one-to-one mapping of private IP addresses to public IP addresses. It allows you to map an IP address on your internal network to an IP address that you want to make public.

What is the protocol in charge of translating private IP addresses to public IP addresses and vice versa?

The IP Network Address Translator (NAT) protocol is a router protocol that allows nodes on a private network to transparently communicate with nodes on an external network and vice versa.

Which protocol is used for IP address translation?

In the TCP/IP protocol, the method most commonly used to resolve server names to network addresses is the Domain Name System (DNS), an Internet directory service developed both to allow local administrators to create and manage the records that resolve server names to IP addresses and to make those records available ...

How do I change my private IP address to a public IP address?

Each device, however, has its own private, or local, IP address.
Search for the Command Prompt and right-click it to Run as administrator.
Enter ipconfig /release.
Enter ipconfig /renew.