Network Address Translation (NAT)

With a WAN connection and an IP address, just about anyone can get on the Internet; its just too bad valid IP address space is so scarce and expensive. You can try renumbering your IP network to resolve conflicts, but renumbering takes time, and you risk breaking legacy applications in the process.

Additionally, with address space so tight, obtaining a registered IP address from your service provider can be difficult, not to mention expensive. IPv6 will resolve the address-space crunch, but many organizations have committed to using unregistered addresses for their networks, and the move from IPv4 to IPv6 won't happen overnight.

So, if you are planning to get onto the Internet now, you will need registered address space from your provider. NAT (Network Address Translation) can soothe some of your headaches.

NAT resolves IP address conflicts by replacing unregistered addresses with registered ones in IP packets (though the fact that NAT changes IP addressing in the packets leads IP purists to consider NAT an ugly hack).

NAT functionality is built into devices such as network routers, firewalls, ISDN routers and standalone NAT devices. NAT devices maintain state tables that map unregistered IP addresses on one side of the devices to registered addresses on the other side.

Each packet that is part of the NAT and passes through the device is translated to the proper address before being moved to the next hop. While this necessitates some processing overhead, the hit on most networks is negligible, unless you are applying NAT to a large number of hosts on a very fat pipe.

Be aware that NAT is not a security scheme and delivers no safeguards to your network. NAT masquerades IP addresses on the external interface, but this won't stop covert tricks to snoop on connections, steal sessions or otherwise compromise your network. Security such as packet filtering, tunneling and firewalling are provided by other mechanisms.

But at the same time, NAT is becoming more common on devices that examine IP packets, such as firewalls and routers; since these devices are already in the packet, the processing to swap addresses is minimal.

There are three kinds of NAT: static NAT, pooled NAT and port-level NAT (sometimes referred to as Port Address Translation, or PAT). Static NAT is the simplest to set up. Each host on the internal network is permanently mapped to an address on the external network. Pooled NAT defines a pool of addresses on the external network that are allocated dynamically to internal hosts. PAT maps internal connections to a single IP address on the external network, but with a TCP port number selected by the NAT device. Depending on what you want to accomplish, each strategy has advantages and disadvantages. The router or NAT device listens for packets that it knows about and translates the source or destination addresses as needed before passing them out another interface. This allows privately addressed machines to access resources otherwise unavailable. We have successfully mixed static NAT and pooled NAT on our Cisco Systems 4700 router. By mixing the two NAT types we were able to offer services from the unregistered address space with static NAT. However, with pooled NAT, we could allow access to the public network without having to configure each workstation.

For example, we have a Windows NT server running Microsoft Corp. Internet Information Server in our 192.168.0.0 network. This is the reserved Class B address for one of our test networks, which can't be assigned to public devices.

In order for the server to access resources on our public subnet, we have added static routes to those servers directing traffic back to our Cisco 4700 router, which interconnects our test networks with our public subnet. We don't advertise the test network via RIP (Routing Information Protocol), thus making it inaccessible to anyone outside the test environment.

This configuration allows us to reach local resources, but we often need to go directly to the Internet, and our private addresses prevent it. We set up a NAT pool on the Cisco 4700 to translate packets from the private network to one of the pooled addresses. This enabled our test devices to access any server on the Internet.

Once the NAT address has been assigned from the pool of available addresses, two-way connections can occur--meaning we can make TCP and UDP (User Datagram Protocol) connections to the Internet and outsiders can make TCP and UDP connections back to us, provided they know the necessary public network address.

With this type of configuration, we can overbook our NAT addresses and serve a larger user population with fewer addresses. Static NAT requires a distinct public address for every private address to go through translation.

Keep in mind that when the pool of available addresses is depleted, subsequent connections will fail. Luckily, some NAT routers can be configured to time-out NATs. For example, we set our Cisco 4700 router to delete NAT entries after 15 minutes. We've found that individual outbound connections rarely require longer sessions, but your mileage may vary. Since most Internet and intranet connections are brief, shorter time limits may be acceptable.

While pooled NAT provides some flexibility in your network, NAT breaks a number of network services. For example, SNMP managers track devices by their network addresses, but using NAT means those addresses are bound to change over time--today's server may be tomorrow's workstation. A possible workaround assigns a range of NAT addresses to a DHCP pool in the SNMP platform. You can then configure the SNMP manager not to set alarms when the workstation isn't responding, in the event the NAT device fails or the workstation is powered off.

Remote-access vendors for consumer-based remote dial-up devices heavily use PAT, the alternative to static or pooled NAT. Instead of translating network addresses traversing public and private networks, PAT uses a single registered network address, and maps TCP/IP and UDP/IP network and port pairs to the NAT device's registered address and an available port number above 1023. PAT can give you approximately 64,500 simultaneous TCP/IP or UDP/IP connections on a single IP address.

However, the actual number of workstations that can be supported is somewhat lower, because many intranet applications, such as HTTP, are actually made up of many smaller connections.

Using PAT on a public network, TCP and UDP traffic appears to come from a single address. The advantage is clear for SOHO (small office/home office) setups and remote medium-sized offices that are connecting to the Internet via an ISP: If you're using a remote-access device that supports PAT, a single IP address is all that you need for your entire network.

In fact, many SOHO remote-access devices support dynamic IP address assignment via PPP. Your ISP need not support your NAT and in fact will be unaware of it. If you ever switch to a different ISP, you won't have to change your IP networking. Obviously, there is a trade-off when you have multiple users sharing a modem or ISDN BRI link, but the savings in both ISP charges and management are well worth it.

Up to this point, we have talked about using NAT and PAT to make registered addresses available for use by workstations with unregistered addresses. Another interesting use of NAT is as an alternative to DNS round-robin for load-balancing busy servers. DNS round-robin resolves multiple IP addresses to a single DNS name. The DNS server will step through the IP address entries when it replies to DNS name requests. The effect is to have many IP addresses resolvable by the same name. For example, an HTTP server farm can be load-balanced with DNS round-robin. However, IP clients cache the DNS/IP address resolution locally, so each subsequent request goes to the same IP addresses, thwarting DNS round-robin.

With NAT-based load-balancing, the router or NAT device charged with load-balancing relates multiple private-destination IP addresses to a single public IP address. Each subsequent TCP connection request is sent to the next private IP address in the NAT. NAT simplifies load-balancing by eliminating the need to change DNS tables. In addition, the cached DNS requests on client machines won't alter the load-balancing, unlike DNS round-robin. But of course, NAT load-balancing will only work with NAT, not PAT.

Whenever you alter IP addressing, you need to think carefully about the impact on any security scheme you have in place.

For example, firewalls use IP addresses, along with TCP port numbers, destination addresses and sometimes other information in the IP header, to decide whether or not to block network traffic. Depending on where you place your NAT device, you may have to alter your firewall rules, because NAT changes the source or destination addresses, depending on direction.

If a NAT device, such as an internal router, is placed on the protected side of the firewall, you will have to change any firewall rules that govern traffic flow to and from the private network behind the NAT device. In many setups, NAT is implemented on the firewall, providing control of both access to the network and to address translation. You should not place the NAT outside your firewall unless you can tightly restrict which network connections are translated. Any mischievous hackers who can fool the NAT into thinking they have a legitimate connection will be able to access your network as if they were authorized users.

If your enterprise is stepping out to the edge of networking technology and implementing a virtual private network (VPN) using IPSec (IP Security), misplacement of the NAT will break your VPN. Essentially, you need to place your NAT device on the protected sides of the VPN, not in the middle, because NAT changes the IP address field of the IP packet, one of the untouchable fields in the IPSec header. IPSec secures the entire packet so you know which station sent the original packet. If the IP address is changed, security will be defeated because the original address has been altered. The packet then could be falsified.

Although NAT offers a variety of benefits, such as removing the need to renumber your network, reducing the costs of ISP accounts and providing better load-balancing, NAT's potential threat to some management and security functions demands that you always use caution when rolling it out.

When to use NAT
Network Address Translation can be implemented in a network consisting entirely of private IP addresses or in an environment with private and globally unique IP addresses. NATs can provide access to the Internet for clients located on the internal network, or NATs can allow users on the Internet to connect to servers on the private internal network. The proper use of an NAT is to hide internal servers from the outside world (i.e., the Internet) or to utilize a few registered, globally unique IP addresses to provide Internet connectivity to several users on a private network.

When not to use NAT
NAT is a good feature to use if you are trying to avoid the cost of purchasing registered IP addresses; however, there are some scenarios that prevent the use of NAT. For example, since the entire private network is sharing a pool of addresses to connect to the Internet, logging and tracing Internet activity for specific users is sometimes not possible. Additionally, the translation being performed by NAT can cause transport delays and increase router CPU usage. This means time-sensitive applications could be affected by the NAT and could time out or lose connectivity. Furthermore, if a router's CPU utilization is already high, NAT can add even more overhead, greatly affecting the router's performance.

Things to consider
The decision to implement NAT should be based on a number of factors. A few items to consider include: 

• The number of clients or servers that need to be connected to the Internet
• The cost of purchasing globally unique, registered IP addresses
• The importance of traceability and logging
• CPU usage, transport delay, and application sensitivity.

Once you have considered these factors, you may find NAT to be an efficient, cost-effective means of connecting to the Internet.