Fading Coder

One Final Commit for the Last Sprint


Network Address Translation: Concepts, Types, and Configuration


Overview

Network Address Translation (NAT) is a technique used to map private IP addresses to public IP addresses, enabling communication between internal networks and the internet. This capability is essential for modern networking environments where IPv4 address scarcity poses significant challenges.

Addressing Challenges

The depletion of available IPv4 public addresses has created a critical need for address translation mechanisms. Organizations require public IP addresses for internet connectivity, but the supply of routable addresses is exhausted. NAT provides a solution by allowing private network addresses to traverse public networks through address translation.

Operational Principles

NAT operates by translating source IP addresses and port numbers from private networks to valid public addresses when outbound packets leave the network. The translation device maintains a mapping table that tracks these conversions, enabling response traffic to be correctly routed back to the original internal host.

When internal hosts initiate communication with external destinations, the NAT gateway replaces the private source address with a public address from its pool. Incoming responses undergo reverse translation, where the destination public address maps back to the original internal private address.

Capabilities and Benefits

Network Address Translation provides several key advantages:

  • Address Conservation: Multiple internal hosts share a single public IP address through port multiplexing
  • Security Enhancement: Internal network topology remains hidden from external observers
  • Network Flexibility: Organizations can modify internal IP schemes without impacting external connectivity
  • Simple Integration: Compatible with existing network infrastructure

Potential limitations include increased latency due to translation overhead, complexity in configuration and troubleshooting, and incompatibility with certain protocols that embed IP addresses in payload data.

Classification of NAT Implementations

Static Address Translation

Static NAT establishes a one-to-one mapping between a specific private IP address and a public IP address. This approach requires a dedicated public IP for each private host, making it unsuitable for environments with limited public address pools. However, static NAT provides predictable addressing and simplifies firewall rule configuration.

Configuration example for static NAT:

<S1> system-view
[S1] undo info-center enable
[S1] sysname AR1

[AR1] interface GigabitEthernet0/0/0
[AR1-GigabitEthernet0/0/0] ip address 192.168.10.1 255.255.255.0
[AR1-GigabitEthernet0/0/0] quit
[AR1] interface GigabitEthernet0/0/1
[AR1-GigabitEthernet0/0/1] ip address 203.0.113.1 255.255.255.0
[AR1-GigabitEthernet0/0/1] nat static enable
[AR1-GigabitEthernet0/0/1] quit

[AR1] nat static global 203.0.113.10 inside 192.168.10.100
[AR1] display nat static

Dynamic Address Translation

Dynamic NAT allocates public addresses from a predefined pool to internal hosts on a first-come, first-served basis. Each private address maps to a public address temporarily, with the mapping released when the session terminates. This approach provides better address utilization than static NAT but lacks session persistence.

Configuration example for dynamic NAT:

<S1> system-view
[S1] undo info-center enable
[S1] sysname AR1

[AR1] interface GigabitEthernet0/0/0
[AR1-GigabitEthernet0/0/0] ip address 192.168.10.1 255.255.255.0
[AR1-GigabitEthernet0/0/0] quit
[AR1] interface GigabitEthernet0/0/1
[AR1-GigabitEthernet0/0/1] ip address 203.0.113.1 255.255.255.0
[AR1-GigabitEthernet0/0/1] quit

[AR1] nat address-group 1 203.0.113.100 203.0.113.200
[AR1] acl number 2000
[AR1-acl-basic-2000] rule permit source 192.168.10.0 0.0.0.255
[AR1-acl-basic-2000] quit

[AR1] interface GigabitEthernet0/0/1
[AR1-GigabitEthernet0/0/1] nat outbound 2000 address-group 1 no-pat
[AR1-GigabitEthernet0/0/1] quit
[AR1] display nat outbound

Port Address Translation (PAT)

PAT, also known as NAT with Port Multiplexing or NAPT (Network Address Port Translation), enables multiple private hosts to share a single public IP address through unique port numbers. This technique dramatically improves address efficiency and represents the most widely deployed NAT variant.

NAPT Configuration

NAPT maps multiple private addresses to a single public address using distinct source ports:

<S1> system-view
[S1] undo info-center enable
[S1] sysname AR2

[AR2] nat address-group 1 198.51.100.10 198.51.100.10
[AR2] acl number 2000
[AR2-acl-basic-2000] rule permit source 172.16.1.0 0.0.0.255
[AR2-acl-basic-2000] quit

[AR2] interface GigabitEthernet0/0/1
[AR2-GigabitEthernet0/0/1] ip address 13.1.1.30 255.255.255.0
[AR2-GigabitEthernet0/0/1] nat outbound 2000 address-group 1
[AR2-GigabitEthernet0/0/1] quit

[AR2] interface GigabitEthernet0/0/0
[AR2-GigabitEthernet0/0/0] ip address 172.16.1.1 255.255.255.0

Easy IP Configuration

Easy IP derives the translated address directly from the router's external interface, eliminating the need for a separate address pool:

<S1> system-view
[S1] acl number 3000
[S1-acl-adv-3000] rule permit ip source 192.168.1.0 0.0.0.255
[S1-acl-adv-3000] quit

[S1] interface GigabitEthernet0/0/1
[S1-GigabitEthernet0/0/1] nat outbound 3000

NAT Server Configuration

NAT Server enables external access to internal services by mapping a port on the public-facing interface's address to a private endpoint; the mapping is therefore configured on the external interface (GigabitEthernet0/0/1 in the examples above), whose current address is used as the global address:

[S1] interface GigabitEthernet0/0/1
[S1-GigabitEthernet0/0/1] nat server protocol tcp global current-interface 8080 inside 192.168.1.10 80

Access Control Lists in NAT Contexts

Access Control Lists (ACLs) define traffic classification rules that NAT implementations reference to determine which packets require translation. ACLs consist of sequential rules with permit or deny actions, each identified by a unique rule number.

Rule syntax uses wildcard masks rather than subnet masks:

[S1] acl number 2000
[S1-acl-basic-2000] rule 5 permit source 192.168.1.0 0.0.0.255
[S1-acl-basic-2000] rule 10 deny source 192.168.2.0 0.0.0.255

The wildcard mask 0.0.0.255 corresponds to the subnet mask 255.255.255.0: a 0 bit in the wildcard means the corresponding address bit must match the rule, while a 1 bit is ignored, so rule 5 matches every host in 192.168.1.0/24.
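The following simulation, added here and not part of the original article, ties the Operational Principles section to the ACL section: an ordered wildcard-mask ACL decides which sources are translated, a NAPT table rewrites the source address and port of outbound packets, and inbound packets are reverse-translated only when a matching entry exists (an unsolicited inbound packet is dropped). Port allocation is a simple counter and the packet fields are a constructed, simplified 4-tuple; both are assumptions of this toy model, not Huawei VRP behaviour.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:            # constructed, simplified header: no protocol or payload
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

def acl_permits(src_ip, rules):
    """rules: ordered (action, network, wildcard) triples, first match wins.
    A 0 bit in the wildcard must match, a 1 bit is ignored; no match means deny."""
    ip = int(ipaddress.IPv4Address(src_ip))
    for action, net, wildcard in rules:
        care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))  # bits that must match
        if ip & care == int(ipaddress.IPv4Address(net)) & care:
            return action == "permit"
    return False

class NaptGateway:
    """Toy NAPT: one public address, a public source port allocated per flow."""
    def __init__(self, public_ip, acl, first_port=1024):
        self.public_ip, self.acl, self.next_port = public_ip, acl, first_port
        self.by_flow = {}     # (src_ip, src_port, dst_ip, dst_port) -> public port
        self.by_public = {}   # (public port, dst_ip, dst_port) -> (src_ip, src_port)

    def outbound(self, pkt):
        if not acl_permits(pkt.src_ip, self.acl):
            return pkt        # not selected by the ACL: forwarded untranslated
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.by_flow.get(flow)
        if port is None:      # first packet of the flow: allocate a fresh public port
            port, self.next_port = self.next_port, self.next_port + 1
            self.by_flow[flow] = port
            self.by_public[(port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        entry = self.by_public.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if pkt.dst_ip != self.public_ip or entry is None:
            return None       # no mapping in the table: unsolicited packet is dropped
        inside_ip, inside_port = entry
        return Packet(pkt.src_ip, pkt.src_port, inside_ip, inside_port)
```

Note that the drop in `inbound` is a side effect of the state table, not a filtering policy: anything that creates an entry (including a NAT Server mapping) reopens that path, so NAT complements rather than replaces a firewall.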
