Understanding Network Address Translation – CompTIA Network+ N10-006 – 1.3


Network address translation, or NAT, is the process of modifying IP addresses and port numbers as traffic flows across the network. In this video, you’ll learn how source NAT and destination NAT are used to provide network services.



The address that we generally refer to when we talk about network address translation is the IP address of a device on the network. This is the address that we want to change as it’s going from one side of the network to the other. Another address we sometimes refer to when talking about network address translation is really a port number.

So we’re really referring to not just an IP address; we could also be referring to a UDP or TCP port number. And many times when we’re talking about NAT, we’re really talking about changing both of these at the same time.

Now, why would you want to change an IP address as it’s going through the network? One reason is that you may need to have one set of addresses on the inside of your network, which are private. And you might have one single IP address that is public that everyone else in the world sees.

So when you communicate to google.com, you’re really changing the address. And google.com sees that single external IP address no matter what the IP address is inside of your organization. We refer to that process as a source IP address change, a source NAT, because we’re changing the source addressing before it gets to the Google web servers. You may also see this referred to as port address translation, or PAT.

Another reason you might want to do network address translation is for inbound traffic. You may want to have people on the outside communicate to that public IP address. And then you determine where traffic goes once it gets to the inside of your network. That type of address translation is called destination NAT, because you are changing the destination IP address as it comes into your network.

Whenever we’re talking about NAT, we might be referring to the IP address, we might be referring to the port number. But it doesn’t necessarily have to be both of those, it could be either one of those. And we’re performing an address translation.

In this picture, we have a network on the left side. This is where we’re starting with our source NAT. We might be one of these devices, such as 192.168.3.22, and we’re communicating through a switch. And this router here is the one that is going to be performing the address translation.

Its external IP address, the one that the rest of the world sees, is 1.1.1.1. As we pass through the internet, somewhere on the other side is a router that connects up another network, which is 22.22.22, and there’s a .22 device and a .222 device on that side. And you can see I’m not doing any type of address translation on that side, just to keep things simple.

Inside of this router is a source NAT conversion table. And we’ve told this device if anything is passing through and communicating to the outside, please take any of these internal source IP addresses, and do a network address translation to 1.1.1.1. Let’s assume that this 22.22.22.22 is a web server.

And we have a 192.168.3.22 up here that would like to communicate to that web server. It’s going to send traffic from 192.168.3.22. And of course, our outgoing traffic is going to pick a random source port number to use. So it may use something like 3333. And it’s going to communicate to the well-known port number of 80, which is a web server on that IP address of 22.22.22.22.

Of course we’ve told this NAT device that we want to perform a source NAT, which means change the source address as it’s passing through. So by the time that packet makes it to the other side of that router, it’s changed to 1.1.1.1. And we might have even changed the port number as well to 5555.

The destination IP address doesn’t change at all. We want the packet to continue on its way to its original destination. So you can see that number is exactly the same. It’s the source address that’s changed, and that’s why we call it a source network address translation.

This table is going to contain every single address translation that’s done through every device communicating through that router, or that firewall, or that network address translation device. So this might be an extensive table. So when the traffic comes back from that web server, the information is examined in the table, the address translation is done again, and it’s finally sent back to the original IP address.

The reverse of the source network address translation is the destination address translation. We commonly see this when we have a service that we’re running. Maybe we have a web server or a gaming server that’s always going to be on and always going to be available inside of our organization.

But we have private IP addresses inside of our network that can’t be accessed from the outside. That’s exactly where destination NAT would come in. We want to change where this traffic is going once it hits our router.

So it’s very common to change that destination IP address from the public IP to the private IP, so that it can find its way into the inside of our network. Sometimes you’ll also hear this referred to as port forwarding. And we’re using this as a static configuration: that IP address of a web server or a game server is assumed to always be available. So if any traffic is coming into our router, the router will make the translation and always send it to that device.

Here’s the same network diagram, but I flipped things a bit. We have traffic now originating out on the internet, and making its way to this 192.168.3.22. And in this particular example, that is our web server that people will be hitting from the internet. And of course, the 192.168.3.22 is an internal address.

So we have this 22.22.22.22 that’s communicating over port 4444 to that well known port 80 of 1.1.1.1. Notice that it is going to the external address of our router that has the public IP address associated with it. When that is received by the router, it performs a destination NAT where it changes where that is going.

So instead of going to that external address, it’s now going to change that to go to 192.168.3.22. And we’ll keep the port number the same, because that device is listening on port 80 to do its web services. We might even have a separate service running, maybe a mail service that’s running inside of our network on a different device.

Maybe it’s running on this device, 192.168.1.3. We can configure our destination NAT so that if we’re receiving anything to 1.1.1.1 and it’s on port 25, we change the destination address to 192.168.1.3 with port number 25. And then it will redirect it down to that device, specifically. So we can host a number of services, all with different port numbers, on our external IP address, and we’ll have our destination NAT determine exactly where that traffic should go based on the port numbers that are in use.
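To tie the source NAT table from the first diagram and the destination NAT (port forwarding) entries from the second together, here is a small model of that router, written for this page and not taken from the video or any real router's code. It uses the same addresses and ports as the diagrams (192.168.3.22:3333 translated to 1.1.1.1:5555 on its way to 22.22.22.22:80, plus the port-80 and port-25 forwards); the class and method names are my own. It also shows the part the text only implies: a packet arriving at 1.1.1.1 on a port that is in neither table has nowhere to go and is dropped.

```python
# Added example: a simplified NAT router keyed on (inside IP, inside port).
# A real device keys its table on the full 5-tuple and ages entries out;
# that is left out here to keep the two tables from the diagrams visible.
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class NatRouter:
    def __init__(self, public_ip, first_port=5555):
        self.public_ip = public_ip
        self.next_port = first_port   # next translated source port to hand out
        self.snat = {}                # (inside ip, port) -> translated public port
        self.snat_rev = {}            # translated public port -> (inside ip, port)
        self.dnat = {}                # public dst port -> (inside ip, port), static

    def add_port_forward(self, public_port, inside_ip, inside_port):
        """Static destination NAT entry: the 'port forwarding' case."""
        self.dnat[public_port] = (inside_ip, inside_port)

    def outbound(self, pkt):
        """Source NAT: rewrite the source IP/port and record the mapping so the
        reply from the web server can be translated back.  Destination is untouched."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.snat:
            self.snat[key] = self.next_port
            self.snat_rev[self.next_port] = key
            self.next_port += 1
        return replace(pkt, src_ip=self.public_ip, src_port=self.snat[key])

    def inbound(self, pkt):
        """Traffic arriving at the public IP: either a reply to a recorded
        outbound flow, a static forward, or nothing we know about (None = dropped)."""
        if pkt.dst_ip != self.public_ip:
            return None
        if pkt.dst_port in self.snat_rev:      # reply to an earlier outbound flow
            ip, port = self.snat_rev[pkt.dst_port]
            return replace(pkt, dst_ip=ip, dst_port=port)
        if pkt.dst_port in self.dnat:          # static port forward
            ip, port = self.dnat[pkt.dst_port]
            return replace(pkt, dst_ip=ip, dst_port=port)
        return None
```

Because unsolicited inbound packets only reach an inside host through an explicit port-forward entry, every entry you add to that table is a deliberate exposure of an internal service and should be reviewed as such.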