We rely on NAT for our Internet access and to allow external access to our internal services. In this video, you’ll learn about private IP addresses, port address translation, and port forwarding.
<< Previous Video: Prioritizing Traffic Next: Access Control Lists >>
If we look at IP version 4 and the number of bits that are available in an IP address, we know that we have a maximum of about 4.29 billion possible addresses. But it’s been estimated that there are over billion devices that are connected to the internet, and that number is increasing as time goes on. So how are we able to communicate between all of these devices, if we know that there are only four 4.2 nine billion addresses available to go around?
Adding to this complication is that we have exhausted the IPv4 address space. There are no more IPv4 network addresses that can be assigned to different organizations. So how do we make all of this communication work given these restrictions that we have on IP addresses? One of the ways we do this is by using NAT or network address translation. This isn’t the only thing that NAT is able to provide, but it’s one of the major uses of network address translation in today’s networks.
We realized early on that we were running out of IP addresses, so what we managed to do was carve out a grouping of IP addresses that we could set off to the side and call private IP addresses. These private IP addresses would be used inside of our organizations, and these IP addresses would not be routable across the internet. If you look at the first column of this particular table, these are the private IPv4 addresses.
You may see these referred to as RFC 1918 addresses, because that’s the RFC where we define these particular groupings. One IP address ranges is 10.0.0.0 through 10.255.255.255. So if you see an IP address that’s somewhere in that range, that would be a private address. It would not be routable over the internet. Another one of these ranges is 172.16.0.0 through 172.31.255.255. And the last private address range is 192.168.0.0 through 18.104.22.168.
We use these private IP addresses inside of a single organization, and then we use network address translation to be able to translate those private addresses into something that is a public address that can be routed over the internet. Let’s look at an example of performing this network address translation between a private address and a public address.
This would be Vala’s workstation on one side of the conversation. Her IP address is 10.10.20.50. And if we look at our previous table, we know that any IP address that starts with a 10 is a private IP address, and it’s on this local internal subnet. There’s a router that connects our internal network to the rest of the internet. This external router IP address is 22.214.171.124.
And somewhere out on the internet is professormesser.com, the IP address associated with that server is 126.96.36.199. If Vala wants to communicate to professormesser.com, she’ll send an IP communication. The source IP will obviously be her source IP address of 10.10.20.50, and the destination IP will be the IP address of the professormesser server, and she’ll send that out to the router that maintains the connection to the internet.
But this router recognizes that there’s no way to reroute a 10. address out over the internet. That’s a private IP address. So this router performs a network address translation and translates that source IP address to something that can be routed on the internet, and it simply uses its external IP address to do that. So now that it’s changed this packet to show a different source IP address, we’re able to send that off across the internet.
The professormesser.com server will receive Vala’s request, and then it will send a response back to Vala. But of course, the destination IP address is going to be the one that originally came in as the source IP address of 188.8.131.52. This router again recognizes that this is inbound on 184.108.40.206, and it looks up at its table realizes this information needs to go to Vala. So it performs another network address translation translating it back to 10.10.20.50, and that packet is able to find its way back to Vala’s workstation.
If all of our networks were like this one that had a single device, then this type of network address translation would work. But of course, there may be hundreds or thousands of devices on the inside of our network, but we still need to provide some way to perform network address translation. We do this through a type of NAT called NAT overload. You might also hear this referred to as PAT or port address translation. You might also hear it called a source NAT, because we’re performing a network address translation on the source IP address.
Let’s take the same scenario where Vala’s needs to communicate to professormesser.com. She’ll create a packet that has a source IP address and port number and a destination IP address and port number. You can see that the source IP address is 10.10.20.50. That is Vala’s address. And she randomly chose 3233 as the source port number. The destination IP is going to be the IP address professormesser.com, and since Vala is communicating to the web server, she’s communicating out to port 80 on that destination server.
As this packet makes its way to the internet router, the router again realizes that it needs to perform a network address translation. Inside of the router is a network address translation table where it keeps track of all of these different translations that it’s doing. It knows that Vala’s private address internally is 10.10.20.50, and in this particular traffic flow, she’s using a source port number of 3233.
This router is going to now perform the network address translation, and that new external IP address is going to be 220.127.116.11, and this router is going to use a port number of 1055 now to designate this particular traffic flow. Now that we have an external IP address, this particular packet is routed properly off to professormesser.com. When professormesser.com replies back to Vala, this traffic then hits the router again. The router looks at the network address translation table, makes the proper changes back to Vala’s internal IP address, and the response is sent back to Vala on 10.10.20.50 using the original port number of 3233.
There’s another type of network address translation you may find on your routers called port forwarding. This allows someone on the outside to gain access to the devices that you might have on the inside of your network. So if you’re hosting your own web server or gaming server and that device has a private IP address, you’ll use port forwarding to be able to take the external communication and allow it access to that internal private IP.
To do this, we would map or configure the external IP and port number and associate that with an internal IP and port number. In this example, someone communicating to the external IP address on my router over a port number 8088 has that information translated to port 80 and communicates internally to my private IP address of 10.1.10.221. You might also hear this referred to as a static NAT or a destination network address translation, because now we’re translating the destination IP address that’s being sent from a different device.
Since this network address translation is static, it’s one that is available 24 hours a day, seven days a week. It doesn’t expire. It doesn’t time out. If anybody at any time chooses to communicate to my public IP address over that particular port number, they will always be forwarded to my internal IP address and port number. This port forwarding is an inbound communication.
So in this scenario, we have devices that are out on the internet communicating to my internal devices. These internal devices, you can see, have a 192.168 address, which means they are private IP addresses. And it’s this router that’s providing the network address translation.
We’ve already configured this router to say that if anyone is inbound on 18.104.22.168, which is our external address, translate that to 192.168.3.22, which is our server on the inside of our network using a private IP address. So if we’re sending traffic from one of these devices on the internet, it will then hit our particular router and that’s where the translation occurs to be able to then send the traffic inside of our network to the appropriate device.