Network Address Translation (NAT)

Network Address Translation, or NAT for short, is a method of working around the shortage of IPv4 addresses. Address allocation is coordinated by the Internet Assigned Numbers Authority (IANA, a function of ICANN), which hands large blocks to the five Regional Internet Registries; an organisation applies to its regional registry or, far more commonly, to its Internet Service Provider (ISP) for public address space. Even though 32-bit IPv4 addressing allows 4,294,967,296 possible unique addresses, the free pool is exhausted: IANA allocated its last blocks in February 2011 and the regional registries ran out over the following years. In practice you "rent" public IP addresses from your ISP, which holds allocations from its registry and leases them out for a fee.

NAT is called by different names depending on which branch of IT you are dealing with. With routers it goes by NAT; with Unix and firewalls it often goes by IP masquerading (the Linux netfilter target is literally named MASQUERADE). I believe that in the Microsoft world it was at one time called an IP proxy. It sometimes goes by the name Network Address and Port Translation, or NAPT. We'll just call it NAT on this page.

Public IPv4 space ran out in stages rather than on one date: IANA's central pool was exhausted in February 2011, APNIC (Asia-Pacific) reached its last /8 in April 2011, RIPE NCC (Europe) in September 2012, and ARIN (North America) followed in 2015.

NAT to the Rescue

So, what can you do when there are no more public IP addresses available? NAT is the solution: it lets you hide a complete network that uses private IP addresses behind a single public IP address. RFC 1918 reserves one private range in each of the old classful sizes; these addresses are never routed on the public Internet, so every site can reuse them:

Private Address Ranges (RFC 1918)
Class A  10.0.0.0    - 10.255.255.255    10.0.0.0/8      one network,  network mask 255.0.0.0
Class B  172.16.0.0  - 172.31.255.255    172.16.0.0/12   16 networks,  network mask 255.255.0.0 each
Class C  192.168.0.0 - 192.168.255.255   192.168.0.0/16  256 networks, network mask 255.255.255.0 each

Network Address Translation

In the network shown in the diagram, there is one public IP address, 142.110.123.210, on the router's WAN port. On the LAN side, the network uses the private address range 192.168.1.0/24. The router is running network address translation: all LAN traffic gets translated to the public IP address. To the rest of the world, the public port looks like one very busy PC!

As a LAN packet passes through the router, the router replaces the LAN source IP address with the public IP address. Since many different devices live on the LAN, there has to be a mechanism for matching each returning response to the LAN host that sent the request. The router keeps a NAT translation table for that purpose: it records which outbound packet (and therefore which reply) belongs to which device.

Symmetric NAT

What this page calls symmetric NAT is the ordinary two-way translation of outgoing (egress) traffic, usually just called dynamic NAT or PAT. The LAN source IP address is translated to the public IP address, and the LAN source port is mapped to a unique external port such as 21000; the NAT translation table records that pairing. When a response from the Internet arrives at the public IP address, the router looks up the destination port in the table: if it matches 21000, it rewrites the destination IP address to the LAN IP address and restores the original port. Just remember that this is two-way communication: the entry is created by the outbound packet, so an inbound packet that matches no entry is simply dropped. That side effect is often mistaken for a firewall; it is not one, and a NAT router still needs real access rules. (In the NAT-type classification of RFC 3489, "symmetric" has a narrower meaning, noted under NAT Methods below.)
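As an added example (not code from the original page), here is a small Python model of the translation table described above. It goes slightly beyond the text: a symmetric flag switches between the behaviour described here, where one inside socket keeps one external port for every destination, and the stricter per-destination mapping that the RFC 3489 term "symmetric NAT" actually denotes, and it also shows the filtering side, i.e. that an inbound packet with no matching entry is dropped. The class and function names, the phone and peer addresses (192.168.1.20 plus the RFC 5737 documentation ranges) and the starting port 21000 are assumptions for the demo; 142.110.123.210 is the public address from the page.

```python
# Added example, not part of the original page: a model of the NAT/PAT
# translation table described in the text.  Class and function names,
# the LAN/peer addresses and the start port are assumptions for the demo;
# 142.110.123.210 is the public address used on the page.
from dataclasses import dataclass, field
from typing import Dict, Hashable, Optional, Set, Tuple

Endpoint = Tuple[str, int]                     # (ip, port)


@dataclass
class Mapping:
    inside: Endpoint                           # LAN ip:port that created it
    external_port: int                         # port the Internet sees
    peers: Set[Endpoint] = field(default_factory=set)   # destinations used


class PortTranslator:
    """Egress PAT with the translation table kept in two indexes.

    symmetric=False: one external port per inside socket, reused for every
                     destination (endpoint-independent mapping, a "cone").
    symmetric=True : a fresh external port per (inside socket, destination),
                     the stricter behaviour RFC 3489 calls symmetric NAT.
    """

    def __init__(self, public_ip: str, symmetric: bool = False,
                 first_port: int = 21000):
        self.public_ip = public_ip
        self.symmetric = symmetric
        self.next_port = first_port
        self.by_inside: Dict[Hashable, Mapping] = {}
        self.by_external: Dict[int, Mapping] = {}

    def _key(self, src: Endpoint, dst: Endpoint) -> Hashable:
        return (src, dst) if self.symmetric else src

    def translate_outbound(self, src: Endpoint, dst: Endpoint) -> Endpoint:
        """LAN packet going out: return the public ip:port written into
        its header, creating a table entry on first use."""
        key = self._key(src, dst)
        m = self.by_inside.get(key)
        if m is None:
            m = Mapping(src, self.next_port)
            self.next_port += 1
            self.by_inside[key] = m
            self.by_external[m.external_port] = m
        m.peers.add(dst)
        return (self.public_ip, m.external_port)

    def translate_inbound(self, src: Endpoint, dst_port: int) -> Optional[Endpoint]:
        """Internet packet arriving at public_ip:dst_port.  Returns the LAN
        ip:port (original port restored) to forward to, or None to drop.
        Only a peer the inside host already sent to is accepted, which is
        what makes a NAT look like a firewall without being one."""
        m = self.by_external.get(dst_port)
        if m is None:
            return None
        if self.symmetric:
            accepted = src in m.peers                          # exact ip:port
        else:
            accepted = src[0] in {ip for ip, _ in m.peers}     # address only
        return m.inside if accepted else None


def demo(symmetric: bool) -> dict:
    """One LAN phone talks to two Internet hosts, then three packets come
    back in; the dict shows what each NAT flavour does with them."""
    nat = PortTranslator("142.110.123.210", symmetric=symmetric)
    phone = ("192.168.1.20", 5060)       # constructed LAN SIP socket
    itsp = ("203.0.113.10", 5060)        # constructed, RFC 5737 range
    stun = ("198.51.100.7", 3478)        # constructed, RFC 5737 range
    probe = ("192.0.2.99", 5060)         # scanner the phone never contacted
    ext1 = nat.translate_outbound(phone, itsp)
    ext2 = nat.translate_outbound(phone, stun)
    return {
        "external_for_itsp": ext1,
        "same_port_for_both_peers": ext1 == ext2,
        "reply_from_itsp": nat.translate_inbound(itsp, ext1[1]),
        "stun_to_itsp_port": nat.translate_inbound(stun, ext1[1]),
        "unsolicited_probe": nat.translate_inbound(probe, ext1[1]),
    }


if __name__ == "__main__":
    for flavour in (False, True):
        print("symmetric" if flavour else "cone", demo(flavour))
```

Running it shows the two behaviours side by side: with the cone model the phone's socket is reachable on port 21000 from either host it has spoken to, while with the symmetric model each destination gets its own port and a packet from the second host to the first host's port is dropped. In both models the probe from an address the phone never contacted is dropped, which is the filtering people tend to rely on as if it were a firewall.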

With Cisco routers, you can assign multiple IP addresses to the public-facing Ethernet interface. I needed to open the PBX and a TFTP/FTP server to the outside world for my lab environment. I gave the public-side Ethernet interface a primary IP address and a secondary IP address, then used one-to-one mapping to point each of them at an internal server. The public interface is configured as the NAT outside port. (In this lab the "outside" addresses are themselves 10.x.x.x addresses standing in for public ones.) For Cisco, the relevant configuration is as follows:

interface FastEthernet0/0
 description WAN port, .240 is PSTNserver, .249 is ITSP
 ip address 10.163.95.249 255.255.255.0 secondary
 ip address 10.163.95.240 255.255.255.0
 ip nat outside
!
interface FastEthernet0/1
 description LAN interface
 ip address 192.168.202.1 255.255.255.0
 ip nat inside
!
! Translate inside traffic matched by ACL 120 to the address of Fa0/0;
! "overload" enables PAT so every inside host shares that one address.
ip nat inside source list 120 interface FastEthernet0/0 overload
!
! ACL 120 only selects which traffic is translated. It is not applied to
! an interface with "ip access-group", so it does not filter anything.
access-list 120 permit ip any any


The LAN interface is configured as NAT inside. The "ip nat inside source list 120 ..." line says that inside traffic matched by ACL 120 is translated to the address of the FastEthernet0/0 (WAN) interface, and the "overload" keyword enables Port Address Translation, so all inside hosts share that one address and are told apart by port. The last line is an Access Control List (ACL) numbered 120; here it matches any source IP address going to any destination IP address. Be clear about what the ACL does in this position: it only selects which packets are candidates for translation. It is not bound to an interface with "ip access-group", so it filters nothing, and "permit ip any any" simply means "translate everything". Cisco's documentation warns against "permit any" in NAT ACLs; matching just the inside networks (for this LAN, 192.168.202.0 with wildcard 0.0.0.255) keeps traffic you did not intend to translate out of the table. Restricting what may enter the router is the job of a separate ACL applied to the outside interface. There are whole courses on ACLs and on locking down a router, and they are beyond the scope of this NAT page.

Static Port Mapping

For incoming (ingress) communications to your network, you can create a static mapping so that traffic arriving at a public address (or at a single public port) is always forwarded to one internal LAN IP address. In the Cisco example below a whole public address is mapped one-to-one to one internal host, which suits a site with one or two servers, one of them a PBX. (IOS can also map a single TCP or UDP port with the "static tcp" / "static udp" form of the same command, which exposes far less of the host.) NAT can cause big headaches for VoIP, and especially for the SIP/RTP protocols; the problems are discussed later on this page under PAT. I used static mapping to solve a VoIP problem.

The Cisco commands seem to be written backwards: in the following commands the inside address is written before the outside one. Logically, I would expect it to say that anything arriving on this outside address goes to this local IP address. The syntax reads the other way because it is named from the inside host's point of view: "ip nat inside source static" means translate this inside source address to that global address, and because the entry is static it is applied in both directions, so packets arriving at the global address are forwarded to the local one. Here's the relevant Cisco configuration:

! inside-local (LAN address) first, then inside-global (WAN address).
! Each entry is bidirectional: packets arriving at 10.163.95.240 are
! forwarded to 192.168.203.254, and its replies leave as 10.163.95.240.
ip nat inside source static 192.168.203.254 10.163.95.240
ip nat inside source static 192.168.202.252 10.163.95.249

NAT Methods

Naturally, as with everything concerning the Internet, there are other "methods" of NAT. The classic classification from RFC 3489 (the original STUN specification) names four behaviours: "one to one"/full cone, restricted cone, port restricted cone and symmetric NAT. RFC 4787 later replaced these labels with separately described mapping and filtering behaviours, but the old names are still what most vendors and VoIP guides use. The distinction matters for VoIP because a symmetric NAT allocates a new external port for every destination, so the port a STUN server reports back is useless for the actual call. Each has its merits and functions. The two that I've mentioned will work in 90% of the cases. I'm not going to go into detail on all of these methods; a Google search will provide you with more information than you would care to know about NAT.

PAT - Port Address Translation

For VoIP, the bad guy in this NAT equation is PAT (Port Address Translation). When a packet traverses (goes through) NAT, the router changes the TCP or UDP source port to another one so that it can track the packet in its NAT translation table; when the reply returns, the port is changed back to the original. So in addition to changing the IP address, the port gets changed too!

For the most part this works very well. The exception is SIP, where a voice call involves two separate protocols: SIP (Session Initiation Protocol) and RTP (Real-time Transport Protocol). SIP is used for setting up the call, RTP carries the voice conversation, and RTP runs over its own UDP ports, separate from the SIP signalling port.

Instead of tracking just one port, at least two must be translated. To make matters worse, the SIP message carries an SDP body whose "c=" and "m=audio" lines tell the far end the IP address and port where this phone expects its RTP, and the Via and Contact headers name the phone's address for signalling. NAT rewrites only the IP and UDP headers, not the payload, so the far end is told a private address that is unroutable from the Internet and a port that does not match the translated one. The result is a problem called "one way audio": one party calls the other and only one of them can hear. This is the classic symptom of a NAT problem.
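The failure just described, as an added example that is not code from the original page: a constructed INVITE is pushed through a header-only NAT, the SDP is parsed the way the far end would parse it, and the RTP target comes out as a private address. The second half shows the repair a SIP ALG or session border controller makes, rewriting the SDP and the Via/Contact headers with the public address and the NAT's external port for the RTP socket. The INVITE text, the phone address 192.168.1.20, the RTP port 10000 and the external ports 21000/21001 are all assumptions; 142.110.123.210 is the public address from the page.

```python
# Added example, not from the original page: why header-only NAT/PAT breaks
# SIP.  The INVITE, the phone address and the port numbers are constructed;
# 142.110.123.210 is the public address used on the page.
import ipaddress
import re
from typing import Dict, Tuple

PUBLIC_IP = "142.110.123.210"
PHONE_IP, PHONE_RTP_PORT = "192.168.1.20", 10000   # constructed LAN phone

# Minimal INVITE with an SDP body, as the phone sends it.  The c= line and
# the m=audio line tell the far end where to send RTP.
INVITE = "\r\n".join([
    "INVITE sip:bob@203.0.113.10 SIP/2.0",
    f"Via: SIP/2.0/UDP {PHONE_IP}:5060;branch=z9hG4bK776",
    f"Contact: <sip:alice@{PHONE_IP}:5060>",
    "Content-Type: application/sdp",
    "",
    "v=0",
    f"o=alice 1 1 IN IP4 {PHONE_IP}",
    "s=call",
    f"c=IN IP4 {PHONE_IP}",
    "t=0 0",
    f"m=audio {PHONE_RTP_PORT} RTP/AVP 0",
]) + "\r\n"


def plain_nat(src: Tuple[str, int], payload: str, ext_port: int):
    """What the PAT on the page does: rewrite the IP/UDP header only.
    Returns the new source address and the untouched application payload."""
    return (PUBLIC_IP, ext_port), payload


def rtp_target(sip_message: str) -> Tuple[str, int]:
    """Where the far end will send its RTP: SDP c= address and m=audio port."""
    ip = re.search(r"^c=IN IP4 (\S+)", sip_message, re.M).group(1)
    port = int(re.search(r"^m=audio (\d+)", sip_message, re.M).group(1))
    return ip, port


def reachable_from_internet(ip: str) -> bool:
    """RFC 1918 and other non-global addresses cannot be routed back to."""
    return ipaddress.ip_address(ip).is_global


def alg_rewrite(sip_message: str,
                rtp_mapping: Dict[Tuple[str, int], int]) -> str:
    """The fix a SIP ALG or session border controller applies: rewrite the
    SDP and the Via/Contact headers so they name the public address and the
    external port the NAT uses for the RTP socket.  rtp_mapping is that
    NAT table entry, (lan_ip, lan_rtp_port) -> external port."""
    ip, port = rtp_target(sip_message)
    ext = rtp_mapping[(ip, port)]
    out = re.sub(r"^c=IN IP4 \S+", f"c=IN IP4 {PUBLIC_IP}", sip_message, flags=re.M)
    out = re.sub(r"^m=audio \d+", f"m=audio {ext}", out, flags=re.M)
    return out.replace(f"{ip}:5060", f"{PUBLIC_IP}:5060")   # Via and Contact


def demo() -> dict:
    # Header-only NAT: SIP reaches the far end, but the SDP still says
    # 192.168.1.20:10000, so the return RTP is sent somewhere unreachable.
    _, payload = plain_nat((PHONE_IP, 5060), INVITE, 21000)
    broken = rtp_target(payload)
    # With the RTP socket's own table entry (port 21001, constructed) known,
    # an ALG writes a reachable address/port into the SDP.
    fixed = rtp_target(alg_rewrite(INVITE, {(PHONE_IP, PHONE_RTP_PORT): 21001}))
    return {"plain_nat_rtp_target": broken,
            "plain_nat_reachable": reachable_from_internet(broken[0]),
            "alg_rtp_target": fixed,
            "alg_reachable": reachable_from_internet(fixed[0])}


if __name__ == "__main__":
    print(demo())
```

The phone's own RTP still flows out through the NAT and creates a table entry, which is why the far end hears the phone while the phone hears nothing. Some far ends "latch" onto the source address of the RTP they receive and reply there instead of to the SDP address, which is why the problem is intermittent and depends on who is on the other end. A PBX behind the static mapping described on this page achieves the same result as the ALG in a different way: because its external address and RTP ports are fixed and known, it can be configured to write the public values into the SDP itself.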

The problem becomes even worse if there is NAT at both ends of the call! Now each end is performing NAT and PAT translations, and each end's SDP names an address the other end cannot reach. Static port mapping for your PBX is one way to overcome this, but firewall rules or access control lists are then absolutely necessary. A one-to-one static mapping exposes every listening port of the PBX to the Internet, not just SIP and the RTP range, which is not really a good idea: Internet-wide scanners probe UDP port 5060 continuously looking for PBXs to register against or relay calls through. Whitelists of acceptable source IP addresses (your ITSP's SIP proxies and media servers) and VPN (Virtual Private Network) connections for remote clients are necessary security measures, and a per-port mapping limited to SIP and the PBX's configured RTP range exposes far less than mapping the whole address.

TelecomWorld 101

Copyright July 2013 Eugene Blanchard