Overview of Network Address Translation

This topic provides an overview of Network Address Translation (NAT).

Network Address Translation is a method of rewriting the private IP addresses you use on your LAN into the public IP address you use on the Internet. You define NAT rules that specify exactly how and when to translate between public and private IP addresses.

A private IP address is chosen by a network administrator for use only on a LAN (normally from the ranges reserved for this purpose in RFC 1918: 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16), whereas a public IP address is allocated from the globally routable address space administered by IANA and the regional Internet registries. Typically, your ISP provides a public IP address for your entire LAN, and you define the private addresses for computers on your LAN.

In a typical NAT setup, your ISP provides you with a single public IP address to use for your entire network. Then, you assign each computer on your LAN a unique private IP address. (Or, you define a pool of private IP addresses for dynamic assignment to your computers, as described in DHCP Configuration Overview.) On the ADSL/Ethernet router, you set up a NAT rule specifying that whenever one of your computers communicates with the Internet (that is, sends and receives IP data packets), the private IP address referenced in each packet is replaced by the LAN's public IP address.

An IP data packet contains bits of data bundled together in a specific format for efficient transmission over the Internet. Such packets are the building blocks of all Internet communication. Each packet contains header information that identifies the IP address of the computer that initiates the communication (the source IP address), the port number that computer chose for the connection (the source port number), the IP address of the targeted Internet computer (the destination IP address), the port it is contacting there (the destination port number), and other information.

When this type of NAT rule is applied, the source IP address in each outgoing packet is swapped out, so to other Internet computers the packets appear to come from the computer assigned your public IP address (in this case, the ADSL/Ethernet router).

The NAT rule can further be defined to translate the source port in the data packet (i.e., change it to another number). This is what allows many computers to share one public IP address: two computers on your LAN may happen to use the same source port at the same time, so the router assigns each connection a distinct port on the public side and uses that port as the key into its translation table. It also means outside computers cannot see the port the packet actually originated from. Data packets that arrive in response carry the public IP address as the destination IP address and the translated port as the destination port. The router looks that port up in its table (having kept track of the changes it made earlier), restores the original private IP address and source port number, and forwards the packet to the originating computer. A packet arriving from the Internet that matches no table entry cannot be delivered to any computer and is dropped.
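The translation described above, as an added example that is not part of this page or of the router's own firmware: a small Python model of a NAPT translation table. It shows the private source address and port being rewritten on the way out, two LAN computers that picked the same source port receiving distinct public-side ports, replies being mapped back to the right computer, and an unsolicited inbound packet being dropped because no table entry exists for it. The public address 203.0.113.10, the LAN addresses, the remote server and the port pool are constructed values for illustration.

```python
# Toy model of network address port translation (NAPT). Constructed example:
# no real packets are sent; a "packet" is just a small record of its headers.
# Names such as NaptRouter and PUBLIC_IP are illustrative, not this router's code.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

PUBLIC_IP = "203.0.113.10"        # assumed address from the ISP (documentation range)
PORT_POOL = range(40000, 40005)   # assumed, deliberately tiny pool of public-side ports


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass
class NaptRouter:
    public_ip: str = PUBLIC_IP
    # Translation table, keyed by (protocol, public-side port). The value records
    # the private source it replaced and the remote endpoint it was talking to.
    table: Dict[Tuple[str, int], Tuple[str, int, str, int]] = field(default_factory=dict)
    free_ports: List[int] = field(default_factory=lambda: list(PORT_POOL))

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """LAN -> Internet: replace the private source with public IP + a public port."""
        flow = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        # Reuse the mapping if this flow has already been seen.
        for (proto, pub_port), (ip, port, rip, rport) in self.table.items():
            if (proto, ip, port, rip, rport) == flow:
                return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
        if not self.free_ports:
            return None  # pool exhausted: nothing to translate to, packet is dropped
        pub_port = self.free_ports.pop(0)
        self.table[(pkt.proto, pub_port)] = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> LAN: undo the translation, or drop if no mapping exists."""
        if pkt.dst_ip != self.public_ip:
            return None
        entry = self.table.get((pkt.proto, pkt.dst_port))
        if entry is None:
            return None  # unsolicited: no LAN computer asked for this, so it is dropped
        priv_ip, priv_port, rip, rport = entry
        # Only the remote endpoint that was contacted may use this mapping. This is
        # the strict filtering variant; many consumer routers are more permissive.
        if (pkt.src_ip, pkt.src_port) != (rip, rport):
            return None
        return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port, pkt.proto)


def demo():
    """Walk two LAN hosts through a connection to the same web server."""
    router = NaptRouter()
    # Both hosts happen to pick source port 50000 toward the same server.
    out_a = router.outbound(Packet("192.168.1.20", 50000, "198.51.100.5", 80))
    out_b = router.outbound(Packet("192.168.1.21", 50000, "198.51.100.5", 80))
    # The server replies to the public address and whatever port it saw.
    reply_a = router.inbound(Packet("198.51.100.5", 80, PUBLIC_IP, out_a.src_port))
    reply_b = router.inbound(Packet("198.51.100.5", 80, PUBLIC_IP, out_b.src_port))
    # A stranger probing port 22 on the public address has no table entry.
    probe = router.inbound(Packet("198.51.100.99", 4444, PUBLIC_IP, 22))
    return out_a, out_b, reply_a, reply_b, probe


if __name__ == "__main__":
    for label, pkt in zip(("out_a", "out_b", "reply_a", "reply_b", "probe"), demo()):
        print(f"{label}: {pkt}")
```

The two outbound packets leave with the same source IP (the public address) but different source ports, and each reply is delivered back to the host whose private address and port the table recorded. The probe is returned as None: that dropped packet is the whole of the "security" NAT provides, and it disappears as soon as a rule maps that port inward.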

NAT rules such as these provide several benefits:

  • They eliminate the need for purchasing multiple public IP addresses for computers on your LAN. You can choose your own private IP addresses at no cost, and then have them translated to the public IP address when your computers access the Internet.
  • They provide a measure of security for your LAN. Your computers use private addresses that are not routable on the Internet, their source addresses and port numbers are swapped out before packets leave, and an inbound packet that matches no entry in the router's translation table is discarded because the router has nowhere to deliver it. This is a side effect of the translation table, not a substitute for a firewall: any port you expose with an inbound NAT rule is reachable from the Internet, and outbound connections from your LAN are not restricted at all.

The type of NAT function described above is called network address port translation (NAPT); it is also known as port address translation (PAT) or IP masquerading. You can use other types, called flavors, of NAT for other purposes; for example, providing outside access to a computer on your LAN, or translating multiple private addresses to multiple public addresses one-to-one.