August 5, 2010

Network Address Translation (NAT)

Why do we need NAT?

Before I start explaining NAT, it is worth knowing why NAT is necessary. Machines on the Internet use a 32 bit address (the IPv4 address) to identify each other, and a machine can communicate with another machine on the Internet as long as it knows that machine's 32 bit IP address. 32 bits gives about 4 billion addresses. That is far less than the population of this planet, and far smaller than the number of machines that want to access the Internet. A hacky solution to this small address space is to let multiple machines share one IP address. A NAT box lets a large number of machines in your home/office/college access the Internet through a small number of (usually one) public IP addresses. A machine behind the NAT box sits in one of the LANs shown in the top portion of the figure below.

[Figure: Network Address Translation. The LANs sit above the NAT box, the Internet below it.]

What is a Global IP and what is a Local IP?

In the context of NAT we come across the terms global IP address and local IP address. The IP address your NAT box uses to communicate with your ISP and with other machines on the Internet (including other NAT boxes) is the global IP address. The IP addresses of the machines in the LANs behind the NAT box (above the NAT box in the figure) are the local IP addresses. Local IP addresses are typically taken from the private ranges 10.x.x.x, 172.16.x.x to 172.31.x.x, or 192.168.x.x. Routers on the Internet do not carry routes for these ranges, which is why a local address is meaningful only inside its own LAN.

How do machines in the LAN access the Internet?

NAT stands for Network Address Translation, and as the name suggests, to the outside world all the machines behind the NAT box appear as one machine accessing the Internet. Say a machine in the LAN wants to reach a server (google, say) whose IP address is A.B.C.D, and the global IP address of your NAT box is I.P.A.D. The NAT box replaces the local source address of the outgoing packet with I.P.A.D. and sends the packet on to google. The response from google is addressed to I.P.A.D., and the NAT box forwards it to the machine that started the conversation. Now if two machines M1 and M2 in the LAN both access google, the NAT box needs to ensure that the response meant for M1 is forwarded to M1 and not to M2, and vice versa. NAT boxes do this in various ways; the common one is to rewrite the source port as well as the source address, giving each outgoing connection its own port on I.P.A.D., and to keep a translation table that maps that port back to the local address and port. The main idea is that packets between a machine in the LAN and a remote server are neither lost nor delivered to the wrong machine.

How can machines in the Internet connect to machines behind NAT?

The short answer is that, by default, they cannot. Say a machine A.B.C.D on the Internet wants to connect to M1 behind your NAT box. The 10.x.x.x and 192.168.x.x ranges are reserved for private networks such as the ones behind NAT boxes. So if you have a NAT box in your house/office, you can assign any address from those ranges to a machine behind your NAT box, and your neighbour can buy a NAT box and assign the very same address to his machine. So when A.B.C.D wants to connect to that local address, no router on the Internet can tell that the packet is meant for your machine M1 and not your neighbour's machine; routers do not carry routes for these ranges at all. The only address the Internet knows about is I.P.A.D., and a packet arriving there that does not match an existing outgoing connection has no entry in the translation table, so the NAT box drops it.

What is port forwarding?

One way a remote machine with address A.B.C.D can reach your machine is by connecting to your NAT box. The source address of the connection request is A.B.C.D and the destination address is I.P.A.D (the global address of your NAT box). The NAT box can then be configured to forward requests arriving on a particular port to a chosen machine in the LAN. Say you want to run an HTTP server on M1 behind the NAT box. The NAT box can be configured to forward connection requests on port 80 to M1. This is one way in which a remote IP on the Internet can connect to machines behind the NAT box. Keep in mind that a forwarded port is open to the whole Internet: the NAT box is no longer hiding that service, so M1's HTTP server needs to be secured exactly as if it were plugged into the Internet directly.
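To make the translation table, the reply demultiplexing for M1 and M2, the dropping of unsolicited inbound packets, and port forwarding concrete, here is a small simulation of a port-translating NAT box. It is an added example and not code from the original post; it models the simplest kind of NAT (mappings keyed only on the local source address and port) and uses constructed addresses: 192.168.1.x for the LAN, 203.0.113.5 standing in for I.P.A.D and 198.51.100.10 standing in for A.B.C.D. The class and function names are my own.

```python
"""Simulation of a port-translating NAT box (NAPT).

Added example, not part of the original post. All addresses, ports and
packets below are constructed for illustration.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str = ""


class NatBox:
    """A NAT box with a single global IP address.

    Outbound: each (local ip, local port) pair is given its own port on the
    global address, so replies from one server to two LAN machines can be
    told apart. Inbound: a packet is forwarded only if it matches a dynamic
    mapping created by an outgoing packet or a static port-forwarding rule;
    anything else is dropped.
    """

    def __init__(self, global_ip, first_port=40000):
        self.global_ip = global_ip
        self.next_port = first_port
        self.outbound = {}   # (local_ip, local_port) -> global_port
        self.inbound = {}    # global_port -> (local_ip, local_port)
        self.forwards = {}   # global_port -> (local_ip, local_port), static rules

    def add_port_forward(self, global_port, local_ip, local_port):
        """Static rule: connections to global_port go to local_ip:local_port."""
        self.forwards[global_port] = (local_ip, local_port)

    def translate_outbound(self, pkt):
        """Rewrite the source of a LAN packet and record the mapping."""
        key = (pkt.src_ip, pkt.src_port)
        gport = self.outbound.get(key)
        if gport is None:
            gport = self.next_port          # allocate a fresh global port
            self.next_port += 1
            self.outbound[key] = gport
            self.inbound[gport] = key
        return replace(pkt, src_ip=self.global_ip, src_port=gport)

    def translate_inbound(self, pkt):
        """Map a packet arriving at the global address back to a LAN machine.

        Returns None when the packet must be dropped.
        """
        if pkt.dst_ip != self.global_ip:
            return None                     # not addressed to this box
        target = self.inbound.get(pkt.dst_port) or self.forwards.get(pkt.dst_port)
        if target is None:
            return None                     # unsolicited, no rule: dropped
        local_ip, local_port = target
        return replace(pkt, dst_ip=local_ip, dst_port=local_port)


def demo():
    """Run the scenarios from the post and return the resulting packets."""
    nat = NatBox("203.0.113.5")        # constructed, stands in for I.P.A.D
    server = "198.51.100.10"           # constructed, stands in for A.B.C.D

    # M1 and M2 both use local source port 5000 and both talk to the server.
    m1 = Packet("192.168.1.10", 5000, server, 80, "GET / from M1")
    m2 = Packet("192.168.1.11", 5000, server, 80, "GET / from M2")
    out1 = nat.translate_outbound(m1)
    out2 = nat.translate_outbound(m2)

    # The server replies to whatever source it saw; the NAT box maps each
    # reply back to the right LAN machine using the translation table.
    in1 = nat.translate_inbound(Packet(server, 80, out1.src_ip, out1.src_port, "OK M1"))
    in2 = nat.translate_inbound(Packet(server, 80, out2.src_ip, out2.src_port, "OK M2"))

    # An unsolicited connection attempt from the Internet has no mapping.
    unsolicited = nat.translate_inbound(Packet(server, 4444, nat.global_ip, 22))

    # Port forwarding: expose M1's HTTP server on the global address, port 80.
    nat.add_port_forward(80, "192.168.1.10", 80)
    forwarded = nat.translate_inbound(Packet(server, 4444, nat.global_ip, 80, "GET /"))

    return {"out1": out1, "out2": out2, "in1": in1, "in2": in2,
            "unsolicited": unsolicited, "forwarded": forwarded}


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name}: {pkt}")
```

Running it shows both outgoing packets leaving with the same source address but different source ports, the two replies landing on different LAN machines, the unsolicited packet to port 22 coming back as None (dropped), and the packet to port 80 reaching M1 only because of the static rule. Real NAT boxes also key mappings on the remote address and port and expire idle entries, which this simulation leaves out.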

The contents of this post are simplified to a large extent, and some of the technical content needs to be taken with a pinch of salt.


Ashwin Rao said...

I found this animation to be useful.

Arvind said...

It was awesome, as I understood the working behind the NAT IP very easily.
The language was lucid, and the best part about it was the simplicity with which you described it.
Will try to understand it more on a practical level.