Monday, November 19, 2018

Understanding NAT – Network Address Translation

If you wanted to send me a letter, what would you need most? My address. And if you have noticed, we write an address in a fixed format: building number, then area, city, state and finally the pin code. Why? To avoid confusion. Computers that need to talk to each other also need addresses. The Internet uses the IP addressing scheme: each computer on the Internet is assigned an IP address, and that address is what it uses to communicate. Now think: what would you do if those addresses started running out? Read on to find out.

A long time ago, when the Internet came into existence, IP addresses came to life with it. That scheme was called IPv4. It records each address as a 32-bit number written as four dot-separated values, which gives 2^32 (about 4.3 billion) possible addresses, and every computer on the Internet got one such address. Over time, as the number of computers and devices connected to the Internet exploded, the addresses ran short. To overcome this problem, IPv6 was introduced; its address space (2^128 addresses) is so large that running out is no longer a concern. However, IPv6 also required changes to the software and the hardware we used. So intelligent minds came together to find a short-term fix until we could start using IPv6. That solution was called NAT, Network Address Translation.

To understand NAT, let's take an example. Imagine that you and I live in a society with a lot of apartments. Let's call this place "Security Society". My flat number is 3335 and yours is 3331, and there are hundreds more flats like ours. When you send a letter outside, you write your complete address: Flat Number 3331, Block S, Security Society. However, the security guard at the society's entrance puts your letter in another envelope, changes the address to just "Security Society" and hands it over to the postman for delivery. When the postman brings back the reply, the delivery address says only Security Society, not your complete address. So he hands it over to the security guard at the entrance and goes back. The guard remembers that this letter belongs to you and delivers it to the correct address: Flat Number 3331, Block S, Security Society.

Let's apply the same analogy to the world of computers. When a packet comes from an internal computer with a private address, it is stopped at the device running the NAT software (the security guard), which has a public IP address of its own. NAT rewrites the source address in the packet header from the internal private address to the public address of the NAT device, and records that mapping in a translation table. When a computer on the Internet replies, it replies to the NAT device's public address (Security Society). The NAT device (security guard) looks up its table, rewrites the destination address on the reply back to the internal computer's private address (the actual flat number) and puts it on the wire for the internal user to receive. Thus NAT hides internal addresses by centralising them on one device: packets that leave the network carry only the source address of that device, never the address of the internal computer that actually sent them.

NAT also gives some security benefit on top of stretching the supply of IPv4 addresses. An attacker outside never learns the real internal address and can only aim at the natted public address. And because the NAT device forwards an inbound packet only when it holds a translation entry for it (that is, a reply to something an inside host sent out), unsolicited inbound traffic is simply dropped. Taking a cue from the analogy above, spam or marketing mail from companies lands with the security guard, who discards it, and you are never bothered. One caveat a practitioner should keep in mind: NAT is address hiding, not a filtering policy. Once an inside host opens a connection, whatever the other end sends back on that mapping flows through, so the NAT device should still run proper firewall rules rather than being treated as the firewall.

There are 3 types of NAT implementation:

1. Static Mapping – Here the NAT software holds a pool of public IP addresses, and each private address is always mapped to the same public address. So computer A always gets public address x, computer B always gets public address y, and so on. This is generally used for servers that must keep the same public address at all times, so that connections from the Internet can reach them.

2. Dynamic Mapping – The NAT software again has a pool of public IP addresses, but they are allocated to private addresses on demand. When you start communicating you get whichever public address is first free in the pool, unlike static mapping where you are always given the same fixed public address. The mapping lasts while the conversation is active, after which the address returns to the pool.

3. Port Address Translation (PAT) – A pat on the back for you since you have made it to this point in the article. PAT is an extension of NAT that saves us the cost of buying multiple public IP addresses. Here we have only one public IP address, just like one security guard at the main gate, and the port number is what tells the internal hosts apart. Let's take an example. The NAT device has a single public IP address. When computer A needs to communicate with a system on the Internet, the NAT device records computer A's private address and source port number (port 43,887). It then changes the source IP address in the packet header to its own public address and the source port to 40,000, and stores that pairing in its translation table. When computer B also needs to communicate with a system on the Internet, the NAT device records B's private address and source port number (port 23,398) and rewrites the header to the public address with source port 40,001. So when a system responds to computer A, the packet first goes to the NAT device, which looks up port 40,000 in its table and sees that it maps to computer A's real information. The NAT device changes the destination to computer A's private address and port 43,887 and sends it on to computer A for processing.

Although NAT was meant as a short-term solution, it has been well received by the networking and security communities. Eventually the world will move to IPv6 entirely, but NAT and PAT offer a cost-efficient way to cope with the shortage of IPv4 addresses today and for some time to come.

What are your thoughts on this? 


prateek varshney said...

Really good explanation..Kudos man!!

One query though, in case of PAT if two internal systems want to use same service suppose 443, then is it possible?

Mayur Pahwa said...

Hi Prateek, your query is valid and quite a common one. Let us not be confused into thinking that if two systems would like to use the Internet over 443, PAT will map them to the same port. PAT attempts to use the original source port number of the internal host to form a unique registered IP address and port number combination.

For example, two hosts that have been assigned the IP addresses and, respectively, could send traffic to and receive traffic from the Internet by using the single public IP address. If that port number is already allocated, PAT searches for an available alternate source port number. Therefore, the host at IP address could access the Internet by using the public IP address and source port combination of Meanwhile, the host at IP address could access the Internet by using the IP address and source port combination of

Another point to add here is that in PAT, the well-known registered ports are hardly ever used for such mapping.

Hope this resolves your query. If not, feel free to ask further.
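To make the PAT section above and Prateek's question in the comments concrete, here is a small translation-table model written for this page; it is added example code, not something from the original post or from any real NAT product. The IP addresses are assumptions (RFC 1918 private addresses inside, RFC 5737 documentation addresses for the NAT device and the Internet host), the ports 43,887 / 23,398 / 40,000 / 40,001 are the article's own, and the `preserve_ports` switch lets the same table reproduce both behaviours described on the page: the article's example, where every new flow is simply handed the next free port, and the comment's description, where PAT keeps the host's original source port when it is free and picks an alternate only on a clash. It also shows the security point from the text: an inbound packet that matches no table entry is dropped.

```python
"""Model of a single-public-address NAT (PAT) translation table.

Added example for this article; not code from the post or any NAT product.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Assumed addresses: RFC 1918 inside, RFC 5737 documentation ranges outside.
PRIVATE_A = "192.168.1.10"
PRIVATE_B = "192.168.1.11"
NAT_PUBLIC_IP = "203.0.113.1"
REMOTE = "198.51.100.7"


@dataclass(frozen=True)
class Packet:
    """Only the header fields PAT rewrites or matches on."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class PatTable:
    """Translation state of one NAT device that owns one public address.

    preserve_ports=False: every new flow gets the next port from a counter
        (40000, 40001, ...), as in the article's worked example.
    preserve_ports=True: keep the host's own source port when it is free and
        fall back to the counter only on a clash, as described in the comments.
    """

    def __init__(self, public_ip: str, preserve_ports: bool = False,
                 first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self.preserve_ports = preserve_ports
        self.next_port = first_port
        self.used_ports: Set[int] = set()
        # (private ip, private port, remote ip, remote port, proto) -> public port
        self.outbound: Dict[Tuple[str, int, str, int, str], int] = {}
        # (public port, remote ip, remote port, proto) -> (private ip, private port)
        self.inbound: Dict[Tuple[int, str, int, str], Tuple[str, int]] = {}

    def _allocate_port(self, wanted: int) -> int:
        if self.preserve_ports and wanted not in self.used_ports:
            port = wanted
        else:
            port = self.next_port
            while port in self.used_ports:
                port += 1
            self.next_port = port + 1
        if port > 65535:
            raise RuntimeError("public port range exhausted")
        self.used_ports.add(port)
        return port

    def outbound_translate(self, pkt: Packet) -> Packet:
        """Rewrite an inside->Internet packet: private src -> public src."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
        public_port = self.outbound.get(key)
        if public_port is None:  # first packet of this flow: create the mapping
            public_port = self._allocate_port(pkt.src_port)
            self.outbound[key] = public_port
            self.inbound[(public_port, pkt.dst_ip, pkt.dst_port, pkt.proto)] = (
                pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, public_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound_translate(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite an Internet->inside packet, or return None to drop it.

        A packet that matches no table entry was never asked for by anyone
        inside (no flow created it), so the NAT device has nowhere to send it.
        """
        if pkt.dst_ip != self.public_ip:
            return None
        entry = self.inbound.get((pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto))
        if entry is None:
            return None
        private_ip, private_port = entry
        return Packet(pkt.src_ip, pkt.src_port, private_ip, private_port, pkt.proto)


def article_example() -> dict:
    """Computer A (port 43887) and B (port 23398) share one public address."""
    nat = PatTable(NAT_PUBLIC_IP, preserve_ports=False)
    a_out = nat.outbound_translate(Packet(PRIVATE_A, 43887, REMOTE, 443))
    b_out = nat.outbound_translate(Packet(PRIVATE_B, 23398, REMOTE, 443))
    reply_to_a = nat.inbound_translate(Packet(REMOTE, 443, NAT_PUBLIC_IP, a_out.src_port))
    # Constructed unsolicited packet: no entry for port 50000, so it is dropped.
    unsolicited = nat.inbound_translate(Packet(REMOTE, 443, NAT_PUBLIC_IP, 50000))
    return {"a_out": a_out, "b_out": b_out, "reply_to_a": reply_to_a,
            "unsolicited": unsolicited}


def same_source_port_example() -> dict:
    """Two hosts both pick source port 43887 towards the same HTTPS server."""
    nat = PatTable(NAT_PUBLIC_IP, preserve_ports=True)
    a_out = nat.outbound_translate(Packet(PRIVATE_A, 43887, REMOTE, 443))
    b_out = nat.outbound_translate(Packet(PRIVATE_B, 43887, REMOTE, 443))
    reply_to_b = nat.inbound_translate(Packet(REMOTE, 443, NAT_PUBLIC_IP, b_out.src_port))
    return {"a_out": a_out, "b_out": b_out, "reply_to_b": reply_to_b}


if __name__ == "__main__":
    for name, result in (("article", article_example()),
                         ("same source port", same_source_port_example())):
        print(name)
        for label, pkt in result.items():
            print(f"  {label}: {pkt}")
```

Note that the inbound lookup is keyed on the remote address and port as well as the public port, so a different Internet host cannot reach an inside machine simply by guessing the public port in use; that is the table-driven dropping of unsolicited traffic the article attributes to the security guard, and it is exactly why a port clash between two inside hosts is resolved on the public side (A keeps 43,887, B is moved to 40,000) rather than being a problem.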