This chapter defines Network Address Translation (NAT), introduces the types of NAT and how NAT works, and describes the application scenarios and implementation principles of source NAT, destination NAT (including static NAT and dynamic NAT), and bidirectional NAT on the NAT firewall device.


NAT is an address translation technology that translates the IP address in an IPv4 header into another IP address. By translating the multiple private addresses carried in IPv4 headers into a single public address, NAT allows multiple intranet users to access the Internet using only one public address, effectively mitigating public IPv4 address exhaustion.

With the expansion of the Internet, a large number of private network users need to access the Internet through public IPv4 addresses. The rapid exhaustion of IPv4 address space causes significant depletion of public addresses. Although IPv6 technology can fundamentally solve the address exhaustion problem, most content and applications are still based on IPv4 and therefore cannot be completely switched to IPv6 within a short time. NAT technology allows public IPv4 addresses to be reused, which solves the problem of IPv4 address exhaustion in the long term.


This document uses Huawei USG6000E series firewall products as an example to introduce the basic principles of NAT. There may be differences in the implementation of different products and versions; refer to the product documentation for the specific version. In this document, FW is short for firewall. Public IP addresses used in feature introductions are for reference only unless otherwise specified.
Table 1-1 Types of NAT

Category | Mode | Translated Item | Port Translated? | Application Scenario
--- | --- | --- | --- | ---
Source NAT | Source address translation without port translation | Source IP address | No | Applies when public IP addresses are sufficient and only a small number of intranet users access the Internet. Private and public addresses are in one-to-one translation relationships.
Source NAT | Source address translation with port translation | Source IP address | Yes | Applies when many intranet users access the Internet. A large number of private addresses are translated into a few public addresses.
Destination NAT | Static NAT: one-to-one mappings between public and private addresses | Destination IP address | Optional | Applies when a public address is used to access a private address, or multiple public addresses are used to access multiple private addresses.
Destination NAT | Static NAT: one-to-one mappings between public and private ports | Destination IP address | Optional | Applies when multiple ports of a public address are used to access multiple ports of a private address.
Destination NAT | Static NAT: one-to-one mappings between multiple ports of a public address and multiple private addresses | Destination IP address | Yes | Applies when multiple ports of a public address are used to access multiple private addresses.
Destination NAT | Static NAT: one-to-one mappings between multiple public addresses and multiple private ports | Destination IP address | Yes | Applies when multiple public addresses are used to access multiple ports of a private address.
Destination NAT | Dynamic NAT: public addresses are randomly translated into addresses in the destination address pool | Destination IP address | Optional | Applies when there are no fixed mappings between public and private addresses and public addresses are randomly translated into addresses in the destination address pool.
Bidirectional NAT | Source NAT + static destination NAT (static NAT) | Source IP address + destination IP address | Optional | Applies when both source and destination addresses need to be translated and destination addresses have fixed mappings before and after NAT.
Bidirectional NAT | Source NAT + dynamic destination NAT (dynamic NAT) | Source IP address + destination IP address | Optional | Applies when both source and destination addresses need to be translated and destination addresses do not have fixed mappings before and after NAT.


A NAT policy consists of the translated address (an address pool address or the outbound interface address), matching conditions, and an action.

Address pool types include source NAT pools (NAT No-PAT, NAPT, triplet NAT, and Smart NAT) and destination address pools. You can select the address pool type or the outbound interface mode based on the NAT mode. The matching conditions include the source address, destination address, source security zone, destination security zone, outbound interface, service, and time range. You can configure matching conditions as required so that NAT is performed on the traffic that matches them.

The destination NAT policy does not support the configuration of the destination security zone and outbound interface as matching conditions.


Actions include source address translation and destination address translation. For either action, the policy can specify that NAT is performed or not performed on the traffic that matches the conditions.

If multiple NAT policies are created, the policies are matched top down. If the traffic matches a NAT policy, the remaining policies are ignored.

In the NAT policy list shown in Figure 1-1, bidirectional and destination NAT policies have higher matching priorities than source NAT policies and are placed before source NAT policies. Bidirectional and destination NAT policies are ordered according to their configuration sequences, as are source NAT policies. A newly added policy, or a policy whose NAT action is modified, is placed at the end of the NAT policies of its own type.

You can adjust the matching order of NAT policies of the same type as required. For example, you can place destination NAT policy 2 above bidirectional NAT policy 1, or place source NAT policy 2 above source NAT policy 1. However, a source NAT policy cannot be placed above bidirectional and destination NAT policies. For example, source NAT policy 1 cannot be placed above destination NAT policy 4 or bidirectional NAT policy 3.


Figure 1-1 Example of a NAT policy list
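The ordering and top-down matching rules above, as an added model (constructed example code, not Huawei's implementation): the policy names, zones and addresses are assumed, and the reorder check refuses to move a source NAT policy above a bidirectional or destination NAT policy.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of the NAT policy list (example code, not the firewall's):
# bidirectional and destination NAT policies are always matched before source
# NAT policies; within each group the order is the configuration order, and a
# newly added policy goes to the end of its own group.
HIGH_PRIORITY = ("bidirectional", "destination")


@dataclass
class NatPolicy:
    name: str
    kind: str                        # "source", "destination" or "bidirectional"
    src_zone: Optional[str] = None   # matching conditions; None means "any"
    dst_zone: Optional[str] = None
    dst_addr: Optional[str] = None
    action: str = "nat"              # "nat" or "no-nat" (NAT not performed)

    def matches(self, src_zone: str, dst_zone: str, dst_addr: str) -> bool:
        conds = ((self.src_zone, src_zone), (self.dst_zone, dst_zone),
                 (self.dst_addr, dst_addr))
        return all(want is None or want == got for want, got in conds)


class NatPolicyList:
    def __init__(self) -> None:
        self.high: list = []   # bidirectional + destination NAT policies
        self.low: list = []    # source NAT policies

    def _group(self, policy: NatPolicy) -> list:
        return self.high if policy.kind in HIGH_PRIORITY else self.low

    def add(self, policy: NatPolicy) -> None:
        # A destination NAT policy does not support a destination-zone condition.
        if policy.kind == "destination" and policy.dst_zone is not None:
            raise ValueError(f"{policy.name}: destination zone not supported")
        self._group(policy).append(policy)   # new policy: end of its own group

    def _find(self, name: str) -> NatPolicy:
        for p in self.high + self.low:
            if p.name == name:
                return p
        raise KeyError(name)

    def move_above(self, name: str, target: str) -> None:
        """Reorder within a group. A source NAT policy can never be moved above
        a bidirectional or destination NAT policy."""
        p, t = self._find(name), self._find(target)
        group = self._group(p)
        if group is not self._group(t):
            raise ValueError(f"cannot place {name} above {target}")
        group.remove(p)
        group.insert(group.index(t), p)

    def ordered(self) -> list:
        return [p.name for p in self.high + self.low]

    def lookup(self, src_zone: str, dst_zone: str, dst_addr: str):
        """Top-down matching: the first matching policy wins, later ones are ignored."""
        for p in self.high + self.low:
            if p.matches(src_zone, dst_zone, dst_addr):
                return p
        return None


def build_example() -> NatPolicyList:
    """Policies from the ordering example above; names and addresses are constructed."""
    pl = NatPolicyList()
    pl.add(NatPolicy("src-1", "source", src_zone="trust", dst_zone="untrust"))
    pl.add(NatPolicy("bidir-1", "bidirectional", dst_addr="1.1.1.10"))
    pl.add(NatPolicy("dst-2", "destination", dst_addr="1.1.1.20"))
    pl.add(NatPolicy("bidir-3", "bidirectional", dst_addr="1.1.1.30"))
    pl.add(NatPolicy("dst-4", "destination", dst_addr="1.1.1.40"))
    pl.add(NatPolicy("src-2", "source", src_zone="dmz", dst_zone="untrust"))
    return pl
```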
Types of NAT: Source NAT

Overview of Source NAT


Source NAT translates source addresses of packets.

Source NAT translates private IP addresses into public IP addresses so that users on an intranet can use public IP addresses to access the Internet. Figure 1-2 shows the translation process.


Figure 1-2 Source NAT mechanism

Figure 1-2 shows the source NAT process when the host accesses the web server.

1. Upon receiving packets sent from the private network to the Internet, the FW translates the private source addresses into public source addresses.
2. Upon receiving the return packets, the FW translates the public destination addresses back to private destination addresses.

Based on whether port translation is performed during source address translation, source NAT falls into NAT involving only source address translation (NAT No-PAT) and NAT involving both source address translation and source port translation (NAPT, Smart NAT, Easy IP, and triplet NAT).


NAT No-PAT translates only IP addresses and maps each private address to a single public address. This mode applies to scenarios where each private network user can usually be given a public IP address from the address pool. Figure 1-3 shows its mechanism.


Figure 1-3 Mechanism of NAT No-PAT

Figure 1-3 shows the NAT No-PAT process when the host accesses the web server.

After the host sends a packet to the FW, the FW finds that the packet needs to travel from the Trust zone to the Untrust zone and that the packet matches a security policy. The FW also finds that the packet matches a specific NAT policy, so NAT address translation must be performed.

In this manner, one-to-one translation is performed between private and public IP addresses. If all addresses in the address pool are allocated, NAT cannot be performed for the remaining intranet hosts until the address pool has available addresses again.

The FW generates a server-map table that stores the mappings between host private IP addresses and public IP addresses.

Forward server-map entries allow for fast address translation when a private network user accesses the Internet, improving the processing efficiency of the FW. Return server-map entries allow for address translation when an Internet user proactively accesses a private network user.

NAT No-PAT falls into two types:

Local No-PAT

The server-map table generated by local No-PAT contains security zone parameters. Only servers in this security zone can access the intranet host.

Global No-PAT

The server-map table generated by global No-PAT does not contain security zone parameters. Servers in all security zones can access the intranet host.


NAPT translates both IP addresses and ports to enable multiple private addresses to share one or multiple public addresses. NAPT applies to scenarios with a few public addresses but many private users who need to access the Internet. Figure 1-4 shows its mechanism.


Figure 1-4 Mechanism of NAPT

Figure 1-4 shows the NAPT process when the host accesses the web server.

After the host sends a packet to the FW, the FW finds that the packet needs to travel from the Trust zone to the Untrust zone and that the packet matches a security policy. The FW also finds that the packet matches a specific NAT policy, so NAT address translation must be performed.

As both addresses and ports are translated, multiple private users can share one public address to access the Internet. The FW distinguishes users based on ports, so more users can access the Internet at the same time. Note that NAPT does not generate server-map entries, which differs from NAT No-PAT.


Smart NAT is supplementary to No-PAT. In Smart NAT mode, one IP address in a No-PAT address pool is reserved for NAPT. Smart NAT applies to scenarios where each private network user can usually be given a public IP address from the address pool, but public addresses are occasionally insufficient.

In No-PAT mode, one-to-one address translation is performed. As the number of intranet users increases, the number of addresses in the address pool may no longer meet users' Internet access requirements, so certain users cannot access the Internet. In this case, the reserved IP address can be used for NAPT so that these users can still access the Internet. Figure 1-5 shows its mechanism.


Figure 1-5 Mechanism of Smart NAT

When multiple hosts on the intranet simultaneously access the server, the process is as follows:

1. Upon receiving a packet from the intranet, the FW first checks the destination IP address and identifies that the packet is destined for the Untrust zone from the Trust zone. If the packet is permitted by an interzone security policy, the FW searches for a matching NAT policy and finds that address translation is required.
2. If the NAT address pool has an available public address, the FW replaces the source IP address of the packet with that public IP address and forwards the packet to the server. At the same time, the FW adds an entry to the session table.
3. If the NAT address pool has no available public address, the FW replaces the source IP address of the packet with the reserved NAPT address, replaces the source port with a new port, and forwards the packet to the Internet. At the same time, the FW adds an entry to the session table.

In this mode, the FW preferentially uses the No-PAT mode. After the public addresses available for No-PAT are exhausted, the reserved IP address is used for NAPT for subsequent user connections.
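The No-PAT allocation and its exhaustion case, together with the Smart NAT fallback to the reserved NAPT address, as an added simulation (constructed example code, not the firewall's implementation; the public addresses, private addresses and port range are assumed). Constructing the pool without a reserved address gives plain No-PAT, and an empty No-PAT pool with only a reserved address behaves like NAPT.

```python
import itertools
from typing import Dict, List, Optional, Tuple

# Constructed simulator of the source NAT address-pool modes (example code, not
# the firewall's). All addresses and ports are made up.
Endpoint = Tuple[str, int]


class SourceNatPool:
    """No-PAT address pool with an optional address reserved for NAPT (Smart NAT)."""

    def __init__(self, nopat_addrs: List[str], reserved_napt: Optional[str] = None,
                 port_range: Tuple[int, int] = (10000, 65535)) -> None:
        self.free = list(nopat_addrs)          # No-PAT addresses not yet allocated
        self.server_map: Dict[str, str] = {}   # forward entries: private IP -> public IP
        self.reserved = reserved_napt          # Smart NAT: the address used for NAPT
        self.next_port = itertools.count(port_range[0])
        self.port_max = port_range[1]
        self.napt_sessions: Dict[Endpoint, Endpoint] = {}  # private -> public endpoint

    def translate(self, src_ip: str, src_port: int) -> Optional[Endpoint]:
        """Post-NAT (ip, port) for an outbound packet that matched a NAT policy,
        or None when NAT cannot be performed (pool exhausted, nothing reserved)."""
        if src_ip in self.server_map:             # existing No-PAT mapping
            return self.server_map[src_ip], src_port
        if self.free:                             # No-PAT: one-to-one, port kept
            public_ip = self.free.pop(0)
            self.server_map[src_ip] = public_ip
            return public_ip, src_port
        if self.reserved is None:                 # plain No-PAT: host must wait
            return None
        key = (src_ip, src_port)                  # Smart NAT: fall back to NAPT
        if key not in self.napt_sessions:
            port = next(self.next_port)
            if port > self.port_max:
                return None                       # NAPT port space exhausted
            self.napt_sessions[key] = (self.reserved, port)
        return self.napt_sessions[key]

    def release(self, src_ip: str) -> Optional[str]:
        """A No-PAT entry ages out: its public address returns to the pool."""
        public_ip = self.server_map.pop(src_ip, None)
        if public_ip is not None:
            self.free.append(public_ip)
        return public_ip

    def inbound(self, public_ip: str) -> Optional[str]:
        """Return server-map lookup for an Internet user proactively reaching a
        private host. NAPT creates no server-map entries, so the reserved
        address never resolves to a private host."""
        for private_ip, mapped in self.server_map.items():
            if mapped == public_ip:
                return private_ip
        return None
```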


Easy IP uses the public IP address of the outbound interface as the post-NAT address and translates both the IP address and port. Easy IP also applies to scenarios where the interface IP address is dynamically obtained.

When the outbound interface of the FW obtains its public IP address through dial-up, you cannot add the public IP address to an address pool because the address is dynamically obtained. In this case, you need to configure the Easy IP mode so that the FW can still translate addresses when the public IP address changes. Figure 1-6 shows its mechanism.


Figure 1-6 shows the Easy IP process when the host accesses the web server.

After the host sends a packet to the FW, the FW finds that the packet needs to travel from the Trust zone to the Untrust zone and that the packet matches a security policy. The FW also finds that the packet matches a specific NAT policy, so NAT address translation must be performed.

As both addresses and ports are translated, multiple private users can share one public address to access the Internet. The FW distinguishes users based on ports, so more users can access the Internet at the same time.


Triplet NAT translates the source addresses and ports of packets. It allows Internet users to access private users, and coexists with P2P-based file sharing, audio communication, and video transmission.

If the FW uses quintuple NAT (NAPT) in a scenario where intranet PCs access the Internet, extranet devices cannot proactively access the intranet PCs through the translated IP addresses and ports.

Triplet NAT resolves this issue because it has the following two features. Figure 1-7 shows its mechanism.

1. The ports assigned by triplet NAT are not reused. This ensures port consistency for intranet PCs but lowers public IP address usage.
2. Extranet devices can proactively access intranet PCs through the translated IP addresses and ports. The FW permits such access packets even when no security policy is configured for them.

Figure 1-7 shows the triplet NAT process when host A accesses host B.

1. After receiving a packet sent from host A, the FW determines, based on the destination IP address, that the packet needs to travel between the Trust and Untrust zones. After the interzone security policy check is performed, the FW searches for the interzone NAT policy and discovers that NAT needs to be performed on the packet.
2. When receiving host C's request to access host A before the server-map table ages, the FW can also search the server-map table and send the packet to host A based on the mappings in the table.

The FW generates a server-map table that stores the mappings between host private IP addresses and public IP addresses.

Forward server-map entries ensure that the post-NAT addresses and ports of intranet PCs remain unchanged. Return server-map entries allow extranet devices to proactively access intranet PCs.

Triplet NAT can be categorized into two types:

The FW supports Smart triplet NAT and determines the port assignment mode based on packet destination ports, allowing some public IP addresses to be reused. If a packet's destination port number is in the configured range, the NAPT mode is used for port assignment; otherwise, the triplet NAT mode is used.
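The contrast above between quintuple NAT (NAPT) and triplet NAT, and the Smart triplet destination-port rule, as an added model (constructed example code, not the firewall's implementation; the public address, port numbers and the configured port range are assumed). It shows why an extranet device can reach a private endpoint only through the triplet NAT mapping.

```python
import itertools
from typing import Dict, Optional, Tuple

# Constructed models contrasting quintuple NAT (NAPT) with triplet NAT
# (example code, not the firewall's). Addresses and ports are made up.
Endpoint = Tuple[str, int]


class Napt:
    """Quintuple NAT: the mapping is bound to the full 5-tuple, so the same
    private endpoint gets a new public port per destination, and an inbound
    packet from any other peer matches no session and is dropped."""

    def __init__(self, public_ip: str, first_port: int = 20000) -> None:
        self.public_ip = public_ip
        self.ports = itertools.count(first_port)
        self.sessions: Dict[Tuple[str, int, str, int], int] = {}

    def outbound(self, src_ip, src_port, dst_ip, dst_port) -> Endpoint:
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.sessions:
            self.sessions[key] = next(self.ports)
        return self.public_ip, self.sessions[key]

    def inbound(self, peer_ip, peer_port, public_port) -> Optional[Endpoint]:
        for (src_ip, src_port, dst_ip, dst_port), port in self.sessions.items():
            if port == public_port and (dst_ip, dst_port) == (peer_ip, peer_port):
                return src_ip, src_port
        return None                               # no matching session: dropped


class TripletNat:
    """Triplet NAT: the mapping is bound to the private endpoint only (the real
    triplet also includes the protocol, omitted here). The public port is never
    reused for another private endpoint, and the return server-map entry lets
    any extranet device reach the private endpoint."""

    def __init__(self, public_ip: str, first_port: int = 30000) -> None:
        self.public_ip = public_ip
        self.ports = itertools.count(first_port)
        self.forward: Dict[Endpoint, int] = {}   # private endpoint -> public port
        self.reverse: Dict[int, Endpoint] = {}   # public port -> private endpoint

    def outbound(self, src_ip, src_port, dst_ip, dst_port) -> Endpoint:
        key = (src_ip, src_port)
        if key not in self.forward:
            port = next(self.ports)
            self.forward[key] = port
            self.reverse[port] = key
        return self.public_ip, self.forward[key]

    def inbound(self, peer_ip, peer_port, public_port) -> Optional[Endpoint]:
        return self.reverse.get(public_port)     # any peer may initiate


class SmartTripletNat:
    """Destination ports inside the configured range use NAPT port assignment
    (ports can be reused); all other traffic uses triplet NAT."""

    def __init__(self, public_ip: str, napt_dst_ports: Tuple[int, int]) -> None:
        self.napt = Napt(public_ip)
        self.triplet = TripletNat(public_ip)
        self.lo, self.hi = napt_dst_ports

    def outbound(self, src_ip, src_port, dst_ip, dst_port) -> Endpoint:
        engine = self.napt if self.lo <= dst_port <= self.hi else self.triplet
        return engine.outbound(src_ip, src_port, dst_ip, dst_port)
```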


Destination NAT translates the destination addresses and ports of packets.

Destination NAT translates public IP addresses into private IP addresses so that extranet users can access intranet servers through public IP addresses. Figure 1-8 shows the translation process.


When an extranet user accesses the intranet server, the FW performs as follows:

1. Upon receiving packets sent from the extranet user to the intranet server, the FW translates the public destination addresses into private destination addresses.
2. Upon receiving the return packets, the FW translates the private source addresses back to public source addresses.

Based on whether post-NAT destination addresses are fixed, destination NAT falls into static NAT and dynamic NAT.


Types of Destination NAT | Description
--- | ---
Dynamic NAT | Public addresses are randomly translated into addresses in the destination address pool. Dynamic NAT applies when there are no fixed mappings between public and private addresses and public addresses are randomly translated into addresses in the destination address pool.
Static NAT | One-to-one mappings between public and private addresses. This mode of static NAT applies when a public address is used to access a private address or multiple public addresses are used to access multiple private addresses.
Static NAT | One-to-one mappings between public and private ports. This mode of static NAT applies when multiple ports of a public address are used to access multiple ports of a private address.
Static NAT | One-to-one mappings between multiple ports of a public address and multiple private addresses. This mode of static NAT applies when multiple ports of a public address are used to access multiple private addresses.
Static NAT | One-to-one mappings between multiple public addresses and multiple private ports. This mode of static NAT applies when multiple public addresses are used to access multiple ports of a private address.
Static NAT | NAT Server. This mode of static NAT applies to scenarios where there are fixed mappings between private IP addresses and public IP addresses, between private IP addresses and public port numbers, between private port numbers and public IP addresses, and between private port numbers and public port numbers. NAT Server is configured with the nat server command.


Static destination NAT translates the destination IP address of the packet, and there is a fixed mapping between the pre-NAT and post-NAT addresses.

For the sake of security, extranets are generally not allowed to proactively access intranets. Occasionally, however, a method is needed to permit access from extranets. For example, a company intends to provide resources for customers and for employees on business trips.

Figure 1-9 shows the mechanism of static destination NAT based on the NAT policy.


As shown in Figure 1-9, when the host accesses the server, the FW performs as follows:

1. Upon receiving a packet destined for 1.1.1.10 from an Internet user, the FW searches for a matching NAT policy and then performs destination address translation on the packet.
2. When receiving subsequent packets sent from the host to the server, the FW directly translates their addresses according to the session entries.

Dynamic destination NAT dynamically translates the destination IP address of the packet, and there is no fixed mapping between the pre-NAT and post-NAT addresses.

Static destination NAT meets the requirements of most destination address translation scenarios. In some cases, however, the post-NAT address is expected not to be fixed. The scenario where mobile devices access wireless networks through destination address translation is a case in point.

Figure 1-10 shows the mechanism of dynamic destination NAT based on the NAT policy.


Figure 1-10 shows the destination NAT process when host A accesses the server.

After receiving the packet from host A, the FW translates the destination address of the packet that matches the NAT policy: it randomly selects an address from the address pool as the translated address and translates the destination IP address of the packet from 172.16.16.2 to 192.168.1.2.

Bidirectional NAT translates both source information and destination information in packets. Bidirectional NAT is not an independent function; it is only a combination of source NAT and destination NAT applied to the same flow. When receiving a packet, the firewall translates both its source and destination addresses.

Bidirectional NAT applies mainly to the following scenarios.


When an extranet user accesses an intranet server, bidirectional NAT can be used to translate both the source and destination addresses of the packet, which saves the effort of setting the gateway on the intranet server and simplifies configuration.


As shown in Figure 1-11, when the host accesses the server, the FW performs as follows:

1. The FW performs address translation for the packet that matches the bidirectional NAT policy. The FW selects a public IP address from the destination NAT address pool to replace the destination IP address of the packet and replaces the destination port number with the new port number.
2. The FW checks whether the packet passes the security policy. If so, the FW replaces the source IP address of the packet with a private IP address picked from the NAT address pool and the source port with a new port, and then forwards the packet to the intranet. At the same time, the FW adds an entry to the session table.
3. Upon receiving the packet that the server sends in reply to the host, the FW searches the session table and matches the entry created earlier. Accordingly, the FW changes the source and destination addresses of the packet back to the original source and destination addresses, and the source and destination ports back to the original source and destination ports. The FW then forwards the packet to the Internet.

Users on the intranet attempt to access the public address of the intranet server on the same subnet in their own security zone.


As shown in Figure 1-12, when the host accesses the server, the FW performs as follows:

1. The FW performs address translation for the packet that matches the bidirectional NAT policy. The FW selects a public IP address from the destination NAT address pool to replace the destination IP address of the packet and replaces the destination port number with the new port number.
2. The FW checks whether the packet passes the security policy. If so, the FW replaces the source IP address of the packet with a private IP address picked from the NAT address pool and the source port with a new port, and then forwards the packet to the intranet. At the same time, the FW adds an entry to the session table.
3. Upon receiving the packet that the server sends in reply to the host, the FW searches the session table and matches the entry created earlier. Accordingly, the FW changes the source and destination addresses of the packet back to the original source and destination addresses, and the source and destination ports back to the original source and destination ports. The FW then forwards the packet to the host.
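The two bidirectional NAT walk-throughs above share one mechanism; this added model (constructed example code, not the firewall's implementation) shows the forward translation of a packet that matches the bidirectional policy, the security-policy check on the translated destination, and the reverse translation of the server's reply from the session entry. The destination NAT pool, the source address pool, the ports and the security policy are all assumed.

```python
import itertools
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed model of bidirectional NAT (example code, not the firewall's).
# Addresses, ports and the security policy are made up.


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class BidirectionalNat:
    def __init__(self, dst_map: Dict[Tuple[str, int], Tuple[str, int]],
                 src_pool: List[str], permit: Callable[[Packet], bool],
                 first_port: int = 10000) -> None:
        self.dst_map = dst_map                     # destination NAT pool: published -> server
        self.src_pool = itertools.cycle(src_pool)  # NAT address pool for the new source
        self.permit = permit                       # security policy, checked after destination NAT
        self.ports = itertools.count(first_port)
        # session table: keyed by the tuple the reply will carry -> original packet
        self.sessions: Dict[Tuple[str, int, str, int], Packet] = {}

    def forward(self, pkt: Packet) -> Optional[Packet]:
        """Translate a packet from the host towards the server; None = not forwarded."""
        target = self.dst_map.get((pkt.dst_ip, pkt.dst_port))
        if target is None:
            return None                  # no bidirectional NAT policy matched
        after_dnat = Packet(pkt.src_ip, pkt.src_port, *target)
        if not self.permit(after_dnat):
            return None                  # security policy denies the translated packet
        out = Packet(next(self.src_pool), next(self.ports), *target)
        self.sessions[(out.dst_ip, out.dst_port, out.src_ip, out.src_port)] = pkt
        return out

    def reply(self, pkt: Packet) -> Optional[Packet]:
        """Translate the server's reply back using the matching session entry."""
        orig = self.sessions.get((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
        if orig is None:
            return None                  # no session entry: reply is not translated
        # Restore the original addresses and ports, swapped for the return direction.
        return Packet(orig.dst_ip, orig.dst_port, orig.src_ip, orig.src_port)
```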

Network address translation (NAT), a feature found in many firewalls, translates between external and internal IP addresses. With NAT, a private network can use internal, non-routable IP addresses that map to one or more external IP addresses. Furthermore, a single IP address can represent many computers within a network.




How Does NAT Work?

NAT works by having a firewall act as an intermediary for traffic entering and leaving the protected network. Inbound traffic is directed to a public-facing IP address, which the firewall translates to an internal IP address before sending the traffic on to its destination. Outbound traffic's source addresses are similarly updated from private, internal IP addresses to public, external ones.

The technology works similarly to many organizations' phone systems. The company publishes a single, public number for external callers. Once a customer calls this number, they are transferred to a specific internal phone based on the details of their request.


Importance of NAT

NAT has a few different benefits, but one of the most significant is that it has dramatically increased the scalability of the IPv4 addressing scheme. The IPv4 scheme has fewer than 4.3 billion possible addresses, and there are over 20 billion devices connected to the Internet.

With a one-to-one mapping of IP addresses to devices, the IPv4 protocol's pool of available addresses would have been exhausted years ago, forcing a switch to IPv6. However, with NAT, many Internet-connected devices can share the same public-facing IPv4 address, which has enabled the IPv4 standard to scale to meet demand.


Types of Network Address Translation

NAT can be implemented in a few different ways, including:

Static NAT: Static NAT maps an internal IP address to an external one on a one-to-one basis. This doesn't help with the scalability of IPv4 but does make a system reachable from outside the network without disrupting internal addressing schemes.

Dynamic NAT: With Dynamic NAT, a firewall has a pool of external IP addresses that it assigns to internal computers as needed. Like Static NAT, this creates a one-to-one mapping between internal and external IP addresses; however, these mappings are not permanent.

Port Address Translation (PAT): PAT is used to create many-to-one mappings between internal and external IP addresses. The firewall uses the same IP address for multiple systems but assigns a different TCP or UDP port to each. Since a single IP address can have 65,535 ports associated with it, PAT allows a single external IP address to represent thousands of devices on a private network. PAT is the application of NAT that allows IPv4 addresses to scale.

NAT Configuration

The details of a NAT firewall configuration depend on the type of NAT used by an organization. For example, Static NAT and PAT may use a single external IP address, while Dynamic NAT uses several.

For all NAT configurations, an organization is able to use private IP addresses within its local area networks (LANs). The IPv4 ranges 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 are intended for internal use only. Devices within an organization's LAN can be assigned one of these addresses, but these addresses are not routable outside of the organization's network.

The translation process from an internal, private address to an external, public address depends on the NAT scheme used. In all cases, traffic has to pass through a firewall that performs the translation. This firewall rewrites the headers of inbound and outbound packets based on internal lookup tables, converting between IP addresses or assigning traffic to a particular port on a shared address.


How Does Network Address Translation Improve Security?

In addition to improving the scalability of IPv4, NAT also provides significant security benefits. These include:

Improved Privacy: NAT makes an organization's internal network structure opaque from outside of the network. External systems see a single IP address or a set of frequently changing ones, making it difficult to create a map of an organization's internal network for use in later attacks.

NAT in Check Point NGFW

NAT can help to bolster an organization's security by forcing all traffic to pass through a network firewall. However, this only provides security benefits if that firewall can detect and block malicious network traffic. To learn more about what to look for in an NGFW, check out this buyer's guide.


Check Point NGFWs offer high-performance NAT functionality as well as enterprise-grade threat prevention capabilities. To see Check Point firewalls in action, you're welcome to sign up for a free demo.