One disadvantage of NAT is that it defeats "Internet transparency," the principle that packets remain intact from end to end (see RSIP).
NAT Adds Security
NAT not only conserves public IP addresses, but it also enhances security by keeping internal addresses hidden from the outside world. NAT prevents several kinds of first-level attacks, but not all, and must be used in conjunction with a personal firewall in a home network and more robust firewalls in a company (see firewall).
Static and Dynamic NAT
In static NAT, there is a manual assignment of a public address to each internal machine, and that assignment is used all the time. Dynamic NAT uses a pool of public addresses and assigns them on a first-come, first-served basis. Both static and dynamic NAT require that enough public addresses are available to satisfy the total number of simultaneous user sessions.
Port Address Translation (PAT)
The most common NAT method used today is port address translation (PAT), which is also called "NAT overloading," "network address port translation" (NAPT) and "NAT/PAT." PAT is used in large enterprises as well as small offices and the home. Just like any department in a company, families want simultaneous Internet access for several people, and cable modems, DSL and ISDN connections have only one public IP address.
PAT ensures that a different TCP port number is used for each client session with a server on the Internet. When the response comes back from the server, the source port number, which becomes the destination port number on the return trip, determines which user to route the packets to. It also validates that the incoming packets were indeed requested. See NAT traversal, UDP hole punching, private IP address and proxy server.
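The port mapping and reply check described above can be shown as a small simulation. This is an added example, not part of the original encyclopedia entry; the class and function names, the addresses (documentation ranges) and the tiny port pool are constructed, and the check that a reply must come from the server the client contacted is an assumed filtering policy that not every NAT device applies.

```python
from dataclasses import dataclass, field

PUBLIC_IP = "203.0.113.5"  # constructed sample: the device's single public address

@dataclass
class PatTable:
    """Toy PAT device: one public IP, one public port per client session."""
    first_port: int = 40000
    last_port: int = 40003  # tiny pool (assumption) so exhaustion is easy to see
    by_session: dict = field(default_factory=dict)  # (client, server) -> public port
    by_port: dict = field(default_factory=dict)     # public port -> (client, server)

    def outbound(self, client, server):
        """Rewrite the source of an outgoing packet; endpoints are (ip, port)."""
        key = (client, server)
        if key not in self.by_session:
            free = [p for p in range(self.first_port, self.last_port + 1)
                    if p not in self.by_port]
            if not free:
                raise RuntimeError("PAT port pool exhausted")
            self.by_session[key] = free[0]
            self.by_port[free[0]] = key
        return (PUBLIC_IP, self.by_session[key]), server

    def inbound(self, src, dst):
        """Return the internal (ip, port) a reply belongs to, or None to drop it."""
        if dst[0] != PUBLIC_IP or dst[1] not in self.by_port:
            return None  # no session uses that port: the packet was never requested
        client, server = self.by_port[dst[1]]
        if src != server:
            return None  # port is mapped, but not for this sender (assumed policy)
        return client

def demo():
    """Two clients using the same source port reach one server through PAT."""
    nat = PatTable()
    web = ("198.51.100.10", 443)
    a_src, _ = nat.outbound(("192.168.1.10", 51000), web)
    b_src, _ = nat.outbound(("192.168.1.11", 51000), web)
    stranger = ("192.0.2.66", 4444)
    return {
        "a_public": a_src,
        "b_public": b_src,
        "reply_to_a": nat.inbound(web, a_src),
        "reply_to_b": nat.inbound(web, b_src),
        "unsolicited": nat.inbound(stranger, (PUBLIC_IP, 40002)),
        "wrong_sender": nat.inbound(stranger, a_src),
    }
```

Both clients appear to the server as the same public address on different ports, and only packets that match an existing table entry are translated back to an internal host.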
NAT/PAT
By using a different port number for each user, the NAT device knows which client PC to route the incoming packets to.
Reproduced with permission from Computer Desktop Encyclopedia. Copyright (c) 1981-2008 The Computer Language Company Inc. All rights reserved.



