One of the things we'll remember about 2015 is that it was the year ARIN finally ran out of public IPv4 space. Yet despite the depletion, IPv4 is still the dominant addressing mechanism running on the vast majority of organizations today. And in many cases, few are in any big hurry to migrate over to IPv6. The reason that most IT professionals ignored the doomsday cries regarding IPv4 exhaustion is that many companies relied on Network Address Translation (NAT) to significantly reduce the number of public IP addresses they required.
In fact, these days, it's not uncommon for small companies to operate with a single public IPv4 address. And if your company is larger and requires connectivity/redundancy using external BGP peering, then an IPv4 subnet that has 254 usable addresses will work just fine. This provides 254 publically addressable IP addresses -- plenty of addresses to operate a decent sized, publically accessible data center and thousands of employees. NAT is the key to limiting the need to have public addresses assigned to all internal devices in a 1-to-1 ratio.
In this guide, we'll explain how NAT works and walk you through the two NAT configuration options: static NAT translation and Port Address Translation.
(Image: TonisPan/iStockphoto with modification)
How NAT works
How does NAT work to limit the number of public IPv4 addresses needed? At the organization edge, the router or firewall between the internal network and the public Internet will be running NAT. The job of NAT in this scenario is to translate between publically accessible IP addresses and private-only IP addresses. Within the IPv4 addressing space, there are IP spaces that are designated as private LAN addresses. This essentially means that they cannot be routed across the Internet. These addresses are specified under RFC 1918 and consist of the following IP ranges:
Companies commonly address all internal devices using IPv4 within in these private LAN IPv4 ranges. By doing so, internal communication across private LANs and WANs works just fine with private addressing. But when a device needs to communicate out to the Internet -- or when external Internet devices need to communicate to internal device devices -- the private IP must be translated to a public IP. The job of NAT is to maintain a table that keeps track of public-to-private IP translations. This is known as a NAT translation table and looks something like the screenshot above.
As you can see, the public IP address of 18.104.22.168 (Inside global) is translated to the private IP address of 192.168.100.11 (Inside local). By doing so, privately addressed devices can communicate to the outside world.
Static NAT translation
From a configuration standpoint, network administrators can configure NAT in two ways. The first is known as a static NAT translation. This is a 1-to-1 IP translation between a single public IP address and a single private IP address. Static NATs are commonly configured for servers that are heavily used and require a number of TCP/UDP ports to be opened. In the following configuration example, were configuring three static NAT translations. The private LAN address of 192.168.100.11 will always translate to the public IP address of 22.214.171.124. The same goes for 192.168.100.12 to 126.96.36.199 and 192.168.100.13 and 188.8.131.52. Note that in addition to configuring the 1-to-1 static NAT translation rules, we must also specify which interface of the router connects to the public outside network and which one connects to the private LAN inside network (see screenshot above).
Port Address Translation
The second NAT configuration option is called Port Address Translation (PAT). The primary difference here is that the translation is 1-to-many as opposed to 1-to-1. By using a 1-to-many translation, a single public IP can be used to translate many private IP addresses. It can do this by keeping track of private IP addresses by the TCP and UDP ports they use in the NAT translation table. For example, this NAT translation table shows the public IP address of 184.108.40.206 being used by two different private IP addresses. The table can differentiate conversations by appending a number to each conversation. For example, 220.127.116.11 with a :3 translates to the private LAN address of 192.168.100.11:3.
Here is an example of how to configure PAT to the IP address assigned to the outside interface fa0/0 which is 18.104.22.168. To specify a range of private LAN IP addresses, we configure an access list. In our example, we state that any IP address in the 192.168.100.0/24 subnet will be translated to 22.214.171.124 when attempts are made to the Internet. Again, the Internet (outside) is reachable on fa0/0 and the private LAN (inside) is fa0/1 (see screenshot above).
What about IPv6?
While its technically possible to configure NAT for IPv6, there is little reason to do so. Because IPv6 has 7.9x1028 the number of publicly routable addresses compared to IPv4, most organizations will simply use publicly routable IPv6 addresses on all internal devices. Its a cleaner design and allows for a direct device-to-device communication -- the way the Internet was truly meant to work. Its important to note that NAT provides no security benefits, something that is often misunderstood in some networking circles. The one and only benefit is to reduce the number of public IPs required. And since there are more than enough public IPv6 addresses available, IPv6 negates the need for NAT.