NAT's the way

You may have come across the acronym NAT in the course of your networking travels. It stands for network address translation and describes a useful networking technology - so good, in fact, that almost all shared Internet connections employ it.

Put simply, NAT allows a network of PCs to access the Internet via a single IP address. Why should we need this? Surely there are enough IP addresses to go round?

More IPs please

Theoretically there are (count 'em) 4,294,967,296 unique IP addresses. The actual number available is somewhat smaller at about 3.3 billion, thanks to the way the addresses are separated into classes and because some are set aside for testing or other special uses. It sounds a lot, but it isn't enough.

The long-term solution to this is to redesign the format to allow for more possible variations. This is currently being developed (it's called IPv6), but will take several years to implement.

In the meantime we use NAT, as laid down in the RFC 1631 document. Network address translation allows a single device, such as a router, to act as an agent between the Internet and a local or private network. This means that only one IP address is required for a group of computers - see this screen shot.

NAT can be provided either by hardware (a router) or software (a proxy server). Either way, it hides your internal IP addresses from the outside world. With NAT you use a range of private IP addresses on your LAN (local area network). These are private in that there are no computers connected to the Internet with an IP address in that range. So long as they're not directly connected to the Web or each other, many thousands of computers around the world can have identical IP addresses.

The Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of the IP address space for private local networks:

• 10.0.0.0 - 10.255.255.255
• 172.16.0.0 - 172.31.255.255
• 192.168.0.0 -
• 192.168.255.255

Also, IP addresses 169.254.0.0 to 169.254.255.255 are reserved for automatic private IP addressing.

Back of the 'net

Another benefit of NAT is apparent in network administration. For example, you can move your Web server (or server) to another host PC without having to worry about broken links. You simply change the inbound mapping at the router to reflect the new host. Making changes to your internal network is also easy, because the only external IP address either belongs to the router or comes from a pool of global addresses.

NAT and DHCP (dynamic host configuration protocol) work well together, too. You can choose a range of unregistered IP addresses for your private network and have the DHCP server dole them out as necessary.

It also makes it much easier to scale up your network when you want. You can just increase the range of available IP addresses configured in DHCP to immediately have room for additional computers.

Monkey business

NAT is devilishly clever. It monkeys about with each packet of data it receives from or sends to the Internet - on the fly. It substitutes a globally-registered IP address into the source IP address as part of a message leaving the private network. It then restores the private address into the destination part of a reply message entering the private network.

So, when data is requested by a workstation, a NAT router will automatically doctor the incoming packets, removing the public IP address from them and substituting the correct private code for that workstation. If you think about it, that's a pretty nifty juggling trick.

Safe and sound

As well as greatly simplifying Internet access, NAT brings a bonus in the shape of added security. It automatically provides firewall-style protection. That's because it only allows connections that originate on the inside of the network.

This means, for example, that an internal client can connect to an outside FTP server, but an external client will not be able to connect to an internal server because it would have to originate the connection. NAT won't allow that. It's harder to attack hosts when you can't reach them. No inbound connections are allowed through the NAT translator unless it is specifically configured for them. This makes NAT routers into cost-effective low-end firewalls, though most routers now come with built-in hardware firewalls, too - see here.

Only the router has a single "public" IP address and so it, or a proxy server, has the job of working out which incoming packet belongs to which workstation. As a result, the only IP address intruders can see is the port on the NAT device that connects you to the Internet. And what's attached to that address is a simple router and not a PC, which makes it just that little bit harder to hack. If the router does have password protection, it's essential to use it to deter intruders.

NAT is not totally impervious to external attack either: there are several tools - called IP spoofers - that can deduce internal "private" addresses and present themselves as local users. A simple NAT device can't keep hackers from running DoS (denial of service) attacks on you, but individuals rarely get attacked like that. It will keep out people looking for file shares, rogue mail servers and Web servers. You're even protected from most port-based exploits.

With a NAT device and a good antivirus program, you should be safe from most Internet attacks. However, most modern routers these days include an advanced firewall that does "stateful packet inspection" or SPI.

This allows the NAT devices to filter out specific kinds of data such as SYN flood attacks, IP Spoofing, Teardrop attacks and others. SPI is a general term that can describe a router that filters more kinds of attacks than basic NAT, by closely examining packet data structures.

Hosting problems

NAT can cause headaches if you want to host a Web server. It will prevent any workstation on the Internet connecting to a Web (or FTP) server on your network that's got a private IP address. Luckily, there's a way around this. Most NAT devices allow you to create mapped links between the Internet and your LAN, a technique called port forwarding.

So in the case of a Web server you simply tell your router to forward all requests that come in on port 80 on its public IP address to port 80 of the private IP address of the server. In the case of an FTP server, you'd forward port 21 and so on.

Personally, I use Small Business Server 2003's Remote Web Workplace. For this to work, it requires about half a dozen ports to be forwarded at the router.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Roger Gann

PC World
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?