Public IPv4 addresses are increasingly scarce and expensive, and not every site can obtain as many routable addresses as it has hosts. A mechanism is therefore needed that conserves public addresses. The simple idea is to share one valid (public) IP address among several internal clients: several computers can reach the Internet even though only one valid IP address is available. One mechanism that provides this is Network Address Translation (NAT).
Figure 6.13. Network Address Translation
NAT translates private addresses to public addresses. The main difference between NAT, PAT and a proxy is that NAT (and PAT, which additionally multiplexes ports) only rewrites packet headers, whereas a proxy acts as an external representative: it terminates the client's connection and opens its own toward the server, and a caching proxy also keeps a cache/buffer of content, which NAT never does.
1. Use of NAT
Use NAT if:
- you need a connection to the Internet and your hosts/computers do not have globally routable IP addresses;
- you change to a new ISP and are required to use the new ISP's address range on your network, without renumbering every internal host;
- you have an IP addressing problem, such as overlapping (duplicate) address space between two networks that must communicate.
NAT allows local/private IP addresses to reach public networks such as the Internet. As a router function, NAT sits between the local network (inside network) and the public network (outside network) and translates local/internal addresses into unique global IP addresses before forwarding packets to external networks such as the Internet. With NAT, the addresses of the local/internal network are not visible to the outside world; a large number of local addresses can reach the Internet by being translated to a single public/global address.
2. Advantages of Using NAT
If you need to change your internal addressing because you are changing ISPs or two intranets are merging (e.g. two companies merging), NAT can translate the addresses involved. NAT lets you present new public addresses to the outside without changing the addresses configured on your hosts, and it resolves overlapping (duplicate) address ranges by translation rather than by re-addressing every host.
3. What If Inside Local IP Addresses Are Translated?
The following is an illustration of NAT being used to translate addresses from inside the network to the destination outside.
Figure 6.14. The process of an Inside Local IP address being translated
4. Two Types of NAT
The two types of NAT are Static and Dynamic, both of which can be used separately or together.
4.1 Static
Static translation maps one local (inside) address to one global/Internet (outside) address. Local and global addresses are mapped one-to-one, and the mapping is fixed in configuration rather than created on demand, so it also works for connections initiated from the outside (for example to an internal server).
4.2 Dynamic
a. NAT with a pool (group)
Dynamic translation occurs when the NAT router is configured with the set of local addresses eligible for translation and a pool of global addresses to use toward the Internet. Each inside host that sends traffic is assigned a free address from the pool for the duration of its sessions; when the pool is exhausted, further inside hosts cannot be translated until an entry is released. Dynamic NAT can map several local address ranges to several global address pools.
b. NAT Overload (PAT)
A number of local/internal IP addresses are translated to a single global/outside IP address. This greatly reduces the number of addresses needed from the ISP. Sharing one address uses port multiplexing: the source port of each outbound packet is rewritten to a unique value on the shared address, so that replies can be matched back to the right inside host.
5. NAT components
NAT passes local ('private') network addresses to 'public' networks such as the Internet. 'Private' addresses on the local/"inside" network send packets through the NAT router, which rewrites the source to an ISP-assigned public IP address so that the packet can be forwarded across the public network or the Internet. Initially this feature was only available on firewall gateways, but it is now available on all Cisco routers (and in most other routers and general-purpose operating systems).
The NAT components can be seen in the following image:
Figure 6.15. NAT components
6. NAT Mechanism
A TCP packet on the wire consists of headers and data, and the headers are layered: the link-layer (Ethernet) header carries the source and destination MAC (Media Access Control) addresses, the IP header carries the source and destination IP addresses, and the TCP header carries the source and destination port numbers. These are the fields that matter for routing and for translation.
When machine A contacts machine B, the headers contain A's IP as the source IP address and B's IP as the destination IP address. They also contain a source port number (usually an ephemeral port chosen by the sending machine from a range of port numbers) and a specific destination port number, such as port 80 (for the web).
B receives the packet on port 80 and replies from port 80: it swaps the source and destination IP addresses and the source and destination port numbers, so B's IP and port 80 become the source and A's IP and ephemeral port become the destination. B then sends the packet back to A. For the life of the session, packets travel back and forth using this same pair of addresses and port numbers.
Ordinary routers (without natd) rewrite only the link-layer frame: the source and destination MAC address fields change at each hop (and the IP TTL is decremented). The source and destination IP addresses, port numbers and sequence numbers are not touched at all.
NAT builds on this. It maintains a translation table for the internal IP addresses that send packets through it, together with the range of port numbers it will use on its valid (public) address. When a packet from the internal network arrives at the NAT to be forwarded out, NAT does the following:
- records the source IP address and port in the translation table;
- replaces the packet's source IP address with its own valid (public) IP address;
- assigns a unique port number to the outgoing packet, stores it in the translation table and replaces the original source port number with it.
When a reply packet comes back, natd checks the destination port number. If it matches a port number that was previously assigned, natd looks up the translation table for the internal machine that owns it, rewrites the destination IP address and port back to the original source IP address and port that initiated the connection, and delivers the packet to that internal machine. A packet with no matching entry is dropped, because natd has no way to know where it belongs. natd keeps the entry as long as the connection is open (for TCP, until it sees the connection close or the entry times out).
An example of the natd mechanism can be seen in the following image:
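To make the three translation modes of section 4 and the table-driven mechanism of section 6 concrete, here is an added simulation in Python. It is example code written for this page, not natd or any vendor's implementation. The class, the method names, and the addresses (192.168.1.0/24 inside, 203.0.113.0/24 as the global pool, 198.51.100.0/24 outside, all documentation ranges) are assumptions of the example; the port allocation is a simple counter rather than the strategy any real NAT uses.

```python
"""NAT/PAT translation-table simulation (added example, not the page's own code).

Assumed for the example: inside hosts in 192.168.1.0/24, global addresses in
203.0.113.0/24, outside servers in 198.51.100.0/24 (all documentation ranges).
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Only the header fields NAT cares about: IP addresses and L4 ports."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


Endpoint = Tuple[str, int]


class Nat:
    """Inside->outside translator in one of three modes:
    "static"   one-to-one map fixed in advance (also works for unsolicited inbound)
    "pool"     dynamic one-to-one, global address taken from a pool per inside host
    "overload" PAT: all inside hosts share one global IP, distinguished by port
    """

    def __init__(self, mode: str, global_pool: List[str],
                 static_map: Optional[Dict[str, str]] = None, first_port: int = 1024):
        self.mode = mode
        self.free = list(global_pool)              # unallocated global addresses
        self.static_map = dict(static_map or {})   # inside ip -> global ip
        self.next_port = first_port                # hypothetical counter allocator
        self.table: Dict[Endpoint, Endpoint] = {}    # inside (ip, port) -> global
        self.reverse: Dict[Endpoint, Endpoint] = {}  # global (ip, port) -> inside

    def _allocate(self, inside: Endpoint) -> Optional[Endpoint]:
        ip, port = inside
        if self.mode == "static":
            g_ip = self.static_map.get(ip)
            return None if g_ip is None else (g_ip, port)
        if self.mode == "pool":
            for (i_ip, _), (g_ip, _) in self.table.items():
                if i_ip == ip:                     # host already holds a global address
                    return (g_ip, port)
            if not self.free:
                return None                        # pool exhausted: packet is dropped
            return (self.free.pop(0), port)
        if self.mode == "overload":
            if self.next_port > 65535:
                return None                        # port space exhausted
            g_port, self.next_port = self.next_port, self.next_port + 1
            return (self.free[0], g_port)          # everyone shares the one global IP
        raise ValueError(f"unknown mode {self.mode!r}")

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """The three steps from the text: record, rewrite source IP, rewrite source port."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.table:
            alloc = self._allocate(key)
            if alloc is None:
                return None
            self.table[key] = alloc
            self.reverse[alloc] = key
        g_ip, g_port = self.table[key]
        return replace(pkt, src_ip=g_ip, src_port=g_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Reverse lookup on the destination; no table entry means the packet is dropped."""
        inside = self.reverse.get((pkt.dst_ip, pkt.dst_port))
        if inside is not None:
            return replace(pkt, dst_ip=inside[0], dst_port=inside[1])
        if self.mode == "static":                  # fixed mappings need no prior outbound
            for i_ip, g_ip in self.static_map.items():
                if g_ip == pkt.dst_ip:
                    return replace(pkt, dst_ip=i_ip)
        return None


def reply_to(pkt: Packet) -> Packet:
    """What the outside server does: swap addresses and ports, keeping its own port 80."""
    return Packet(pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)


def overload_demo():
    """Two inside hosts using the same source port are told apart by the assigned port."""
    nat = Nat("overload", ["203.0.113.1"])
    a = Packet("192.168.1.10", 40000, "198.51.100.5", 80)
    b = Packet("192.168.1.11", 40000, "198.51.100.5", 80)   # same source port as A
    out_a, out_b = nat.outbound(a), nat.outbound(b)
    back_a, back_b = nat.inbound(reply_to(out_a)), nat.inbound(reply_to(out_b))
    unsolicited = nat.inbound(Packet("198.51.100.9", 12345, "203.0.113.1", 22))
    return out_a, out_b, back_a, back_b, unsolicited


def pool_demo():
    """Dynamic pool of two addresses: the third inside host cannot be translated."""
    nat = Nat("pool", ["203.0.113.1", "203.0.113.2"])
    first = nat.outbound(Packet("192.168.1.10", 5000, "198.51.100.5", 80))
    again = nat.outbound(Packet("192.168.1.10", 5001, "198.51.100.5", 443))
    second = nat.outbound(Packet("192.168.1.11", 5000, "198.51.100.5", 80))
    third = nat.outbound(Packet("192.168.1.12", 5000, "198.51.100.5", 80))
    return first, again, second, third


def static_demo():
    """Static one-to-one entry: inbound to the global address reaches the inside server."""
    nat = Nat("static", [], static_map={"192.168.1.20": "203.0.113.20"})
    return nat.inbound(Packet("198.51.100.9", 51000, "203.0.113.20", 443))


if __name__ == "__main__":
    for row in overload_demo() + pool_demo() + (static_demo(),):
        print(row)
```

The `unsolicited` packet in `overload_demo` returns `None`: a SYN to port 22 on the shared address has no table entry, which is the whole of the "protection" NAT gives. Anything that does create an entry (an outbound connection, or a static mapping as in `static_demo`) makes the inside host reachable for that flow, which is why the text still calls for packet filtering on the NAT machine.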
7. Difference between NAT and Proxy
Like NAT, a proxy lets a small network place several machines that access the web behind one machine with a valid IP address. This too saves cost compared to renting several accounts from an ISP and installing a modem and phone line on each machine.
However, a proxy server does not scale well to larger networks. Adding more disk and RAM to the proxy so that it runs efficiently is not always possible (because of cost). Furthermore, the percentage of web pages the proxy cache can serve falls as free disk space runs out, until using the cache is no better than a direct connection. In addition, each concurrent connection creates an additional process in the proxy; these processes all share the same disk I/O channel, and when that channel saturates, a bottleneck occurs.
NAT offers a more flexible and scalable solution. NAT eliminates the need to configure proxy/SOCKS settings in each client. NAT is faster and can handle network traffic for thousands of users simultaneously.
In addition, the address translation performed by NAT means that systems on the internal network are not directly reachable from the Internet: an unsolicited inbound packet has no entry in the translation table, so there is nowhere to deliver it, and an intruder must first compromise the NAT machine before reaching machines on the internal network. This is a side effect of translation rather than a security control: NAT inspects nothing, forwards any packet that matches a table entry, and every static mapping or port forward exposes the internal host behind it. So while the internal network is shielded by NAT, packet filtering and other security measures are still needed on the NAT machine.
8. Advantages and Disadvantages of Using NAT
| Advantages | Disadvantages |
|---|---|
| Saves legitimate IP addresses (assigned by the NIC, the Network Information Center, or the service provider) | Translation introduces switching delay. |
| Reduces duplicate IP network addresses. | Removes end-to-end IP traceability. |
| Increases flexibility for connecting to the Internet | Certain applications do not work across NAT. |
| Avoids readdressing when the network changes. | - |