Network Address Translation

Network address translation (NAT), an Internet Engineering Task Force (IETF) standard, is an immediate but temporary solution to the problem of 32-bit IPv4 addresses becoming exhausted. NAT allows an Internet Protocol version 4 (IPv4) gateway device to provide devices on a network with access to a public network or the Internet while sharing a single, globally routable IPv4 address provided by an Internet Service Provider (ISP).

Note   IPv6 does not require address translation. Typically, an IPv6 gateway device provides IPv6 routing between the internal and external networks. Windows CE supports IPv6 routing for use on gateway devices. IPv6 routing can be used alone or in conjunction with the IPv4 NAT to provide access to the external network to both IPv6 and IPv4 devices on the internal network.

Because the public network only sees the gateway, only one IP address is known for the gateway device. To provide the internal devices with access to the external network, the gateway must translate the destination of packets as the gateway passes the packets from one network to the other. To accomplish this task, ICS performs a function known as port address translation.

NAT maps private addresses to public addresses. The following list shows how NAT accomplishes this mapping:

  • It modifies the source fields of the packet from the clients private, internal IP address and port to the public, external IP address and port of the NAT device.
  • It receives incoming packets sent from the Internet to the network and compares them to the table of port mappings. It modifies the destination address and destination port in packets sent from the Internet to the network. By modifying the port information in Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) packets, NAT can direct traffic for multiple clients over the dial-up connection. If the NAT doesn't find a corresponding port mapping, the incoming packet is dropped and the connection breaks.

For each outbound session, ICS allocates a dynamic TCP or UDP source port for use during that session. ICS then replaces the source IPv4 address for each packet with the IPv4 address of the external or Internet adapter on the NAT gateway device, and replaces the source TCP or UDP port number of the packet with the dynamic port number. ICS creates a port mapping that correlates the IP address and source port of the originating computer with the dynamic source port number just assigned.

For example, if the NAT component receives a TCP packet from a source port of 2000 on the client with an IPv4 address of 192.168.0.2, it looks for an existing mapping for the [192.168.0.2, 2000] combination of address and port. If an existing mapping cannot be found, the NAT component creates a new mapping. Using [157.55.0.1, 3373] as an example, the NAT component replaces the source address in the packet with 157.55.0.1 and the source port with 3373, updates the checksum, and passes the packet on over the public connection. The component then modifies subsequent packets from the same client and port by using the established mapping.

As responses return to the gateway device, NAT uses this mapping to restore the originating IPv4 address and originating port number. The device then forwards the resulting packets to the network.

For example, using the same [192.168.0.2,2000] mapping, if the NAT component receives a TCP packet to a destination port of 3373, it looks for an existing mapping for port 3373. If an existing mapping cannot be found, NAT drops the packet. If it finds a mapping from [192.168.0.2,2000], it replaces the destination address with 192.168.02 and replaces the destination port with 2000. It also updates the checksum, and then passes the packet on to the private connection.

Because NAT translates from one network to another, you can easily configure the IPv4 gateway to map a specific port on the public interface to a specific IPv4 device on a private network. This mapping allows you to configure the network with servers that appear to be located on the gateway device, from the perspective of the external network.

NAT is transparent to both the client and the server application. NAT traversal enables network applications to detect the presence of a local NAT device. NAT traversal in some form will likely continue until IPv6 eliminates the need for NAT.

The following list shows things recommended to do when using NAT.

  • Internet Gateway Device vendors should implement support for UPnP in their devices to support NAT Traversal.
  • Consumers should use Internet gateway devices that support UPnP and NAT Traversal to ensure the best application behavior.
  • DSL and cable modem service providers should specify, sell, and lease Internet gateway devices that support UPnP for NAT traversal.

Benefits Provided by NAT

The following list shows the benefits of using NAT:

  • NAT contributes to security. Because hosts outside of the private network observe communication through a shared IP address, NAT provides a layer of obscurity for the private network. For systems that require a greater level of security, you should enable a firewall. For more information, see IP Firewall Reference.
  • NAT is an IETF-approved solution to the problem of IPv4 name space exhaustion. Internet gateways that use NAT are often used in homes and small offices. They are used because they are inexpensive, easy to manage, and don't require users to install special software.

NAT Limitations

To allow for dynamic NAT traversal, the Internet gateway providing the NAT must support Universal Plug and Play Internet Gateway Device Spec version 9 or later.

While NAT Traversal solves several problems associated with connecting through NAT devices, several issues remain. The following table shows these issues.

Issue Comments
Many chat, multiplayer games, and peer-to-peer applications break. Network protocols may make assumptions about the network architecture that are no longer true.
Applications do not have exclusive ownership of their mappings. NAT traversal has an open trust model. This means that all applications on the private network have access to all the port mappings on a NAT. Although this allows for a great amount of flexibility of multiple points of administration, applications do not have exclusive ownership of their mappings.
Applications are responsible for conflict resolution. If an application tries to map a port that is already mapped to another client, it is up to the application to either find another port or fail gracefully.
Internet service providers are encouraged not to deploy NAT within their networks. NAT traversal does not solve the problem of an ISP distributing private addresses and using NAT to let clients connect. In this case, the NAT is outside of the Internet Gateway Device and is within the service provider's network. NAT traversal within the home or small business will fail if the NAT on the client's network is behind another NAT.
Static mappings persist indefinitely, even though services only use them on well-known ports for the life of the application. Applications are responsible for cleaning up after themselves when they are done with a port mapping.
Problems can occur if a client is behind multiple NATs. If a client is behind a NAT that is behind another NAT, problems can occur. Avoid this scenario.

See Also

Internet Connection Sharing

 Last updated on Thursday, April 08, 2004

© 1992-2003 Microsoft Corporation. All rights reserved.