This article assumes you have an understanding of computer networking basics.
Network Address Translation has several advantages, but its primary goal is to allow a single Internet IP address to be shared by multiple devices on a network. Your home router has built-in NAT capabilities and does all of this automatically. Your ISP assigns ONE public IP address to your router, and NAT then allows multiple computers to access the Internet through that shared IP address.
How Network Address Translation Works
For a network device (computer, Xbox, iPhone) to communicate with another network device there must be a way to uniquely identify it on the network; this is what the IP address is for. Every device on a given network must have a unique IP address.
NAT uses a special range of IP addresses called private network addresses. The most common ones you will see fall in the range 192.168.x.x. Internet routers drop packets sent to or from a “private” IP address, which keeps these networks private and not accessible through the Internet. Because of this, private networks can never communicate with each other through normal means. That in turn allows the same private address ranges to be reused all over the world, which effectively sidesteps the 4 billion address limit of the public address space. Taking this a stage further, by implementing NAT we CAN join these private networks to the Internet by translating the private addresses to the public Internet IP address for Internet-bound traffic. Here’s an example of how it works.
Your computer IP address is 192.168.0.5
Your router address is 192.168.0.254
Your public router address is 220.127.116.11
A website you want to access is 18.104.22.168
As you can see, the computer and router are both assigned IP addresses from the “private” address range. When I try to access the website my computer sends data packets across the Internet. Every packet must contain a destination IP address, a destination port number (more on ports later), a source IP address and a source port. My source IP address would be 192.168.0.5 and the destination address would be 18.104.22.168 (the website). When the packets go through my router, NAT “translates” the source IP address from 192.168.0.5 to my Internet IP address of 220.127.116.11, thus keeping the source address unique on the Internet. The website is none the wiser: it sees packets arriving from a unique Internet IP address, so it sends data back to 220.127.116.11. When the packets arrive back at my router it translates the address again, changing the destination IP address from 220.127.116.11 back to my computer’s address of 192.168.0.5.
The above example is Network Address Translation in the purest sense: it translates IP addresses only and doesn’t use ports in the translation process. If you have 8 computers with private IP addresses then you need 8 public IP addresses. Each public IP address maps directly to ONE private IP address; this is known as one-to-one NAT. A public IP address can’t be shared by multiple devices using NAT alone. Generally, when people talk about NAT they actually mean NAT combined with Port Address Translation, and use the two terms interchangeably. PAT, as you might have guessed, translates port numbers. Before we venture into PAT, however, we need to briefly touch on ports.
All programs communicate across a network using ports. Think of a port like a door on a house: the IP address is the house and the ports are the different doors (or ways in) to the house. Behind each door (port) is a program. A good example of this is a server that runs both email and website services. Websites run by default on port 80, secure websites (https) on port 443 and email on port 25. Ports are used to create a socket (or connection) between two computers for a particular service. Without a port, this server wouldn’t know whether to hand my incoming email connection to its web service or its email service. If it handed the connection to the web service it would fail, but by specifying port 25 the server knows to open the door (port) to the email service. Here is an example of how normal network connections are established without NAT.
Say we have an email server with an Internet address of 220.127.116.11 and I have my computer on the Internet with an IP address of 18.104.22.168. When I send packets to the email server they will have a destination IP of 220.127.116.11, a destination port of 25 (remember, email is port 25), a source IP of 18.104.22.168 and a randomly generated source port of, say, 54785.
NOTE: Source ports are normally randomly generated, as it doesn’t really matter what the source port is. Once this packet arrives at the email server, the server learns the client’s source port because it is specified in the incoming packet. It now knows which port to send data back to.
When the packets come back the reverse happens. Now the email server sends packets to the destination IP address 18.104.22.168, destination port 54785 (which it learnt from the incoming connection), from source IP 220.127.116.11 and source port 25. This same process repeats for the rest of the data transmission.
Port Address Translation (PAT)
Now imagine you have 3 computers on your network and one public IP address. They all connect to the same email server above using the same destination IP address. Once these packets go through the NAT, the source IP address is translated to the public IP address. This means that all 3 connections will have the same source IP address and the same destination address. When packets come back from the email server, how would the NAT know which packets are for which computer if it only looked at the destination and source IP addresses? There is nothing to distinguish them from each other. This is where PAT comes in; PAT uses source ports to uniquely identify these packets, as in the following example.
If two computers with private IP addresses of 192.168.0.1 and 192.168.0.2 access the same website at 220.127.116.11 on port 80, NAT translates both source IP addresses to the same public IP address of 18.104.22.168. PAT then translates the source ports as well. 192.168.0.1 may get translated to 18.104.22.168 with source port 67565 (a random port) and 192.168.0.2 translates to the same IP address with source port 78645. Now when data comes back from the website to 18.104.22.168 on port 67565, PAT knows it is for 192.168.0.1, and data on port 78645 is for 192.168.0.2. This is why NAT can’t function without PAT when sharing a public IP address: without port address translation there would be no way to distinguish the packets from one another. When the packets come back from the web server the NAT device translates the IP address and port number back to what they were originally and sends them on their way. NAT remembers all of these connections, IP mappings and port translations by storing them in a NAT table.
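To make both translation styles concrete, here is an added worked example in Python that is not part of the original article: a toy one-to-one NAT (IP addresses only, as in the first example) and a toy NAT+PAT device with a NAT table (as in the example just above). Two private hosts open connections to the same web server using the same source port, and the table is what lets the replies be routed back to the right host. All addresses and ports are constructed sample values, and the translated ports are drawn from the valid 16-bit range. The inbound check that a returning packet must match an existing table entry, and must come from the remote host the connection was opened to, is the strict behaviour of one common NAT variant; real devices differ in how strict they are.

```python
from dataclasses import dataclass, replace
import random

# Added example, not code from the original article: a toy model of the two
# translation styles the text describes.  All addresses and ports below are
# constructed sample values.


@dataclass(frozen=True)
class Packet:
    """The four header fields the article says every packet must carry."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str = ""


class OneToOneNat:
    """NAT in the purest sense: each private address maps to exactly one public
    address and ports are never touched, so N private hosts need N public IPs."""

    def __init__(self, private_to_public: dict):
        self.out_map = dict(private_to_public)
        self.in_map = {pub: priv for priv, pub in private_to_public.items()}

    def translate_out(self, pkt: Packet):
        public = self.out_map.get(pkt.src_ip)
        if public is None:
            return None                      # no mapping for this host: drop
        return replace(pkt, src_ip=public)   # only the source IP changes

    def translate_in(self, pkt: Packet):
        private = self.in_map.get(pkt.dst_ip)
        if private is None:
            return None
        return replace(pkt, dst_ip=private)


class PatDevice:
    """NAT + PAT: many private hosts share one public IP; the NAT table keyed by
    the translated source port is what tells returning packets apart."""

    def __init__(self, public_ip: str, seed: int = 0):
        self.public_ip = public_ip
        self.rng = random.Random(seed)       # seeded so the example is repeatable
        # NAT table: translated port -> (private ip, private port, remote ip, remote port)
        self.table = {}
        # reverse index so an existing connection keeps its translated port
        self.by_flow = {}

    def _new_port(self) -> int:
        # Ports are 16-bit; pick from the dynamic range until a free one is found.
        while True:
            port = self.rng.randint(49152, 65535)
            if port not in self.table:
                return port

    def translate_out(self, pkt: Packet) -> Packet:
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.by_flow.get(flow)
        if port is None:                     # first packet of this connection
            port = self._new_port()
            self.by_flow[flow] = port
            self.table[port] = flow
        return replace(pkt, src_ip=self.public_ip, src_port=port)

    def translate_in(self, pkt: Packet):
        flow = self.table.get(pkt.dst_port) if pkt.dst_ip == self.public_ip else None
        if flow is None:
            return None                      # no table entry: unsolicited, dropped
        priv_ip, priv_port, remote_ip, remote_port = flow
        if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            return None                      # reply must come from the host we opened to
        return replace(pkt, dst_ip=priv_ip, dst_port=priv_port)


def demo():
    """Two hosts open connections to the same web server with the same source port."""
    pat = PatDevice("18.104.22.168")
    a = Packet("192.168.0.1", 5000, "220.127.116.11", 80, "request from host A")
    b = Packet("192.168.0.2", 5000, "220.127.116.11", 80, "request from host B")
    out_a, out_b = pat.translate_out(a), pat.translate_out(b)
    # The server answers the public IP and translated port it saw in each request.
    reply_a = Packet("220.127.116.11", 80, out_a.src_ip, out_a.src_port, "reply for A")
    reply_b = Packet("220.127.116.11", 80, out_b.src_ip, out_b.src_port, "reply for B")
    # A packet from some other host aimed at a live translated port has no matching entry.
    stray = Packet("203.0.113.9", 4444, pat.public_ip, out_a.src_port, "unsolicited")
    return {
        "out_a": out_a, "out_b": out_b,
        "in_a": pat.translate_in(reply_a), "in_b": pat.translate_in(reply_b),
        "stray": pat.translate_in(stray),
        "table_size": len(pat.table),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the script shows both outbound packets leaving with the same public source IP but different translated ports, each reply arriving back at its own private host on port 5000, and the stray packet being dropped because the NAT table has no state for it. That last behaviour is why a NAT device, as a side effect of keeping a table of outbound connections, also refuses unsolicited inbound traffic.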