Please Whitelist This Site?

I know everyone hates ads. But please understand that I am providing premium content for free that takes hundreds of hours of time to research and write. I don't want to go to a pay-only model like some sites, but when more and more people block ads, I end up working for free. And I have a family to support, just like you. :)

If you like The TCP/IP Guide, please consider the download version. It's priced very economically and you can read all of it in a convenient format without ads.

If you want to use this site for free, I'd be grateful if you could add the site to the whitelist for Adblock. To do so, just open the Adblock menu and select "Disable on tcpipguide.com". Or go to the Tools menu and select "Adblock Plus Preferences...". Then click "Add Filter..." at the bottom, and add this string: "@@||tcpipguide.com^$document". Then just click OK.

Thanks for your understanding!

Sincerely, Charles Kozierok
Author and Publisher, The TCP/IP Guide


NOTE: Using software to mass-download the site degrades the server and is prohibited.
If you want to read The TCP/IP Guide offline, please consider licensing it. Thank you.

The Book is Here... and Now On Sale!

Get The TCP/IP Guide for your own computer.
The TCP/IP Guide

Custom Search







Table Of Contents  The TCP/IP Guide
 9  TCP/IP Lower-Layer (Interface, Internet and Transport) Protocols (OSI Layers 2, 3 and 4)
      9  TCP/IP Internet Layer (OSI Network Layer) Protocols
           9  Internet Protocol (IP/IPv4, IPng/IPv6) and IP-Related Protocols (IP NAT, IPSec, Mobile IP)
                9  IP Network Address Translation (NAT) Protocol

Previous Topic/Section
IP NAT Static and Dynamic Address Mappings
Previous Page
Pages in Current Topic/Section
1
2
Next Page
 IP NAT Bidirectional (Two-Way/Inbound) Operation
Next Topic/Section

IP NAT Unidirectional (Traditional/Outbound) Operation
(Page 1 of 2)

Now that we understand the motivation behind NAT and its pros and cons, and have also covered NAT address terminology and translation table creation, it's time to get down to the nitty gritty of how it works. There are many different flavors of NAT, and four common ones are covered in this Guide. It makes sense to start by looking at the original variety of NAT described in RFC 1631. This is the simplest NAT method and therefore the easiest one to explain.

NAT was of course designed to allow hosts on a private network to share public IP addresses in accessing an Internet. Since most hosts are clients that initiate transactions, NAT was designed under the assumption that a client/server request/response communication would begin with a datagram sent from the inside network to the outside. For this reason, this first type of NAT is sometimes called Unidirectional or Outbound NAT. Since it is the oldest flavor it is also now called Traditional NAT, to differentiate it from newer varieties.

Unidrectional NAT Example

To show how unidirectional NAT works, we will of course use an example. Explaining things is always easier with examples, especially when it is a confusing thing like NAT. Let's use the same numbers from the previous two topics. We'll assume the inside network has 250 hosts that use private (inside local) addresses from the 10.0.0.0/8 address range (which I selected because it has small numbers!) These hosts use dynamic NAT sharing a pool of 20 inside global addresses from 194.54.21.1 through 194.54.21.20.

In our example, device 10.0.0.207 wants to access the World Wide Web server at public address 204.51.16.12. Table 74 shows the four basic steps that are involved in this (simplified) transaction. I did this in table form instead of bullet points so I could show you explicitly what happens to the addresses in both the request datagram (in steps #1 and #2) and the response datagram (steps #3 and #4). I have also highlighted the translated address values for clarity, and provided Figure 112, which shows the process graphically.


Table 74: Operation Of Unidirectional (Traditional/Outbound) NAT

Step #

Description

Datagram Type

Datagram Source Address

Datagram Destination Address

1

Inside Client Generates Request And Sends To NAT Router: Device 10.0.0.207 generates an HTTP request that is eventually passed down to IP and encapsulated in an IP datagram. The source address is itself, 10.0.0.207, and the destination is 204.51.16.12. The datagram is sent to the NAT-capable router that connects the organization's internal network to the Internet.

Request (from inside client to outside server)

10.0.0.207
(Inside Local)

204.51.16.12
(Outside Local)

2

NAT Router Translates Source Address and Sends To Outside Server: The NAT router realizes that 10.0.0.207 is an inside local address and knows it must substitute an inside global address in order to let the public Internet destination respond. It consults its pool of addresses and sees the next available one is 194.54.21.11. It changes the source address in the datagram from 10.0.0.207 to 194.54.21.11. The destination address is not translated in traditional NAT. In other words, the outside local address and outside global address are the same.

The NAT router puts the mapping from 10.0.0.207 to 194.54.21.11 into its translation table. It sends out the modified datagram, which is eventually routed to the server at 204.51.16.12.

194.54.21.11
(Inside Global)

204.51.16.12
(Outside Global)

 

 

 

 

 

3

Outside Server Generates Response And Sends Back To NAT Router: The server at 204.51.16.12 generates an HTTP response. It of course has no idea that NAT was involved; it sees 194.54.21.11 in the request sent to it, so that's where it sends back the response. It is then routed back to the original client's NAT router.

Response (from outside server to inside client)

204.51.16.12
(Outside Global)

194.54.21.11
(Inside Global)

4

NAT Router Translates Destination Address And Delivers Datagram To Inside Client: The NAT router sees 194.54.21.11 in the response that arrived from the Internet. It consults its translation table and knows this datagram is intended for 10.0.0.207. This time the destination address is changed but not the source. It then delivers the datagram back to the originating client.

204.51.16.12
(Outside Local)

10.0.0.207
(Inside Local)


Figure 112: Operation Of Unidirectional (Traditional/Outbound) NAT

The four steps in this process can be seen by following the steps in clockwise order. Translated addresses are shown in bold. Please refer to Table 74 for an explanation of the steps in this diagram, or to Figure 111 for an explanation of the four address types.

 

As you can see, this really isn’t rocket science, and it’s fairly easy to understand what is going on as soon as you get used to the terminology and concepts. In unidirectional NAT the source address is translated on outgoing datagrams and the destination address on incoming ones. Traditional NAT only supports this sort of outbound transaction, which is started by a device on the inside network. It cannot handle a device on the public Internet sending a request to a private address.


Previous Topic/Section
IP NAT Static and Dynamic Address Mappings
Previous Page
Pages in Current Topic/Section
1
2
Next Page
 IP NAT Bidirectional (Two-Way/Inbound) Operation
Next Topic/Section

If you find The TCP/IP Guide useful, please consider making a small Paypal donation to help the site, using one of the buttons below. You can also donate a custom amount using the far right button (not less than $1 please, or PayPal gets most/all of your money!) In lieu of a larger donation, you may wish to consider purchasing a download license of The TCP/IP Guide. Thanks for your support!
Donate $2
Donate $5
Donate $10
Donate $20
Donate $30
Donate: $


Home - Table Of Contents - Contact Us

The TCP/IP Guide (http://www.TCPIPGuide.com)
Version 3.0 - Version Date: September 20, 2005

© Copyright 2001-2005 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.