NAT and IP Masquerade

Taken from http://cubicmetercrystal.com/nat/

True NAT - Network (IP) Address Translation

Network Address Translation is intended for use in large networks where a corporate/educational subnet consists of hosts which communicate mostly with each other, inside the subnet. There is a large pool of external public IP addresses available for use by the NAT router/gateway, and when a client needs to communicate with the outside world, it is actually given its own unique public IP address.

In the diagram above, there are three hosts which are communicating with the public internet. Each has its own public IP associated with it. The NAT router/gateway, 192.168.1.1, performs all of the transformations by altering only the IP address in IP, ICMP, UDP, and TCP packets.

It should be observed that since port numbers are left unchanged, it is possible to receive incoming connections from external hosts: a TCP SYN packet arriving at a given port on the NAT's public address is delivered to that same port on the client. The only caveat is that if the application-level protocol passes IP addresses in the data stream, they will be incorrect for the client host (i.e. 192.168.1.x instead of the public IP it appears to be using).

IP Masquerade (sometimes called NAPT - Network Address Port Translation)

In IP masquerading, there are significantly fewer public IPs available for use by clients (sometimes only one IP, as with a cable modem or DSL line). To handle traffic for multiple hosts, IP masquerading translates not only IP addresses but also port numbers. This is the distinguishing feature between NAT and IP masquerade: NAT only touches the IP address fields in packets, while IP masq. modifies both IP addresses and port numbers.

In this manner, multiple TCP/UDP sessions between clients and external internet hosts are all multiplexed through the IP masquerade router/gateway and appear to come from a single IP address (or a small set of them); the router uses the different port numbers to determine which client TCP/UDP session each returning packet is destined for.

It should be observed that in this scenario there is no way to receive incoming connections. If a TCP SYN packet arrives from outside, the IP masquerade router/gateway has no idea which of the various client hosts, if any, should receive it. Thus, only outgoing connections are allowed.
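As an added illustration of both schemes (example code written for this page, not from the original site), here is a minimal model of a packet-rewriting router. A packet is a (src_ip, src_port, dst_ip, dst_port) tuple and all addresses are constructed sample values. TrueNat leases one public IP per host and leaves ports alone, so a connection arriving at a leased address still reaches the client; Masquerade owns a single public IP, allocates a fresh public port per session, and drops inbound packets that match no session, which is exactly why it cannot receive incoming connections.

```python
# Added example: models of true NAT (1:1 address translation) and IP
# masquerade (NAPT). Packets are (src_ip, src_port, dst_ip, dst_port).

class TrueNat:
    """1:1 NAT: each internal host leases its own public IP; ports untouched."""
    def __init__(self, public_pool):
        self.free = list(public_pool)   # unleased public addresses
        self.out_map = {}               # private ip -> public ip
        self.in_map = {}                # public ip  -> private ip

    def outbound(self, pkt):
        src, sport, dst, dport = pkt
        if src not in self.out_map:
            pub = self.free.pop(0)      # lease a public IP for this host
            self.out_map[src], self.in_map[pub] = pub, src
        return (self.out_map[src], sport, dst, dport)   # only the IP changes

    def inbound(self, pkt):
        src, sport, dst, dport = pkt
        if dst not in self.in_map:
            return None                 # nobody has leased this public IP
        # Port is preserved, so even a brand-new SYN reaches the client's port.
        return (src, sport, self.in_map[dst], dport)


class Masquerade:
    """NAPT: one public IP; (private ip, port) -> (public ip, fresh port)."""
    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port     # next unused public port
        self.out_map = {}               # (priv ip, priv port) -> pub port
        self.in_map = {}                # pub port -> (priv ip, priv port)

    def outbound(self, pkt):
        src, sport, dst, dport = pkt
        key = (src, sport)
        if key not in self.out_map:
            pub_port = self.next_port   # allocate a public port for this session
            self.next_port += 1
            self.out_map[key], self.in_map[pub_port] = pub_port, key
        return (self.public_ip, self.out_map[key], dst, dport)

    def inbound(self, pkt):
        src, sport, dst, dport = pkt
        if dst != self.public_ip or dport not in self.in_map:
            return None                 # no session owns this port: drop it
        priv_ip, priv_port = self.in_map[dport]
        return (src, sport, priv_ip, priv_port)
```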

So what's the point?

The point is that what most people consider "NAT" is really IP masquerading, as true NAT is hardly used anymore. This is not to disparage either NAT or IP masq., but rather to explain the difference between the two and to highlight the fact that all the talk of NAT is almost always about IP masquerade.

So, whenever you hear me talk about peers behind NAT firewalls/gateways, I am talking about IP masquerading, and so is everyone else. :-)

The RFC's