What is NAT?
Network Address Translation (NAT) is a service that modifies address, port, or both types of information within network packets as they pass through a computer or network device. The device that performs NAT on the packets can be the source of the packets, the destination of the packets, or an intermediate device on the path between the source and destination devices.
NAT was originally designed to help conserve the number of IP addresses used by the growing number of devices accessing the Internet, but it also has important applications in network security.
The computers on an internal network can use any of the addresses set aside by the Internet Assigned Numbers Authority (IANA) for private addressing (refer to RFC 1918). These reserved IP addresses are not in use on the Internet, so an external machine does not directly route to them. The following addresses are reserved for private use:
- 10.0.0.0 through 10.255.255.255 (CIDR: 10.0.0.0/8)
- 172.16.0.0 through 172.31.255.255 (CIDR: 172.16.0.0/12)
- 192.168.0.0 through 192.168.255.255 (CIDR: 192.168.0.0/16)
A NAT-enabled router can hide the IP addresses of an internal network from the external network by replacing the internal, private IP addresses with public IP addresses that have been provided to it. These public IP addresses are the only addresses that are ever exposed to the external network. The router can manage a pool of multiple public IP addresses from which it can dynamically choose when performing address replacement.
Be aware that, although NAT can minimize the possibility that internal computers make unsafe connections to the external network, it provides no protection to a computer that, for one reason or another, connects to an untrusted machine. Therefore, you should always combine NAT with packet filtering and other features of a complete security policy to fully protect your network.
For more information, refer to IPsec Site-to-Site VPN Reference Guide.