Many firewalls use a technique called network address translation (NAT) to hide the actual IP address of a host from the outside world. When that’s the case, the NAT device must use a globally unique IP to represent the host to the Internet; behind the firewall, however, the host can use any IP address it wants. As packets cross the firewall, the NAT device translates the private IP address to the public IP address, and vice versa.
One of the benefits of NAT is that it helps slow down the rate at which the IP address space is assigned because a NAT device can use a single public IP address for more than one host. It does this by keeping track of outgoing packets so that it can match up incoming packets with the correct host. To understand how this process works, consider this sequence of steps:
A host whose private address is 192.168.1.100 sends a request to 184.108.40.206, which happens to be www.google.com. The NAT device changes the source IP address of the packet to 220.127.116.11, the IP address of the firewall. That way, Google will send its reply back to the firewall router. The NAT records that 192.168.1.100 sent a request to 18.104.22.168.
Now another host, at address 192.168.1.107, sends a request to 22.214.171.124, which happens to be www.microsoft.com. The NAT device changes the source of this request to 126.96.36.199 so that Microsoft will reply to the firewall router. The NAT records that 192.168.1.107 sent a request to 188.8.131.52.
A few seconds later, the firewall receives a reply from 184.108.40.206. The destination address in the reply is 220.127.116.11, the address of the firewall. To determine to whom to forward the reply, the firewall checks its records to see who’s waiting for a reply from 18.104.22.168. It discovers that 192.168.1.100 is waiting for that reply, so it changes the destination address to 192.168.1.100 and sends the packet on.
Actually, the process is a little more complicated than that because it’s very likely that two or more users may have pending requests from the same public IP. In that case, the NAT device uses other techniques to figure out to which user each incoming packet should be delivered.
Published on Tue 20 May 2008 by Phil Helmsley in Networking with tag(s): network address translation