How Network Address Translation Works!

By: Daniel Imbellino
Updated: Dec 26, 2015

Let us start by understanding that all computers and networks alike need a unique identifier in order to communicate across networks and the internet itself. Just as you have a unique home address and a unique phone number, computers and networks need them too. In the early days of the internet the IPV4 addressing scheme was implemented to provide the ability to assign and regulate the rules and procedures for how individual addresses were implemented and assigned to networks and computers. IPV4 (Internet Protocol Version 4) consists of 32 bit addresses and for this reason the system has a theoretical maximum of 232 or 4,294,967,296 possible unique IP addresses that can be assigned to any entity (such as a desktop PC, modem, network, or router). That’s approximately 4 Billion possible network addresses that were originally available for use within the World Wide Web.

15 years ago it was thought that 4 billion addresses would suffice and we would never run out, but today IPV4 addresses are running out, and drastic changes had to be made in order to preserve the availability of IP addresses for individuals and organizations alike. This is where IPV6 comes into play, which we will talk about in just a little bit.

For now we are going to focus on how “Network Address Translation” helps to solve the problem of having a shortage of IP addresses by making certain ranges of IP addresses available for private use only, and how NAT provides added security to computer systems that stand behind routers and network interfaces.

The Internet Assigned Numbers Authority or IANA has allocated several ranges of IP addresses that can be used within private networks (meaning these are addresses that cannot be used on the public internet). These are the addresses that are typically used behind a router in an home or office setting.

Allocated IP address ranges for private use:

  • 10.0.0.0 through 10.255.255.255
  • 169.254.0.0 through 169.254.255.255 (For assigning addresses to computers that do not have access to the internet)
  • 172.16.0.0 through 172.31.255.255
  • 192.168.0.0 through 192.168.255.255

Network Address Translation works by allowing a single device, such as a router to act as an intermediary agent between the internet and a private network. Ex: You assign your router an address of 192.168.1.0, then your router assigns a range of addresses based on its own address, such as 192.168.1.1 thru 192.168.1.254, effectively allowing you to assign up to 254 possible devices to connect to your network and access the internet. The first computer to connect to your internal networks router would be assigned the 192.168.1.1 private IP address. When this computer needs to communicate across the open internet it sends a request to your router to communicate, send or receive data. The router translates the internal IP address of your PC 192.168.1.1 to your modems public IP address. Now when networks across the internet receive your request for data, they see the public IP of your modem and not the internal private IP address assigned to your computer by your router.

By assigning your computer with a private IP address that isn’t public (192.168.1.1), millions of other computers on other internal private networks can share the same address as the one assigned to your computer by your router. Since the address 192.168.1.1 is translated to a public address, any computer on any internal network can use this address. In our example we used an address range of 192.168.1.1 thru 192.168.1.0 as the available IP addressing range for our internal network. Since we have only one public IP address, which is from our modem, we can translate all our internal private addresses (254 of them) to this one external public address. In this sense we are effectively able to conserve IPV4 addresses since all external networks that communicate with our internal network only see our one public address. When data is sent back to your router to be returned to the computer that requested it, it uses a look up table, which is a catalog of which computer requested data from which network address, and then the router forwards this data back to that specific internal computer or device using its internal private address (192.168.1.1).

Also, because your internal private IP address is not shown to external public networks you communicate with, this ads a layer of security to your specific computer or device since the external networks do not know what computer they are really communicating with, all they see is the external public address and nothing more. This is simply the basic theory of how Network Address Translation works. All things being said, it’s safe to say that NAT translates internal private network address to public addresses in order to send data over the internet, and translates public addresses back to internal private addresses when receiving data from the internet.

Network Address Translation works in several ways:

With “Static” Network Address Translation an internal private IP address maps to only one public IP address that never changes, hence the word Static (meaning doesn’t change). Then there’s “Dynamic” Network Address Translation, which translates an internal private IP address to one of a number of public IP addresses. This may be useful in a large office setting that uses advanced switching and routing, in which the network can re-route a connection to an alternate switch or router in order to manage traffic on the internal network. Data sent and received over the internet from one source may alternate between external public connections and therefore be translated to any number of public IP addresses depending on availability. In many cases, this is also part of the Qos or “Quality of Service” functionality that is built into most routers.