Network address translation (NAT), a feature found in many firewalls, translates between external and internal IP addresses. With NAT, a private network can use internal, non-routable IP addresses that map to one or more external IP addresses. Furthermore, a single IP address can represent many computers within a network.
NAT works by having a firewall act as an intermediary for traffic entering and leaving the protected network. Inbound traffic is addressed to a public-facing IP address; the firewall translates that destination to an internal IP address before sending the traffic on to its destination. Outbound traffic's source address is similarly rewritten from a private, internal IP address to a public, external one, and the firewall records each translation so that the replies can be mapped back.
The technology works similarly to many organizations’ phone systems. The company publishes a single, public number for external callers. Once a customer calls this number, they are transferred to a specific internal phone based upon the details of their request.
NAT has a few different benefits, but one of the most significant is that it has dramatically extended the life of the IPv4 addressing scheme. A 32-bit IPv4 address space allows just under 4.3 billion (2^32) possible addresses, while common estimates put the number of devices connected to the Internet at over 20 billion.
With a one-to-one mapping of public IP addresses to devices, the IPv4 pool would have run out far sooner, forcing an earlier switch to IPv6. With NAT, many Internet-connected devices can share the same public-facing IPv4 address, which has allowed IPv4 to keep scaling to meet demand.
NAT can be implemented in a few different ways, including:
Static NAT: a fixed one-to-one mapping between one internal address and one public address, typically used for servers that must be reachable from outside.
Dynamic NAT: internal addresses are mapped on demand to public addresses drawn from a pool, and the mapping is released when the connection ends.
Port address translation (PAT), also called NAT overload: many internal addresses share one public address, and the firewall assigns each connection a distinct source port so it can tell the flows apart.
The details of a NAT firewall configuration depend on the type of NAT used by an organization. For example, PAT can serve an entire network from a single external IP address, while Static NAT needs one public address per mapped host and Dynamic NAT needs a pool large enough for the number of hosts communicating at the same time.
For all NAT configurations, an organization is able to use private IP addresses within its local area networks (LANs). The IPv4 ranges 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 are reserved for private use (RFC 1918). Devices within an organization's LAN can be assigned one of these addresses, but these addresses are not routable on the public Internet, so a packet carrying one as its source or destination cannot leave the organization's network without translation.
The translation process from internal, private address to external, public address depends on the NAT scheme used. In all cases, traffic will have to pass through a firewall that performs the translation. This firewall can rewrite the headers of inbound and outbound packets based on internal lookup tables, converting between IP addresses or assigning traffic to a particular port on a shared address.
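To make the translation table concrete, here is a small simulation of a PAT firewall, written as an added example for this article rather than code from the article or from Check Point. It rewrites outbound packets to a shared public address with a per-flow source port, maps replies back through the table, drops inbound packets that match no entry, and honours an explicit port-forwarding rule (the static, one-to-one case). The class and function names, the packet structure, and the addresses (RFC 1918 internal hosts, 203.0.113.0/24 and 198.51.100.0/24 documentation ranges for the public side) are all assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# RFC 1918 private ranges; a packet with a source in one of these cannot
# leave the network unless the firewall rewrites it.
PRIVATE_RANGES = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(ip: str) -> bool:
    """True if ip falls in one of the RFC 1918 ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_RANGES)


@dataclass(frozen=True)
class Packet:
    """Hypothetical 5-tuple view of a packet; only the header fields NAT rewrites."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class PatFirewall:
    """Simplified PAT (NAT overload): many internal hosts share one public IP.

    The translation table is keyed on the public-side tuple so that a reply
    coming back from the Internet can be mapped to the internal host that
    started the conversation. Anything that matches no entry is dropped.
    """

    def __init__(self, public_ip: str, port_range: Tuple[int, int] = (1024, 65535)):
        self.public_ip = public_ip
        self.next_port, self.max_port = port_range
        # (public_port, proto, remote_ip, remote_port) -> (internal_ip, internal_port)
        self.table: Dict[Tuple[int, str, str, int], Tuple[str, int]] = {}
        # (internal_ip, internal_port, proto, remote_ip, remote_port) -> public_port
        self.reverse: Dict[Tuple[str, int, str, str, int], int] = {}
        # Explicit static forwarding rules: (proto, public_port) -> (internal_ip, internal_port)
        self.forwards: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def add_forward(self, proto: str, public_port: int, internal_ip: str, internal_port: int) -> None:
        """Publish one internal service on the shared public address (static mapping)."""
        self.forwards[(proto, public_port)] = (internal_ip, internal_port)

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite an internal host's packet so its source is the public address."""
        if not is_private(pkt.src_ip):
            raise ValueError(f"{pkt.src_ip} is not an internal address")
        key = (pkt.src_ip, pkt.src_port, pkt.proto, pkt.dst_ip, pkt.dst_port)
        port = self.reverse.get(key)
        if port is None:
            if self.next_port > self.max_port:
                raise RuntimeError("port pool exhausted")
            port = self.next_port
            self.next_port += 1
            self.reverse[key] = port
            self.table[(port, pkt.proto, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Map a packet arriving at the public address back to an internal host.

        Returns None (drop) when nothing in the table or the forwarding rules
        matches: this is the "unsolicited inbound is dropped" side effect of NAT.
        """
        if pkt.dst_ip != self.public_ip:
            return None
        fwd = self.forwards.get((pkt.proto, pkt.dst_port))
        if fwd is not None:
            int_ip, int_port = fwd
            # Record the flow so the server's reply is translated back to the published port.
            self.table[(pkt.dst_port, pkt.proto, pkt.src_ip, pkt.src_port)] = (int_ip, int_port)
            self.reverse[(int_ip, int_port, pkt.proto, pkt.src_ip, pkt.src_port)] = pkt.dst_port
            return Packet(pkt.src_ip, pkt.src_port, int_ip, int_port, pkt.proto)
        entry = self.table.get((pkt.dst_port, pkt.proto, pkt.src_ip, pkt.src_port))
        if entry is None:
            return None
        int_ip, int_port = entry
        return Packet(pkt.src_ip, pkt.src_port, int_ip, int_port, pkt.proto)


if __name__ == "__main__":
    # Constructed sample traffic: two LAN hosts reach the same web server,
    # one reply comes back, and one unsolicited probe is dropped.
    fw = PatFirewall("203.0.113.10")
    a = fw.outbound(Packet("192.168.1.20", 51000, "198.51.100.5", 443))
    b = fw.outbound(Packet("192.168.1.21", 51000, "198.51.100.5", 443))
    print("outbound:", a, b)  # both from 203.0.113.10, distinct public ports
    print("reply:", fw.inbound(Packet("198.51.100.5", 443, "203.0.113.10", a.src_port)))
    print("probe:", fw.inbound(Packet("198.51.100.9", 40000, "203.0.113.10", 5000)))
```

Two details are worth noticing. Both internal hosts chose source port 51000, so the public port, not the internal one, is what distinguishes their flows in the table; and the forwarding rule is the only way an outsider can initiate a connection inward, which is why port forwards deserve the same scrutiny as any other firewall rule.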
In addition to improving the scalability of IPv4, NAT is often credited with security benefits.
Two are commonly cited: internal addresses are never visible to hosts on the Internet, and an inbound packet that matches neither an existing translation nor an explicit port-forwarding rule has no internal destination and is dropped. NAT can also help to bolster an organization's security by forcing all traffic to pass through a network firewall. However, these are side effects of the translation rather than a security control in their own right, and they only amount to protection if the firewall doing the translation can also detect and block malicious network traffic. To learn more about what to look for in an NGFW, check out this buyer's guide.
Check Point NGFWs offer high-performance NAT functionality as well as enterprise-grade threat prevention capabilities. To see Check Point firewalls in action, you’re welcome to sign up for a free demo.