Improve security and avoid the pitfalls of running multiple machines using one IP address
No matter what kind of Internet connection you have and regardless of whether you have a fixed or dynamically assigned public IP address, chances are you’re using network address translation (Nat) somewhere in your setup.
Usually implemented on the Internet router, gateway or firewall, Nat technology provides several benefits, including the ability to share a single public IP address between multiple users.
It does this by altering outbound packets sent from Lan devices so they all appear to come from the one shared public IP address. Nat then routes the return traffic back to the appropriate local systems, doing away with the need to assign public addresses to each and every host on your Lan.
Nat also has the effect of ‘hiding’ local IP addresses, giving at least a basic level of security against would-be hackers. But it can also cause problems, especially when you want to host your own public email, web, VPN (virtual private network) and other servers.
The problem in a nutshell
The main problem with Nat stems from the fact that it hides local addresses. This is good in terms of security, but bad if you want to allow remote users to connect to a local web, email or VPN server: the local address simply won’t work, and the only publicly accessible address you’re likely to have will be assigned to the Internet router.
To host your own servers, either you have to bypass Nat altogether or find a way of forwarding traffic destined for those systems onto the appropriate ‘hidden’ local addresses.
Where more than one server application is involved, you may need a way of directing different types of traffic to the correct hosts – SMTP, Pop3 and Imap packets to the mail server; HTTP/HTTPS traffic to the web server; encrypted IPSec tunnels to the VPN server; and so on.
Most Nat-enabled devices have this functionality built in. But how it’s implemented, what the options involved are called and how you configure them can vary enormously.
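The two behaviours described above (outbound address sharing, then routing replies back to the right local host, and static forwarding of particular service ports to particular servers) can be modelled in a few dozen lines. The following is an added example, not code from the article or from any router product; the addresses, port numbers and service-to-host mapping are constructed for illustration, and the rule that only the remote host a local client actually talked to may use a dynamic mapping is one common NAT design rather than something the article specifies.

```python
"""Toy model of a NAT gateway: outbound address sharing plus inbound port
forwarding. Added example, not the article's own code; all addresses, ports
and the service-to-host mapping are constructed for illustration."""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatGateway:
    """A router that hides a LAN behind one public IP address."""

    def __init__(self, public_ip: str, lan_prefix: str,
                 forwards: Optional[Dict[Tuple[str, int], Tuple[str, int]]] = None):
        self.public_ip = public_ip
        self.lan_prefix = lan_prefix          # e.g. "192.168.1."
        # Static port forwards: (proto, public port) -> (internal host, port)
        self.forwards = dict(forwards or {})
        # Dynamic translations created by outbound traffic:
        # (proto, public port) -> (lan ip, lan port, remote ip, remote port)
        self.table: Dict[Tuple[str, int], Tuple[str, int, str, int]] = {}
        self.next_port = 40000                # first public port handed out

    def is_local(self, ip: str) -> bool:
        return ip.startswith(self.lan_prefix)

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite a LAN-originated packet so it appears to come from the public IP."""
        if not self.is_local(pkt.src_ip) or self.is_local(pkt.dst_ip):
            return pkt                        # not crossing the NAT boundary
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        for (proto, pub_port), entry in self.table.items():
            if proto == pkt.proto and entry == flow:
                break                         # reuse the existing mapping
        else:
            pub_port = self.next_port
            self.next_port += 1
            self.table[(pkt.proto, pub_port)] = flow
        return replace(pkt, src_ip=self.public_ip, src_port=pub_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Deliver a packet arriving at the public IP, or return None to drop it."""
        if pkt.dst_ip != self.public_ip:
            return None
        key = (pkt.proto, pkt.dst_port)
        entry = self.table.get(key)
        if entry is not None:
            lan_ip, lan_port, remote_ip, remote_port = entry
            # Only the remote endpoint the LAN client talked to may use this mapping
            if (pkt.src_ip, pkt.src_port) == (remote_ip, remote_port):
                return replace(pkt, dst_ip=lan_ip, dst_port=lan_port)
            return None
        if key in self.forwards:              # static forward for a hosted service
            lan_ip, lan_port = self.forwards[key]
            return replace(pkt, dst_ip=lan_ip, dst_port=lan_port)
        return None                           # unsolicited and no forward rule: dropped


def demo() -> dict:
    """Walk a few constructed packets through the gateway and report the outcome."""
    gw = NatGateway("203.0.113.10", "192.168.1.", forwards={
        ("tcp", 25): ("192.168.1.20", 25),    # SMTP  -> mail server
        ("tcp", 443): ("192.168.1.30", 443),  # HTTPS -> web server
        ("udp", 500): ("192.168.1.40", 500),  # IKE   -> VPN server
    })
    # A LAN client browses an external web server; the reply finds its way back.
    out = gw.outbound(Packet("tcp", "192.168.1.5", 51000, "198.51.100.7", 80))
    back = gw.inbound(Packet("tcp", "198.51.100.7", 80, "203.0.113.10", out.src_port))
    # Unsolicited connections: one to a forwarded port, one to a port with no rule.
    smtp = gw.inbound(Packet("tcp", "192.0.2.50", 34567, "203.0.113.10", 25))
    ssh = gw.inbound(Packet("tcp", "192.0.2.50", 34568, "203.0.113.10", 22))
    return {
        "public_source": (out.src_ip, out.src_port),
        "reply_delivered_to": (back.dst_ip, back.dst_port),
        "smtp_delivered_to": (smtp.dst_ip, smtp.dst_port),
        "ssh_dropped": ssh is None,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the module shows the browsing reply landing back on the client at 192.168.1.5, SMTP reaching the mail server, and the connection to port 22 being dropped because no mapping or forward rule exists for it. That last case is the point of the article's remark about Nat "hiding" local systems: without a forward rule, nothing inside is reachable from outside.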
The hardware DMZ
Before looking at examples, there is one alternative: to sidestep the issue of Nat altogether. That doesn’t mean turning it off, but using hardware arranged to create a so-called demilitarised zone (DMZ), where local network ports are provided that sit on the Internet side of the Nat defences.
Because they fall outside the scope of the Nat technology, anything attached to these ports can be assigned a public IP address of its own, doing away with the need for any special measures to overcome Nat problems, assuming you’ve been allocated a block of public addresses by your ISP (see ‘The right address’). Bear in mind that such hosts also lose the basic protection Nat provides by hiding them, so each one needs its own firewalling.