IPv4 Private Address Space
As you know, there are not enough public IPv4 addresses to assign a unique address to each device connected to the internet. Networks are commonly implemented using private IPv4 addresses, as defined in RFC 1918. The address ranges defined in RFC 1918 are listed in the following table. It is very likely that the computer that you use to view this course is assigned a private address.
| Class | RFC 1918 Internal Address Range | Prefix |
|-------|----------------------------------|--------|
| A | 10.0.0.0 – 10.255.255.255 | 10.0.0.0/8 |
| B | 172.16.0.0 – 172.31.255.255 | 172.16.0.0/12 |
| C | 192.168.0.0 – 192.168.255.255 | 192.168.0.0/16 |
These private addresses are used within an organization or site to allow devices to communicate locally. However, because these addresses do not identify any single company or organization, private IPv4 addresses cannot be routed over the internet. To allow a device with a private IPv4 address to access devices and resources outside of the local network, the private address must first be translated to a public address.
NAT provides the translation of private addresses to public addresses, as shown in the figure. This allows a device with a private IPv4 address to access resources outside of its private network, such as those found on the internet. NAT, combined with private IPv4 addresses, has been the primary method of preserving public IPv4 addresses. A single public IPv4 address can be shared by hundreds, even thousands, of devices, each configured with a unique private IPv4 address.
Without NAT, the exhaustion of the IPv4 address space would have occurred well before the year 2000. However, NAT has limitations and disadvantages, which will be explored later in this module. The solution to the exhaustion of IPv4 address space and the limitations of NAT is the eventual transition to IPv6.
What is NAT
NAT has many uses, but its primary use is to conserve public IPv4 addresses. It does this by allowing networks to use private IPv4 addresses internally and providing translation to a public address only when needed. NAT has a perceived benefit of adding a degree of privacy and security to a network, because it hides internal IPv4 addresses from outside networks.
NAT-enabled routers can be configured with one or more valid public IPv4 addresses. These public addresses are known as the NAT pool. When an internal device sends traffic out of the network, the NAT-enabled router translates the internal IPv4 address of the device to a public address from the NAT pool. To outside devices, all traffic entering and exiting the network appears to have a public IPv4 address from the provided pool of addresses.
A NAT router typically operates at the border of a stub network. A stub network is one or more networks with a single connection to its neighboring network, one way in and one way out of the network. In the example in the figure, R2 is a border router. As seen from the ISP, R2 forms a stub network.
When a device inside the stub network wants to communicate with a device outside of its network, the packet is forwarded to the border router. The border router performs the NAT process, translating the internal private address of the device to a public, outside, routable address.
Note: The connection to the ISP may use a private address or a public address that is shared among customers. For the purposes of this module, a public address is shown.
How NAT Works
In this example, PC1 with private address 192.168.10.10 wants to communicate with an outside web server with public address 18.104.22.168.
In NAT terminology, the inside network is the set of networks that is subject to translation. The outside network refers to all other networks.
When using NAT, IPv4 addresses have different designations based on whether they are on the private network, or on the public network (internet), and whether the traffic is incoming or outgoing.
NAT includes four types of addresses:
- Inside local address
- Inside global address
- Outside local address
- Outside global address
When determining which type of address is used, it is important to remember that NAT terminology is always applied from the perspective of the device with the translated address:
- Inside address – The address of the device which is being translated by NAT.
- Outside address – The address of the destination device.
NAT also uses the concept of local or global with respect to addresses:
- Local address – A local address is any address that appears on the inside portion of the network.
- Global address – A global address is any address that appears on the outside portion of the network.
The terms, inside and outside, are combined with the terms local and global to refer to specific addresses. The NAT router, R2 in the figure, is the demarcation point between the inside and outside networks. R2 is configured with a pool of public addresses to assign to inside hosts. Refer to the network and NAT table in the figure for the following discussion of each of the NAT address types.
Inside local address
The address of the source as seen from inside the network. This is typically a private IPv4 address. In the figure, the IPv4 address 192.168.10.10 is assigned to PC1. This is the inside local address of PC1.
Inside global address
The address of the source as seen from the outside network. This is typically a globally routable IPv4 address. In the figure, when traffic from PC1 is sent to the web server at 22.214.171.124, R2 translates the inside local address to an inside global address. In this case, R2 changes the IPv4 source address from 192.168.10.10 to 126.96.36.199. In NAT terminology, the inside local address of 192.168.10.10 is translated to the inside global address of 188.8.131.52.
Outside global address
The address of the destination as seen from the outside network. It is a globally routable IPv4 address assigned to a host on the internet. For example, the web server is reachable at IPv4 address 184.108.40.206. Most often the outside local and outside global addresses are the same.
Outside local address
The address of the destination as seen from the inside network. In this example, PC1 sends traffic to the web server at the IPv4 address 220.127.116.11. While uncommon, this address could be different from the globally routable address of the destination.
PC1 has an inside local address of 192.168.10.10. From the perspective of PC1, the web server has an outside address of 18.104.22.168. When packets are sent from PC1 to the global address of the web server, the inside local address of PC1 is translated to 22.214.171.124 (inside global address). The address of the outside device is not typically translated because that address is usually a public IPv4 address.
Notice that PC1 has different local and global addresses, whereas the web server has the same public IPv4 address for both. From the perspective of the web server, traffic originating from PC1 appears to have come from 126.96.36.199, the inside global address.
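The following is an added example, not part of the original course material: it models the RFC 1918 check from the table at the top of the page and the one-to-one pool translation that R2 performs in the four-address discussion above. PC1's inside local address 192.168.10.10 comes from the text; the NAT pool address 203.0.113.226 and the web server address 198.51.100.1 are constructed RFC 5737 documentation addresses, and `NatRouter` is a hypothetical model, not a real router implementation.

```python
import ipaddress
from dataclasses import dataclass, field

# The three private blocks from the RFC 1918 table above.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    """True if addr falls inside one of the RFC 1918 private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


@dataclass
class NatRouter:
    """Hypothetical model of the border router R2: one inside global address
    from the pool per inside local address (dynamic one-to-one NAT)."""
    pool: list                                   # unused inside global addresses
    table: dict = field(default_factory=dict)    # inside local -> inside global

    def outbound(self, src: str, dst: str) -> dict:
        """Translate an outgoing packet's source. The destination is left alone,
        so outside local and outside global are the same, as the text describes."""
        if not is_rfc1918(src):
            raise ValueError(f"{src} is not a private address; nothing to translate")
        if src not in self.table:
            if not self.pool:
                raise RuntimeError("NAT pool exhausted")   # limitation of pool NAT
            self.table[src] = self.pool.pop(0)
        return {"inside_local": src, "inside_global": self.table[src],
                "outside_local": dst, "outside_global": dst}

    def inbound(self, src: str, dst: str):
        """Reverse the translation for the reply: inside global -> inside local.
        Returns None when no table entry exists, i.e. an unsolicited packet."""
        for local, glob in self.table.items():
            if glob == dst:
                return {"outside_global": src, "inside_global": dst,
                        "inside_local": local}
        return None


if __name__ == "__main__":
    r2 = NatRouter(pool=["203.0.113.226"])           # constructed pool address
    print(r2.outbound("192.168.10.10", "198.51.100.1"))  # PC1 -> web server
    print(r2.inbound("198.51.100.1", "203.0.113.226"))   # web server's reply
```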