
Network Address Translation

References

  • Private addresses: RFC 1918
  • NAT: RFC 1631

Private Address Ranges

A NAT router typically acts as an intermediary between devices on private address ranges and the rest of the Internet. These private addresses are not routed anywhere on the Internet:

     10.0.0.0      -   10.255.255.255  (10.0.0.0/8)
     172.16.0.0    -   172.31.255.255  (172.16.0.0/12)
     192.168.0.0   -   192.168.255.255 (192.168.0.0/16)

Any site is permitted to use one or more of these address ranges for its own purposes. However, without NAT, devices on these private networks would not be able to access or be accessed by devices on the Internet.

How Can I Tell If I'm Using NAT?

If you can reach sites on the Internet, but you have an address on one of the private address ranges, you're behind a NAT router.

What is NAT?

There are several types of NAT described in the NAT RFC. The most common use is to "hide" an entire network of devices with private addresses behind a single routable address. A NAT router, either a computer or a dedicated hardware "appliance", has connections both to the Internet and to a network with a private address range. As mentioned previously, devices on private networks cannot by themselves access information on the Internet. A NAT router acts as an intermediary as follows:

  1. A device on the private network makes a request for information on the Internet.
  2. Packets travel to the NAT router, which rewrites the packet header so that it appears that the packets are coming from the router's public address. (Note: if you are behind a NAT router, you can go to this page to see the address and name your computer appears to have to Internet hosts.)
  3. The NAT router maintains a session table, so that replies can be forwarded back to the originator on the private network.

NATs as Firewalls

What would happen if a device on the Internet tried to contact a device on the private network behind a NAT router? It can't contact devices on the private network directly, because no Internet router will forward packets with private network addresses. It could try to send packets to the NAT router, but the NAT router has no way of knowing which device on the private network should receive the information, so the packets are simply dropped. This gives NAT routers basic firewall functionality with minimal configuration on the user's part.
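The session table from step 3 and the drop behaviour described above can be modelled in a few lines. This is an added example, not code from the original page: the `NatRouter` class, the port pool starting at 40000, and the rule that a reply must match the exact remote endpoint are assumptions of this model (real NAT implementations differ in how strictly they match), and all addresses are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass, field

# The three private ranges listed on this page (RFC 1918).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_private(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

@dataclass
class NatRouter:                      # hypothetical model, not a real API
    public_ip: str
    next_port: int = 40000            # assumed start of the public port pool
    out_map: dict = field(default_factory=dict)  # private flow -> public port
    in_map: dict = field(default_factory=dict)   # public port + remote -> private host

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Step 2: rewrite the source so the packet appears to come from the router."""
        if not is_private(src_ip):
            raise ValueError("source is not on a private range")
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.out_map:   # step 3: record the session
            port = self.next_port
            self.next_port += 1
            self.out_map[key] = port
            self.in_map[(port, dst_ip, dst_port)] = (src_ip, src_port)
        return (self.public_ip, self.out_map[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_port):
        """Forward a reply to its originator, or return None when it is dropped."""
        entry = self.in_map.get((dst_port, src_ip, src_port))
        if entry is None:             # no session: router cannot pick a private host
            return None
        return (src_ip, src_port, entry[0], entry[1])

if __name__ == "__main__":
    nat = NatRouter("203.0.113.5")    # constructed public address
    print(nat.outbound("192.168.1.10", 51000, "198.51.100.7", 443))
    print(nat.inbound("198.51.100.7", 443, 40000))    # reply: forwarded
    print(nat.inbound("198.51.100.99", 443, 40000))   # unsolicited: None
```
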

Last modified July 14, 2022