Partager via


NAT Example

Applies To: Windows 7, Windows Server 2008 R2

If a small business is using the 192.168.0.0 network ID for its intranet and has been granted the public address of w1.x1.y1.z1 by its Internet service provider (ISP), then network address translation (NAT) maps all private addresses on the 192.168.0.0 network to the IP address of w1.x1.y1.z1. If multiple private addresses are mapped to a single public address, NAT uses dynamically chosen TCP and UDP ports to distinguish one intranet location from another.

Note

The addresses w1.x1.y1.z1 and w2.x2.y2.z2 represent valid public IPv4 addresses as assigned by an ISP.

The following figure shows an example of the use of NAT to transparently connect an intranet to the Internet.

If a user on the private network at 192.168.0.10 uses a Web browser to connect to the Web server at w2.x2.y2.z2, the user's computer creates an IP packet with the following information:

  • Destination IP address: w2.x2.y2.z2

  • Destination port: TCP port 80

  • Source IP address: 192.168.0.10

  • Source port: TCP port 1025

This IP packet is then forwarded to the NAT router, which translates the source addresses of the outgoing packet to the following:

  • Destination IP address: w2.x2.y2.z2unchanged.

  • Destination port: TCP port 80 – unchanged.

  • Source IP address: w1.x1.y1.z1changed to the router’s public address.

  • Source port: TCP port 5000 – changed to a dynamically assigned local port on the router.

The NAT protocol keeps the mapping of {192.168.0.10, TCP 1025} to {w1.x1.y1.z1, TCP 5000} in an internal table.

The translated IP packet is sent over the Internet. The response is sent back and received by the NAT protocol. The received packet contains the following public address information:

  • Destination IP address: w1.x1.y1.z1

  • Destination port: TCP port 5000

  • Source IP address: w2.x2.y2.z2

  • Source port: TCP port 80

The NAT protocol compares the incoming destination address and port to its translation table and finds a mapping. It uses the mapping to replace the public address and port with the original private address and port and then forwards the packet to the computer at 192.168.0.10. The forwarded packet contains the following address information:

  • Destination IP address: 192.168.0.10 – changed to the destination computer.

  • Destination port: TCP port 1025 – changed to the original port.

  • Source IP address: w2.x2.y2.z2unchanged.

  • Source port: TCP port 80 – unchanged.

For outgoing packets from the NAT protocol, the source IP address (a private address) is mapped to the ISP allocated address (a public address), and the TCP/UDP port numbers are mapped to a dynamically assigned TCP/UDP port number.

For incoming packets to the NAT protocol, the destination IP address (a public address) is mapped to the original intranet address (a private address), and the TCP/UDP port numbers are mapped back to their original TCP/UDP port numbers.

Note

NAT examines only the IP packet header. Packets that contain the IP address only in the IP header are properly translated by NAT. Packets that contain the IP address within the IP payload might not be properly translated by NAT.

Additional references