This article is a part of a series on Network Address Translation (NAT). Use the navigation boxes to view the rest of the articles.
According to the definitions outlined in the NAT Terminology article, a Static NAT implies a translation of just the IP address, where the post-translation IP addresses are explicitly defined.
Making Internal Resources Accessible
The typical use case for a Static NAT is for a Server on a Private IPv4 network to be reached externally from the Internet.
In this example, the Internet host 54.4.5.9 needs to connect to the web server on the Inside network. The web server is on an internal network and is therefore configured with the Private IP address of 10.2.2.33.
If the Internet host attempts to send a packet to the IP address of the server (10.2.2.33), the packet will be dropped when it reaches the Internet. Recall, Private IP addresses are not routable on the Internet.
For a host on the Internet to reach the server, a Static NAT must be configured on the NAT device. In our example, the Router in front of the 10.2.2.0/24 network will be the NAT device, and we will configure it to translate the private IP address 10.2.2.33 to the Public IP address 73.8.2.33.
Now, the Internet host can send a packet to the corresponding Public IP address (73.8.2.33), which will be routed through the Internet to the NAT device. The Router (acting as our NAT device) will then translate the packet to the Server’s private IP address (10.2.2.33). When the web server responds, the router will un-translate the packet back to the original IP address of 73.8.2.33.
The Static NAT allowed the internal host with the private IP address to be accessed by an external host.
With that in mind, there are three additional points that must be made regarding Static NAT.
Source or Destination
Whether the Source or Destination of the packet is translated is dependent on the direction the packet is traveling. The inbound packet has its Destination IP translated (from the Internet to the server). The outbound packet has its Source IP translated (from the server to the Internet).
Either way, the one IP address 10.2.2.33 always maps to the one IP address 73.8.2.33. This is why a Static NAT is also sometimes called a one-to-one NAT.
Conserving IP Addresses
If you had 30 servers on the Inside network, each with their own Private IP address, and you wanted to use Static NAT, then you would need 30 unique Public IP addresses for the translations.
We discussed earlier that the original intent of Network Address Translation was to conserve Public IPv4 addresses. However, as you can see, a Static NAT does not actually conserve any Public IPv4 addresses. Instead, the primary purpose of a Static NAT is to expose a server with a Private IP address to the public Internet.
Bidirectional
Finally, in the example above, the initial packet was sent from the Internet host. But it could have easily been sent from the server on the Inside network. Regardless of who initiated the connection, the Static NAT would cause the Source of the outbound packets or the Destination of the inbound packets to be translated.
The key point is that a Static NAT translation is bidirectional. Whether the internal host or the external host sent the first packet, it would “pass through” the Static NAT. There are variations of NAT which we will discuss later in this article series where the translation will not be bidirectional.
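The three points above (destination translated inbound, source translated outbound, one-to-one and bidirectional) can be modelled in a few lines. This is an added example written for this page, not code from the article or from any router; it simulates the NAT device in front of 10.2.2.0/24 with the article's addresses and the Packet/StaticNat names are my own.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str


class StaticNat:
    """One-to-one (static) NAT table. Each inside address maps to exactly
    one public address, and the same entry is used in both directions."""

    def __init__(self):
        self._in_to_out = {}  # private -> public
        self._out_to_in = {}  # public -> private

    def add(self, inside_ip, public_ip):
        inside, public = ipaddress.ip_address(inside_ip), ipaddress.ip_address(public_ip)
        if not inside.is_private:
            raise ValueError(f"{inside} is not a private (RFC 1918) address")
        if public.is_private:
            raise ValueError(f"{public} is not routable on the Internet")
        # One-to-one: a public address cannot be shared, which is why
        # 30 inside servers would need 30 public addresses.
        if public_ip in self._out_to_in or inside_ip in self._in_to_out:
            raise ValueError("static NAT entries must be one-to-one")
        self._in_to_out[inside_ip] = public_ip
        self._out_to_in[public_ip] = inside_ip

    def inbound(self, pkt):
        """Internet -> inside: only the Destination is rewritten."""
        return Packet(pkt.src, self._out_to_in.get(pkt.dst, pkt.dst))

    def outbound(self, pkt):
        """Inside -> Internet: only the Source is rewritten."""
        return Packet(self._in_to_out.get(pkt.src, pkt.src), pkt.dst)


def demo():
    """Return the translated packets for an Internet-initiated and a
    server-initiated exchange (constructed sample, addresses from the article)."""
    nat = StaticNat()
    nat.add("10.2.2.33", "73.8.2.33")
    # Case 1: Internet host 54.4.5.9 sends to the public address.
    to_server = nat.inbound(Packet("54.4.5.9", "73.8.2.33"))
    reply = nat.outbound(Packet(to_server.dst, to_server.src))  # server answers
    # Case 2: the server initiates; the same entry translates its Source.
    from_server = nat.outbound(Packet("10.2.2.33", "54.4.5.9"))
    reply2 = nat.inbound(Packet(from_server.dst, from_server.src))
    return to_server, reply, from_server, reply2
```

Both exchanges use the single table entry, so the server never sees 73.8.2.33 and the Internet host never sees 10.2.2.33.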
Prefer video content to text? The majority of this article has been recorded and can be viewed on Youtube:
Love the learning lesson. Thanks for posting this
I’ve never read anything explained so well – great job, it makes me read more and more.
Excellent explanation
Very well explained…Thank
Thanks a lot. This article is very useful.
Will you please explain how NAT takes place in Checkpoint?
I’m afraid I don’t have Checkpoint experience and would not be able to speak to the configuration of Checkpoint firewalls. The concepts of NAT explained in this series will still apply to Checkpoint firewalls. They will just call them something different.
Thank you!
You are really the best in teaching the networking.
Thank you, Mircea =).
Information provided in this article is crystal clear.
Thank you, Surender =)
How would one test the NATing? Is it possible to do it with a ping?
The host on the internet will then send a ping request to 73.8.2.33, and that will get translated to 10.2.2.33. Will the returned Ping reply come back correctly? I have tried this on industrial routers (non-Cisco) and I experience there are problems with ARP requests. Or is there any other way to test it? Perhaps trying to see if a telnet request works, etc.
NAT is transparent to the hosts. Ping will not tell you whether you are or are not being NATed.
There are other protocols you can use (STUN, for instance), but those aren’t implemented in most operating systems and would have to be installed manually.