Specifications
Appendix B: Network IP Topology
Page B-4 Mitel® 5000 Installation Manual – Issue 3.0, October 2008

Network Address Translation Overview
Network Address Translation (NAT) is an Internet standard [1] that enables a local-area network
(LAN) to use one set of IP addresses for internal traffic and a second set of addresses for
external traffic. Generally, the NAT function is provided by a router or firewall.
The main purpose of NAT is to allow an organization to use a pool of (private) IP addresses that
is separate from (public) Internet IP addresses. This alleviates a shortage of public IP
addresses. Although NAT can provide a limited amount of security, it is rarely used standalone
for security purposes [2].
To facilitate NAT, the Internet Assigned Numbers Authority (IANA) has designated certain IP
addresses to be private [3]. This designation means that these IP addresses are not valid
(routable) on the public Internet. This allows organizations to safely use these addresses within
their networks. The designated private addresses are:
• 10.0.0.0 - 10.255.255.255 (One Class A Subnet)
• 172.16.0.0 - 172.31.255.255 (16 Class B Subnets)
• 192.168.0.0 - 192.168.255.255 (256 Class C Subnets)
NAT operates by dynamically associating each internal private IP address with an external
public IP address (and port). The NAT box (router or firewall) keeps track of the association
between internal and external addresses and re-writes the IP packet header addresses as
necessary. The association between internal and external IP addresses is generally short-lived
based on activity.
Although NAT has been widely used throughout the Internet, some protocols do not work well
with NAT. As described above, NAT translates the IP addresses in only the IP packet headers.
The root of the problem is that some protocols carry IP addresses in the IP packet payload. As
a result, private IP addresses are sometimes communicated out to the public Internet. By
design, these private IP addresses are not accessible.
It is also possible to configure persistent or static NAT assignments in which a specific outside
address is associated with a specific inside address. Although static NAT essentially allows an
inside device to be accessible from the outside, it is still NAT and therefore problematic for
some protocols when IP addresses are carried in the IP packet payload.
Some Internet applications (for example, IP telephony) do not allow use of NAT. Some firewall
vendors offer capability to “fix” NAT problems for specific protocols (for example, SIP).
Because NAT takes place where a private network connects to a public network, there are often
two NAT operations taking place – one at each end of the communication. The NAT operations
are the same at the two ends, but sometimes the impact on network protocols is different. For
the purposes of this discussion, the NAT that takes place between the server (for example, a
Mitel CS-5200/5400/5600 system) and the public network is referred to as near-end NAT. The
NAT that takes place between IP endpoints and the public network (as in a home network) is
referred to as far-end NAT.
There is a variation of NAT called PAT (Port Address Translation) in which the trusted IP
address and port are translated dynamically to an outside IP address and (different) port. For
the purposes of this appendix, the term NAT includes true PAT as well as true NAT.
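The following is an added illustration, not code from the Mitel manual: a minimal dynamic PAT table that rewrites the source address and port in the packet header exactly as the text describes, while leaving the payload untouched, so a constructed SIP INVITE carrying a RFC 1918 address in its Via and Contact headers still leaks that private address to the far end. All addresses, ports and the SIP message are constructed for the example.

```python
import ipaddress
import re

# RFC 1918 private ranges listed in the appendix.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr: str) -> bool:
    """True if addr falls inside one of the RFC 1918 private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


class PatBox:
    """Dynamic PAT: maps (inside_ip, inside_port) to (public_ip, new_port)."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.table = {}  # (inside_ip, inside_port) -> allocated public port

    def translate_outbound(self, packet: dict) -> dict:
        """Rewrite only the header fields; the payload is copied unchanged."""
        key = (packet["src_ip"], packet["src_port"])
        if key not in self.table:          # new association, allocate a port
            self.table[key] = self.next_port
            self.next_port += 1
        out = dict(packet)
        out["src_ip"] = self.public_ip
        out["src_port"] = self.table[key]
        return out


def leaked_private_addrs(payload: str) -> list:
    """Private addresses still present in the payload after translation."""
    found = re.findall(r"\b(?:\d{1,3}\.){3}\d{1,3}\b", payload)
    return sorted({a for a in found if is_private(a)})


# Constructed SIP INVITE: the phone puts its own (private) address in the
# Via and Contact headers, which live in the payload, not the IP header.
SIP_INVITE = ("INVITE sip:2001@203.0.113.10 SIP/2.0\r\n"
              "Via: SIP/2.0/UDP 192.168.1.20:5060\r\n"
              "Contact: <sip:1001@192.168.1.20:5060>\r\n")


def demo() -> dict:
    """Push one constructed packet through the PAT box and return the result."""
    box = PatBox("198.51.100.1")
    pkt = {"src_ip": "192.168.1.20", "src_port": 5060,
           "dst_ip": "203.0.113.10", "dst_port": 5060, "payload": SIP_INVITE}
    return box.translate_outbound(pkt)
```

Running `leaked_private_addrs(demo()["payload"])` shows the header now carries the public address while the payload still names 192.168.1.20, which is why a firewall needs a protocol-specific fix (for example, for SIP) or the far end must be told the public address some other way.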
[1] Defined in RFC 3022.
[2] This is because the public address/port combinations can be easily guessed. Even with dynamic NAT,
the address associations are open for long periods of (computer) time during which the internal
computer is vulnerable to attack.
[3] Defined in RFC 1918.