Network address translation

NAT redirects here. For other uses, see Nat.

As network address translation modies the IP address information in packets, it has serious consequences on the
quality of Internet connectivity and requires careful attention to the details of its implementation. NAT implementations vary widely in their specic behavior in various addressing cases and in their eect on network trac.
Vendors of equipment containing implementations do not
commonly document the specics of NAT behavior.[2]

In computer networking, network address translation

(NAT) provides a method[1] of modifying network address information in Internet Protocol (IP) datagram
packet headers while they are in transit across a trafc routing device for the purpose of remapping one
IP address space into another. The term NAT44 is
sometimes used to more specically indicate mapping
between two IPv4 addresses; this is the typical case
while IPv4 carries the majority of trac on the Internet. NAT64 refers to the mapping of an IPv4 address to
an IPv6 address, or vice versa.

1 Basic NAT
The simplest type of NAT provides a one-to-one translation of IP addresses. RFC 2663 refers to this type of NAT
as basic NAT; it is often also called a one-to-one NAT.
In this type of NAT, only the IP addresses, IP header
checksum and any higher level checksums that include
the IP address are changed. Basic NATs can be used to
interconnect two IP networks that have incompatible addressing.

Network administrators originally used network address

translation to map every address of one address space to a
corresponding address in another space, such as when an
organization changed Internet service providers without
having a facility to announce a public route to the network. As of 2014 NAT operates most commonly in conjunction with IP masquerading, which is a technique
that hides an entire IP address space - usually consisting
of private network IP addresses (RFC 1918) - behind a
single IP address in another, usually public address space.
Vendors implement this mechanism in a routing device
that uses stateful translation tables to map the hidden
addresses into a single IP address and that readdresses the
outgoing Internet Protocol packets on exit so they appear
to originate from the routing device. In the reverse communications path, the router maps responses back to the
originating IP addresses using the rules (state) stored
in the translation tables. The translation table rules established in this fashion are ushed after a short period
unless new trac refreshes their state.

2 One-to-many NAT
The majority of NATs map multiple private hosts to one
publicly exposed IP address. In a typical conguration,
a local network uses one of the designated private IP
address subnets (RFC 1918). A router on that network
has a private address in that address space. The router is
also connected to the Internet with a public address assigned by an Internet service provider. As trac passes
from the local network to the Internet, the source address
in each packet is translated on the y from a private address to the public address. The router tracks basic data
about each active connection (particularly the destination
address and port). When a reply returns to the router,
it uses the connection tracking data it stored during the
outbound phase to determine the private address on the
internal network to which to forward the reply.

The method enables communication through the router

only when the conversation originates in the masqueraded
network, since this establishes the translation tables. For
example, a web browser in the masqueraded network can
browse a website outside, but a web browser outside can
not browse a web site hosted within the masqueraded network. However, most NAT devices today allow the network administrator to congure translation table entries
for permanent use. This feature is often referred to as
static NAT or port forwarding - it allows trac originating in the outside network to reach designated hosts
in the masqueraded network.

All datagram packets on IP networks have a source IP

address and a destination IP address. Typically packets
passing from the private network to the public network
will have their source address modied while packets
passing from the public network back to the private network will have their destination address modied. More
Because of the popularity of this technique to conserve
complex congurations are also possible.
IPv4 address space, the term NAT has become virtually
To avoid ambiguity in how to translate returned packets,
synonymous with the method of IP masquerading.
further modications to the packets are required. The
1

2
vast bulk of Internet trac is TCP and UDP packets, and
for these protocols the port numbers are changed so that
the combination of IP address and port information on
the returned packet can be unambiguously mapped to the
corresponding private address and port information. RFC
2663 uses the term network address and port translation
(NAPT) for this type of NAT. Other names include port
address translation (PAT), IP masquerading, NAT overload and many-to-one NAT. This is the most common
type of NAT, and has become synonymous with the term
NAT in common usage. This method enables communication through the router only when the conversation originates in the masqueraded network, since this establishes
the translation tables. For example, a web browser in the
masqueraded network can browse a website outside, but
a web browser outside could not browse a web site hosted
within the masqueraded network. However, most NAT
devices today allow the network administrator to congure translation table entries for permanent use. This feature is often referred to as static NAT or port forwarding and allows trac originating in the outside network
to reach designated hosts in the masqueraded network.

3 IMPLEMENTATION
ual NAT behaviors instead of using the Cone/Symmetric
terminology. Especially, most NAT translators combine
symmetric NAT for outgoing connections with static port
mapping, where incoming packets to the external address
and port are redirected to a specic internal address and
port. Some products can redirect packets to several internal hosts, e.g. to divide the load between a few servers.
However, this introduces problems with more sophisticated communications that have many interconnected
packets, and thus is rarely used.

2.2 Type of NAT and NAT traversal, role

of port preservation for TCP
The NAT traversal problem arises when two peers behind distinct NAT try to communicate. One way to solve
this problem is to use port forwarding, another way is to
use various NAT traversal techniques. The most popular
technique for TCP NAT traversal is TCP hole punching,
which requires the NAT to follow the port preservation
design for TCP, as explained below.

Protocols not based on TCP or UDP require other transMany NAT implementations follow the port preservation
lation techniques. ICMP packets typically relate to an exdesign for TCP: for a given outgoing tcp communicaisting connection and need to be mapped using the same
tion, they use the same values as internal and external
IP address and port mappings as that connection.
port numbers. NAT port preservation for outgoing TCP
connections is crucial for TCP NAT traversal, because as
TCP requires that one port can only be used for one com2.1 Methods of port translation
munication at a time, programs bind distinct TCP sockets
to ephemeral ports for each TCP communication, renderThere are several ways of implementing network address ing NAT port prediction impossible for TCP.[2]
and port translation. In some application protocols that
use IP address information, the application running on a On the other hand, for UDP, NATs do not need to have
node in the masqueraded network needs to determine the port preservation. Indeed multiple UDP communications
external address of the NAT, i.e., the address that its com- (each with a distinct endpoint) can occur on the same
munication peers detect, and, furthermore, often needs to source port, and applications usually reuse the same UDP
examine and categorize the type of mapping in use. Usu- socket to send packets to distinct hosts. This makes port
ally this is done because it is desired to set up a direct prediction straightforward, as it is the same source port
communications path (either to save the cost of taking for each packet.
the data via a server or to improve performance) between Furthermore, port preservation in NAT for TCP allows
two clients both of which are behind separate NATs.
P2P protocols to oer less complexity and less latency
For this purpose, the Simple traversal of UDP over NATs because there is no need to use a third party (like STUN)
the application itself al(STUN) protocol was developed (RFC 3489, March to discover the NAT port since
[2][3]
ready
knows
the
NAT
port.
2003). It classied NAT implementation as full-cone
NAT, (address) restricted-cone NAT, port-restricted cone
NAT or symmetric NAT and proposed a methodology
for testing a device accordingly. However, these procedures have since been deprecated from standards status, as the methods have proven faulty and inadequate to
correctly assess many devices. New methods have been
standardized in RFC 5389 (October 2008) and the STUN
acronym now represents the new title of the specication:
Session Traversal Utilities for NAT.
This terminology has been the source of much confusion,
as it has proven inadequate at describing real-life NAT
behavior.[2] Many NAT implementations combine these
types, and it is therefore better to refer to specic individ-

However, if two internal hosts attempt to communicate

with the same external host using the same port number,
the external port number used by the second host is chosen at random. Such NAT is sometimes perceived as (address) restricted cone NAT and other times as symmetric
NAT.
Recent studies have shown that roughly 70% of clients in
P2P networks employ some form of NAT.[4]

3 Implementation

3.4

3.1

Visibility of operation

Establishing two-way communication

Every TCP and UDP packet contains a source IP address

and source port number as well as a destination IP address
and destination port number. The IP address/port number
pair forms a socket. In particular, the source IP address
and source port number form the source socket.
For publicly accessible services such as web servers and
mail servers the port number is important. For example,
port 80 connects to the web server software and port 25 to
a mail servers SMTP daemon. The IP address of a public
server is also important, similar in global uniqueness to a
postal address or telephone number. Both IP address and
port number must be correctly known by all hosts wishing
to successfully communicate.
Private IP addresses as described in RFC 1918 are significant only on private networks where they are used, which
is also true for host ports. Ports are unique endpoints of
communication on a host, so a connection through the
NAT device is maintained by the combined mapping of
port and IP address.

3
entry in a translation table containing the internal
IP address, original source port, and the translated
source port. Subsequent packets from the same connection are translated to the same port number.
The computer receiving a packet that has undergone
NAT establishes a connection to the port and IP address specied in the altered packet, oblivious to
the fact that the supplied address is being translated
(analogous to using a post oce box number).
A packet coming from the external network is
mapped to a corresponding internal IP address and
port number from the translation table, replacing the
external IP address and port number in the incoming
packet header (similar to the translation from post
oce box number to street address). The packet
is then forwarded over the inside network. Otherwise, if the destination port number of the incoming packet is not found in the translation table, the
packet is dropped or rejected because the PAT device doesn't know where to send it.

PAT (Port Address Translation) resolves conicts that

would arise through two dierent hosts using the same NAT only translates IP addresses and ports of its internal
source port number to establish unique connections at the hosts, hiding the true endpoint of an internal host on a
same time.
private network.

3.2

Telephone number extension analogy

A NAT device is similar to a phone system at an oce

that has one public telephone number and multiple extensions. Outbound phone calls made from the oce all
appear to come from the same telephone number. However, an incoming call that does not specify an extension
cannot be transferred to an individual inside the oce. In
this scenario, the oce is a private LAN, the main phone
number is the public IP address, and the individual extensions are unique port numbers.[5]

3.3

Translation of the endpoint

3.4 Visibility of operation

NAT operation is typically transparent to both the internal
and external hosts.
Typically the internal host is aware of the true IP address
and TCP or UDP port of the external host. Typically the
NAT device may function as the default gateway for the
internal host. However the external host is only aware of
the public IP address for the NAT device and the particular port being used to communicate on behalf of a specic
internal host.

4 NAT and TCP/UDP

With NAT, all communications sent to external hosts actually contain the external IP address and port informa- Pure NAT, operating on IP alone, may or may not cortion of the NAT device instead of internal host IP ad- rectly parse protocols that are totally concerned with IP
information, such as ICMP, depending on whether the
dresses or port numbers.
payload is interpreted by a host on the inside or out When a computer on the private (internal) network side of translation. As soon as the protocol stack is trasends an IPv4 packet to the external network, the versed, even with such basic protocols as TCP and UDP,
NAT device replaces the internal IP address in the the protocols will break unless NAT takes action beyond
source eld of the packet header (senders address) the network layer.
with the external IP address of the NAT device.
PAT may then assign the connection a port number from a pool of available ports, inserting this port
number in the source port eld (much like the post
oce box number), and forwards the packet to the
external network. The NAT device then makes an

IP packets have a checksum in each packet header, which

provides error detection only for the header. IP datagrams
may become fragmented and it is necessary for a NAT to
reassemble these fragments to allow correct recalculation
of higher-level checksums and correct tracking of which
packets belong to which connection.

4
The major transport layer protocols, TCP and UDP, have
a checksum that covers all the data they carry, as well as
the TCP/UDP header, plus a pseudo-header that contains the source and destination IP addresses of the packet
carrying the TCP/UDP header. For an originating NAT
to pass TCP or UDP successfully, it must recompute the
TCP/UDP header checksum based on the translated IP
addresses, not the original ones, and put that checksum
into the TCP/UDP header of the rst packet of the fragmented set of packets. The receiving NAT must recompute the IP checksum on every packet it passes to the
destination host, and also recognize and recompute the
TCP/UDP header using the retranslated addresses and
pseudo-header. This is not a completely solved problem.
One solution is for the receiving NAT to reassemble the
entire segment and then recompute a checksum calculated across all packets.

8 NAT LOOPBACK
Microsoft Windows Server. It provides connection tracking and ltering for the additional network connections
needed for the FTP, ICMP, H.323, and PPTP protocols
as well as the ability to congure a transparent HTTP
proxy server.

7 Dynamic network address translation

Dynamic NAT, just like static NAT, is not common in

smaller networks but is found within larger corporations
with complex networks. The way dynamic NAT diers
from static NAT is that where static NAT provides a oneto-one internal to public static IP address mapping, dynamic NAT doesn't make the mapping to the public IP
The originating host may perform Maximum transmis- address static and usually uses a group of available public
sion unit (MTU) path discovery to determine the packet IP addresses.
size that can be transmitted without fragmentation, and
then set the don't fragment (DF) bit in the appropriate
8 NAT loopback
packet header eld.
NAT loopback, also known as NAT hairpinning or NAT reection,[6] is a feature in many consumer routers[7] which
5 DNAT
allows a user to connect to his/her own public IP address
Destination network address translation (DNAT) is a from inside the LAN. This is especially useful when, for
technique for transparently changing the destination IP example, a website is hosted at that IP address. The foladdress of an end route packet and performing the inverse lowing describes an example network:
function for any replies. Any router situated between two
Public address: 203.0.113.1 (this is the address of
endpoints can perform this transformation of the packet.
the WAN interface on the router)
DNAT is commonly used to publish a service located in a
private network on a publicly accessible IP address. This
Internal address of router: 192.168.1.1
use of DNAT is also called port forwarding, or DMZ
Address of the server: 192.168.1.2
when used on an entire server, which becomes exposed
to the WAN, becoming analogous to an undefended mil Address of a computer: 192.168.100.1
itary demilitarised zone (DMZ).
If a packet is sent to the public address (203.0.113.1)
by a computer at 192.168.100.1, the packet would nor6 SNAT
mally be routed to the default gateway (the router), unless an explicit route is set in the computers routing taThe meaning of the term SNAT varies by vendor. Many bles. A router with the NAT loopback feature detects
vendors have proprietary denitions for SNAT:
that 203.0.113.1 is the address of its WAN interface, and
treats the packet as if coming from that interface. It de source NAT is the common expansion, as the coun- cides based on DNAT (port forwarding) rules on the destination for the packet. For example, if the data were sent
terpart of destination NAT (DNAT)
to port 80 and there is a DNAT rule for port 80 directed
stateful NAT is used by Cisco Systems
to 192.168.1.2, then the host at that address will receive
the packet.
static NAT is used by WatchGuard
If no applicable DNAT rules are available, the routers
secure NAT is used by F5 Networks and by Mi- rewall drops the packet. An ICMP Destination Uncrosoft (in regard to the ISA Server)
reachable reply may be sent. If any DNAT rules were
present, address translation is still in eect; the router still
Microsofts Secure network address translation (SNAT) rewrites the source IP address in the packet. The comis part of Microsofts Internet Security and Acceleration puter (192.168.100.1) sends the packet as coming from
Server and is an extension to the NAT driver built into 192.168.100.1, but the server (192.168.1.2) receives it

5
as coming from 203.0.113.1. When the server replies the
process is identical as for an external sender. Thus, twoway communication is possible between hosts inside the
LAN network via their public IP address.

pler, more widely understood, and more compatible with

legacy NATs. In either case, the high level protocol must
be designed with NAT traversal in mind, and it does not
work reliably across symmetric NATs or other poorly beNAT loopback is especially useful when the server hosts a haved legacy NATs.
domain name that resolves to a public address. When the Other possibilities are UPnP Internet Gateway Device
router does not perform NAT loopback, any connection Protocol, NAT-PMP (NAT Port Mapping Protocol), or
attempts to that IP address fail.
Port Control Protocol (PCP),[9] but these require the
NAT device to implement that protocol.

8.1

NAT in IPv6

Most traditional client-server protocols (FTP being the

main exception), however, do not send layer 3 contact information and therefore do not require any special treatment by NATs. In fact, avoiding NAT complications
is practically a requirement when designing new higherlayer protocols today (e.g. the use of SFTP instead of
FTP).

Network address translation is not commonly used in

IPv6 as one of its aims is to restore true host-to-host
connectivity,[8] NAT loopback is not commonly needed.
Although still possible, the large addressing space of IPv6
obviates the need to conserve addresses and every device
can be given a unique globally routable address. NAT NATs can also cause problems where IPsec encryption is
loopback, when implemented, works as in IPv4.
applied and in cases where multiple devices such as SIP
phones are located behind a NAT. Phones which encrypt
their signaling with IPsec encapsulate the port information within an encrypted packet, meaning that NA(P)T
9 Applications aected by NAT
devices cannot access and translate the port. In these
cases the NA(P)T devices revert to simple NAT operaSome Application Layer protocols (such as FTP and SIP)
tion. This means that all trac returning to the NAT is
send explicit network addresses within their application
mapped onto one client causing service to more than one
data. FTP in active mode, for example, uses separate
client behind the NAT to fail. There are a couple of soconnections for control trac (commands) and for data
lutions to this problem: one is to use TLS, which operates
trac (le contents). When requesting a le transfer, the
at level 4 in the OSI Reference Model and therefore does
host making the request identies the corresponding data
not mask the port number; another is to encapsulate the
connection by its network layer and transport layer adIPsec within UDP - the latter being the solution chosen
dresses. If the host making the request lies behind a simby TISPAN to achieve secure NAT traversal, or a NAT
ple NAT rewall, the translation of the IP address and/or
with IPsec Passthru support.
TCP port number makes the information received by the
server invalid. The Session Initiation Protocol (SIP) con- Interactive Connectivity Establishment is a NAT traversal
trols many Voice over IP (VoIP) calls, and suers the technique which does not rely on ALG support.
same problem. SIP and SDP may use multiple ports to The DNS protocol vulnerability announced by Dan
set up a connection and transmit voice stream via RTP. IP Kaminsky on July 8, 2008 is indirectly aected by NAT
addresses and port numbers are encoded in the payload port mapping. To avoid DNS server cache poisoning,
data and must be known prior to the traversal of NATs. it is highly desirable not to translate UDP source port
Without special techniques, such as STUN, NAT behav- numbers of outgoing DNS requests from a DNS server
ior is unpredictable and communications may fail.
which is behind a rewall that implements NAT. The
Application Layer Gateway (ALG) software or hardware
may correct these problems. An ALG software module
running on a NAT rewall device updates any payload
data made invalid by address translation. ALGs obviously need to understand the higher-layer protocol that
they need to x, and so each protocol with this problem
requires a separate ALG. For example, on many Linux
systems, there are kernel modules called connection trackers which serve to implement ALGs. However, ALG
does not work if the control channel is encrypted (e.g.
FTPS).

recommended work-around for the DNS vulnerability is

to make all caching DNS servers use randomized UDP
source ports. If the NAT function de-randomizes the
UDP source ports, the DNS server becomes vulnerable.

10 Port address translation

Port address translation (PAT) allows many internal hosts

to share a single external IP address. Users who do not
Another possible solution to this problem is to use NAT require support for inbound connections do not consume
traversal techniques using protocols such as STUN or public IP addresses.
ICE, or proprietary approaches in a session border con- The primary purpose of IP-masquerading NAT is that it
troller. NAT traversal is possible in both TCP- and UDP- has been a practical solution to the impending exhaustion
based applications, but the UDP-based technique is sim- of the IPv4 address space. Even large networks can be

10 PORT ADDRESS TRANSLATION

connected to the Internet with a single IP address. The to-end connectivity, in violation of the core principles of
more common arrangement is having computers that re- the Internet as laid out by the Internet Architecture Board.
quire end-to-end connectivity supplied with a routable IP
address, while having others that do not provide services
Scalability - An implementation that only tracks
to outside users behind NAT with only a few IP addresses
ports can be quickly depleted by internal appliused to enable Internet access.
cations that use multiple simultaneous connections
(such as an HTTP request for a web page with many
[10]
Some have also called this exact feature a major drawembedded objects). This problem can be mitigated
back, since it delays the need for the implementation of
by tracking the destination IP address in addition
IPv6:
to the port (thus sharing a single local port with
many remote hosts), at the expense of implementa"[...]
it is possible that its [NATs]
tion complexity and CPU/memory resources of the
widespread use will signicantly delay the need
translation device.
to deploy IPv6. [...] It is probably safe to say
Firewall complexity - Because the internal addresses
that networks would be better o without NAT
are all disguised behind one publicly accessible ad[...]"
dress, it is impossible for external hosts to initiate a connection to a particular internal host withHosts behind NAT-enabled routers do not have end-toout special conguration on the rewall to forward
end connectivity and cannot participate in some Internet
connections to a particular port. Applications such
protocols. Services that require the initiation of TCP conas VOIP, videoconferencing, and other peer-to-peer
nections from the outside network, or stateless protocols
applications must use NAT traversal techniques to
such as those using UDP, can be disrupted. Unless the
function.
NAT router makes a specic eort to support such protocols, incoming packets cannot reach their destination. IEEE[13] Reverse Address and Port Translation (RAPT,
Some protocols can accommodate one instance of NAT or RAT) allows a host whose real IP address is changbetween participating hosts (passive mode FTP, for ex- ing from time to time to remain reachable as a server via
ample), sometimes with the assistance of an application- a xed home IP address. In principle, this should allow
level gateway (see below), but fail when both systems are setting up servers on DHCP-run networks. While not a
separated from the Internet by NAT. Use of NAT also perfect mobility solution, RAPT together with upcoming
complicates tunneling protocols such as IPsec because protocols like DHCP-DDNS, it may end up becoming anNAT modies values in the headers which interfere with other useful tool in the network admins arsenal.
the integrity checks done by IPsec and other tunneling
Cisco RAPT implementation is port address translation
protocols.
(PAT) or NAT overloading, and maps multiple private
End-to-end connectivity has been a core principle of the IP addresses to a single public IP address. Multiple adInternet, supported for example by the Internet Archi- dresses can be mapped to a single address because each
tecture Board. Current Internet architectural documents private address is tracked by a port number. PAT uses
observe that NAT is a violation of the End-to-End Prinunique source port numbers on the inside global IP adciple, but that NAT does have a valid role in careful dress to distinguish between translations. The port numdesign.[11] There is considerably more concern with the
ber are 16-bit integers. The total number of internal
use of IPv6 NAT, and many IPv6 architects believe IPv6 addresses that can be translated to one external address
was intended to remove the need for NAT.[12]
could theoretically be as high as 65,536 per IP address.
Because of the short-lived nature of the stateful trans- Realistically, the number of ports that can be assigned a
lation tables in NAT routers, devices on the inter- single IP address is around 4000. PAT attempts to prenal network lose IP connectivity typically within a serve the original source port. If this source port is alvery short period of time unless they implement NAT ready used, PAT assigns the rst available port number
keep-alive mechanisms by frequently accessing outside starting from the beginning of the appropriate port group
hosts. This dramatically shortens the power reserves 0-511, 512-1023, or 1024-65535. When there are no
on battery-operated hand-held devices and has thwarted more ports available and there is more than one extermore widespread deployment of such IP-native Internet- nal IP address congured, PAT moves to the next IP adenabled devices.
dress to try to allocate the original source port again. This
Some Internet service providers (ISPs), especially in process continues until it runs out of available ports and
India, Russia, parts of Asia and other developing re- external IP addresses.
gions provide their customers only with local IP addresses, due to a limited number of external IP addresses
allocated to those entities. Thus, these customers must
access services external to the ISPs network through
NAT. As a result, the customers cannot achieve true end-

Mapping of Address and Port is a Cisco proposal which

combines A+P port address translation with tunneling of
the IPv4 packets over an ISP providers internal IPv6 network. In eect, it is an (almost) stateless alternative to
Carrier Grade NAT and DS-Lite that pushes the IPv4 IP

7
address/port translation function (and therefore the maintenance of NAT state) entirely into the existing customer
premises equipment NAT implementation. thus avoiding
the NAT444 and statefulness problems of Carrier Grade
NAT, and also provides a transition mechanism for the
deployment of native IPv6 at the same time with very little added complexity.

11

Examples of NAT software

Internet Connection Sharing (ICS): NAT & DHCP

implementation included with Windows desktop operating systems
IPFilter: included with (Open)Solaris, FreeBSD
and NetBSD, available for many other Unix-like operating systems

13 References
[1] Network Protocols Handbook (2 ed.). Javvin Technologies
Inc. 2005. p. 27. ISBN 9780974094526. Retrieved
2014-09-16. Network Address Translation (Basic NAT)
is a method by which IP addresses are mapped from one
group to another, transparent to end users.
[2] Franois Audet; and Cullen Jennings (January 2007).
RFC 4787 Network Address Translation (NAT) Behavioral Requirements for Unicast UDP (text). IETF. Retrieved 2007-08-29.
[3] Characterization and Measurement of TCP Traversal
through NATs and Firewalls. December 2006.
[4] Illuminating the shadows: Opportunistic network and
web measurement. December 2006.
[5] The Audio over IP Instant Expert Guide. Tieline. January 2010. Retrieved 2011-08-19.
[6] superuser.com

iprewall (ipfw): FreeBSD-native packet lter

Netlter with iptables/nftables: the Linux packet lter
NPF: NetBSD-native Packet Filter
PF: OpenBSD-native Packet Filter
Routing and Remote Access Service: routing implementation included with Windows Server operating
systems
WinGate: third-party routing implementation for
Windows

12

See also

AYIYA (IPv6 over IPv4 UDP thus working IPv6

tunneling over most NATs)
Gateway (telecommunications)
Internet Gateway Device Protocol (IGD) Protocol:
UPnP NAT-traversal method
Middlebox

[7] NAT Loopback Routers - OpenSim. Opensimulator.org. 2013-10-21. Retrieved 2014-02-21.

[8] Iljitsch van Beijnum (2008-07-23). After staunch resistance, NAT may come to IPv6 after all. Ars Technica.
Retrieved 2014-04-24.
[9] RFC 6887, Port Control Protocol (PCP), Wing, Cheshire,
Boucadair, Penno & Selkirk (April 2013)
[10] Larry L. Peterson; and Bruce S. Davie; Computer Networks: A Systems Approach, Morgan Kaufmann, 2003,
pp. 328-330, ISBN 1-55860-832-X
[11] R. Bush; and D. Meyer; RFC 3439, Some Internet Architectural Guidelines and Philosophy, December 2002
[12] G. Van de Velde et al.; RFC 4864, Local Network Protection for IPv6, May 2007
[13] ieeexplore.ieee.org

14 External links
NAT-Traversal Test and results
Characterization of dierent TCP NATs Paper
discussing the dierent types of NAT
Anatomy: A Look Inside Network Address Translators Volume 7, Issue 3, September 2004

Port triggering

Je Tyson, HowStuWorks: How Network Address

Translation Works

Subnetwork

Routing with NAT (Part of the documentation for

the IBM iSeries)

TCP and UDP port

How NAT Works Cisco Systems

Teredo tunneling: NAT traversal using IPv6

15

15
15.1

TEXT AND IMAGE SOURCES, CONTRIBUTORS, AND LICENSES

Text and image sources, contributors, and licenses

Text

Network address translation Source: http://en.wikipedia.org/wiki/Network%20address%20translation?oldid=639630822 Contributors:

Magnus Manske, WojPob, Brion VIBBER, Mav, Zundark, The Anome, Ap, Gareth Owen, Aldie, PierreAbbat, Deb, Mintguy, Twilsonb,
Edward, Nealmcb, Oystein, Nixdorf, TakuyaMurata, Karada, CruciedChrist, (, Pde, Goatasaur, CesarB, Copsewood, Angela, Glenn,
Phenry, Tristanb, JidGom, Vanished user 5zariu3jisj0j4irj, Dcoetzee, Dysprosia, Wernher, Bevo, Joy, Robbot, Kristof vt, RedWolf, Nurg,
Kwi, Nilmerg, Ashwin, Jondel, Wikibot, Tobias Bergemann, Giftlite, Wolfkeeper, Alex.atkins, Everyking, Gracefool, Rchandra, AlistairMcMillan, Just Another Dan, Tagishsimon, Edcolins, Golbez, Chowbok, SoWhy, LiDaobing, Beland, Robert Brockway, The Inedible
Bulk, Quarl, Icairns, Urhixidur, Bbpen, Zondor, SimonEast, JTN, Discospinster, Pmsyyz, Indrian, Plugwash, Brynosaurus, Tverbeek, Simon South, Alex.zeertt, Smalljim, Guiltyspark, Giraedata, Cheung1303, Daf, MARQUIS111, Wrs1864, Helix84, Shirimasen, Nazli,
Alansohn, Gary, Cbarbry, DiGiT, CyberSkull, Droob, Andrewpmk, Lightdarkness, Rabarberski, Rick Sidwell, Cburnett, Stephan Leeds,
Evil Monkey, Kenyon, Simetrical, Woohookitty, Mindmatrix, Eolsson, Eddy264, Kzollman, Pol098, MarcoTolo, Mandarax, Graham87,
Taestell, Kbdank71, Josh Parris, Pdelong, Zbxgscqf, Syndicate, DeadlyAssassin, SMC, Aapo Laitinen, FlaBot, Crazycomputers, Garyvdm,
DevastatorIIC, Fresheneesz, YurikBot, Wavelength, Hairy Dude, SLATE, RussBot, Sideswipe091976, Jengelh, Hydrargyrum, Stephenb,
Manop, Cate, Lavenderbunny, Wiki alf, Joshf, ArsniureDeGallium, Jpbowen, Misza13, Zwobot, Mditto, BOT-Superzerocool, Bota47,
Pash, Robot Monk, MarkBrooks, Dspradau, Maltest, Aelantha, Cotoco, Leuk he, SaulPerdomo, Jsnx, SmackBot, Eskimbot, Gilliam, Winterheart, KD5TVI, Bluebot, Wolf0403, Para, Gracenotes, Benoit rigaut, Daveg1k, Jonshea, JonHarder, Rrburke, Gabi S., Valenciano, PPBlais, Ryan Roos, Sbmehta, Ksn, Drumzandspace2000, SpyMagician, JHunterJ, Hovden, Peyre, Kvng, Keycard, Karstbj, Andrew Hampe,
Ergy, CmdrObot, Ivan Pozdeev, Imcdnzl, Pmussler, Altrn8r, Equendil, Phatom87, Cydebot, Mblumber, UncleBubba, Philbert2.71828,
Slackerhobo, Christian75, Jan Kunder, Thijs!bot, Drpixie, Hcberkowitz, Ajo Mama, Dawnseeker2000, Jtmoon, AntiVandalBot, Widefox,
Rohitthakral, Tylerbot, D235, Mercury543210, JAnDbot, Mallow40, Barek, MER-C, LittleOldMe, VoABot II, Nyttend, Balajisarathi,
Kgeischmann, Jez9999, CommonsDelinker, Oalbacha, Felipe1982, J.delanoy, Fenix*NBK*, Svetovid, EH74DK, DanielEng, Naniwako,
Sollosonic, WithGLEE, Ross Fraser, Xpanzion, Alan U. Kennington, Psychocim, Asymmetric, TXiKiBoT, A4bot, Rei-bot, VanishingUser, Rushtoshankar, Alex Smotrov, M gol, Mannafredo, Ramsey585, Wolfrock, SQL, Truthanado, Daveofthenewcity, YordanGeorgiev,
Pjoef, Michael Frind, Demize, Kbrose, SieBot, Nubiatech, Tresiden, Tiddly Tom, ToePeu.bot, Althena, Quest for Truth, Philadams,
Steven Zhang, Ivan.Lt, Mygerardromance, Pinkadelica, Church, ClueBot, SalineBrain, GorillaWarfare, Jan1nad, Siipikarja, Niceguyedc,
Sujirou, Nat32support, Gandaliter, Yk4ever, Steelmans1980, Excirial, Sun Creator, Shiro jdn, LobStoR, Aitias, Zhlmmc, Johnuniq, SF007,
XLinkBot, SilvonenBot, Dgtsyb, HarlandQPitt, Shahid789, Alexhixon, Dsimic, Iranway, Addbot, Tsunanet, Grimmfarmer, Moosehadley,
CarsracBot, Jasper Deng, Tide rolls, Lightbot, Teles, Legobot, Luckas-bot, DisillusionedBitterAndKnackered, Crispmuncher, AnomieBOT,
AmritasyaPutra, Rubinbot, Gtz, Jim1138, Piano non troppo, Ulric1313, Aneah, Harrymcfogs, ArthurBot, Xqbot, Renaissancee, Jhbdel,
Damienivan, Cybjit, TonyHagale, Andersenman, Marchash, JonDePlume, Mmmeg, Guitargod2323, FrescoBot, Murjek, Jonathansuh,
Andrewriddell2, Aawc, Jokerspuppet, Laserbrian, MastiBot, Jandalhandler, FoxBot, DixonDBot, DARTH SIDIOUS 2, EmausBot, John
of Reading, Racerx11, Xmm0, Tommy2010, Alexisabarca, Wikipelli, Venkata.nikhil.muppaneni, Seikku Kaita, HiW-Bot, ZroBot, Zap
Rowsdower, Cf. Hay, Bos-Herz edit acct, Danwing, ClueBot NG, Nimiew, MelbourneStar, Wimblykit, Widr, Lspo99, Profchakraborty
iitkanpur, BG19bot, SimonSellick, Nkansahrexford, Twasono, Cpartsenidis, Lucb1e, Rob.bosch, WorldTechIT, Ferdusy, NewbiePedant,
Hrbm14, Mpb2, Amortias, Dai Pritchard, EvilLair and Anonymous: 513

15.2

Images

File:Bus_icon.svg Source: http://upload.wikimedia.org/wikipedia/commons/c/ca/Bus_icon.svg License: Public domain Contributors: ?

Original artist: ?
File:Edit-clear.svg Source: http://upload.wikimedia.org/wikipedia/en/f/f2/Edit-clear.svg License: Public domain Contributors: The
Tango! Desktop Project. Original artist:
The people from the Tango! project. And according to the meta-data in the le, specically: Andreas Nilsson, and Jakub Steiner (although
minimally).
File:Full_Cone_NAT.svg Source: http://upload.wikimedia.org/wikipedia/commons/4/44/Full_Cone_NAT.svg License: CC-BY-SA-3.0
Contributors: Own work Original artist: Christoph Sommer
File:Port_Restricted_Cone_NAT.svg Source: http://upload.wikimedia.org/wikipedia/commons/c/c2/Port_Restricted_Cone_NAT.svg
License: CC-BY-SA-3.0 Contributors: Own work Original artist: Christoph Sommer
File:Restricted_Cone_NAT.svg Source: http://upload.wikimedia.org/wikipedia/commons/3/3c/Restricted_Cone_NAT.svg License:
CC-BY-SA-3.0 Contributors: Own work Original artist: Christoph Sommer
File:Symmetric_NAT.svg Source: http://upload.wikimedia.org/wikipedia/commons/7/73/Symmetric_NAT.svg License: CC-BY-SA3.0 Contributors: Own work Original artist: Christoph Sommer

15.3

Content license

Creative Commons Attribution-Share Alike 3.0