Network Address Translation (NAT) can be used for a number of purposes:
- To make better use of the increasingly scarce IPv4 addresses
- To couple networks that use the same (private) address ranges
- To create unique addresses for network management
The first application uses N:1 NAT, also known as IP masquerading. In this case, all addresses ("N") on the local network are mapped to a single ("1") public address. Incoming data streams are assigned unambiguously to the correct internal computers by means of the port numbers used by the TCP and UDP protocols. This is why the technique is also known as NAT/PAT (Network Address Translation/Port Address Translation).
Since N:1 masquerading uses dynamic port translation, it can only be used for connections that originate inside the internal network. Exception: an internal IP address is statically exposed on a specific port, e.g. to make a server in the LAN accessible from the outside. This procedure is called "inverse masquerading" or port forwarding.
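The following is an added example that models the N:1 behaviour described above; it is not code from the original document or from any router firmware. The gateway address, the internal hosts and the single port-forwarding entry are constructed values. It shows why two internal hosts can reuse the same source port behind one public address, why a reply to an internally opened connection finds its way back, and why an unsolicited inbound packet is dropped unless a static port-forwarding entry exists for it.

```python
"""Minimal model of N:1 NAT with port translation (NAT/PAT).

Added example for illustration only; addresses, ports and the
port-forwarding entry below are constructed, not taken from a real device.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PUBLIC_IP = "203.0.113.10"  # constructed public address of the gateway

# Static exposure ("inverse masquerading"): public TCP port 8080 is handed to
# the constructed internal web server 192.168.1.20 on port 80.
FORWARD_TABLE: Dict[Tuple[str, int], Tuple[str, int]] = {
    ("tcp", 8080): ("192.168.1.20", 80),
}


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Masquerader:
    """Maps every internal (src_ip, src_port) pair onto PUBLIC_IP:<unique port>."""

    def __init__(self, first_port: int = 40000):
        self._next_port = first_port
        # (proto, src_ip, src_port, dst_ip, dst_port) -> allocated public port
        self._out: Dict[Tuple[str, str, int, str, int], int] = {}
        # (proto, public_port, remote_ip, remote_port) -> (src_ip, src_port)
        self._in: Dict[Tuple[str, int, str, int], Tuple[str, int]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite the source of a LAN packet to the public address and a unique port."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self._out.get(key)
        if port is None:
            # New connection: allocate a fresh public port and record both directions.
            port = self._next_port
            self._next_port += 1
            self._out[key] = port
            self._in[(pkt.proto, port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(pkt.proto, PUBLIC_IP, port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite the destination of a packet arriving at PUBLIC_IP, or drop it."""
        # Reply to a connection opened from inside: reverse the dynamic mapping.
        internal = self._in.get((pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port))
        if internal is not None:
            return Packet(pkt.proto, pkt.src_ip, pkt.src_port, internal[0], internal[1])
        # Inverse masquerading: a statically exposed port.
        fwd = FORWARD_TABLE.get((pkt.proto, pkt.dst_port))
        if fwd is not None:
            return Packet(pkt.proto, pkt.src_ip, pkt.src_port, fwd[0], fwd[1])
        # Unsolicited packet with no table entry: there is no internal target, drop it.
        return None


if __name__ == "__main__":
    nat = Masquerader()
    a = nat.outbound(Packet("tcp", "192.168.1.10", 5000, "198.51.100.5", 443))
    b = nat.outbound(Packet("tcp", "192.168.1.11", 5000, "198.51.100.5", 443))
    print("host A leaves as", a.src_ip, a.src_port)
    print("host B leaves as", b.src_ip, b.src_port)
    print("reply for A goes to", nat.inbound(Packet("tcp", "198.51.100.5", 443, PUBLIC_IP, a.src_port)))
    print("unsolicited 443 ->", nat.inbound(Packet("tcp", "198.51.100.99", 12345, PUBLIC_IP, 443)))
    print("forwarded 8080 ->", nat.inbound(Packet("tcp", "198.51.100.99", 12345, PUBLIC_IP, 8080)))
```

Both internal hosts use source port 5000, yet they leave the gateway on distinct public ports, which is the "PAT" part of NAT/PAT. The inbound path only succeeds when a dynamic entry (created by an outbound packet) or a static forwarding entry exists, which is exactly the restriction to internally originated connections stated above.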
An N:N mapping is used to connect networks with the same address ranges. It translates several IP addresses ("N") from the local network explicitly into the same number ("N") of IP addresses in another network, so that the two sides no longer overlap. This translation prevents address conflicts.
The rules for address translation are defined in a static table in the device. This involves specifying new IP addresses for individual LAN devices, for subnets or for the whole LAN; the devices then use these addresses when communicating with other networks.
Some protocols (e.g. FTP) exchange address and port parameters during the protocol negotiation, and these parameters influence the address translation undertaken by the N:N mapping. For these protocols, the firewall stores the relevant connection information in a dynamic table. These entries are used in combination with those in the static table to implement address translation correctly.
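As an added example covering the N:N mapping, the static table and the dynamic table of the three paragraphs above (not code from the original document or from any particular firewall), the model below maps a constructed local network 192.168.1.0/24 onto 10.1.1.0/24 with a single-host override, and shows why FTP needs the dynamic table: the client's real address travels inside the FTP PORT command, so the firewall has to rewrite that payload and remember the expected data connection. The networks, the override and the FTP command are constructed values, and the PORT handling is a deliberately simplified stand-in for a real FTP helper.

```python
"""Model of N:N address mapping with a static rule table plus a dynamic table.

Added example for illustration; the networks, rules and the FTP exchange are
constructed, not taken from a real configuration.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Static table: (local network, translated network). Longest prefix wins, so the
# single-host entry overrides the subnet entry for 192.168.1.50 only.
STATIC_TABLE: List[Tuple[str, str]] = [
    ("192.168.1.0/24", "10.1.1.0/24"),   # whole LAN appears as 10.1.1.x
    ("192.168.1.50/32", "10.1.2.50/32"), # one server gets its own address
]

# Active-mode FTP: "PORT h1,h2,h3,h4,p1,p2" carries the client's own address
# and the data port (p1*256 + p2) inside the control connection.
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")


class NNMapper:
    def __init__(self, rules: List[Tuple[str, str]]):
        nets = [(ipaddress.ip_network(a), ipaddress.ip_network(b)) for a, b in rules]
        for local_net, mapped_net in nets:
            # An N:N rule must pair networks of equal size, otherwise the offset
            # arithmetic below would leave addresses without a counterpart.
            if local_net.prefixlen != mapped_net.prefixlen:
                raise ValueError("N:N rule must map networks of equal size")
        # Most specific rule first, so a host override beats its enclosing subnet.
        self.rules = sorted(nets, key=lambda r: r[0].prefixlen, reverse=True)
        # Dynamic table: (translated_ip, port) -> (local_ip, port), filled from
        # protocol negotiation and consumed when the expected connection arrives.
        self.dynamic: Dict[Tuple[str, int], Tuple[str, int]] = {}

    @staticmethod
    def _shift(addr: str, src_net, dst_net) -> Optional[str]:
        """Move addr from src_net to the address with the same offset in dst_net."""
        ip = ipaddress.ip_address(addr)
        if ip not in src_net:
            return None
        offset = int(ip) - int(src_net.network_address)
        return str(dst_net.network_address + offset)

    def translate_out(self, local_ip: str) -> str:
        """Local address -> address seen by the partner network (no rule: unchanged)."""
        for local_net, mapped_net in self.rules:
            mapped = self._shift(local_ip, local_net, mapped_net)
            if mapped is not None:
                return mapped
        return local_ip

    def translate_in(self, mapped_ip: str) -> str:
        """Address used by the partner network -> real local address."""
        for local_net, mapped_net in self.rules:
            local = self._shift(mapped_ip, mapped_net, local_net)
            if local is not None:
                return local
        return mapped_ip

    def rewrite_ftp_port(self, payload: str) -> str:
        """Rewrite a PORT command on an outbound control connection.

        The address inside the payload is translated like a packet header, and
        the announced data port is entered into the dynamic table so the server's
        incoming data connection can be matched to the real client.
        """
        m = PORT_RE.match(payload)
        if not m:
            return payload  # any other FTP command passes through untouched
        parts = m.groups()
        local_ip = ".".join(parts[:4])
        data_port = int(parts[4]) * 256 + int(parts[5])
        mapped_ip = self.translate_out(local_ip)
        self.dynamic[(mapped_ip, data_port)] = (local_ip, data_port)
        return "PORT %s,%s,%s\r\n" % (mapped_ip.replace(".", ","), parts[4], parts[5])

    def inbound(self, dst_ip: str, dst_port: int) -> Tuple[str, int]:
        """Resolve an incoming connection: dynamic table first, then the static table."""
        entry = self.dynamic.pop((dst_ip, dst_port), None)
        if entry is not None:
            return entry
        return (self.translate_in(dst_ip), dst_port)


if __name__ == "__main__":
    mapper = NNMapper(STATIC_TABLE)
    print("192.168.1.10 ->", mapper.translate_out("192.168.1.10"))
    print("192.168.1.50 ->", mapper.translate_out("192.168.1.50"))
    print(mapper.rewrite_ftp_port("PORT 192,168,1,10,19,137\r\n").strip())
    print("data connection to 10.1.1.10:5001 ->", mapper.inbound("10.1.1.10", 5001))
```

Without the dynamic entry, the FTP server would open its data connection to the address announced in the PORT command; if that command still carried 192.168.1.10, the connection would go to the partner network's own 192.168.1.10 instead of crossing the mapping. The static table alone cannot catch this because the address sits in the payload, not in the IP header.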