
Network Address Translation (NAT), defined in RFC 1631, operates in Layer 3 forwarding
devices to provide address simplification and conservation. The most common use of NAT is to
connect networks using private RFC 1918 network addresses to the public Internet. NAT
translates the private addresses that are used in the internal network into public addresses that
can be routed across the Internet. As part of this functionality, you can configure NAT to use
only one address for the entire network to the outside world. Using only one address effectively
hides the internal network, thus providing additional security. Understanding NAT operations
helps the security analyst better understand adversary operations against the network devices and
analyze output logs generated by these devices.

Multiple device types can be configured to perform NAT services. Although firewalls are most
common, routers and some Layer 3 switches are also capable of deploying this service.

Cisco defines the following list of NAT terms:

- Inside local address: The IPv4 address that is assigned to a host on the inside network.
The inside local address is likely to be one that falls within the RFC 1918 reserved
private IPv4 address spaces.
- Inside global address: A globally routable IPv4 address that represents one or more
inside local IPv4 addresses to the outside world.
- Outside local address: The IPv4 address of an outside host as it appears to the inside
network. Not necessarily a public address, the outside local address is allocated from a
routable address space.
- Outside global address: The IPv4 address that is assigned to a host on the outside
network by the host owner. The outside global address is allocated from a globally
routable address or network space.

NAT offers the following benefits:

- Eliminates the need to readdress all hosts that require external access, saving time and
money.
- Conserves addresses through application port-level multiplexing. With NAT, internal
hosts can share a single registered IPv4 address for all external communications. In this
type of configuration, relatively few external addresses are required to support many
internal hosts, thus conserving IPv4 addresses.

The figure above illustrates a firewall that is translating the source address as the packet is
forwarded from inside to outside, and reversing the translation on the reply that returns. The
steps that are taken are as follows:

1. Host 10.10.10.11 sends a packet to Host B.
2. The router receives the packet and checks its NAT table. It finds an entry to translate
10.10.10.11 to 203.0.113.2. If there were no entry in the table, the router would check the
NAT rules to see if there is a rule specifying a dynamic translation. If there were such a
rule, a new entry would be created.
3. The router replaces the inside local address 10.10.10.11 with the inside global address
203.0.113.2 and forwards the packet.
4. Host B receives the packet with 203.0.113.2 as the source address. When Host B replies,
it specifies 203.0.113.2 as the destination address.
5. When the router receives the reply packet and checks its NAT table, it finds the entry that
is associated with the inside global IPv4 address 203.0.113.2.
6. The router replaces the inside global address 203.0.113.2 with the inside local address
10.10.10.11 and forwards the packet.
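The six-step flow above, together with the port-level multiplexing mentioned under the benefits, as an added Python example that is not part of the course text or of any Cisco product: a toy NAT device with a translation table, static mappings, dynamic rules that create entries from an address pool, reverse lookup on the reply, and an overload mode that goes beyond the address-only walkthrough by letting many inside hosts share one inside global address. The class and method names, the address for Host B (198.51.100.7), the pool addresses, and the port numbers are constructed for the example; only 10.10.10.11 and 203.0.113.2 come from the walkthrough.

```python
"""Toy NAT-table simulator (added example, not from the course text).

Models the walkthrough above: table lookup, dynamic entry creation from a
rule when no entry exists, and reverse lookup on the reply. The overload
flag adds port-level multiplexing (many inside hosts behind one inside
global address). All addresses, pools and ports are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    src_port: int
    dst_port: int


Key = Tuple[str, Optional[int]]  # (address, port); port is None unless overloading


class NatDevice:
    def __init__(self, overload: bool = False) -> None:
        self.overload = overload
        self.static: Dict[str, str] = {}                      # inside local -> inside global
        self.rules: List[Tuple[IPv4Network, List[str]]] = []  # (inside network, address pool)
        self.table: Dict[Key, Key] = {}                       # inside local -> inside global
        self.reverse: Dict[Key, Key] = {}                     # inside global -> inside local
        self.events: List[str] = []                           # log-style trace for the analyst
        self._next_port = 1024                                # next translated port (overload only)

    def add_static(self, inside_local: str, inside_global: str) -> None:
        self.static[inside_local] = inside_global

    def add_dynamic_rule(self, inside_net: str, pool: List[str]) -> None:
        self.rules.append((ip_network(inside_net), list(pool)))

    def _key(self, addr: str, port: int) -> Key:
        return (addr, port) if self.overload else (addr, None)

    def _create_entry(self, local: Key) -> Optional[Key]:
        """Step 2, no entry yet: consult static mappings, then dynamic rules."""
        inside_local, _ = local
        inside_global = self.static.get(inside_local)
        if inside_global is None:
            for net, pool in self.rules:
                if ip_address(inside_local) in net and pool:
                    # Without overload each pool address serves one host and is consumed;
                    # with overload the single address is reused and the port tells hosts apart.
                    inside_global = pool[0] if self.overload else pool.pop(0)
                    break
        if inside_global is None:
            return None
        port = None
        if self.overload:
            port = self._next_port
            self._next_port += 1
        entry = (inside_global, port)
        self.table[local] = entry
        self.reverse[entry] = local
        self.events.append(f"created translation {local} -> {entry}")
        return entry

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Steps 2-3: rewrite the inside local source to the inside global address."""
        local = self._key(pkt.src, pkt.src_port)
        entry = self.table.get(local)
        if entry is None:
            entry = self._create_entry(local)
        if entry is None:
            self.events.append(f"no translation for {pkt.src}; dropped")
            return None
        inside_global, gport = entry
        return Packet(inside_global, pkt.dst,
                      gport if gport is not None else pkt.src_port, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Steps 5-6: look up the reply's destination (an inside global address)."""
        entry = self._key(pkt.dst, pkt.dst_port)
        local = self.reverse.get(entry)
        if local is None:
            # No matching translation: the inside network stays hidden from
            # unsolicited traffic, which is the security benefit the text mentions.
            self.events.append(f"unsolicited packet to {pkt.dst}:{pkt.dst_port}; dropped")
            return None
        inside_local, lport = local
        return Packet(pkt.src, inside_local, pkt.src_port,
                      lport if lport is not None else pkt.dst_port)


if __name__ == "__main__":
    nat = NatDevice()
    nat.add_static("10.10.10.11", "203.0.113.2")  # the entry from the walkthrough
    host_b = "198.51.100.7"                       # constructed address for Host B
    out = nat.outbound(Packet("10.10.10.11", host_b, 40000, 443))   # steps 1-3
    back = nat.inbound(Packet(host_b, "203.0.113.2", 443, 40000))   # steps 4-6
    print(out, back, nat.events, sep="\n")
```

Running the block reproduces the walkthrough: the outbound packet leaves with source 203.0.113.2, and the reply addressed to 203.0.113.2 is delivered to 10.10.10.11. The `events` list stands in for the translation log an analyst would read on a real device; a burst of "unsolicited packet ... dropped" entries is the kind of pattern worth correlating with other telemetry.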
