Network Address Translation

Network Address Translation (NAT) converts private IP addresses in a private network to globally unique, public IP addresses for use on the Internet. The main purpose of NAT is to hide internal hosts. As outgoing packets are routed through the firewall, NAT hides internal hosts by converting their IP addresses to the address of the firewall. Once the translation is complete, the firewall sends the data payload on to its original destination; thus, NAT makes it appear that all traffic from your site comes from one (or more) IP addresses.

The firewall maintains a translation table to keep track of the address conversions that it has performed. When an incoming response arrives at the firewall, the firewall uses this translation table to determine which internal host should receive the response. Because this type of firewall essentially sends and receives data on behalf of internal hosts, NAT can also be described as a simple proxy.

There are two basic types of NAT:

• Static translation (port forwarding) grants a specific internal host a fixed translation that never changes. For example, if you run an email server inside a firewall, you can establish a static route through the firewall for that service.
• Dynamic translation (automatic, hide mode, or IP masquerade) shares a small group of external IP addresses amongst a large group of internal clients for the purpose of expanding the internal network address space. Because a translation entry does not exist until an internal client establishes a connection out through the firewall, external computers have no way to address an internal host that is protected using a dynamically translated IP address.

  Note:    Some protocols do not function correctly when the port is changed. These protocols will not work through a dynamically translated connection.

Crystal Enterprise and static translation NAT can be configured so that they work together.

For configuration steps, see Configuring for Network Address Translation.