All types of NAT fall into two categories; Static NAT and Dynamic NAT. Static NAT is where administrators manually create and maintain the NAT mappings and is usually associated with inbound types of NAT. Dynamic NAT is where the router creates and maintains mappings automatically on demand and is usually associated with outbound types of NAT.
Common Traits To All Types of NAT
Every TCP/IP packet contains a source IP address, source port, destination IP address and destination port. All types of NAT create NAT mappings using these values. For example a connection from an internal client with IP 192.168.0.1 using port 56876 may go to a website IP 220.127.116.11 (destination IP address) on port 80 (destination port) using IP of 18.104.22.168 (translated source IP) and port 56876 (source port). NAT creates a mapping using these 4 values to the 192.168.0.1 internal client for that specific connection. When packets come back from the website to the router using the same values associated with that mapping NAT forwards the packets to the internal client.
Dont confuse NAT restriction with NAT translation – For example a Ful Cone NAT only looks at the destination port when choosing whether to accept the connection or not (the restriction). When it does the actual the NAT translation however, it always uses the 4 values mentioned above.
There are four types of NAT as follows:
Full Cone NAT (Static NAT)
A full cone NAT (also known as a one to one NAT) is the only type of NAT where the port is permanently open and allows inbound connections from any external host. A full cone NAT maps a public IP address and port to a LAN IP and port. Any external host can send data to the LAN IP through the mapped NAT IP and port. If it tries to send data through a different port it will fail. This type of NAT is also known as port forwarding. This is the least restrictive type of NAT; the only requirement is that the connection comes in on a specific port (the one you opened).
Example - My PC has a website running on port 80. I create a one-to-one rule that maps the router WAN IP of 22.214.171.124 to 192.168.0.1 with port 80 to port 80. Any external host that sends data to 126.96.36.199 on port 80 is NATed (and sent) to 192.168.0.1 port 80.
Note: the port numbers do not have to be the same; I could run my website on port 56456 but create the NAT mapping to forward port 80 to port 56456. This gives the appearance to the public Internet that my website is on port 80. A connection attempt on any other port is dropped.
Restricted Cone NAT (Dynamic NAT)
A restricted cone NAT works in the same way as a full cone NAT but applies additional restrictions based on an IP address. The internal client must first have sent packets to IP address (X) before it can receive packets from X. In terms of restrictions the only requirement is that packets come in on the mapped port and from an IP address that the internal client has sent packets to.
Example - My PC makes an outbound connection to a website (188.8.131.52) with my source IP 192.168.0.1 and source port 56723. The NAT creates a (dynamic) mapping to my PC using source port 56723. Packets that arrive with a source IP of 184.108.40.206 (the website IP) using a destination port of 56723 (which was the outbound NATed source port) will be accepted and sent to my PC. Connection attempts from any other IP using the correct port of 56723 will be dropped. Connection attempts from the correct IP with a destination port other than 56723 will also be dropped.
Port Restricted Cone NAT (Dynamic NAT)
A port restricted cone NAT acts in exactly the same way as a restricted cone NAT but applies restrictions to ports also. Where a restricted cone NAT will accept connections from any source port a port restricted cone NAT restricts this further by only accepting connections from the IP address and port it sent the outbound request to.
Example - My PC makes an outbound connection to website IP 220.127.116.11 on port 80 (destination port). The NAT maps my source IP 192.168.0.1 to the WAN IP of 18.104.22.168 and source port 56723. When the website sends packets back it must have it’s source IP as 22.214.171.124, destination port as 56723 (like a restricted cone NAT) but in addition the source port must be 80. If any of these three are different a port restricted cone NAT drops the connection.
Symmetric NAT (Dynamic NAT)
A symmetric NAT applies restrictions exactly the same way as a port restricted cone NAT but handles the NAT translation differently. Symmetric NAT is more complicated and has it’s own unique problem so I have wrote a separate article dedicated to Symmetric NAT and It’s Problems.