Someone brought you here because you use NAT where it’s not needed.
What is NAT?
Well, there are many types of NAT, but RFC3022 says:
Basic Network Address Translation or Basic NAT is a method by which
IP addresses are mapped from one group to another, transparent to end
users. Network Address Port Translation, or NAPT is a method by
which many network addresses and their TCP/UDP (Transmission Control
Protocol/User Datagram Protocol) ports are translated into a single
network address and its TCP/UDP ports. Together, these two
operations, referred to as traditional NAT, provide a mechanism to
connect a realm with private addresses to an external realm with
globally unique registered addresses.
Why does NAT exist?
The first NAT RFC, RFC1631 from 1994, already mentions the increasing exhaustion of IP addresses.
That’s the main reason for NAT. There aren’t enough IPv4 addresses available to uniquely address every single network device connected to the internet. This problem is addressed with IPv6, but until everyone is using IPv6 (I think I’ll be retired by then), NAT is used to map the many addresses used in a LAN to a single public address (or far fewer of them).
Does NAT come with disadvantages?
YES! That’s why you are here!
Some network protocols like FTP, SIP and IKE weren’t built to support NAT. They carry IP addresses in their payloads, so you run into problems if the addresses in the packet headers are translated afterwards: the address in the payload no longer matches the address the peer actually sees. When using NAT, you’ll have to change the configuration of the sending devices accordingly or use helpers that translate the addresses in payloads. These helpers aren’t reliable and won’t work with encrypted payloads. Keep in mind: you must know that NAT is being used, otherwise you cannot take it into account in the service configuration. And if the translation is changed, you’ll have to change your service configuration too.
You do not know which system is the actual sender of a packet. If you use a lot of NAT - just because it’s easy - sooner or later you’ll run into trouble. Imagine you are examining a network connection and you don’t know exactly which system a packet is coming from. And maybe you don’t even know that the address was translated before?
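To make the FTP case concrete, here is a small added example (mine, not from this page or from any NAT vendor’s code) that models what an FTP helper on a NAPT gateway has to do. Active-mode FTP announces the client’s data endpoint inside the control channel as "PORT h1,h2,h3,h4,p1,p2". Plain NAT only rewrites the IP header, so the server would be told to connect to a private LAN address. The hypothetical FtpAlg class rewrites that announcement to the gateway’s public address and records the port mapping the gateway must hold open; when the payload is encrypted (the bytes below are a constructed TLS-record-like blob) it cannot see the address and passes the data through unchanged, which is exactly why helpers don’t work with encrypted payloads. All addresses are constructed from the documentation ranges.

```python
import ipaddress
import re

# Active-mode FTP announces the client's data endpoint inside the control
# channel payload as "PORT h1,h2,h3,h4,p1,p2": address h1.h2.h3.h4, port p1*256+p2.
PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")


def parse_port_command(payload: bytes):
    """Return (IPv4Address, port) from a cleartext PORT command, or None when
    the payload is not a readable PORT command (garbage, or encrypted data)."""
    m = PORT_RE.match(payload)
    if m is None:
        return None
    fields = [int(g) for g in m.groups()]
    if max(fields) > 255:
        return None
    h1, h2, h3, h4, p1, p2 = fields
    return ipaddress.IPv4Address(f"{h1}.{h2}.{h3}.{h4}"), p1 * 256 + p2


def format_port_command(addr: ipaddress.IPv4Address, port: int) -> bytes:
    """Inverse of parse_port_command."""
    return f"PORT {str(addr).replace('.', ',')},{port // 256},{port % 256}\r\n".encode()


def announces_inside_address(payload: bytes, inside_net: str) -> bool:
    """True when the payload tells the peer to connect to an address of the
    NAT's inside network, i.e. the case header-only NAT leaves broken."""
    parsed = parse_port_command(payload)
    return parsed is not None and parsed[0] in ipaddress.IPv4Network(inside_net)


class FtpAlg:
    """Hypothetical model of a NAPT gateway's FTP helper (not any vendor's
    code): rewrite the address in a PORT payload to the gateway's public
    address and record the port mapping the gateway must hold open so the
    server's incoming data connection can be forwarded to the client."""

    def __init__(self, public_ip: str, inside_net: str, first_port: int = 40000):
        self.public_ip = ipaddress.IPv4Address(public_ip)
        self.inside_net = inside_net
        self.next_port = first_port
        self.mappings = {}  # public port -> (private address, private port)

    def translate(self, payload: bytes):
        """Return (payload to forward, mapping or None)."""
        if not announces_inside_address(payload, self.inside_net):
            # Encrypted, unrecognised, or not an inside address: the helper
            # cannot (or need not) rewrite anything, so the bytes pass
            # unchanged and no mapping is created.
            return payload, None
        private_ip, private_port = parse_port_command(payload)
        public_port = self.next_port
        self.next_port += 1
        self.mappings[public_port] = (private_ip, private_port)
        rewritten = format_port_command(self.public_ip, public_port)
        return rewritten, (public_port, str(private_ip), private_port)
```

Note that the helper has to allocate and track a port mapping per PORT command; if the gateway loses that state (reboot, table overflow, failover), the announced endpoint is dead and the transfer fails, which is the unreliability the text is talking about.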
But I need NAT!
Why? There are only a few reasons for NAT!
To address the above-mentioned exhaustion of public IPv4 addresses.
If you need to connect networks with overlapping addresses - for example when connecting two networks with a VPN tunnel. Use a double 1:1 NAT there to counter the disadvantages mentioned above!
If you want to map a provider-assigned IP scope to internal systems.
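The double 1:1 NAT for overlapping networks, as an added example that is not from this page: both sites use 192.168.1.0/24, so each VPN endpoint presents its site to the tunnel as a unique alias network (10.1.0.0/24 and 10.2.0.0/24 here, constructed values) and maps alias addresses arriving from the tunnel back to real ones. Because the mapping is 1:1 and keeps the host part, replies route back without any per-connection state, unlike NAPT. The class and function names are hypothetical; the price, as noted earlier, is that hosts and DNS must address the far site by its alias network.

```python
import ipaddress


def translate_1to1(addr, from_net, to_net):
    """Static 1:1 (netmap-style) NAT: move addr from from_net into to_net,
    keeping the host part. Addresses outside from_net pass through unchanged."""
    addr = ipaddress.IPv4Address(addr)
    from_net = ipaddress.IPv4Network(from_net)
    to_net = ipaddress.IPv4Network(to_net)
    if from_net.prefixlen != to_net.prefixlen:
        raise ValueError("1:1 NAT needs networks of equal size")
    if addr not in from_net:
        return addr
    host_part = int(addr) - int(from_net.network_address)
    return ipaddress.IPv4Address(int(to_net.network_address) + host_part)


class SiteGateway:
    """One VPN endpoint: the site's real (overlapping) network is shown to the
    tunnel as a unique alias network, and alias addresses arriving from the
    tunnel are mapped back to real ones."""

    def __init__(self, real_net, alias_net):
        self.real_net = real_net
        self.alias_net = alias_net

    def outbound(self, src, dst):
        # Packet leaving the site: hide the real source behind the alias.
        return str(translate_1to1(src, self.real_net, self.alias_net)), str(dst)

    def inbound(self, src, dst):
        # Packet entering the site: turn the alias destination into the real host.
        return str(src), str(translate_1to1(dst, self.alias_net, self.real_net))


def send_over_tunnel(src_gw, dst_gw, src, dst):
    """Carry one packet from a host behind src_gw to a host behind dst_gw.
    Returns (addresses on the tunnel, addresses as delivered at the far site).
    Hosts must address the far site by its alias network."""
    on_wire = src_gw.outbound(src, dst)
    delivered = dst_gw.inbound(*on_wire)
    return on_wire, delivered
```

Run a packet from site A’s 192.168.1.10 to site B’s host 20 (addressed as 10.2.0.20) and the reply back: on the tunnel the two sites never look alike, and each side delivers to the right real host. A packet from 192.168.1.10 to 192.168.1.20 sent directly would never leave site A, which is why the alias addressing is not optional.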
You don’t need NAT in these cases:
To keep internal devices safe: You use a firewall for this. Even if a peer knows your device’s address, the firewall will protect you from unintended connections. If you don’t have a firewall: buy one. NAT won’t protect you.
To keep internal addresses secret: Really? Why? Don’t you have a firewall? That’s security through obscurity. Does a thief only break into your house because he knows where you live? Or do you just use a door lock against thieves?
To ensure the response packets get back: Do real routing. If that’s not easily possible, your network sucks (except for rare justified exceptions). Think about dynamic routing when you’re in over your head with all the static routes.