Basic NAT - a private address is translated to a public address drawn from a pool of available public addresses - ports are not changed - a one-to-one mapping between public and private addresses
Network address port translation (NAPT) - a private address/port pair is translated to a public address/port pair - one public address is shared by many private addresses
The router decides how to translate each packet based on its UDP or TCP port (or the ICMP identifier, or some other field that identifies the flow).
Example: a packet comes from host 10.0.1.1/24 with TCP source port 30000 and is destined for 131.94.1.1, TCP destination port 25. The NAT gateway has a private address of 10.0.1.254 and a public address of 131.94.2.1. As the packet passes through the NAT router, its IP source address is changed to the public address of the NAT router (131.94.2.1) and its TCP source port is changed to some available TCP port on the NAT router (port X); let X=20000 for this example. Because the addresses and port changed, the router also has to recompute the IP header checksum and the TCP (or UDP) checksum, whose pseudo-header covers the addresses. The NAT router records that TCP traffic arriving from the public Internet for port 20000 must be translated to port 30000 and forwarded to 10.0.1.1 on the private network. The packet arrives at the destination host, which responds to the NAT router's public address and port 20000. In the case of ICMP (echo request/reply) the router uses the ICMP identifier instead of a TCP or UDP port to decide which packets go where. The NAT router must therefore maintain state, keeping track of which connection goes where, and must also time out idle state, otherwise the table grows without bound and public ports are never freed. An inbound packet from the Internet that matches no state entry has no private destination and is dropped, which is why a host behind NAT is not reachable from outside unless a mapping already exists for it.
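The translation and state keeping just described, as an added example that is not part of these notes: a small Python model of a port-translating NAT router using the addresses from the notes (10.0.1.x on the private side, 131.94.2.1 on the public side, 131.94.1.1 as the server). It also carries through the two-host case worked out in the detailed example further down, where Host2 uses the same source port 30000 as Host1, and adds an ICMP echo keyed on the identifier. The class and function names (NAPT, outbound, inbound, expire, walkthrough), the sequential port allocation starting at 20000 and the 300-second idle timeout are assumptions of this example, not anything the notes specify.

```python
# Added example (not from the notes): a toy port-translating NAT state table.
# Addresses follow the notes; sequential ports from 20000 and a 300 s idle
# timeout are assumptions of this example.
from dataclasses import dataclass
from typing import Optional

PUBLIC_ADDR = "131.94.2.1"   # eth1 of the NAT router


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp" or "icmp"
    sa: str
    sp: int      # TCP/UDP source port; for ICMP echo, the echo identifier
    da: str
    dp: int      # TCP/UDP destination port; for ICMP echo, the same identifier


@dataclass
class Entry:
    proto: str
    priv_addr: str
    priv_port: int    # source port (or ICMP identifier) as the private host sent it
    remote: str
    remote_port: int  # 0 for ICMP, which has no port
    pub_port: int     # port X that the router substituted
    last_seen: float


class NAPT:
    def __init__(self, public_addr=PUBLIC_ADDR, first_port=20000, timeout=300.0):
        self.public_addr = public_addr
        self.next_port = first_port   # simplification: a freed port is never reused
        self.timeout = timeout        # idle seconds before state is timed out
        self.out = {}   # (proto, sa, sp, da, remote_port) -> Entry
        self.inb = {}   # (proto, pub_port, remote, remote_port) -> Entry

    @staticmethod
    def _remote_port(proto, port):
        return 0 if proto == "icmp" else port

    def outbound(self, pkt, now):
        """Private -> public: create or refresh state, rewrite source address/port."""
        rp = self._remote_port(pkt.proto, pkt.dp)
        key = (pkt.proto, pkt.sa, pkt.sp, pkt.da, rp)
        entry = self.out.get(key)
        if entry is None:
            # A fresh public port per connection, so Host1 and Host2 can both use
            # source port 30000 and still get distinct reply paths (20000, 20001).
            entry = Entry(pkt.proto, pkt.sa, pkt.sp, pkt.da, rp, self.next_port, now)
            self.next_port += 1
            self.out[key] = entry
            self.inb[(pkt.proto, entry.pub_port, pkt.da, rp)] = entry
        entry.last_seen = now
        new_dp = entry.pub_port if pkt.proto == "icmp" else pkt.dp
        return Packet(pkt.proto, self.public_addr, entry.pub_port, pkt.da, new_dp)

    def inbound(self, pkt, now) -> Optional[Packet]:
        """Public -> private: forward only if matching live state exists, else drop."""
        rp = self._remote_port(pkt.proto, pkt.sp)
        entry = self.inb.get((pkt.proto, pkt.dp, pkt.sa, rp))
        if entry is None or now - entry.last_seen > self.timeout:
            return None   # unsolicited (or timed-out) packet: no state, dropped
        entry.last_seen = now
        new_sp = entry.priv_port if pkt.proto == "icmp" else pkt.sp
        return Packet(pkt.proto, pkt.sa, new_sp, entry.priv_addr, entry.priv_port)

    def expire(self, now):
        """Time out idle state; returns the number of entries removed."""
        stale = [k for k, e in self.out.items() if now - e.last_seen > self.timeout]
        for k in stale:
            e = self.out.pop(k)
            del self.inb[(e.proto, e.pub_port, e.remote, e.remote_port)]
        return len(stale)

    def state_lines(self):
        """The table in the 'in eth0 ... -> out eth1 ...' notation used in the notes."""
        lines = []
        for e in self.out.values():
            lines.append(f"in eth0 SA={e.priv_addr} SP={e.priv_port} DA={e.remote} DP={e.remote_port}"
                         f" -> out eth1 SA={self.public_addr} SP={e.pub_port} DA={e.remote} DP={e.remote_port}")
            lines.append(f"in eth1 SA={e.remote} SP={e.remote_port} DA={self.public_addr} DP={e.pub_port}"
                         f" -> out eth0 SA={e.remote} SP={e.remote_port} DA={e.priv_addr} DP={e.priv_port}")
        return lines


def walkthrough():
    """Replay the Host1/Host2/Server1 exchange from the notes plus an ICMP echo."""
    nat = NAPT()
    syn = nat.outbound(Packet("tcp", "10.0.1.1", 30000, "131.94.1.1", 22), now=0.0)
    synack = nat.inbound(Packet("tcp", "131.94.1.1", 22, syn.sa, syn.sp), now=0.1)
    host2 = nat.outbound(Packet("tcp", "10.0.1.2", 30000, "131.94.1.1", 22), now=0.2)
    stray = nat.inbound(Packet("tcp", "131.94.1.1", 22, PUBLIC_ADDR, 20002), now=0.3)
    table = nat.state_lines()
    ping = nat.outbound(Packet("icmp", "10.0.1.1", 7, "131.94.1.1", 7), now=0.4)
    pong = nat.inbound(Packet("icmp", "131.94.1.1", ping.sp, PUBLIC_ADDR, ping.dp), now=0.5)
    expired = nat.expire(now=1000.0)
    return {"syn": syn, "synack": synack, "host2": host2, "stray": stray,
            "table": table, "pong": pong, "expired": expired, "left": len(nat.out)}
```

Calling walkthrough() returns the SYN as it leaves eth1 (131.94.2.1:20000), the SYN/ACK mapped back to 10.0.1.1:30000, Host2's connection on 20001, a dropped packet for port 20002 that has no state, the echo reply mapped back to identifier 7, and three entries timed out. The inbound lookup keys on the remote address and port as well as the public port, which matches the per-connection table in the notes (a "symmetric" mapping); many consumer routers instead hand out one public port per private address/port regardless of destination (endpoint-independent mapping), which is what makes hole punching work. Checksum recomputation is not modelled.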
Example of state tables:
  Interface 10.0.1.254/24 (private side)            Interface 131.94.2.1/24 (public side)
  SA=10.0.1.1   SP=30000 DA=131.94.1.1 DP=22  <->   SA=131.94.2.1 SP=20000 DA=131.94.1.1 DP=22

More detailed example:
The players:
  Host1 = 10.0.1.1 (behind the NAT box)
  Host2 = 10.0.1.2 (behind the NAT box)
  NAT router with two interfaces: eth0 = 10.0.1.254 (private), eth1 = 131.94.2.1 (public)
  Server1 = 131.94.1.1 (on the public Internet)

Host1 wants to make a TCP connection to port 22 on Server1. It sends a TCP SYN packet:
  source address = 10.0.1.1, source port = 30000, destination address = 131.94.1.1, destination port = 22

The packet arrives at the NAT box on eth0. The NAT box builds and records this state:
  in eth0 SA=10.0.1.1 SP=30000 DA=131.94.1.1 DP=22 -> out eth1 SA=131.94.2.1 SP=20000 DA=131.94.1.1 DP=22
  in eth1 SA=131.94.1.1 SP=22 DA=131.94.2.1 DP=20000 -> out eth0 SA=131.94.1.1 SP=22 DA=10.0.1.1 DP=30000
and sends the packet along out eth1 to Server1 as:
  source address = 131.94.2.1, source port = 20000, destination address = 131.94.1.1, destination port = 22

Server1 receives it and sends back a SYN/ACK:
  source address = 131.94.1.1, source port = 22, destination address = 131.94.2.1, destination port = 20000

This arrives at the NAT box on eth1 and is translated according to the state table to:
  source address = 131.94.1.1, source port = 22, destination address = 10.0.1.1, destination port = 30000

Host1 completes the opening of the TCP connection by sending back an ACK:
  source address = 10.0.1.1, source port = 30000, destination address = 131.94.1.1, destination port = 22

The packet arrives at the NAT box on eth0, is translated, and goes out eth1 to Server1 as:
  source address = 131.94.2.1, source port = 20000, destination address = 131.94.1.1, destination port = 22

The connection is now open, and any further traffic between Host1 and Server1 is translated by the same two entries:
  in eth0 SA=10.0.1.1 SP=30000 DA=131.94.1.1 DP=22 -> out eth1 SA=131.94.2.1 SP=20000 DA=131.94.1.1 DP=22
  in eth1 SA=131.94.1.1 SP=22 DA=131.94.2.1 DP=20000 -> out eth0 SA=131.94.1.1 SP=22 DA=10.0.1.1 DP=30000

A second host, Host2, could also initiate a connection to Server1 port 22 in the same fashion.
The state would be:
  in eth0 SA=10.0.1.2 SP=30000 DA=131.94.1.1 DP=22 -> out eth1 SA=131.94.2.1 SP=20001 DA=131.94.1.1 DP=22
  in eth1 SA=131.94.1.1 SP=22 DA=131.94.2.1 DP=20001 -> out eth0 SA=131.94.1.1 SP=22 DA=10.0.1.2 DP=30000

Note that Host2 happens to use the same source port (30000) as Host1 towards the same server and port. The NAT router therefore has to pick a different public port (20001 rather than 20000) so that the replies from Server1, which differ only in their destination port, can be told apart and sent to the right private host.

Some links that may help you understand NAT: