One of the key themes that runs through our small labs and examples is that we often use private IP addresses. The problem with private IP addresses is that they cannot be routed out onto the internet. In order to do that, we have to perform something called Network Address Translation (NAT).
Here is an example.
This is a small business that owns one IP number – the WAN IP, as supplied by the ISP. If the business only has one computer that needs to access the internet, this will work just fine, but in this case we have three.
The three hosts are put on a private Class C network, and can access the WAN via the router (as an aside, this is most likely the same as your home network). So when host 192.168.2.30 attempts to access a website (cisco.com, for instance), the router takes its private IP address and translates it to the public IP address. If all three computers access the WAN at different times this still works; however, if they all try to access the WAN at the same time, what happens?
We can do one of two things: we can buy more public IP addresses or we can use Port Address Translation (PAT).
What the router does in this case is translate the private IP to its public one again, but it also assigns a different source port to the outgoing request. As you can see in the image above, we have three requests from the same public IP number but with differing source ports. The router maintains a table of translations, and when responses come back from our target web site (in this case cisco.com) the response is translated and routed to the appropriate computer.
But now our small business decides it needs a web site and FTP site for customers. What now?
Port Address Translation, or PAT, also works for this scenario. Let's say that 192.168.2.30 is going to host the web site with an Apache install. Great, but how do customers find this web site? We can assign a port map in the router so that all requests to 18.104.22.168:80 are routed to 192.168.2.31:80.
Please note that only one translation can be live at any one time; there can only be one … per port.
So if we wanted to implement the FTP server for customers, and that needed to be on 192.168.2.32:21, we can put a redirect from 22.214.171.124:21, thus routing the FTP traffic to the correct machine.
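To make the two halves of this concrete (the outbound PAT table that gives each private host its own public source port, and the static port map that sends inbound port 80 and port 21 traffic to the web and FTP hosts), here is a small model of the router's translation table. This is an added example, not part of the original page; the public address 203.0.113.10 and the remote addresses 198.51.100.x are constructed sample values from the documentation ranges, and the class and function names are mine.

```python
# Added example: a minimal model of a NAT router doing Port Address Translation
# (PAT) for outbound flows and static port forwarding for inbound connections.
# All addresses are constructed sample values; the API is hypothetical.
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

PUBLIC_IP = "203.0.113.10"  # constructed WAN address handed out by "the ISP"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PatRouter:
    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self._next_port = first_port
        # dynamic table: public source port -> (private ip, private port)
        self.dynamic: dict[int, tuple[str, int]] = {}
        # reverse index so a private socket keeps the same public port
        self._reverse: dict[tuple[str, int], int] = {}
        # static forwards: public port -> (private ip, private port)
        self.static: dict[int, tuple[str, int]] = {}

    def add_forward(self, public_port: int, private_ip: str, private_port: int) -> None:
        # Only one inside host can own a given public port (the "one per port" rule).
        if public_port in self.static:
            raise ValueError(f"public port {public_port} already forwarded to {self.static[public_port]}")
        self.static[public_port] = (private_ip, private_port)

    def outbound(self, pkt: Packet) -> Packet:
        # Rewrite the private source to the public IP plus a unique source port.
        key = (pkt.src_ip, pkt.src_port)
        port = self._reverse.get(key)
        if port is None:
            port = self._next_port
            self._next_port += 1
            self.dynamic[port] = key
            self._reverse[key] = port
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        # Static forwards are checked first, then the dynamic PAT table;
        # anything with no entry is dropped (returned as None).
        if pkt.dst_ip != self.public_ip:
            return None
        target = self.static.get(pkt.dst_port) or self.dynamic.get(pkt.dst_port)
        if target is None:
            return None
        ip, port = target
        return Packet(pkt.src_ip, pkt.src_port, ip, port)


def pat_demo() -> dict:
    """Three hosts open connections to the same web server at the same time,
    each using the same local source port, plus one customer hitting the
    published web site. Returns the translated packets for inspection."""
    router = PatRouter(PUBLIC_IP)
    router.add_forward(80, "192.168.2.31", 80)   # web site
    router.add_forward(21, "192.168.2.32", 21)   # FTP server
    hosts = ["192.168.2.30", "192.168.2.31", "192.168.2.32"]
    web_server = "198.51.100.5"                  # constructed remote site
    out = [router.outbound(Packet(h, 51000, web_server, 80)) for h in hosts]
    # Replies come back addressed to the public IP on the allocated ports.
    back = [router.inbound(Packet(web_server, 80, PUBLIC_IP, p.src_port)) for p in out]
    # A customer connects to the business's published web site on port 80.
    customer = router.inbound(Packet("198.51.100.77", 42424, PUBLIC_IP, 80))
    # Unsolicited traffic to a port with no entry is dropped.
    stray = router.inbound(Packet("198.51.100.77", 42425, PUBLIC_IP, 8080))
    return {"router": router, "out": out, "back": back, "customer": customer, "stray": stray}


if __name__ == "__main__":
    for p in pat_demo()["out"]:
        print(p)
```

The three outbound packets leave with the same public IP but three different source ports, which is exactly the table the router consults when the replies come back; the `add_forward` check is what enforces that only one inside host can be published on a given public port.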
Just to show you how this works on a simple home router, here is my current setup:
You can see that port 80 is redirected to my web server on 192.168.2.4 and there is a telnet connection redirected to 192.168.2.11.