[Contents] [Prev] [Next] [Index] [Report an Error]


NAT Configurations

You can configure NAT in several different ways, each suited to a different requirement. The methods are:

Traditional NAT

Traditional NAT is the most common method of using address translation. Its primary use is translating private addresses to globally routable (registered) addresses for use in an external network. When configured for dynamic operation, hosts on the private network can initiate sessions to the external (public) network, but hosts on the public network cannot initiate sessions to the private network, because a translation table entry is created only by outbound traffic.

Addresses on the private network and public network must not overlap. Routes to destinations on the public network (for example, the Internet) can be advertised into the private network, but the NAT router does not propagate advertisements of local routes that reference private addresses out to the public network.

Two types of traditional NAT exist — basic NAT and NAPT.

Basic NAT

Basic NAT translates IP addresses only (a "simple" translation) and records each private-to-public address pair in a NAT table. For packets outbound from the private network, the NAT router translates the source IP address and the fields that depend on it (the IP header checksum and, because of the pseudo-header, the TCP, UDP, and ICMP checksums). For inbound packets, the NAT router translates the destination IP address (and the related checksums) for entries that it finds in its translation table. Because each entry binds one private address to one public address, the number of private hosts that can communicate at the same time is limited by the size of the public address pool.

CAUTION: While it is the simplest translation method, basic NAT is the least secure. Because the translation entry carries no port or external-host information, any external host can reach any port of the private host for as long as the entry exists. Do not treat a basic NAT mapping as access control.


NAPT

Network Address Port Translation (NAPT) extends basic NAT: it translates both the IP address and the transport identifier (for example, the TCP or UDP port number, or the ICMP query identifier) and records the pair in the translation table as an "extended" translation. Because the transport identifier distinguishes sessions, NAPT can multiplex the sessions of many private hosts onto a few public addresses and transport identifiers, making efficient use of globally registered IP addresses.

As with basic NAT, for outbound packets NAPT translates the source IP address, the source transport identifier, and the related checksum fields. For inbound packets, NAPT translates the destination IP address, the destination transport identifier, and the checksum fields, and it does so only for packets that match an extended entry; an inbound packet to a port with no entry is dropped.
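The following is an added example, not code from the original page or from any router vendor: a byte-level simulation of basic NAT and NAPT on IPv4/TCP packets that shows the header rewriting and checksum recomputation described above, and the difference that matters for the CAUTION on basic NAT. The addresses, ports, and address pool are hypothetical, and the packets are constructed inline.

```python
# Added example (not from the original page): basic NAT vs NAPT on IPv4/TCP packets.
# Addresses, ports and the public pool are hypothetical; packets are constructed inline.
import socket
import struct


def checksum(data: bytes) -> int:
    """Ones'-complement Internet checksum (RFC 1071) over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def rewrite(pkt: bytes, src=None, dst=None, sport=None, dport=None) -> bytes:
    """Rewrite the requested address/port fields, then recompute IP and TCP checksums."""
    ip, tcp = bytearray(pkt[:20]), bytearray(pkt[20:])
    if src is not None:
        ip[12:16] = socket.inet_aton(src)
    if dst is not None:
        ip[16:20] = socket.inet_aton(dst)
    if sport is not None:
        tcp[0:2] = struct.pack("!H", sport)
    if dport is not None:
        tcp[2:4] = struct.pack("!H", dport)
    ip[10:12] = b"\x00\x00"
    ip[10:12] = struct.pack("!H", checksum(bytes(ip)))
    tcp[16:18] = b"\x00\x00"
    pseudo = bytes(ip[12:20]) + struct.pack("!BBH", 0, 6, len(tcp))  # TCP pseudo-header
    tcp[16:18] = struct.pack("!H", checksum(pseudo + bytes(tcp)))
    return bytes(ip + tcp)


def build_ipv4_tcp(src, dst, sport, dport, payload=b"") -> bytes:
    """Construct a minimal IPv4/TCP SYN (no options) with valid checksums."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return rewrite(ip + tcp)  # no field changes: this call just fills in both checksums


def parse(pkt: bytes):
    """Return (src, dst, sport, dport) of an IPv4/TCP packet without IP options."""
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    sport, dport = struct.unpack("!HH", pkt[20:24])
    return src, dst, sport, dport


def checksums_ok(pkt: bytes) -> bool:
    """With a correct checksum field, the checksum over the covered bytes comes out zero."""
    ip, tcp = pkt[:20], pkt[20:]
    pseudo = ip[12:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return checksum(ip) == 0 and checksum(pseudo + tcp) == 0


class BasicNAT:
    """Simple translation: one private address <-> one public address, no port information."""

    def __init__(self, public_pool):
        self.pool = list(public_pool)
        self.table = {}  # private address -> public address

    def outbound(self, pkt):
        src = parse(pkt)[0]
        if src not in self.table:
            self.table[src] = self.pool.pop(0)  # dynamic allocation; IndexError when exhausted
        return rewrite(pkt, src=self.table[src])

    def inbound(self, pkt):
        dst = parse(pkt)[1]
        for private, public in self.table.items():
            if public == dst:  # matches any external host and any destination port
                return rewrite(pkt, dst=private)
        return None


class NAPT:
    """Extended translation: (private address, port) <-> (public address, port)."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip, self.next_port = public_ip, first_port
        self.table = {}  # (private address, private port) -> public port

    def outbound(self, pkt):
        src, _, sport, _ = parse(pkt)
        if (src, sport) not in self.table:
            self.table[(src, sport)] = self.next_port
            self.next_port += 1
        return rewrite(pkt, src=self.public_ip, sport=self.table[(src, sport)])

    def inbound(self, pkt):
        _, dst, _, dport = parse(pkt)
        if dst == self.public_ip:
            for (private, private_port), public_port in self.table.items():
                if public_port == dport:
                    return rewrite(pkt, dst=private, dport=private_port)
        return None  # no extended entry for that port: the packet is dropped


def demo():
    """Inside host 10.0.0.5 opens a session; an unrelated outside host then probes port 22."""
    basic, napt = BasicNAT(["203.0.113.10"]), NAPT("203.0.113.20")
    syn = build_ipv4_tcp("10.0.0.5", "198.51.100.80", 51000, 80)
    basic_out, napt_out = basic.outbound(syn), napt.outbound(syn)
    reply = build_ipv4_tcp("198.51.100.80", "203.0.113.20", 80, 40000)
    probe_basic = build_ipv4_tcp("198.51.100.99", "203.0.113.10", 4444, 22)
    probe_napt = build_ipv4_tcp("198.51.100.99", "203.0.113.20", 4444, 22)
    return {
        "basic_out": parse(basic_out),
        "napt_out": parse(napt_out),
        "napt_reply": parse(napt.inbound(reply)),
        "basic_probe": basic.inbound(probe_basic),  # delivered to 10.0.0.5:22
        "napt_probe": napt.inbound(probe_napt),     # None: no extended entry for port 22
        "checksums_ok": all(checksums_ok(p) for p in (basic_out, napt_out)),
    }
```

The probe in `demo()` is the CAUTION in action: the basic NAT entry for 10.0.0.5 forwards an unsolicited SYN from a host the inside host never talked to, on a port it never used, while the NAPT table has no extended entry for port 22 and drops it.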

Bidirectional NAT

Bidirectional (or two-way) NAT adds DNS awareness (a DNS application-level gateway) to basic NAT so that public hosts can initiate sessions into the private network, usually to reach servers intended for public access.

When an outside host resolves the name of an inside host on the private network, the NAT router intercepts the DNS reply, installs an address translation for the inside host, and returns the reply carrying the public address so that the outside host can reach the inside host. When the outside host then initiates a connection, the NAT router translates the public destination address to the private address of the inside host and, on the return path, replaces the private source address with the advertised public address.

Some additional configuration may be required to allow public access from the Internet to a DNS server that resides in the private domain (see Bidirectional NAT Example).

The same address space requirements and routing restrictions apply to bidirectional NAT as were described for traditional NAT. The difference between these two methods is that the DNS exchange may create entries within the translation table.

Twice NAT

In twice NAT, both the source and destination addresses are translated as packets traverse the NAT router in either direction. You would use twice NAT, for example, when connecting two networks in which all or some addresses in one network overlap with addresses in the other (whether the networks are private or public): each side addresses the other through a non-overlapping alias range, and the router rewrites both ends of every packet.
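As an added example (not code from the original page or from any vendor), the following models twice NAT between two networks that both use 10.0.0.0/24. Each side's real prefix is mapped, host offset for host offset, onto an alias prefix that the other side uses to reach it; the alias prefixes 192.0.2.0/24 and 198.51.100.0/24, the hosts, and the dict-shaped packets are hypothetical.

```python
# Added example (not from the original page): twice NAT between two networks with
# overlapping address space. Alias prefixes and hosts are hypothetical.
import ipaddress


class TwiceNAT:
    """Translate source and destination on every packet crossing between two networks.

    Side A's real prefix is seen from side B as a_alias; side B's real prefix is seen
    from side A as b_alias. Host offsets within the prefix are preserved.
    """

    def __init__(self, a_real, a_alias, b_real, b_alias):
        self.a_real, self.a_alias = map(ipaddress.ip_network, (a_real, a_alias))
        self.b_real, self.b_alias = map(ipaddress.ip_network, (b_real, b_alias))
        if self.a_alias.overlaps(self.b_real) or self.b_alias.overlaps(self.a_real):
            raise ValueError("an alias prefix must not overlap the other side's real prefix")

    @staticmethod
    def _map(addr, src_net, dst_net):
        """Map addr from src_net onto the same host offset in dst_net; None if addr is outside."""
        a = ipaddress.ip_address(addr)
        if a not in src_net:
            return None
        return str(dst_net.network_address + (int(a) - int(src_net.network_address)))

    def a_to_b(self, pkt):
        """From A: source becomes A's alias; destination (B's alias) becomes B's real address."""
        src = self._map(pkt["src"], self.a_real, self.a_alias)
        dst = self._map(pkt["dst"], self.b_alias, self.b_real)
        return None if src is None or dst is None else {**pkt, "src": src, "dst": dst}

    def b_to_a(self, pkt):
        """From B: source becomes B's alias; destination (A's alias) becomes A's real address."""
        src = self._map(pkt["src"], self.b_real, self.b_alias)
        dst = self._map(pkt["dst"], self.a_alias, self.a_real)
        return None if src is None or dst is None else {**pkt, "src": src, "dst": dst}


def demo():
    nat = TwiceNAT("10.0.0.0/24", "192.0.2.0/24", "10.0.0.0/24", "198.51.100.0/24")
    # Host 10.0.0.5 on side A reaches side B's 10.0.0.7, which side A knows as 198.51.100.7
    forward = nat.a_to_b({"src": "10.0.0.5", "dst": "198.51.100.7"})
    # Side B replies to what it saw: source 10.0.0.7, destination 192.0.2.5
    back = nat.b_to_a({"src": forward["dst"], "dst": forward["src"]})
    # A packet from side A addressed to the overlapping real 10.0.0.7 is ambiguous: not translated
    ambiguous = nat.a_to_b({"src": "10.0.0.5", "dst": "10.0.0.7"})
    return forward, back, ambiguous
```

Both directions rewrite both addresses, which is what distinguishes twice NAT from the one-sided rewriting of traditional NAT; a packet that names the other side by its real, overlapping address has no unambiguous translation and is not forwarded.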

