Limitations of Network Address Translation
If you use NAT for Internet access for your internal computers, you will not be able to control what content the users on the internal network
can access, nor will you be able to control which Internet services users can access based on security group membership.
If you require these capabilities, you need to use a proxy server.
You will learn more about the proxy server solution later in this course.
NAT describes the process whereby a device on a given network is presented as having an address on a different network.
While this is often used on a stateful firewall device to translate private network addresses inside an organization to publicly routable IP addresses on the Internet, it is also used as an inadequate solution for multi-homed organizations on the Internet.
- Limited Connectivity: NAT provides basic IPv4 connectivity but does not address more advanced features that are possible with IPv6, such as a large address space, built-in security, scalability, and improved support for quality of service (QoS). NAT also places limitations on serving users with mobile smartphones and other devices that only use IPv6.
- NAT Adds Complexity: Network Address Translation makes managing a network more complex and creates more problems with troubleshooting. The reason is that NAT devices add per-flow state at a specific location in the network. It is the management of that state and the requirement for symmetric flows (the return traffic must pass through the same NAT device that created the state) that causes these challenges.
- Problems with Applications: NAT makes application compatibility more difficult because NAT rewrites IP header fields, which causes issues with File Transfer Protocol (FTP), IP Telephony (SIP) and Simple Network Management Protocol (SNMP). Applications that carry IP addresses and port numbers inside their payload need special consideration, and some applications may not work properly behind NAT. Additionally, some applications need to be rewritten in order to support NAT.
- Security Protocol Issues: IPsec support is optional in IPv4, since IPv4 predates IPsec. In IPv6, IPsec support was originally mandated (later relaxed to a recommendation), and IPsec is designed to detect modifications to the header fields it protects. Because NAT rewrites addresses and ports, it is not uncommon for IPsec integrity checks to reject packets that have passed through NAT.
- Address Limitations: The lack of globally reachable IP addresses behind NAT means that specific functions may fail to work properly, which would require applications to be rewritten. IPv6 provides a much larger address space, which eliminates the time investment necessary to make applications work with NAT.
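To make the state, symmetric-flow and header-rewriting points above concrete, the following is an added simulation (not part of the original course material) of a many-to-one NAT device. It shows the per-flow state the device must keep, an unsolicited inbound packet being dropped because no matching state exists, an FTP `PORT` command that still carries the private address in its payload after translation, and an AH-style integrity value computed over the original header failing to verify after NAT rewrites it. All addresses, ports, payloads and the HMAC key are constructed sample values.

```python
"""Simulated NAT to illustrate per-flow state, the symmetric-flow requirement,
payload-embedded addresses (FTP/SIP) and header rewriting that breaks an
integrity check. Constructed example; no real network traffic is involved."""
import hashlib
import hmac
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes = b""


@dataclass
class NatDevice:
    """Many-to-one NAT: rewrites private sources to one public IP and a unique port."""
    public_ip: str
    next_port: int = 40000
    # (private_ip, private_port, dst_ip, dst_port) -> allocated public port
    outbound: dict = field(default_factory=dict)
    # (public_port, remote_ip, remote_port) -> (private_ip, private_port)
    inbound: dict = field(default_factory=dict)

    def translate_outbound(self, pkt: Packet) -> Packet:
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.outbound:
            # New flow: allocate a public port and record state for both directions
            self.outbound[key] = self.next_port
            self.inbound[(self.next_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
            self.next_port += 1
        # Only the header is rewritten; the payload passes through untouched
        return Packet(self.public_ip, self.outbound[key], pkt.dst_ip, pkt.dst_port, pkt.payload)

    def translate_inbound(self, pkt: Packet):
        """Return the packet translated to the private host, or None if no state matches."""
        key = (pkt.dst_port, pkt.src_ip, pkt.src_port)
        if key not in self.inbound:
            return None  # no prior outbound flow: symmetric flow required, packet dropped
        priv_ip, priv_port = self.inbound[key]
        return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port, pkt.payload)


def payload_carries_private_address(original: Packet, translated: Packet) -> bool:
    """True if the private source address survives in the payload after translation,
    as with FTP PORT (comma-separated) or SIP/SDP bodies without an application-layer gateway."""
    dotted = original.src_ip.encode()
    comma = original.src_ip.replace(".", ",").encode()
    return dotted in translated.payload or comma in translated.payload


def header_mac(pkt: Packet, key: bytes) -> bytes:
    """AH-style integrity value over addresses, ports and payload (constructed scheme)."""
    data = f"{pkt.src_ip}:{pkt.src_port}>{pkt.dst_ip}:{pkt.dst_port}".encode() + pkt.payload
    return hmac.new(key, data, hashlib.sha256).digest()


def verify_header_mac(pkt: Packet, key: bytes, mac: bytes) -> bool:
    return hmac.compare_digest(header_mac(pkt, key), mac)


def demo() -> dict:
    nat = NatDevice(public_ip="203.0.113.5")
    key = b"constructed-shared-key"

    # A private host opens an HTTP flow; the sender computes the integrity value before NAT
    http = Packet("192.168.1.10", 51000, "198.51.100.20", 80, b"GET / HTTP/1.1\r\n")
    tag = header_mac(http, key)
    http_out = nat.translate_outbound(http)
    intact = verify_header_mac(http_out, key, tag)  # False: the header was rewritten

    # The server's reply matches the stored state and is delivered to the private host
    reply = Packet("198.51.100.20", 80, nat.public_ip, http_out.src_port, b"HTTP/1.1 200 OK\r\n")
    delivered = nat.translate_inbound(reply)

    # An inbound packet with no prior outbound flow has no state and is dropped
    unsolicited = Packet("198.51.100.99", 1234, nat.public_ip, 40001)
    dropped = nat.translate_inbound(unsolicited) is None

    # Active-mode FTP: the PORT command embeds the private address in the payload
    ftp = Packet("192.168.1.10", 51001, "198.51.100.20", 21, b"PORT 192,168,1,10,199,72\r\n")
    ftp_out = nat.translate_outbound(ftp)
    leaked = payload_carries_private_address(ftp, ftp_out)

    return {
        "integrity_intact": intact,
        "delivered_to": (delivered.dst_ip, delivered.dst_port) if delivered else None,
        "unsolicited_dropped": dropped,
        "ftp_private_address_in_payload": leaked,
        "state_entries": len(nat.outbound),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The state dictionary is exactly the per-flow state the text refers to: it lives on one device, it must be consulted by return traffic, and it grows with every new flow. The FTP case shows why an application-layer gateway (or a rewritten application) is needed, and the failed HMAC shows why an integrity check that covers header fields cannot coexist with a NAT that rewrites them.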
The bottom line is that NAT was the short-term solution to the lack of IPv4 address space. IPv6 represents the answer, while NAT simply provides a piecemeal solution. When IPv6 is fully deployed, chances are NAT will no longer be necessary.