Lesson 4. Setting Up Gateway Services > Network Address Translation

Network Address Translation

Network Address Translation (NAT), which is sometimes referred to as IP masquerading or IP aliasing, is a technique that lets an entire group of network devices in a private network use a single IP address to communicate with devices on other networks. NAT both circumvents the shortage of IP addresses and provides some security to private networks since hosts inside the private network are not directly addressable from the Internet.

NAT has several forms, including the following:

  • Static NAT maps a private IP address to a public one (one-to-one mapping).

  • Dynamic NAT maps a private IP address to the first available address from a list of public addresses.

  • Port Address Translation (PAT) maps multiple private IP addresses to a single public one using different ports. This is also known as port overloading, single address NAT, and port-level multiplexed NAT.

With Mac OS X Server, you can take advantage of NAT to protect private networks. For example, you can connect an Xserve computer to your private network using one of its Ethernet interfaces, and connect it to the Internet (over a T1 line or other fast connection) using the second Ethernet interface. With this setup, you can use the NAT service to shield the private network at pretendco.com behind the Xserve computer's IP address. This allows the other pretendco.com computers to access the Internet by sharing the Xserve computer's T1 line and IP address while still remaining private—that is, they are not directly accessible from other computers on the Internet.

How NAT Works

A Mac OS X Server system running NAT takes all the traffic from your private network and remembers which internal address made the request. When the NAT router receives the response to the request, it forwards the response to the originating computer. Traffic that originates from the Internet does not reach any of the computers behind the NAT system unless port forwarding is enabled. Port forwarding lets you reroute packets sent to specific ports on the NAT system to other hosts in the private network.

In the illustration below, the PowerBook user requests a page on the Internet—in this case, the Apple home page. The request goes to the default router address (, which is the address of the en0 Ethernet interface of an Xserve computer running NAT.

The NAT router running on the Xserve computer notes the IP address of the PowerBook that sent this request ( and an internal port number (6509) to associate with this specific request. The NAT router then forwards this request to the appropriate host on the Internet using the address of the Xserve computer's en1 Ethernet interface (, which is connected to the Internet, as the new source (the “from” address). The Xserve computer also supplies its own port number (8668) for this request.

The web server receives a request for a page and returns the page requested. In this case, the server returns the page to the requesting address at port 8668.

The Xserve computer receives the response page from www.apple.com and forwards the response to the appropriate host on the private network by changing the destination address to match the host that requested the page. In this case, the port number 8668 informs the Xserve computer that this request is to be sent to address at port 6509. The PowerBook then displays the resulting webpage from www.apple.com.
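The translation table that the walkthrough above describes, as an added example (not code from the book or from Mac OS X Server's natd): a small PAT model that records the private host and port (6509) behind an outgoing request, rewrites the source to the public interface with its own port (8668), maps the reply back, drops unsolicited inbound packets, and honours a port-forwarding entry. All IP addresses are constructed placeholders from the documentation ranges, since the page does not give them.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class PATRouter:
    """Port Address Translation on the public interface (en1 in the lesson)."""
    public_ip: str
    forwards: dict = field(default_factory=dict)  # public port -> (private host, port)
    table: dict = field(default_factory=dict)     # public port -> (private host, private port)
    next_port: int = 8668                         # first public port handed out, as in the text

    def outbound(self, pkt: Packet) -> Packet:
        """Translate a packet leaving the private network; remember who sent it."""
        key = (pkt.src, pkt.sport)
        for pub_port, priv in self.table.items():
            if priv == key:          # existing session: reuse its public port
                break
        else:
            pub_port = self.next_port
            self.next_port += 1
            self.table[pub_port] = key
        return Packet(self.public_ip, pub_port, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet):
        """Translate a packet arriving from the Internet; None means it is dropped."""
        if pkt.dst != self.public_ip:
            return None
        if pkt.dport in self.table:          # reply to a request we forwarded
            host, port = self.table[pkt.dport]
            return Packet(pkt.src, pkt.sport, host, port)
        if pkt.dport in self.forwards:       # explicit port forwarding
            host, port = self.forwards[pkt.dport]
            return Packet(pkt.src, pkt.sport, host, port)
        return None                          # unsolicited traffic never reaches the LAN


if __name__ == "__main__":
    # Constructed addresses: 10.0.1.2 = PowerBook, 192.0.2.10 = Xserve en1, 203.0.113.5 = web server
    nat = PATRouter("192.0.2.10")
    print(nat.outbound(Packet("10.0.1.2", 6509, "203.0.113.5", 80)))
    print(nat.inbound(Packet("203.0.113.5", 80, "192.0.2.10", 8668)))
    print(nat.inbound(Packet("198.51.100.7", 4444, "192.0.2.10", 22)))
```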

Basic NAT Configuration

You use Server Admin to start NAT service. In the Computers & Services list, click NAT, and then click Settings. In the “Network connection to share” pop-up menu, choose the network interface that connects to the Internet or the external network. Save your settings, and then click Start Service.

NAT automatically adds a divert firewall rule to transfer incoming packets to the NAT process. In order for the divert rule to function, the firewall service must be turned on. Because the default “deny everything” rule is also activated, all incoming and outgoing connections are blocked. Thus, you need additional firewall rules to allow traffic through the server.

The only form of NAT that you can start in Server Admin is PAT.

NAT-Service Monitoring

The NAT Overview pane in Server Admin enables you to monitor your NAT service for troubleshooting and security purposes. You can see if the service is running and how many TCP, User Datagram Protocol (UDP), and Internet Control Message Protocol (ICMP) links are active.

In addition to monitoring active protocol links in the Overview pane, you might want to view NAT packet divert events, which the firewall service logs.
