In many private networks there are more devices inside the private network than there are public network addresses (e.g., Internet protocol (IP) addresses) assigned to the network owner/provider. For example, a business may have a single public network address on the Internet. The public address may be assigned to an edge network element (e.g., a gateway, a router, a switch, etc.) of the private network. The business may have many computers (e.g., 10, 100, 1000, etc.) on the private network. Each computer on the private network is typically assigned a private address. Processes such as network address translation (NAT), port translation, etc. enable computers on the public network (e.g., the Internet) to communicate with the computers on the private network. In such processes, communications from the public side of the network are routed to computers on the private side of the network.
NAT operations modify the source and/or destination network address of a packet to facilitate communication between computers on the public network and computers on the private network. For example, a gateway that supports NAT may receive a communication packet from a computer or other network element on the public side of the gateway (e.g., a network adapter connected to the Internet) that identifies a public address of the gateway as the destination network address. If the gateway determines that the packet is destined for a computer or other network element on the private side of the network (e.g., by comparing a destination port of the packet to a table, by comparing packet parameters to a state table, etc.), the gateway modifies the packet to replace the destination network address (originally identifying the network address of the gateway) with the private network address of the computer on the private network. Accordingly, the packet is routed to the destination computer. A similar process occurs when the computer on the private network transmits a packet destined for the computer on the public network. When the gateway receives the packet from the computer on the private network, the gateway replaces the source network address of the packet (originally identifying the private network address of the computer on the private network) with the public network address of the gateway on the public network. Accordingly, the packet is routed over the public network to the computer on the public network.
Port translation may be performed in addition to network address translation. Port translation modifies the port of a packet according to rules stored at the gateway to the private network. For example, two computers on a private network may host services on the same service port. Accordingly, if only one public network address is assigned to the network, both computers cannot provide their services to the public network on the same service port. The gateway may transmit requests destined for the service port to a first one of the computers without modification. The gateway may associate an alternate port with the second one of the computers (e.g., the service port number incremented by one, such as 80+1=81; any suitable port number may be used, such as a port in the range of 1 to 65535). When a packet is received that is destined for the alternate port, the gateway modifies the destination service port of the packet before transmitting the packet to the second one of the computers. When the second one of the computers transmits a packet from the service port, the gateway modifies the source port of the packet to identify the alternate port so that the packet will be recognized by the receiving system.
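As an added example (not from the original text), a small Python model of the gateway behaviour described in the two paragraphs above: static port-translation rules for two private hosts that both serve on port 80 (the second reachable via alternate public port 81), plus a dynamic state table for outbound connections so that only matched inbound packets are forwarded. All addresses, ports and rule values are constructed for the example.

```python
from dataclasses import dataclass
from itertools import count


@dataclass(frozen=True)
class Packet:
    src_addr: str
    src_port: int
    dst_addr: str
    dst_port: int


class NatGateway:
    """NAT plus port translation: static service rules and a dynamic state table."""

    def __init__(self, public_addr, service_rules):
        self.public_addr = public_addr
        # public port -> (private addr, private port); e.g. 81 -> ("10.0.0.12", 80)
        self.inbound = dict(service_rules)
        # reverse table: (private addr, private port) -> public port
        self.outbound = {v: k for k, v in service_rules.items()}
        # constructed range for dynamically allocated public ports
        self._ephemeral = count(40000)

    def to_private(self, pkt):
        """Inbound: replace the gateway's public address/port with the private ones."""
        if pkt.dst_addr != self.public_addr:
            return None  # not addressed to the gateway: not forwarded
        target = self.inbound.get(pkt.dst_port)
        if target is None:
            return None  # no rule and no state entry: drop rather than guess a host
        priv_addr, priv_port = target
        return Packet(pkt.src_addr, pkt.src_port, priv_addr, priv_port)

    def to_public(self, pkt):
        """Outbound: replace the private source address/port with the gateway's."""
        key = (pkt.src_addr, pkt.src_port)
        pub_port = self.outbound.get(key)
        if pub_port is None:
            # no static rule: allocate a public port and record it so replies match.
            # This table keys on the gateway port only (full-cone style); stricter
            # NATs also record and check the remote address/port.
            pub_port = next(self._ephemeral)
            self.outbound[key] = pub_port
            self.inbound[pub_port] = key
        return Packet(self.public_addr, pub_port, pkt.dst_addr, pkt.dst_port)


if __name__ == "__main__":
    gw = NatGateway("203.0.113.10", {80: ("10.0.0.11", 80), 81: ("10.0.0.12", 80)})
    print(gw.to_private(Packet("198.51.100.5", 50000, "203.0.113.10", 81)))
```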