One side effect of the explosive growth of the Internet is that there are insufficient routable addresses to serve all of the systems that may want to connect to it. To address this shortage, a technique known as Network Address Translation (NAT) was developed that allows multiple hosts to sit behind a device (a firewall/router) and share one or more Internet-routable addresses. The firewall is usually considered the edge of an organization's network. The Internet side is considered the ‘outside’ and is reachable using external addresses. The hosts belonging to the organization (company, school, homeowner, etc.) are on the ‘inside’ and use internal or local addresses. The local addresses are not typically routable on the Internet, so hosts on the inside of the firewall are, for the most part, hidden from the Internet. For outbound connections to the Internet, NAT converts a local address to an external address, which allows a connection to the Internet to be made from a local system. In the usual case, all of the outbound connections share a single address. The firewall maintains state information about open connections so that it can pass reply packets from Internet hosts back to the correct internal host.
One consequence of NAT is that it limits the visibility of hosts from the Internet. This prevents external devices from setting up communications with most internal hosts in a network. While this effect is usually considered a good thing from a security standpoint, in that it prevents unwanted communications from unknown external devices, it also limits any desired communication initiated from external devices to internal hosts. To address this lack of visibility, in a simple case, a firewall may be configured to direct all inbound traffic to a single internal system. In a slightly more complicated case, the inbound traffic can also be selectively routed depending on the port number/protocol. For example, one internal host can receive all inbound FTP traffic, and another can receive all inbound TELNET requests. However, for a given external address, it is still the case that only one host can receive inbound traffic for any given protocol. In an environment where access from outside the network to several internal systems using the same protocol is required, NAT is overly restrictive. For example, each employee of a company may want to be able to occasionally use SSH to connect directly to the workstation on their desk. That is not possible if the workstations are behind a NAT box. Similarly, while some NAT devices support multiple external addresses, their behavior is similar to having multiple NAT boxes, each with one external address. Each external address/protocol pair may connect to a different internal system, but the number of connections is limited to the number of external addresses. Thus, for example, if a company has three external addresses and fifty internal systems, then three of the internal systems are reachable and the remaining forty-seven internal systems are externally inaccessible.
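As an added illustration that is not part of the original text, the following Python model shows the NAT behavior described above: outbound connections are rewritten to one shared external address and recorded in a state table so that replies reach the correct inside host, while a static inbound rule can hand a given protocol/port to only one inside host, which is the restriction discussed in the second paragraph. All addresses, ports and the `Packet`/`Nat` names are constructed for this example and do not describe any real firewall.

```python
from collections import namedtuple

# Constructed, simplified packet header: addresses, ports, transport protocol.
Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port proto", defaults=("tcp",))

class Nat:
    """Toy NAT box (hypothetical model, not a real firewall): one external
    address, a connection state table and static per-port inbound forwarding."""
    def __init__(self, external_ip, first_port=40000):
        self.external_ip = external_ip
        self.next_port = first_port
        self.out_state = {}  # (in_ip, in_port, dst_ip, dst_port, proto) -> ext_port
        self.in_state = {}   # (ext_port, remote_ip, remote_port, proto) -> (in_ip, in_port)
        self.forwards = {}   # (ext_port, proto) -> (in_ip, in_port)

    def add_forward(self, ext_port, proto, in_ip, in_port):
        """Static rule: all inbound proto/ext_port traffic goes to ONE inside host."""
        if (ext_port, proto) in self.forwards:
            return False  # this external address/protocol pair is already taken
        self.forwards[(ext_port, proto)] = (in_ip, in_port)
        return True

    def outbound(self, pkt):
        """Rewrite an inside->Internet packet to the shared external address."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
        if key not in self.out_state:  # new connection: allocate an external port
            self.out_state[key] = self.next_port
            self.in_state[(self.next_port, pkt.dst_ip, pkt.dst_port, pkt.proto)] = key[:2]
            self.next_port += 1
        return pkt._replace(src_ip=self.external_ip, src_port=self.out_state[key])

    def inbound(self, pkt):
        """Map an Internet->firewall packet to an inside host, or drop it (None)."""
        dest = (self.in_state.get((pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto))
                or self.forwards.get((pkt.dst_port, pkt.proto)))
        if pkt.dst_ip != self.external_ip or dest is None:  # no state, no rule: hidden
            return None
        return pkt._replace(dst_ip=dest[0], dst_port=dest[1])

def demo():
    nat = Nat("203.0.113.10")  # constructed addresses throughout
    a = nat.outbound(Packet("10.0.0.5", 51000, "198.51.100.7", 80))  # two inside hosts,
    b = nat.outbound(Packet("10.0.0.6", 51000, "198.51.100.7", 80))  # same server
    reply_a = nat.inbound(Packet("198.51.100.7", 80, "203.0.113.10", a.src_port))
    reply_b = nat.inbound(Packet("198.51.100.7", 80, "203.0.113.10", b.src_port))
    nat.add_forward(22, "tcp", "10.0.0.5", 22)  # only one host can own inbound SSH
    second_ok = nat.add_forward(22, "tcp", "10.0.0.6", 22)
    ssh = nat.inbound(Packet("192.0.2.9", 33000, "203.0.113.10", 22))
    unsolicited = nat.inbound(Packet("192.0.2.9", 33000, "203.0.113.10", 23))
    return a, b, reply_a, reply_b, second_ok, ssh, unsolicited
```

Running `demo()` shows the two inside hosts leaving on distinct external ports 40000 and 40001, each reply returning to its own host, the second SSH forwarding rule being refused, and an unsolicited inbound packet with no state and no rule being dropped.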