What is Network Address Translation (NAT)?
Network Address Translation (NAT) is a technique whereby an IP address in one network is translated to another IP address, typically when communicating between internal and external networks. NAT is widely used to shield internal networks, conserve IP addresses and enable routing.
In OT networks, NAT helps connect isolated networks to management networks, remote access or cloud services — without changing the internal IP scheme.
🧠 How does NAT work?
- Hiding internal IPs
- Devices on the local network use private IP addresses (such as 192.168.x.x)
- These are translated by a NAT router to one or more public IP addresses
- Translation table (mapping)
- The NAT device tracks which internal address corresponds to which external address
- For return traffic, the correct internal device is reached
- Types of NAT
- SNAT (Source NAT): rewrites the source address → typically for outbound traffic
- DNAT (Destination NAT): rewrites the destination address → used for port forwarding
- PAT (Port Address Translation): multiple internal hosts via a single IP using different ports
🏭 Application in industrial networks
- Connecting an OT Network to IT without IP address overlap
- Remote access to specific PLCs or HMIs via Firewall or VPN with DNAT
- DMZ architectures and IDMZ with port forwarding
- Reuse of standard IP schemes by OEMs with on-site local NAT
- Connecting multiple OEM machines with identical subnets via NAT on a Router or Firewall
NAT provides flexibility without major changes to existing configurations.
🔍 Benefits and limitations
| Benefit | Limitation |
|---|---|
| IP conservation (e.g. one public IP) | Harder for peer-to-peer communication |
| Isolation of internal networks | Monitoring can become more complex |
| Flexible network architecture | NAT makes traffic less transparent |
| Easy to implement | Not always suitable for protocols such as OPC Classic |
OPC UA and MQTT are more NAT-friendly than older industrial protocols.
🔐 Security considerations
- NAT masks internal addresses → reduces the attack surface
- Combine with Firewall and Access Control for optimal protection
- Use Logging and Audit to trace NAT traffic
- Take care with bidirectional communication: NAT can block traffic if it is not correctly configured
- NAT must not be regarded as a substitute for security
📌 In summary
Network Address Translation (NAT) translates IP addresses and enables secure, flexible communication between OT and IT networks. It is useful for remote access, network separation and IP management in industrial environments.