What is NAT?
Is a mechanism that has being in use for a while due to lack of IPv4 addresses. Basically it translates IP and port from a network to another port (and possibly another IP) of the outter network.
Here is an example:
This has being used by ISPs (Internet Service Providers) so they only need to give a public IP to their customers, so they have a private network at home (usually 192.168.x.0/24) that gets translated through NAT to the router’s public IP.
This has a small inconvenience for end users, if you want to expose any service to internet you need to configure port forwarding so when a request on a specific port gets forwarded to an IP from the private network. Here is an example with a web server on port 80:
How CGNAT differs from NAT?
Also known as NAT444 consists on a Private-Private-Public architecture, summarizing it’s NAT but at a larger scale by using a single public IP for multiple customers. Additionally RFC-6598 specifies a reserved IPv4 range for such purpose (100.64.0.0/10).
Here is a diagram to illustrate CGNAT:
There is a clear disadvantage of being inside CGNAT, contrary to NAT now we cannot expose our own services to internet. Even if we forward ports to our outter router interface that is still a private network, hence not publicly available, and in most cases it isn’t accesible through other clients inside the same CGNAT network (due to internal ISP policies).
Created a sample Packet Tracer scenario with two web servers, one inside CGNAT and other under regular NAT. Both servers have port forwarding configured but only the one under NAT is accesible from internet.
Here is an overview of the scenario:
As explained before we can access
CLIENT as expected:
However we can’t access
SRV-2 as expected:
You can also download the packet tracer environment, if you want to try