Definition of the Day: NAT and Public vs. Private IP addresses ~ Ask The Admin

Tuesday, September 11, 2007

Definition of the Day: NAT and Public vs. Private IP addresses

So a lot of my end users don't know what NAT is. And if you haven't guessed it, it's not what is pictured on the left! Most end users have no idea what the difference is between their external and internal IP addresses, or public vs. private. Chances are they will never know unless they try to connect to their desktop remotely, and even then, FAT CHANCE. They will come and ask you to set it up for them! Isn't that what an Admin is for? (...mutters RTFM under breath...)

I get calls rather frequently since we started letting key users use MSTSC to connect to an RDP session. In fancy terms, they open a Remote Desktop Connection and work as if they were in front of their machine. Your external IP is the one that comes in handy when you are connecting in from outside with MSTSC, pcAnywhere, VNC or other similar products.

I have seen it all, from the user going to and trying that, to a user trying to change their local IP to "Something They Can Remember" LOL! It was set to Do Not Do This. I repeat, DO NOT DO THIS! It's funny as fuck but not functional at all.

So here I go trying to break it down real simple like:

Your machine has an IP address on it that allows you to connect to your internal network. These addresses usually look something like 192.168.x.x or 10.0.0.x. These addresses cannot be reached from outside your network; they are INTERNAL addresses, or PRIVATE addresses. If you want to connect to this INTERNAL address from the outside you need a NAT (Network Address Translation) rule, or a 1-to-1 NAT, which maps one public address straight onto one internal address.

You set this up on your firewall, router or default gateway. If you have a cable modem or DSL, chances are you have a single dynamic IP that changes every so often. But if you have a bigger line like a T1 or 10 Mb, you should have been given a net block, probably 4 public addresses.

If you are not sure contact your ISP.
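To make the "simple like" version concrete, here is an added example (my own toy code, not anything from the original post or from any router vendor) of what the box at your default gateway actually does. Every address in it is constructed for illustration: 203.0.113.10 stands in for the single public IP the ISP gave you, 192.168.1.x is the inside LAN, and the port numbers are invented. It models the two things the post mentions: ordinary outbound NAT, where every inside machine shares the one public IP, and a static forward (the "1 to 1" rule) that lets an outside machine reach one inside desktop on the RDP port.

```python
# Added example, not from the original post: a toy model of what a home router
# or firewall does when it performs NAT. All addresses here are constructed for
# illustration; 203.0.113.10 is a documentation-range address standing in for
# the single public IP an ISP hands out.
import ipaddress
from dataclasses import dataclass

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr_text):
    """True if the address is in one of the RFC 1918 private blocks."""
    addr = ipaddress.ip_address(addr_text)
    return any(addr in net for net in RFC1918)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Nat:
    """Many-to-one NAT (masquerading) for outbound flows plus static inbound
    port-forward rules (the 1-to-1 mapping the post talks about)."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.outbound = {}   # (private src, sport, dst, dport) -> public port
        self.inbound = {}    # public port -> (private src, sport)
        self.forwards = {}   # public port -> (private host, port), static rules

    def add_forward(self, public_port, private_host, private_port):
        """Static rule: traffic arriving on public_port goes to one inside host."""
        self.forwards[public_port] = (private_host, private_port)

    def translate_outbound(self, pkt):
        """Rewrite a LAN-originated packet to carry the public IP, remembering the flow."""
        if not is_rfc1918(pkt.src):
            return pkt  # already routable on the Internet; nothing to translate
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.outbound:
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[port] = (pkt.src, pkt.sport)
        return Packet(self.public_ip, self.outbound[key], pkt.dst, pkt.dport)

    def translate_inbound(self, pkt):
        """Map a packet arriving at the public IP back to an inside host, or drop it (None)."""
        if pkt.dst != self.public_ip:
            return None
        if pkt.dport in self.inbound:          # reply to a flow an inside host opened
            host, port = self.inbound[pkt.dport]
            return Packet(pkt.src, pkt.sport, host, port)
        if pkt.dport in self.forwards:         # explicit forward / 1-to-1 rule
            host, port = self.forwards[pkt.dport]
            return Packet(pkt.src, pkt.sport, host, port)
        return None                            # unsolicited and no rule: dropped


def demo():
    """Walk one outbound flow, its reply, a forwarded RDP connection and a stray packet."""
    nat = Nat("203.0.113.10")
    nat.add_forward(3389, "192.168.1.20", 3389)   # RDP to one chosen desktop
    out = nat.translate_outbound(Packet("192.168.1.5", 51000, "198.51.100.7", 80))
    reply = nat.translate_inbound(Packet("198.51.100.7", 80, "203.0.113.10", out.sport))
    rdp = nat.translate_inbound(Packet("198.51.100.7", 55555, "203.0.113.10", 3389))
    stray = nat.translate_inbound(Packet("198.51.100.7", 55555, "203.0.113.10", 22))
    return out, reply, rdp, stray


if __name__ == "__main__":
    for p in demo():
        print(p)
```

The last call in `demo()` is the whole point of the post in one line: a packet that shows up at the public IP for a port nobody inside opened and nobody wrote a rule for goes nowhere. That is why a user typing their 192.168.x.x address into MSTSC from home gets nothing, and why the admin has to add the forward rule on the gateway before the public IP is of any use to them.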

Here is some more information I have gathered for a more detailed explanation (not real simple like):


Our current IP number system is referred to as "IPv4". To give the simplest explanation, IP numbers, like can be described as phone numbers, and "fully qualified names" like can be described as the name of the device at that number. The DNS service, or "Domain Name Server", is a software system for keeping track of which name is equivalent to which number, and vice versa, much like the phone book.

Let's think about the telephone system. Joe Smith has a telephone number of 323-555-1234, and Mary Jones has a telephone number of 323-555-1987. If Joe needs to call Mary but doesn't know her number, he could dial 411 and ask for the number for Mary Jones. The operator may reply that there is more than one listing for a Mary Jones, so he needs to be more specific and provide an address. He then tells her he needs the number for the Mary Jones at 123 Main St., of which there is only one listing, and he gets the number. Conversely, Mary Jones might be looking at her telephone bill, see a call to 323-555-1234 and wonder who she was talking to. Mary could look through her Rolodex until she found the number, and she would see that she had called Joe Smith.

The internet uses a very similar system, the combination of IP numbers and "fully qualified domain names", and the DNS server is the "411 service" keeping track of the matching records between the two. When a person using a computer needs to connect in some way to someone else's computer, they need to either know the IP number (like a phone number) of that computer, or they need to know the fully qualified domain name (like a person's name along with their street address) of that computer so the DNS system can look up its IP number and return it to the requestor (just like the 411 operator does). IP numbers are structured as 4 numbers, from 0 to 255, each separated by a dot. is just as valid a number as or

"Fully Qualified Domain Names" are much like a name along with an address, and can vary widely in their structure, but the most common are in the form "host.domain.extension". "host" is the "name" you or your system administrator has assigned to your computer, like "receptionist", and "domain.extension" is like a virtual "area" in which your computer can be found, like A domain name like "" is very similar to the "areacode-prefix" combination used by phone companies to identify which region of the city your number is in, and which switching center your number is handled out of. "323-465" tells Pacific Bell that a number is in the "North and West of Downtown LA" area (323), and served from the Hollywood #1 switch center (465) along with many other prefixes. "" tells the network world that your computer is in the "area code" handled by BigCompany Inc., and "receptionist" tells the network world which computer inside that "area" to look up when looking for (or "resolving") an IP number from a fully qualified name. Therefore, when a computer program looks to the DNS server for the IP number assigned to "", the correct IP number is returned. If the computer program in question were to simply query the DNS for a computer called "receptionist", there might be thousands and thousands out there, and no way to resolve which one is which without the "street address" of the one you're looking for, in this case "".

The name structure within a company can be varied to show more breakdown or to organize computers into department specific groups, like "". The setup and system for the prefix to a company's domain name is up to the administrator at the company and/or their internet service provider to decide on and implement.


Private IP numbers are the source of much confusion for many new networking users. Many home "power users" with more than one computer, small offices, and just about any user of a broadband IP connection to the internet like DSL or Cable Modem have probably come face to face with this issue. The whole use of IP numbers is generally hidden from your typical Internet user who uses a modem and PPP software to connect to the internet: they are transparently and dynamically assigned an IP number by their ISP while they are dialed in, and don't really have to think about it. That is, until the user starts to get curious about running a web server on a machine in their house, or moving up to faster "always on" connections like ISDN, DSL, Cable Modem, or other methods.

Think about what happens when a small city runs out of phone numbers, but can't split up an area code. Things could get difficult, and providing additional phone service as the city expands would be a nightmare. One method of preventing an area from going totally overboard on providing separate phone numbers is to have one or a handful of numbers used in a shared manner amongst many phone users, like any large office would do. A large company with 250 workers in an office building, each with a phone at their desk, wouldn't want to pay the phone company for 250 discrete and separate lines for each desk, nor would the phone company want to give all those numbers to them if they were trying to conserve numbers. Therefore, offices use internal equipment to "share" a smaller number of lines amongst their users, like maybe 20 or so used in rotary. By doing so, each desk can have an inter-office extension number, which is bridged to an outside phone company line when the user picks one up to dial out and one is free at that moment. In this case, any number of offices in the city might have an "extension 123" within their office, but each "extension 123" in these offices would never conflict with the others because they are "behind" the company's phone equipment, which serves up the company's outside lines to those extensions when needed. The internal office extensions can communicate with each other perfectly fine, but must be connected to an outside line to reach an extension at the company across the street. 213-555-1200 through 1210 would be BigCompany, Inc.'s "public" phone lines, and extensions 1 through 250 would be BigCompany, Inc.'s "private" phone lines.

IP protocol networks use a system very similar to the above to prevent the world from running out of IP addresses. Even though 0-255.0-255.0-255.0-255 is technically 4,228,250,625 numbers, the usable amount of numbers is much lower due to certain types of numbers being set aside for special signalling and identification uses and not for typical "device" identification and traffic. Also consider that just about EVERY device that will handle IP traffic must have a unique number, and there are probably just as many routing, switching and serving devices on "the net" as there are actual computers. Add all that up and one can see how the current IP number structure really doesn't go all that far, and there is a need for computers and devices in certain groups to be able to use "private extensions" that work behind a group's "public numbers", just like the large company office example above.

The organizations that agree on the technical standards behind the IP protocol have issued a standard for "Private IP number blocks", or numbers that can be used within an enterprise as long as the enterprise has the technical capability to separate those private IP numbers from the rest of the Internet at large, and properly gateway the traffic between the internal stations at the enterprise in question and the public Internet. For example, when a large company with 200 computers in the office needs to implement IP networking and connectivity both between the computers in the office *AND* supply inbound and outbound connectivity to the Internet from within their office network, that company would avail themselves of a block of IP numbers within the "private" numbers set aside for just that purpose. There are most certainly many other computers somewhere in the world using your IP number if your IP number is one of these private numbers, but both yours and the other private IP numbers in the world are safely operated behind other IP routing equipment which handles all the internal network's traffic out to and in from the public Internet, just like all the "extension 105" numbers in offices throughout the world are safely operated behind telephone equipment that bridges those extensions inbound and outbound through a given office's public telephone system number.

The private IP addresses that you assign for a private network (inter-office LAN, Internet Service Provider customer bases, campus networks, etc.) should fall within the following three blocks of the IP address space:

to , which provides a single Class A network of addresses (would use subnet mask ; up to 16,777,215 addresses; good for VERY large enterprises like internet service providers or other global deployments)

to , which provides 16 contiguous Class B network addresses (would use subnet mask ; up to 1,048,576 addresses; good for large enterprises like colleges and governmental organizations)

to , which provides up to 2^16 Class C network addresses (would use subnet mask ; up to 65,536 addresses; widely used by default in consumer/retail networking equipment)
Explanation of Subnet masks, Network classes, and other technical info is readily available on the internet.

Click here (updated - .pdf file) for an example page showing how the University of Michigan uses private IP numbers in their networking strategy.

Click here to read the Internet standards document RFC 1918, "Address Allocation for Private Internets".

From Wikipedia - IPv6. IPv6 is the future improvement and extension of IPv4 (our current IP number system). The change is already happening although slowly. With IP numbers under IPv4 growing ever more scarce, IPv6 is bound to creep into your computing life...

Google Search - Link-Local IP numbers. Ever wonder why your Macintosh seems to have a strange IP number starting with 169.254, and you can't connect to the internet? There really is a good reason. Quoting from Wikipedia: "A second type of private network is the link-local address range codified in RFCs 3330 and 3927. The intention behind these RFCs is to provide an IP address (and by implication, network connectivity) without a DHCP server being available and without having to configure a network address manually. The subnet 169.254/16 has been set aside for this. If a network address cannot be obtained via DHCP, an address from to is assigned randomly. The standard prescribes that address collisions must be handled gracefully. The subnets 169.254.0/24 and 169.254.255/24 have been set aside for future use. As with the private network addresses defined in RFC 1918, packets from this subnet must not be routed to the internet at large."
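Since the three RFC 1918 blocks above and the 169.254 link-local range are exactly what you end up eyeballing when a user reads their ipconfig output down the phone, here is an added example (my own code, not from the original post, Wikipedia or the RFCs) that classifies an IPv4 address against those ranges and reports the subnet mask and size of the block it sits in. The block list comes straight from RFC 1918 and RFC 3927; the sample addresses in the demo are constructed.

```python
# Added example, not from the original post: classify an IPv4 address against the
# three RFC 1918 private blocks and the RFC 3927 link-local block, and report the
# subnet mask and size of the block it falls in. Sample addresses are constructed.
import ipaddress

PRIVATE_BLOCKS = {
    "10.0.0.0/8":     "one Class A-sized block",
    "172.16.0.0/12":  "16 contiguous Class B-sized blocks",
    "192.168.0.0/16": "256 Class C-sized blocks",
}
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")  # self-assigned when DHCP fails


def classify(addr_text):
    """Return a dict saying where addr_text sits: private, link-local, loopback or public."""
    addr = ipaddress.ip_address(addr_text)
    if addr.version != 4:
        return {"kind": "not-ipv4", "address": str(addr)}
    for cidr, desc in PRIVATE_BLOCKS.items():
        net = ipaddress.ip_network(cidr)
        if addr in net:
            return {"kind": "private", "address": str(addr), "block": cidr,
                    "netmask": str(net.netmask), "addresses": net.num_addresses,
                    "note": desc + " (RFC 1918); reachable from outside only through NAT"}
    if addr in LINK_LOCAL:
        return {"kind": "link-local", "address": str(addr), "block": str(LINK_LOCAL),
                "netmask": str(LINK_LOCAL.netmask), "addresses": LINK_LOCAL.num_addresses,
                "note": "RFC 3927 self-assigned address; usually means no DHCP lease was obtained"}
    if addr.is_loopback:
        return {"kind": "loopback", "address": str(addr)}
    return {"kind": "public", "address": str(addr)}


def summarize(addrs):
    """One line per address, the way you would read them back to a user."""
    rows = []
    for c in map(classify, addrs):
        rows.append(f"{c['address']:<16} {c['kind']:<10} {c.get('block', ''):<16} {c.get('netmask', '')}")
    return rows


if __name__ == "__main__":
    # Constructed sample: note 172.32.0.1 is NOT private, a common mix-up with 172.16/12.
    for line in summarize(["10.1.2.3", "172.31.255.254", "172.32.0.1", "192.168.1.1",
                           "169.254.10.20", "127.0.0.1", "8.8.8.8"]):
        print(line)
```

The explicit block list is deliberate: Python's `ipaddress` has an `is_private` property, but it is broader than RFC 1918 (it also flags loopback, link-local and the documentation ranges), so relying on it would lump a 169.254 "no DHCP" address in with a genuinely NATed one, which is the exact distinction you want when troubleshooting. The 172.32.0.1 entry in the demo is there because "anything starting with 172 is private" is the single most common mistake I hear; only 172.16.0.0 through 172.31.255.255 is.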

Hope that cleared it up for ya? If all else fails send us your question and we will get you all fixed up - real quick like. Ya Heard?