What is Carrier Grade NAT (CGN/CGNAT)?

Carrier Grade Network Address Translation (CGN or CGNAT), also known as Large Scale NAT (LSN), is an extension of traditional Network Address Translation (NAT) technologies for large scale networks and Internet Service Providers (ISPs).  CGN provides a solution to relieve IPv4 exhaustion and is an integral part of IPv6 migration.  The adoption of Carrier Grade NAT is mainly due to the ability to share a global (public) IP address among multiple remote sites.

Standard NAT

Network Address Translation technology appeared soon after Internet usage exploded in the early 1990’s. The Internet Protocol (IP) version 4 addressing scheme was not designed to scale and IP address depletion became a serious issue. About this time, both IP version 6 (IPv6) and NAT appeared as solutions for this dilemma.

NAT provides a translation technology which allows multiple end customers to use common and overlapping private address ranges internally. Any number of end customers can use the same Private address ranges. To route to external Internet IP addresses, NAT translates private IP address to public IP addresses. Each customer could be provided a single or a small range of public IP addresses to support hundreds to thousands of internal machines.

This technology is commonly referred to as NAT44 for Network Address Translation from IPv4 to IPv4 addresses. The diagram below depicts a simplified diagram of a NAT Customer Premises Equipment (CPE) gateway translating private addresses to public addresses.

Standard NAT – Translating Private IP to Public IP Addresses
Standard NAT – Translating Private IP to Public IP Addresses

NAT deployments reduced the problem of IPv4 address depletion, though the expansion of the Internet continued to accelerate.

NAT deployments soon expanded beyond business networks to other network customers including home and mobile networks. Each customer CPE required a public IP address, and Internet address completion became dire. Internet Service Providers required a technology to stretch the limited pool of Public IP addresses.

Carrier Grade NAT

CGN was developed to allow Internet Service Providers to use public IP addresses to support ever more end customers.

Standard NAT or NAT44 translates Private to Public IP addresses. One major function of CGN is NAT444. NAT444 translates Private to Private IP addresses, then to Public IP addresses.  ISPs using CGN were able to replace Public IP addresses with Private IP addresses on customer’s CPE devices. This allows multiple customer networks to share a common Public IP address.

The diagram below shows three customer networks using private IP addresses on the Internet facing network ports. The NAT444 (Private, Private, Public) feature of CGN allows multiple end customers to share a single Public IP Address.

CGN implementation of NAT444, Private to Private to Public NAT
CGN implementation of NAT444, Private to Private to Public NAT

With CGN, Internet Service Providers, Carriers and Mobile Network Providers can provide services to large groups of customers. This is why CGN is often called Large-Scale NAT (LSN).


NAT64 is a technology where IPv6-only clients can still access legacy IPv4-only content. The NAT64 device mediates between the client’s DNS requests (using DNS64), and synthesizes an IPv6 DNS response, if one does not exist. Then, the NAT64 will mediate between the IPv4-only webserver and the IPv6-only client.

For more information about the IPv6 transition for carriers, refer to the Internet Engineering Task Force (IETF) specification An Incremental Carrier-Grade NAT (CGN) for IPv6 Transition.

NAT Challenges

IP was originally designed with an “End-to-End Principle for Networking”. Application protocols often expect to communicate directly without intermediate systems modifying the packet headers or payload. NAT clearly modifies packet headers, the IP addresses at the very least. Other protocols attempt to make reverse connections on alternate ports.

NAT breaks these protocols. Some of the more common protocols are:

Application Level Gateway (ALG) is a technology developed to solve these problems. ALG has application level intelligence of these protocols and modify the packet headers and payload to conform to the protocol.

Other network issues not managed by standard NAT are:

CGN provides transparent NAT connectivity for a device with features such as Endpoint Independent Mapping (EIM), Endpoint Independent Filtering (EIF), and Hairpinning. Traditional NAT implementations do not allow any traffic that is initiated from the outside (EIM, EIF), or for inside protocols to loop their traffic back to the inside (Hairpinning).

Application Level Gateway and CGN

CGN performs the same NAT functions as standard NAT, so will also cause the same network protocol problems, therefore ALG is a critical function for any CGN solution.

Carrier Requirements for Carrier Grade NAT

Carrier networks, business enterprises and ISPs require capabilities which are not as critical in end-customer and home networks. Carrier infrastructures have high-end requirements for performance, reliability and manageability.

Additional Service Provider Requirements

Internet Service Providers and Mobile Network Providers have additional requirements to support vast numbers of subscribers and an incredibly complex network infrastructure.

Related Terms

How A10 Networks Can Help

A10 has many customers worldwide that have successfully deployed CGN as part of their IPv6 migration strategy. For example, a deployment at one of the nation’s largest mobile carriers uses A10’s CGN solution to maintain IPv4 connectivity for the ever growing mobile and smartphone market. The A10 devices provide a feature-rich CGN solution, and superior high availability because of active session synchronization.

The A10 devices leave the competition behind with large number of features supported, superior processing power, while being extremely cost-efficient (typically 10x to 100x less per subscriber cost versus traditional network vendors). One single A10 device provides more power than multiple hyper-expensive, chassis-based processing cards that are part of large networking vendor’s NAT solutions.

More features and more power out of the box means A10’s CGN solution can fit in and adapt to any growing network. The A10 devices can be easily clustered together, combining the processing power in a way that is easy to administer. Learn more about A10’s IPv4 Preservation & IPv6 Migration product, Thunder CGN.



July 10, 2018

About Robert Keith

Robert has 30 years of experience in IT technology development and infrastructure management. He was the founder of several infrastructure ventures including Intellivence, MaxSP, Sentrik and most recently was the CTO of Iron Networks. As CTO of Iron Networks in San Jose, CA, he worked directly with many companies in the Silicon Valley to design and architect network, security, and cloud solutions. He worked directly with Microsoft engineering in the design of their cloud architectures including storage, Hyper-V, Systems Center and Virtual Networking. He also worked directly with Hortonworks to design a Hadoop deployment and management system using CentOS and many layered software packages. READ MORE