- What is NAT?
- Why Do We Need NAT? (The Problem)
- How NAT Works: The Translation Process
- The Main Types of NAT
- Related Concepts & Real-World Scenarios
- NAT: Advantages and Limitations
- The Future: NAT and IPv6
- Conclusion
- References
## What is NAT?

Network Address Translation (NAT) is a process used by a router (or firewall) to modify the IP address information in packet headers while they are in transit.

At its core, it allows multiple devices on a private network (using private IP addresses like 192.168.x.x or 10.x.x.x) to share a single public IP address to access the internet.

Private IP addresses are not routable on the public internet. NAT is the bridge that makes this communication possible.
## Why Do We Need NAT? (The Problem)

- IPv4 Address Shortage: The primary reason NAT was invented. The IPv4 address space has approximately 4.3 billion unique addresses. With the explosion of devices (PCs, phones, smart TVs, etc.), we quickly ran out. NAT allows a whole home or office of 50+ devices to use just one public IP address, conserving the limited supply.
- Network Security (By Obscurity): NAT inherently hides the internal structure of your private network. An external attacker can only see your router's public IP; they cannot directly "see" or target your laptop, phone, or printer. Note: This is not a replacement for a firewall.
- Network Flexibility: It allows organizations to design their internal networks however they want, using standard private IP ranges, without needing to coordinate with an ISP or worry about conflicts with global IP addresses.
## How NAT Works: The Translation Process

To truly understand NAT, you need to know the four terms it uses to classify addresses. These terms define an address from two perspectives: its location (inside or outside the network) and its visibility (local or global).

- Inside Local: The private IP address of the device inside your network (e.g., your laptop's IP: `192.168.1.10`).
- Inside Global: The public IP address that represents your device to the outside world (e.g., your router's public IP: `80.1.1.100`).
- Outside Local: The IP address of the destination (e.g., a web server) as seen from inside your network. (This is almost always the same as the Outside Global.)
- Outside Global: The true, public IP address of the destination outside your network (e.g., google.com's server IP: `142.250.180.78`).
The router maintains a NAT Translation Table (the receptionist's notepad) to keep track of all active connections. This table is what allows the router to send return traffic to the correct device.

Let's trace a packet leaving your network.

1. Outbound Packet: Your laptop (`192.168.1.10`) wants to visit google.com (`142.250.180.78`). It creates a packet.
   - Source IP: `192.168.1.10` (Inside Local)
   - Destination IP: `142.250.180.78` (Outside Global)
2. NAT Router (Translation): The packet hits your router. The router:
   a. Changes the Source IP to its public address: `80.1.1.100` (Inside Global).
   b. Creates an entry in its NAT table.
   c. Sends the modified packet to the internet.
3. Inbound Packet (The Reply): google.com sends a reply.
   - Source IP: `142.250.180.78`
   - Destination IP: `80.1.1.100` (Your router's public IP)
4. NAT Router (Reverse Translation): Your router receives the reply.
   a. It looks up `80.1.1.100` in its NAT table.
   b. It finds the entry mapping it back to `192.168.1.10`.
   c. It changes the Destination IP to `192.168.1.10` (Inside Local).
   d. It forwards the packet to your laptop.
## The Main Types of NAT

### Static NAT

- What it is: A simple, fixed, one-to-one mapping between a private IP and a public IP.
- How it works: The router is configured with a rule like: "Any traffic for public IP `80.1.1.101` always goes to private IP `192.168.1.50`."
- Use Case: Hosting a public-facing server. If you run a web server on your private network, you need a static NAT entry so that external users can reliably connect to it.
### Dynamic NAT

- What it is: Maps private IP addresses to a pool of available public IP addresses.
- How it works: The router has a group of public IPs (e.g., `80.1.1.100` to `80.1.1.105`). When an internal device wants to go online, the router "checks out" an available IP from the pool and assigns it for the duration of the session.
- Limitation: You can still run out of public IPs if more devices try to connect than you have IPs in the pool.
- Use Case: Common in older business networks before PAT became dominant.
### Port Address Translation (PAT)

- What it is: This is the most common form of NAT, also called NAT Overload. It maps many private IPs to a single public IP.
- How it works: It uses port numbers to differentiate traffic. This is the "receptionist + extension number" concept.
  - When your laptop and phone (two different private IPs) both connect to google.com at the same time, the router assigns a unique source port to each connection.

The NAT table now tracks ports, allowing a single public IP to handle thousands of connections.
| Inside Local IP | Inside Local Port | Inside Global (Public) IP | Inside Global (Public) Port |
|---|---|---|---|
| 192.168.1.10 | 5000 | 80.1.1.100 | 62000 |
| 192.168.1.11 | 5001 | 80.1.1.100 | 62001 |
When a reply comes back to 80.1.1.100 on port 62000, the router knows to send it to 192.168.1.10.
When a reply comes back to 80.1.1.100 on port 62001, the router knows to send it to 192.168.1.11.
- Use Case: This is what your home router uses right now.
## Related Concepts & Real-World Scenarios

### Port Forwarding

- What it is: This is how you allow external devices to initiate a connection to a specific device inside your PAT network.
- How it works: You create a rule on your router that says, "Any incoming traffic on public port `3389` (Remote Desktop) should be forwarded to internal device `192.168.1.50` on port `3389`."
- Use Case: Hosting a game server, accessing a security camera, or using Remote Desktop to access your PC from outside.
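The four-step translation walk-through, the PAT table with its two rows, and the port-forwarding rule above can all be exercised in one small simulation. The following Python is an added example, not code from the article: it uses the article's addresses (`192.168.1.10`, `192.168.1.11`, `80.1.1.100`, `142.250.180.78`, public ports `62000` and `62001`, RDP forwarded to `192.168.1.50`); the `PatRouter` and `Packet` classes, the remote scanner address `203.0.113.9`, and the destination port `443` are this example's own constructions. Unlike the four-column table in the text, the router here also records the remote endpoint of each connection, so a reply is only accepted from the host the connection was opened to; that is what most real routers do, and it is why an unsolicited packet to a mapped port is dropped while traffic to a forwarded port gets through.

```python
"""Added example: a tiny PAT (NAT overload) router with one port-forwarding rule.

Traces the article's walk-through: laptop 192.168.1.10 and phone 192.168.1.11
both reach 142.250.180.78 through public IP 80.1.1.100, an unsolicited inbound
packet is dropped, and a static rule forwards public port 3389 to 192.168.1.50.
Addresses are the article's examples; class and function names are this example's own.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class PatRouter:
    public_ip: str                      # the router's Inside Global address
    next_public_port: int = 62000       # first port handed out (matches the article's table)
    # (inside local ip, inside local port, remote ip, remote port) -> public port
    outbound: Dict[Tuple[str, int, str, int], int] = field(default_factory=dict)
    # (public port, remote ip, remote port) -> (inside local ip, inside local port)
    inbound: Dict[Tuple[int, str, int], Tuple[str, int]] = field(default_factory=dict)
    # static port-forwarding rules: public port -> (inside ip, inside port)
    forwards: Dict[int, Tuple[str, int]] = field(default_factory=dict)

    def add_port_forward(self, public_port: int, inside_ip: str, inside_port: int) -> None:
        """Port forwarding: any external host may initiate to inside_ip:inside_port."""
        self.forwards[public_port] = (inside_ip, inside_port)

    def translate_outbound(self, pkt: Packet) -> Packet:
        """Step 2 of the article: rewrite the source, record the mapping, forward."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.outbound:
            pub_port = self.next_public_port
            self.next_public_port += 1
            self.outbound[key] = pub_port
            # Remember the remote endpoint too, so only its replies are let back in.
            self.inbound[(pub_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, self.outbound[key], pkt.dst_ip, pkt.dst_port)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Step 4 of the article: look the public port up and rewrite the destination.
        Returns None when nothing matches: the 'dropped as a byproduct' case."""
        if pkt.dst_ip != self.public_ip:
            return None
        target = self.inbound.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if target is None:
            target = self.forwards.get(pkt.dst_port)   # static rule for unsolicited traffic
        if target is None:
            return None
        inside_ip, inside_port = target
        return Packet(pkt.src_ip, pkt.src_port, inside_ip, inside_port)

    def table(self) -> List[Tuple[str, int, str, int]]:
        """The NAT table in the four-column form the article draws."""
        return sorted(
            (ip, port, self.public_ip, pub) for (ip, port, _, _), pub in self.outbound.items()
        )


def demo() -> dict:
    router = PatRouter(public_ip="80.1.1.100")
    router.add_port_forward(3389, "192.168.1.50", 3389)
    google = ("142.250.180.78", 443)               # destination port 443 is a constructed choice

    laptop_out = router.translate_outbound(Packet("192.168.1.10", 5000, *google))
    phone_out = router.translate_outbound(Packet("192.168.1.11", 5001, *google))

    # Replies come back addressed to the public IP and the ports just handed out.
    laptop_reply = router.translate_inbound(Packet(google[0], google[1], "80.1.1.100", 62000))
    phone_reply = router.translate_inbound(Packet(google[0], google[1], "80.1.1.100", 62001))

    # Unsolicited probe from some other host (203.0.113.9 is a constructed address):
    # no table entry, so it is dropped.
    probe = router.translate_inbound(Packet("203.0.113.9", 40000, "80.1.1.100", 62000))
    # Unsolicited RDP connection: the static rule forwards it inside.
    rdp = router.translate_inbound(Packet("203.0.113.9", 40001, "80.1.1.100", 3389))

    return {
        "laptop_out": laptop_out, "phone_out": phone_out,
        "laptop_reply": laptop_reply, "phone_reply": phone_reply,
        "probe": probe, "rdp": rdp, "table": router.table(),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running it prints the two translated outbound packets, the two replies rewritten back to `192.168.1.10:5000` and `192.168.1.11:5001`, `None` for the probe, the RDP packet rewritten to `192.168.1.50:3389`, and the same two table rows the article shows.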
### Carrier-Grade NAT (CGNAT)

- What it is: This is when an Internet Service Provider (ISP) places its customers behind a NAT.
- How it works: You don't get a unique public IP. Instead, your router's "public" IP is actually a private IP from the ISP's network (e.g., `100.64.x.x`). You and your neighbors all share a real public IP. This is called Double NAT.
- Why it matters: It makes Port Forwarding impossible and breaks many online games and P2P applications.
### NAT Traversal

- The Problem: NAT breaks applications that rely on end-to-end connectivity, like VoIP (Voice over IP), P2P file sharing, and online gaming. The application needs to know its own public IP and port, but it only knows its private one.
- The Solution: NAT Traversal is a collection of techniques to get around this.
  - STUN (Session Traversal Utilities for NAT): A simple tool that lets a device ask an external server, "What's my public IP and port?"
  - TURN (Traversal Using Relays around NAT): A relay server used as a last resort. If a direct P2P connection fails, both devices send their traffic to the TURN server, which relays it.
  - ICE (Interactive Connectivity Establishment): The "manager" protocol that uses STUN and TURN to find the most efficient path for communication.
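The STUN question "What's my public IP and port?" has a concrete wire format (RFC 5389): the client sends a 20-byte Binding Request, and the server answers with a Binding Success Response carrying an XOR-MAPPED-ADDRESS attribute, which is the source address and port the server saw, i.e. the client's Inside Global address and port after PAT. The following Python is an added example, not code from the article or from any STUN library: it builds the request, and parses a response that is constructed locally (so it runs offline) to report the article's example mapping `80.1.1.100:62000`. The message type, magic cookie and attribute codes are the RFC's values; the function names and the fixed transaction ID are this example's own.

```python
"""Added example: a STUN Binding exchange on the wire (RFC 5389, IPv4 only).

The client cannot see its own Inside Global address; the STUN server reports it
back, XORed with the magic cookie in an XOR-MAPPED-ADDRESS attribute. The response
here is constructed locally so the example runs with no network access.
"""
import os
import socket
import struct
from typing import Optional, Tuple

MAGIC_COOKIE = 0x2112A442            # fixed value in every STUN header (RFC 5389)
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_XOR_MAPPED_ADDRESS = 0x0020
FAMILY_IPV4 = 0x01


def build_binding_request(transaction_id: Optional[bytes] = None) -> bytes:
    """20-byte STUN header with no attributes: type, length, magic cookie, transaction ID."""
    if transaction_id is None:
        transaction_id = os.urandom(12)   # a real client picks a random 96-bit ID
    if len(transaction_id) != 12:
        raise ValueError("transaction ID must be 12 bytes")
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + transaction_id


def build_binding_response(transaction_id: bytes, public_ip: str, public_port: int) -> bytes:
    """What the server sends back; used here only to construct offline test input."""
    x_port = public_port ^ (MAGIC_COOKIE >> 16)                       # port XOR top 16 cookie bits
    x_addr = struct.unpack("!I", socket.inet_aton(public_ip))[0] ^ MAGIC_COOKIE
    value = struct.pack("!BBHI", 0, FAMILY_IPV4, x_port, x_addr)      # reserved, family, X-Port, X-Address
    attr = struct.pack("!HH", ATTR_XOR_MAPPED_ADDRESS, len(value)) + value
    return struct.pack("!HHI", BINDING_SUCCESS, len(attr), MAGIC_COOKIE) + transaction_id + attr


def parse_binding_response(data: bytes, expected_txn: bytes) -> Tuple[str, int]:
    """Return (public_ip, public_port) from a Binding Success Response, or raise ValueError."""
    if len(data) < 20:
        raise ValueError("short STUN message")
    msg_type, length, cookie = struct.unpack("!HHI", data[:8])
    txn = data[8:20]
    if cookie != MAGIC_COOKIE or msg_type != BINDING_SUCCESS:
        raise ValueError("not a Binding Success Response")
    if txn != expected_txn:
        raise ValueError("transaction ID mismatch: reply to a request we did not send")
    if len(data) != 20 + length:
        raise ValueError("length field does not match message size")
    pos = 20
    while pos + 4 <= len(data):
        attr_type, attr_len = struct.unpack("!HH", data[pos:pos + 4])
        value = data[pos + 4:pos + 4 + attr_len]
        if len(value) != attr_len:
            raise ValueError("truncated attribute")
        if attr_type == ATTR_XOR_MAPPED_ADDRESS:
            if attr_len < 8:
                raise ValueError("XOR-MAPPED-ADDRESS too short")
            _, family, x_port, x_addr = struct.unpack("!BBHI", value[:8])
            if family != FAMILY_IPV4:
                raise ValueError("only IPv4 is handled in this example")
            port = x_port ^ (MAGIC_COOKIE >> 16)
            ip = socket.inet_ntoa(struct.pack("!I", x_addr ^ MAGIC_COOKIE))
            return ip, port
        pos += 4 + ((attr_len + 3) & ~3)   # attribute values are padded to 4-byte boundaries
    raise ValueError("no XOR-MAPPED-ADDRESS in response")


def demo() -> Tuple[bytes, Tuple[str, int]]:
    txn = bytes(range(12))                                         # constructed, fixed for the demo
    request = build_binding_request(txn)
    response = build_binding_response(txn, "80.1.1.100", 62000)   # what the server would send
    return request, parse_binding_response(response, txn)


if __name__ == "__main__":
    req, (ip, port) = demo()
    print("request:", req.hex())
    print("server saw us as", ip, port)
```

The transaction ID check matters in practice: a client behind NAT sends many requests and must only trust the reply that matches one it sent. To use this against a real server, send `build_binding_request()` over UDP to the server's port 3478 and pass the datagram you receive to `parse_binding_response()` with the same transaction ID.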
## NAT: Advantages and Limitations

### Advantages

- Conserves IPv4 addresses: The primary and most important benefit.
- Network Flexibility: Simplifies internal IP address management.
- Basic Protection: Hides internal IPs from casual external scanning.
### NAT vs. Firewall

Many people believe NAT is a firewall. It is not.

- A NAT's job is to translate addresses. It blocks unsolicited incoming traffic as a byproduct because it has no entry in its table for that traffic (it doesn't know which internal device to send it to).
- A Stateful Firewall's job is to inspect traffic. It actively tracks the state of connections (e.g., `NEW`, `ESTABLISHED`, `RELATED`) and applies rules. It can block specific types of traffic, even if it's part of an established connection.

All modern home routers combine NAT with a stateful firewall, but they are two separate functions.
### Limitations

- Breaks the End-to-End Principle: The core idea of the internet was that any device could talk directly to any other device. NAT breaks this, acting as a middleman.
- Application Complexity: As seen with NAT Traversal, it adds a huge layer of complexity for applications like VoIP and P2P.
- Troubleshooting: Makes troubleshooting more difficult because the IP address is being changed in transit.
- Hides the Source: Can make it harder to trace malicious activity, as many users are hidden behind a single IP.
## The Future: NAT and IPv6

IPv6 was created specifically to solve the IPv4 address shortage. It has a massive address space (3.4 x 10^38 addresses), which is enough for every device on earth to have its own unique public IP.

- In a pure IPv6 world, NAT is not needed for address conservation.
- Every device can have a public IP, restoring the end-to-end principle.
- Security is handled by dedicated firewalls, which is the correct way to do it.

While NAT is technically not required, a similar process called NPTv6 (Network Prefix Translation) is sometimes used for a different reason: to easily "renumber" a whole network if an organization changes its ISP. It is not for address conservation.
## Conclusion

NAT (and especially PAT) was a clever and necessary "patch" that saved the IPv4 internet from collapsing under its own success. It allowed the internet to continue growing for decades while we ran out of addresses.

While it adds complexity and breaks the original end-to-end model, it's a fundamental piece of any modern network. Understanding NAT is crucial for anyone in IT, networking, or cybersecurity. As the world slowly transitions to IPv6, NAT's role will diminish, but it will remain a critical legacy technology for years to come.