Geekflare is supported by our audience. We may earn affiliate commissions from buying links on this site.
In Security Last updated: August 24, 2022
Share on:
Invicti Web Application Security Scanner – the only solution that delivers automatic verification of vulnerabilities with Proof-Based Scanning™.

Network Address Translation (NAT) is a powerful method that individuals and organizations can use to establish a secure, cost-effective, simple connection to the internet.

NAT provides not only security but also flexibility, scalability, and speed of communicating with the web.

Using NAT will also ensure you are contributing to conserving public IP addresses.

But what is NAT exactly, and why should you bother understanding or using it?

In this article, I’ll answer that.

So, let’s start by defining NAT.

What Is Network Address Translation (NAT)?

Network Address Translation (NAT) is mapping a range of IP addresses into another by changing the network address data when it’s in transit.

In other words, NAT enables a unique (Internet Protocol) IP address to represent one or a group of computers. This means multiple devices publicly share one IP address in a network, even when they have private IP addresses in the same network.

Initially, this method was used to eliminate the need for assigning a new IP address to each host separately in case the upstream ISP (Internet Service Provider) was changed, or a network was relocated. Still, the network’s IP address remains the same.

Interestingly, a NAT gateway can provide a single, routable IP address that can easily be used for a whole private network. Since NAT changes IP address data in transit, there are different NAT implementations of varying behaviors in different addressing cases with other effects over network traffic.

What Does NAT Do?

In NAT, a network device such as a NAT firewall or a router assigns a public IP address to one computer or a group of computers in a private network. This way, NAT allows one device to mediate between the public, private, and local networks.

What Does NAT Do?

NAT can conserve IP addresses by allowing private IPs to go online using unregistered addresses. Before forwarding data packets between the connected networks, NAT translates the local, private network addresses into unique, global, and legal addresses.

With NAT configurations, only a single IP address would be visible to the external world, although it will represent the entire network. As a result, it can hide the complete internal network and offer more security and privacy. NAT implementations are best for remote-access environments.

How Does NAT Work?

Network address translation allows a device like a NAT router or firewall to act as a mediator between the internal network (local network) and external networks (the internet). This permits the complete group of devices to reflect the same IP address when performing something outside the network.

NAT acts like a receptionist in an organization that decides which visitors or calls to send through, wait, or keep out based on specific instructions. NAT works similarly. All the requests come at the public port and IP address. Here, NAT instructions decide where the request should go while concealing the destination’s private IP address.

NAT chooses gateways between two different local networks – the external network and the internal network. All the systems on the inside will have IP addresses that can’t be routed to an external network. Furthermore, some of the externally valid IPs will be allocated to the gateway, which enables outbound traffic to appear to come from a valid external IP address. 

Next, it uses inbound traffic and transmits it to the right internal system. This way, security is established. Since incoming and outgoing requests need to cross a translation process, it offers a great way to validate incoming traffic and match them to outgoing streams.

Example of a NAT Process

Here is an example of how NAT works in the real world.

A user connects their devices to their home Wi-Fi network. The home router will assign a private IP address to the device that must be used only within this network.

So, when the user tries to load a given web page, the address will request the destination web page via their router. Now, the NAT router will change the request’s source address to their network’s public IP from their device’s private IP address. A NAT table will store this translation, where the gateway will look up to determine whether the data packet meets the translation condition.

Furthermore, the server the user tries to access will return the requested data packet to their network’s public address. Next, the router will modify the destination address to the device’s private IP while routing the data packets to the user’s device.

Types of NAT

NAT is of different types that you can use for various purposes.

#1. SNAT

Static NAT (SNAT) is a type of NAT that translates a private IP address to a public IP address. It uses the same public IP address consistently whenever it performs the translation.  

SNAT can map an unregistered IP address with the help of one-to-one NAT to match with a registered IP address. It implies that all the devices on this network will have the same public address. In this, only two things are changed in the network address – the header and IP address.

It’s useful for devices that users need to access from the external network. It’s also utilized when interconnecting two different IP networks with incompatible addresses. In addition, it’s used in web hosting. Typically, individuals and smaller organizations use SNAT with fewer devices to keep the cost minimal.

#2. DNAT

Dynamic NAT (DNAT) is a type of NAT that maps a private IP address to a pool of public IP addresses. Unlike SNAT, it doesn’t use the same IP address but a different one each time it performs translation, but it uses a one-to-one connection like SNT.

In this, the DNAT firewall or router has a pool of public, registered IPs available. So, when DNAT translates a network address from private to public, it allows the router to choose any available public IP address from this pool. Next, it starts mapping an unregistered one to the registered IP address.

Consequently, DNAT enables a device to have different IPs for every translation. It implies that you can’t know which global IP address a private address has been mapped. This is an efficient solution as you can connect more devices to the network.

However, it can be costly since you would require investing in a public IP pool. Plus, the number of data packets that can be transmitted is limited. You can only send and receive data packets equal to the total number of public IP addresses available in your pool.

It is suitable for large organizations with several internal networks. It’s also great if you have a fixed number of users wanting Internet access.

#3. PAT

Port Address Translation (PAT), also called NAT overload, is where each internal device uses a common public IP address. However, every private IP address will be assigned a different port.

In PAT, different ports are used for mapping different local, unregistered, and private IP addresses to only one registered IP address. It also differentiates which network traffic corresponds to which IP address.

PAT is a kind of NAT where data packets will have altered source addresses when they travel from the private to a public network. Also, they will have an altered destination address when they revert from the public to the private network.

Furthermore, data packets will have altered port numbers among themselves to ensure the translation is clear. This combination of altered IP address and port number is mapped using a registered private IP address.

Many consider PAT more cost-effective than NAT. The reason is many users can connect to the web using just a single public IP address. So, no matter whether you are a large, small, or medium-sized organization. You can use it.

Apart from SNAT, DNAT, and PAT, you could also witness RNAT and overlapping NAT.

  • RNAT lets you connect to your network using the public internet or the internet.
  • Overlapping NAT occurs when two organizations’ networks using RFC 1918 IPs merge. It can also happen when registered IPs are allocated to several devices or used in multiple internal networks. Here, overlapping NAT connects the networks without readdressing each device.

Why Is NAT Important?

A device or networking system needs an IP address, a unique set of numbers separated by periods to establish communication with the web. This number is used to identify and locate a network device and enable users to communicate with the web.

IPs are of two types – Ipv4 and IPv6. In the starting days of the internet, only around 4.3 billion IPv4 addresses were created. However, not each could be allocated to the device to establish communication. Some were left for testing, military, and broadcast, while the leftover 3B IPs were available for communication.

In 2019, RIPE NCC allocated the final IPv4 addresses remaining from the available pool, running out of IPv4. IPv6 addressing was introduced to counter this. IPv6 recreates IP addressing and provides more options to allocate g addresses. However, it took many years to change or implement the networking system. 

Enter NAT. Cisco introduced NAT in the meantime, which is now widely deployed.

NAT has become a valuable and popular way to conserve global address space, especially when IPv4 addresses are exhausted. NAT is also used to hide private network IP address ranges for cost-effectiveness and security.

Advantages of NAT

IP Address Conservation 

NAT helps conserve legally registered IP addresses and also prevents their depletion. Looking at the growing number of internet users worldwide, it’s a great initiative toward making the web an accessible space for everyone.


With NAT, you can access the web with enhanced security and privacy as it can hide your device’s IP from the public network, even while the data packets are in transmission. NAT rate-limiting also lets you restrict the maximum number of NAT operations taking place concurrently on your router. 

This way, you get better control over NAT address usage and can minimize the effects of viruses, worms, Denial of Service (DoS) attacks, etc. Implementing Dynamic NAT (DNAT) will automatically create a firewall between the internet and the internal network. In addition, some NAT routers can offer security features such as traffic filtering and logging.

Multiple Connections

Establishing multiple internet connections helps maintain network reliability and reduces the possibility of shutdowns during connection failures. It also contributes to load-balancing by decreasing the number of devices using a single connection. 

In addition, multi-homed networks usually connect to several ISPs that assign single or multiple IP addresses to an organization. Plus, routers can use NAT to route networks with different NAT protocols. 

Furthermore, a multi-homed network communicates by enabling the router to leverage a part of the TCP or IP protocol, Border Gateway Protocol (BGP). Similarly, the subdomain sites share with the help of internal BGP (IBGPs) while routers use external BGP (EBGP) to interact. In case a connection fails, multi-homing will reroute data via another router.


NAT is more transparent to source and destination computers both than proxy servers. This allows direct dealing at speed. Proxy servers also typically work at layer four or the transport layer of the OSI Model or even higher than that. This makes them slower than NAT, which sits at layer three or network layer.


Your needs will require more IPs for your users and devices when your needs grow. So, you can leverage NAT instead of asking the IANA for more IPs. And when you use NAT with Dynamic Host Configuration Protocol (DHCP), scaling will get easier. 

The reason is that NAT and DHCP work together well to allocate unregistered IPs for the subdomain from the available list per your requirements. This way, you can expand the available IP address range, and the DHCP can quickly configure and make space for more network computers.

Flexibility and Simplicity

NAT offers flexibility in deployment and establishing connections. You can deploy it in a wireless, public LAN. Sometimes, with static NAT (SNAT) and inbound mapping, you can enable external devices to establish device connections on the subdomain. 

In addition, NAT reduces complexity and enables simple internet connections as it doesn’t require you to renumber IP addresses after changing or merging a network. NAT also lets you build a virtual host in your internal network that coordinates TCP load-balancing.

Limitations of NAT

Limitations of NAT

Some limitations of NAT are:

  • Consumes resources: NAT can consume significant processor space and memory resources. This is because it translates all IPv4 addresses for your incoming and outgoing IPv4 datagrams plus saves all the translation details in the memory.
  • Functionality: Enabling NAT can result in reduced functionality of some technologies and applications. 
  • Tunneling complications: NAT can complicate tunneling protocols. For this, you can use IPsec for secure network address translation.
  • Layer issues: When a router works as a NAT device, it can meddle with layer-4 or transport layer as port numbers since it is meant for the layer-3 or network layer. 
  • Delays: Path delays can happen during translation. 

Some Common Terms in NAT

  • Source address: It’s the initiating host’s IP address.
  • Source port: It’s the TCP/UDP port number that the initiating host assigns.
  • Destination address: It’s the receiver’s IP address.
  • Destination port: It’s the TCP or UDP port that an initiating host requests to the receiver to open.
  • Inside local address: It’s a private IP address allocated to a host on a local (Inside) network. A service provider does not assign it. It’s the inside host for an inside network. 
  • Inside global address: It’s an IP address representing one or more local IPs. It’s the inside host for the outside/external network. 
  • Outside local address: The destination host’s real IP address sits in a local network once the translation is over. 
  • Outside global address: The outside destination host’s IP address before translation. It’s the outside host for the outside/external network. 
  • Subdomain: It’s an unregistered private IP address consisting of: 
  1. Outside local addresses that NAT routers deploy, and 
  2. Inside local addresses, the local area network uses
  • NAT Table: NAT re-assigns port numbers and IP addresses and tracks them with a NAT translation table.

Suppose a router has received a data packet from a local device assigned a public IP address. The router will now change the source device’s IP address, enabling it to utilize its IP address. Next, it changes the source’s port number to ensure it has the information about where the received packets must be delivered. This re-assignment of IP addresses is logged into the NAT translation table.


With the growing users on the internet and security issues spreading worldwide, there is a need to have a safer and more efficient connection method. NAT aims to do that. It will help conserve public IP addresses while providing you with the benefits of security, speed, flexibility, and scalability while connecting to the internet. 

  • Amrita Pathak
    Amrita is a freelance copywriter and content writer. She helps brands enhance their online presence by creating awesome content that connects and converts. She has completed her Bachelor of Technology (B.Tech) in Aeronautical Engineering…. read more
Thanks to our Sponsors
More great readings on Security
Power Your Business
Some of the tools and services to help your business grow.
  • Invicti uses the Proof-Based Scanning™ to automatically verify the identified vulnerabilities and generate actionable results within just hours.
    Try Invicti
  • Web scraping, residential proxy, proxy manager, web unlocker, search engine crawler, and all you need to collect web data.
    Try Brightdata
  • is an all-in-one work OS to help you manage projects, tasks, work, sales, CRM, operations, workflows, and more.
    Try Monday
  • Intruder is an online vulnerability scanner that finds cyber security weaknesses in your infrastructure, to avoid costly data breaches.
    Try Intruder