NAT: Network Address Translation
The networking mechanism that allows multiple devices on a private network to share a single public IP address. NAT is built into every home and office router, and it plays a critical role in extending the life of IPv4 addressing.
Type
Network Layer
Defined In
RFC 3022 / RFC 2663
Common Implementation
Every home router
Related To
IPv4 address exhaustion
What is NAT?
NAT (Network Address Translation) is a technique that rewrites IP addresses in packet headers as they pass through a router or firewall. Its primary purpose is to allow multiple devices on a private network to access the internet using a single public IP address. NAT is not strictly a protocol in the traditional sense. It is a mechanism, a set of rules implemented in routers that manipulate packet headers to map private addresses to public ones and back again.
The need for NAT arose from a fundamental limitation of IPv4. The IPv4 address space is 32 bits wide, which provides roughly 4.3 billion unique addresses. That may sound like a lot, but with billions of internet-connected devices worldwide, the supply ran out long ago. The Internet Assigned Numbers Authority (IANA) exhausted its pool of unallocated IPv4 addresses in 2011. NAT is the primary reason the internet continues to function despite this shortage.
Every home and office router uses NAT. When your laptop, phone, and smart TV all connect to your Wi-Fi network, each device receives a private IP address (such as 192.168.1.x). Your router has a single public IP address assigned by your ISP. NAT translates between these private addresses and the single public address, allowing all your devices to communicate with the internet simultaneously.
NAT was originally described in RFC 1631 (1994) and later formalized in RFC 3022 (2001), with terminology defined in RFC 2663. Although it was conceived as a short-term workaround until IPv6 could be deployed, NAT has become a permanent fixture of internet infrastructure.
How NAT Works
NAT operates on the boundary between a private network and the public internet. To understand how it works, you first need to understand private IP addresses. RFC 1918 defines three ranges of IP addresses that are reserved for private use and are not routable on the public internet: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. Any organization can use these addresses internally without coordination, because routers on the public internet will never forward packets with these source or destination addresses.
The NAT router sits between the private network and the internet. It maintains a translation table that maps internal IP:port pairs to external IP:port pairs. When a device on the private network sends a packet to the internet, the NAT router rewrites the source IP address (and, with PAT, the source port) to its own public address and an assigned external port, recomputes the IP header checksum and the TCP or UDP checksum (both cover the addresses that changed), and records the mapping in the translation table.
When the reply arrives from the internet, the NAT router looks up the destination port (together with the protocol) in its translation table, finds the corresponding internal IP:port pair, rewrites the destination address and port back to the private values, and forwards the packet to the correct internal device. Routers differ in how strict this lookup is: many deliver a reply only if it comes from a remote address the internal host has already sent to (RFC 4787 calls this address-dependent filtering), while others deliver anything addressed to an open mapping regardless of sender (endpoint-independent filtering). Either way the process is transparent to both ends: the internal device and the remote server need not know that translation is happening, although the remote server only ever sees the public address.
Types of NAT
There are three main types of NAT, each suited to different scenarios. The type you encounter depends on the size of the network, the number of available public IP addresses, and the specific requirements of the deployment.
Static NAT (1:1 Mapping)
Static NAT creates a permanent, one-to-one mapping between a private IP address and a public IP address. This mapping is manually configured and does not change over time. When a packet arrives from the mapped private address, the router always translates it to the same public address, and vice versa.
Static NAT is primarily used for servers that need to be reachable from the internet at a consistent address. For example, if you host a web server on your internal network at 192.168.1.50, you can create a static NAT mapping to a dedicated public IP so that external clients always reach the same address. Because the mapping passes every port through to the internal host, not just the one the service uses, it must be paired with firewall rules that restrict which ports are reachable. The downside is that each static mapping consumes one public IP address, making it impractical for large numbers of hosts.
Dynamic NAT
Dynamic NAT maps private IP addresses to public IP addresses drawn from a pool, on a first-come-first-served basis. Unlike static NAT, the mapping is not permanent. When a device initiates a connection, the router assigns it an available public IP from the pool. When the connection ends and the mapping expires, the public IP returns to the pool for reuse.
The limitation of dynamic NAT is that the pool is finite. If all public IPs in the pool are in use and another internal device tries to connect, the connection is rejected until an address is freed. Dynamic NAT is less common today because it still requires a relatively large number of public IPs.
PAT / NAT Overload (Many:1 Mapping)
Port Address Translation (PAT), also called NAT Overload, is by far the most common type. It allows all devices on the private network to share a single public IP address. Differentiation is achieved through port numbers. When an internal device opens a connection, the router assigns a unique external source port and records the mapping in the translation table.
Because port numbers are 16-bit values (0 to 65535, though the well-known ports below 1024 are normally not handed out for translations), a single public IP can distinguish roughly 64,000 concurrent mappings per transport protocol, and routers that key each mapping on the remote endpoint as well can reuse an external port for connections to different destinations. In practice, the limit depends on router memory and processing power. PAT is what every home router uses, and it is the reason an entire household of devices can browse the web, stream video, and play games all through one public IP address.
The NAT Translation Table
The translation table is the core data structure that makes NAT work. Every active connection through the NAT router has an entry in this table. Each entry records the information needed to translate packets in both directions.
A typical translation table entry contains the following fields: the internal IP address and internal port of the originating device, the external IP address and external port assigned by the router, the protocol (TCP or UDP), and a timeout value that determines how long the entry remains active after the last packet.
| Internal IP:Port | External IP:Port | Protocol | Timeout |
|---|---|---|---|
| 192.168.1.10:5000 | 203.0.113.5:40001 | TCP | 300s |
| 192.168.1.11:6000 | 203.0.113.5:40002 | TCP | 300s |
| 192.168.1.12:7000 | 203.0.113.5:40003 | UDP | 60s |
Entries are created when an internal device sends an outbound packet. The router inspects the packet, creates a new table entry with the original source IP:port and an assigned external port, then rewrites the packet headers. When a reply arrives, the router matches the destination port to an entry in the table and rewrites the destination address to forward the packet to the correct internal device.
Entries expire after a period of inactivity. TCP entries typically have longer timeouts (300 seconds or more) because TCP connections are stateful and may have idle periods. UDP entries usually have shorter timeouts (30 to 60 seconds) because UDP is connectionless and idle mappings are less likely to be needed. When a TCP connection closes with a FIN exchange, the router may remove the entry immediately rather than waiting for the timeout.
Port Forwarding
By default, PAT drops all unsolicited inbound packets. When a packet arrives from the internet with a destination port (and protocol) that does not match any entry in the translation table, the router has no internal host to deliver it to, so the packet is dropped. This is a side effect of keeping state for outbound connections rather than a filtering policy, and it has limits: once a mapping exists, a router with endpoint-independent filtering will deliver packets to that port from any source (the property that UDP hole punching relies on), and a static 1:1 NAT passes everything addressed to the public IP straight through. The behaviour still provides a degree of protection, but it also means that hosting services behind NAT requires extra configuration.
Port forwarding solves this problem by creating a static mapping in the translation table. You configure the router to forward all traffic arriving on a specific external port to a designated internal IP address and port. For example, you might forward external port 8080 to internal address 192.168.1.100 on port 80. Any traffic arriving at your public IP on port 8080 will be automatically redirected to your internal web server.
Common use cases for port forwarding include hosting game servers so that other players can connect to your machine, running web servers or other services from a home network, enabling remote desktop access to a computer behind NAT, and making security cameras or IoT devices accessible from outside the local network. Each port forwarding rule maps one external port to one internal destination, so you need separate rules for each service you want to expose. Keep in mind what a rule means: the forwarded service is reachable by anyone on the internet, and whatever protection NAT gave that host is gone for that port, so the service itself must be kept patched and must authenticate properly. Remote desktop, camera web interfaces and other software designed for a trusted LAN are poor candidates; a VPN into the network is the safer way to reach them. Also review the router's forwarding table periodically, because UPnP can add rules on behalf of any application on the LAN without asking you.
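The mechanics described in How NAT Works, the translation table above, and port forwarding can be tried out in a small model. The following Python class is an added example written for this page, not code from any router or RFC. It keeps a PAT table keyed on (protocol, external port), allocates external ports from an assumed pool starting at 40001, applies the assumed timeouts from the table (300 s TCP, 60 s UDP), drops inbound packets with no matching entry, and treats port-forwarding rules as static entries that never expire. The `filtering` parameter uses RFC 4787's terms: `address-dependent` delivers a reply only from a host the internal device has already contacted, `endpoint-independent` delivers anything addressed to an open mapping. The addresses (203.0.113.5 public, 198.51.100.x remote, 192.168.1.x internal) are documentation ranges chosen for the example.

```python
import time
from dataclasses import dataclass, field


@dataclass
class Mapping:
    """One row of the translation table."""
    internal: tuple        # (private IP, private port) of the LAN host
    external_port: int     # port allocated on the router's public address
    proto: str             # "TCP" or "UDP"
    last_seen: float       # clock value of the last packet in either direction
    remotes: set = field(default_factory=set)  # public hosts the LAN host has sent to


class PatRouter:
    # Assumed inactivity timeouts, matching the example table above.
    TIMEOUT = {"TCP": 300.0, "UDP": 60.0}

    def __init__(self, public_ip, port_range=(40001, 40100),
                 filtering="address-dependent", clock=time.monotonic):
        self.public_ip = public_ip
        self.first_port, self.last_port = port_range   # assumed external port pool
        self.filtering = filtering                     # or "endpoint-independent"
        self.clock = clock                             # injectable so tests can advance time
        self.table = {}        # (proto, external_port) -> Mapping
        self.by_internal = {}  # (proto, private IP, private port) -> external_port
        self.forwards = {}     # (proto, external_port) -> (private IP, private port)

    def forward_port(self, proto, external_port, internal):
        """Port forwarding rule: a static entry that never expires."""
        self.forwards[(proto, external_port)] = tuple(internal)

    def _expire(self):
        """Drop dynamic entries that have been idle longer than their timeout."""
        now = self.clock()
        for key, m in list(self.table.items()):
            if now - m.last_seen > self.TIMEOUT[m.proto]:
                del self.table[key]
                del self.by_internal[(m.proto, *m.internal)]

    def _free_port(self):
        """Lowest external port not used by a dynamic entry or a forwarding rule."""
        used = {port for (_, port) in list(self.table) + list(self.forwards)}
        for port in range(self.first_port, self.last_port + 1):
            if port not in used:
                return port
        raise RuntimeError("external port pool exhausted")

    def outbound(self, proto, src, dst):
        """LAN -> internet. Returns (proto, src, dst) as seen on the public side:
        the source becomes (public_ip, external_port); the destination is unchanged."""
        self._expire()
        key = (proto, *src)
        if key not in self.by_internal:            # first packet of a new flow
            port = self._free_port()
            self.by_internal[key] = port
            self.table[(proto, port)] = Mapping(tuple(src), port, proto, self.clock())
        m = self.table[(proto, self.by_internal[key])]
        m.remotes.add(dst[0])
        m.last_seen = self.clock()
        return (proto, (self.public_ip, m.external_port), tuple(dst))

    def inbound(self, proto, src, dst):
        """Internet -> LAN. Returns the packet with its destination rewritten to the
        private endpoint, or None when the router has nowhere to deliver it."""
        self._expire()
        if dst[0] != self.public_ip:
            return None
        key = (proto, dst[1])
        if key in self.forwards:                   # forwarded port: always delivered
            return (proto, tuple(src), self.forwards[key])
        m = self.table.get(key)
        if m is None:                              # no mapping: unsolicited, dropped
            return None
        if self.filtering == "address-dependent" and src[0] not in m.remotes:
            return None                            # mapping exists, but not for this sender
        m.last_seen = self.clock()
        return (proto, tuple(src), m.internal)


if __name__ == "__main__":
    now = [0.0]                                    # fake clock, advanced by hand
    nat = PatRouter("203.0.113.5", clock=lambda: now[0])
    print(nat.outbound("TCP", ("192.168.1.10", 5000), ("198.51.100.20", 443)))
    print(nat.inbound("TCP", ("198.51.100.20", 443), ("203.0.113.5", 40001)))
    print(nat.inbound("TCP", ("198.51.100.99", 1234), ("203.0.113.5", 22)))      # None
    print(nat.inbound("TCP", ("198.51.100.99", 1234), ("203.0.113.5", 40001)))   # None
    nat.outbound("UDP", ("192.168.1.12", 7000), ("198.51.100.20", 53))
    now[0] = 61.0                                  # UDP entry idle for more than 60 s
    print(nat.inbound("UDP", ("198.51.100.20", 53), ("203.0.113.5", 40002)))     # None
    nat.forward_port("TCP", 8080, ("192.168.1.100", 80))
    print(nat.inbound("TCP", ("198.51.100.99", 1234), ("203.0.113.5", 8080)))
```

Run it directly to see the scenario at the bottom: the first reply is delivered, a packet to an unmapped port is dropped, a packet from a stranger to an open mapping is dropped under address-dependent filtering (construct the router with `filtering="endpoint-independent"` and the same packet gets through, which is the hole-punching case), the UDP entry vanishes after its timeout, and the forwarded port is delivered regardless of sender. The clock is injectable so the timeout path can be exercised without waiting, and the RuntimeError on port exhaustion is the PAT equivalent of a dynamic NAT pool running dry.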
NAT Traversal Challenges
NAT breaks the end-to-end connectivity model that the internet was originally designed around. In a world without NAT, any device could communicate directly with any other device using its public IP address. With NAT, devices behind different NAT routers cannot directly reach each other because their private addresses are not routable on the public internet.
This creates significant problems for applications that require peer-to-peer communication or inbound connections. VoIP applications built on SIP need both parties to send and receive media streams directly. Online gaming often relies on peer-to-peer connections between players. Video conferencing requires direct media paths for acceptable latency. IPsec VPNs are a special case: AH authenticates the outer IP header, so any rewrite invalidates it, and ESP carries no port numbers that PAT could use to tell one tunnel from another behind the same public address. This is why IPsec NAT traversal (NAT-T, RFC 3948) wraps ESP in UDP on port 4500.
Several solutions have been developed to work around NAT traversal issues. STUN (Session Traversal Utilities for NAT, RFC 5389, now RFC 8489) lets a device discover its external IP address and port by sending a request to a STUN server on the public internet and reading back the address the server saw. TURN (Traversal Using Relays around NAT, RFC 5766, now RFC 8656) provides a relay server that forwards traffic between peers when no direct path works. ICE (Interactive Connectivity Establishment, RFC 8445) combines STUN and TURN candidates and tests each pair to find the best path that actually works. UPnP IGD, NAT-PMP (RFC 6886) and its successor PCP (RFC 6887) let applications ask the router to create port forwarding rules; UPnP does this with no authentication at all, so any process on the LAN, including malware, can expose an internal port, and disabling it on the router is a common hardening step. Finally, Application Level Gateways (ALGs) built into some routers inspect and rewrite application-layer protocols such as SIP and FTP that embed IP addresses in their payloads; SIP ALGs in particular are a frequent cause of broken calls and are often the first thing to disable when troubleshooting VoIP behind NAT.
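Because STUN is the building block the other techniques use, here is the Binding exchange on the wire. This is an added example written for this page (not text from RFC 5389 and not from any STUN library): it builds a Binding Request, parses a Binding Success Response, and decodes the XOR-MAPPED-ADDRESS attribute, falling back to the older plaintext MAPPED-ADDRESS. The sample response is constructed locally by `build_binding_response`, standing in for the server, so the parser runs offline; `discover_external_address` sends a real request over UDP to whatever public STUN server host and port you pass it. The external address 203.0.113.5:40001 in the sample is made up.

```python
import os
import socket
import struct

MAGIC_COOKIE = 0x2112A442          # fixed value in every RFC 5389 message
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_MAPPED_ADDRESS = 0x0001       # RFC 3489 style, plaintext address
ATTR_XOR_MAPPED_ADDRESS = 0x0020   # RFC 5389, address XORed with the cookie


def build_binding_request(txid=None):
    """A Binding Request is just the 20-byte header: type, length 0, cookie, 96-bit ID."""
    txid = txid if txid is not None else os.urandom(12)
    if len(txid) != 12:
        raise ValueError("transaction ID must be 12 bytes")
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + txid


def _decode_address(value, xor_key):
    """Decode a (XOR-)MAPPED-ADDRESS value: reserved byte, family, port, address."""
    if len(value) < 4:
        raise ValueError("short address attribute")
    family = value[1]
    port = struct.unpack("!H", value[2:4])[0]
    addr = value[4:]
    if xor_key is not None:                          # undo the XOR (RFC 5389 section 15.2)
        port ^= MAGIC_COOKIE >> 16
        addr = bytes(a ^ k for a, k in zip(addr, xor_key))
    if family == 0x01 and len(addr) == 4:
        return socket.inet_ntop(socket.AF_INET, addr), port
    if family == 0x02 and len(addr) == 16:
        return socket.inet_ntop(socket.AF_INET6, addr), port
    raise ValueError("bad address family or length")


def parse_binding_response(data, txid):
    """Return (external_ip, external_port) from a Binding Success Response to txid."""
    if len(data) < 20:
        raise ValueError("short STUN message")
    msg_type, length, cookie = struct.unpack("!HHI", data[:8])
    if cookie != MAGIC_COOKIE or data[8:20] != txid:
        raise ValueError("not a response to our request")   # stray or spoofed datagram
    if msg_type != BINDING_SUCCESS:
        raise ValueError("unexpected message type 0x%04x" % msg_type)
    if len(data) < 20 + length:
        raise ValueError("truncated STUN message")
    pos, fallback = 20, None
    while pos + 4 <= 20 + length:
        attr_type, attr_len = struct.unpack("!HH", data[pos:pos + 4])
        value = data[pos + 4:pos + 4 + attr_len]
        if len(value) < attr_len:
            raise ValueError("truncated attribute")
        pos += 4 + (attr_len + 3) // 4 * 4               # values are padded to 4 bytes
        if attr_type == ATTR_XOR_MAPPED_ADDRESS:
            return _decode_address(value, xor_key=data[4:20])   # cookie + transaction ID
        if attr_type == ATTR_MAPPED_ADDRESS:
            fallback = _decode_address(value, xor_key=None)
    if fallback is None:
        raise ValueError("no mapped address in response")
    return fallback


def build_binding_response(txid, ip, port):
    """Constructed sample input: what a server would send for an IPv4 client at ip:port."""
    key = struct.pack("!I", MAGIC_COOKIE) + txid
    x_port = port ^ (MAGIC_COOKIE >> 16)
    x_addr = bytes(a ^ k for a, k in zip(socket.inet_pton(socket.AF_INET, ip), key))
    attr = struct.pack("!BBH", 0, 0x01, x_port) + x_addr
    body = struct.pack("!HH", ATTR_XOR_MAPPED_ADDRESS, len(attr)) + attr
    return struct.pack("!HHI", BINDING_SUCCESS, len(body), MAGIC_COOKIE) + txid + body


def discover_external_address(server, timeout=3.0):
    """Live query: send a Binding Request to (host, port) over UDP. Needs network access."""
    txid = os.urandom(12)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_binding_request(txid), server)
        data, _ = sock.recvfrom(1500)
    return parse_binding_response(data, txid)


if __name__ == "__main__":
    txid = bytes(range(12))                                       # fixed ID for the demo
    sample = build_binding_response(txid, "203.0.113.5", 40001)   # made-up external address
    print(parse_binding_response(sample, txid))                   # ('203.0.113.5', 40001)
```

Two details matter for security. The parser rejects any datagram whose transaction ID does not match the request, because the mapping the request opened will also deliver datagrams from other hosts on routers with endpoint-independent filtering, and a spoofed reply could otherwise feed the application a false external address. The XOR encoding exists because some NATs rewrite anything that looks like their own public address inside a UDP payload (a crude ALG); XORing the value with the magic cookie keeps it from being recognised and mangled in transit.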
NAT and IPv4 Exhaustion
The IPv4 address space consists of approximately 4.3 billion unique addresses. In the early days of the internet, this seemed more than sufficient. However, the explosive growth of connected devices quickly consumed the available addresses. IANA distributed the last blocks of unallocated IPv4 addresses to the five Regional Internet Registries (RIRs) in February 2011, and most RIRs have since exhausted their own allocations.
NAT is the primary technology that has allowed the internet to continue growing despite this exhaustion. By allowing thousands of devices to share a single public IP address, NAT dramatically reduces the demand for unique public addresses. A large enterprise might have 10,000 employees all sharing a handful of public IPs through PAT. An ISP might use carrier-grade NAT (CGNAT) to serve thousands of subscribers with a limited address pool.
However, NAT is a workaround, not a solution. It adds complexity, breaks end-to-end connectivity, and creates performance bottlenecks at scale. The real solution is IPv6, which uses 128-bit addresses and provides a virtually unlimited address space (approximately 3.4 x 10^38 addresses). With IPv6, every device can have its own globally unique address, eliminating the need for NAT entirely. IPv6 adoption has been gradual, though. As of the mid-2020s, IPv6 carries a significant and growing share of internet traffic, but IPv4 with NAT remains the dominant configuration for most networks.
Common Use Cases
- Home networks: every consumer router uses PAT to allow all household devices (laptops, phones, tablets, smart TVs, game consoles) to share the single public IP assigned by the ISP
- Enterprise networks: organizations with thousands of employees use NAT to share a small pool of public IP addresses, often combined with firewalls and proxy servers for security and policy enforcement
- Carrier-grade NAT (CGNAT): ISPs deploy NAT at the provider level, placing multiple customers behind a shared pool of public addresses. This is common for mobile networks and broadband providers facing IPv4 scarcity
- Cloud computing: cloud platforms like AWS, Azure, and GCP provide NAT gateways for virtual private clouds (VPCs), allowing instances in private subnets to reach the internet without each requiring a public IP
- Containerized environments: container runtimes like Docker use NAT to publish container ports on host ports (DNAT for inbound traffic) and to masquerade container traffic leaving the host (SNAT for outbound), so multiple containers can coexist on a single host while each listens on the same port inside its own network namespace
Frequently Asked Questions About NAT
What is the difference between NAT and PAT?
NAT is the general term for translating IP addresses between private and public networks. PAT (Port Address Translation) is a specific type of NAT that uses port numbers to allow multiple private addresses to share a single public IP. In everyday usage, when people say "NAT," they usually mean PAT, because it is by far the most common implementation. Static NAT and dynamic NAT are the other two types, but they see much less use in practice.
Does NAT provide security?
NAT provides a limited form of protection as a side effect: internal addresses are hidden, and unsolicited inbound packets are dropped because no translation entry matches them. That is useful, but it is the stateful connection tracking that does the work, and a stateful firewall provides the same effect deliberately, with rules you can audit (which is also how IPv6 networks without NAT are protected). NAT should not be considered a substitute for a proper firewall: it does not inspect packet contents, does not filter based on policy, and does nothing about outbound traffic. Malware on an internal host simply connects outbound to its command-and-control server, and NAT forwards the replies exactly as it would for a browser session; phishing and malicious downloads are likewise untouched. Features layered on NAT can also weaken it, since UPnP lets any LAN application open an inbound port and a forwarded port exposes a host as fully as if there were no NAT at all.
What is double NAT and why is it a problem?
Double NAT occurs when two NAT devices are placed in series. This commonly happens when an ISP provides a router with NAT enabled and the customer connects their own NAT router behind it. Traffic passes through two layers of address translation, which can cause problems with port forwarding (rules must be configured on both devices), UPnP (automatic port mapping may fail), and applications that rely on consistent external addressing. It also adds latency and complicates troubleshooting. The typical fix is to put one of the devices into bridge mode so that only one layer of NAT is active.
Why does NAT cause issues with VoIP and gaming?
VoIP and gaming applications often require direct peer-to-peer connections or inbound connections from external servers. NAT blocks unsolicited inbound traffic by default, which prevents other users or game servers from initiating connections to your device. VoIP protocols like SIP also embed IP addresses in their signaling messages. If those embedded addresses are private, the remote party cannot route media packets back to you. Solutions like STUN, TURN, and ICE were developed specifically to address these issues.
Will IPv6 eliminate the need for NAT?
In principle, yes. IPv6 provides enough addresses for every device on earth to have multiple globally unique addresses, removing the fundamental reason NAT exists. In an IPv6-only world, address sharing would be unnecessary. However, some organizations still translate IPv6 prefixes (stateless NPTv6, RFC 6296, or stateful NAT66) for policy reasons such as hiding internal topology or avoiding renumbering when changing providers, and the inbound-blocking behaviour people associate with NAT has to be provided by an explicit stateful firewall instead. Full IPv6 adoption will take time, and NAT will remain essential as long as IPv4 is in use.
What is carrier-grade NAT (CGNAT)?
Carrier-grade NAT, also called large-scale NAT (RFC 6888), is NAT deployed by an ISP rather than by the end user. The ISP assigns addresses from the shared address space 100.64.0.0/10 (RFC 6598) to customer routers, which then perform their own NAT internally. This creates a double NAT situation by design, allowing the ISP to serve many more customers than it has public IPv4 addresses. CGNAT is common among mobile carriers and some broadband providers, but it causes the same issues as any double NAT configuration, including difficulties with port forwarding, gaming, and VoIP, and the customer cannot fix them because the outer NAT is not theirs. For security operations it also means one public IPv4 address can represent many subscribers at once: blocking or rate-limiting by IP hits all of them, and attributing an event to a subscriber requires the source port and an accurate timestamp in addition to the address, which is why RFC 6302 recommends that internet-facing servers log the source port.
Related Protocols
- DHCP: assigns private IP addresses to devices on the local network, which are then translated by NAT when communicating with the internet
- TCP: the transport protocol whose source and destination ports are rewritten by PAT to multiplex connections through a single public IP
- UDP: connectionless transport protocol also subject to NAT port translation, with shorter mapping timeouts than TCP
- ICMP: used for network diagnostics and error reporting; ICMP has no port numbers, so NAT keys echo request/reply (ping) mappings on the ICMP Query Identifier instead, and for error messages such as Destination Unreachable it must also translate the copy of the original IP header carried in the ICMP payload (RFC 5508 describes the expected behaviour)