NAT: Network Address Translation

NAT maps private IP addresses to a single public IP address, allowing multiple devices on a local network to share one internet connection.

Network Address Translation (NAT)

NAT allows your entire home or office network to share a single public IP address. Without NAT, every device on the planet would need its own unique public IP address, which IPv4's 4 billion address limit makes practically impossible at the scale of today's internet.

What Is NAT

Network Address Translation (NAT) is a technique used by routers to map many private IP addresses to one or a small number of public IP addresses. When a device on your local network sends traffic to the internet, the router replaces the private source IP address with its own public IP address before the packet leaves your network. When the response arrives from the internet, the router translates it back and delivers the packet to the correct device on your local network.

This translation happens automatically and invisibly. The devices on your network have no awareness that their addresses are being swapped at the boundary. From the perspective of any server on the internet, all traffic from your home appears to come from a single IP address, which is the public IP assigned to your router by your internet service provider.

NAT operates at the network layer of the internet model and is implemented in virtually every home router, office gateway, and many cloud networking environments. It is one of the most widely deployed networking techniques in existence, even if most people have never heard the term.

Why NAT Exists

IPv4, the addressing system that underpins most of today's internet traffic, supports roughly 4.3 billion unique addresses. That number sounds large, but the rapid growth of the internet and the explosion of connected devices quickly made it clear that 4.3 billion addresses would not be enough. By the early 1990s, it was apparent that IPv4 address exhaustion was coming.

NAT was introduced as a practical short-term solution to this problem. Instead of requiring every device to have its own globally unique public IP address, NAT allows many devices to share a single public IP by using private address ranges internally. The private address ranges most commonly used are 192.168.0.0 to 192.168.255.255, 10.0.0.0 to 10.255.255.255, and 172.16.0.0 to 172.31.255.255. These ranges are reserved and are never routed on the public internet, which is what makes it safe to reuse them across millions of separate private networks simultaneously.

IPv6 takes the long-term approach to the same problem by providing an address space large enough to assign a unique public address to every device in existence many times over. However, the transition to IPv6 has been slow, and NAT remains essential infrastructure for the vast majority of networks still running on IPv4.

How NAT Works Step by Step

When a device on your network makes a request to a server on the internet, several translation steps happen in quick succession. The router maintains a NAT table to keep track of which internal device each outbound connection belongs to, so it can correctly route the responses back.

  1. Your laptop at private IP 192.168.1.10 sends a request to a web server at 93.184.216.34 on port 80
  2. The packet reaches your router, which holds the public IP 203.0.113.5 assigned by your ISP
  3. The router replaces the source address with 203.0.113.5 and assigns a tracking port, such as 45123, then records this mapping in its NAT table
  4. The web server receives the request and sees it coming from 203.0.113.5:45123, which is your router's public address
  5. The web server sends its response back to 203.0.113.5:45123
  6. Your router receives the response and looks up port 45123 in its NAT table, finding that it belongs to 192.168.1.10
  7. The router forwards the response to your laptop at 192.168.1.10, completing the exchange

The port number is the key detail that makes this work. Because multiple devices on your network might be making connections simultaneously, the router cannot use the IP address alone to tell responses apart. By assigning a unique port number to each outbound connection and recording it in the NAT table, the router can correctly sort incoming responses to the right internal device even when dozens of connections are active at the same time.

Types of NAT

NAT is not a single technique but a family of related approaches. Different types of NAT are used depending on whether traffic is outbound or inbound, and whether multiple devices need to share one public IP or individual devices need their own stable public mapping.

Type                   | How It Works                                                                       | Use Case
-----------------------|------------------------------------------------------------------------------------|--------------------------------------------------------
SNAT (Source NAT)      | Replaces the source IP on outbound packets as they leave the network               | Home routers, office networks connecting to the internet
DNAT (Destination NAT) | Replaces the destination IP on inbound packets before they reach internal servers  | Port forwarding to internal servers or services
PAT / Masquerade       | Many-to-one translation that uses unique port numbers to track each session        | Most home and small office NAT setups
Static NAT             | A fixed one-to-one mapping between a specific private IP and a specific public IP  | Hosting a publicly accessible server behind a NAT router

PAT, which stands for Port Address Translation, is the form of NAT most people experience in their homes. It is sometimes called masquerade, particularly in Linux firewall configurations. It is what allows an entire household of phones, laptops, smart TVs, and tablets to share a single public IP address simultaneously. Each outbound connection gets a unique port number, and the router uses that port to route responses back to the correct device.

NAT and Port Forwarding

By default, NAT only tracks connections that were initiated from inside the network. When your laptop starts a connection to a web server, the router knows to expect a response and routes it correctly. But if an external device tries to initiate a connection directly to a device inside your network, the router has no NAT table entry for it and discards the packet.

This is where port forwarding comes in. Port forwarding is a manual rule you add to the router telling it to always send traffic arriving on a specific public port to a specific internal device and port. It is commonly used for hosting game servers, running a home web server, enabling remote desktop access, or setting up a security camera system that needs to be reachable from outside the home network.

Port forwarding example:
Public: 203.0.113.5:80    ->  Internal: 192.168.1.20:80
Public: 203.0.113.5:25565 ->  Internal: 192.168.1.30:25565 (Minecraft)

In this example, any request arriving at the router's public IP on port 80 is forwarded to the web server running at 192.168.1.20. Minecraft connection attempts on port 25565 are sent to the game server running at 192.168.1.30. Both services appear publicly accessible on the same IP address even though they are running on separate internal machines.
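The seven-step walkthrough in "How NAT Works Step by Step" and the two forwarding rules above, replayed as an added Python model. This is example code written for this page, not code from the article or from any router firmware. The PatRouter class, the Packet record and the walkthrough() function are hypothetical names chosen here; the addresses, tracking port 45123 and forwarding rules are the article's own, while the laptop's source port 51000 and the external address 198.51.100.7 are constructed. The model goes slightly beyond the text in two ways, both marked in comments: every packet of one connection reuses its tracking port, and a reply is only accepted from the remote endpoint recorded in the NAT table (the address-and-port-restricted behaviour many home routers use); a more permissive router would accept any packet sent to the tracking port.

```python
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """The four header fields NAT rewrites; a constructed model, not a real packet."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PatRouter:
    """Hypothetical model of a home router doing PAT (masquerade) plus DNAT port forwarding."""

    def __init__(self, public_ip: str, first_port: int = 45123):
        self.public_ip = public_ip
        self._next_port = first_port
        # NAT table: tracking port -> (private ip, private port, remote ip, remote port)
        self.nat_table: Dict[int, Tuple[str, int, str, int]] = {}
        # Reverse index so every packet of one connection reuses the same tracking port
        self._flows: Dict[Tuple[str, int, str, int], int] = {}
        # Port-forwarding rules: public port -> (internal ip, internal port)
        self.forwards: Dict[int, Tuple[str, int]] = {}

    def add_port_forward(self, public_port: int, internal_ip: str, internal_port: int) -> None:
        self.forwards[public_port] = (internal_ip, internal_port)

    def outbound(self, pkt: Packet) -> Packet:
        """SNAT/PAT: swap the private source for the public IP plus a tracking port."""
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self._flows.get(flow)
        if port is None:
            # Never hand out a tracking port that a forwarding rule or live flow already owns
            while self._next_port in self.forwards or self._next_port in self.nat_table:
                self._next_port += 1
            port = self._next_port
            self._next_port += 1
            self._flows[flow] = port
            self.nat_table[port] = flow
        return replace(pkt, src_ip=self.public_ip, src_port=port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Reverse translation for replies, DNAT for forwarded ports, drop everything else."""
        if pkt.dst_ip != self.public_ip:
            return None
        entry = self.nat_table.get(pkt.dst_port)
        if entry is not None:
            private_ip, private_port, remote_ip, remote_port = entry
            # Modelling choice: only the remote endpoint recorded for this flow may use
            # the mapping; a more permissive router would skip this check.
            if (pkt.src_ip, pkt.src_port) == (remote_ip, remote_port):
                return replace(pkt, dst_ip=private_ip, dst_port=private_port)
            return None
        rule = self.forwards.get(pkt.dst_port)
        if rule is not None:
            internal_ip, internal_port = rule
            return replace(pkt, dst_ip=internal_ip, dst_port=internal_port)
        # No table entry and no rule: an unsolicited inbound packet is discarded
        return None


def walkthrough() -> dict:
    """Replays the article's scenario and returns each translation result."""
    router = PatRouter("203.0.113.5")
    router.add_port_forward(80, "192.168.1.20", 80)
    router.add_port_forward(25565, "192.168.1.30", 25565)

    # Steps 1-3: the laptop's request leaves the network carrying the router's address
    request = Packet("192.168.1.10", 51000, "93.184.216.34", 80)  # constructed source port
    on_wire = router.outbound(request)

    # Steps 5-7: the server's reply is matched in the NAT table and delivered internally
    reply = Packet("93.184.216.34", 80, on_wire.src_ip, on_wire.src_port)
    delivered = router.inbound(reply)

    # Port forwarding: traffic to public port 80 reaches the internal web server
    forwarded = router.inbound(Packet("198.51.100.7", 40000, "203.0.113.5", 80))

    # Unsolicited inbound to a port with neither a table entry nor a rule is dropped
    dropped = router.inbound(Packet("198.51.100.7", 40001, "203.0.113.5", 3389))

    return {"on_wire": on_wire, "delivered": delivered, "forwarded": forwarded, "dropped": dropped}


if __name__ == "__main__":
    for name, pkt in walkthrough().items():
        print(f"{name:10} {pkt}")
```

Running the block prints the four results: the request on the wire appears as 203.0.113.5:45123, the reply comes back to 192.168.1.10:51000, the port-80 packet is rewritten to 192.168.1.20:80, and the packet to port 3389 is None. The "dropped" case is the whole of the incidental protection the security section describes: nothing about the packet's contents was examined, only the absence of a matching table entry or rule.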

NAT and Security

NAT provides a degree of incidental security by hiding internal IP addresses from the public internet and blocking unsolicited inbound connections by default. An attacker on the internet cannot directly initiate a connection to a device inside your network unless a port forwarding rule explicitly allows it. This means that devices behind NAT have a reduced attack surface compared to devices with public IPs exposed directly to the internet.

However, NAT is not a firewall and should not be treated as a substitute for one. It does not inspect packet contents, block malicious traffic by pattern, or enforce rules about what internal devices are allowed to communicate with. A dedicated firewall adds these capabilities on top of what NAT provides. Most home routers combine both NAT and basic firewall rules, but enterprise networks treat them as separate layers of defence.

NAT in Cloud and Enterprise Environments

NAT is not limited to home networking. Cloud providers use NAT extensively to manage IP addressing within their infrastructure. In environments like AWS, virtual machines in private subnets use a NAT gateway to access the internet for software updates and external API calls without being directly reachable from the public internet. This mirrors the same principle as home NAT but at a much larger scale and with more granular control.

Enterprise networks often use NAT between different internal segments as well, not just at the internet boundary. This helps manage address space across large organisations where multiple departments or sites may use overlapping private address ranges.

Frequently Asked Questions

  1. Does NAT provide security?
    Partially. NAT blocks unsolicited inbound connections by default because the router has no NAT table entry to match against, which provides a basic layer of incidental protection. However, NAT was not designed as a security mechanism and should not replace a proper firewall. It does not inspect traffic, block known malicious patterns, or enforce access control policies.
  2. Will NAT be replaced by IPv6?
    In theory, yes. IPv6 provides enough unique addresses for every device on the planet without any address sharing, which removes the original reason NAT was created. In practice, NAT remains widely used even in environments that have adopted IPv6, partly for organisational reasons and partly because the habit of keeping internal networks private has proven difficult to move away from.
  3. Why do gaming consoles report NAT type issues?
    Some games and online services require direct peer-to-peer connections between players. Strict NAT configurations block these inbound connection attempts because no port forwarding rule exists for them. Changing to a more open NAT configuration, or enabling UPnP on the router so devices can automatically register port forwarding rules, usually resolves this.
  4. What is the difference between NAT and a proxy?
    NAT operates at the network layer and translates IP addresses and port numbers in packet headers transparently without any involvement from the application making the connection. A proxy operates at the application layer and acts as an intermediary that the application must explicitly connect to. Both involve one party making requests on behalf of another, but they work at different levels of the networking stack and serve different purposes.
  5. Can two devices on different home networks have the same private IP?
    Yes, and this is completely normal. Private address ranges like 192.168.1.x are reused across millions of separate home networks simultaneously. Because private addresses are never routed on the public internet, there is no conflict. Your 192.168.1.10 and a neighbour's 192.168.1.10 are on completely separate private networks, each hidden behind their own public IP address.

Conclusion

NAT is one of the most important techniques that has allowed the internet to scale far beyond the address limits of IPv4. By allowing many devices to share a single public IP address through clever use of port tracking and address translation, NAT has kept the internet functional through decades of explosive device growth. Every home router performs NAT automatically, invisibly managing the translation between your devices' private addresses and the single public IP your ISP provides. Understanding how it works helps explain everything from port forwarding for game servers to why cloud networks are structured the way they are. To learn more, explore private vs public IP, default gateway, and IPv4 vs IPv6.