NAT: Network Address Translation

Network address translation involves mapping one IP address to another. It is widely used, from home users through to large ISPs (Internet Service Providers). It became widespread when we started running out of public IP addresses.

NAT is usually applied by a router or a firewall. It allows a large network to use a single public IP address – assigned to a gateway router. Traffic from devices on the network is then translated to that single address. The router must keep track of the mappings used for the different devices.

NAT Advantages

  • Conserving address space. There are no public IPv4 addresses left, and NAT means that we don’t have to give a dedicated public IP address every device on a network.

  • Security. NAT adds a layer of defence because hosts behind NAT will not be directly reachable from outside the network.

NAT Disadvantages

  • Keeping track of translations is CPU and memory intensive. It may require more powerful hardware.

  • Some things break or get more complicated when NAT is used. For example, ‘peer to peer’ communications become less straight forward.

  • Troubleshooting problems can become more challenging because you may no longer have full end to end traceability.

Basic NAT

Basic NAT, or one-to-one NAT, maps each IP address to a different IP address. For example, mapping addresses from to may result in being mapped to Basic NAT doesn’t help save address space, but it can help interconnect networks with different addressing schemes.

One-to-many NAT

One-to-many NAT is the most useful, and most common implementation of NAT. Because multiple addresses all get mapped to a single one, the router must have a way of distinguishing the traffic which comes back. A common way of doing this is to use port numbers to differentiate between the streams of traffic and translate back to the original IP addresses. This type of NAT is sometimes called Port Address Translation (PAT) or Network Address and Port Translation (NAPT).

How it Works

There are several different ways of implementing one-to-many NAT, but typically it is something like this:

Outbound traffic will have its source IP address (IP_A) and source port (PORT_A) translated to the external, public, IP address (IP_B) and a particular source port (PORT_B).

These translations are recorded in a translation table, the IP header is changed, and the packet is routed onwards.

Inbound traffic is looked up against the translation table. If the destination address matches IP_B (the external address) and the destination port matches PORT_B, then the traffic will be mapped to IP_A:PORT_B.

The IP header is updated, and the packet is routed to the original host.

IP Masquerading

IP masquerading is the implementation of one-to-many NAT commonly used to ‘hide’ a network of private addresses behind a single public IP address. An example of this is home routers – all devices on a home network will typically be assigned a private address. When traffic transits the router to the ISP, the private addresses will be mapped to a single public IP address.

Prerequisite Skills


The Complete Guide to IPv4 Subnetting

IP networks are made up of groups of IP addresses which get allocated to devices. The division of addresses is called subnetting. A single…


TCP: The Transmission Control Protocol

Most Internet applications use TCP for the transport layer (layer 4 in the OSI model). It is a connection-oriented protocol which provides…


UDP: User Datagram Protocol

UDP (User Datagram Protocol) is a simple transport layer protocol defined in RFC 768. It is designed to run on top of IP and is assigned IP…

Follow On Cyber Learning


Firewalls in Computer Networking

Firewalls play an important part in protecting modern computer networks.

Related Training Courses


Computer Networking Foundations

Understand how modern computer networks work.