Network address translation

What Is Network Address Translation?

Network address translation (NAT) is a method by which IP addresses are mapped from one address realm to another, enabling devices that use private IP addresses to communicate with hosts on public networks such as the internet. A NAT device, typically a router or firewall, intercepts outbound packets, rewrites their source addresses to a single public IP, and maintains a state table so that return traffic can be correctly forwarded back to the originating internal host. The technique was first specified in RFC 1631 by the IETF in 1994, though the most widely adopted variant is described in RFC 3022.

NAT emerged as a pragmatic response to the exhaustion of IPv4's 32-bit address space, which provides roughly 4.3 billion unique addresses. By allowing many devices behind a single gateway to share one public address, NAT extended the viable lifetime of the IPv4 internet by years, buying time for the gradual adoption of IPv6.

NAT Types and Address Mapping

The IETF distinguishes two primary forms of NAT. Basic NAT performs a one-to-one translation, mapping each internal private address to a distinct public address from a pool. Network Address Port Translation (NAPT), sometimes called PAT or IP masquerading, extends this idea by also translating transport-layer port numbers, allowing many internal hosts to share a single public IP address simultaneously. NAPT is the dominant form deployed in residential and enterprise gateway equipment today. A third variant, static NAT, creates a fixed, permanent mapping between a private address and a public one, which is used when an internal server must be reachable from the outside with a consistent public address.

Traversal and Protocol Compatibility

Because NAT breaks the end-to-end connectivity model that the original internet architecture assumed, it introduces compatibility challenges for protocols that embed IP addresses in their payload rather than just in the IP header. Applications such as FTP, SIP for VoIP, and IPsec require application-layer gateways (ALGs) or NAT traversal techniques to function correctly. The IETF has standardized several traversal mechanisms, including RFC 4787, which defines behavioral requirements for NAT devices handling UDP, and the STUN and TURN protocols used by WebRTC and other real-time communication frameworks. Symmetric NAT, which assigns a different port mapping for each destination, presents the greatest difficulty for peer-to-peer traversal.

Carrier-Grade and IPv6 Transition

As ISPs face continued pressure on public IPv4 inventory, carrier-grade NAT (CGN or CGNAT) extends the translation function to a shared device serving entire neighborhoods or enterprise blocks, effectively adding a second NAT layer between the subscriber's router and the public internet. This double translation increases the complexity of logging and lawful intercept requirements. In parallel, transition mechanisms such as NAT64 and DNS64 allow IPv6-only clients to reach IPv4 servers by performing a protocol-level address translation at the network edge, bridging the two protocol generations during the ongoing IPv4-to-IPv6 migration.

Applications

Network address translation has applications in a wide range of disciplines, including:

  • Home and enterprise routing, where a single ISP-assigned public address serves many devices
  • Firewall and perimeter security, where NAT provides implicit address hiding for internal hosts
  • Data center load balancing, where destination NAT directs inbound traffic to server pools
  • VoIP and unified communications, where ALGs and traversal protocols handle SIP and RTP
  • IPv4-to-IPv6 migration, using NAT64 gateways to bridge address families
Loading…