
Network Address Translation (NAT)

Category: Routing and Switching
Type: Network Concepts
Generated on: 2025-07-10 09:04:00
For: Network Engineering, Administration & Technical Interviews


Network Address Translation (NAT) Cheatsheet


What is NAT?

Network Address Translation (NAT) is a process that modifies IP address information in IP packet headers while in transit across a traffic routing device. It allows devices on a private network (using private IP addresses) to communicate with devices on a public network (like the Internet) using a public IP address.

Why is it important?

  • IPv4 Address Conservation: NAT allows multiple devices to share a single public IP address, mitigating IPv4 address exhaustion.

  • Security: Hides the internal network topology and IP addresses from the outside world, adding a layer of obscurity (not a substitute for a firewall; see the security considerations below).

  • Flexibility: Allows for easier network renumbering and IP address changes without affecting external connectivity.

Key Terms:

  • Private IP Address: An IP address from the ranges defined in RFC 1918 for use within private networks. These addresses are not routable on the public Internet.

    • 10.0.0.0 - 10.255.255.255 (10/8 prefix)
    • 172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
    • 192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
  • Public IP Address: An IP address assigned to a network device that is routable on the public Internet.

  • Inside Local Address: The IP address assigned to a host on the inside network. Often a private IP address.

  • Inside Global Address: The IP address presented to the outside world by the NAT device for the inside host. Often a public IP address.

  • Outside Local Address: The IP address of an outside host as it appears from the inside network.

  • Outside Global Address: The IP address of an outside host as it appears on the public Internet.

  • NAT Device: Typically a router or firewall performing the NAT function.

  • NAT Table: A table maintained by the NAT device that maps inside local addresses and ports to inside global addresses and ports.

  • SNAT (Source NAT): Modifies the source IP address of the packet. Also called Masquerading.

  • DNAT (Destination NAT): Modifies the destination IP address of the packet. Also called Port Forwarding.

  • PAT (Port Address Translation): A type of NAT that translates both the IP address and the port number. Allows multiple internal devices to share a single public IP address. Also called NAT Overload.

  • Static NAT: A one-to-one mapping between a private IP address and a public IP address.

  • Dynamic NAT: Uses a pool of public IP addresses and assigns them dynamically to internal hosts as needed.

How NAT Works (outbound SNAT/PAT):

+-----------------+      +-------------+      +-----------------+
| Internal Host   |----->| NAT Router  |----->| External Server |
| (192.168.1.10)  |      | (Public IP) |      | (8.8.8.8)       |
+-----------------+      +-------------+      +-----------------+
 (Private Network)                            (Public Network)

1. Internal Host (192.168.1.10) sends a packet to External Server (8.8.8.8).
2. NAT Router receives the packet. It replaces the source IP address (192.168.1.10) with its public IP address. It also assigns a unique source port.
3. NAT Router updates its NAT table with the mapping: (192.168.1.10:OriginalPort <-> PublicIP:NewPort)
4. The packet is forwarded to the External Server (8.8.8.8).
5. External Server responds to the PublicIP:NewPort.
6. NAT Router receives the response. It looks up the PublicIP:NewPort in its NAT table.
7. NAT Router replaces the destination IP address and port with the original Internal Host's IP address and port (192.168.1.10:OriginalPort).
8. The packet is forwarded to the Internal Host (192.168.1.10).

Inbound DNAT (Port Forwarding):

+-----------------+      +-------------+      +-----------------+
| External Client |----->| NAT Router  |----->| Internal Server |
| (4.4.4.4)       |      | (Public IP) |      | (192.168.1.20)  |
+-----------------+      +-------------+      +-----------------+
 (Public Network)                             (Private Network)

1. External Client (4.4.4.4) sends a packet to the NAT Router's Public IP address on a specific port (e.g., 80 for HTTP).
2. NAT Router receives the packet. It checks its configured DNAT rules.
3. NAT Router finds a rule that maps traffic for PublicIP:80 to 192.168.1.20:80.
4. NAT Router replaces the destination IP address with the Internal Server's IP address (192.168.1.20) and forwards the packet.
5. Internal Server (192.168.1.20) receives the packet and responds.
6. The response from the Internal Server goes back to the NAT Router.
7. NAT Router reverses the translation (SNAT/Masquerading) using the same entry: the source address 192.168.1.20 becomes its Public IP, so the reply appears to come from PublicIP:80.
8. The packet is forwarded to the External Client (4.4.4.4).
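
The two flows above, as an added example that is not part of the original cheatsheet: a small Python simulator of the NAT table, covering the outbound PAT mapping (steps 1 to 8 of the first flow) and a static port-forward entry (the second flow). The public address 203.0.113.5, the inside network 192.168.1.0/24 and the 60000 starting port are constructed values; the mapping is endpoint-independent (the same inside socket always gets the same public port), and a port forward is modelled as a permanent table entry, which is why the server's reply is translated back to PublicIP:80 without a separate rule.

```python
# Added example (not part of the original cheatsheet): a PAT + DNAT simulator
# that models the NAT table described in the two flows above.
# Addresses, ports and the 60000 starting port are constructed for illustration.
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    """The header fields NAT cares about (IP addresses, transport ports)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class NatRouter:
    """Stateful NAT device with one public IP and an endpoint-independent
    mapping: the same inside socket always gets the same public port."""

    def __init__(self, public_ip, inside_net, first_port=60000):
        self.public_ip = public_ip
        self.inside_net = ip_network(inside_net)   # plays the role of the NAT ACL
        self.next_port = first_port
        # NAT table: (proto, public_port) -> (inside_ip, inside_port)
        self.table = {}
        # reverse index: (proto, inside_ip, inside_port) -> public_port
        self.by_inside = {}

    def add_port_forward(self, proto, public_port, inside_ip, inside_port):
        """Static NAT / DNAT rule: a permanent table entry on a fixed public port."""
        if (proto, public_port) in self.table:
            raise ValueError("public port already mapped")
        self.table[(proto, public_port)] = (inside_ip, inside_port)
        self.by_inside[(proto, inside_ip, inside_port)] = public_port

    def _allocate_port(self, proto):
        """Pick the next public port not already used for this protocol."""
        while (proto, self.next_port) in self.table:
            self.next_port += 1
        port = self.next_port
        self.next_port += 1
        return port

    def outbound(self, pkt):
        """Inside -> outside (SNAT/PAT). Returns the translated packet, or
        None when the source is not in the inside network (ACL miss)."""
        if ip_address(pkt.src_ip) not in self.inside_net:
            return None
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        if key not in self.by_inside:           # first packet: create the mapping
            pub_port = self._allocate_port(pkt.proto)
            self.table[(pkt.proto, pub_port)] = (pkt.src_ip, pkt.src_port)
            self.by_inside[key] = pub_port
        return replace(pkt, src_ip=self.public_ip, src_port=self.by_inside[key])

    def inbound(self, pkt):
        """Outside -> inside. A reply to an outbound mapping or a packet that
        hits a port-forward entry is translated; anything else has no table
        entry and is dropped (returns None)."""
        if pkt.dst_ip != self.public_ip:
            return None
        entry = self.table.get((pkt.proto, pkt.dst_port))
        if entry is None:
            return None
        inside_ip, inside_port = entry
        return replace(pkt, dst_ip=inside_ip, dst_port=inside_port)


if __name__ == "__main__":
    nat = NatRouter("203.0.113.5", "192.168.1.0/24")
    nat.add_port_forward("tcp", 80, "192.168.1.20", 80)
    print(nat.outbound(Packet("192.168.1.10", 5000, "8.8.8.8", 53, "udp")))
    print(nat.inbound(Packet("8.8.8.8", 53, "203.0.113.5", 60000, "udp")))
    print(nat.inbound(Packet("4.4.4.4", 40000, "203.0.113.5", 80)))
    print(nat.inbound(Packet("4.4.4.4", 1, "203.0.113.5", 22)))   # None: no entry
```

The last call shows the security side effect of the table: an unsolicited packet to a port with no mapping and no forward rule is simply dropped, while a packet to the forwarded port reaches the inside server from any source.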
NAT and Protocol Headers:

  • IP Header: NAT modifies the Source IP Address and Destination IP Address fields.

  • TCP/UDP Header: NAT modifies the Source Port and Destination Port fields (in PAT).

  • ICMP: ICMP messages can be affected by NAT, especially error messages containing IP addresses. NAT devices need to be aware of ICMP to translate addresses correctly.

  • Application Layer Protocols: Some application layer protocols (e.g., FTP, SIP) embed IP addresses within their payload. NAT traversal techniques (e.g., Application Layer Gateways - ALGs) are needed to handle these protocols correctly.
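
Why an ALG is needed for FTP, as an added example that is not from the cheatsheet: in active-mode FTP the client sends a PORT command whose payload spells out its own (private) address and port, which NAT at the IP layer never touches. The code below parses the command, rewrites it with the public address, records the temporary DNAT entry the NAT device must hold for the server's data connection, and reports the payload length change that forces a TCP sequence-number fix-up. The public address 203.0.113.5, the 61000 port range and the sample command are constructed.

```python
# Added example (not from the cheatsheet): what an FTP ALG has to do with an
# active-mode PORT command, whose payload carries the client's private address.
# Public IP, the 61000 port range and the sample command are constructed.
import re

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r?\n?$")


def parse_port_command(line):
    """'PORT h1,h2,h3,h4,p1,p2' -> (ip, port), or None if not a valid PORT."""
    m = PORT_RE.match(line)
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None
    return ".".join(str(f) for f in fields[:4]), fields[4] * 256 + fields[5]


def format_port_command(ip, port):
    """Inverse of parse_port_command, with the CRLF the protocol requires."""
    return "PORT " + ",".join(ip.split(".") + [str(port // 256), str(port % 256)]) + "\r\n"


class FtpAlg:
    """Rewrites the embedded address and reserves a public port for the
    server's incoming data connection (a temporary DNAT entry)."""

    def __init__(self, public_ip, first_port=61000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.data_dnat = {}    # public_port -> (inside_ip, inside_port)

    def rewrite(self, line):
        """Returns {"line", "dnat", "seq_delta"}. Non-PORT lines pass through."""
        parsed = parse_port_command(line)
        if parsed is None:
            return {"line": line, "dnat": None, "seq_delta": 0}
        inside_ip, inside_port = parsed
        pub_port = self.next_port
        self.next_port += 1
        self.data_dnat[pub_port] = (inside_ip, inside_port)
        new_line = format_port_command(self.public_ip, pub_port)
        # The payload length changed, so the NAT device must also adjust TCP
        # sequence/acknowledgement numbers on this control connection from now on.
        return {
            "line": new_line,
            "dnat": (pub_port, inside_ip, inside_port),
            "seq_delta": len(new_line) - len(line),
        }


if __name__ == "__main__":
    alg = FtpAlg("203.0.113.5")
    print(alg.rewrite("PORT 192,168,1,10,19,136\r\n"))
```

Without the rewrite, the server would read the original line and open its data connection to 192.168.1.10:5000, a private address that is not routable from the Internet, which is the failure mode the bullet above describes.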

Real-World Scenarios:

  • Home Router: A home router uses NAT to allow multiple devices (laptops, smartphones, etc.) to share a single public IP address provided by the ISP. It typically uses PAT/Masquerading.

  • Corporate Network: A company uses NAT to hide its internal network structure and IP addresses from the outside world, improving security. They might use a combination of static NAT for specific servers and dynamic NAT/PAT for user workstations.

  • Web Server Hosting: A hosting provider uses DNAT (Port Forwarding) to direct traffic to specific web servers behind a load balancer. The load balancer then distributes the traffic to the actual servers.

  • Gaming: Port forwarding is often required to host online game servers or improve the performance of peer-to-peer gaming applications.

Challenges and Considerations:

  • Symmetric NAT: A type of NAT where the mapping between internal and external IP addresses/ports changes depending on the destination. This can cause problems with peer-to-peer applications and VoIP.

  • Double NAT: When multiple NAT devices are chained together, it can cause connectivity issues and make troubleshooting difficult.

  • Application Compatibility: Some applications are not NAT-friendly and require special handling or configuration (e.g., using STUN, TURN, ICE protocols for VoIP).

  • MTU Issues: NAT can sometimes cause MTU (Maximum Transmission Unit) problems if the packet size is not properly adjusted after translation.

  • Security Risks: While NAT provides a degree of security, it’s not a substitute for a firewall. Misconfigured NAT rules can expose internal services to the Internet.

  • Troubleshooting: NAT can make network troubleshooting more complex, as the IP addresses seen on the outside network are different from the internal IP addresses.
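
The symmetric NAT and STUN points above, as an added example that is not part of the cheatsheet: the only thing modelled is the NAT's mapping decision, so the effect of a destination-dependent mapping on a STUN-discovered port can be seen directly. "Endpoint-independent" and "address-dependent" are the RFC 4787 names for cone-style and symmetric behaviour; the addresses and the 40000 port base are constructed.

```python
# Added example (not from the cheatsheet): how the NAT mapping rule decides
# whether a STUN-discovered public port is usable by a peer. Addresses and the
# 40000 port base are constructed.
class PortMapper:
    """Only the mapping decision of a NAT device: which public port does a
    given inside socket get, and does that depend on whom it talks to?"""

    def __init__(self, symmetric, first_port=40000):
        self.symmetric = symmetric
        self.next_port = first_port
        self.mappings = {}

    def public_port(self, inside, dest):
        """inside and dest are (ip, port) tuples; returns the public port used."""
        # Symmetric NAT keys the mapping on the destination as well, so every
        # new peer sees a different public port for the same inside socket.
        key = (inside, dest) if self.symmetric else inside
        if key not in self.mappings:
            self.mappings[key] = self.next_port
            self.next_port += 1
        return self.mappings[key]


def stun_reflexive_port_usable(nat, inside, stun_server, peer):
    """STUN tells the client the public port the STUN server saw. A peer can
    only reach the client on it if the NAT reuses that port for the peer."""
    reported = nat.public_port(inside, stun_server)
    actual = nat.public_port(inside, peer)
    return reported == actual


def classify_mapping(nat, inside, probe_a, probe_b):
    """Probe two different servers (as a STUN client does) and classify."""
    if nat.public_port(inside, probe_a) == nat.public_port(inside, probe_b):
        return "endpoint-independent (cone-style: peer-to-peer friendly)"
    return "address-dependent (symmetric: STUN alone will not work)"


if __name__ == "__main__":
    client = ("192.168.1.10", 5000)
    stun = ("198.51.100.1", 3478)
    peer = ("203.0.113.77", 4000)
    for symmetric in (False, True):
        nat = PortMapper(symmetric)
        print(symmetric, stun_reflexive_port_usable(nat, client, stun, peer))
```

Behind a symmetric NAT the peer must be reached through a relay (TURN) or the candidates must be negotiated with ICE, which is why those protocols are listed beside STUN above.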

Troubleshooting Tips:

  • Check NAT Table: Examine the NAT table on the router to see if the translations are being created correctly.
  • Packet Capture: Use tools like Wireshark or tcpdump to capture packets on both the inside and outside of the NAT device to see how the IP addresses and ports are being translated.
  • Ping and Traceroute: Use ping and traceroute to test connectivity and identify where the NAT is occurring.
  • Check Firewall Rules: Ensure that firewall rules are not blocking traffic related to NAT.
  • Verify DNS Resolution: Ensure that internal and external DNS resolution is working correctly.
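
The "Check NAT Table" tip in practice on a Linux NAT device, as an added example that is not part of the cheatsheet: parse entries in the text layout printed by `conntrack -L` (original tuple followed by reply tuple) and work out from the two tuples whether each entry is source-translated, destination-translated, or not translated at all. The sample entries are constructed and reuse the addresses from the flows earlier on this page.

```python
# Added example (not from the cheatsheet): inspect the NAT table of a Linux
# NAT device. The sample below is constructed in the text layout printed by
# `conntrack -L` (original tuple, then reply tuple).
import re

SAMPLE_CONNTRACK = """\
tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=8.8.8.8 sport=5000 dport=443 src=8.8.8.8 dst=203.0.113.5 sport=443 dport=60000 [ASSURED] mark=0 use=1
tcp      6 117 TIME_WAIT src=4.4.4.4 dst=203.0.113.5 sport=40000 dport=80 src=192.168.1.20 dst=4.4.4.4 sport=80 dport=40000 [ASSURED] mark=0 use=1
udp      17 29 src=192.168.1.1 dst=192.168.1.11 sport=67 dport=68 src=192.168.1.11 dst=192.168.1.1 sport=68 dport=67 mark=0 use=1
"""

TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")


def parse_conntrack_line(line):
    """Split one entry into its original and reply 4-tuples and decide
    which kind of translation (if any) the entry represents."""
    tuples = TUPLE_RE.findall(line)
    if len(tuples) != 2:
        return None
    (osrc, odst, osport, odport), (rsrc, rdst, rsport, rdport) = tuples
    return {
        "proto": line.split()[0],
        "orig": (osrc, int(osport), odst, int(odport)),
        "reply": (rsrc, int(rsport), rdst, int(rdport)),
        # SNAT: the reply is not addressed back to the original source socket
        "snat": (rdst, int(rdport)) != (osrc, int(osport)),
        # DNAT: the reply does not come from the socket the original was sent to
        "dnat": (rsrc, int(rsport)) != (odst, int(odport)),
    }


def nat_table(text):
    """All parsable entries from `conntrack -L` output."""
    return [e for e in map(parse_conntrack_line, text.splitlines()) if e]


def describe(entry):
    """One human-readable line per entry."""
    kinds = [k for k, flag in (("SNAT", entry["snat"]), ("DNAT", entry["dnat"])) if flag]
    kind = " + ".join(kinds) or "untranslated"
    o, r = entry["orig"], entry["reply"]
    return f"{entry['proto']} {kind}: {o[0]}:{o[1]} -> {o[2]}:{o[3]}  (replies go to {r[2]}:{r[3]})"


def public_socket_for(entries, inside_ip, inside_port):
    """Which public ip:port is this inside socket currently using?"""
    for e in entries:
        if e["snat"] and e["orig"][:2] == (inside_ip, inside_port):
            return e["reply"][2], e["reply"][3]
    return None


if __name__ == "__main__":
    entries = nat_table(SAMPLE_CONNTRACK)
    for e in entries:
        print(describe(e))
    print(public_socket_for(entries, "192.168.1.10", 5000))
```

On a real device, feed the function the output of `conntrack -L` (from conntrack-tools) instead of the constructed sample; an entry whose reply tuple simply mirrors the original tuple is traffic the device forwards without translating, which is the first thing to check when a flow that should be translated is not.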

Cisco IOS Router:

! Outside (public) interface
interface GigabitEthernet0/0
 ip address 203.0.113.5 255.255.255.0
 ip nat outside
! Inside (private) interface
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
! Access list 1 defines which inside source addresses get translated
access-list 1 permit 192.168.1.0 0.0.0.255
! NAT overload (PAT): translate sources matched by access-list 1 to the outside interface's address
ip nat inside source list 1 interface GigabitEthernet0/0 overload
! Static NAT (port forwarding): outside TCP/80 -> 192.168.1.10:80
ip nat inside source static tcp 192.168.1.10 80 interface GigabitEthernet0/0 80

Linux (iptables):

# Enable IP forwarding (eth0 = outside/WAN, eth1 = inside/LAN)
echo 1 > /proc/sys/net/ipv4/ip_forward
# NAT for outgoing traffic (SNAT/Masquerading): rewrite the source to eth0's address
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# DNAT (Port Forwarding): send inbound TCP/80 arriving on eth0 to the internal web server
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.10:80
# Allow forwarded traffic. The ACCEPT rules only restrict anything if the
# chain's default policy is DROP; without it every forwarded packet is allowed.
iptables -P FORWARD DROP
# Replies to connections initiated from the inside
iptables -A FORWARD -i eth0 -o eth1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# The forwarded port is the only new inbound connection allowed (DNAT has already rewritten the destination)
iptables -A FORWARD -i eth0 -o eth1 -p tcp -d 192.168.1.10 --dport 80 -m conntrack --ctstate NEW -j ACCEPT
# Everything from the inside may go out
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

pfSense (GUI):

  1. Navigate to Firewall -> NAT -> Outbound. Configure the outbound NAT mode (Automatic, Manual, or Hybrid). Typically, Automatic is sufficient for basic masquerading.
  2. For Port Forwarding (DNAT), navigate to Firewall -> NAT -> Port Forward. Specify the interface, protocol, external port range, internal IP address, and internal port.

Common Interview Questions:

  • What is NAT and why is it used? (Explain IPv4 address exhaustion, security, and flexibility)
  • Explain the difference between SNAT and DNAT. (Source vs. Destination NAT)
  • What is PAT (Port Address Translation)? How does it work? (Explain how multiple internal devices can share a single public IP address using port numbers)
  • What are the advantages and disadvantages of NAT? (Address conservation, security vs. complexity, application compatibility issues)
  • Explain the difference between static NAT and dynamic NAT. (One-to-one mapping vs. using a pool of addresses)
  • What is double NAT and what problems can it cause? (Multiple NAT devices in a chain, connectivity issues, troubleshooting complexity)
  • How does NAT affect application layer protocols like FTP or SIP? (Embedded IP addresses, need for ALGs or other NAT traversal techniques)
  • How would you troubleshoot a NAT-related connectivity issue? (Check NAT table, packet capture, ping, traceroute, firewall rules)
  • Can you give an example of a real-world scenario where NAT is used? (Home router, corporate network, web server hosting)
  • What are some security considerations related to NAT? (Not a substitute for a firewall, misconfigured rules can expose internal services)
  • What is an ALG and why is it needed? (Application Layer Gateway, needed for protocols that embed IP addresses in their payload)

Example Detailed Answer:

Question: What is PAT (Port Address Translation)? How does it work?

Answer: PAT, or Port Address Translation, is a type of NAT that translates both the IP address and the port number. It’s also commonly referred to as NAT Overload. It allows multiple devices on a private network to share a single public IP address when communicating with the outside world. Here’s how it works:

  1. An internal device, let’s say a computer with the private IP address 192.168.1.10 and port 5000, wants to access a web server on the Internet.
  2. The packet from the internal device reaches the NAT router.
  3. The NAT router replaces the source IP address (192.168.1.10) with its own public IP address (e.g., 203.0.113.5).
  4. Crucially, the NAT router also changes the source port (5000) to a different, unused port on the router, let’s say 60000.
  5. The NAT router creates an entry in its NAT table, mapping the original internal IP address and port (192.168.1.10:5000) to the new public IP address and port (203.0.113.5:60000).
  6. The packet is then sent to the web server with the source IP address and port of the NAT router (203.0.113.5:60000).
  7. When the web server responds, it sends the packet back to the NAT router’s public IP address and port (203.0.113.5:60000).
  8. The NAT router looks up the destination IP address and port (203.0.113.5:60000) in its NAT table.
  9. It finds the entry and replaces the destination IP address and port with the original internal IP address and port (192.168.1.10:5000).
  10. The packet is then forwarded to the internal device (192.168.1.10).

By using different port numbers for each internal device, the NAT router can distinguish between the different connections and correctly forward the traffic. This allows many internal devices to share a single public IP address, which is essential for conserving IPv4 addresses.

Related Topics:

  • Firewalls: NAT is often implemented as part of a firewall.
  • VPNs (Virtual Private Networks): VPNs provide secure, encrypted connections over public networks and often use NAT.
  • STUN/TURN/ICE: Protocols used for NAT traversal in VoIP and other real-time communication applications.
  • Application Layer Gateways (ALGs): Software components that modify application data to handle NAT.
  • IPv6: The successor to IPv4, designed to address the IPv4 address exhaustion problem, reducing the need for NAT in many scenarios.
  • SDN (Software-Defined Networking): SDN allows for centralized control and management of network devices, including NAT functions.
  • CGNAT (Carrier-Grade NAT): Large-scale NAT deployments used by ISPs to extend the life of IPv4.

This cheatsheet provides a comprehensive overview of NAT, covering its key concepts, operation, configuration, troubleshooting, and related topics. It should be a valuable resource for students, network administrators, and anyone preparing for technical interviews. Remember to practice configuring and troubleshooting NAT in a lab environment to gain hands-on experience.