An Explanation of Network Address Translation (NAT)

Think about this…

There are 4.2 billion IPv4 public IP addresses available.

There are 8.7 billion Internet-connected devices in the world.

If there are more Internet-connected devices than there are publicly available IP addresses, how have we not run out of IP addresses already?!

Because of NAT.

NAT can hide multiple devices within the same network behind just 1 IP address.


Private IP addresses cannot be sent over the Internet, only public IP addresses can.

There are more people with private IP addresses in the world than there are public IP addresses.

Then how are computers assigned with private IP addresses able to go out to the Internet?

Because of NAT.

NAT allows private IPs to traverse the Internet by translating them into a public IP.

Click here to learn more about private IP ranges: Excuse Me, Is This IP Address Free or For Sale?


Advantages of NAT

  • Many-to-One NAT hides all the computers in a local area network behind 1 public IP address.  Jack, Ken, Paul, and Steve all have private IP addresses assigned to them in their local network.  When they all reach out to the Internet,  all their machines will use 1 public IP address.


  • One-to-One NAT correlates 1 machine with a private IP address to 1 public IP address.  This type of NAT is not so much for internal users, it is for web servers.  This way, users can initiate connections from the Internet to reach the Web Server on it’s public IP.


  • Public IPs are running out.  The fact of the matter is that the world is running out of public IP addresses.  NAT helps to consolidate multiple machines with private IP addresses by making all of them use 1 public IP.  Using NAT to consolidate entire local networks behind one IP addresses is a great way to save IP spaces.


  • NAT saves money because it costs money to buy public IP addresses.  A company can have 500 users, and the CFO does NOT want to purchase 500 different public IP addresses.  The company can buy 1 public IP, and use that for all 500 users.  


Study Notes!
Not everyone needs their own IP!
However, with the use of IPv6, everyone CAN have their own IP.
Number of available IPv4 public IP addresses: 4,500,000,000
Number of available IPv6 public IP addresses: 340,282,366,920,938,463,463,374,607,431,768,211,456


Click here to learn more about: The Different Types of NAT


The Concept of NAT


Jack has an IP address of – a private IP address

Jack uses his computer to go to



Jack’s request ingresses his company router’s local interface port from his computer as

router edit

And egresses the router’s firewall facing interface port as


From the router to the firewall the packet still has a source IP of

The packet then enters the firewall

The firewall will be the one to perform Network Address Translation


The packet ingresses the firewall as, and then egresses towards the Internet as – a public IP



This is the concept of how NAT functions.

The company bought the IP to represent Jack’s machine, as well as other machines in the same network. 

In our scenario, a firewall did the translating of the private IP address to the public IP address.

But a router  can perform NAT too.

It all depends on how your company infrastructure is setup.  

Some companies have a firewall at the edge of their network with a router behind it.  While others have a router at the edge of their network with a firewall behind it.

You can check the PROS and CONS of each scenario in this post: Should I Put the Firewall Before or after a Router?

What if NAT isn’t configured on a firewall or a router? 

What happens when a machine with an IP of tries to go out to the Internet? 

The router will drop it.

Study Notes!
A router sitting between the Internet (which uses public IPs) and the local network (which uses private IPs), will drop any packets with a private IP address unless NAT is configured.

Also, private IP addresses can  be routed through the Internet  through the use of technologies like a VPN or an MPLS.  But these technologies have ways to “hide” the fact that they are carrying private IP addresses.

Lastly, private IP addresses can be routed through the Internet, but most edge devices such as Internet backbone routers are designed to drop them automatically.


Study Notes

Looking at the OSI Model, where do you think NAT occurs?

It's easy, just think, what does NAT deal with? IP Addresses? MAC Addresses? Or Website URLs?

NAT occurs at Layer 3 of the OSI Model. What devices are located at Layer 3?

NAT deals with IP Addresses

Routers. Firewalls. Load Balancers

What layer of the OSI Model deals only with IP addresses? Layer 3 - the Networking Layer

All these devices have the ability to perform NAT, and are located at Layer 3 of the OSI Model



Jack's computer, is NAT'd to

What if it needs to go over a VPN tunnel?

You would actually have to configure the firewall to NOT NAT

This is known as a NO-NAT or Manual NAT.