16 November 2021 | 7 min read

What Is Network Address Translation? A Beginner’s Guide To NAT

Discover why Network Address Translation is important, how it works and what different types of NAT are available.

What is network address translation.

Network address translation (NAT) is a process that allows multiple devices on a local network to share a single IP address publicly, even when all devices have unique private IP addresses within that network. 

Network address translation facilitates this by converting the assigned private addresses of network devices into the public IP addresses of their respective networks. This means packets of data can be sent and received by the correct devices. Without the need for multiple public IPs within a single local network. 

Most home routers employ network address translation, but this isn’t the sole use of NAT. Even large organizations with a relatively large private network may choose to have their entire internal network use a single IP address for economic or security reasons. 

So how does network address translation take multiple private IP addresses and use only one public IP address? Let’s dig into the process below. 

How does network address translation work? 

Before we get into how network address translation works, first we quickly need to make sure we’re on the same page about what an IP address is and why it’s important for the exchange of data on the internet. 

IP addresses function as the mailing addresses of the internet. When data is sent via the internet, it is sent in IP packets, each of which needs a destination address to know where it’s meant to go. 

However, there are different kinds of IP addresses. When discussing network address translation, we mainly talk about public and private IP addresses

A public address is a global IP address. It is accessible to other devices on the internet, outside of a given LAN network. A private address is an IP address assigned to a specific network device. It is accessible only to other devices within the same local network. 

Devices with private IP addresses can send requests for data. However, if the source IP address remains private, the receiving server can’t tell where to return the data back to. 

This is where network address translation comes in. When sending data requests to an external network, a NAT router or NAT firewall is able to convert the device’s private IP address into the network’s public IP address. This ensures that the data is sent to the right place. 

The process of network address translation

Here’s an example of how network address translation works in practice:

  1. You connect your device to your home Wi-Fi network
  2. Your home router assigns your device a private IP address. Like all private IP addresses, this address is only used within your network. 
  3. You attempt to load a web page. This sends a request through the internet via your router
  4. Your NAT router changes the source address of the request from your device’s private address to your network’s public IP address. The translation is saved in a NAT table.
  5. The server you’re attempting to access returns the requested packet to your network’s public IP address. 
  6. Your router changes the destination address back to your device’s private IP address and routes the packet to your device
Graphic that demonstrates the functionality of network address translation.
How network address translation (NAT) works

Why is network address translation important? 

NAT helps networks in two key ways. First, it acts as a security layer between the public internet and private devices on an internal network. Second, it helps reduce the demand for global IP addresses. This is particularly important for IPv4 addresses, as the adoption of IPv6 addresses is still years away. 

Security purposes

Many network engineers use network address translation to protect devices on their networks from cyberattacks. 

The NAT process acts as an additional layer of security between devices on a private network and the rest of the internet. It offers the NAT router or NAT firewall the opportunity to sort and check the data as it’s sent to a device. This can help prevent anyone from accessing a private device. 

Let us note that your private addresses cannot ensure full security. Without a doubt, you should also use encryption and other security tools. That said, keeping your devices on a local IP address is a good extra security measure. 

Private IP exhaustion prevention

Using a single public IP address for multiple devices on a network also helps ensure that the assignment of public IPs is as efficient as possible. 

The problem being solved here is that IPv4 is still the most commonly used format of IP addresses on the internet. However, there are only about 4.3 billion possible IPv4 addresses available, and we are already dealing with IPv4 exhaustion

If each device on all private IP networks was assigned a public IP address, we’d very quickly run out of assignable IPv4 addresses. This is why, instead of assigning a public IP address, it’s useful to be able to assign local IP addresses within a network and use only one global IP address for all traffic on that network. 

Effectively, you’re aggregating the traffic on an entire network to a single source IP address. You then use publicly unregistered IP address identifiers for devices within the network. 

Private IP address space IP ranges and number of addresses.
Private IPv4 address space

Types of network address translation

Since network address translation exists within the world of IP addresses, it’ll come as no surprise that there’s the added complication of there being multiple kinds of NAT. There are, in fact, three. 

If you know anything about IP addresses, you may also know that they fall into two other categories: static and dynamic addresses. These correspond to the first two kinds of NAT. 

Static IP addresses use the same address over time, whereas dynamic IP addresses change periodically. Learn more about both below. 

Static NAT (SNAT)

Static network address translation refers to NAT that uses a consistent public IP address each time it translates a private IP address to a public one. The static refers to the fact that the global IP address remains unchanged with each translation. 

In the case of static network address translation, all private, unregistered IP addresses on a network are mapped to specific public addresses. This means that each device on the network is associated with a specific public address. 

This is a NAT solution often used in web hosting. It is rarely used by large organizations, as it would require the organization to purchase a public IP address for every connected device. 

Dynamic NAT (DNAT)

As you may have guessed, dynamic network address translation differs from static NAT. That is because it uses different IP addresses rather than the same one each time. 

Under dynamic NAT, the router or firewall running the NAT (i.e., NAT device) has access to a pool of public IP addresses. When translating a private address to a public one, dynamic NAT allows routers to choose any free public IP address from the pool. 

As a result, the NAT device uses a different IP address for each translation. This means that you can’t predict which global address each private address is mapped onto. 

While this is a neat solution for using IP addresses efficiently, it’s also relatively costly for organizations to configure NAT. That is because they need to invest in a big enough pool of publicly registered IP addresses.  

Although this means that more devices can connect to the internet on a network, the number of packets sent and received at any given time is still limited by the number of public IP addresses available. If the pool has 15 public IPs, then only 15 local IPs can be translated at any given moment. 

Port address translation (PAT)

The final form of NAT is port address translation, which is sometimes referred to as NAT overload. This is a type of dynamic NAT, but it differs in a few key ways. 

Instead of each private IP address being mapped onto a single unique IP address (public), several private IP addresses are banded together to use one public IP address. 

So, instead of using the IP addresses to identify the source device, the router or NAT firewall uses port numbers to distinguish the traffic. These port numbers are assigned to devices on the network. They allow the router to return packets to multiple devices using a single public IP. 

NAT overload is the most cost-effective form of NAT. It requires the smallest number of public IP addresses to be registered by an organization. In theory, thousands of devices connected to a network can all access the internet using the same public IP address. 

Graphic demonstrating the difference between SNAT and DNAT.
DNAT vs. SNAT

What is the difference between DNAT and SNAT?

The key difference between dynamic and static NAT is how private IPs are mapped onto public ones. 

In the static version, IPs are mapped 1 to 1 from private or to public. This means that each private device always uses the same public address. 

In the case of dynamic NAT, the publicly mapped IPs are drawn from a pool when they’re needed. This means a private device has a different public IP each time it accesses the internet. 

Large organizations commonly use both, and both require investment in global IPs. 

Conclusion

To sum up, network address translation (NAT) is a way for a network to use the same IP address for multiple connected devices. 

Though every device has its own local IP address, these are unregistered IP addresses. Internal IP addresses need to be translated into global addresses so that the IP packet of data being requested can be returned to the correct device. 

A NAT gateway router or firewall is able to carry out this translation each way. It does this either statically, using the same public IP for a specific private IP, or dynamically, assigning public IPs to private ones from a pool. 

All this can help networks save money, boost security and ensure more public IPs available for use.