Addressing and routingIP services and securityBeginner | Intermediate | Advanced41 min read

What Is NAT in Networking?

Reviewed byJohnson Ajibi· Senior Network & Security Engineer · MSc IT Security

This page mentions older exam versions. See the Current Exam Context and Legacy Exam Context sections below for the updated mapping.

On This Page

Quick Definition

Network Address Translation (NAT) lets your home or office network use one public IP address for all devices, like a receptionist in an office building who receives all mail and delivers it to the right person. When you connect to the internet, NAT changes your private IP address to the public IP address of your router. This saves public IP addresses and adds a layer of privacy. It is a core part of how most networks connect to the internet.

Common Commands & Configuration

ip nat inside source static 10.0.0.10 203.0.113.10

Configures static NAT on a Cisco router: maps internal IP 10.0.0.10 to public IP 203.0.113.10 permanently.

CCNA tests this command for servers that need fixed public IPs. Know the 'ip nat inside' and 'ip nat outside' interface commands that accompany this.

ip nat pool POOL1 203.0.113.20 203.0.113.30 netmask 255.255.255.0 ip nat inside source list 1 pool POOL1

Creates a dynamic NAT pool and associates it with access-list 1. Internal hosts matched by ACL 1 get an address from the pool.

Network+ and CCNA both test dynamic NAT pools. Remember that the pool must have at least as many IPs as concurrent connections needed.

ip nat inside source list 1 interface GigabitEthernet0/0 overload

Enables PAT (overload) on the router's external interface using the interface's assigned public IP.

This is the most common NAT command. CCNA and Network+ always include a question about PAT configuration. The 'overload' keyword is the differentiator.

show ip nat translations

Displays active NAT translations including inside local, inside global, outside local, and outside global addresses.

Used for troubleshooting connectivity issues. CCNA exam simulators often ask you to verify translations after configuration.

clear ip nat translation *

Clears all dynamic NAT entries from the translation table.

Network+ troubleshooting scenarios: use this after changing NAT rules or when stale translations block new connections.

debug ip nat

Enables real-time logging of NAT translations showing packet details.

CCNA hands-on labs use this to verify NAT is working. Caution: performance impact on production routers.

aws ec2 create-nat-gateway --subnet-id subnet-123 --allocation-id eipalloc-456

Creates an AWS NAT Gateway in a public subnet with a specific Elastic IP allocation.

AWS SAA tests: NAT Gateways require a public subnet and an Elastic IP. Remember they are AZ-specific.

az network nat gateway create --resource-group RG --name MyNatGateway --public-ip-addresses PublicIP --idle-timeout 10

Creates an Azure NAT Gateway resource with a 10-minute idle timeout.

AZ-104 asks about idle timeout configuration to optimize port reuse. Default is 4 minutes.

NAT appears directly in 4,764exam-style practice questions in Courseiva's question bank — one of the most-tested concepts on CompTIA Security+. Practise them →

Must Know for Exams

NAT appears across multiple certification exams because it is a fundamental networking concept that bridges addressing, routing, security, and cloud architecture. In the CompTIA Network+ exam (N10-008), NAT is covered under domain 1.0 Networking Fundamentals and domain 3.

0 Network Operations. You may be asked to describe the purpose of NAT, differentiate between static and dynamic NAT, identify PAT, and understand how NAT impacts network troubleshooting. Scenario-based questions might ask you to explain why a private network can connect to the internet with only one public IP.

In the CCNA exam (200-301), NAT is a core topic under “IP Services.” You need to know how to configure static NAT, dynamic NAT, and PAT on Cisco routers using the ip nat inside, ip nat outside, and ip nat pool commands. You may be asked to troubleshoot NAT configurations where a device cannot establish a connection due to missing ACLs or incorrect interface designations.

The exam also tests your understanding of NAT advantages and disadvantages, particularly concerning protocol compatibility and security. The CompTIA Security+ exam (SY0-601) covers NAT as part of secure network architecture. While it is not the main focus, you should understand how NAT provides a layer of obfuscation and security by hiding internal IP addresses.

You may see questions comparing NAT to proxy servers or firewalls. The AWS Solutions Architect Associate exam (SAA-C03) frequently tests NAT Gateway and NAT Instance configurations. You must know when to use a NAT Gateway versus a NAT Instance, how they differ in cost, availability, and maintenance.

You may be asked to design a VPC with public and private subnets, where instances in the private subnet need outbound internet access. Understanding that a NAT Gateway requires an Elastic IP and exists in a public subnet with a route to an Internet Gateway is crucial. The Microsoft Azure Administrator exam (AZ-104) covers Azure NAT Gateway as a resource that provides outbound connectivity for virtual networks.

You should understand how it relates to Azure Load Balancer and Azure Firewall. The Google Associate Cloud Engineer exam (Google ACE) includes Cloud NAT as a managed service for allowing private instances to access the internet. In the CompTIA A+ exam (220-1101), NAT appears in the context of home router configuration.

You may be asked to explain why a home network can share a single public IP or how port forwarding works. While the depth is lower, understanding basic NAT concepts is necessary. Overall, exam questions about NAT fall into three categories: definition and concept questions, configuration and troubleshooting scenarios, and architectural design decisions.

Being able to distinguish between SNAT and DNAT, explain PAT, and recognize when NAT breaks applications are high-yield skills across all these exams.

Simple Meaning

Imagine your home has one mailbox with a single address, but four people live there: you, your partner, and two kids. The postal carrier only knows the one house address. If three packages arrive at the same time, how does each person get the right one?

That is where NAT comes in. In the network world, every device that connects to the internet needs an IP address, which is like a mailing address. Public IP addresses are limited and expensive.

Most homes and businesses have only one public IP address given by their internet service provider. But inside the house, you may have a laptop, a phone, a smart TV, a tablet, and a gaming console, each needs its own address to send and receive data. NAT works like a smart receptionist sitting at your router.

When your laptop sends a request to a website, the router changes the laptop’s private IP address and port number to the router’s public IP address and a new port number. It writes this translation in a table, like a receptionist writing down “package from Amazon for John is in room 204.” When the response comes back from the internet, the router looks up the table and forwards the data to the correct device inside your home.

Without NAT, every device would need its own public IP address, which would quickly exhaust the available pool of IPv4 addresses. NAT also provides a basic level of security because devices inside the private network are not directly reachable from the internet. Outsiders only see the public IP of the router, not the individual private IPs of your laptop, phone, or printer.

This is why NAT is sometimes called a “firewall-light” feature. There are different types of NAT: Static NAT maps one private IP to one public IP permanently, often used for servers that must be reachable from outside. Dynamic NAT uses a pool of public IPs and assigns them on a first-come, first-served basis.

Port Address Translation (PAT), also called NAT overload, is the most common type used in home routers. It maps multiple private IPs to a single public IP by using different port numbers. For example, if your laptop uses port 5000 and your phone uses port 6000, the router remembers which port goes to which device.

NAT is essential for conserving IPv4 addresses, which are nearly exhausted. It is also required for IPv6 transition technologies, though IPv6 was designed with enough addresses that NAT may not be needed in the future. However, many networks still use NAT with IPv6 for security and policy reasons.

Understanding NAT is critical for IT professionals who configure routers, troubleshoot connectivity issues, or set up services like web servers or VPNs. In exams like the CompTIA Network+, CCNA, and AWS Solutions Architect, you will need to know how NAT works, how it differs from other addressing methods, and how it affects network performance and security.

Full Technical Definition

Network Address Translation (NAT) is a network function defined in RFC 3022 that modifies the source and/or destination IP address and port information in packet headers as they pass through a routing device. NAT operates at the network layer (Layer 3) of the OSI model, but because it rewrites port numbers in TCP/UDP headers, it also touches the transport layer (Layer 4). The primary purpose of NAT is to allow multiple devices on a private IPv4 network to share a single public IPv4 address, thereby conserving the limited pool of public IPv4 addresses.

The core mechanism of NAT is the translation table, also called the NAT table or stateful inspection table, maintained by the NAT-enabled router or firewall. Each outbound packet from a private host has its source IP address and source port number replaced with the router’s public IP address and a unique port number chosen by the NAT device. The router stores this mapping in the NAT table, associating the original private source IP and port with the translated public IP and port, along with the destination IP and port and a timeout value.

When the response packet arrives from the external server, the router uses the destination port number in the packet to look up the corresponding entry in the NAT table, reverses the translation, and forwards the packet to the original private host. There are several operational modes of NAT. Static NAT (or one-to-one NAT) maps a single private IP address to a single public IP address in a fixed way.

This is used when a device inside the private network must be directly reachable from the internet, such as a web server or email server. In static NAT, the translation is permanent and does not depend on connection state. Dynamic NAT maps a private IP address to a public IP address from a pool of available public addresses.

When the pool is exhausted, new connections cannot be made. Dynamic NAT is rarely used today due to the scarcity of public IPv4 addresses. Port Address Translation (PAT), also called NAT overload or Network Address Port Translation (NAPT), is the most common form.

It allows many private IP addresses to be multiplexed onto a single public IP address by using different port numbers to distinguish each session. PAT is what most home and small office routers use. In PAT, the router tracks the combination of source IP, source port, destination IP, destination port, and the translated port.

This five-tuple ensures that sessions remain unique even when thousands of devices share the same public IP. NAT also has implications for protocols that embed IP addresses within their payload, such as FTP, SIP, or H.323.

These application-layer protocols carry IP address information in the data portion of the packet, which NAT does not modify by default. To handle these, Application Layer Gateways (ALGs) are required. An ALG is a software component that intercepts packets of a specific protocol and rewrites the embedded IP addresses and ports to match the NAT translation.

For example, an FTP ALG will modify the PORT command in active FTP to reflect the public IP address instead of the private one. Without an ALG, these protocols may fail through NAT. Another important concept is the NAT traversal techniques used by VPNs and peer-to-peer applications.

Protocols like STUN (Session Traversal Utilities for NAT), TURN (Traversal Using Relays around NAT), and ICE (Interactive Connectivity Establishment) help applications discover the public IP and port assigned by NAT and establish direct connections. In enterprise environments, NAT is often implemented on dedicated firewall appliances, routers, or load balancers. Cisco IOS, for example, uses the ip nat inside and ip nat outside commands to designate interfaces and configure static NAT, dynamic NAT, or PAT.

In AWS, NAT is implemented via NAT Gateways and NAT Instances in public subnets to allow instances in private subnets to access the internet for updates or patches while preventing inbound connections from the internet. AWS’s NAT Gateway is a managed service that provides high availability and scales automatically up to 45 Gbps. In Azure, a NAT Gateway is a resource that provides outbound connectivity for virtual networks.

In Google Cloud, Cloud NAT provides similar functionality. Security implications of NAT include the fact that NAT acts as a rudimentary firewall by default. Since the NAT table only contains entries for outbound-initiated sessions, unsolicited inbound packets are dropped.

However, NAT is not a substitute for a proper firewall because it does not perform stateful packet inspection or application-layer filtering. Some security professionals argue that NAT provides a false sense of security because it does not protect against attacks that originate from within the network or against application-layer threats. IPv6 was designed to provide enough public addresses that NAT would not be necessary, and indeed native IPv6 networks do not require NAT for address conservation.

However, many organizations still use NAT with IPv6 (NAT66 or NPTv6) for reasons such as hiding internal network topology or enforcing multi-homing policies. In exam contexts, you should understand the difference between source NAT (SNAT) and destination NAT (DNAT). SNAT changes the source IP of outbound packets, which is what most people mean by NAT.

DNAT changes the destination IP of inbound packets, commonly used in port forwarding. You should also understand the concept of the NAT table, timeout values, and the limitations of NAT for protocols that use IP addresses in the payload. Knowing how to troubleshoot NAT issues, such as mismatched timeouts, ALG failures, or port exhaustion, is essential for CCNA and Network+ exams.

For AWS and Azure exams, focus on how NAT gateways provide outbound internet connectivity for private subnets and how they differ from internet gateways.

Real-Life Example

Think of a large apartment building with a single postal address: 123 Main Street. Inside the building, there are 50 apartments, each with a number like Apartment 1A, 2B, and so on. The postal carrier only knows the building address, 123 Main Street.

When a package arrives, the carrier delivers it to the lobby. The building’s front desk attendant takes the package, looks at the name on it, and knows which apartment that person lives in. The attendant then delivers the package to the correct apartment.

But what if three packages arrive at the same time for three different people? The attendant must keep track of which package goes to which apartment. The attendant writes down “Package from Amazon for Ms.

Jones in 3C” and then later, when the package is delivered, crosses it off the list. This is exactly how NAT works. Your home or office is like the apartment building. Each device, laptop, phone, smart TV, is like an apartment with its own unique private IP address (like Apartment 1A, 2B).

The router is the front desk attendant. It has a single public IP address (the building’s mailing address). When your laptop sends a request to a website, the router (attendant) writes down “session from laptop on port 5000 to website on port 80” and changes the source IP to the public IP with a new port number, say port 20000.

When the website responds, the router sees the destination port 20000, looks up its table, finds that this response is for the laptop, and forwards it to the correct private IP and port. If you think about receiving visitors instead of mail, imagine the apartment building has a single front door. Everyone goes through that door.

When a visitor comes, they ring the bell. The front desk asks “Who are you looking for?” and then calls the apartment to let the resident know. Without the front desk, visitors could walk right in and knock on any apartment door.

NAT provides that security layer, outsiders only see the front desk (public IP), not individual apartments. If the apartment building had 50 separate front doors (public IPs), it would be expensive and confusing. NAT allows one door for everyone, with the attendant directing traffic inside.

This analogy also helps you understand port forwarding. If you want to run a web server from your home, you need to tell the front desk: “If someone asks for a web page, send them to Apartment 3C.” That is static NAT or DNAT.

The front desk (router) remembers this permanent rule, so visitors can reach your server. Without it, the front desk would ignore all visitors because it only lets out responses to requests made from inside. NAT is the building attendant that manages all incoming and outgoing traffic for a single address, making it possible for hundreds of devices to share a single public identity while keeping things organized and secure.

Why This Term Matters

NAT is a foundational technology in modern networking that directly impacts how organizations connect to the internet, manage IP address resources, and secure their internal networks. Without NAT, the IPv4 address space would have been exhausted many years earlier than it was, and many businesses would not be able to operate with the limited number of public IPs available. For IT professionals, understanding NAT is critical for configuring routers and firewalls, especially when setting up remote access VPNs, site-to-site VPNs, or allowing external users to access internal servers via port forwarding.

In cloud environments, NAT gateways are essential for allowing resources in private subnets to download updates, send emails, or access external APIs without exposing those resources to inbound internet traffic. This is a common scenario in AWS, Azure, and Google Cloud architectures that follow security best practices of placing application servers in private subnets. NAT introduces several practical challenges.

Protocols that embed IP addresses in the application layer, such as SIP for VoIP or FTP for file transfers, often break when passing through NAT unless ALG support is enabled. Network engineers must be able to identify and resolve these issues. NAT also affects logging and forensics because source IP addresses in logs will show the public IP of the NAT device, not the actual client machine.

This complicates audit trails and incident response. NAT also increases latency by a small amount because each packet must be inspected and rewritten. In high-performance environments, such as real-time streaming or gaming, this additional processing can be noticeable.

For all these reasons, NAT is not just a theoretical concept but a daily operational reality. IT professionals who manage networks, design cloud architectures, or troubleshoot connectivity issues must have a solid grasp of NAT types, configuration, and limitations. Certification exams like CCNA, Network+, and the security-focused exams (Security+, AWS SAA) all include significant coverage of NAT because it is a core networking skill.

How It Appears in Exam Questions

NAT questions appear in several distinct patterns across certification exams. The first and most common pattern is the concept definition question where you are asked to identify the purpose of NAT, typically as a way to conserve public IPv4 addresses or to allow multiple devices to share a single public IP. For example, a CompTIA Network+ question might ask: “A small office has 10 computers but only one public IP address from their ISP.

Which technology allows all computers to access the internet simultaneously?” The answer is PAT (Port Address Translation), a type of NAT. The second pattern is the scenario-based troubleshooting question.

Here you are given a network topology with a router configured for NAT and a client that cannot access a specific website or service. You must identify the cause, such as missing ACL, wrong NAT interface configuration, port exhaustion, or ALG failure. For instance, a CCNA question might describe a user who can browse the web but cannot connect to an FTP server.

You need to realize that FTP embeds IP addresses in the control channel and requires an FTP ALG to work with NAT. The third pattern is the configuration question. In CCNA, you may be asked to complete a configuration snippet to enable static NAT for a web server or to configure PAT on an interface.

You must know the correct Cisco IOS commands: ip nat inside source list 1 interface GigabitEthernet0/0 overload or ip nat inside source static tcp 192.168.1.10 80 203.0.113.5 80. The fourth pattern is the design comparison question, prevalent in cloud exams.

For example, an AWS SAA question might ask: “A company has a VPC with public and private subnets. EC2 instances in the private subnet need to download patches from the internet. What should you do?

” The correct answer is to create a NAT Gateway in a public subnet and update the private subnet’s route table to point 0.0.0.0/0 to the NAT Gateway. Distractors might include an Internet Gateway in the private subnet or a NAT Gateway in the private subnet.

The fifth pattern is the security implication question. A Security+ question might ask: “Which of the following provides the best security benefit of NAT?” The correct answer is that it hides internal IP addresses from external networks.

The sixth pattern is the performance or limitation question. You might be asked to identify that NAT increases latency because of packet rewriting or that some applications fail due to embedded IP addresses. The seventh pattern is the IPv6 comparison question, where you must understand that NAT is not required in IPv6 networks because of the abundance of public addresses, but some organizations still use NAT66 for security policy.

Recognizing these patterns helps you approach exam questions strategically. Always read the scenario carefully and identify whether the question is about concept, configuration, troubleshooting, or design.

Practise NAT Questions

Test your understanding with exam-style practice questions.

Practise

Example Scenario

A small business called “GreenLeaf Flowers” has 15 employees who all need to access the internet for email, orders, and research. The company’s ISP has assigned them a single public IP address: 203.0.

113.50. Inside the office, the network uses private IP addresses in the range 192.168.1.0/24. The employees’ computers have IPs like 192.168.1.10, 192.168.1.11, and so on. The router at the office is configured with NAT overload (PAT).

When an employee, Maria, types a website address into her browser, her computer sends a packet with source IP 192.168.1.10 and source port 3000 to the destination web server at 93.184.

216.34 on port 80. The router receives this packet and checks its NAT configuration. Since NAT overload is enabled, the router changes the source IP to its public IP 203.0.113.50 and changes the source port to, say, 4001.

It records this mapping in its NAT table: (192.168.1.10:3000) maps to (203.0.113.50:4001) with destination (93.184.216.34:80). Meanwhile, another employee, Tom, also makes a request to the same web server from his computer at 192.

168.1.11 with source port 2500. The router changes Tom’s source IP to 203.0.113.50 and assigns a different source port, say 4002. Now both packets leave the office with the same source IP but different ports.

The web server responds to each request by sending a packet to 203.0.113.50:4001 for Maria and 203.0.113.50:4002 for Tom. When the router receives the response for Maria, it sees destination port 4001, looks up its NAT table, finds the mapping to 192.

168.1.10:3000, rewrites the destination IP and port, and sends the packet to Maria’s computer. The same happens for Tom’s response. All 15 employees can browse simultaneously without conflict because the router keeps track of every session.

If the company later adds a web server at 192.168.1.100 that must be accessible from the internet, the administrator configures a static NAT rule (port forwarding) to map the public IP 203.

0.113.50 port 80 to the internal server 192.168.1.100 port 80. Now customers can reach the web server by browsing to http://203.0.113.50. This scenario illustrates both PAT for outbound connections and static NAT for inbound connections, which are the two most common uses of NAT in a real business environment.

Common Mistakes

Thinking NAT is the same as a firewall

NAT does modify packets and provides some basic obfuscation by hiding internal IPs, but it does not perform stateful packet inspection, application-layer filtering, or threat prevention. A firewall is a dedicated security device that enforces policies based on ports, protocols, and application content. NAT alone cannot block specific attacks like SQL injection or malware.

Understand that NAT is an address translation function, not a security function. Always place a firewall behind or alongside NAT for real security.

Confusing the purpose of NAT with that of DHCP

DHCP assigns IP addresses to devices on a network automatically, but it does not translate between private and public addresses. NAT changes the IP addresses in packets as they cross network boundaries. DHCP operates before NAT: a device gets a private IP from DHCP, and then NAT translates that private IP when the device connects to the internet.

Remember: DHCP gives out addresses, NAT changes addresses. They work together but serve different functions.

Assuming NAT works the same way for IPv6

IPv6 was designed with a huge address space, so each device can have a unique public IPv6 address. NAT is not required for address conservation in IPv6. However, some networks still use NAT66 or NPTv6 for reasons like hiding internal topology or multi-homing, but it is not a default necessity like with IPv4.

For IPv6, expect no NAT in most designs. If a question involves IPv6 address conservation, the answer is usually not NAT.

Placing a NAT Gateway in a private subnet in cloud exams

A NAT Gateway must reside in a public subnet because it needs a route to an Internet Gateway (0.0.0.0/0 -> IGW) and an Elastic IP for its public address. If placed in a private subnet, the NAT Gateway cannot reach the internet, so instances in private subnets cannot use it for outbound access.

Always place the NAT Gateway in a public subnet. The private subnet’s route table should point 0.0.0.0/0 to the NAT Gateway.

Forgetting to configure route tables after creating a NAT instance

Even if a NAT instance is properly configured with IP forwarding and iptables, the private subnet’s route table must have a default route pointing to the NAT instance’s private IP. Without that route, traffic from private instances will not be sent to the NAT instance, and they will have no outbound connectivity.

After creating any NAT device (instance or gateway), always update the route table of the private subnet to include a 0.0.0.0/0 route pointing to the NAT device.

Exam Trap — Don't Get Fooled

{"trap":"The question describes a scenario where a user can access the internet but cannot connect to an internal server using its public IP address from inside the network. Many learners will think the problem is with the NAT configuration or the server.","why_learners_choose_it":"Learners often assume that if a public IP is used, it must go through the NAT device.

They forget about hairpin NAT (NAT reflection), the ability of a NAT device to handle traffic from an internal host to another internal host using the public IP. Without hairpin NAT configured, traffic from inside the network to the public IP loops and fails.","how_to_avoid_it":"When you see internal hosts trying to reach another internal host via the public IP address, think of hairpin NAT.

Check if the question mentions any configuration for NAT reflection. If not, the correct answer may be to use the internal private IP instead or to enable hairpin NAT on the router."

Commonly Confused With

A proxy server acts as an intermediary for client requests, often caching content and filtering traffic at the application layer. NAT operates at the network layer and transparently rewrites IP addresses without the client being aware. A proxy requires client configuration or explicit routing, while NAT is invisible to end devices.

Using a proxy is like asking a personal assistant to make a phone call for you; NAT is like having a receptionist who automatically redirects your calls without you knowing.

NATvsPAT

PAT is a type of NAT that uses port numbers to map multiple private IPs to a single public IP. All PAT is NAT, but not all NAT is PAT. Static NAT and dynamic NAT do not use port multiplexing; each private IP gets a dedicated public IP or a one-to-one mapping.

If you have one public IP for your whole family, PAT is like the front desk using different room keys (port numbers) for each person. Static NAT is like giving each family member their own front door key.

Port forwarding is a specific application of destination NAT (DNAT). It allows inbound traffic destined for a specific public IP and port to be forwarded to a specific internal IP and port. While NAT broadly refers to any address translation, port forwarding is a rule that allows external hosts to initiate connections to internal services.

NAT is the general concept of the building front desk; port forwarding is a special instruction: “If someone asks for the manager, send them to room 101.”

An Internet Gateway (IGW) in AWS is a horizontally scaled, redundant component that allows communication between a VPC and the internet. It does not perform NAT; it simply routes traffic. A NAT Gateway is a different resource that specifically translates private IPs to public IPs for outbound traffic only. In cloud exams, IGW is for public subnets, NAT Gateway is for private subnets.

An IGW is like a door that lets anyone in and out; a NAT Gateway is like a one-way door that lets people leave but not enter from outside.

Step-by-Step Breakdown

1

Device sends a packet

A device on a private network (e.g., 192.168.1.10) wants to access a web server at 203.0.113.100 on port 80. It generates an IP packet with source IP 192.168.1.10, source port 5000, destination IP 203.0.113.100, destination port 80. This packet is sent to the default gateway (the router).

2

Router receives the packet on the inside interface

The router has an interface designated as “inside” (usually the LAN interface). It checks whether the packet matches an access control list (ACL) that permits translation. If no ACL is configured for NAT, the router may still process it based on the NAT rule. The router then looks up the NAT configuration to determine what kind of translation is needed.

3

Router selects a public IP and port

If using PAT, the router takes its own public IP address (e.g., 198.51.100.1) and selects an available port number that is not currently in the NAT table (e.g., 4001). If static NAT is configured, it uses the pre-mapped public IP and port. The router creates an entry in the NAT table mapping the original private source (192.168.1.10:5000) to the translated source (198.51.100.1:4001).

4

Router rewrites the packet header

The router modifies the source IP address in the IP header from 192.168.1.10 to 198.51.100.1. It also modifies the source port in the TCP/UDP header from 5000 to 4001. The IP checksum is recalculated because the header changed. The packet now appears to originate from the router’s public IP.

5

Router forwards the packet to the destination

The router checks its routing table. Since the destination is a public IP (203.0.113.100), the packet is sent out the “outside” interface (the WAN interface) toward the internet. The packet travels through the ISP network and eventually reaches the destination web server.

6

Destination server sends a response

The web server processes the request and sends a response packet with source IP 203.0.113.100, source port 80, destination IP 198.51.100.1, destination port 4001. This response is routed back to the router’s public IP address.

7

Router receives the response on the outside interface

The router checks the destination IP (198.51.100.1) and destination port (4001). It looks up this combination in the NAT table. It finds an entry mapping (198.51.100.1:4001) to (192.168.1.10:5000). If the entry exists and is not expired, the router prepares to reverse the translation.

8

Router rewrites the response packet header

The router changes the destination IP in the IP header from 198.51.100.1 to 192.168.1.10. It changes the destination port in the TCP header from 4001 to 5000. The source IP and source port remain unchanged (203.0.113.100:80). The IP checksum is recalculated.

9

Router forwards the response to the original device

The router sends the modified packet out the inside interface. The packet travels through the LAN and reaches the original device at 192.168.1.10. The device sees the response as coming from the web server directly, unaware that its own source IP was translated in the request.

10

NAT table entry is maintained or removed

The NAT table entry remains active as long as there is traffic for that session. A timer (typically 60 seconds for TCP, shorter for UDP) resets with each packet. When the session ends (FIN flag) or the timer expires, the entry is removed, freeing the mapped port for future connections.

Practical Mini-Lesson

In real-world networking, NAT configuration and troubleshooting are daily tasks for network and cloud engineers. Let’s walk through the practical aspects that professionals need to know. First, the most common NAT configuration in enterprise environments is PAT (overload).

On a Cisco router, you would configure an access list to identify which private IPs are allowed to be translated, then define the NAT pool or use the interface IP, and finally apply it under the inside and outside interfaces. For example: access-list 1 permit 192.168.

1.0 0.0.0.255, then ip nat inside source list 1 interface GigabitEthernet0/0 overload. The “overload” keyword enables PAT. You must also issue ip nat inside on the LAN interface and ip nat outside on the WAN interface.

A common mistake is forgetting the ACL or placing it on the wrong interface. In a home or small office, the router’s web interface typically has a checkbox for “NAT” or “Internet Connection Sharing,” which is PAT by default. For static NAT (port forwarding), you map a specific external port to an internal IP and port.

For example, to make a web server at 192.168.1.10 reachable via the public IP on port 80, the command is: ip nat inside source static tcp 192.168.1.10 80 interface GigabitEthernet0/0 80.

On a home router, you create a “Port Forwarding” rule entering the internal IP, external port, and internal port. In cloud environments, NAT is implemented differently. In AWS, you create a NAT Gateway in a public subnet, assign an Elastic IP, and then add a route in the private subnet’s route table pointing 0.

0.0.0/0 to the NAT Gateway ID. The NAT Gateway automatically scales and handles failover. AWS also offers NAT Instances (older, self-managed EC2 instances) where you must disable source/destination check and configure iptables for masquerade.

In Azure, the NAT Gateway resource is attached to a subnet, and you define the public IP prefix. In Google Cloud, Cloud NAT is configured per region and attached to Cloud Router. What can go wrong with NAT?

The most common issues are port exhaustion, when a high number of simultaneous connections exhausts the available port range (65535 ports minus reserved ports). Symptoms include failed outbound connections, especially with many users or applications that create many short-lived connections like web browsers or DNS. The solution is to increase the available port range, use multiple public IPs (in a NAT pool), or implement session aggregation.

Another issue is ALG failures. For example, FTP active mode expects the server to connect back to the client on a port the client sends in the PORT command. NAT changes the source IP but not the embedded IP in the PORT command, causing the FTP server to try to connect to a private IP.

The fix is to enable FTP ALG on the router or use passive FTP mode. A third issue is asymmetric routing, if inbound traffic goes through one NAT device and outbound traffic through another, session state is lost. This is why NAT appliances must be stateful and often require the return traffic to traverse the same device.

In enterprise designs, NAT is often performed on the firewall, such as Cisco ASA, Palo Alto, or Fortinet, where security policies and NAT rules are integrated. Professionals must also consider the impact of NAT on logging and forensic analysis. Since source IPs are translated, identifying the original device from external logs requires correlation with NAT table logs.

Some organizations implement syslog from the NAT device or use NetFlow to capture translation events. Finally, NAT is not a performance-free technology. Each packet undergoes header modification and checksum recalculation, which consumes CPU cycles.

On high-traffic links (10 Gbps or more), dedicated hardware or carrier-grade NAT (CGNAT) may be required to avoid bottlenecks. Understanding these practical aspects helps you not only pass exams but also build and troubleshoot real networks effectively.

NAT Translation Types: Static, Dynamic, and PAT

Network Address Translation (NAT) is a method of remapping one IP address space into another by modifying network address information in the IP header of packets while they are in transit across a traffic routing device. In the context of certification exams such as the CCNA, Network+, Security+, and cloud-specific certifications like AWS SAA and Azure AZ-104, understanding the different translation types is fundamental.

Static NAT (one-to-one mapping) assigns a fixed public IP address to a specific private host. This is used when a device inside a private network must be accessible from the internet, such as a web server or an email server. Administrators configure static NAT entries to ensure that inbound traffic to the public address is always forwarded to the same internal host. A key disadvantage is that it consumes a public IP address for every internal host that needs inbound access, which does not conserve IP addresses.

Dynamic NAT (many-to-many mapping) uses a pool of public IP addresses. When an internal host initiates an outbound connection, the NAT device dynamically assigns an available public address from the pool. Once the session ends, the public address is returned to the pool for reuse. This allows multiple internal users to share a limited set of public addresses, but only as many concurrent translations as addresses in the pool can exist. Dynamic NAT still requires at least as many public addresses as the number of simultaneous sessions needed.

Port Address Translation (PAT), also known as NAT overload, is the most common form found in home routers and enterprise environments. PAT extends dynamic NAT by mapping multiple private IP addresses to a single public IP address, using different source ports to distinguish sessions. Each internal host's traffic gets a unique combination of the public IP and a port number (e.g., 203.0.113.1:1025). PAT is highly efficient and is the reason why hundreds of devices can share a single public IP. All three types are tested heavily in the CCNA and Network+ exams, with PAT questions often focusing on port exhaustion and session limits.

In cloud environments, AWS uses Internet Gateways (IGW) with automatic PAT for instances in public subnets, while NAT Gateways provide PAT for private subnets. Azure uses Azure NAT Gateway or Azure Firewall for similar functionality. Understanding the trade-offs between static, dynamic, and PAT is critical for cost optimization and security architecture design on the AWS SAA and AZ-104 exams.

NAT Cost Optimization in Cloud Environments

In cloud computing, NAT does not come for free. On AWS, a NAT Gateway incurs charges per hour of operation and per gigabyte of data processed. Similarly, Azure NAT Gateway has an hourly cost plus a data processing fee. For certification exams like AWS SAA (AWS Solutions Architect Associate) and Google ACE (Google Associate Cloud Engineer), understanding how to minimize these costs while maintaining connectivity is a frequent topic.

The most common cost-reduction strategy is to use a shared NAT Gateway across multiple private subnets and Availability Zones (AZs). However, a single NAT Gateway in one AZ creates a single point of failure; traffic from instances in other AZs will still work but will cross AZ boundaries, incurring additional inter-AZ data transfer charges. Therefore, the recommended architecture on AWS is to deploy one NAT Gateway per AZ and route traffic within the same AZ to avoid cross-AZ data costs. This increases the number of gateways but reduces data processing costs, leading to a cost trade-off that exam questions often explore.

Another cost-saving technique is to minimize the amount of data that traverses the NAT Gateway. For example, using VPC endpoints (AWS PrivateLink) for services like S3 and DynamoDB allows traffic to stay within the AWS network without needing NAT. Similarly, Azure Service Endpoints or Private Endpoints eliminate the need for NAT for specific services. The Google ACE exam emphasizes similar patterns with Private Google Access.

consider using an EC2 instance configured as a NAT instance instead of a managed NAT Gateway in AWS. NAT instances are cheaper but require manual patching, high availability setup, and have bandwidth limitations. They are often tested as a cost-effective alternative for development or non-production workloads. On the exam, you might be asked to compare the total cost of ownership between a NAT Gateway and a NAT instance, factoring in data volume, uptime requirements, and administrative overhead.

Finally, deleting idle NAT Gateways is low-hanging fruit. Many organizations forget to remove NAT Gateways from unused VPCs or development environments. Cloud cost management tools can help identify underutilized NAT resources. The exam scenarios often present a situation where a company is spending too much on NAT and asks you to propose a solution involving traffic segmentation, endpoint usage, or gateway consolidation.

NAT States and Session Management

NAT is a stateful process, meaning it must maintain a translation table that tracks every active connection. This table, often called the NAT table or translation state table, records the internal IP and port, the translated IP and port, and the destination IP and port. Understanding how states work is essential for the Security+ and Network+ exams, as well as for troubleshooting connectivity issues in any network.

Each outbound packet from an internal host creates an entry in the NAT table. The router or firewall notes the protocol (TCP, UDP, ICMP), source IP, source port, destination IP, and destination port. For TCP, the router watches the FIN or RST flags to remove the entry when the session ends. For UDP, there is no explicit end, so an idle timeout is used (typically 60-120 seconds). Many exam questions test your knowledge of how long a NAT entry remains active and what happens when the timeout expires mid-session.

In cloud environments, NAT Gateways handle statefulness differently. AWS NAT Gateways use a connection tracking mechanism that supports up to 55,000 simultaneous connections per gateway IP address. If your application needs more, you can associate additional Elastic IPs or deploy more gateways. The AZ-104 exam may ask about scaling Azure NAT Gateway, which can support up to 64,000 ports per frontend IP.

State table exhaustion is a common issue in high-traffic environments. If the NAT device runs out of state table entries, new connections are dropped. This appears as intermittent connectivity failures. Symptoms include users unable to browse the internet or applications timing out. The solution often involves increasing the number of available ports by adding additional public IPs, or reducing the amount of traffic using connection pooling or caching.

Another state-related issue is asymmetric routing, where packets going out take a different path than packets coming in. NAT devices expect both directions to pass through the same device. If asymmetric routing occurs (common in multi-homed networks or with multiple firewalls), the state table may not see the return traffic and will drop the connection. This is a classic Network+ troubleshooting scenario.

protocols that embed IP addresses in the payload, such as FTP or SIP, can break NAT because the router only modifies the IP header, not the application data. This requires Application Layer Gateway (ALG) functionality, which many exams test the ability to identify and configure ALGs for protocols like FTP, PPTP, and SIP.

NAT Security Implications and Bypass Techniques

NAT is often mistaken for a security feature, but in reality, it provides limited security benefits. While NAT hides internal IP addresses from the internet, it does not inspect traffic or block malicious packets. For the Security+ and CCNA exams, understanding the security implications of NAT is crucial.

The primary security advantage of NAT is that it prevents unsolicited inbound connections by default. Since the NAT table only contains entries for sessions initiated from the inside, external hosts cannot directly initiate a connection to an internal host unless a static NAT or port forwarding rule is configured. This reduces the attack surface. However, once a connection is established, it is vulnerable to session hijacking if the attacker can guess or spoof the correct source port.

NAT can also be bypassed using techniques like STUN (Session Traversal Utilities for NAT), TURN (Traversal Using Relays around NAT), and ICE (Interactive Connectivity Establishment). These are commonly tested in the context of VoIP and peer-to-peer applications. A typical exam question might ask why a VoIP call fails when both clients are behind NAT, and the answer involves using a STUN server to help clients discover their public IP and port.

Another security concern is that NAT breaks end-to-end encryption authenticity because the device in the middle modifies the IP header. IPsec, for example, can be problematic because it authenticates the entire packet, including the IP header. NAT-T (NAT Traversal) was developed to encapsulate IPsec packets in UDP to avoid this issue. The Security+ exam often includes questions about IPsec modes and NAT traversal.

NAT can complicate audit trails. Since multiple internal hosts share a single public IP, identifying which internal host performed a specific action requires logging at the NAT device. This is a challenge for compliance and forensics. Exams like AZ-104 may ask about Azure NAT Gateway logs and how to enable them for audit purposes.

Finally, consider the risk of DNS rebinding attacks. NAT does not protect against this; a malicious website can trick the browser into sending requests to internal IPs through the NAT device. Using DNS over HTTPS and proper firewall rules is recommended. The exam may ask you to identify the best defense against DNS rebinding when using NAT.

Troubleshooting Clues

NAT translation table exhaustion

Symptom: Users randomly unable to access internet or external services; new TCP connections fail, but existing ones work.

The NAT device has a finite number of entries; when all are used, new sessions are dropped. This often happens under heavy traffic or when idle sessions are not cleared.

Exam clue: CCNA and Network+ simulate this with a 'show ip nat statistics' command check. The exam might present a scenario with 65,536 concurrent sessions hitting the limit.

Port forwarding not working (static NAT inbound)

Symptom: External users cannot reach an internal server (e.g., web server) despite configured static NAT.

Possible causes: incorrect static NAT binding, interface not marked as 'ip nat inside' or 'ip nat outside', or firewall rules blocking inbound traffic.

Exam clue: Security+ and CCNA often include a configuration where the inside interface is missing the 'ip nat inside' command, causing the static NAT to be ignored.

PAT port exhaustion

Symptom: New outbound connections time out, especially for web browsing; email clients fail to send.

Each PAT session uses a unique source port. With one public IP, only about 65,535 ports are available per protocol. Rapid creation of connections (e.g., from many clients) depletes the port pool.

Exam clue: AWS SAA scenario: a NAT Gateway handling 55,000+ concurrent connections needs an additional Elastic IP to scale ports.

Asymmetric routing with NAT

Symptom: Some packets reach destination but replies never come back; intermittent or one-way traffic.

If outbound traffic goes through NAT device A, but return traffic enters through NAT device B (or no NAT), the translation state is lost. Both directions must traverse the same NAT device.

Exam clue: Network+ troubleshooting: multi-homed network with two internet connections and one configured NAT gateway.

FTP over NAT fails

Symptom: FTP connection establishes, but directory listing or file transfer hangs after login.

FTP active mode uses separate data connections that embed the internal IP. Without an ALG or passive mode, the data connection fails.

Exam clue: Security+ and CCNA often ask for the solution: enable FTP ALG or configure client to use passive mode.

VPN traffic failing due to NAT

Symptom: IPsec VPN tunnel establishes but data does not pass; or tunnel fails to establish at all.

NAT modifies IP headers, breaking IPsec integrity checks. NAT-T (UDP encapsulation) is needed to allow IPsec through NAT.

Exam clue: Security+ expects you to recommend enabling NAT-T on both VPN endpoints.

NAT Gateway in AWS with missing route table entry

Symptom: Instances in private subnet cannot reach internet, but security groups and NACLs allow traffic.

Private subnets must have a default route (0.0.0.0/0) pointing to the NAT Gateway ID. Without it, traffic has no path.

Exam clue: AWS SAA quiz: after creating a NAT Gateway, you must update the route table of the private subnet.

Azure NAT Gateway idle timeout too low

Symptom: Long-running TCP connections (e.g., database replication) disconnect after short idle periods.

Azure NAT Gateway drops idle connections after the configured timeout (default 4 minutes). Applications with no keepalive can be affected.

Exam clue: AZ-104 scenario: increase the idle timeout to match application requirements.

Memory Tip

NAT = Not Another Public IP: NAT lets many devices share one public IP by changing the port number, like a receptionist using a different extension for each caller.

Learn This Topic Fully

This glossary page explains what NAT means. For a complete lesson with labs and practice, see the topic guide.

Covered in These Exams

Current Exam Context

Current exam versions that test this topic — use these objectives when studying.

Legacy Exam Context

Older materials may mention these exam versions, but learners should use the current objectives for their target exam.

N10-008N10-009(current version)
SY0-601SY0-701(current version)

Related Glossary Terms

Quick Knowledge Check

1.In Cisco IOS, which command is required to enable PAT (NAT overload) on a router?

2.An organization uses a NAT Gateway in AWS in us-east-1a. They have EC2 instances in a private subnet in us-east-1b. What is a potential cost implication?

3.A network admin notices that after configuring NAT on a Cisco router, FTP file transfers fail. What is the most likely cause?

4.What tool can help clients behind NAT determine their public IP address and port for peer-to-peer applications?

5.On an Azure NAT Gateway, what is the default idle timeout for connections?

6.Which of the following scenarios would require a static NAT configuration?

Frequently Asked Questions

What is the difference between static NAT and dynamic NAT?

Static NAT maps a single private IP to a fixed public IP permanently — used for servers that must be reachable from outside the network. Dynamic NAT maps private IPs to a pool of public IPs on demand, but external hosts cannot initiate connections. Neither uses port numbers for multiplexing; that is PAT.

Does NAT provide security?

NAT hides internal IP addresses from external networks, which adds obscurity. However NAT is not a firewall and does not inspect traffic content. A stateful firewall is still required for real security. Exam questions frequently test that NAT does not equal security.

What is the difference between NAT and PAT?

PAT (Port Address Translation), also called NAT overload, maps many private IP addresses to a single public IP by tracking port numbers. Standard dynamic NAT maps one private IP to one public IP from a pool. PAT is the most common form used in home and small-office routers because it conserves public IPs.

What is a NAT translation table?

The NAT table on a router tracks active address translations. Each entry maps an inside local IP:port to an inside global IP:port. When a reply arrives from the internet, the router looks up the table to forward the packet to the correct internal host.

Can NAT break certain protocols?

Yes. NAT breaks the end-to-end IP model because the source IP seen by the destination differs from the actual device IP. Protocols that embed IP addresses inside their payload — such as FTP active mode and SIP — can break without an Application Layer Gateway (ALG) to rewrite the embedded addresses.

What is hairpin NAT?

Hairpin NAT (also called NAT reflection or loopback NAT) allows an internal host to reach another internal host using the host's public IP address. Without it, traffic from inside the network to the public IP loops and fails. It must be explicitly configured on the router and is a common exam scenario.