
What Is Network Address Translation in Networking?

Also known as: Network Address Translation, NAT definition, NAT exam tips, CompTIA Network+ NAT, CCNA NAT

Reviewed by Johnson Ajibi · Senior Network & Security Engineer · MSc IT Security

Quick Definition

Network Address Translation, or NAT, lets many computers in your home or office use one internet connection without needing their own unique public addresses. It acts like a receptionist who forwards incoming calls to the right person inside the building. This helps save public IP addresses and adds a layer of privacy because outside devices see only one address instead of each internal device.

Must Know for Exams

NAT is a key topic in both the CompTIA Network+ and Cisco CCNA certification exams. For Network+, NAT appears under domain 1.0 Networking Fundamentals and domain 4.0 Network Security.

Exam objectives ask candidates to explain the purpose of NAT, differentiate between static, dynamic, and PAT, and understand how NAT conserves IPv4 addresses. Network+ questions often ask about the advantages of NAT, such as address conservation and basic security through IP masking. For the CCNA exam, NAT is a major topic in the IP Connectivity section.

Candidates must be able to configure static NAT, dynamic NAT, and PAT on Cisco routers using the command line. The exam also tests troubleshooting skills for NAT misconfiguration, including common issues like mismatched inside and outside interfaces, incorrect access lists, and NAT table exhaustion. CCNA scenario questions often present a small office network where internal hosts cannot reach the internet, and the candidate must identify whether NAT is missing or misconfigured.

Both exams may ask about the differences between NAT and PAT, the private IP ranges reserved for internal use, and how NAT interacts with other protocols like ICMP, DNS, and VoIP. In higher-level certifications like CCNP or security-focused certs, NAT is studied in more depth, including concepts like NAT64 for IPv6 translation, application layer gateways, and NAT traversal for VPNs. For all exams, understanding the NAT table, how entries are created and aged out, and the difference between inside local, inside global, outside local, and outside global addresses is critical.

These terms are standard in Cisco documentation and appear frequently in exam questions.

Simple Meaning

Imagine you live in a large apartment building that has only one street address: 123 Main Street. The building has many apartments, each with its own internal number, like Apartment 4B or Apartment 7A. When a delivery driver brings a package, they go to the main entrance and a doorman looks at the label, finds the correct apartment, and delivers the package.

The outside world never sees your specific apartment number; they only see the main building address. This is what Network Address Translation does for your computer network. Your home router gets one public IP address from your internet provider, which is like the building’s street address.

All your devices, like your phone, laptop, and tablet, have private IP addresses that work only inside your home network. When you request a webpage, your router changes your private address to its own public address and remembers which device made the request. When the webpage data comes back, the router reverses the process and sends the data to the correct device.

Without NAT, every device would need its own public IP address, which is expensive and also less secure because your device would be directly visible to the internet. NAT also helps slow down the exhaustion of public IP addresses because many devices can share just one. It is a core technology that makes modern home and business networking possible and affordable.

The router keeps a translation table, like a logbook, to track all the active connections so it knows where to forward return traffic. This table is essential for the whole process and is managed automatically. NAT is not a security feature by design, but it does hide your internal network structure from outsiders, which provides some basic protection against direct attacks on your devices.

Full Technical Definition

Network Address Translation is a method defined in RFC 2663 and RFC 3022 that modifies IP address information in packet headers while they are in transit across a routing device. NAT operates on a router or firewall that sits at the boundary between a private network and a public network, such as the internet. The core function is to translate private, non-routable IP addresses, as defined in RFC 1918, into a single public IP address or a pool of public addresses.

The private address ranges are 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. These addresses cannot be routed on the public internet and must be translated before traffic can reach external networks.

NAT maintains a state table, often called the NAT table or connection tracking table, that records each active session. This table contains the original source IP and port, the translated source IP and port, the destination IP and port, and the protocol. When a packet from an internal device arrives at the NAT router, the router checks its routing table, then creates a translation entry.

It overwrites the source IP address with its own public IP and changes the source port to a unique number from a pool of available ports. This process is called Port Address Translation, or PAT, which is the most common form of NAT. When the response packet returns, the router looks up the destination port in the NAT table, finds the matching entry, and rewrites the destination IP and port back to the original internal device.

There are several types of NAT. Static NAT maps a single private IP to a single public IP on a one-to-one basis. Dynamic NAT maps a private IP to an available public IP from a pool.

PAT, also known as NAT overload, maps multiple private IPs to a single public IP by using different source ports. Destination NAT is used to forward inbound traffic to internal servers, commonly called port forwarding. NAT is implemented in virtually all home routers, enterprise firewalls, and cloud networking gateways.

In IPv6 networks, NAT is less common because IPv6 provides a vast address space, but NAT is still used in some enterprises for security and policy reasons. Understanding NAT is essential for troubleshooting connectivity issues, configuring VPNs, and understanding how traffic flows across network boundaries.

Real-Life Example

Think of a large office building with a single main reception desk and many internal departments. Each department has its own internal room number, like Room 201 for Sales and Room 305 for IT. The building has one main phone number that outside callers dial.

When a client calls that main number, the receptionist answers and asks who they want to speak with. The client says, "Sales department." The receptionist keeps a log of all calls and which internal extension they were transferred to.

When the caller is transferred to Sales, the Sales phone rings. If the receptionist gets a return call from Sales, she looks at her log, remembers the original client, and connects them back. The outside caller never knows the internal room number or direct extension.

This is exactly how NAT works. The router is the receptionist, the single main phone number is the public IP address, and the internal room numbers are the private IP addresses of your devices. The logbook is the NAT table.

When you type a website address into your browser, your computer sends a request with its private IP. The router changes that private IP to its own public IP and records this in its NAT table. When the website sends back data, the router checks the table to find which internal device asked for it and forwards the data accordingly.

Without this system, every internal device would need its own public phone number, which would be expensive and hard to manage. Also, if an outside caller dialed a random extension guess, they might reach a sensitive department directly. NAT prevents that because outside devices only know the main number.

This analogy clarifies how NAT saves addresses, enables sharing, and provides basic isolation for internal systems.

Why This Term Matters

NAT is a foundational technology in modern networking. It directly addresses the shortage of available IPv4 public addresses. With billions of devices online, the internet would have run out of unique addresses long ago if every device needed its own public IP.

NAT allows large organizations and home users to connect hundreds of devices using only a handful of public IPs. In cybersecurity, NAT provides a degree of obscurity. Internal IP addresses are hidden from external networks, which makes it harder for attackers to directly target a specific device.

While not a substitute for a firewall, NAT reduces the attack surface. In cloud infrastructure, NAT is used extensively. Virtual private clouds (VPCs) in AWS, Azure, and GCP use NAT gateways to allow private instances to access the internet for updates or external services without exposing them directly.

Network engineers must understand NAT to design and troubleshoot connectivity. Misconfigured NAT can break applications that use IP addresses in their data streams, like VoIP or video conferencing. It can also cause issues with VPNs if both ends use overlapping private IP ranges.

System administrators working with remote access, server hosting, or any service that requires inbound connections need to configure port forwarding or static NAT to make internal services reachable from the outside. NAT is also critical for regulatory compliance in some industries because it can obscure the internal network topology, which is considered a security best practice. Overall, NAT is not a theory; it is a daily reality for anyone who configures routers, firewalls, or cloud networks.

How It Appears in Exam Questions

Exam questions about NAT typically test both conceptual understanding and practical configuration. Multiple-choice questions might ask: Which type of NAT allows multiple internal hosts to share a single public IP address? The correct answer is PAT or NAT overload.

Another common format asks: What is the primary benefit of NAT? Answer options often include address conservation, security, and easier routing. Scenario questions present a small business with five computers that cannot access the internet after a new router is installed.

The candidate is asked to identify the likely cause, such as missing NAT configuration or incorrect inside/outside interface assignments. Troubleshooting questions show output from the command show ip nat translations and ask which device is using which public IP and port. Configuration questions require the candidate to order the steps to configure static NAT: define the inside interface, define the outside interface, create the ip nat inside source static command with the correct addresses.

Drag-and-drop questions may ask the candidate to match NAT types with their definitions. In the Network+ exam, diagram-based questions show a network with private IPs and ask what technology enables these devices to reach the internet. The answer is NAT.

Some advanced questions ask about NAT traversal: if both peers in a VPN are behind NAT, which protocol is needed? Answer: UDP encapsulation or NAT-T. Another pattern involves overlapping IP addresses in company mergers.

The candidate needs to understand how NAT can be used to translate one side's addresses to avoid collisions. On the CCNA exam, a typical performance-based question asks the candidate to enter configuration commands on a simulated router to allow a pool of internal hosts to access the internet using PAT. This requires configuring an access list, defining a NAT pool, and applying the ip nat inside source list command.

These question types ensure that the candidate can both explain the concept and apply it in a realistic context.


Example Scenario

A small company named Bright Solutions has a single office with 20 employees. Each employee has a desktop computer with a private IP address like 192.168.1.10, 192.168.1.11, and so on.

The internet service provider gives the company one public IP address: 203.0.113.50. The company's router uses NAT to allow all 20 computers to browse the web and send email using that single public IP.

One day, the office manager notices that employees cannot reach an external cloud application they use for accounting. The IT specialist checks the router and finds that the NAT translation table is full because many employees are streaming video at the same time, and each connection uses a unique port entry. The specialist explains that the NAT table can only hold a limited number of translations, and when it is full, new connections are dropped.

The solution is to increase the number of available ports or add a second public IP address to expand capacity. This scenario shows how NAT works in daily operations and how its limitations can affect business productivity.

Common Mistakes

Thinking NAT is a security feature that fully protects devices from hacking.

NAT does hide internal IP addresses, but it is not a firewall. It does not inspect traffic for malware or block malicious connections. It simply translates addresses. An attacker who can trick a user into clicking a link or who sends a crafted packet to the public IP can still reach internal devices if port forwarding is open.

Always use a proper firewall and security software in addition to NAT. Think of NAT as a receptionist who hides internal extensions but does not screen calls for threats.

Confusing private IP addresses with public IP addresses and assuming private addresses work on the internet.

Private IP addresses like 192.168.x.x are not routable on the public internet. If a packet with a private source address reaches an internet router, that router will drop it because it does not know where to send replies. Devices with only private addresses cannot access the internet without NAT.

Remember that private addresses are for internal use only. NAT translates them to a public address so they can reach the internet.

Setting up NAT without defining inside and outside interfaces correctly.

The router needs to know which interface connects to the internal network and which connects to the external internet. If these are reversed or missing, NAT will not work. Traffic may be dropped or translated incorrectly.

Always configure the ip nat inside command on the internal interface and ip nat outside on the external interface before applying any NAT rules.

Assuming static NAT and port forwarding are the same thing.

Static NAT maps one internal IP address to one external IP address on a one-to-one basis, so every port is forwarded. Port forwarding maps only specific ports on the external IP to a specific internal IP and port. They serve different purposes and are configured differently.

Use static NAT when an internal device needs full inbound access, like a web server with its own public IP. Use port forwarding to expose only certain services, like port 80 for a web server, while blocking other ports.

Forgetting that NAT breaks some applications that embed IP addresses in the data payload.

Applications like FTP, SIP (VoIP), and some video conferencing protocols carry IP address information inside the packet payload. NAT rewrites only the header, not the payload, so the receiving device reads the untranslated private address and the connection fails.

Use an Application Layer Gateway (ALG) on the router that inspects the payload and rewrites embedded addresses for those applications. Alternatively, use a VPN or newer protocols that are NAT-friendly.

Exam Trap — Don't Get Fooled

When asked about the difference between NAT and PAT, some learners incorrectly say that PAT uses a pool of public IP addresses while NAT uses a single address. Remember that PAT is a form of NAT that always uses a single public IP address and relies on port numbers to distinguish connections. Static or dynamic NAT may use a pool of addresses, but PAT is specifically for many-to-one mapping with ports.

On exams, look for keywords like multiple hosts, single IP, and port numbers to identify PAT.

Commonly Confused With

Network Address Translation vs Proxy Server

A proxy server acts as an intermediary that fetches data on behalf of a client, often caching content and filtering traffic. NAT simply translates addresses without caching or filtering. A proxy operates at the application layer, while NAT operates at the network layer.

With a proxy, your browser sends requests to the proxy, which then goes to the web server and returns the data. With NAT, your device sends packets directly through the router, which just rewrites the addresses without inspecting the content.

Network Address Translation vs Port Forwarding

Port forwarding is a feature within NAT that allows external devices to connect to a specific internal device by mapping a public port to a private IP and port. NAT itself refers to the entire translation process, while port forwarding is a specific rule that enables inbound connections.

NAT is the general process of sharing a public IP among many devices. Port forwarding is the specific configuration that lets you host a web server at home by telling the router to send incoming traffic on port 80 to your server's private IP.

Network Address Translation vs VPN

A VPN creates an encrypted tunnel between two networks or devices, ensuring privacy and data integrity. NAT does not encrypt traffic; it only changes addresses. NAT may interfere with VPN unless the VPN uses NAT traversal protocols.

When you use a VPN, your data is encrypted and sent inside a tunnel that hides your IP address from the internet. With NAT, your data is not encrypted, and only the router's public IP is shown, but the content is still readable.

Network Address Translation vs Firewall

A firewall inspects incoming and outgoing traffic and decides whether to allow or block it based on rules. NAT does not inspect or filter traffic; it simply rewrites addresses. A firewall can work alongside NAT, and many routers combine them, but they are distinct functions.

A firewall is like a security guard checking ID at the door. NAT is like the receptionist who changes the room numbers on the mail. They do different jobs but often work in the same building.

Step-by-Step Breakdown

Step 1: Device Sends Packet

A device on the internal network, such as a laptop with private IP 192.168.1.10, sends a packet to a web server on the internet. The packet contains the source IP (192.168.1.10), source port (e.g., 12345), destination IP (the web server), and destination port (usually 80 for HTTP).

Step 2: Router Receives Packet on Inside Interface

The packet arrives at the router's internal interface, which is configured as the NAT inside interface. The router checks its routing table to see if the destination is reachable. It sees that the destination is outside the local network and needs to be forwarded to the internet.

Step 3: NAT Table Entry Created

The router checks its NAT table to see if there is already a translation for this internal IP and port. Since this is a new connection, the router creates a new entry. It records the internal IP and port, assigns a new source port from its pool (e.g., port 40001), and sets the translated source IP to its own public IP.

Step 4: Packet Header Rewritten

The router modifies the packet header. It changes the source IP address from 192.168.1.10 to the public IP, and changes the source port from 12345 to 40001. It also updates the IP checksum and any other header fields as needed so the packet is valid. The original packet is then forwarded out the outside interface toward the internet.

Step 5: Response Packet Arrives

The web server sends a response packet back to the router's public IP address, using destination port 40001. The internet routers route the packet to the router because the public IP belongs to that router.

Step 6: Router Looks Up NAT Table

The router receives the response on its outside interface. It examines the destination port 40001 and looks up that port in its NAT table. The table tells the router that this port corresponds to internal IP 192.168.1.10 and original port 12345.

Step 7: Packet Header Translated Back

The router rewrites the destination IP and port back to the internal device's private IP and original port. It recalculates the checksum and forwards the packet out the inside interface to the laptop.

Step 8: Table Entry Removed After Timeout

When the session ends or after a period of inactivity, the router removes the entry from the NAT table. This frees up the port number for future connections. This cleanup prevents the table from filling up with stale entries.
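The eight steps above, together with the table-exhaustion problem from the Example Scenario section, as an added Python model of a PAT table; this is illustration written for this page, not code from the glossary or from any router vendor. The public IP 203.0.113.50, the deliberately tiny five-port pool, the 300-second idle timeout and the host addresses are all constructed values.

```python
"""Toy PAT (NAT overload) translation table.

Added illustration for this page, not code from the glossary or any router
vendor. The public IP, the five-port pool, the idle timeout and the host
addresses are constructed values chosen to keep the walk-through small.
"""
import time
from dataclasses import dataclass

PUBLIC_IP = "203.0.113.50"        # the router's single public address (constructed)
PORT_POOL = range(40001, 40006)   # tiny pool so table exhaustion is easy to show
IDLE_TIMEOUT = 300.0              # seconds of inactivity before an entry is aged out


@dataclass
class Entry:
    inside_local: tuple   # (private IP, original source port)
    outside: tuple        # (destination IP, destination port)
    proto: str
    last_seen: float


class PatTable:
    """Stateful table keyed both ways: by translated port and by original flow."""

    def __init__(self, now=time.monotonic):
        self.now = now              # injectable clock so aging can be tested
        self.by_global_port = {}    # translated source port -> Entry (inbound lookup)
        self.by_flow = {}           # (inside_local, outside, proto) -> translated port

    def outbound(self, src_ip, src_port, dst_ip, dst_port, proto="tcp"):
        """Steps 3 and 4: find or create an entry and return the rewritten header."""
        key = ((src_ip, src_port), (dst_ip, dst_port), proto)
        port = self.by_flow.get(key)
        if port is None:
            self.age_out()          # reclaim stale ports before allocating a new one
            free = [p for p in PORT_POOL if p not in self.by_global_port]
            if not free:
                return None         # table exhausted: the new connection is dropped
            port = free[0]
            self.by_global_port[port] = Entry(key[0], key[1], proto, self.now())
            self.by_flow[key] = port
        self.by_global_port[port].last_seen = self.now()
        return (PUBLIC_IP, port, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_port, proto="tcp"):
        """Steps 6 and 7: match the reply on its destination port, rewrite back."""
        entry = self.by_global_port.get(dst_port)
        if entry is None or entry.outside != (src_ip, src_port) or entry.proto != proto:
            return None             # no matching entry: unsolicited traffic is discarded
        entry.last_seen = self.now()
        return (src_ip, src_port) + entry.inside_local

    def age_out(self):
        """Step 8: drop entries idle longer than IDLE_TIMEOUT to free their ports."""
        now = self.now()
        for port, e in list(self.by_global_port.items()):
            if now - e.last_seen > IDLE_TIMEOUT:
                del self.by_global_port[port]
                del self.by_flow[(e.inside_local, e.outside, e.proto)]


def demo():
    """Run the page's scenario: one web request, its reply, then pool exhaustion."""
    clock = [0.0]
    table = PatTable(now=lambda: clock[0])
    # Step 1: laptop 192.168.1.10:12345 opens a connection to a web server on port 80
    out = table.outbound("192.168.1.10", 12345, "198.51.100.7", 80)
    # Step 5: the server answers 203.0.113.50:<translated port>; it reaches the laptop
    back = table.inbound("198.51.100.7", 80, out[1])
    # A stranger aiming at the same public port has no matching entry and is dropped
    unsolicited = table.inbound("192.0.2.9", 4444, out[1])
    # Four more hosts use up the remaining ports; the sixth new flow finds none left
    for host in range(11, 15):
        table.outbound(f"192.168.1.{host}", 50000, "198.51.100.7", 443)
    dropped = table.outbound("192.168.1.20", 50000, "198.51.100.7", 443)
    # Once the idle timer expires, aging frees the ports and the retry succeeds
    clock[0] += IDLE_TIMEOUT + 1
    retry = table.outbound("192.168.1.20", 50000, "198.51.100.7", 443)
    return out, back, unsolicited, dropped, retry
```

Calling demo() returns the rewritten headers for each stage; enlarging PORT_POOL or shortening IDLE_TIMEOUT is the model's equivalent of the two fixes the scenario describes (more ports, or faster aging of idle entries).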

Practical Mini-Lesson

Network Address Translation is a process that every network professional must understand and configure. In practice, NAT is almost always used in combination with PAT, which allows many internal hosts to share a single public IP. When configuring NAT on a Cisco router for a small office, you start by designating the inside and outside interfaces.

For example, interface GigabitEthernet0/0 is the inside interface connected to the switch, and interface GigabitEthernet0/1 is the outside interface connected to the modem. You then use the commands ip nat inside and ip nat outside on each respective interface. Next, you define which traffic should be translated.

For PAT, you create an access list that permits the internal private IP ranges, for example access-list 1 permit 192.168.1.0 0.0.0.255. Then you apply the NAT rule: ip nat inside source list 1 interface GigabitEthernet0/1 overload.

The keyword overload is what enables PAT. For static NAT, the command is ip nat inside source static 192.168.1.10 203.0.113.50, which maps that internal server permanently to a public IP.

A common issue is that the NAT table fills up because each connection uses a unique port. Most home routers have a table of around 5000 entries. If you have a busy network with many devices streaming, downloading, or using peer-to-peer applications, you can exhaust the table.

This causes new connections to fail. The solution is either to reduce the timeout for idle entries or add a second public IP address to double the available ports. In enterprise environments, NAT is often performed on dedicated firewalls or routers with large tables.

For cloud networking, AWS uses a NAT Gateway service that provides managed PAT for private subnets. When you set up a VPC, you can launch a NAT Gateway in a public subnet and route traffic from private subnets through it. The gateway translates the private addresses to its own Elastic IP.

This is a common scenario in cloud certification exams. Another practical consideration is that NAT can interfere with protocols that embed IP addresses. For example, FTP in active mode fails because the client sends its private IP in the PORT command.

The router must have an FTP ALG enabled to inspect and rewrite that command. Similarly, SIP and H.323 for VoIP require ALG support. If you encounter issues with voice calls or file transfers, always check whether the NAT device is properly handling those protocols.

Some applications now use UPnP to automatically configure port forwarding, but this is a security risk and should be disabled in corporate environments. A professional should always test NAT connectivity using tools like ping, traceroute, and by checking the NAT table with commands like show ip nat translations on Cisco or the equivalent on other platforms. Understanding how NAT interacts with other technologies, such as VPNs, quality of service, and load balancing, is crucial for advanced roles.

For example, when building a site-to-site VPN, if both sites use the same private IP range, you need to implement NAT on one side to remap addresses before packets enter the tunnel. This is called NAT exemption or NAT traversal depending on the setup. In summary, NAT is not just a concept to memorize; it is a configurable tool that directly affects network performance, security, and application compatibility.

Memory Tip

Think of NAT as a receptionist: the receptionist has one main phone number (public IP), keeps a log (NAT table) of all incoming and outgoing calls, and transfers each call to the correct internal extension (private IP). The outside caller never knows the extension.


Frequently Asked Questions

Does NAT provide security?

NAT alone does not provide strong security because it does not inspect or filter traffic. However, it does hide internal IP addresses, which makes it harder for attackers to directly target internal devices. You should still use a firewall for real security.

What is the difference between NAT and PAT?

NAT translates private IPs to public IPs, possibly using a pool of public addresses. PAT is a type of NAT that maps many private IPs to a single public IP by using different port numbers for each connection. PAT is also called NAT overload.

Can I use NAT with IPv6?

NAT is not commonly needed with IPv6 because IPv6 has enough addresses for every device to have a unique public IP. However, some organizations still use NAT for IPv6 in certain scenarios, such as hiding internal network structure or during migration from IPv4.

Why do some online games not work with NAT?

Some games require direct peer-to-peer connections and embed IP addresses in the game data. NAT can interfere with these connections. Using UPnP or manual port forwarding often solves the problem, but some strict NAT types may still cause issues.

What happens if the NAT table becomes full?

When the NAT table is full, new connections from internal devices are dropped. This can cause internet access to fail for some users. The router usually logs this event. You can free up space by reducing timeout values or adding more public IP addresses.

What is the difference between static NAT and dynamic NAT?

Static NAT maps a specific private IP to a specific public IP permanently. Dynamic NAT maps a private IP to an available public IP from a pool on a first-come, first-served basis. Static NAT is used for servers that need a fixed public address, while dynamic NAT is for temporary outbound connections.

How does NAT affect VPN connections?

NAT can interfere with VPN protocols like IPsec because they encrypt the entire packet, including the IP addresses. Many modern VPNs use NAT traversal (NAT-T) to encapsulate the VPN packets inside UDP, allowing them to pass through NAT devices.

What is the command to view the NAT table on a Cisco router?

The command is show ip nat translations. It displays all active translations including inside local, inside global, outside local, and outside global addresses. You can also use show ip nat statistics to see the number of active translations and hits.
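The troubleshooting question described earlier (read show ip nat translations output and say which device holds which public port) as an added Python parser; this is example code written for this page, not a Cisco tool. SAMPLE is constructed text laid out in the style of that command's output (one header line, one translation per line, "---" where a static one-to-one entry has no protocol or port), using the documentation addresses from this page's scenario.

```python
"""Parse "show ip nat translations" output and answer the exam-style questions.

Added example for this page, not a Cisco tool. SAMPLE is constructed text laid
out like IOS output (header plus one translation per line, "---" for the
fields a static one-to-one entry leaves unset); the addresses are documentation
ranges chosen to match the scenario on this page.
"""
from collections import Counter

SAMPLE = """\
Pro Inside global         Inside local          Outside local         Outside global
tcp 203.0.113.50:40001    192.168.1.10:12345    198.51.100.7:80       198.51.100.7:80
tcp 203.0.113.50:40002    192.168.1.11:51022    198.51.100.7:443      198.51.100.7:443
udp 203.0.113.50:40003    192.168.1.10:53211    198.51.100.53:53      198.51.100.53:53
--- 203.0.113.51          192.168.1.20          ---                   ---
"""

COLUMNS = ("inside_global", "inside_local", "outside_local", "outside_global")


def split_addr(token):
    """'ip:port' -> (ip, port); bare 'ip' -> (ip, None); '---' -> None."""
    if token == "---":
        return None
    ip, sep, port = token.rpartition(":")
    return (ip, int(port)) if sep else (token, None)


def parse_translations(text):
    """Return one dict per translation line; the header line is skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] == "Pro":
            continue                      # header, blank line or unexpected layout
        entry = {"proto": fields[0]}
        entry.update(zip(COLUMNS, map(split_addr, fields[1:])))
        entries.append(entry)
    return entries


def host_for_global_port(entries, port):
    """Which inside host owns a given translated (inside global) port?"""
    for e in entries:
        ig = e["inside_global"]
        if ig and ig[1] == port:
            return e["inside_local"]
    return None


def translations_per_host(entries):
    """How many table entries each private address currently consumes."""
    return Counter(e["inside_local"][0] for e in entries)


def static_entries(entries):
    """One-to-one static mappings show '---' as protocol and carry no port numbers."""
    return [e for e in entries if e["proto"] == "---"]
```

translations_per_host is the quick way to spot which internal host is consuming the most entries when the table is filling up, the situation described in the Example Scenario.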

Summary

Network Address Translation is a fundamental networking technology that enables multiple devices to share a single public IP address, conserving the limited pool of IPv4 addresses and simplifying network management. It works by rewriting the source IP and port in outgoing packets and reversing the process for incoming replies using a stateful translation table. While NAT provides a basic layer of obscurity, it is not a substitute for a firewall.

Understanding NAT is essential for anyone studying for CompTIA Network+ or Cisco CCNA exams, as it appears in multiple-choice, scenario, and configuration questions. You must know the differences between static, dynamic, and PAT, how to configure inside and outside interfaces, and how to troubleshoot common issues like table exhaustion and application layer compatibility. In professional practice, NAT is used in home routers, enterprise firewalls, and cloud gateways.

It affects everything from web browsing to VPNs and VoIP. Remember that NAT is a tool, not a security blanket, and that careful configuration is required to avoid breaking critical applications. Mastery of NAT will serve you well in both certification exams and real-world network administration.