What is NAT?
NAT stands for Network Address Translation.
Many devices sold as firewalls or routers are actually a combined firewall, router
and NAT device in one box. NAT is the mechanism that allows many PCs on your LAN
to connect to the Internet through a single external IP address.
When one of the PCs on the private side of the NAT device initiates a connection
with a server on the Internet, it is essential that the IP packets arriving at the
remote server appear to have come from the external IP address of your router/firewall.
To do this, the router/firewall modifies every outgoing IP packet, substituting
its own external IP address for that of the internal PC that initiated the request.
At the same time, it must also substitute the source port number of the sending
device, using a port that is free on its own external interface. The remote server
is fooled into thinking that it is receiving packets from the external interface
of your router/firewall on the new port, when in fact it is receiving packets from
a PC on the LAN behind your router/firewall using some other port number. Because
it is completely fooled by this deception, the remote server will always send its
layer 3 replies back to the IP address and port number on the external interface
of your NAT device.
The NAT device has to keep track of the substitutions it has been making, because
it is responsible for reversing them whenever it receives a reply on its external
interface. It must also be consistent in the way it substitutes the sender's port
number whenever a new packet is sent out from the PC on the LAN. This is called
"stateful inspection" of packets: the device has to keep track of the state of
every Internet connection and modify the outbound and inbound packets consistently,
so that packets coming from the Internet are forwarded to the correct internal
destination (i.e. the correct PC on the LAN) and packets going out to the Internet
are given the correct source port number and IP address.
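The translation table described above, as an added illustration that is not part of the original article: a toy stateful NAT/PAT device that rewrites the source of outbound packets, reuses the same external port for repeat packets from the same internal socket, and reverses the mapping on replies. All addresses, port ranges and the choice to drop an inbound packet that matches no recorded state are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip address, port)


@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatDevice:
    """Minimal stateful NAT/PAT: rewrite outbound source, reverse it on inbound."""

    def __init__(self, external_ip: str, first_free_port: int = 40000):
        self.external_ip = external_ip
        self.next_port = first_free_port            # next unused external port
        self.out_table: Dict[Endpoint, int] = {}    # (lan_ip, lan_port) -> ext_port
        self.in_table: Dict[int, Endpoint] = {}     # ext_port -> (lan_ip, lan_port)

    def translate_outbound(self, pkt: Packet) -> Packet:
        # Key on the internal (ip, port) so every packet from the same internal
        # socket is consistently rewritten to the same external port.
        key = (pkt.src_ip, pkt.src_port)
        ext_port = self.out_table.get(key)
        if ext_port is None:
            # Allocate a free external port and record both directions of state.
            ext_port = self.next_port
            self.next_port += 1
            self.out_table[key] = ext_port
            self.in_table[ext_port] = key
        return Packet(self.external_ip, ext_port, pkt.dst_ip, pkt.dst_port)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        # A reply arrives addressed to the external IP and the substituted port;
        # look the port up and restore the internal destination. With no matching
        # state the device has nowhere to forward it (assumption: drop it).
        if pkt.dst_ip != self.external_ip:
            return None
        lan = self.in_table.get(pkt.dst_port)
        if lan is None:
            return None
        return Packet(pkt.src_ip, pkt.src_port, lan[0], lan[1])
```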
Port Address Translation (PAT)
The description above explains how basic NAT works, and you will have noticed
that it actually involves Port Address Translation as well as Network (or IP) Address
Translation. The term Port Address Translation is not widely used and most technical
personnel do not mention it - they just refer to everything as NAT. This might be
because they are unaware of the distinction or do not feel it is necessary to make
it. What is perhaps more important is to be aware of the case where NAT can occur
without Port Address Translation. This is the case for one-to-one NAT.