Explain why NAT exists and the IPv4 exhaustion problem
Differentiate between Static NAT, Dynamic NAT, and PAT
Trace a packet through the NAT translation process
Configure port forwarding for inbound service access
Understand NAT traversal challenges and solutions
Why NAT Exists
IPv4 provides roughly 4.3 billion addresses. With billions of devices online, we ran out. NAT is the solution that lets entire networks share a single public IP address. Your home router does NAT -- every device in your house (phone, laptop, smart TV) uses a private 192.168.x.x address internally but appears as one public IP to the internet.
Inside Local: The private IP address of the internal device (e.g., 192.168.1.50). How YOU see the device.
Inside Global: The public IP address assigned to the inside device after NAT (e.g., 203.0.113.10). How the INTERNET sees your device.
Outside Local: How the external device appears from the inside perspective. Usually the same as Outside Global.
Outside Global: The real public IP of the external device (e.g., 93.184.216.34). The server's actual address.
Types of NAT
Type             Mapping                                                         Use Case
Static NAT       1:1 -- one private IP to one public IP, permanently             Servers that need a consistent public address (web, mail)
Dynamic NAT      Many:Many -- pool of public IPs assigned on demand              Organizations with a block of public IPs, fewer than internal hosts
PAT (Overload)   Many:1 -- all devices share one public IP using port numbers    Home routers, small offices. Most common form of NAT.
PAT (Port Address Translation) in Action
PAT (also called NAT Overload) is how your home router lets dozens of devices share one public IP. It tracks connections using a combination of IP address and port number in the NAT table.
/* Three devices browsing the web simultaneously */
Outbound (LAN --> Internet):
Laptop   192.168.1.50:49152 --> NAT --> 203.0.113.10:50001 --> 93.184.216.34:443
Phone    192.168.1.51:49153 --> NAT --> 203.0.113.10:50002 --> 93.184.216.34:443
Desktop  192.168.1.52:49154 --> NAT --> 203.0.113.10:50003 --> 142.250.80.46:443

/* NAT Translation Table */
Inside Local          Inside Global         Outside Global
192.168.1.50:49152    203.0.113.10:50001    93.184.216.34:443
192.168.1.51:49153    203.0.113.10:50002    93.184.216.34:443
192.168.1.52:49154    203.0.113.10:50003    142.250.80.46:443

/* Inbound: Router uses the port number to determine
   which internal device to forward the response to. */
NAT Configuration (Cisco IOS)
/* Static NAT -- map internal web server to public IP */
Router(config)# ip nat inside source static 192.168.1.10 203.0.113.10
Router(config)# interface gi0/0
Router(config-if)# ip nat inside
Router(config)# interface gi0/1
Router(config-if)# ip nat outside

/* PAT (Overload) -- share one public IP for all internal hosts */
Router(config)# access-list 1 permit 192.168.1.0 0.0.0.255
Router(config)# ip nat inside source list 1 interface gi0/1 overload
Router(config)# interface gi0/0
Router(config-if)# ip nat inside
Router(config)# interface gi0/1
Router(config-if)# ip nat outside

/* Verify NAT translations */
Router# show ip nat translations
Router# show ip nat statistics
Port Forwarding
Port forwarding maps an external port on the public IP to an internal server. This allows inbound connections to reach services behind NAT -- essential for hosting web servers, game servers, or SSH access from the internet.
/* Port Forwarding Examples */
/* Forward external port 80 to internal web server */
Router(config)# ip nat inside source static tcp 192.168.1.10 80 203.0.113.10 80
/* Forward external port 2222 to internal SSH (non-standard port) */
Router(config)# ip nat inside source static tcp 192.168.1.10 22 203.0.113.10 2222
/* Result: Internet user connects to 203.0.113.10:2222
   Router translates to 192.168.1.10:22 (SSH) */
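To make the PAT table above and the port-forwarding rules concrete, here is a small simulator added to this lesson; it is example code, not part of the original page or of any router vendor's implementation. The PatRouter class, walkthrough(), and the probe source 198.51.100.7 are constructed for illustration; the device addresses and ports are the lesson's own. It also shows the failure mode the lesson implies: an inbound packet with no table entry and no forward rule has nowhere to go and is dropped.

```python
# Added example (not part of the lesson): a toy PAT router plus one static port forward.
# Device addresses/ports come from the lesson; 198.51.100.7 and all names are constructed.
from collections import namedtuple
from itertools import count

Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port")


class PatRouter:
    def __init__(self, public_ip, first_port=50001):
        self.public_ip = public_ip
        self.table = {}     # (inside local ip, port, outside ip, port) -> inside global port
        self.forwards = {}  # static forwards: external port -> (inside ip, inside port)
        self._ports = count(first_port)

    def forward_port(self, ext_port, inside_ip, inside_port):
        self.forwards[ext_port] = (inside_ip, inside_port)

    def outbound(self, pkt):
        """LAN -> Internet: rewrite the source to inside global and record the mapping."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.table:  # a new flow takes the next unused public port
            self.table[key] = next(self._ports)
        return Packet(self.public_ip, self.table[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Internet -> LAN: match our port plus the remote endpoint, then static forwards."""
        for (in_ip, in_port, out_ip, out_port), g_port in self.table.items():
            if g_port == pkt.dst_port and (out_ip, out_port) == (pkt.src_ip, pkt.src_port):
                return Packet(pkt.src_ip, pkt.src_port, in_ip, in_port)
        if pkt.dst_port in self.forwards:
            in_ip, in_port = self.forwards[pkt.dst_port]
            return Packet(pkt.src_ip, pkt.src_port, in_ip, in_port)
        return None  # no entry and no forward: unsolicited inbound traffic is dropped


def walkthrough():
    """The lesson's three devices, one server reply, one unsolicited probe, the SSH forward."""
    r = PatRouter("203.0.113.10")
    r.forward_port(2222, "192.168.1.10", 22)  # the lesson's SSH port-forward rule
    r.outbound(Packet("192.168.1.50", 49152, "93.184.216.34", 443))   # laptop -> 50001
    phone = r.outbound(Packet("192.168.1.51", 49153, "93.184.216.34", 443))  # -> 50002
    r.outbound(Packet("192.168.1.52", 49154, "142.250.80.46", 443))   # desktop -> 50003
    return {
        "phone_global": (phone.src_ip, phone.src_port),
        "reply": r.inbound(Packet("93.184.216.34", 443, "203.0.113.10", 50002)),
        "probe": r.inbound(Packet("198.51.100.7", 4444, "203.0.113.10", 50002)),
        "ssh": r.inbound(Packet("198.51.100.7", 4444, "203.0.113.10", 2222)),
    }
```

Note that the probe to port 50002 is dropped only because the table lookup fails, not because of any firewall rule; once a port forward exists (port 2222 here), any remote host reaches the internal service, which is why the forwarded host needs its own hardening.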
NAT Traversal Challenges
NAT breaks the end-to-end connectivity model that IP was designed for. Some protocols and applications struggle with NAT:
VoIP / SIP: SIP embeds IP addresses in the payload (not just headers). NAT rewrites headers but not payloads, breaking call setup. ALGs (Application Layer Gateways) or STUN/TURN servers solve this.
IPsec VPN: IPsec in tunnel mode encrypts the original IP header. NAT cannot modify encrypted headers. NAT-T (NAT Traversal) encapsulates IPsec in UDP port 4500 to work around this.
Peer-to-Peer: Both peers are behind NAT -- neither can initiate a direct connection. STUN, TURN, and ICE (used by WebRTC) punch holes through NAT for direct peer communication.
Active FTP: The server tries to connect back to the client's data port. NAT blocks this inbound connection. Passive FTP (client initiates both connections) is the workaround.
NAT and IPv6
IPv6 provides 340 undecillion addresses -- enough for every device to have a globally unique address. NAT is technically unnecessary with IPv6. However, some organizations still use NAT66 (IPv6-to-IPv6 translation) for privacy or policy reasons, and NAT64 translates between IPv6 and IPv4 during the transition period.
The Big Picture:
NAT was a brilliant hack to extend IPv4's lifespan. But it adds complexity, breaks protocols, and makes troubleshooting harder. IPv6 eliminates the need for NAT by providing enough addresses for everything -- but the transition is still ongoing decades later.
Key Takeaways
NAT translates private IP addresses to public ones, solving IPv4 exhaustion
PAT (overload) is the most common type -- many devices share one public IP using port numbers
Static NAT provides 1:1 mapping for servers that need consistent public addresses
Port forwarding maps specific external ports to internal servers
NAT breaks end-to-end connectivity; protocols like SIP, IPsec, and P2P need workarounds
IPv6 eliminates the need for NAT with its vast address space