NAT & PAT — Network & Port Address Translation

The duct tape that kept IPv4 alive long past its demographic sell-by date. A kludge that became infrastructure.

Why NAT exists

IPv4 has 2³² addresses ≈ 4.3 billion, minus reservations → ~3.7 billion usable. The internet has ~30 billion connected devices. The gap was closed by:

  1. RFC 1918 private addressing — 10/8, 172.16/12, 192.168/16 — reusable at every site
  2. NAT — translate private ↔ public at the boundary so many internal hosts share a smaller pool of public IPs

NAT was never meant to be a security feature. It is, accidentally, a weak one (hosts behind NAT aren’t directly reachable), but that’s a side effect.

The translation taxonomy

Type                              Mapping                                                    Typical use
Static NAT                        1 private IP ↔ 1 public IP, permanent                      Servers that need to be reachable from the outside
Dynamic NAT                       N private ↔ M public (M < N), pool-assigned per flow       Legacy; rare today
PAT / NAPT (aka “NAT overload”)   Many private ↔ 1 public IP, distinguished by source port   The common case — home routers, enterprise edge

“NAT” in casual conversation almost always means PAT.

How PAT works

The NAT device maintains a translation table:

Inside local    →  Inside global (public IP + new source port)
10.0.0.5:34521  →  198.51.100.1:61001   ← outbound flow 1
10.0.0.6:51200  →  198.51.100.1:61002   ← outbound flow 2
10.0.0.5:49200  →  198.51.100.1:61003   ← outbound flow 3

  • Outbound: rewrite src IP:port to public IP:new-port, track in table
  • Inbound: match dst IP:port against table, rewrite back to private

Entries are per-flow (5-tuple: protocol + src IP + src port + dst IP + dst port), timed out on idle.

The NAT vocabulary (RFC 2663)

  • Inside local — private IP, seen inside
  • Inside global — public IP that the private host appears as, seen outside
  • Outside global — public IP of the remote host
  • Outside local — how the outside host appears to the inside (rare; used in twice-NAT)

Memorise one sentence: “Local is what the inside sees, global is what the outside sees.”

Protocols that break with NAT

NAT rewrites L3 + L4 headers. Anything that embeds IP addresses in the payload breaks unless the NAT device has a helper (“ALG”, Application Layer Gateway):

  • FTP (active mode) — PORT command carries client’s IP in ASCII
  • SIP — Contact headers carry IPs
  • H.323 — extensive IP embedding
  • IPsec AH — cryptographically signs the IP header → NAT invalidates the signature
  • IPsec ESP — tunnelled between NAT endpoints requires NAT-T (UDP 4500 encapsulation, RFC 3947)
  • ICMP — “works” but tracking echo-reply requires identifier matching

ALGs are a common source of silent corruption — they rewrite payloads, and when they get it wrong, debugging is painful. Many production shops disable the SIP ALG specifically because it breaks more than it fixes.

Hairpin / NAT loopback

A client on the inside network wants to reach an internal server via its public IP. The traffic goes out, hits the NAT, and needs to come back in — hairpin NAT. Many cheap routers don’t support it → “works from outside, not from inside.” Fix: split-DNS (return private IP to internal clients) instead of relying on hairpin.

Carrier-Grade NAT (CGN, RFC 6888)

When an ISP doesn’t have enough public IPs for customers, it NATs customers’ already-NATed traffic:

Home LAN (10.0.0.0/24) → Home router → ISP CGN (100.64.0.0/10) → Public internet
        NAT #1                                  NAT #2

  • 100.64.0.0/10 is the “shared address space” reserved for CGN (RFC 6598)
  • Breaks inbound anything (IPv4 gaming, BitTorrent, P2P, direct WebRTC)
  • Makes law-enforcement attribution hard
  • Major driver for IPv6 adoption

Why NAT is not security

Common myth: “I’m behind NAT, so I’m safe.”

  • NAT blocks unsolicited inbound because there’s no translation entry. That is not a security policy; it’s a side effect of address rewriting.
  • Once a translation entry exists (because the inside host initiated something), inbound matches are accepted — no inspection of the content.
  • A proper stateful firewall is a strict superset of what NAT-for-security offers.
  • IPv6 (no NAT) with a stateful firewall is strictly more secure than IPv4 with NAT.
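To make the per-flow table from “How PAT works” and the “no entry → dropped” point above concrete, here is a toy PAT table as an added example (not part of the original notes): outbound flows allocate a public port, inbound packets are translated back only when a 5-tuple entry matches, and entries expire on idle. The remote addresses (203.0.113.x) and the Flow/Pat names are constructed for the example.

```python
import time
from collections import namedtuple

# The 5-tuple that identifies one translation entry.
Flow = namedtuple("Flow", "proto src_ip src_port dst_ip dst_port")


class Pat:
    """Minimal PAT / NAT overload: many private hosts share one public IP."""

    def __init__(self, public_ip, idle_timeout=300, first_port=61001):
        self.public_ip = public_ip
        self.idle_timeout = idle_timeout
        self.next_port = first_port
        self.table = {}    # Flow -> [public port, last-seen timestamp]
        self.reverse = {}  # (proto, public port, remote ip, remote port) -> Flow

    def expire(self, now):
        """Remove entries idle for longer than idle_timeout."""
        for flow, (pub_port, seen) in list(self.table.items()):
            if now - seen > self.idle_timeout:
                del self.reverse[(flow.proto, pub_port, flow.dst_ip, flow.dst_port)]
                del self.table[flow]

    def outbound(self, flow, now=None):
        """Inside -> outside: allocate a public port for a new flow and
        return the rewritten (src ip, src port)."""
        now = time.time() if now is None else now
        self.expire(now)
        if flow not in self.table:
            self.table[flow] = [self.next_port, now]
            self.reverse[(flow.proto, self.next_port, flow.dst_ip, flow.dst_port)] = flow
            self.next_port += 1
        self.table[flow][1] = now
        return (self.public_ip, self.table[flow][0])

    def inbound(self, proto, src_ip, src_port, dst_port, now=None):
        """Outside -> inside: return the private (ip, port) to rewrite to, or
        None when no entry matches. An unsolicited packet is dropped only
        because no entry exists; nothing inspected its content."""
        now = time.time() if now is None else now
        self.expire(now)
        flow = self.reverse.get((proto, dst_port, src_ip, src_port))
        if flow is None:
            return None
        self.table[flow][1] = now
        return (flow.src_ip, flow.src_port)
```

Note that a packet from a different remote host to an in-use public port still gets no entry: the match is on the full 5-tuple, which is what distinguishes a real reply from a probe.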

NAT in the cloud

  • AWS NAT Gateway — managed PAT for private subnets to reach the internet. One per AZ for HA.
  • AWS Internet Gateway (IGW) — 1:1 NAT for instances with public IPs. The instance only ever sees its private (inside-local) address; the public (inside-global) address is mapped at the gateway, and AWS hides this translation from you.
  • Azure NAT Gateway — same concept, subnet-scoped.
  • Egress-only internet gateway (AWS IPv6) — stateful, no address rewriting, since IPv6 doesn’t need NAT.
  • Security Groups / NSGs handle the actual policy; NAT just handles reachability.

The IPv6 reality

IPv6 was designed to end NAT. Every device gets a globally-routable address; a stateful firewall provides the security. NAT66 exists but is discouraged. As IPv6 adoption grows, NAT becomes a legacy concern — but it will stay with us for another decade at least.

See also