What is NAT in Networking?
NAT stands for Network Address Translation. It is a common technique in computer networking that lets hosts with private IP addresses reach resources located at public IP addresses.
Routing in a public network (e.g., the Internet) uses globally unique addresses known as public IPs. A public IP is comparable to a postal address: web services are hosted on public IPs so that everyone can reach the websites.
Browsing a website from a LAN device is the most common example of Network Address Translation. The following steps show conceptually how NAT works.
- The user types the URL in the web browser and presses the Enter key.
- The computer sends an HTTP request (with its private IP address as the source address) to the router.
- The router forwards the request to the web server that hosts the website for the entered URL.
- While forwarding, the router replaces the private LAN IP in the source address with its own public IP, so no private IP appears in the request that reaches the server.
- The server’s response is addressed to the router’s public IP, not to your laptop’s LAN IP.
- The router sends the response on to the computer.
Have you ever wondered how the router knows which LAN computer the response should be sent to? The answer is NAT; without network address translation this is not possible. The diagram below shows how a NAT table replaces the host addresses.
LAN and NAT?
A LAN is a group of computers connected using switches, hubs, and routers. Each computer (or any other network device) is assigned an internal IP, e.g., 192.168.1.45. The IP can be allocated statically or via DHCP.
A whole range of private IPs (e.g., 192.168.1.xx), defined by a subnet mask, belongs to the local network. When a device sends a message to a destination, the network router (default gateway) checks whether the destination IP belongs to a LAN device.
For example, a user on the host 192.168.1.24 pings IP address 192.168.1.56. The ping request first reaches the router, which passes the message on to the destination IP; no translation is needed.
Suppose the same host needs to access a public computer such as 202.165.107.49 (www.yahoo.com). The router forwards the request to that address and keeps an entry for the connection in its memory using NAT.
When it comes to LANs, why do we need NAT?
Imagine there were no NAT: how would each computer access the Internet? Each computer would need its own public IP from the ISP.
Is this feasible for an organization, or even at home? With Network Address Translation, a group of computers can access the Internet using the same public IP.
Firewall And NAT:
Most organizations use a firewall instead of a plain router. It can block, unblock, or shape network traffic based on various parameters, such as ports, IP ranges, etc. Network Address Translation and routing are coupled with the firewall. NAT maintains the state between the external server and the internal IP. During data transfer, the firewall can inspect the payloads and apply traffic rules.
There are two sub-sessions: one between the firewall and the internal LAN computer, and another from the firewall to the public Internet server.
How to restrict the IPs using NAT?
While configuring translation, we can specify which private IP ranges are translated. This restricts Internet access. For example, if only the marketing department is allowed to access the Internet in a company, the NAT table will contain only the addresses of the marketing department’s computers.
How to configure a Linux machine as a router with NAT?
Linux is an open-source operating system. It comes with a useful facility named iptables. With iptables you can turn a Linux machine into a router with NAT.
When you access the Internet, the router performs the Network Address Translation. But when software on a Linux machine needs to bridge a LAN device and the Internet, the operating system must be configured to relay IP packets to the Internet and back. This requires NAT settings on the Linux machine.
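The rule set such a Linux router needs, as an added example that is not from this article. The interface names eth0/eth1 and the 192.168.1.0/24 range are assumptions; the -s match on the private range is how the restriction described under "How to restrict the IPs using NAT?" is expressed in iptables, and the ESTABLISHED,RELATED rule is what lets only replies to the NAT table's sessions back in.

```shell
#!/bin/sh
# Added example (not from the original article): build the iptables rules that
# turn a Linux box into a NAT router for one LAN. Interface names and the LAN
# subnet below are assumptions; adjust them to the machine at hand.
WAN_IF="${WAN_IF:-eth0}"              # interface holding the public IP
LAN_IF="${LAN_IF:-eth1}"              # interface facing the private LAN
LAN_NET="${LAN_NET:-192.168.1.0/24}"  # only this range gets translated

# Emit the rules, one per line, without running anything. Keeping generation
# separate from application lets the rule set be reviewed (or diffed) first.
nat_rules() {
    wan=$1; lan=$2; net=$3
    # The kernel must be allowed to forward packets between interfaces.
    echo "sysctl -w net.ipv4.ip_forward=1"
    # Source NAT: rewrite the private source IP to the public IP on $wan,
    # but only for packets coming from the permitted private range.
    echo "iptables -t nat -A POSTROUTING -s $net -o $wan -j MASQUERADE"
    # Outbound: LAN hosts in the permitted range may open connections.
    echo "iptables -A FORWARD -i $lan -o $wan -s $net -j ACCEPT"
    # Inbound: only replies that match an existing NAT/conntrack entry.
    echo "iptables -A FORWARD -i $wan -o $lan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Everything else that would transit the router is dropped.
    echo "iptables -P FORWARD DROP"
}

# Number of rules that reference the permitted LAN range; a sanity check that
# the range restriction is attached to both the NAT and the forwarding rule.
count_restricted() {
    nat_rules "$1" "$2" "$3" | grep -c -- "-s $3"
}

# Apply the rules (requires root). Run as:  sh nat-router.sh apply
apply_rules() {
    nat_rules "$WAN_IF" "$LAN_IF" "$LAN_NET" | while IFS= read -r cmd; do
        echo "+ $cmd"
        eval "$cmd"
    done
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

Without the `apply` argument the script only prints the rules, so it can be reviewed on a workstation before being run on the router.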
For example, a telecom network has a gateway between the mobile network and the packet network, named the GGSN. The mobile device gets a private IP from the GGSN at GPRS attach, and a logical tunnel is set up over UDP between the GGSN and the SGSN for uplink and downlink data.
When a mobile user browses a website, HTTP packets reach the GGSN with the mobile's private IP as the source address.