The most surprising truth about NAT and PAT is that they don’t simply "translate" addresses in the way most people imagine: they keep per-connection state keyed on an IP address and port combination, and every header rewrite they perform is driven by that state.
Let’s see this in action. Imagine a simple web server (192.168.1.100) serving a request to a client (10.0.0.5).
Client (10.0.0.5) -> Server (192.168.1.100)
SYN to 192.168.1.100:80 from 10.0.0.5:54321
Now, picture a NAT gateway (192.168.1.1 on the internal network, 203.0.113.1 on the external).
[Internal Network] --- 192.168.1.1 (NAT Gateway) --- [External Network] --- 203.0.113.1 (Public IP)
When the SYN packet from 10.0.0.5:54321 hits the NAT gateway (192.168.1.1), it’s destined for 192.168.1.100:80. The NAT gateway, configured to perform PAT (Port Address Translation) for the internal network, does something like this:
- Intercepts the packet: SYN from 10.0.0.5:54321 to 192.168.1.100:80.
- Chooses an external source port: it picks an available port on its own public IP address. Let’s say it picks 50000.
- Modifies the packet:
  - Source IP changes from 10.0.0.5 to 192.168.1.1 (its internal IP).
  - Source port changes from 54321 to 50000.
  - Destination IP remains 192.168.1.100.
  - Destination port remains 80.
  - The packet is now SYN from 192.168.1.1:50000 to 192.168.1.100:80.
Wait, that’s not right. NAT/PAT typically translates the source IP to the public IP. Let’s correct that. The NAT gateway has a public IP 203.0.113.1.
- Intercepts the packet: SYN from 10.0.0.5:54321 to 192.168.1.100:80.
- Chooses an external source port: it picks an available port on its public IP address. Let’s say it picks 50000.
- Modifies the packet:
  - Source IP changes from 10.0.0.5 to 203.0.113.1 (the gateway’s public IP).
  - Source port changes from 54321 to 50000.
  - Destination IP remains 192.168.1.100.
  - Destination port remains 80.
  - The packet is now SYN from 203.0.113.1:50000 to 192.168.1.100:80.
This is still not quite right. The destination IP also needs to be translated if the server is behind the NAT gateway and not directly routable from the external interface. The scenario this explanation is really about has the gateway between the client and the server, with the server on the internal network.
Let’s reset the scenario:
Scenario: A client on the internet (203.0.113.5:54321) wants to reach a web server (192.168.1.100:80) on a private network. The gateway for the private network has a private IP 192.168.1.1 and a public IP 203.0.113.1.
Network Topology:
[Internet] <--- 203.0.113.1 (Gateway Public IP) --- 192.168.1.1 (Gateway Private IP) --- 192.168.1.100 (Web Server)
The Problem: The client on the internet only knows how to reach 203.0.113.1. It has no idea 192.168.1.100 exists. The web server 192.168.1.100 only knows how to talk to things on its 192.168.1.0/24 network and doesn’t know how to reply to 203.0.113.5 directly.
The NAT Gateway’s Role: It acts as the intermediary.
1. Outbound Connection (Client to Server):
   - Client Packet: SYN from 203.0.113.5:54321 to 203.0.113.1:80. Notice the destination IP is the gateway’s public IP. The client is sending the request to the gateway, not directly to the server.
   - NAT Gateway Action (Ingress on public interface):
     - The gateway receives the packet on its public interface (203.0.113.1).
     - It looks up its NAT rules. It sees a rule for incoming traffic on port 80 destined for 203.0.113.1.
     - This rule is configured to forward this traffic to the internal web server 192.168.1.100 on port 80. This is often called Destination NAT (DNAT) or Port Forwarding.
     - The gateway rewrites the destination IP address and port:
       - Destination IP: 203.0.113.1 becomes 192.168.1.100.
       - Destination Port: 80 remains 80.
     - Crucially, for the return traffic to work, the gateway also needs to track this connection. It creates an entry in its NAT translation table.
     - Translation Table Entry Example:
       - External IP: 203.0.113.1, External Port: 80 (this is the incoming destination port that triggered the rule, but the gateway uses its own internal mapping for state tracking)
       - Internal IP: 192.168.1.100, Internal Port: 80
       - Client IP: 203.0.113.5, Client Port: 54321
       - NATed Source IP: 192.168.1.1 (the gateway’s private IP), NATed Source Port: some ephemeral port (e.g., 49152)
     - The packet is then forwarded to the internal network.
     - Rewritten Packet (forwarded internally): SYN from 192.168.1.1:49152 to 192.168.1.100:80. The source IP is now the gateway’s internal IP, and the source port is the ephemeral one it chose. This is Source NAT (SNAT) happening implicitly for the return traffic path.
2. Inbound Connection (Server to Client):
   - Web Server Response: The web server 192.168.1.100 receives the SYN (from 192.168.1.1:49152). It sends back a SYN-ACK.
   - Server Packet: SYN-ACK from 192.168.1.100:80 to 192.168.1.1:49152.
   - NAT Gateway Action (Ingress on private interface):
     - The gateway receives the SYN-ACK on its private interface (192.168.1.1).
     - It consults its NAT translation table for an entry matching the destination of this packet: 192.168.1.1:49152.
     - It finds the entry created earlier: Internal IP: 192.168.1.100, Internal Port: 80, Client IP: 203.0.113.5, Client Port: 54321, NATed Source IP: 192.168.1.1, NATed Source Port: 49152.
     - The gateway rewrites the source IP and port of the packet (and sends it back to the original client’s IP and port):
       - Source IP: 192.168.1.1 becomes 203.0.113.1 (the gateway’s public IP).
       - Source Port: 49152 becomes 80 (this is where PAT comes in for the return path, mapping the gateway’s internal port back to the original public-facing port).
     - Rewritten Packet (forwarded externally): SYN-ACK from 203.0.113.1:80 to 203.0.113.5:54321.
   - Client Receives Response: The client 203.0.113.5 receives the SYN-ACK as if it came directly from the web server, with the source IP 203.0.113.1 and port 80.
Key Concepts:
- NAT (Network Address Translation): The general process of modifying IP address and port information in packet headers.
- PAT (Port Address Translation) / NAT Overload: A specific type of NAT where multiple private IP addresses are mapped to a single public IP address using different source port numbers. This is what allows many devices on a private network to share one public IP.
- Inside Local: The IP address of a host on the inside network (e.g., 192.168.1.100).
- Inside Global: The IP address of a host on the inside network as seen from the outside. This is usually the IP address of the NAT gateway’s public interface (e.g., 203.0.113.1).
- Outside Local: The IP address of a host on the outside network as seen from the inside. This is usually the IP address of the NAT gateway’s private interface (e.g., 192.168.1.1).
- Outside Global: The IP address of a host on the outside network (e.g., 203.0.113.5).
- NAT Translation Table: The stateful table maintained by the NAT device to track active translations. This is what makes PAT possible and allows return traffic to be correctly routed.
Types of NAT:
- Static NAT: Maps one private IP address to one public IP address, and vice-versa. This is often used for servers that need to be accessible from the internet.
  192.168.1.100 <--> 203.0.113.100
- Dynamic NAT: Maps private IP addresses to a pool of public IP addresses on a first-come, first-served basis. When a device on the inside needs to go outside, it’s assigned an IP from the pool.
  - Internal Pool: 192.168.1.100, 192.168.1.101
  - External Pool: 203.0.113.100, 203.0.113.101
  - If 192.168.1.100 initiates a connection, it might get 203.0.113.100 as its source IP. If 192.168.1.101 initiates, it might get 203.0.113.101.
- PAT (Overload): Maps multiple private IP addresses to a single public IP address by using different port numbers. This is the most common type used in homes and small businesses.
  192.168.1.100:54321 -> 203.0.113.1:50000
  192.168.1.101:54322 -> 203.0.113.1:50001
Why is this important? NAT/PAT is fundamental to how the internet works today. It conserves IPv4 addresses by allowing many private devices to share a limited number of public IPs. It also provides a basic level of security by hiding the internal network structure from the outside world: that protection comes from the stateful table rather than from the address rewriting itself, because an unsolicited inbound packet matches no table entry and no forwarding rule and is simply dropped, which is also why every port-forward rule is a deliberate opening in that default.
The one thing most people don’t know is how the NAT table is populated for outbound connections. When a device on the private network initiates an outbound connection, the NAT device doesn’t just translate the source IP to its public IP. It also picks a source port on its public IP, modifies the packet, and critically, creates an entry in its translation table that maps: (Original Private IP, Original Private Port) to (NAT Gateway Public IP, Chosen Public Port). This entry is what allows the NAT device to know, upon receiving return traffic destined for (NAT Gateway Public IP, Chosen Public Port), that it needs to change the destination back to (Original Private IP, Original Private Port) and send it to the correct internal host. Without this stateful tracking, return packets would have no idea where to go.
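To make the two walkthroughs above concrete (the port-forwarded web server scenario with its SNAT back to the gateway’s private IP, and the outbound PAT table described in the previous paragraph), here is a small stateful gateway model. It is an added example written for this page, not code from the original text or from any real NAT implementation. The addresses and ports are the page’s sample values; the remote host 198.51.100.7, the class and method names, the single sequential port allocator starting at 49152 (so the PAT ports come out as 49153/49154 rather than the page’s 50000/50001), and the drop log are all constructed for this example.

```python
"""Toy stateful NAT/PAT gateway (added example, not from the original page)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip, port)


@dataclass(frozen=True)
class Packet:
    src: Endpoint
    dst: Endpoint
    flags: str = "SYN"


class NatGateway:
    """Hypothetical gateway with one private and one public interface."""

    def __init__(self, private_ip: str, public_ip: str,
                 ephemeral_range: Tuple[int, int] = (49152, 65535)) -> None:
        self.private_ip = private_ip
        self.public_ip = public_ip
        self._next_port, self._last_port = ephemeral_range
        # PAT table: private (ip, port) -> chosen public port, plus reverse index
        self.pat_out: Dict[Endpoint, int] = {}
        self.pat_in: Dict[int, Endpoint] = {}
        # Port-forward (DNAT) rules: public port -> internal (ip, port)
        self.forward_rules: Dict[int, Endpoint] = {}
        # State for forwarded connections: ephemeral port -> (client, public port)
        self.forward_state: Dict[int, Tuple[Endpoint, int]] = {}
        self.dropped: List[Packet] = []  # inbound packets with no state and no rule

    def add_port_forward(self, public_port: int, internal: Endpoint) -> None:
        self.forward_rules[public_port] = internal

    def _alloc_port(self) -> int:
        # Sequential allocation is a simplification; real devices randomise.
        if self._next_port > self._last_port:
            raise RuntimeError("port pool exhausted")
        port, self._next_port = self._next_port, self._next_port + 1
        return port

    def from_private(self, pkt: Packet) -> Packet:
        """Packet arriving on the private interface."""
        # Reply on a forwarded connection: undo the rewrite recorded on ingress.
        if pkt.dst[0] == self.private_ip and pkt.dst[1] in self.forward_state:
            client, public_port = self.forward_state[pkt.dst[1]]
            return Packet((self.public_ip, public_port), client, pkt.flags)
        # Ordinary outbound traffic: SNAT/PAT keyed on the private (ip, port).
        if pkt.src not in self.pat_out:
            port = self._alloc_port()
            self.pat_out[pkt.src] = port
            self.pat_in[port] = pkt.src
        return Packet((self.public_ip, self.pat_out[pkt.src]), pkt.dst, pkt.flags)

    def from_public(self, pkt: Packet) -> Optional[Packet]:
        """Packet arriving on the public interface; None means dropped."""
        if pkt.dst[0] != self.public_ip:
            self.dropped.append(pkt)
            return None
        port = pkt.dst[1]
        if port in self.pat_in:  # return traffic for an outbound PAT entry
            return Packet(pkt.src, self.pat_in[port], pkt.flags)
        if port in self.forward_rules:  # DNAT rule: rewrite dst, then src
            eph = self._alloc_port()
            self.forward_state[eph] = (pkt.src, port)
            return Packet((self.private_ip, eph), self.forward_rules[port], pkt.flags)
        self.dropped.append(pkt)  # no table entry, no rule: default deny
        return None


def run_scenarios() -> Dict[str, object]:
    gw = NatGateway("192.168.1.1", "203.0.113.1")
    gw.add_port_forward(80, ("192.168.1.100", 80))

    # 1. Internet client reaches the forwarded web server (the page's walkthrough).
    syn = Packet(("203.0.113.5", 54321), ("203.0.113.1", 80), "SYN")
    fwd = gw.from_public(syn)                     # 192.168.1.1:49152 -> 192.168.1.100:80
    syn_ack = Packet(fwd.dst, fwd.src, "SYN-ACK")  # server answers the gateway's private IP
    reply = gw.from_private(syn_ack)              # 203.0.113.1:80 -> 203.0.113.5:54321

    # 2. Two internal hosts share one public IP via PAT (the page's overload example).
    a = gw.from_private(Packet(("192.168.1.100", 54321), ("198.51.100.7", 443)))
    b = gw.from_private(Packet(("192.168.1.101", 54322), ("198.51.100.7", 443)))
    a_reply = gw.from_public(Packet(("198.51.100.7", 443), a.src, "SYN-ACK"))

    # 3. Unsolicited inbound packet: no state, no rule, so it is dropped.
    stray = gw.from_public(Packet(("198.51.100.9", 40000), ("203.0.113.1", 22)))
    return {"fwd": fwd, "reply": reply, "a": a, "b": b, "a_reply": a_reply,
            "stray": stray, "dropped": len(gw.dropped)}


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

The point to take from the model is that `from_public` never consults the packet’s own claims about where it should go; it consults only state the gateway itself created (`pat_in`, `forward_state`) or rules an administrator configured (`forward_rules`). Everything else lands in `dropped`, which on a real device is the counter worth monitoring.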
The next concept you’ll likely encounter is the complexity that arises when NAT interacts with protocols that embed IP addresses within their payloads, such as FTP or certain VoIP protocols, often requiring Application Layer Gateways (ALGs) to function correctly.