Module 10: NAT & PAT Deep Dive
NAT (Network Address Translation) is one of the most critical networking concepts. It’s the reason your home network with private IPs can access the internet, and it’s fundamental to understanding cloud networking, firewalls, and security.
Estimated Time : 3-4 hours
Difficulty : Intermediate
Prerequisites : Module 9 (IP Addressing Deep Dive)
10.1 The Problem NAT Solves
The IPv4 Exhaustion Crisis
Total IPv4 addresses: 4,294,967,296 (2^32)
World population: 8,000,000,000+
Devices per person: 3-5 (phone, laptop, tablet, smart devices)
Needed addresses: 24,000,000,000+
Problem : We need 6x more addresses than IPv4 provides.
Solution : Let millions of devices share a single public IP using NAT.
Before NAT (Theoretical)
Every device needs a public IP:
Home:
├── PC1: 203.0.113.1 (public)
├── PC2: 203.0.113.2 (public)
├── Phone: 203.0.113.3 (public)
└── TV: 203.0.113.4 (public)
Problem: ISP would need to give you 4+ public IPs
Global IP exhaustion would happen much faster
With NAT (Reality)
All devices share one public IP:
Home (Private: 192.168.1.0/24):
├── PC1: 192.168.1.10 ──┐
├── PC2: 192.168.1.11 ──┼──→ Router (NAT) ──→ 203.0.113.50 ──→ Internet
├── Phone: 192.168.1.12 ┘ (1 public IP for entire home)
└── TV: 192.168.1.13 ───┘
10.2 Types of NAT
1. Static NAT (One-to-One)
Maps one private IP to one public IP permanently.
Private IP Public IP
192.168.1.10 ←────→ 203.0.113.10
192.168.1.11 ←────→ 203.0.113.11
192.168.1.12 ←────→ 203.0.113.12
Use Case : Servers that need consistent public IP (web servers, mail servers)
Pros : Predictable, allows inbound connections
Cons : Doesn’t save IP addresses
2. Dynamic NAT (Many-to-Many)
Maps private IPs to a pool of public IPs dynamically.
Private IPs Public IP Pool
192.168.1.10 ──┐ ┌── 203.0.113.10
192.168.1.11 ──┼──NAT──→├── 203.0.113.11
192.168.1.12 ──┤ └── 203.0.113.12
192.168.1.13 ──┘ (First-come, first-served)
Use Case : When you have fewer public IPs than devices, but more than one
Limitation : If pool is exhausted, new connections fail
3. PAT / NAT Overload (Many-to-One) ⭐ Most Common
Port Address Translation maps many private IPs to ONE public IP using port numbers.
Private Public
192.168.1.10:54321 ──┐
192.168.1.11:54322 ──┼──NAT──→ 203.0.113.50:10001
192.168.1.12:54323 ──┘ 203.0.113.50:10002
203.0.113.50:10003
This is what your home router does!
10.3 How PAT Works Step-by-Step
Scenario: Your laptop (192.168.1.10) visits google.com
Outbound Request
Your laptop creates a packet:
Source IP: 192.168.1.10
Source Port: 54321 (random ephemeral port)
Dest IP: 142.250.190.46 (Google)
Dest Port: 443 (HTTPS)
NAT Translation (Outbound)
Router receives the packet and creates a NAT table entry:
Private IP:Port        Public IP:Port        Destination
192.168.1.10:54321     203.0.113.50:10001    142.250.190.46:443
Rewrites packet:
Source IP: 203.0.113.50 (router's public IP)
Source Port: 10001 (assigned by router)
Dest IP: 142.250.190.46
Dest Port: 443
Google's Response
Google sends the response to the source it saw:
Source IP: 142.250.190.46
Source Port: 443
Dest IP: 203.0.113.50 (your router)
Dest Port: 10001
NAT Translation (Inbound)
Router looks up NAT table:
Dest Port 10001 → maps to 192.168.1.10:54321
Rewrites packet:
Source IP: 142.250.190.46
Source Port: 443
Dest IP: 192.168.1.10 (your laptop)
Dest Port: 54321
Laptop Receives Response
Your laptop receives the response as if it communicated directly with Google.
NAT Table Example
When multiple devices are active:
Private IP:Port        Public IP:Port        Destination           Protocol   Timeout
192.168.1.10:54321     203.0.113.50:10001    142.250.190.46:443    TCP        3600s
192.168.1.10:54322     203.0.113.50:10002    151.101.1.69:443      TCP        3600s
192.168.1.11:60000     203.0.113.50:10003    142.250.190.46:443    TCP        3600s
192.168.1.12:49152     203.0.113.50:10004    13.107.42.14:443      TCP        3600s
10.4 NAT Terminology
NAT Address Types
┌──────────────────────────────────────────────────────────┐
│ INSIDE │
│ ┌──────────────┐ ┌──────────────┐ │
│ │ Inside │ │ Inside │ │
│ │ Local │ NAT │ Global │ │
│ │ 192.168.1.10 │ ──────→ │ 203.0.113.50 │ │
│ └──────────────┘ └──────────────┘ │
│ Your PC What internet sees │
└──────────────────────────────────────────────────────────┘
│
│ Internet
▼
┌──────────────────────────────────────────────────────────┐
│ OUTSIDE │
│ ┌──────────────┐ ┌──────────────┐ │
│ │ Outside │ │ Outside │ │
│ │ Local │ (rare) │ Global │ │
│ │ 10.0.0.1 │ │ 8.8.8.8 │ │
│ └──────────────┘ └──────────────┘ │
│ Only if the outside host is translated too   Google's actual IP │
└──────────────────────────────────────────────────────────┘
Term             Meaning
Inside Local     Private IP of the internal host (your device's IP)
Inside Global    Public IP representing the internal host (router's public IP)
Outside Local    How the external host appears to the internal network
Outside Global   Actual public IP of the external host
With ordinary PAT nothing on the outside is translated, so Outside Local and Outside Global are the same address. They differ only when the destination is translated as well, for example when two networks with overlapping private ranges are joined and one side's addresses must be rewritten.
10.5 NAT Gateway in Cloud (AWS Example)
In cloud environments like AWS, NAT Gateways serve a specific purpose:
The Problem
┌─────────────────────────────────────────────────┐
│ VPC │
│ ┌─────────────────┐ ┌─────────────────────┐ │
│ │ Public Subnet │ │ Private Subnet │ │
│ │ │ │ │ │
│ │ Web Server │ │ Database │ │
│ │ (has public IP)│ │ App Servers │ │
│ │ │ │ (NO public IPs) │ │
│ │ Can reach │ │ │ │
│ │ internet ✓ │ │ Need to download │ │
│ │ │ │ updates... how? │ │
│ └────────┬────────┘ └─────────────────────┘ │
│ │ │
└───────────┼──────────────────────────────────────┘
│
Internet Gateway
│
Internet
The Solution: NAT Gateway
┌─────────────────────────────────────────────────────────┐
│ VPC │
│ ┌─────────────────┐ ┌─────────────────────────┐ │
│ │ Public Subnet │ │ Private Subnet │ │
│ │ │ │ │ │
│ │ ┌───────────┐ │ │ ┌─────────────────┐ │ │
│ │ │ NAT │◄─┼──────┼──│ App Server │ │ │
│ │ │ Gateway │ │ │ │ 10.0.2.10 │ │ │
│ │ └─────┬─────┘ │ │ └─────────────────┘ │ │
│ │ │ │ │ │ │
│ │ Has Elastic IP │ │ Route: 0.0.0.0/0 → │ │
│ │ (public) │ │ NAT Gateway │ │
│ └────────┼────────┘ └─────────────────────────┘ │
│ │ │
└───────────┼──────────────────────────────────────────────┘
│
Internet Gateway
│
Internet
How it works:
Private instance sends packet to internet (e.g., apt-get update)
Route table sends 0.0.0.0/0 traffic to NAT Gateway
NAT Gateway translates private IP to its Elastic IP
Response comes back to NAT Gateway
NAT Gateway translates back to private IP
Key Point : Private instances can reach OUT but the internet cannot reach IN, because the NAT Gateway holds no inbound mapping for them. That is a side effect of translation, not a filtering control: keep security groups and network ACLs on the private instances as well (see 10.9).
10.6 Port Forwarding
A PAT router drops unsolicited inbound packets because no table entry exists for them. Port forwarding (a static inbound mapping, also called destination NAT) creates that entry explicitly, so a chosen external port always reaches one internal host.
Use Case: Hosting a Minecraft Server at Home
Internet user wants to connect to your Minecraft server (port 25565)
Without Port Forwarding:
Internet → 203.0.113.50:25565 → Router → ??? (no mapping exists)
❌ Dropped
With Port Forwarding:
Router config: External port 25565 → 192.168.1.100:25565
Internet → 203.0.113.50:25565 → Router → 192.168.1.100:25565
✓ Minecraft Server
Common Port Forwarding Scenarios
Service       External Port   Internal Target
Web Server    80, 443         192.168.1.10:80
SSH           22              192.168.1.10:22
Minecraft     25565           192.168.1.100:25565
Plex          32400           192.168.1.50:32400
Every forwarded port is reachable from the entire internet and will be scanned quickly. Forward only the services that must be public, and for anything administrative such as SSH require key-based authentication rather than passwords.
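The outbound and inbound translation steps of 10.3, the unsolicited-drop behaviour, the idle timeout from the NAT table, and the static port-forward entry of 10.6 together, as an added example that is not code from the original module. The router class, its port pool (10001-10004) and the packet fields are this example's own assumptions; the addresses are the documentation addresses used on this page. The inbound check also enforces that only the peer recorded in the table may use a dynamic entry, which is the "address-and-port-dependent" filtering most home routers apply.

```python
"""Toy PAT (NAT overload) router with a static port-forward table.
Models the outbound/inbound steps of 10.3 and the explicit inbound
mapping of 10.6. Constructed example; not a real router implementation."""
from dataclasses import dataclass

PUBLIC_IP = "203.0.113.50"
ENTRY_TIMEOUT = 3600  # idle seconds before a dynamic entry is reclaimed


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "TCP"


class PatRouter:
    def __init__(self, public_ip=PUBLIC_IP, first_port=10001, last_port=10004):
        self.public_ip = public_ip
        self.pool = range(first_port, last_port + 1)  # tiny pool, so exhaustion is visible
        # (proto, priv_ip, priv_port) -> (pub_port, dst_ip, dst_port, last_seen)
        self.outbound = {}
        # (proto, pub_port) -> (priv_ip, priv_port, dst_ip, dst_port)
        self.inbound = {}
        # (proto, ext_port) -> (priv_ip, priv_port), configured by the admin (10.6)
        self.forwards = {}

    def forward_port(self, proto, ext_port, priv_ip, priv_port):
        self.forwards[(proto, ext_port)] = (priv_ip, priv_port)

    def _expire(self, now):
        for key, (pub_port, _, _, last) in list(self.outbound.items()):
            if now - last > ENTRY_TIMEOUT:
                del self.outbound[key]
                del self.inbound[(key[0], pub_port)]

    def translate_out(self, pkt, now=0):
        """Rewrite a LAN packet's source to public_ip:pub_port, creating/refreshing an entry."""
        self._expire(now)
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        if key in self.outbound:
            pub_port = self.outbound[key][0]
        else:
            def taken(p):
                return (pkt.proto, p) in self.inbound or (pkt.proto, p) in self.forwards
            free = [p for p in self.pool if not taken(p)]
            if not free:
                return None  # pool exhausted: no mapping possible, packet dropped
            pub_port = free[0]
            self.inbound[(pkt.proto, pub_port)] = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        self.outbound[key] = (pub_port, pkt.dst_ip, pkt.dst_port, now)
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def translate_in(self, pkt, now=0):
        """Rewrite an Internet packet's destination back to the LAN host, or drop it."""
        self._expire(now)
        if pkt.dst_ip != self.public_ip:
            return None
        key = (pkt.proto, pkt.dst_port)
        if key in self.forwards:  # static mapping: any source may connect
            priv_ip, priv_port = self.forwards[key]
            return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port, pkt.proto)
        if key in self.inbound:  # dynamic entry: only the recorded peer may reply
            priv_ip, priv_port, dst_ip, dst_port = self.inbound[key]
            if (pkt.src_ip, pkt.src_port) != (dst_ip, dst_port):
                return None  # address-and-port-dependent filtering
            okey = (pkt.proto, priv_ip, priv_port)
            self.outbound[okey] = self.outbound[okey][:3] + (now,)  # refresh idle timer
            return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port, pkt.proto)
        return None  # unsolicited and no port forward: dropped


def demo():
    """Walk through the 10.3 scenario plus the 10.6 Minecraft forward."""
    r = PatRouter()
    r.forward_port("TCP", 25565, "192.168.1.100", 25565)
    out = r.translate_out(Packet("192.168.1.10", 54321, "142.250.190.46", 443))
    reply = r.translate_in(Packet("142.250.190.46", 443, PUBLIC_IP, out.src_port))
    stranger = r.translate_in(Packet("198.51.100.7", 40000, PUBLIC_IP, out.src_port))
    scan = r.translate_in(Packet("198.51.100.7", 40000, PUBLIC_IP, 22))
    minecraft = r.translate_in(Packet("198.51.100.7", 40000, PUBLIC_IP, 25565))
    stale = r.translate_in(Packet("142.250.190.46", 443, PUBLIC_IP, out.src_port),
                           now=ENTRY_TIMEOUT + 1)
    return out, reply, stranger, scan, minecraft, stale
```

`demo()` shows the whole lifecycle: the reply from Google is mapped back, a packet from a different host to the same public port is dropped, a scan of port 22 is dropped, the forwarded Minecraft port is reachable by anyone, and after the idle timeout the dynamic entry is gone. Running out of the four-port pool makes `translate_out` return `None`, the PAT equivalent of the dynamic-NAT exhaustion in 10.2.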
10.7 NAT Traversal Problems
NAT breaks the end-to-end principle of the internet. This causes issues for:
1. Peer-to-Peer Applications
Alice (behind NAT) Bob (behind NAT)
192.168.1.10 192.168.1.20
│ │
NAT Router NAT Router
203.0.113.10 198.51.100.20
│ │
└───────── Internet ────────────┘
Problem: Neither can initiate connection to the other's private IP!
Solutions
STUN (Session Traversal Utilities for NAT)
Client asks a public server which address and port its packet arrived from, so it learns its own public IP:port
Works when the NAT reuses the same public port for a given internal socket regardless of destination (cone NATs); fails behind symmetric NATs, which allocate a fresh port per destination
TURN (Traversal Using Relays around NAT)
Relay server forwards all traffic
Works for all NAT types, because both peers only ever make outbound connections to the relay
Higher latency, more bandwidth cost
ICE (Interactive Connectivity Establishment)
Gathers candidate addresses, tries direct and STUN-discovered paths first, falls back to TURN
Used by WebRTC
UPnP (Universal Plug and Play)
Apps automatically configure port forwarding on the router
Security risk if enabled: any program on the LAN, including malware, can open inbound ports without authentication
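The STUN Binding exchange in bytes, as an added example (not code from the original module and not any real STUN library). Both sides are constructed here: the client builds a Binding Request, a stand-in server reflects back the source address it saw, and the client parses the XOR-MAPPED-ADDRESS. The address 203.0.113.50:10001 is assumed to be the translated source from 10.3, which is what a real server would see; the function names are this example's own. Message layout follows RFC 5389: 20-byte header (type, length, magic cookie, 96-bit transaction ID) followed by attributes.

```python
"""STUN Binding exchange (RFC 5389) as a client behind PAT sees it.
Constructed example: no network traffic, the 'server' is a local function."""
import os
import socket
import struct

MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
XOR_MAPPED_ADDRESS = 0x0020


def build_binding_request(txn_id=None):
    """Client side: header with no attributes and a random transaction ID."""
    txn_id = txn_id or os.urandom(12)
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + txn_id


def server_response(request, seen_ip, seen_port):
    """Server side: echo the source the request arrived from, XORed with the
    magic cookie so a NAT that rewrites IP literals in payloads cannot 'fix' it."""
    msg_type, _length, cookie = struct.unpack("!HHI", request[:8])
    if msg_type != BINDING_REQUEST or cookie != MAGIC_COOKIE:
        raise ValueError("not a STUN binding request")
    txn_id = request[8:20]
    xport = seen_port ^ (MAGIC_COOKIE >> 16)
    xaddr = struct.unpack("!I", socket.inet_aton(seen_ip))[0] ^ MAGIC_COOKIE
    # attribute: type, value length, reserved, family (0x01 = IPv4), X-Port, X-Address
    attr = struct.pack("!HHBBHI", XOR_MAPPED_ADDRESS, 8, 0, 0x01, xport, xaddr)
    return struct.pack("!HHI", BINDING_SUCCESS, len(attr), MAGIC_COOKIE) + txn_id + attr


def parse_reflexive_address(response, txn_id):
    """Client side: validate the reply and undo the XOR to get public (ip, port)."""
    msg_type, length, cookie = struct.unpack("!HHI", response[:8])
    if cookie != MAGIC_COOKIE or msg_type != BINDING_SUCCESS:
        raise ValueError("not a STUN binding success response")
    if response[8:20] != txn_id:
        raise ValueError("transaction id mismatch (spoofed or stale reply)")
    body, pos = response[20:20 + length], 0
    while pos + 4 <= len(body):
        atype, alen = struct.unpack("!HH", body[pos:pos + 4])
        value = body[pos + 4:pos + 4 + alen]
        if atype == XOR_MAPPED_ADDRESS and value[1] == 0x01:
            xport, xaddr = struct.unpack("!HI", value[2:8])
            ip = socket.inet_ntoa(struct.pack("!I", xaddr ^ MAGIC_COOKIE))
            return ip, xport ^ (MAGIC_COOKIE >> 16)
        pos += 4 + ((alen + 3) & ~3)  # attribute values are padded to 4 bytes
    raise ValueError("no XOR-MAPPED-ADDRESS attribute")


def discover(nat_public_ip, nat_public_port):
    """Constructed round trip: the router has already rewritten the request's
    source to nat_public_ip:nat_public_port, so that is what the server reflects."""
    txn_id = os.urandom(12)
    request = build_binding_request(txn_id)
    response = server_response(request, nat_public_ip, nat_public_port)
    return parse_reflexive_address(response, txn_id)
```

What the client gets back is the router's Inside Global address and the PAT-assigned port from 10.4, never its 192.168.x address. The transaction ID check is the client's only protection against an attacker answering first with a bogus mapped address, which is why it is random and checked rather than a counter. Whether a peer can actually reach that discovered port depends on the NAT behaviour described above: cone NATs keep it stable, symmetric NATs do not.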
10.8 Double NAT (Carrier-Grade NAT)
Some ISPs use NAT themselves due to IPv4 exhaustion:
Your Device Your Router ISP's CGNAT Internet
192.168.1.10 → 100.64.1.5 → 203.0.113.1 → Google
(NAT 1) (NAT 2)
100.64.0.0/10 is reserved for Carrier-Grade NAT (CGNAT).
Problems with Double NAT
Port forwarding doesn’t work (you don’t control ISP’s NAT)
Slower due to double translation
Some games/VoIP may have issues
You might share public IP with hundreds of other customers
How to Check for CGNAT
# Check your router's WAN IP (the address shown on its status page)
# and compare it with the address an outside service reports for you.
# WAN IP in 100.64.0.0/10                      → CGNAT (ISP translates again)
# WAN IP in 10/8, 172.16/12 or 192.168/16      → another NAT device upstream (double NAT)
# WAN IP public and equal to the outside view  → single NAT, no CGNAT
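The same check as a small script, added here as an example (not from the original module). The ranges are the ones the text names: RFC 6598 shared address space for CGNAT and the RFC 1918 private ranges; `nat_layers` takes the router's WAN address and the address an outside service reported, both supplied by the caller, so the script itself makes no network calls.

```python
"""Tell CGNAT and double NAT apart from the router's WAN address.
Constructed example; the caller supplies both addresses."""
import ipaddress

CGNAT = ipaddress.ip_network("100.64.0.0/10")  # shared address space, RFC 6598
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_wan_ip(wan_ip):
    """Return 'cgnat', 'private', 'public' or 'ipv6' for the router's WAN address."""
    addr = ipaddress.ip_address(wan_ip)
    if addr.version != 4:
        return "ipv6"  # no NAT needed; IPv6 is the long-term fix named in 10.10
    if addr in CGNAT:
        return "cgnat"
    if any(addr in net for net in RFC1918):
        return "private"
    return "public"


def nat_layers(router_wan_ip, external_ip):
    """Compare the router's WAN address with what the outside world sees
    (a STUN server or an IP-echo site) and summarise how many NATs are in the path."""
    kind = classify_wan_ip(router_wan_ip)
    if kind == "cgnat":
        return "CGNAT: ISP translates again; port forwarding on your router will not work"
    if kind == "private":
        return "double NAT: another NAT device sits between your router and the ISP"
    if kind == "public" and router_wan_ip == external_ip:
        return "single NAT: your router holds the public IP"
    if kind == "public":
        return "public WAN IP differs from the outside view: traffic passes a VPN, proxy or upstream translator"
    return "IPv6: no address translation on this path"
```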
10.9 NAT vs Firewall
People often confuse NAT with firewalls. They’re different:
Aspect            NAT                          Firewall
Purpose           Address translation          Security filtering
Function          Rewrites IP/port             Allows/blocks traffic
Default Inbound   Drops (no mapping)           Configurable rules
Security          Side effect, not purpose     Primary purpose
NAT is NOT a security feature. It happens to block unsolicited inbound connections, but that’s a side effect of how it works, not a security guarantee. Always use a proper firewall.
10.10 Summary: NAT at a Glance
┌─────────────────────────────────────────────────────────────────┐
│ NAT CHEAT SHEET │
├─────────────────────────────────────────────────────────────────┤
│ │
│ Static NAT 1:1 mapping Servers needing fixed IP │
│ Dynamic NAT Pool-based Multiple public IPs available │
│ PAT/Overload Many:1 via ports Home routers, most common │
│ │
│ ───────────────────────────────────────────────────────────── │
│ │
│ Outbound: Private IP → NAT Table → Public IP:Port │
│ Inbound: Public IP:Port → NAT Table Lookup → Private IP │
│ │
│ ───────────────────────────────────────────────────────────── │
│ │
│ NAT breaks: P2P, VoIP, Gaming, Port forwarding behind CGNAT │
│ Solutions: STUN, TURN, ICE, UPnP, IPv6 │
│ │
└─────────────────────────────────────────────────────────────────┘
Next Module
Module 11: Routing Deep Dive Master how routers make decisions, understand BGP, OSPF, and how the internet’s routing actually works.