Network Administration: Network Address Translation

Many firewalls use a technique called network address translation (NAT) to hide the actual IP address of a host from the outside world. When that’s the case, the NAT device must use a globally unique IP to represent the host to the Internet. Behind the firewall, though, the host can use any IP address it wants. When packets cross the firewall, the NAT device translates the private IP address to the public IP address and vice versa.

One of the benefits of NAT is that it helps to slow down the rate at which the IP address space is used up. That’s because a NAT device can share a single public IP address among many hosts. It does so by keeping track of outgoing packets so that it can match each incoming reply with the host that is waiting for it. To understand how this works, consider the following sequence of steps:

  • A host whose private address is sends a request to, which happens to be Google. The NAT device changes the source IP address of the packet to, the IP address of the firewall. That way, Google will send its reply back to the firewall router. The NAT records that sent a request to

  • Now another host, at address, sends a request to, which happens to be The NAT device changes the source of this request to so that Microsoft will reply to the firewall router. The NAT records that sent a request to

  • A few seconds later, the firewall receives a reply from The destination address in the reply is, the address of the firewall. To determine to whom to forward the reply, the firewall checks its records to see who is waiting for a reply from It discovers that is waiting for that reply, so it changes the destination address to and sends the packet on.

Actually, the process is a little more complicated than that, because it’s very likely that two or more hosts may be awaiting replies from the same public IP address at the same time. In that case, the NAT device uses other techniques to figure out to which host each incoming packet should be delivered.
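The following is an added example, not code from the original article: a small simulation of the translation table described above. It goes slightly beyond the text by using the common technique for the ambiguous case, rewriting the source port as well as the source address, and it checks each reply against the recorded destination so that packets nobody asked for are dropped. All addresses and ports are constructed (RFC 5737 documentation ranges), not taken from the article.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Nat:
    """Source NAT with port translation: many private hosts share one public IP."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        # public_port -> (private_ip, private_port, dst_ip, dst_port)
        self.table = {}
        # (private_ip, private_port, dst_ip, dst_port) -> public_port
        self.reverse = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite the source of a packet leaving the private network and record it."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.reverse.get(key)
        if port is None:
            # New flow: allocate a distinct public port so two hosts that chose
            # the same private port and the same destination stay distinguishable.
            port = self.next_port
            self.next_port += 1
            self.reverse[key] = port
            self.table[port] = key
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet):
        """Map a reply addressed to the public IP back to the waiting host, or drop it."""
        entry = self.table.get(pkt.dst_port)
        if entry is None or (entry[2], entry[3]) != (pkt.src_ip, pkt.src_port):
            # Nobody is waiting for this packet (no entry, or it did not come from
            # the host we sent to), so the NAT has no host to deliver it to.
            return None
        private_ip, private_port, _, _ = entry
        return Packet(pkt.src_ip, pkt.src_port, private_ip, private_port)


if __name__ == "__main__":
    nat = Nat("203.0.113.1")  # constructed public address of the firewall
    out = nat.outbound(Packet("192.168.1.10", 50000, "198.51.100.7", 443))
    print(out, nat.inbound(Packet("198.51.100.7", 443, "203.0.113.1", out.src_port)))
```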