Network address translation (NAT, also known as network masquerading or IP masquerading) is a technique used in computer networking that relies on rewriting the IP addresses of network packets as they pass through a router or firewall. This is merely a trick, in the sense that routers are not supposed to act in this way; however, it is still a very useful and widely used trick.

NAT became necessary because there are too few IP addresses to cover all of the computers to be connected to the Internet, after the number of connected computers increased exponentially. NAT is vital particularly in countries other than the United States, where the assigned IP addresses are relatively few.

Personal routers usually provide NAT as their core function. Those routers are quite popular in some countries such as Japan.

Some people regard NAT as a detriment to the Public Internet, since it destroys end-to-end connectivity which the Internet Architecture Board has stated as a goal. Many people do not regard users connected behind a NAT-enabled gateway as real Internet users, hence a discussion has arisen as to whether some Internet Service Providers sell Internet service at all (some ISPs only sell NAT-based services, which do not inherently provide end-to-end connectivity).

In addition to necessity, some arguments proposed in favor of NAT are simplicity and security. Some also claim that the IP address shortage problem is non-existent. However, Internet consultants most often disregard such arguments as nonsense or incompetence, and often propose IP version 6 as a long-term alternative for those who need many devices. IPv6 assignment policies ensure that even end users get a well-sized pool of IP addresses for devices such as computers, set-top boxes, Internet phones and other network devices.

There are two kinds of network address translation. What is often called simply "NAT" is also sometimes named "NAPT", and refers to network address translation involving the mapping of port numbers, allowing multiple machines to share a single IP address. The other simpler form is also called NAT, or "basic NAT" or "static NAT", and involves only address translation, not port mapping. This requires an external IP address for each simultaneous connection. The feature is often found in ADSL routers, sometimes labelled "DMZ host", to allow a computer to accept all external connections even when the only available external IP address is used by the router itself.

NAT with port translation can be further distinguished into two kinds: source address translation (source NAT), where the IP address of the computer which initiated the connection is rewritten, and its counterpart, destination address translation (destination NAT).

Table of contents
1 Masquerading
2 Other examples of use
3 Related Links


Masquerading

IP masquerading is a particular case of source NAT; this is a common technique often used to allow multiple computers to relatively transparently share an Internet connection. To the computers on the local network, the "NAT box" looks like just another router, but in reality, it is doing all sorts of magic.

When the computer performing the NAT routes the systems behind it onto the Internet, it transparently changes the source IP address of the internal system to its external (Internet) address and remembers basic data about the connection. The packet then traverses the Internet to its destination as if it had been generated by the router itself. When the reply is sent back, the router looks at the connection tracking data it stored before and determines where to send it back on the internal network.

The benefits of NAT are great. It allows many computers to access the internet utilizing only a single IP address on the internet. This not only saves money for the organization employing NAT, but also conserves addresses on the internet as few are still available. Another benefit of NAT is the ability to conceal the internal configuration of your network from external observers such as hackers or your ISP.

Downsides of NAT include difficulty in using services that require the initiation of TCP connections from the outside network, or stateless protocols such as those utilising UDP; unless the NAT router makes a specific effort to support such protocols, incoming connections cannot reach their destination. However, this can also be regarded as a form of simple firewall functionality, and many users who do not want to expose server functionality on their machines to incoming connections from the Internet see this as an advantage.
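The connection-tracking behaviour described above (source rewrite on the way out, reverse lookup on the way back, and the dropped unsolicited inbound connection) can be modelled in a few dozen lines. The following is an added illustration, not code from the original article or from Linux netfilter; the addresses (203.0.113.5 as the external address, 192.168.1.x inside, 198.51.100.x as remote hosts) are constructed documentation addresses, and port allocation is simplified to a counter.

```python
from dataclasses import dataclass, replace
from itertools import count


@dataclass(frozen=True)
class Packet:
    """Only the header fields that NAPT looks at."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class Masquerader:
    """A toy NAT box with one external address and a connection-tracking table."""

    def __init__(self, external_ip, first_port=40000):
        self.external_ip = external_ip
        self._next_port = count(first_port)  # assumption: sequential port allocation
        # forward table: internal 5-tuple -> external port allocated for it
        self._forward = {}
        # reverse table: (external port, remote ip, remote port, proto) -> (internal ip, internal port)
        self._reverse = {}

    def outbound(self, pkt):
        """Packet from the LAN heading for the Internet: rewrite its source."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
        ext_port = self._forward.get(key)
        if ext_port is None:
            # First packet of a new connection: allocate a port and remember the mapping.
            ext_port = next(self._next_port)
            self._forward[key] = ext_port
            self._reverse[(ext_port, pkt.dst_ip, pkt.dst_port, pkt.proto)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.external_ip, src_port=ext_port)

    def inbound(self, pkt):
        """Packet arriving from the Internet: undo the rewrite, or drop it (None)."""
        if pkt.dst_ip != self.external_ip:
            return None
        hit = self._reverse.get((pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto))
        if hit is None:
            # No tracked connection: an unsolicited inbound connection has nowhere to go.
            return None
        int_ip, int_port = hit
        return replace(pkt, dst_ip=int_ip, dst_port=int_port)


def demo():
    """Two internal hosts using the same source port share one external address."""
    nat = Masquerader("203.0.113.5")
    a = nat.outbound(Packet("192.168.1.10", 1025, "198.51.100.10", 80))
    b = nat.outbound(Packet("192.168.1.11", 1025, "198.51.100.10", 80))
    reply_a = nat.inbound(Packet("198.51.100.10", 80, "203.0.113.5", a.src_port))
    reply_b = nat.inbound(Packet("198.51.100.10", 80, "203.0.113.5", b.src_port))
    # Someone on the Internet tries to open an SSH session to the NAT box's address.
    unsolicited = nat.inbound(Packet("198.51.100.77", 5555, "203.0.113.5", 22))
    return a, b, reply_a, reply_b, unsolicited


if __name__ == "__main__":
    for p in demo():
        print(p)
```

The port-translation step is what lets both hosts use source port 1025 at the same time: the remote server sees two distinct (address, port) pairs, and the reverse table turns each reply back into the right internal destination. The last lookup returning None is the "firewall-like" side effect the text mentions: with no tracked connection there is simply no internal host to deliver to.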

Masquerading example

A Linux box can be set up to masquerade connections from local networks (e.g. eth0) out on a dial-up line (ppp0) like this:

# let the kernel forward packets between its interfaces
echo "1" > /proc/sys/net/ipv4/ip_forward
# cope with the dial-up link getting a new address each time it comes up
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
# rewrite the source address of everything leaving via ppp0 to ppp0's own address
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

Other computers on the local network (eth0) need to set the IP address of the masquerading box as their gateway. (For specific networking protocols as well as for this to work, the appropriate kernel modules need to be loaded if that does not happen automatically.)

Other examples of use

  • Load Balancing: Destination NAT can be used to redirect connections pointed at some server to randomly chosen servers to do load balancing.

  • Fail over: Destination NAT can be used to set up a service requiring high availability. Say you have a critical server you access through a router; if the router notices that the server is down, it could use destination NAT to transparently make your connection arrive on a backup server.

  • Transparent proxying: NAT can be used to redirect HTTP connections targeted at the Internet to a special HTTP proxy, which will be able to cache content and filter requests. This technique is used by some ISPs to reduce bandwidth usage without requiring their clients to configure their browser for proxy support.

Related Links