NAT explained
Topic: Networking basics
Summary
NAT (Network Address Translation) rewrites source or destination IP and port so many hosts can share one public IP or so internal addresses are hidden. Learn how outbound NAT (SNAT/NAPT) and port forwarding (DNAT) work so you can debug connectivity and configure routers. Use this when traffic from or to a private network fails.
Intent: How-to
Quick answer
- Outbound NAT (SNAT/NAPT): many private IPs share one public IP; the router rewrites source IP and often source port so replies can be mapped back; state is kept so return traffic is translated correctly.
- Port forwarding (DNAT): traffic to the router's public IP:port is sent to an internal host:port; the router rewrites destination IP and port; use for exposing a single service (e.g. SSH, HTTP) on a host behind NAT.
- When a host behind NAT cannot reach the internet, check the router's outbound NAT and default route; when external clients cannot reach an internal service, check port forwarding and firewall.
Prerequisites
Steps
Step 1: Understand outbound NAT (SNAT/NAPT)
Hosts with private IPs send packets to the internet. The NAT router replaces the source IP with its public IP and usually the source port with a free ephemeral port, and records the mapping (private IP:port ↔ public IP:port) so that when the reply arrives it can reverse the translation and forward the packet to the right host.
Step 2: Understand port forwarding (DNAT)
An external client sends to the router's public IP on a specific port. A rule on the router rewrites the destination to an internal IP and port and forwards the packet; return traffic is translated back, so the client only ever sees the router as its peer.
Step 3: Know common failure modes
Outbound fails: no default route, NAT not applied to that traffic, or a firewall blocking outbound or return traffic. Inbound fails: port forward not configured, forward pointing at the wrong internal IP or port, or a firewall on the router or the internal host dropping the traffic.
Step 4: Debug with care
From inside: check the default gateway and that you can reach the router, then traceroute to 8.8.8.8. From outside: test the public IP and port; make sure the service is listening on the internal host and that the forward points to it.
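To make the state kept by the router in Steps 1 and 2 concrete, here is an added Python model of a NAPT router with one port-forward rule; it is example code written for this page, not code from any router or project, and the addresses, ports and the NatRouter class are constructed for the demo. It shows a new outbound flow getting a public port, the reply being mapped back, an inbound SSH connection being forwarded (and its return packet keeping the forwarded public port), and an inbound packet with no state and no forward being dropped.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class NatRouter:
    def __init__(self, public_ip, forwards=None, first_port=40000):
        self.public_ip = public_ip
        self.forwards = forwards or {}  # DNAT rules: public port -> (internal ip, port)
        self.next_port = first_port     # next free public port for SNAT
        self.snat = {}      # (priv ip, priv port, peer ip, peer port) -> public port
        self.snat_rev = {}  # (public port, peer ip, peer port) -> (priv ip, priv port)
        self.dnat = {}      # (int ip, int port, peer ip, peer port) -> public port

    def outbound(self, p):
        """Packet leaving the private network: rewrite the source."""
        key = (p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        if key in self.dnat:  # reply from a forwarded service keeps its public port
            return Packet(self.public_ip, self.dnat[key], p.dst_ip, p.dst_port)
        if key not in self.snat:  # new flow: allocate a public port, save both directions
            port, self.next_port = self.next_port, self.next_port + 1
            self.snat[key] = port
            self.snat_rev[(port, p.dst_ip, p.dst_port)] = (p.src_ip, p.src_port)
        return Packet(self.public_ip, self.snat[key], p.dst_ip, p.dst_port)

    def inbound(self, p):
        """Packet arriving at the public IP: reverse SNAT, apply DNAT, else drop."""
        if p.dst_ip != self.public_ip:
            return None
        hit = self.snat_rev.get((p.dst_port, p.src_ip, p.src_port))
        if hit:  # reply to an existing outbound flow
            return Packet(p.src_ip, p.src_port, hit[0], hit[1])
        fwd = self.forwards.get(p.dst_port)
        if fwd:  # port-forward rule matches: remember the flow for the return path
            self.dnat[(fwd[0], fwd[1], p.src_ip, p.src_port)] = p.dst_port
            return Packet(p.src_ip, p.src_port, fwd[0], fwd[1])
        return None  # no state and no forward: dropped (the "can't reach my server" case)

def demo():
    """Constructed addresses: 203.0.113.1 is the public IP, 198.51.100.7 an outside client."""
    r = NatRouter("203.0.113.1", forwards={2222: ("192.168.1.10", 22)})
    out = r.outbound(Packet("192.168.1.20", 51234, "8.8.8.8", 53))
    reply = r.inbound(Packet("8.8.8.8", 53, "203.0.113.1", out.src_port))
    ssh_in = r.inbound(Packet("198.51.100.7", 60000, "203.0.113.1", 2222))
    ssh_back = r.outbound(Packet("192.168.1.10", 22, "198.51.100.7", 60000))
    dropped = r.inbound(Packet("198.51.100.7", 60001, "203.0.113.1", 80))
    return out, reply, ssh_in, ssh_back, dropped
```

A real router also expires these entries after a timeout, which is why idle connections through NAT can silently break (see Troubleshooting).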
Verification
- You can explain the difference between outbound NAT (many share one IP) and port forwarding (inbound to one internal host); you know the typical failure causes for each.
Troubleshooting
Outbound works, inbound does not — Port forward missing or wrong; internal host firewall; or service not listening on the expected interface (e.g. 127.0.0.1 instead of 0.0.0.0).
Intermittent or one-way — Check NAT state timeout; some protocols (e.g. FTP, SIP) need helper or ALG for secondary connections; ensure symmetric path (return traffic through same NAT).