How Network Address Translation Works

IP addresses have different designations based on whether they are on the private network (stub domain) or on the public network (Internet), and whether the traffic is incoming or outgoing.

NAT Configuration

NAT can be configured in various ways. In the example below, the NAT router is configured to translate unregistered (inside, local) IP addresses, that reside on the private (inside) network, to registered IP addresses. This happens whenever a device on the inside with an unregistered address needs to communicate with the public (outside) network.

  • An ISP assigns a range of IP addresses to your company. The assigned block of addresses are registered, unique IP addresses and are called inside global addresses. Unregistered, private IP addresses are split into two groups. One is a small group (outside local addresses) that will be used by the NAT routers. The other, much larger group, known as inside local addresses, will be used on the stub domain. The outside local addresses are used to translate the unique IP addresses, known as outside global addresses, of devices on the public network.
  • Most computers on the stub domain communicate with each other using the inside local addresses.
  • Some computers on the stub domain communicate a lot outside the network. These computers have inside global addresses, which means that they do not require translation.
  • When a computer on the stub domain that has an inside local address wants to communicate outside the network, the packet goes to one of the NAT routers.
  • The NAT router checks the routing table to see if it has an entry for the destination address. If it does, the NAT router then translates the packet and creates an entry for it in the address translation table. If the destination address is not in the routing table, the packet is dropped.
  • Using an inside global address, the router sends the packet on to its destination.
  • A computer on the public network sends a packet to the private network. The source address on the packet is an outside global address. The destination address is an inside global address.
  • The NAT router looks at the address translation table and determines that the destination address is in there, mapped to a computer on the stub domain.
  • The NAT router translates the inside global address of the packet to the inside local address, and sends it to the destination computer.

NAT overloading utilizes a feature of the TCP/IP protocol stack, multiplexing, that allows a computer to maintain several concurrent connections with a remote computer (or computers) using different TCP or UDP ports. An IP packet has a header that contains the following information:

  • Source Address - The IP address of the originating computer, such as
  • Source Port - The TCP or UDP port number assigned by the originating computer for this packet, such as Port 1080
  • Destination Address - The IP address of the receiving computer, such as
  • Destination Port - The TCP or UDP port number that the originating computer is asking the receiving computer to open, such as Port 3021

The addresses specify the two machines at each end, while the port numbers ensure that the connection between the two computers has a unique identifier. The combination of these four numbers defines a single TCP/IP connection. Each port number uses 16 bits, which means that there are a possible 65,536 (216) values. Realistically, since different manufacturers map the ports in slightly different ways, you can expect to have about 4,000 ports available.