NAT and port forwarding 

General information

Network Address Translation (NAT) separates internal (private) and external (public) network areas. A NAT device (which is usually located at the network or zone border) exchanges public and private IP addresses. This way, all internal network addresses are hidden behind the external address and private addresses can be used in the delimited internal network.
Outgoing connections are mapped to different port numbers on the outside. For ingoing connections, one entire private network can be addressed via one "common" external IP address.

Devices in local internal networks can thus be connected to the external network (Internet) without these having public IP addresses and without these addresses having to be known in the external network. 

1:1 NAT

1:1 NAT is always a 1:1 IP address replacement, i.e. to each public address relates exactly one private address. This means IP addresses are mapped and ports numbers are not changed. 1:1 NAT does not strictly need connection tracking as the mapping is static. Both directions, ingoing and outgoing are equal.

Example for 1:1 NAT: 10 machines have the internal network address This could not be routed. The 1:1 NAT-device maps each machine to a different network 10.0.1.x, 10.0.2.x etc such that from outside the machines all components can be distinguished.

NAT with port forwarding

The term NAT is typically used to describe the mapping of an internal network to one external IP address. While 1:1 NAT is always a 1:1 IP address replacement, with NAT, multiple IP addresses share one single IP address after translation.

Port numbers are used to ensure unique assignment of data packets. Consequently port numbers of outgoing connections need to be mapped to avoid conflicts. This requires connection tracking.
This type of address translation may also be known as PAT (Port and Address Translation).

Since incoming connections do not know which internal IP (and port) the connection should be connected to, such a connection must be configured in advance. This is called port forwarding.

As there is an automatic assignment of outgoing connections, no connections to the internal network are possible. Port forwarding allows to specify for external ports to which internal component a connection request should be forwarded. This allows the internal services to be used from the outside.

Security aspect of NAT

As address translation interrupts the end-to-end connectivity of the communication, this technology also provides a way to protect the internal network: The devices in the internal network are located behind the NAT router and cannot be accessed from the public network. Only the end device can establish a connection.

Note: Although this protection effect is similar to that of a simple firewall, NAT cannot substitute a dedicated firewall with packet filtering.




•  Web browser recommendation: Chrome/Edge 88 or newer, Firefox ESR 90 or neweror Safari  • 
• Published/reviewed: 2023-11-02 • Revision 011 •