NETWORK ADDRESS TRANSLATION

Network address translation (NAT) is the process of substituting the source or destination IP address in an IP packet as it passes through a special router known as a NAT router. NAT is needed where a local stub network using private IP addresses (the RFC 1918 ranges) wishes to reach the Internet, because private addresses are not routable there. Suppose the NAT router presents m public IP addresses to the Internet yet serves n systems on the local network, each with a private address. Typically n > m.

In simple NAT, only m internal systems can communicate with Internet targets at one time. If an internal system sends an IP packet with (private) source address A to an external target with destination address B, the NAT router replaces A with one of the public IP addresses available to it, C say. When the target B replies, it sends its packet to C, which the NAT router translates back to A before delivering it internally. To achieve this, the NAT router must maintain a NAT table associating private with public addresses. This table may be static (static NAT) or dynamic (dynamic NAT). Note that an external host can reach an internal system only while that system has an entry in the NAT table; in the dynamic case, moreover, an outside party cannot know at any given time which public address represents a particular internal host. Conversely, while an entry exists (permanently, for static NAT) any external host that addresses the public address reaches the private system behind it, so the table is not an access control list and NAT by itself is not a firewall.

The disadvantage of NAT is that with only m external addresses, no more than m internal hosts may have Internet connections at one time. Yet one of the commonest scenarios is a local network with just a single external connection to an ISP (m = 1). A variant of NAT called network address port translation (NAPT) overcomes this shortcoming by translating not only IP addresses but TCP and UDP port numbers as well. It relies on the fact that TCP and UDP clients do not use well-known source ports, so the NAPT router can substitute a source port of its own choosing and use that port, rather than the address alone, to identify the internal host in its table. Many private hosts can then share a single public IP address. There are a few important observations.

  1. NAPT can also support ICMP query/response exchanges (echo request and reply, for example) even though ICMP has no ports, by substituting the identifier field in the ICMP query header. The responder returns this field unchanged, so the NAPT router can use it to find the private host that sent the original query.

  2. Pure NAPT does not allow any external access to internal servers, since an inbound packet with no table entry has nowhere to go. NAPT routers can usually be configured, however, to pass requests arriving at, say, port 80 (HTTP) of the public address to a selected internal system that acts as the local network's web server (port forwarding). The same can be done for other well-known ports and the services they provide; each such static entry exposes that internal service to the whole Internet, so it should be created deliberately and kept to the services that must be reachable.

  3. There is a performance penalty for NAT and NAPT because the router must rewrite the IP header and, for NAPT, the TCP/UDP header of every packet, and recompute the checksums (the TCP and UDP checksums cover a pseudo-header containing the IP addresses, so they change even when the port number does not). Protocols that carry IP addresses or ports inside their payload, such as FTP, need additional application-level handling, as RFC 3022 discusses.
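The following is an added illustration, not code from the original article: a toy NAPT router in Python that implements the table-driven translation described above for TCP/UDP ports and, per observation 1, for the ICMP identifier field. Outbound packets get the public address and a freshly allocated public port (or identifier); replies are matched against the table and translated back; inbound packets with no entry are dropped, except where a static port-forward entry (observation 2) exists. All addresses and ports are constructed sample values from the RFC 1918 and RFC 5737 documentation ranges, the single public address 203.0.113.1 is assumed, and checksum recomputation (observation 3) is omitted because the packets here are plain Python objects, not byte strings. The table keeps one entry per flow and checks the remote endpoint on inbound packets; RFC 3022 leaves that filtering granularity to the implementation, so treat it as this example's choice.

```python
"""Toy NAPT router (RFC 3022 style).  Added example, not the article's code.
Addresses and ports below are constructed sample values."""
from dataclasses import dataclass, replace

PUBLIC_IP = "203.0.113.1"   # assumed single public address of the router (m = 1)


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int   # TCP/UDP source port; for ICMP queries and replies the identifier field
    dport: int   # TCP/UDP destination port; unused (0) for ICMP


class NAPTRouter:
    def __init__(self, public_ip, forwards=None, port_range=(49152, 65535)):
        self.public_ip = public_ip
        # static port forwards (observation 2): (proto, public port) -> (private ip, private port)
        self.forwards = dict(forwards or {})
        self.next_port, self.max_port = port_range
        # dynamic table, one entry per flow = (proto, private ip, private port, remote ip, remote port)
        self.out = {}   # flow -> public port (or ICMP identifier)
        self.inb = {}   # (proto, public port) -> flow

    def _allocate(self, proto):
        """Pick an unused public port/identifier from the pool (a real router also ages entries)."""
        while self.next_port <= self.max_port:
            p, self.next_port = self.next_port, self.next_port + 1
            if (proto, p) not in self.inb and (proto, p) not in self.forwards:
                return p
        raise RuntimeError("NAPT port pool exhausted")

    def outbound(self, pkt):
        """Private host -> Internet: rewrite source address and source port/identifier."""
        flow = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        pub = self.out.get(flow)
        if pub is None:                       # first packet of the flow: create the table entry
            pub = self._allocate(pkt.proto)
            self.out[flow] = pub
            self.inb[(pkt.proto, pub)] = flow
        return replace(pkt, src=self.public_ip, sport=pub)

    def inbound(self, pkt):
        """Internet -> private host: reverse the mapping; None means the packet is dropped."""
        if pkt.dst != self.public_ip:
            return None
        # An ICMP reply carries the identifier where the query had it; a TCP/UDP reply
        # carries the public port as its destination port.
        pub_key = pkt.sport if pkt.proto == "icmp" else pkt.dport
        flow = self.inb.get((pkt.proto, pub_key))
        if flow is not None:
            proto, priv_ip, priv_port, remote_ip, remote_port = flow
            # Only the remote endpoint recorded for the flow may use this entry.
            if pkt.src != remote_ip or (proto != "icmp" and pkt.sport != remote_port):
                return None
            if proto == "icmp":
                return replace(pkt, dst=priv_ip, sport=priv_port)   # restore the identifier
            return replace(pkt, dst=priv_ip, dport=priv_port)
        fwd = self.forwards.get((pkt.proto, pkt.dport))
        if fwd is None:
            return None   # unsolicited packet with no table entry: cannot reach the inside
        priv_ip, priv_port = fwd
        # Remember the flow so the server's replies leave with the forwarded public port.
        self.out[(pkt.proto, priv_ip, priv_port, pkt.src, pkt.sport)] = pkt.dport
        return replace(pkt, dst=priv_ip, dport=priv_port)


if __name__ == "__main__":
    r = NAPTRouter(PUBLIC_IP, forwards={("tcp", 80): ("192.168.1.10", 8080)})
    # Two private hosts happen to use the same source port; NAPT gives each its own public port.
    a = r.outbound(Packet("tcp", "192.168.1.20", "198.51.100.5", 40000, 443))
    b = r.outbound(Packet("tcp", "192.168.1.21", "198.51.100.5", 40000, 443))
    print("out:", a, b)
    print("reply to b:", r.inbound(Packet("tcp", "198.51.100.5", PUBLIC_IP, 443, b.sport)))
    print("unsolicited:", r.inbound(Packet("tcp", "198.51.100.9", PUBLIC_IP, 1234, 60000)))
    print("forwarded:", r.inbound(Packet("tcp", "198.51.100.9", PUBLIC_IP, 5555, 80)))
    ping = r.outbound(Packet("icmp", "192.168.1.20", "198.51.100.5", 7, 0))   # identifier 7
    print("pong:", r.inbound(Packet("icmp", "198.51.100.5", PUBLIC_IP, ping.sport, 0)))
```

Running the script shows the two outbound flows leaving with public ports 49152 and 49153, the reply to the second being delivered to 192.168.1.21:40000, the unsolicited packet and a spoofed reply from the wrong remote host being dropped, the port-80 request landing on the internal web server, and the echo reply regaining identifier 7. Exhaustion of the port pool, and ageing of idle entries, are the two operational limits a real NAPT router has to manage that this toy version only hints at.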

Basic NAT and NAPT are described in RFC 3022.