Worried about security issues? Who isn’t? Automatically sign up for our free Security Solutions newsletter, delivered each Friday, and get hands-on advice for locking down your systems.

If you administer a network that has enough
IP addresses to cover your hosts and servers, you probably haven’t
needed to implement Network Address Translation (NAT). NAT allows a
single device to act as a proxy between your private network and
the Internet, allowing a single routable IP address to represent a
large group of computers.

But NAT isn’t just for covering a short IP
space; it also increases security and eases administration. If you
haven’t implemented NAT, it may be time to rethink your choice.

Before deciding to implement NAT, it’s
important to understand how NAT works and to be familiar with the
different types of NAT that you can implement.

NAT vs. proxy servers

People sometimes confuse NAT with the term proxy server. However,
there’s a big difference. NAT is transparent to both the source and
destination computers. A proxy server is not transparent; you must
configure a source computer to communicate with a proxy server.

In addition, the destination computer sends
network requests to the proxy server, which forwards the
communication back to the requesting computer. Proxy servers
usually work at Layer 4 (Transport) or higher of the OSI Reference
Model; NAT is a Layer 3 (Network) protocol.

Now that you understand the differences between
NAT and proxy servers, let’s examine four types of NAT.


Also known as inbound mapping, static NAT maps
an unregistered/nonroutable internal IP address to a
registered/routable IP address on a one-to-one basis. This is
necessary when a network device needs to be accessible from outside
the network.

Example: Your mail server
has an IP address of (a nonroutable IP address on the
Internet). Your NAT device translates that address to (a
routable IP address).


Dynamic NAT maps an unregistered IP address to
a registered IP address from a pool of registered IP addresses.
Dynamic NAT creates a one-to-one mapping between unregistered and
registered IP addresses. However, this mapping varies depending on
the registered addresses available in the pool at the time of

Example: An internal client
has an IP address of When this address tries to
communicate with an outside network, your NAT device translates it
to the first available address in the range of to


Also known as Port Address Translation (PAT),
single-address NAT, or port-level multiplexed NAT, overloading is a
type of dynamic NAT that maps multiple unregistered IP addresses to
one registered IP address by using source port substitution before
it translates the network request.

Example: Your NAT device
translates all internal clients to a single routable IP address,
but it assigns each source session a different port before sending
it to the destination IP address.


Overlapping NAT occurs when the internal IP
addresses are routable but used on another network. The NAT device
translates these addresses to unique routable addresses before
forwarding the communication.

Organizations use this type of NAT when using
the same routable addresses for internal clients in physically
different locations on the network. You usually implement
overlapping NAT using dynamic DNS.

Example: Your NAT device
translates a client with an IP address of (a routable
address also used by a different client in a physically different
location) to an address in the range of to

Final thoughts

Don’t worry that implementing NAT will cause a
performance decrease on your network. An entry in the address
translation table of your router takes about 160 bytes, and a
router with only 2 MB of DRAM can process 13,107 simultaneous

This should be sufficient for any small
network. In addition, keep in mind that adding memory to your
router can help if you encounter a problem.

When implementing NAT, most organizations
usually prefer the Dynamic NAT approach. It creates a Layer-3
firewall between the internal network and the Internet.

This way, computers on the Internet can’t
connect to the internal client unless the internal client initiates
the communication. Keeping hostile networks from connecting to your
internal clients is a good beginning to securing your network.