
If you're reading this article, chances are you're connected to the internet and viewing it on the Mytour website. This means you're almost certainly using Network Address Translation (NAT) right now.
The internet has expanded far beyond anyone's expectations. While its exact size is unknown, there are over 5.35 billion active internet users today. So how does this massive scale relate to NAT? Everything! In this article, we'll explore how NAT benefits you, but first, let's dive deeper into what NAT is and how it works...
What Happens When the Global IP Address Pool Depletes?
For a computer to interact with other systems and web servers on the internet, it needs an IP address. An IP address (short for Internet Protocol) is a distinct 32-bit number that pinpoints your computer's location on a network. Think of it like your home address — it's used to determine your exact location and route information to you.
When IP addressing was first introduced, it was assumed there would be plenty of addresses to meet any demand. In theory, there were 4,294,967,296 unique addresses (2^32). However, the actual number of available public IP addresses is lower (around 3.2 to 3.3 billion) due to the way addresses are categorized, and because some are reserved for multicast, testing, or other specialized uses.
With the rapid growth of the Internet and the rise of home networks and business networks, there simply aren't enough IP addresses to go around. A clear solution is to update the public IP address system to allow for more addresses. This is known as IPv6, but it will take several years to implement because it requires overhauling the entire internet infrastructure.
This is where NAT (RFC 1631) steps in. Network Address Translation enables a single device, such as a router, to serve as an intermediary between the Internet (or "public network") and a local (or "private") network. This allows a single unique IP address to represent an entire group of computers. However, the scarcity of public IP addresses is just one reason to use NAT.
What is the Role of NAT?
NAT works like a receptionist in a busy office. Imagine you've instructed the receptionist not to forward any calls to you unless you specifically request it. Later, you reach out to a potential client and ask them to call you back. You inform the receptionist that you're expecting this call and to connect the client to you.
The client calls your office's main number, which is the only number they know. When the client tells the receptionist they're looking for you, the receptionist refers to a lookup table to match your name with your extension. Since you previously requested this call, the receptionist forwards the call to your extension.
Created by Cisco, Network Address Translation is a technology used by a device (firewall, router, or computer) positioned between an internal network and the broader internet. NAT has several variations and can function in different ways:
- Static NAT - This method maps an unregistered IP address to a registered IP address on a one-to-one basis. It's especially beneficial when a device needs to be accessible from outside the network.
- Dynamic NAT - Maps an unregistered IP address to a registered IP address chosen from a pool of available registered IP addresses.
- Overloading - A type of dynamic NAT that assigns multiple unregistered IP addresses to a single registered IP address by using different ports. This technique is also known as PAT (Port Address Translation), single IP address NAT, or port-level multiplexed NAT.
- Overlapping - Occurs when the internal network's IP addresses overlap with registered IP addresses from another network. The router must keep a lookup table for these addresses, enabling it to intercept and replace them with unique registered IP addresses. It's important that the NAT router translates both the internal addresses to registered unique ones and the external registered addresses to ones unique to the private network. This can be achieved either through static NAT or by using DNS and implementing dynamic NAT.
The internal network is typically a LAN (Local Area Network), often called a stub domain. A stub domain is a LAN that uses IP addresses internally. Most network traffic within a stub domain remains local, not leaving the internal network. An internal IP address can be either registered or unregistered, and the stub domain can use either type. Naturally, any devices using unregistered IP addresses will require NAT to communicate with the external world.
In the upcoming section, we will explore the various configurations available for NAT.
We extend special thanks to Cisco for their support in creating this article.
NAT Configuration

NAT can be configured in various ways. For instance, in the example below, the NAT router is set to translate unregistered (inside, local) IP addresses from the private (inside) network into registered IP addresses. This translation occurs whenever a device on the inside with an unregistered address needs to communicate with the public (outside) network.
- An ISP assigns your company a block of IP addresses. These addresses are registered, unique IPs, called inside global addresses. The unregistered, private IP addresses are divided into two categories: one is a small group (outside local addresses) used by the NAT routers, while the other, the much larger group, known as inside local IP addresses, is used on the stub domain. The outside local addresses are used to map the unique IPs, known as outside global addresses, for devices on the public network.
- The majority of computers within the stub domain communicate using the inside local addresses.
- Some computers in the stub domain frequently communicate outside the network. These machines are assigned inside global addresses, which means they do not require translation.
- When a computer with an inside local address wants to send data to the outside, the packet is directed to a NAT router.
- The NAT router checks its routing table to see if it has an entry for the destination address. If the entry exists, the NAT router translates the packet and adds an entry for it in the address translation table. If the destination address is absent, the packet is discarded.
- Using the inside global address, the router forwards the packet to its destination.
- A computer on the public network sends a packet to the private network. The packet’s source address is an outside global address, while the destination address is an inside global address.
- The NAT router consults the address translation table and finds the mapped inside global address for a computer on the stub domain.
- The NAT router translates the inside global address of the packet to the inside local address and forwards it to the destination computer.
The Connections of a NAT Overload
NAT overloading takes advantage of a feature in the TCP/IP protocol stack called multiplexing, which allows a single computer to establish multiple simultaneous connections with a remote computer (or multiple computers) using different TCP or UDP ports. Each IP packet carries the following header information:
- Source Address - The IP address of the sending computer, such as 201.3.83.132
- Source Port - The TCP or UDP port number assigned by the sending computer for this packet, like Port 1080
- Destination Address - The IP address of the receiving computer, such as 145.51.18.223
- Destination Port - The TCP or UDP port number that the sending computer requests the receiving computer to open, such as Port 3021
The addresses identify the two devices involved, while the port numbers ensure that each connection between them has a unique identifier. This set of four values—source address, source port, destination address, and destination port—defines a single TCP/IP connection. Each port number is 16 bits long, allowing for 65,536 possible values. However, because different manufacturers may assign ports slightly differently, you can typically expect around 4,000 ports to be available for use.
Dynamic Network Address Translation
This is the process of dynamic NAT:
- A private network (stub domain) is configured with IP addresses that were not specifically allocated by IANA (Internet Assigned Numbers Authority), the global body responsible for distributing IP addresses. These addresses are non-routable because they lack uniqueness.
- The company installs a NAT-enabled router, which is assigned a block of unique IP addresses by IANA.
- A computer within the stub domain attempts to make a connection with an external device, like a web server.
- The router receives the data packet sent from the internal computer.
- The router records the non-routable IP address of the sending computer in the address translation table. It substitutes the computer's non-routable IP with the first available unique IP from its assigned range. This creates an entry in the translation table mapping the non-routable address to a unique IP address.
- When a return packet comes from the external device, the router checks its destination address. It then consults the translation table to identify the internal computer to which the packet should be sent. If a match is found, the router updates the destination address with the corresponding one from the table and forwards the packet. If no match is found, the packet is discarded.
- The internal computer receives the returned packet. This cycle repeats as long as communication persists with the external system.
How NAT Overloading Operates
Here’s how overloading functions:
- A private network (stub domain) is established with non-routable IP addresses that have not been assigned by IANA.
- The company installs a NAT-enabled router, which is given a unique IP address by IANA.
- A computer within the stub domain attempts to connect to an external device, such as a web server.
- The router receives the data packet from the internal computer.
- The router records both the non-routable IP address and the source port number in the address translation table. It then substitutes the non-routable IP address with the router’s own IP address and replaces the source port with the one used for that entry in the translation table. The mapping now includes both the non-routable IP address and port number, along with the router’s IP address.
- When a return packet arrives from the destination device, the router checks the destination port in the packet. It looks up the corresponding entry in the translation table and updates both the destination address and port number, then forwards the packet to the appropriate computer on the stub domain.
- The computer receives the packet from the router. This process repeats for the duration of the connection to the external system.
- As the router now has the computer’s source address and port in the translation table, it continues using the same port number for the duration of the session. The timer for that entry is reset every time it is accessed, and if it isn't accessed before the timer expires, the entry is deleted.
In the following section, we will explore how stub domains are structured.
Stub Domains
Take a look below to understand how computers within a stub domain are perceived by external networks.
| Source Device | IP Address | Computer Port | NAT Router IP Address | NAT Router Allocated Port Number |
|---|---|---|---|---|
| A | 192.168.32.10 | 400 | 215.37.32.203 | 1 |
| B | 192.168.32.13 | 50 | 215.37.32.203 | 2 |
| C | 192.168.32.15 | 3750 | 215.37.32.203 | 3 |
| D | 192.168.32.18 | 206 | 215.37.32.203 | 4 |
As shown, the NAT router records both the IP address and port number for each device. It then substitutes the original device's IP address with its own registered IP address, while replacing the source computer's port number with the appropriate port number assigned by the router. To any external network, only the NAT router's IP address and the port number given to that specific source computer will be visible on the packet.
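The overloading steps above and the stub domain table, as an added example that is not part of the original article: a small Python model of a NAT overload (PAT) translation table. It records each inside address and port, rewrites outbound packets to the router's registered address (215.37.32.203 from the table) with a router-assigned port, maps replies back, drops inbound packets that match no entry, and deletes entries whose timer runs out. The 300-second idle timeout, the packet dictionary layout and the `pkt`/`demo` helpers are assumptions made for the example.

```python
import time

# Constructed for this added example: router address and hosts A/B come from the table above.
ROUTER_IP = "215.37.32.203"
IDLE_TIMEOUT = 300.0   # seconds an entry may sit unused before it is deleted (assumed value)

def pkt(src_ip, src_port, dst_ip, dst_port):
    return {"src_ip": src_ip, "src_port": src_port, "dst_ip": dst_ip, "dst_port": dst_port}

class NatOverloadRouter:
    """Minimal NAT overload (PAT): many inside hosts share one registered address."""

    def __init__(self, public_ip=ROUTER_IP, idle_timeout=IDLE_TIMEOUT, clock=time.monotonic):
        self.public_ip, self.idle_timeout, self.clock = public_ip, idle_timeout, clock
        self.next_port = 1   # the table above hands out router ports 1, 2, 3, ... in order
        self.outbound = {}   # (inside local IP, inside port) -> router port
        self.inbound = {}    # router port -> (inside local IP, inside port, last-used time)

    def _expire(self):
        """Delete entries whose timer ran out without being accessed (last overloading step)."""
        now = self.clock()
        for port, (ip, iport, last_used) in list(self.inbound.items()):
            if now - last_used > self.idle_timeout:
                del self.inbound[port]
                del self.outbound[(ip, iport)]

    def translate_outbound(self, p):
        """Inside -> outside: record source IP and port, rewrite them to router IP + assigned port."""
        self._expire()
        key = (p["src_ip"], p["src_port"])
        port = self.outbound.get(key)
        if port is None:                 # new session: allocate the next unused router port
            port, self.next_port = self.next_port, self.next_port + 1
            self.outbound[key] = port
        self.inbound[port] = (key[0], key[1], self.clock())   # (re)start the entry timer
        return dict(p, src_ip=self.public_ip, src_port=port)

    def translate_inbound(self, p):
        """Outside -> inside: look up the destination port; no matching entry means drop."""
        self._expire()
        entry = self.inbound.get(p["dst_port"])
        if p["dst_ip"] != self.public_ip or entry is None:
            return None                  # unsolicited inbound connection attempt: discarded
        ip, iport, _ = entry
        self.inbound[p["dst_port"]] = (ip, iport, self.clock())
        return dict(p, dst_ip=ip, dst_port=iport)

def demo():
    """Hosts A and B go out; a reply to A is mapped back, a stray packet to port 4444 is dropped."""
    router = NatOverloadRouter()
    a = router.translate_outbound(pkt("192.168.32.10", 400, "145.51.18.223", 80))
    b = router.translate_outbound(pkt("192.168.32.13", 50, "145.51.18.223", 80))
    reply = router.translate_inbound(pkt("145.51.18.223", 80, ROUTER_IP, a["src_port"]))
    stray = router.translate_inbound(pkt("145.51.18.223", 80, ROUTER_IP, 4444))
    return a, b, reply, stray
```

The dropped stray packet is the behaviour the Security and Network Management section below relies on: with only outbound-created entries, nothing on the outside can open a connection to an inside host.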
It is also possible to have computers within the stub domain that retain static IP addresses. You can set up an access list that tells the router which devices need NAT translation, while leaving the other devices' IP addresses unchanged during transmission.
The number of concurrent translations that a router can handle is primarily determined by its DRAM (Dynamic Random Access Memory) capacity. A typical address translation entry uses about 160 bytes, meaning a router equipped with 4 MB of DRAM could theoretically manage 26,214 simultaneous translations—sufficient for most typical applications.
How IP Address Information is Categorized
The IANA has designated specific IP address ranges to be used for non-routable, internal network addresses. These addresses are classified as unregistered (for further details, refer to RFC 1918: Address Allocation for Private Internets, which defines these address blocks). No organization or individual is permitted to claim ownership of these unregistered addresses or use them on publicly accessible machines.
Routers are programmed to discard unregistered addresses rather than forward them. This means that a packet from a device with an unregistered address might successfully reach a registered destination, but the response will be discarded by the first router it encounters.
For networking purposes, each of the three main IP address classes has a designated address range:
- Range 1: Class A - 10.0.0.0 to 10.255.255.255
- Range 2: Class B - 172.16.0.0 to 172.31.255.255
- Range 3: Class C - 192.168.0.0 to 192.168.255.255
Although the address ranges belong to different classes, you are not obligated to choose any specific range for your internal network. However, following this practice is recommended as it significantly reduces the likelihood of encountering IP address conflicts.
Security and Network Management

Enabling dynamic NAT automatically creates a protective barrier, or firewall, between your internal network and the outside world, including the Internet. With NAT, only connections originating from inside the stub domain are allowed.
In essence, this means that an external computer cannot establish a connection to yours unless you initiate the communication. You can browse the web, visit websites, and download files; however, no one can hijack your IP address to connect to a port on your computer.
In certain situations, Static NAT, also known as inbound mapping, permits external devices to initiate connections to computers within the stub domain. For example, if you need to route traffic from an inside global IP address to a specific inside local IP address assigned to your web server, Static NAT will facilitate the connection.
Some NAT routers offer advanced filtering and traffic logging features. Filtering helps your organization control the types of websites employees can access, preventing access to inappropriate content. Traffic logging allows you to record website visits and generate reports based on this data.
Information about Proxy Servers
NAT is often mistaken for proxy servers, but there are clear distinctions. NAT operates in a way that is invisible to both the source and destination computers; neither is aware of the intermediary device. In contrast, a proxy server is not transparent.
The source computer is aware that it is requesting services from the proxy server, which must be explicitly configured to allow for this. The destination computer perceives the proxy server as the source and interacts with it directly. Proxy servers typically operate at layer 4 (transport) of the OSI Reference Model or higher, whereas NAT is a layer 3 (network) protocol. Because proxy servers function at a higher layer, they tend to be slower than NAT devices in most cases.

One significant advantage of NAT is its impact on network management. For example, if you need to relocate your Web or FTP server to another machine, you don’t have to worry about broken links. Simply adjust the inbound mapping on the router to reflect the new host. Changes to your internal network can also be easily made since only the router's external IP address or one from a global address pool is exposed externally.
NAT and DHCP (Dynamic Host Configuration Protocol) work very well together. You can designate a range of unregistered IP addresses for your stub domain and have the DHCP server assign them as needed. This setup makes scaling your network much easier as it grows. Rather than requesting additional IP addresses from IANA, you simply expand the available range in the DHCP configuration to quickly accommodate more devices on your network.
Multi-homing
As businesses increasingly depend on the Internet, having multiple connections to the Internet is becoming an essential part of their network strategy. This practice, known as multi-homing, helps prevent a disastrous shutdown in case one of the connections fails.
Beyond ensuring a reliable connection, multi-homing also facilitates load balancing by reducing the number of computers using any single Internet connection. By distributing the traffic across multiple connections, the overall performance is optimized, leading to reduced wait times.
Multi-homed networks are often linked to several different ISPs (Internet Service Providers). Each ISP assigns an IP address (or a block of addresses) to the company. Routers utilize BGP (Border Gateway Protocol), part of the TCP/IP protocol suite, to route traffic between networks that use different protocols. In multi-homed networks, routers use IBGP (Internal Border Gateway Protocol) on the stub domain side, and EBGP (External Border Gateway Protocol) to communicate with external routers.
Multi-homing proves invaluable when one of the ISP connections goes down. Once the router responsible for the failed connection detects the issue, it quickly reroutes all traffic through one of the alternative routers.
NAT can aid in scaling routing for multi-homed, multi-provider networks. For additional information on multi-homing, refer to Cisco: Enabling Enterprise Multihoming.