
NAT (Network Address Translation)

NAT (Network Address Translation) was invented as a temporary hack to save the dying IPv4 address space, but it became so successful that it defined how the internet works today.

Layer 3 NAT (Network Layer)

Also known as: Static NAT or 1:1 NAT.

Layer 3 NAT only looks at the IP header. It swaps one IP address for another and leaves the rest of the packet alone, with one practical caveat: the TCP and UDP checksums are computed over a pseudo-header that includes the IP addresses, so the translator still has to fix up those checksums even though it never touches the ports.

  • How it works: Every time a packet from private IP 192.168.1.10 leaves through the router, the router rewrites the source address to public IP 203.0.113.5; replies addressed to 203.0.113.5 are rewritten back to 192.168.1.10 on the way in.
  • The Mapping: It is a 1-to-1 relationship. One internal device "owns" one external IP. Because the mapping is fixed, any inbound packet for that public IP is forwarded to the internal host unless a firewall rule blocks it; there is no implicit "only replies get in" behaviour here.
  • Use Case: Mostly used when a company has a block of public IPs and wants to map a specific public IP to a specific internal server (like a mail server or web server).
  • Packet Change:
    • Original: Source: 192.168.1.10
    • Translated: Source: 203.0.113.5
    • TCP/UDP Ports: Unchanged (only the transport checksums are recomputed).

Layer 4 NAT (Transport Layer)

Also known as: PAT (Port Address Translation) or NAPT (Network Address Port Translation).

This is the NAT used in your home router and in almost every business network. It looks at the IP header AND the TCP/UDP header.

  • How it works: It allows many internal devices to share one single public IP address. To keep track of who is who, it uses the Port Number.
  • The Mapping: It is a Many-to-1 relationship.
  • Use Case: Home Wi-Fi. Your phone, laptop, and TV all share the same public IP from your ISP.
  • Packet Change:
    • Original: Source: 192.168.1.10 : Port 5000
    • Translated: Source: 203.0.113.5 : Port 32415
    • Logic: The router creates a "Translation Table." When a reply comes back to Port 32415, the router looks at its table and says, "Ah, that belongs to the laptop at 192.168.1.10."

Layer 7 NAT (Application Layer Gateway - ALG)

Traditional NAT only looks at headers. Layer 7 NAT (or ALG) inspects the payload of the packet to find and translate IP addresses embedded inside the application data.

  • How it works: Certain protocols (like FTP, SIP for VoIP, or H.323) send the sender's IP address and port inside the data stream. A Layer 7 NAT device opens the packet, finds the internal address string, replaces it with the public one and, for FTP's PORT command or the SDP body of a SIP message, typically also opens the matching pinhole so the resulting data or media connection is allowed back in.
  • Use Case: Ensuring VoIP calls can be established through a firewall or handling "Active" FTP mode.
  • Caveat: An ALG can only rewrite what it can read, so it does nothing for encrypted sessions (FTPS, SIP over TLS). Its rewriting is also tied to the exact protocol dialect it expects and is a well-known cause of broken VoIP registrations, which is why many SIP providers recommend turning the SIP ALG off and relying on the endpoints' own NAT traversal (STUN/ICE) instead.

Layer 2 NAT (MAC Address Translation)

Also known as L2NAT, this occurs at the Data Link Layer. Instead of changing IP addresses, it translates MAC addresses.

  • How it works: It maps a set of MAC addresses from one network segment to another.
  • Use Case: This is frequently used in industrial automation (like Allen-Bradley/Cisco hardware) to connect machines with identical internal MAC/IP configurations to a factory network without changing the machine's internal settings.

NAT64 and NAT46 (Protocol Translation)

These are used to bridge the gap between IPv4 and IPv6 networks.

  • NAT64: Allows IPv6-only clients to communicate with IPv4-only servers. A companion DNS64 resolver synthesizes AAAA records that embed the server's IPv4 address in a dedicated IPv6 prefix (the well-known prefix is 64:ff9b::/96); the NAT64 gateway recovers that IPv4 destination from the low 32 bits and translates the client's IPv6 source to an address from its IPv4 pool, keeping a translation table much like NAPT does.
  • NAT46: The reverse, allowing IPv4-only clients to reach IPv6 resources (less common).
  • Use Case: Modern cellular networks (like T-Mobile) are often IPv6-only internally and use NAT64, usually together with 464XLAT so that IPv4-only apps on the handset still work, to let users access the older IPv4 internet.
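The address mapping that NAT64 and DNS64 rely on, as an added Python example that is not part of the original article. It uses the well-known prefix 64:ff9b::/96 from RFC 6052, the constructed server address 203.0.113.5 and the article's private host 192.168.1.10; the function names are this example's own.

```python
"""NAT64 address mapping (RFC 6052): how an IPv4 address is carried inside an
IPv6 address so an IPv6-only client can address an IPv4-only server.

Added example, not from the original article. It uses the well-known NAT64
prefix 64:ff9b::/96; the sample addresses are constructed.
"""
import ipaddress
from typing import Optional

WELL_KNOWN_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")

# RFC 6052 section 3.1: the well-known prefix must not carry non-global IPv4
# addresses; the RFC 1918 ranges are the ones that matter in practice.
RFC1918 = [ipaddress.IPv4Network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_translatable(v4: str) -> bool:
    """True if v4 may be embedded in the well-known prefix (i.e. not RFC 1918)."""
    addr = ipaddress.IPv4Address(v4)
    return not any(addr in net for net in RFC1918)


def synthesize_aaaa(v4: str, prefix: ipaddress.IPv6Network = WELL_KNOWN_PREFIX) -> str:
    """What DNS64 answers for a name that only has an A record: prefix + IPv4."""
    if prefix.prefixlen != 96:
        raise ValueError("this example only handles /96 prefixes")
    if prefix == WELL_KNOWN_PREFIX and not is_translatable(v4):
        raise ValueError(f"{v4} is private; RFC 6052 forbids it in 64:ff9b::/96")
    # With a /96 prefix the IPv4 address occupies the low 32 bits.
    embedded = int(prefix.network_address) | int(ipaddress.IPv4Address(v4))
    return str(ipaddress.IPv6Address(embedded))


def nat64_destination(v6: str, prefix: ipaddress.IPv6Network = WELL_KNOWN_PREFIX) -> Optional[str]:
    """What the NAT64 gateway does with a packet's IPv6 destination: if it lies
    inside the NAT64 prefix, recover the IPv4 server address; otherwise the
    packet is native IPv6 and is routed untouched (returns None)."""
    addr = ipaddress.IPv6Address(v6)
    if addr not in prefix:
        return None
    return str(ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF))


if __name__ == "__main__":
    aaaa = synthesize_aaaa("203.0.113.5")
    print("DNS64 answer:       ", aaaa)
    print("NAT64 forwards to:  ", nat64_destination(aaaa))
    print("native IPv6 dest:   ", nat64_destination("2001:db8::1"))
    print("192.168.1.10 allowed in 64:ff9b::/96?", is_translatable("192.168.1.10"))
```

The gateway side only has to check prefix membership and mask off the low 32 bits; everything else (the stateful port mapping back to the IPv6 client) is the same bookkeeping as ordinary NAPT. The RFC 1918 check matters because a client that is handed 64:ff9b::c0a8:10a would otherwise be asking the translator to reach a private IPv4 address it has no route to.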

Carrier-Grade NAT (CGN / NAT444)

This is an architectural type of NAT used by Internet Service Providers (ISPs).

  • How it works: Instead of giving you a public IP address, the ISP gives you a private-style address, usually from the 100.64.0.0/10 "shared address space" reserved for exactly this purpose so that it cannot collide with the 192.168.x.x range inside your home. Your home router performs NAT (NAT #1), and then the ISP's large-scale NAT device performs NAT again (NAT #2) before the traffic reaches the public internet. The name NAT444 comes from the three IPv4 address realms the traffic passes through: private, shared, public.
  • Use Case: Conserving the limited supply of public IPv4 addresses across thousands of customers.

Twice NAT (Double NAT)

While "Double NAT" is often seen as an error in home networking, Twice NAT is a specific technical configuration.

  • How it works: It translates both the Source IP and the Destination IP in a single pass through the device.
  • Use Case: Commonly used when two companies merge and both use the same internal IP range (e.g., both use 192.168.1.0/24). Twice NAT allows them to communicate by mapping both sides to unique "virtual" ranges.

Destination NAT (DNAT)

While standard NAT (Source NAT, SNAT) rewrites the source address of traffic leaving the network, DNAT rewrites the destination address of traffic entering it.

  • How it works: It changes the destination IP address in the packet header.
  • Use Case: Port Forwarding. When you want to host a web server behind your home router, the router takes packets addressed to its public IP and changes the destination to the server's private internal IP.
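The translation table described under Layer 4 NAT, together with the port-forwarding (DNAT) case just above, as one worked Python example. This is an added example, not code from the original article: packets are modelled as address/port records rather than raw bytes (so no checksums are involved); the private hosts in 192.168.1.0/24, the public address 203.0.113.5 and source port 5000 are the article's sample values; the translated-port pool starting at 32415, the remote servers 198.51.100.7 and 198.51.100.9, and the forward of public port 80 to 192.168.1.20:8080 are assumptions made for this example.

```python
"""Simulated NAPT (many-to-one NAT) with a static port-forwarding (DNAT) rule.

Added example, not from the original article. Packets are modelled as
(src_ip, src_port, dst_ip, dst_port) records rather than raw bytes, so no
checksums are recomputed. The private hosts, the public address 203.0.113.5
and source port 5000 are the article's sample values; the translated-port
range, the remote servers and the web-server forward are constructed here.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PUBLIC_IP = "203.0.113.5"
TRANSLATED_PORTS = range(32415, 33000)  # assumed pool of public-side ports

Endpoint = Tuple[str, int]              # (ip, port)
Flow = Tuple[str, int, str, int]        # (private_ip, private_port, remote_ip, remote_port)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Napt:
    def __init__(self, public_ip: str, forwards: Optional[Dict[int, Endpoint]] = None):
        self.public_ip = public_ip
        self.forwards: Dict[int, Endpoint] = forwards or {}  # public port -> private endpoint
        self.by_flow: Dict[Flow, int] = {}                   # translation table, outbound view
        self.by_port: Dict[int, Flow] = {}                   # same table, keyed by public port
        self._free_ports = iter(TRANSLATED_PORTS)

    def _allocate_port(self) -> int:
        """Hand out a public-side port that no dynamic entry or forward rule uses."""
        for port in self._free_ports:
            if port not in self.by_port and port not in self.forwards:
                return port
        raise RuntimeError("translation table exhausted")

    def egress(self, pkt: Packet) -> Packet:
        """Outbound (SNAT): replace the private source with public IP + unique port."""
        flow: Flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if flow not in self.by_flow:
            port = self._allocate_port()
            self.by_flow[flow] = port
            self.by_port[port] = flow
        return Packet(self.public_ip, self.by_flow[flow], pkt.dst_ip, pkt.dst_port)

    def ingress(self, pkt: Packet) -> Optional[Packet]:
        """Inbound: rewrite the destination from the table, or drop the packet."""
        if pkt.dst_ip != self.public_ip:
            return None
        # 1. Static DNAT rule (port forwarding) takes precedence and accepts any source.
        if pkt.dst_port in self.forwards:
            priv_ip, priv_port = self.forwards[pkt.dst_port]
            return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port)
        # 2. Dynamic entry created by an earlier outbound packet.
        flow = self.by_port.get(pkt.dst_port)
        if flow is not None:
            priv_ip, priv_port, remote_ip, remote_port = flow
            # Only the peer the inside host talked to may use this mapping;
            # anything else is an unsolicited packet and is discarded.
            if (pkt.src_ip, pkt.src_port) == (remote_ip, remote_port):
                return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port)
            return None
        # 3. No mapping at all: the NAT has nowhere to deliver it.
        return None


def demo() -> dict:
    """Run the article's scenario through the table and return the results."""
    nat = Napt(PUBLIC_IP, forwards={80: ("192.168.1.20", 8080)})
    server = "198.51.100.7"
    laptop = Packet("192.168.1.10", 5000, server, 443)
    phone = Packet("192.168.1.11", 5000, server, 443)   # same source port, other host

    out_laptop = nat.egress(laptop)
    out_phone = nat.egress(phone)
    out_laptop_again = nat.egress(laptop)               # reuses the existing entry

    reply = nat.ingress(Packet(server, 443, PUBLIC_IP, out_laptop.src_port))
    spoof = nat.ingress(Packet("198.51.100.9", 443, PUBLIC_IP, out_laptop.src_port))
    forwarded = nat.ingress(Packet("198.51.100.9", 40000, PUBLIC_IP, 80))
    scan = nat.ingress(Packet("198.51.100.9", 40000, PUBLIC_IP, 22))

    return {"out_laptop": out_laptop, "out_phone": out_phone,
            "out_laptop_again": out_laptop_again, "reply": reply,
            "spoof": spoof, "forwarded": forwarded, "scan": scan}


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:17} {pkt if pkt else 'DROPPED'}")
```

Two things the prose only implies are visible here: the laptop and the phone both use source port 5000 yet receive distinct public ports, and an inbound packet that matches no table entry (the probe of port 22), or that arrives from a peer other than the one the inside host contacted, is simply dropped. That filtering is a side effect of needing a table entry to deliver the packet, not a firewall policy, and real implementations differ in how strict it is (endpoint-independent versus address-dependent filtering); the port-forward rule shows the opposite case, where any source on the internet reaches the internal server.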

Static NAT vs. Dynamic NAT

These refer to the "mapping" logic rather than the OSI layer:

  • Static NAT (1:1): Maps one private IP to one specific public IP. It is used for servers that need to be reachable from the outside consistently.
  • Dynamic NAT (Many-to-Many): Maps a private IP to the first available IP from a "pool" of public IPs. Once the session ends, the public IP is returned to the pool for another user.

Summary Table

Type            OSI Layer        Primary Function
L2NAT           Layer 2          Translates MAC addresses
Static/1:1 NAT  Layer 3          Basic IP-to-IP translation
NAPT/PAT        Layer 4          Translates IPs + TCP/UDP ports
ALG             Layer 7          Rewrites IPs inside application data (FTP/SIP)
NAT64           Cross-protocol   Translates between IPv6 and IPv4
CGNAT           Infrastructure   Large-scale NAT performed by ISPs