Understanding NAT

I am having trouble understanding how NAT works when a client with a public IP on the internet
wants to communicate with a local private IP.

Am I getting in any way close with the example below?

Internet client needs to talk to local server on port 80
Local router has public IP of
Internet client targets IP and requests service on port 80
Static NAT entry on router maps port 80 request to port 80
Local server responds to which is translated back by the same NAT entry to

I'm getting confused as someone told me that although PAT lets you map many private IPs
to one public IP, it's not possible to map two public IPs on the same port number to a single private IP.
Is that right? A simple-as-possible explanation would be appreciated :)


You are correct in that static mappings are needed to combine both addresses to one internal IP address on most devices.  However, a Cisco PIX/ASA will allow you to do the exact opposite of what you are describing.  On either of these firewalls, you can have multiple public IP addresses overloaded to one internal address.  For example:

You have an internal mail server at that needs to be accessed from the outside:

! outside interface carrying the public address
interface ethernet0/0
nameif outside
security-level 0
ip address 84.x.x.8

! inside interface
interface ethernet0/1
nameif inside
security-level 100
ip add

! only SMTP to the public address is permitted in from the outside
access-list OUTSIDE-PAT permit tcp any host 84.x.x.8 eq smtp
access-group OUTSIDE-PAT in interface outside

! outside sources that hit 84.x.x.8 are overloaded (PAT) onto the inside interface address
access-list PAT-IN permit ip any host 84.X.X.8

nat (outside) 1 access-list PAT-IN outside
global (inside) 1 interface

! port-forward TCP 25 on the outside interface address to the internal mail server
static (inside,outside) interface tcp 25

The internet client replies to to port 80, but in its header there is a destination port on which is mapped to your on its NAT table. So multiple clients can request the same page, but the requests will be assigned different ports on the NAT.

PS: see the attached image of what a NAT table will look like.


How NAT Works

When a computer running NAT receives a packet from an internal client, it replaces the packet header and translates the client's port number and internal IP address to its own port number and external IP address. It then sends the packet to the destination host on the Internet, and keeps track of the mapping information in a table, so that it can route the reply to the appropriate client computer. When the computer running NAT receives a reply from the Internet host, it again replaces the packet header and sends the packet to the client. Both the client computer and the Internet host appear to be communicating directly with each other.

For example, a client computer with the IP address wants to contact a Web server with the IP address The client is configured to use as the default gateway, which is the internal IP address of the computer running NAT. The external IP address of the computer running NAT is In this example, the NAT process occurs as follows:

    * The client computer sends a packet to the computer running NAT. The packet header indicates that the packet originates from port 1074 on the computer with the IP address, and has a destination of port 80 on
    * The computer running NAT changes the packet header to indicate that the packet originates from port 1563 on host, but does not change the destination. The computer running NAT then sends the packet to the Web server over the Internet.
    * The external Web server receives the packet and sends a reply. The packet header for the reply indicates that the packet originates from port 80 on, and has a destination of port 1563 on host
    * The computer running NAT receives the packet and checks its mapping information to determine the destination client computer. The computer running NAT changes the packet header to indicate a destination of port 1074 on, and then sends the packet to the client. The source of the packet remains as port 80 on, which is the IP address of the Web server.



Try this one on for size, in understanding NAT vs PAT http://www.enterprisenetworkingplanet.com/netsp/article.php/3632496/Networking-101-Understanding-NAT-and-PAT.htm
From my understanding, unless the state already exists, the IPs are different (vs ports or PAT) and the NAT routers do not detect anomalies - you will not be able to establish a connection. Because of the nature of NAT routers, one of the NAT routers will be able to detect that a sequence number anomaly has occurred, and can immediately terminate all communication. When the TCP session completes with a FIN, the state is wiped clean.

A very good description of NAT, but I do not understand your answer to the question posed by jly999. You are saying that the 2 distinct 'public' addresses going to a single private address (NAT'd also), with distinct ports assigned to each connection, will themselves be able to establish communication in both directions... like a web server.
DOH! I think I just answered my own question or rather you did :)
NAT, or Network Address Translation, works by taking private RFC 1918 addresses and converting them to globally routable addresses.

RFC 1918 addresses are:
 (Class A)
 (Class B)
 (Class C)

Static NAT:
Suppose that you have an internal web server that you would like to allow users on the internet to access.  However, your internal web server has a private address of  To do this, you would need to request a public IP address from the ISP.  Let's say that the ISP assigned you the 74.x.x.212 globally routable IP address.

What you would do in this case is establish a "Static NAT" mapping, which is a direct one-to-one relationship of a private address (RFC 1918) to a publicly routable address.  For example, on a Cisco router you would enter the following command:

ip nat inside source static

How it works:
A user surfing the web types in yourwebsite.com and DNS resolves the name to your publicly routable IP address of  The request for yourwebsite.com gets to your router and is converted from the public IP address of to the internal IP address of

When the router receives the HTTP header, it makes note of the address and realizes that it has a static NAT statement to translate the address.  So, the router "translates" the IP address of to the internal address of and sends the packet on to the internal web server.

When the web server responds, the router has the job of "translating" the internal address of to the publicly routable IP address of

NAT Pool:
NAT pools are set up to map a group of publicly available IP addresses to internal private addresses.  For example, let's suppose that your organization has 30 users and you use the RFC 1918 private address block of  Since RFC 1918 addresses are not routable on the Internet, you would need to obtain some public addresses from an ISP.  Let's say that the ISP allocated you 10 public IP addresses in the range of 84.x.x.12 - 84.x.x.21.

To configure a NAT pool, you would need to configure your private IP addresses to obtain one of the global IP addresses.  On a Cisco router the commands would be as follows:

1) Create an Access Control List (ACL) that allows your internal network address to be translated to a public IP address:

access-list 10 permit

2) Create the NAT pool that maps to the Global IP addresses assigned by the ISP:

ip nat pool GLOBAL-ADDRESSES 84.x.x.12 84.x.x.21 netmask

3) Combine the permitted internal translation addresses to the global IP address:

ip nat inside source list 10 pool GLOBAL-ADDRESSES

How NAT Pools Work
If a user in your network wanted to access a web server on the Internet, then the router would need to translate the private IP address of the internal network to a public address.  In this case you have 30 users and 10 global IP addresses.  This means that only 10 users could be online at any given time.  If an 11th user attempted to access a host, server, or other resource on the Internet, they would not be translated and the connection would fail.  Only when one of the 10 addresses was returned to the pool would that user be allowed to access the Internet.

A user with the internal IP address of is making a request to access a web server at 202.x.x.55.  As the packet is going through the various OSI layers, the transport layer will add a port to your internal IP address to track what application and session is in use.  It will be randomly assigned a port anywhere from 1025 - 65535.

The user's packet of gets a random port of 1033 to track the application and session.  The term utilized in the industry is a socket, and a socket is the combination of an IP address and port joined with a colon.  The socket for this session would be

The router would receive the packet with the following information and check for an ACL that allows for a translation.  If there is an ACL permitting the network, then the router will record the following in the translation table:

Internal IP Address           External IP Address
                              84.x.x.12:1033

The addresses will be translated to 84.x.x.12:1033 and sent to the web server on the internet.  The web server will respond back to your request using the IP address of 84.x.x.12:1033.  

The router will receive the response packet with the IP address of 84.x.x.12:1033 and look at the translation table to see where to deliver the packet.  

Internal IP Address           External IP Address
                              84.x.x.12:1033

It looks at the translation table and notes that 84.x.x.12:1033 should be translated back to and sent on its way.

Port Address Translation (PAT)
The main difference in Static NAT and NAT Pools when compared to PAT is the fact that a single address can be used among a large number of users.  Static NAT and NAT pools do not conserve IPv4 addresses.

PAT takes an internal private network and converts it to a single globally routable IP address.  It does this by utilizing sockets.  For example, let's assume that you are using the internal network of and have been assigned the global IP address from the ISP of 94.x.x.212.

PAT Configuration:
To configure PAT on a Cisco router, you would do the following:

1) Create an ACL to allow your private network:

access-list 20 permit

2) Bind the ACL to the global IP address and enable PAT:

ip nat inside source list 20 interface atm0 overload

How PAT Works:

Say that you have two users that would like to connect to the Internet.  The first user is going to Google at IP address  The second user is going to Yahoo! at IP address  

At the transport layer, the user is assigned the port 3525 to create the socket of

At the transport layer, the user is assigned the port 3525 to create the socket

The first user's packet arrives at the router first and is checked against the ACL to permit translation from private to public.  The router records the information in the translation table and sends the packet on with the routable IP address obtained from the ISP.

Internal IP Address           External IP Address
                              94.x.x.212:3525

The second user's packet arrives moments after the first user's packet and is checked against the ACL to permit the translation.  The router goes to record the information in the translation table, but notices that the port 3525 has already been used.  So the router increments the port number for the external address until one is available.  However, the important thing to note is that the external port number changes, BUT not the internal.  If the port numbers were different, then the router would simply record the provided port number from the user.

Internal IP Address           External IP Address
                              94.x.x.212:3525
                              94.x.x.212:3526

Now when a packet comes into the router with 94.x.x.212:3525, it forwards it off to the first user at  When a packet arrives with 94.x.x.212:3526, it forwards it off to the second user.  When I say forwards it off, the translation is successfully made.
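To make the translation tables in this answer and in the "How NAT Works" steps above concrete, here is an added example (not part of any answer on this page and not Cisco code) that models a PAT table: outbound packets get an entry keyed on the outside socket, a colliding source port is incremented as described, replies are matched against that state, and an inbound packet with no entry has no inside host to go to, which is why unsolicited inbound traffic needs a static mapping. The addresses are constructed RFC 1918 and RFC 5737 values, and the class and function names are assumptions of this example.

```python
from typing import Dict, Optional, Tuple

Socket = Tuple[str, int]  # (IP address, port): the "ip:port" socket of the answer above


class PatTable:  # toy PAT translation table for one public address (constructed model)
    def __init__(self, public_ip: str, lo: int = 1025, hi: int = 65535) -> None:
        self.public_ip = public_ip
        self.lo, self.hi = lo, hi
        self.out_map: Dict[Socket, Socket] = {}  # inside socket -> outside socket
        self.in_map: Dict[Socket, Socket] = {}   # outside socket -> inside socket

    def translate_out(self, inside: Socket) -> Socket:
        """Outbound packet: reuse the entry, else keep the inside port if free,
        otherwise increment the outside port until one is free."""
        if inside in self.out_map:
            return self.out_map[inside]
        start = port = inside[1] if self.lo <= inside[1] <= self.hi else self.lo
        while (self.public_ip, port) in self.in_map:
            port = port + 1 if port < self.hi else self.lo
            if port == start:
                raise RuntimeError("port pool exhausted on " + self.public_ip)
        outside = (self.public_ip, port)
        self.out_map[inside] = outside
        self.in_map[outside] = inside
        return outside

    def translate_in(self, outside: Socket) -> Optional[Socket]:
        """Inbound packet: deliverable only if state exists; None means no inside host is known."""
        return self.in_map.get(outside)

    def close(self, inside: Socket) -> None:
        """Session ended (FIN seen): wipe the state for this inside socket."""
        outside = self.out_map.pop(inside, None)
        if outside is not None:
            del self.in_map[outside]


def demo() -> Dict[str, Optional[Socket]]:
    """Two inside hosts both pick source port 3525, as in the PAT walkthrough."""
    pat = PatTable("203.0.113.212")  # constructed public address (RFC 5737 range)
    first = pat.translate_out(("192.168.1.10", 3525))   # keeps port 3525
    second = pat.translate_out(("192.168.1.11", 3525))  # collision: gets 3526
    reply = pat.translate_in(("203.0.113.212", 3526))   # reply finds the second host
    fresh = pat.translate_in(("203.0.113.212", 80))     # no entry: nowhere to forward
    return {"first": first, "second": second, "reply": reply, "fresh": fresh}
```

The `fresh` lookup is the point behind the original question: without a static entry, the router has no row that tells it which inside host an unsolicited inbound packet belongs to.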

jly999Author Commented:

I can't understand why it is you can have NAT overload going out (many private to one public) but you can't have the same coming back in -

eg - If I want 2 public IPs to translate to one internal private IP - this is not possible I think as it needs static mapping - why is that?

jly999Author Commented:
Thanks jfrizzell - I didn't know that was possible; I'd read that connections initiated from the internet to reach a private server needed static NAT.

But I was trying to understand why that would have to be the case - and I guess it isn't always...

Hopefully starting to understand NAT a bit more.. Cheers
