NAT explained: SNAT vs DNAT, PAT, and Why Network Address Translation Exists
Beginner-friendly NAT explained guide covering what NAT is, why it exists, SNAT vs DNAT, PAT/masquerade, Linux and cloud examples, limitations, and troubleshooting.
Drake Nguyen
Founder · System Architect
Introduction — NAT explained (what this article covers)
NAT explained in this guide covers the purpose of Network Address Translation, how it fits into networking fundamentals, and why SNAT and DNAT exist. You’ll learn how NAT interacts with IP addressing and subnetting basics, private vs public IPs, and where NAT shows up in home routers, enterprise edges, and NAT in cloud gateways. Practical examples, common pitfalls, and troubleshooting steps are included so you can apply NAT basics quickly.
NAT explained: What is NAT?
Network Address Translation (NAT) is a function on routers, firewalls, and gateways that rewrites IP addresses—and often ports—in packet headers as traffic crosses a boundary between networks. The most common pattern is translating RFC 1918 private IP addresses to a public IP so internal hosts can reach the internet. A translation table (often maintained via connection tracking in stateful NAT) records each mapping so return traffic is delivered back to the correct internal host.
Why NAT exists
The main reason NAT is used is IPv4 address scarcity: there aren’t enough globally routable public IP addresses for every device. NAT allows many devices to reuse private ranges while sharing one or a small pool of public IPs. NAT also supports common edge designs such as basic segmentation between internal networks and the internet, controlled egress, and inbound publishing patterns like port forwarding.
Key NAT concepts and terminology
Private IP addresses and RFC 1918
RFC 1918 defines private ranges such as 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. These addresses are not routable on the public internet. NAT and private IP addresses work together by keeping internal addressing consistent while translating traffic at the gateway when it needs to reach external networks.
Public IPs and scarcity
A public IP is internet-routable and typically allocated by an ISP or cloud provider. Because IPv4 space is limited, NAT helps organizations and households reduce how many public IPs they require. This is why NAT is used in broadband routers, corporate firewalls, and managed cloud egress services.
Translation table, stateful NAT, and connection tracking
NAT devices maintain a translation table that maps an internal tuple (source IP/port) to an external tuple (public IP/port). With stateful NAT, connection tracking stores session state (NEW/ESTABLISHED/RELATED) so return packets match the correct entry. Many platforms support logging translations to aid auditing, incident response, and troubleshooting NAT issues.
SNAT vs DNAT — high-level comparison
If you’re asking what is SNAT vs DNAT, focus on which side of the packet is changed. SNAT (Source NAT) modifies the source address on outbound traffic so replies return to the translating gateway. DNAT (Destination NAT) modifies the destination address on inbound traffic so external clients reach an internal service. Both depend on translation tables and connection tracking, and both can affect end-to-end connectivity.
What is SNAT?
SNAT rewrites the source IP (and sometimes the source port) of packets leaving a private network. In Linux, SNAT is often paired with masquerade (IP masquerading) for dynamic public IPs. Typical use cases include internet access for internal subnets, forcing egress through a specific public IP, and scaling outbound connectivity with cloud NAT services.
What is DNAT?
DNAT rewrites the destination IP and/or port of incoming packets so they reach an internal target. DNAT underpins port forwarding, publishing internal services, and some load-balancing patterns. For example, mapping publicIP:80 to 10.0.1.5:8080 is a DNAT rule that exposes an internal web service.
PAT and masquerade (how ports are translated)
Port Address Translation (PAT) is a common NAT mode that multiplexes many internal connections onto one public IP by translating source ports. Home routers commonly use PAT plus masquerade so dozens of devices can browse the web simultaneously. The NAT gateway records the port mappings in its translation table and uses connection tracking to forward return packets to the right host.
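To make the translation-table mechanics described above concrete, here is an added Python illustration (not code from the article or any real NAT implementation) of a toy stateful gateway: outbound flows receive SNAT/PAT with a public port from a pool, replies are matched back through the table, a static DNAT entry publishes an internal service, and the pool is kept deliberately tiny so port exhaustion is easy to reach. All addresses and ports are constructed sample values.

```python
"""Toy stateful NAT table with SNAT/PAT for outbound flows and DNAT for a published
port. Added illustration, not code from the article or any real NAT implementation."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]           # (ip, port)
Packet = Tuple[Endpoint, Endpoint]   # (source, destination) after translation

@dataclass
class NatGateway:
    public_ip: str
    # Deliberately tiny public port pool so the exhaustion case is easy to reach.
    port_range: range = range(1024, 1030)
    # Translation table (simplified: keyed on the internal endpoint only, so every
    # internal ip:port gets its own public port regardless of destination).
    by_internal: Dict[Endpoint, int] = field(default_factory=dict)
    by_public_port: Dict[int, Endpoint] = field(default_factory=dict)
    # Static DNAT rules: public port -> internal target (port forwarding).
    dnat: Dict[int, Endpoint] = field(default_factory=dict)

    def outbound(self, src: Endpoint, dst: Endpoint) -> Optional[Packet]:
        """SNAT/PAT: rewrite src to public_ip:port; None when the pool is exhausted."""
        if src not in self.by_internal:
            free = next((p for p in self.port_range if p not in self.by_public_port), None)
            if free is None:
                return None                         # port exhaustion: flow cannot leave
            self.by_internal[src] = free
            self.by_public_port[free] = src
        return (self.public_ip, self.by_internal[src]), dst

    def inbound(self, src: Endpoint, dst: Endpoint) -> Optional[Packet]:
        """Match replies against the table first, then DNAT rules; otherwise drop."""
        if dst[0] != self.public_ip:
            return None
        if dst[1] in self.by_public_port:           # reply to a tracked outbound flow
            return src, self.by_public_port[dst[1]]
        if dst[1] in self.dnat:                     # published service (DNAT)
            return src, self.dnat[dst[1]]
        return None                                 # unsolicited inbound: no entry, dropped

def demo() -> dict:
    """Walk the article's scenario: one outbound web flow plus the 8080 -> 10.0.1.5:80 forward."""
    gw = NatGateway("203.0.113.45")
    gw.dnat[8080] = ("10.0.1.5", 80)
    out = gw.outbound(("10.0.0.12", 51234), ("93.184.216.34", 443))
    reply = gw.inbound(("93.184.216.34", 443), out[0])       # comes back to public_ip:1024
    forwarded = gw.inbound(("198.51.100.7", 40000), ("203.0.113.45", 8080))
    unsolicited = gw.inbound(("198.51.100.7", 40001), ("203.0.113.45", 2222))
    return {"out": out, "reply": reply, "forwarded": forwarded, "unsolicited": unsolicited}
```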
Practical examples and short configs
iptables/nftables SNAT example (Linux)
# Example using iptables (legacy)
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 ! -d 10.0.0.0/24 -o eth0 -j SNAT --to-source 203.0.113.45
# Masquerade (dynamic public IPs)
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
Use SNAT when you have a stable public IP, and MASQUERADE when the public IP can change (for example, DHCP). Ensure your routing and firewall policy allow return traffic, otherwise the translation table entries won’t be used successfully.
iptables/nftables DNAT (port-forward) example
# Forward external port 8080 to internal web server 10.0.1.5:80 (nat table, before routing)
iptables -t nat -A PREROUTING -p tcp -d 203.0.113.45 --dport 8080 -j DNAT --to-destination 10.0.1.5:80
# Allow the translated traffic through the filter table; without this the DNAT entry is created but the packet is dropped
iptables -A FORWARD -p tcp -d 10.0.1.5 --dport 80 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
DNAT usually requires a corresponding FORWARD rule (or equivalent firewall allowance). Also validate that the internal service’s default gateway points back through the NAT device, otherwise replies may bypass the translator.
Cloud examples (AWS NAT Gateway, Azure NAT, GCP Cloud NAT)
Managed options like AWS NAT Gateway, Azure NAT Gateway, and GCP Cloud NAT provide scalable outbound SNAT/PAT for private subnets. They simplify egress design, but you should understand cloud NAT limitations such as port allocation behavior, logging granularity, per-zone or per-region scope, and how metrics expose connection counts and drops. Inbound publishing typically uses a load balancer, reverse proxy, or explicit DNAT/port-forwarding pattern depending on the platform.
NAT limitations and modern considerations
How NAT affects protocols and end-to-end connectivity
NAT changes addressing, which can reduce true end-to-end connectivity. Protocols that embed IP/port information inside payloads (for example, SIP, FTP in active mode, and some VPN designs) may need helpers or application-aware gateways. NAT can also complicate peer-to-peer traffic and inbound connections unless DNAT/port forwarding is configured.
IPv6 and the future of NAT
IPv6’s large address space reduces the need for NAT by making global addressing practical again. While IPv6 can still use translation techniques, many designs prefer native routing plus firewall policy. In mixed environments, organizations often keep NAT for IPv4 while adopting IPv6 to improve end-to-end reachability and simplify addressing.
Logging, monitoring, and troubleshooting NAT translations
When troubleshooting NAT, inspect active translation entries and verify that return traffic matches connection tracking state. On Linux, use conntrack -L to view tracked flows and iptables -t nat -L -n -v (or nftables equivalents) to confirm counters increase on the correct rules. For cloud NAT, combine VPC/VNet flow logs, NAT gateway metrics, and centralized logging to correlate dropped connections with port exhaustion, misrouted subnets, or overly restrictive security rules.
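As an added example (not the article's code), the following Python parses conntrack -L style entries, labels each flow as SNAT or DNAT by comparing the original and reply tuples, and flags a DNAT entry that is still [UNREPLIED], the symptom seen when the internal host's reply bypasses the translator as warned about in the DNAT section. The conntrack lines are constructed sample input in the conntrack-tools output format.

```python
"""Classify conntrack -L entries as SNAT, DNAT or untranslated and flag flows with
no reply. Added example, not the article's code; the sample lines are constructed."""
import re
from typing import Dict, List

# Constructed sample in conntrack -L (conntrack-tools) format: a web request SNATed
# out, a port forward (DNAT) to 10.0.1.5:80 that never got a reply, and a plain LAN flow.
SAMPLE = """\
tcp      6 431988 ESTABLISHED src=10.0.0.12 dst=93.184.216.34 sport=51234 dport=443 src=93.184.216.34 dst=203.0.113.45 sport=443 dport=51234 [ASSURED] mark=0 use=1
tcp      6 117 SYN_SENT src=198.51.100.7 dst=203.0.113.45 sport=40000 dport=8080 [UNREPLIED] src=10.0.1.5 dst=198.51.100.7 sport=80 dport=40000 mark=0 use=1
udp      17 29 src=10.0.0.12 dst=10.0.0.1 sport=5353 dport=53 src=10.0.0.1 dst=10.0.0.12 sport=53 dport=5353 mark=0 use=1
"""

KV = re.compile(r"(src|dst|sport|dport)=(\S+)")

def parse_entry(line: str) -> Dict[str, object]:
    """Split one conntrack line into original and reply tuples plus translation flags."""
    pairs = KV.findall(line)
    orig = dict(pairs[:4])      # first src/dst/sport/dport: original direction
    reply = dict(pairs[4:8])    # second set: reply direction as the gateway expects it
    snat = orig["src"] != reply["dst"]   # source rewritten on the way out
    dnat = orig["dst"] != reply["src"]   # destination rewritten on the way in
    kind = "SNAT+DNAT" if snat and dnat else "SNAT" if snat else "DNAT" if dnat else "none"
    fields = line.split()
    return {
        "proto": fields[0],
        "state": fields[3] if fields[0] == "tcp" else "",   # udp rows have no state column
        "orig": orig,
        "reply": reply,
        "translation": kind,
        "unreplied": "[UNREPLIED]" in line,
    }

def diagnose(output: str) -> List[str]:
    """One finding per entry; an UNREPLIED translated flow points at the usual DNAT mistakes."""
    findings = []
    for line in output.splitlines():
        e = parse_entry(line)
        where = f"{e['orig']['src']}:{e['orig']['sport']} -> {e['orig']['dst']}:{e['orig']['dport']}"
        msg = f"{e['proto']} {where} {e['translation']}"
        if e["unreplied"]:
            msg += " NO REPLY (check the FORWARD rule and the internal host's default route)"
        findings.append(msg)
    return findings
```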
Summary and conclusion — NAT explained (key takeaways)
NAT explained in one line: it’s address translation at a gateway that lets private networks communicate externally while conserving public IP space. SNAT is mainly for outbound connectivity, DNAT is mainly for inbound publishing (port forwarding), and PAT/masquerade enables many-to-one sharing of a public IP via port translation. For deeper study, review networking fundamentals such as the OSI model vs TCP/IP model, routing vs switching, TCP vs UDP ports and protocols, and related topics like DNS and DHCP explained.
Frequently Asked Questions (FAQ)
What is SNAT vs DNAT in simple terms?
SNAT changes the source address on outbound packets; DNAT changes the destination address on inbound packets. Both rely on a translation table so replies map correctly.
Is PAT the same as NAT?
PAT is a common form of NAT that also translates ports, allowing many internal connections to share one public IP simultaneously.
Does NAT provide security?
NAT can hide internal addresses, but it is not a replacement for firewall policy. Treat NAT as address translation; enforce security with explicit filtering and monitoring.
How do I troubleshoot a broken port forward?
Confirm the DNAT rule matches the incoming interface, IP, and port; allow the forwarded traffic in your firewall; verify the internal host's default route returns through the NAT device; and check the connection tracking entries and logs for the flow.