Network Address Translation (NAT) is the process where a network device, usually a firewall, assigns a

public address to a computer (or group of computers) inside a private network. The main use of NAT
is to limit the number of public IP addresses an organization or company must use, for both economy
and security purposes.

The most common form of network translation involves a large private network using addresses in a
private range (10.0.0.0 to 10.255.255.255, 172.16.0.0 to 172.31.255.255, or 192.168.0 0 to
192.168.255.255). The private addressing scheme works well for computers that only have to access
resources inside the network, like workstations needing access to file servers and printers. Routers
inside the private network can route traffic between private addresses with no trouble. However, to
access resources outside the network, like the Internet, these computers have to have a public
address in order for responses to their requests to return to them. This is where NAT comes into play.

Internet requests that require Network Address Translation (NAT) are quite complex but happen so
rapidly that the end user rarely knows it has occurred. A workstation inside a network makes a
request to a computer on the Internet. Routers within the network recognize that the request is not
for a resource inside the network, so they send the request to the firewall. The firewall sees the
request from the computer with the internal IP. It then makes the same request to the Internet using
its own public address, and returns the response from the Internet resource to the computer inside
the private network. From the perspective of the resource on the Internet, it is sending information to
the address of the firewall. From the perspective of the workstation, it appears that communication is
directly with the site on the Internet. When NAT is used in this way, all users inside the private
network access the Internet have the same public IP address when they use the Internet. That means
only one public address is needed for hundreds or even thousands of users.

Most modern firewalls are stateful – that is, they are able to set up the connection between the
internal workstation and the Internet resource. They can keep track of the details of the connection,
like ports, packet order, and the IP addresses involved. This is called keeping track of the state of the
connection. In this way, they are able to keep track of the session composed of communication
between the workstation and the firewall, and the firewall with the Internet. When the session ends,
the firewall discards all of the information about the connection.

There are other uses for Network Address Translation (NAT) beyond simply allowing workstations
with internal IP addresses to access the Internet. In large networks, some servers may act as Web
servers and require access from the Internet. These servers are assigned public IP addresses on the
firewall, allowing the public to access the servers only through that IP address. However, as an
additional layer of security, the firewall acts as the intermediary between the outside world and the
protected internal network. Additional rules can be added, including which ports can be accessed at
that IP address. Using NAT in this way allows network engineers to more efficiently route internal
network traffic to the same resources, and allow access to more ports, while restricting access at the
firewall. It also allows detailed logging of communications between the network and the outside
world.

Additionally, NAT can be used to allow selective access to the outside of the network, too.
Workstations or other computers requiring special access outside the network can be assigned
specific external IPs using NAT, allowing them to communicate with computers and applications that
require a unique public IP address. Again, the firewall acts as the intermediary, and can control the
session in both directions, restricting port access and protocols.

NAT is a very important aspect of firewall security. It conserves the number of public addresses used
within an organization, and it allows for stricter control of access to resources on both sides of the
firewall.