Topic Overview

NAT & PAT

Understand Network Address Translation (NAT) and Port Address Translation (PAT) for connecting private networks to the internet and conserving IPv4 addresses.


Why This Matters

Think of NAT like a receptionist at a company. When you call the company, you call the main number (public IP). The receptionist (NAT) routes your call to the right person (private IP). NAT does the same for networks—it translates private IPs to public IPs, allowing many devices to share one public IP address.

This matters because IPv4 addresses are limited (about 4.3 billion in total, and far fewer are actually available for public assignment). Without NAT, every device would need its own public IP, which isn't feasible. NAT lets private networks (home, office) use private IPs and share one public IP. This conserves IPv4 addresses and, as a side effect, hides the internal addressing scheme. That side effect is not a security control: a NAT forwards anything that matches a translation entry, so you still need a firewall in front of (or on) it.

In interviews, when someone asks "How do devices on a private network access the internet?", they're testing whether you understand NAT. Do you know how NAT translates addresses? Do you understand PAT? Most engineers don't. They just use networks and assume they work.

What Engineers Usually Get Wrong

Most engineers think "NAT is just address translation." But a NAT maintains a translation table that maps each private IP (and, for PAT, port) to the public IP and port it was given. When a packet comes back, the NAT looks up the table to route it to the correct private IP; if there is no matching entry, the packet is dropped. Knowing that the table exists, and when entries are created and expire, is what lets you troubleshoot connectivity problems behind NAT.

Engineers also don't understand that NAT breaks some protocols. Protocols that carry IP addresses or ports inside their payload (FTP's active-mode PORT command, SIP/SDP) don't work well with plain NAT because the embedded addresses aren't translated: the peer is told to connect to a private address. Either the NAT runs an application-layer gateway (ALG) that rewrites the payload for that specific protocol, or the application has to discover its public address itself. Knowing this explains why some applications don't work behind NAT.
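The FTP case above, worked through as an added example (this is not code from the original page): a parser for the active-mode PORT command, and the rewrite an ALG performs so the server dials the NAT's public address instead of the client's private one. The client command, the public IP 203.0.113.1 and the reserved public port 10000 are constructed values for the demo, and the `preCreate` callback stands in for whatever mechanism the NAT uses to pre-create the inbound mapping.

```typescript
// Added example: what an FTP application-layer gateway (ALG) has to do on a NAT.
// In active mode the client tells the server where to connect back for the data
// channel with "PORT h1,h2,h3,h4,p1,p2" (port = p1*256 + p2). The address sits in the
// payload, so plain NAT leaves it untranslated and the server tries to reach a private IP.
// The sample command and the public IP:port below are constructed for the demo.

interface PortCommand { ip: string; port: number; }

// Parse "PORT 192,168,1,10,19,137" -> { ip: "192.168.1.10", port: 5001 }
function parsePortCommand(line: string): PortCommand | null {
  const m = /^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$/i.exec(line.trim());
  if (!m) return null;
  const n = m[1].split(",").map(Number);
  if (n.some((x) => x > 255)) return null;
  return { ip: n.slice(0, 4).join("."), port: n[4] * 256 + n[5] };
}

function buildPortCommand(ip: string, port: number): string {
  if (port < 1 || port > 65535) throw new Error(`port out of range: ${port}`);
  return `PORT ${ip.split(".").join(",")},${Math.floor(port / 256)},${port % 256}`;
}

// RFC 1918 check: an address the server could never reach from the internet.
function isRfc1918(ip: string): boolean {
  const [a, b] = ip.split(".").map(Number);
  return a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// The ALG: rewrite the embedded private address to the NAT's public IP and a public port
// it has reserved, and record the mapping so the server's inbound data connection is accepted.
// `preCreate` is a hypothetical hook for inserting that inbound translation entry.
function ftpAlgRewrite(
  line: string,
  publicIP: string,
  publicPort: number,
  preCreate: (privateIP: string, privatePort: number, publicPort: number) => void,
): string {
  const cmd = parsePortCommand(line);
  if (!cmd) return line;                     // not a PORT command: pass through untouched
  preCreate(cmd.ip, cmd.port, publicPort);   // inbound mapping publicIP:publicPort -> private IP:port
  return buildPortCommand(publicIP, publicPort);
}

// Demo: client 192.168.1.10 behind NAT 203.0.113.1; the NAT reserved public port 10000 for the data channel.
function ftpDemo(): { original: PortCommand | null; serverWouldDialPrivate: boolean; rewritten: string; mapping: string } {
  const line = "PORT 192,168,1,10,19,137";   // constructed client command (19*256+137 = 5001)
  const original = parsePortCommand(line);
  let mapping = "";
  const rewritten = ftpAlgRewrite(line, "203.0.113.1", 10000, (ip, port, pub) => {
    mapping = `${pub} -> ${ip}:${port}`;
  });
  return {
    original,
    serverWouldDialPrivate: original !== null && isRfc1918(original.ip), // what happens without the ALG
    rewritten,
    mapping,
  };
}
```

Without the rewrite the server receives 192.168.1.10:5001 and its connection attempt never leaves its own network; with it, the server connects to 203.0.113.1:10000 and the pre-created entry translates that inbound connection back to the client. The same idea applies to SIP/SDP, which is why those ALGs exist on many routers.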

How This Breaks Systems in the Real World

A service was running behind NAT. It needed to accept incoming connections, but a NAT only creates translation entries for outbound connections (private → public); an unsolicited inbound packet matches no entry and is dropped. Incoming connections failed because the NAT had no translation entry for them. The fix? Configure port forwarding (a static mapping from public IP:port to private IP:port), or let the application request one via UPnP (with the caveat that UPnP lets any host on the LAN open ports, which is why many environments disable it). Or design the service so it doesn't need incoming connections at all (polling, or a persistent outbound connection to a relay).

Another story: A service was opening many connections behind NAT. NAT tables are finite (the limit depends on the device's memory and configuration), and a PAT has only about 64,000 public ports per public IP and transport protocol, typically per destination. When the service created many connections to the same backend, the port pool for that destination filled up. New connections failed. The fix? Reuse connections (connection pooling), or use fewer connections. Understanding NAT table and port limits helps you design systems that work behind NAT.


What is NAT?

NAT (Network Address Translation) translates private IP addresses to public IP addresses (and vice versa) at the network boundary.

Why needed:

  • IPv4 exhaustion: Limited public IP addresses
  • Private networks: Use RFC 1918 private addresses (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
  • Security (incidental): Hides internal addressing from the outside; not a replacement for a firewall
  • Cost: Reduce need for multiple public IPs

NAT Types

1. Static NAT

One-to-one mapping: One private IP → One public IP

Private Network          Public Network
192.168.1.10    →    203.0.113.10
192.168.1.20    →    203.0.113.20

Use case: Servers that need consistent public IP

2. Dynamic NAT

Many-to-many mapping: Multiple private IPs → Pool of public IPs

Private Network          Public IP Pool
192.168.1.10    →    203.0.113.10-15
192.168.1.20    →    (assigned dynamically)
192.168.1.30    →

Use case: Multiple devices sharing a pool of public IPs

3. PAT (Port Address Translation / NAT Overload)

Many-to-one mapping: Multiple private IPs → Single public IP (using ports)

Private Network          Public Network
192.168.1.10:5000  →  203.0.113.1:10000
192.168.1.20:5000  →  203.0.113.1:10001
192.168.1.30:5000  →  203.0.113.1:10002

Use case: Home networks, small offices (most common)


NAT Process

Outbound Traffic (Private → Public)

1. Device (192.168.1.10) sends packet to 8.8.8.8
   Source: 192.168.1.10:5000
   Dest: 8.8.8.8:53

2. NAT router receives packet
   - Checks NAT table
   - If no entry, creates translation
   - Translates source IP/port

3. NAT router forwards packet
   Source: 203.0.113.1:10000 (translated)
   Dest: 8.8.8.8:53

4. Response comes back
   Source: 8.8.8.8:53
   Dest: 203.0.113.1:10000

5. NAT router translates back
   Source: 8.8.8.8:53
   Dest: 192.168.1.10:5000 (original)

NAT Table

NAT router maintains a translation table:

Inside Local         Inside Global         Outside Local        Outside Global
192.168.1.10:5000 →  203.0.113.1:10000  ↔  8.8.8.8:53        →  8.8.8.8:53
192.168.1.20:5000 →  203.0.113.1:10001  ↔  93.184.216.34:80  →  93.184.216.34:80

These are the four columns Cisco's "show ip nat translations" prints. Outside Local equals Outside Global here because only the inside (source) address is translated.

Table entries expire after a period of inactivity. The timeout depends on the protocol and the vendor: UDP entries are usually short (tens of seconds to a few minutes), while established TCP connections are typically kept for hours. Long-lived idle connections that cross a NAT therefore need keepalives shorter than the NAT's timeout.
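A simulation of the table above, added here as an illustrative example that is not part of the original page. It keys entries by the full connection tuple (protocol, private IP:port, destination IP:port), applies per-protocol idle timeouts, and uses a deliberately tiny port range and entry cap so that both failure modes from "How This Breaks Systems in the Real World" (unsolicited inbound traffic finding no entry, and port or table exhaustion) can be reproduced offline. The public IP, port range, capacity and timeout values are assumptions chosen for the demo, not figures from any real device.

```typescript
// Added example: a PAT (NAT overload) table with a small port pool and entry cap
// so that unsolicited-inbound drops and port/table exhaustion can be reproduced.
// All addresses, ranges and timeouts are constructed values for the demo.

type Proto = "tcp" | "udp";

interface Flow { proto: Proto; srcIP: string; srcPort: number; dstIP: string; dstPort: number; }

interface Mapping { flow: Flow; publicPort: number; lastSeen: number; }

class PatTable {
  private byInside = new Map<string, Mapping>();   // inside tuple -> mapping
  private byOutside = new Map<string, Mapping>();  // (proto, publicPort, dstIP, dstPort) -> mapping

  constructor(
    readonly publicIP: string,
    private portLo: number,                   // first usable public port (assumed 10000 in the demo)
    private portHi: number,                   // last usable public port
    private maxEntries: number,               // table capacity (assumed; real limits depend on memory)
    private timeouts: Record<Proto, number>,  // idle seconds before reclaim, per protocol
  ) {}

  private insideKey(f: Flow): string { return `${f.proto}|${f.srcIP}:${f.srcPort}>${f.dstIP}:${f.dstPort}`; }
  private outsideKey(proto: Proto, publicPort: number, dstIP: string, dstPort: number): string {
    return `${proto}|${publicPort}<${dstIP}:${dstPort}`;
  }

  // Drop entries idle longer than their protocol's timeout; returns how many were reclaimed.
  expire(now: number): number {
    const stale: string[] = [];
    this.byInside.forEach((m, k) => { if (now - m.lastSeen > this.timeouts[m.flow.proto]) stale.push(k); });
    for (const k of stale) {
      const m = this.byInside.get(k)!;
      this.byInside.delete(k);
      this.byOutside.delete(this.outsideKey(m.flow.proto, m.publicPort, m.flow.dstIP, m.flow.dstPort));
    }
    return stale.length;
  }

  // Outbound packet: reuse the mapping for this tuple, or allocate a public port.
  // Ports are unique per (proto, dstIP, dstPort), so one public port can serve flows to
  // different destinations; exhaustion therefore shows up first against a single busy destination.
  outbound(f: Flow, now: number): string | null {
    const key = this.insideKey(f);
    const existing = this.byInside.get(key);
    if (existing) { existing.lastSeen = now; return `${this.publicIP}:${existing.publicPort}`; }
    if (this.byInside.size >= this.maxEntries) return null;      // table full
    for (let p = this.portLo; p <= this.portHi; p++) {
      const ok = this.outsideKey(f.proto, p, f.dstIP, f.dstPort);
      if (!this.byOutside.has(ok)) {
        const m: Mapping = { flow: f, publicPort: p, lastSeen: now };
        this.byInside.set(key, m);
        this.byOutside.set(ok, m);
        return `${this.publicIP}:${p}`;
      }
    }
    return null;                                                  // port pool exhausted for this destination
  }

  // Inbound packet: forwarded only if it matches a mapping created by earlier outbound traffic.
  inbound(proto: Proto, srcIP: string, srcPort: number, publicPort: number, now: number): string | null {
    const m = this.byOutside.get(this.outsideKey(proto, publicPort, srcIP, srcPort));
    if (!m) return null;                                          // unsolicited: no translation entry
    m.lastSeen = now;
    return `${m.flow.srcIP}:${m.flow.srcPort}`;
  }

  size(): number { return this.byInside.size; }
}

// Demo: 3 public ports and a cap of 4 entries, both far smaller than any real device.
function patDemo(): { firstReply: string | null; unsolicited: string | null; fourthToSameDest: string | null; otherDest: string | null; afterExpiry: number } {
  const nat = new PatTable("203.0.113.1", 10000, 10002, 4, { tcp: 3600, udp: 30 });
  const web = (port: number): Flow => ({ proto: "tcp", srcIP: "192.168.1.10", srcPort: port, dstIP: "93.184.216.34", dstPort: 443 });
  nat.outbound(web(5000), 0);                                     // 203.0.113.1:10000
  nat.outbound(web(5001), 0);                                     // 203.0.113.1:10001
  nat.outbound(web(5002), 0);                                     // 203.0.113.1:10002
  const fourthToSameDest = nat.outbound(web(5003), 0);            // null: all three ports used for this destination
  const otherDest = nat.outbound({ ...web(5003), proto: "udp", dstIP: "8.8.8.8", dstPort: 53 }, 0); // port 10000 reused
  const firstReply = nat.inbound("tcp", "93.184.216.34", 443, 10000, 1);  // 192.168.1.10:5000
  const unsolicited = nat.inbound("tcp", "198.51.100.7", 22, 10000, 1);   // null: no mapping, dropped
  const afterExpiry = nat.expire(60);                             // only the idle UDP entry (30 s timeout) is reclaimed
  return { firstReply, unsolicited, fourthToSameDest, otherDest, afterExpiry };
}
```

The two lookups mirror the "Inside Local → Inside Global" and "Outside Global → Inside Local" directions in the table above. Real implementations differ in one detail worth knowing for troubleshooting: some allocate public ports per destination as here, others per public IP regardless of destination, which makes exhaustion hit sooner.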


PAT (Port Address Translation)

PAT allows multiple devices to share one public IP by using different ports.

PAT Example

Device A (192.168.1.10) → Public IP (203.0.113.1:10000)
Device B (192.168.1.20) → Public IP (203.0.113.1:10001)
Device C (192.168.1.30) → Public IP (203.0.113.1:10002)

How it works:

  1. Device sends packet with source port (e.g., 5000)
  2. NAT router assigns unique public port (e.g., 10000)
  3. Maps private IP:port → public IP:port
  4. Response uses same mapping to route back

Port range: The NAT chooses the public port from its own pool (commonly 1024-65535, or a narrower configured range). The private source port is usually an ephemeral port as well, but the two need not be equal; only the table ties them together.


Examples

NAT Configuration (Router)

! Static NAT (Cisco IOS; "!" starts a comment)
ip nat inside source static 192.168.1.10 203.0.113.10
interface GigabitEthernet0/0
  ip nat inside
interface GigabitEthernet0/1
  ip nat outside

! Dynamic NAT: inside hosts matched by access-list 1 draw from the pool
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat pool PUBLIC_POOL 203.0.113.10 203.0.113.15 netmask 255.255.255.0
ip nat inside source list 1 pool PUBLIC_POOL

! PAT (NAT overload): the same hosts share the outside interface address
! (use this instead of the pool line above, not together with it)
ip nat inside source list 1 interface GigabitEthernet0/1 overload

NAT Simulation

interface NATEntry {
  privateIP: string;
  privatePort: number;
  publicPort: number;
  timestamp: number; // last activity, in seconds
}

class NATRouter {
  private natTable = new Map<string, NATEntry>(); // "privateIP:privatePort" → entry
  private portCounter: number = 10000;
  private timeout: number = 60; // seconds of inactivity before an entry is dropped
  constructor(readonly publicIP: string) {}
  // Outbound: reuse the mapping for this private socket or allocate the next public port
  translateOutbound(privateIP: string, privatePort: number, now: number): string {
    const key = `${privateIP}:${privatePort}`;
    let entry = this.natTable.get(key);
    if (!entry) {
      entry = { privateIP, privatePort, publicPort: this.portCounter++, timestamp: now };
      this.natTable.set(key, entry);
    }
    entry.timestamp = now;
    return `${this.publicIP}:${entry.publicPort}`;
  }
  // Inbound: forward only if a live mapping exists for the public port; otherwise drop
  translateInbound(publicPort: number, now: number): string | null {
    const entry = this.entries().find((e) => e.publicPort === publicPort);
    if (!entry || now - entry.timestamp > this.timeout) return null;
    entry.timestamp = now;
    return `${entry.privateIP}:${entry.privatePort}`;
  }
  entries(): NATEntry[] { return Array.from(this.natTable.values()); }
}

NAT Table Monitoring

function showNATTable(natRouter: NATRouter, now: number): void {
  // Display NAT translation table: one row per mapping, age in seconds since last activity
  console.log("NAT Translation Table:");
  console.log(`${'Inside Local'.padEnd(20)} ${'Inside Global'.padEnd(20)} ${'Age'.padEnd(10)}`);
  console.log("-".repeat(52));
  for (const e of natRouter.entries()) {
    const local = `${e.privateIP}:${e.privatePort}`;
    const global = `${natRouter.publicIP}:${e.publicPort}`;
    console.log(`${local.padEnd(20)} ${global.padEnd(20)} ${String(now - e.timestamp).padEnd(10)}`);
  }
}

NAT Limitations

Problems with NAT

  1. End-to-end connectivity: Breaks the end-to-end principle; hosts are no longer directly addressable
  2. Peer-to-peer applications: Difficult for P2P (need port forwarding or NAT traversal)
  3. IPsec: AH fails because the translated header no longer matches its integrity check; ESP needs NAT traversal (NAT-T, UDP encapsulation)
  4. Logging: Harder to attribute traffic to individual users; you need the NAT's own translation logs with timestamps and ports
  5. Port exhaustion: PAT has only about 64,000 usable ports per public IP and transport protocol

NAT Traversal

NAT Traversal techniques for applications that need direct connections:

  1. STUN (Session Traversal Utilities for NAT): Lets a client discover the public IP:port its NAT assigned, by asking a server what source address it sees
  2. TURN (Traversal Using Relays around NAT): Relay server used when no direct path can be established
  3. ICE (Interactive Connectivity Establishment): Gathers candidates from STUN and TURN and picks the best working pair
  4. UPnP (Universal Plug and Play): Automatic port forwarding requested by the application; any LAN host can open ports this way, so treat it as a convenience, not a security boundary
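The STUN step, as an added example (not code from the original page, and not a real STUN library): a minimal RFC 5389 Binding request and response built and parsed offline. The server side here stands in for what a real STUN server would send back; the transaction ID and the reflexive address 203.0.113.1:10000 are constructed values for the demo.

```typescript
// Added example: a minimal STUN (RFC 5389) Binding exchange, built and parsed offline.
// A client behind NAT sends a Binding request; the server answers with the source
// address it saw, i.e. the NAT's public IP:port, in an XOR-MAPPED-ADDRESS attribute.
// The response bytes below are constructed locally; no server is contacted.

const MAGIC_COOKIE = 0x2112a442;
const BINDING_REQUEST = 0x0001;
const BINDING_SUCCESS = 0x0101;
const ATTR_XOR_MAPPED_ADDRESS = 0x0020;

function ipv4ToInt(ip: string): number {
  const o = ip.split(".").map(Number);
  if (o.length !== 4 || o.some((x) => !Number.isInteger(x) || x < 0 || x > 255)) throw new Error(`bad IPv4: ${ip}`);
  return ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}
function intToIpv4(n: number): string { return [24, 16, 8, 0].map((s) => (n >>> s) & 0xff).join("."); }

// 20-byte header: message type, attribute length, magic cookie, 96-bit transaction ID.
function buildHeader(type: number, length: number, txId: Uint8Array): Uint8Array {
  if (txId.length !== 12) throw new Error("transaction ID must be 12 bytes");
  const buf = new Uint8Array(20);
  const dv = new DataView(buf.buffer);
  dv.setUint16(0, type); dv.setUint16(2, length); dv.setUint32(4, MAGIC_COOKIE);
  buf.set(txId, 8);
  return buf;
}

function buildBindingRequest(txId: Uint8Array): Uint8Array { return buildHeader(BINDING_REQUEST, 0, txId); }

// Server side: encode the observed address, XORed with the cookie so that NATs which
// rewrite literal IP:port byte patterns in payloads (ALGs) do not corrupt it.
function buildBindingResponse(txId: Uint8Array, ip: string, port: number): Uint8Array {
  const attr = new Uint8Array(12);
  const dv = new DataView(attr.buffer);
  dv.setUint16(0, ATTR_XOR_MAPPED_ADDRESS); dv.setUint16(2, 8);
  attr[4] = 0; attr[5] = 0x01;                                  // reserved, family = IPv4
  dv.setUint16(6, port ^ (MAGIC_COOKIE >>> 16));                // X-Port
  dv.setUint32(8, (ipv4ToInt(ip) ^ MAGIC_COOKIE) >>> 0);        // X-Address
  const out = new Uint8Array(20 + attr.length);
  out.set(buildHeader(BINDING_SUCCESS, attr.length, txId), 0);
  out.set(attr, 20);
  return out;
}

// Client side: validate the header, match the transaction ID, decode the attribute.
function parseBindingResponse(msg: Uint8Array, expectedTxId: Uint8Array): { ip: string; port: number } {
  if (msg.length < 20) throw new Error("truncated STUN header");
  const dv = new DataView(msg.buffer, msg.byteOffset, msg.byteLength);
  if (dv.getUint16(0) !== BINDING_SUCCESS) throw new Error("not a Binding success response");
  if (dv.getUint32(4) !== MAGIC_COOKIE) throw new Error("bad magic cookie");
  for (let i = 0; i < 12; i++) if (msg[8 + i] !== expectedTxId[i]) throw new Error("transaction ID mismatch");
  const end = 20 + dv.getUint16(2);
  if (end > msg.length) throw new Error("declared length exceeds message");
  let off = 20;
  while (off + 4 <= end) {
    const type = dv.getUint16(off), len = dv.getUint16(off + 2);
    if (type === ATTR_XOR_MAPPED_ADDRESS && len === 8 && msg[off + 5] === 0x01) {
      const port = dv.getUint16(off + 6) ^ (MAGIC_COOKIE >>> 16);
      const ip = intToIpv4((dv.getUint32(off + 8) ^ MAGIC_COOKIE) >>> 0);
      return { ip, port };
    }
    off += 4 + len + ((4 - (len % 4)) % 4);                     // attributes are padded to 4 bytes
  }
  throw new Error("no XOR-MAPPED-ADDRESS in response");
}

// Constructed exchange: the client sits at 192.168.1.10:5000; the NAT maps it to 203.0.113.1:10000.
function stunDemo(): { request: Uint8Array; reflexive: { ip: string; port: number }; behindNat: boolean } {
  const txId = new Uint8Array([1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12]); // random in practice
  const request = buildBindingRequest(txId);
  const response = buildBindingResponse(txId, "203.0.113.1", 10000);  // what a server would send back
  const reflexive = parseBindingResponse(response, txId);
  // If the reflexive address differs from the local socket address, a NAT is in the path.
  return { request, reflexive, behindNat: reflexive.ip !== "192.168.1.10" || reflexive.port !== 5000 };
}
```

The reflexive address is what the client then hands to its peer (through a signalling channel) so the peer can send to the NAT's public port. Whether that works depends on the NAT's mapping and filtering behaviour, which is exactly what ICE probes by trying several candidate pairs and falling back to TURN.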

Common Pitfalls

  • Port exhaustion: Too many connections exhaust available ports. Fix: Increase port range, use connection pooling, reduce timeout
  • NAT table overflow: Too many translations consume memory. Fix: Reduce timeout, limit connections per device
  • Breaking applications: Some apps don't work through NAT. Fix: Use NAT traversal (STUN/TURN), port forwarding
  • Not understanding PAT: Confusing static NAT with PAT. Fix: Understand PAT uses ports, static NAT doesn't
  • Double NAT: NAT behind NAT causes issues. Fix: Avoid nested NAT, use bridge mode
  • Timeout too short: Connections drop prematurely. Fix: Increase NAT timeout for long-lived connections
  • Security through obscurity: Relying on NAT for security. Fix: Use proper firewalls, don't rely on NAT alone

Interview Questions

Beginner

Q: What is NAT and why is it used?

A:

NAT (Network Address Translation) translates private IP addresses to public IP addresses at the network boundary.

Why used:

  1. IPv4 exhaustion: Limited public IP addresses available
  2. Private networks: Use RFC 1918 private addresses (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
  3. Security (incidental): Hides internal addressing from the internet; not a substitute for a firewall
  4. Cost: Reduce need for multiple public IP addresses
  5. Flexibility: Easy to change internal network without affecting external

How it works:

Private Network          NAT Router          Internet
192.168.1.10    →    203.0.113.1    →    8.8.8.8
(Private IP)         (Public IP)         (Internet)

Types:

  • Static NAT: One private IP → One public IP
  • Dynamic NAT: Multiple private IPs → Pool of public IPs
  • PAT (NAT Overload): Multiple private IPs → One public IP (using ports)

Intermediate

Q: Explain the difference between NAT and PAT. How does PAT allow multiple devices to share one public IP?

A:

NAT (Network Address Translation):

  • Translates IP addresses only
  • Requires one public IP per private IP (or pool)
  • Used for static or dynamic mapping

PAT (Port Address Translation / NAT Overload):

  • Translates both IP addresses and ports
  • Allows multiple private IPs to share one public IP
  • Uses different ports to distinguish connections

How PAT works:

Device A (192.168.1.10:5000) → Public (203.0.113.1:10000)
Device B (192.168.1.20:5000) → Public (203.0.113.1:10001)
Device C (192.168.1.30:5000) → Public (203.0.113.1:10002)

PAT Process:

  1. Device sends packet: Source 192.168.1.10:5000
  2. NAT router assigns unique public port: 10000
  3. Creates mapping: (192.168.1.10:5000) → (203.0.113.1:10000)
  4. Forwards packet with translated source
  5. Response comes to 203.0.113.1:10000
  6. NAT router looks up mapping, translates back to 192.168.1.10:5000

NAT Table:

Inside Local          Inside Global
192.168.1.10:5000  →  203.0.113.1:10000
192.168.1.20:5000  →  203.0.113.1:10001
192.168.1.30:5000  →  203.0.113.1:10002

Benefits of PAT:

  • Efficiency: One public IP for entire network
  • Cost: No need for multiple public IPs
  • Scalability: Support many devices (up to port limit)

Limitations:

  • Port exhaustion: About 64,000 usable ports per public IP and transport protocol
  • Peer-to-peer: Difficult for P2P applications
  • Logging: Harder to track individual users

Senior

Q: Design a high-performance NAT system for a cloud provider that handles millions of concurrent connections. How do you handle port exhaustion, connection tracking, and ensure low latency?

A:

// Runnable sketch of the design; the table is in-memory here where the real system
// would use a replicated, sharded store (e.g. a Redis cluster) shared by all NAT nodes.
class PortAllocator {
  private free: number[] = [];
  constructor(lo: number, hi: number) { for (let p = hi; p >= lo; p--) this.free.push(p); }
  allocate(): number | null { return this.free.pop() ?? null; }   // null: this public IP is exhausted
  release(port: number): void { this.free.push(port); }
  available(): number { return this.free.length; }
}

class HighPerformanceNAT {
  private natTable = new Map<string, { publicIP: string; publicPort: number; lastSeen: number }>();
  private allocators = new Map<string, PortAllocator>();         // one port pool per public IP
  constructor(publicIPs: string[], private idleTimeout = 60, portRange: [number, number] = [1024, 65535]) {
    for (const ip of publicIPs) this.allocators.set(ip, new PortAllocator(portRange[0], portRange[1]));
  }
  // Spread flows across public IPs by hashing the inside tuple; fall back to any IP
  // with ports left when the chosen one is exhausted.
  translate(privateKey: string, now: number): string | null {
    const hit = this.natTable.get(privateKey);
    if (hit) { hit.lastSeen = now; return `${hit.publicIP}:${hit.publicPort}`; }
    const ips = Array.from(this.allocators.keys());
    const start = hash(privateKey) % ips.length;
    for (let i = 0; i < ips.length; i++) {
      const ip = ips[(start + i) % ips.length];
      const port = this.allocators.get(ip)!.allocate();
      if (port !== null) { this.natTable.set(privateKey, { publicIP: ip, publicPort: port, lastSeen: now }); return `${ip}:${port}`; }
    }
    return null;                                                   // every public IP exhausted: alert, add IPs
  }
  // Aggressive cleanup: return the ports of idle mappings to their pools.
  reclaim(now: number): number {
    const stale: string[] = [];
    this.natTable.forEach((m, k) => { if (now - m.lastSeen > this.idleTimeout) stale.push(k); });
    for (const k of stale) { const m = this.natTable.get(k)!; this.allocators.get(m.publicIP)!.release(m.publicPort); this.natTable.delete(k); }
    return stale.length;
  }
}
function hash(s: string): number { let h = 0; for (let i = 0; i < s.length; i++) h = (h * 31 + s.charCodeAt(i)) >>> 0; return h; }

Features:

  1. Distributed NAT table: Redis cluster for scalability
  2. Port pools: Allocate port ranges per public IP
  3. Connection tracking: Monitor active connections
  4. Port exhaustion handling: Reuse expired ports, add IPs, aggressive cleanup
  5. Load balancing: Distribute across multiple public IPs
  6. Monitoring: Track metrics, detect issues

Related Topics

  • IP Addressing (IPv4/IPv6) - NAT translates between private and public IP addresses, understanding IP addressing explains NAT functionality

  • Subnetting & CIDR - NAT often works with subnets, understanding subnetting helps configure NAT properly

  • Firewall Rules & ACLs - NAT is often implemented in firewalls, understanding firewall rules complements NAT knowledge

  • OSI Model (7 Layers) - NAT operates at Layer 3 (Network), understanding the OSI model provides context

  • Load Balancers (L4 vs L7) - Load balancers can perform NAT, understanding NAT helps configure load balancing

Key Takeaways

NAT: Translates private IPs to public IPs at network boundary

Types: Static (1:1), Dynamic (many:many), PAT (many:1 with ports)

PAT: Uses ports to allow multiple devices to share one public IP

NAT table: Tracks translations, entries expire after timeout

Process: Outbound (private→public), inbound (public→private) using table lookup

Limitations: Breaks end-to-end connectivity, P2P issues, port exhaustion

NAT traversal: STUN/TURN/ICE for applications needing direct connections

Best practices: Monitor port usage, use connection pooling, implement proper timeouts


About the author

InterviewCrafted helps you master system design with patience. We believe in curiosity-led engineering, reflective writing, and designing systems that make future changes feel calm.