Skip to content

What is NAT, and how does PAT differ from it?

Short answer

NAT (Network Address Translation) rewrites the source and/or destination IP as packets cross a boundary, typically mapping private internal addresses to public ones. PAT (Port Address Translation, or NAT overload) extends this by also translating ports, letting many internal hosts share a single public IP — each flow distinguished by its port. PAT is what home and office routers use to put a whole LAN behind one address.

NAT exists chiefly because IPv4 addresses ran short: there aren't enough public addresses for every device, so organizations use private ranges internally and translate to public addresses at the edge. Knowing the NAT/PAT distinction shows you understand how real networks reach the internet.

Plain NAT

Network Address Translation rewrites IP addresses in packet headers as they cross a router or firewall. Static NAT maps one private address to one public address (useful for a server that must be reachable). Dynamic NAT maps a pool of private addresses to a pool of public ones. In both, the translation is IP-to-IP.

PAT (NAT overload)

Port Address Translation is the version almost everyone actually uses. It maps many internal hosts to a single public IP by also translating the source port. The NAT device keeps a translation table keyed by the combination of internal IP, internal port, and a unique external port. Return traffic is matched back to the right host using that table. This is how an entire home network browses the web through one ISP-assigned address.

Security side effects

NAT is sometimes called security by accident: because inbound connections have no mapping by default, hosts behind PAT aren't directly reachable from outside. That's a useful side effect, not a firewall — it provides no inspection or policy, and once a host initiates outbound traffic, the return path is open. To expose an internal service deliberately you configure port forwarding (a static inbound mapping). NAT also breaks protocols that embed IPs in their payload (SIP, FTP), requiring ALGs to fix them up.

Interviewers want the IP-only vs IP+port distinction, that PAT is what shares one public IP, and the caveat that NAT is not a security control.

Likely follow-ups

  • Why is NAT often described as 'security by accident' rather than a real control?
  • How does port forwarding let an inbound connection reach a host behind NAT?
  • What problems does NAT create for protocols like SIP or for end-to-end connectivity?

Sources

Certifications

Get 100 cybersecurity interview questions + answers

Drop your email and we'll send you the free PDF pack and the flashcard deck.

No spam. Unsubscribe anytime.