NAT Configurations

You can configure NAT in several different ways. Each of the following configuration methods provides a solution for different configuration requirements:

Traditional NAT

Traditional NAT is the most common method of using address translation. Its primary use is translating private addresses to legal addresses for use in an external network. When configured for dynamic operation, hosts within a private network can initiate access to the external (public) network, but external nodes on the outside network cannot initiate access to the private network.

Addresses on the private network and public network must not overlap. Also, route destination advertisements on the public network (for example, the Internet) can appear within the inside network, but the NAT router does not propagate advertisements of local routes that reference private addresses out to the public network.

There are two types of traditional NAT—basic NAT and NAPT.

Basic NAT

Basic NAT provides translation for IP addresses only (called a simple translation) and places the mapping into a NAT table. In other words, for packets outbound from the private network, the NAT router translates the source IP address and related fields (for example, IP, TCP, UDP, and ICMP header checksums). For inbound packets, the NAT router translates the destination IP address (and related checksums) for entries that it finds in its translation table.

Caution: Although NAT is the simplest translation method, it is the least secure. By not including port or external host information in the translation, basic NAT allows access to any port of the private host by any external host.


Network Address Port Translation (NAPT) extends the level of translation beyond that of basic NAT; it modifies both the IP address and the transport identifier (for example, the TCP or UDP port number, or the ICMP query identifier) and places the mapping into the translation table (this entry is called an extended translation). This method can translate the addresses and transport identifiers of many private hosts into a few external addresses and transport identifiers, to make efficient use of globally registered IP addresses.

Similar to basic NAT, for outbound packets NAPT translates the source IP address, source transport identifier, and related checksum fields. For inbound packets NAPT translates the destination IP address, destination transport identifier, and checksum fields.

Bidirectional NAT

Bidirectional (or two-way) NAT adds support to basic NAT for the Domain Name System (DNS) so public hosts can initiate sessions into the private network, usually to reach servers intended for public access.

When an outside host attempts to resolve the name of an inside host on a private network, the NAT router intercepts the DNS reply and installs an address translation to allow the outside host to reach the inside host by using a public address. When the outside host initiates a connection with the inside host on the private network, the NAT router translates that public destination address to the private address of the inside host and, on the return path, replaces the source address with the advertised public address.

You might need to perform some additional configuration to allow public access from the Internet to a DNS server that resides in the private domain. (See Bidirectional NAT Example.)

The same address space requirements and routing restrictions apply to bidirectional NAT that were described for traditional NAT. The difference between these two methods is that the DNS exchange might create entries within the translation table.

Twice NAT

In twice NAT, both the source and destination addresses are subject to translation as packets traverse the NAT router in either direction. For example, you would use twice NAT if you are connecting two networks in which all or some addresses in one network overlap addresses in another network, whether the network is private or public.