Knowledge Base

Understanding NAT Rules: NAT/PAT, Port Forwarding, Static NAT, and Dynamic NAT

Last updated: May 30, 2026
What is NAT in simple words?

NAT stands for Network Address Translation. A firewall or router uses it to rewrite the IP addresses (and, for PAT, the port numbers) in packet headers as traffic passes through it.

The most common use of NAT is to allow private LAN users to access the internet through one public or WAN-side IP address.

Private LAN user: 10.10.10.2
Firewall WAN IP: 203.x.x.x
Internet server: 8.8.8.8

Before NAT: 10.10.10.2 -> 8.8.8.8
After NAT:  203.x.x.x -> 8.8.8.8

Short summary
NAT hides or translates internal IP addresses so traffic can move correctly between private and public networks.


NAT/PAT:

NAT/PAT is used for outbound traffic from LAN to internet. It allows many internal users to share one WAN or public IP address. PAT means Port Address Translation: the firewall rewrites the source port as well as the source IP, keeps a session table, and uses the translated port to send each reply back to the right internal host. Because only traffic found in that session table is translated back, unsolicited inbound packets to the shared WAN IP are dropped.

Real-world example

In an office, 100 employees are connected to the LAN. Each laptop has a private IP address such as 10.10.10.10, 10.10.10.11, and 10.10.10.12. These private IPs are not routable on the public internet, so a packet sent from them could never be answered directly. NAT/PAT allows all employees to browse websites using the firewall WAN IP.

Employee laptop 1: 10.10.10.10 -> Internet
Employee laptop 2: 10.10.10.11 -> Internet
Employee laptop 3: 10.10.10.12 -> Internet

All traffic goes out as firewall WAN IP: 203.x.x.x

Where NAT/PAT is used

  • LAN users accessing internet.
  • Office, hotel, campus, branch, or home broadband internet sharing.
  • Multiple private users sharing one WAN IP.
  • Most common rule for general internet access.

Short summary
NAT/PAT is mainly used for LAN to internet access. It is the normal rule used when many internal users share one firewall WAN IP.
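The session table is what makes PAT work, and it is easiest to see with two hosts that happen to pick the same source port. The following model is an added example, not code from the original article; the WAN address 203.0.113.1 and the class and function names are assumed, and the sample flows are constructed. The model keeps the original source port when it is free and only picks a new one on collision, which is how many firewalls behave.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Assumed firewall WAN address; 203.0.113.0/24 is a documentation range.
WAN_IP = "203.0.113.1"


@dataclass(frozen=True)
class Flow:
    """One direction of a TCP/UDP session as the firewall sees it."""
    src: str
    sport: int
    dst: str
    dport: int


class PatTable:
    """Toy PAT (NAT overload) session table for one shared WAN IP."""

    def __init__(self, wan_ip: str, first_port: int = 1024, last_port: int = 65535):
        self.wan_ip = wan_ip
        self.first_port, self.last_port = first_port, last_port
        # (src, sport, dst, dport) -> translated source port
        self.out: Dict[Tuple[str, int, str, int], int] = {}
        # (translated port, dst, dport) -> (src, sport): used to map replies back
        self.back: Dict[Tuple[int, str, int], Tuple[str, int]] = {}

    def _alloc_port(self, wanted: int, dst: str, dport: int) -> int:
        if (wanted, dst, dport) not in self.back:
            return wanted                      # port preservation: keep the original
        for port in range(self.first_port, self.last_port + 1):
            if (port, dst, dport) not in self.back:
                return port                    # first free port toward this destination
        raise RuntimeError("PAT port range exhausted for %s:%d" % (dst, dport))

    def outbound(self, f: Flow) -> Flow:
        """LAN -> internet: rewrite the source to the WAN IP and record the session."""
        key = (f.src, f.sport, f.dst, f.dport)
        if key not in self.out:
            tport = self._alloc_port(f.sport, f.dst, f.dport)
            self.out[key] = tport
            self.back[(tport, f.dst, f.dport)] = (f.src, f.sport)
        return Flow(self.wan_ip, self.out[key], f.dst, f.dport)

    def inbound(self, f: Flow) -> Optional[Flow]:
        """Internet -> WAN IP: only packets matching a recorded session are
        translated back; anything else returns None (dropped)."""
        if f.dst != self.wan_ip:
            return None
        orig = self.back.get((f.dport, f.src, f.sport))
        if orig is None:
            return None
        src, sport = orig
        return Flow(f.src, f.sport, src, sport)


def demo() -> Tuple[Flow, Flow, Optional[Flow], Optional[Flow]]:
    """Constructed scenario: two laptops both use source port 50000 to one server."""
    table = PatTable(WAN_IP)
    a = table.outbound(Flow("10.10.10.10", 50000, "8.8.8.8", 443))
    b = table.outbound(Flow("10.10.10.11", 50000, "8.8.8.8", 443))
    # The server answers the second laptop: its destination port is the translated port.
    reply_b = table.inbound(Flow("8.8.8.8", 443, WAN_IP, b.sport))
    # An unsolicited scan of the WAN IP matches no session and is dropped.
    scan = table.inbound(Flow("198.51.100.5", 40000, WAN_IP, 22))
    return a, b, reply_b, scan


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The first laptop keeps port 50000; the second collides and is moved to 1024, and the reply addressed to 203.0.113.1:1024 is routed back to 10.10.10.11:50000. The scan packet shows the security side effect of PAT: with no matching session, there is nowhere to send it, so it is dropped.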


Port Forwarding:

Port Forwarding is used for inbound traffic from the internet to an internal LAN server. It forwards a specific public port to a specific internal IP and port. A forwarded port is reachable from every internet address unless the rule or the firewall policy restricts the source, so limit the allowed sources where possible and forward only the ports that are actually needed.

Real-world example

A company has a CCTV/NVR or web server inside the LAN. The server IP is private, so users from outside cannot reach it directly. Port forwarding allows users from the internet to access that internal service using the firewall public IP and a selected port.

External user opens: 203.x.x.x:8080
Firewall forwards to: 10.10.10.2:8080

External SSH test: 203.x.x.x:2222
Firewall forwards to: 10.10.10.3:22

Where Port Forwarding is used

  • Remote access to an internal web server.
  • Remote access to CCTV/NVR systems.
  • Publishing an internal application to external users.
  • Testing SSH/SFTP access from an outside network.

Short summary
Port Forwarding is used when someone from outside needs to access a service hosted inside the LAN.


Static NAT:

Static NAT is a fixed one-to-one mapping between one internal IP address and one translated IP address. The mapping does not change and it works in both directions. Because every port of the translated IP is mapped to the internal host, the firewall policy must still restrict which services are reachable.

Real-world example

A company hosts a mail server or application server inside the LAN. The server must always be reachable using the same public IP. Static NAT maps the internal server IP to one fixed public IP.

Internal server IP: 10.10.10.50
Mapped public IP: 203.1.1.50

10.10.10.50 <-> 203.1.1.50

Where Static NAT is used

  • Public-facing servers that need a fixed public identity.
  • Mail server, web server, application server, or VPN server.
  • When inbound and outbound traffic should use the same dedicated public IP.
  • When one internal device must always map to one translated IP.

Short summary
Static NAT is a permanent one-to-one IP mapping. It is useful when a server needs a dedicated translated IP address.
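The difference between Port Forwarding (one public port to one internal port, inbound only) and Static NAT (every port, both directions) is clearest when both rule types are evaluated against the same inbound packets. The following is an added example, not code from the original article; the public addresses 203.0.113.1 and 203.0.113.50, the admin source range 198.51.100.0/24, and the class names are assumed, and the rules mirror the article's 2222 -> 10.10.10.3:22, 8080 -> 10.10.10.2:8080 and 10.10.10.50 mail-server cases.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Assumed public addresses, taken from the 203.0.113.0/24 documentation range.
WAN_IP = "203.0.113.1"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class PortForward:
    """One public port on one public IP -> one internal IP:port."""
    public_ip: str
    public_port: int
    internal_ip: str
    internal_port: int
    # Sources allowed to use this forward. The default exposes the port to the
    # whole internet; production rules should narrow it.
    allowed_sources: Tuple[str, ...] = ("0.0.0.0/0",)


@dataclass(frozen=True)
class StaticNat:
    """Fixed one-to-one mapping: every port, both directions."""
    public_ip: str
    internal_ip: str


class InboundNat:
    def __init__(self, forwards: List[PortForward], statics: List[StaticNat]):
        self.forwards = forwards
        self.statics = statics

    def translate_in(self, p: Packet) -> Optional[Packet]:
        """Internet -> firewall. None means no rule matched and the packet is dropped."""
        for fw in self.forwards:
            if p.dst == fw.public_ip and p.dport == fw.public_port:
                src = ip_address(p.src)
                if not any(src in ip_network(net) for net in fw.allowed_sources):
                    return None  # source not permitted by this forward
                return Packet(p.src, p.sport, fw.internal_ip, fw.internal_port)
        for st in self.statics:
            if p.dst == st.public_ip:
                # Static NAT passes every destination port through unchanged,
                # so the filter policy behind it must still restrict services.
                return Packet(p.src, p.sport, st.internal_ip, p.dport)
        return None

    def translate_out(self, p: Packet) -> Packet:
        """Internal -> internet. Only Static NAT is symmetric; a host that is
        merely port-forwarded falls through to the general NAT/PAT rule (not modelled)."""
        for st in self.statics:
            if p.src == st.internal_ip:
                return Packet(st.public_ip, p.sport, p.dst, p.dport)
        return p


def build_example() -> InboundNat:
    """Rules mirroring the article: SSH forward limited to an admin range,
    an open web forward, and a static NAT for the mail server."""
    return InboundNat(
        forwards=[
            PortForward(WAN_IP, 2222, "10.10.10.3", 22, ("198.51.100.0/24",)),
            PortForward(WAN_IP, 8080, "10.10.10.2", 8080),
        ],
        statics=[StaticNat("203.0.113.50", "10.10.10.50")],
    )


if __name__ == "__main__":
    nat = build_example()
    print(nat.translate_in(Packet("198.51.100.7", 51000, WAN_IP, 2222)))   # reaches 10.10.10.3:22
    print(nat.translate_in(Packet("192.0.2.9", 51000, WAN_IP, 2222)))      # None: not an admin source
    print(nat.translate_in(Packet("192.0.2.9", 51000, "203.0.113.50", 25)))
    print(nat.translate_out(Packet("10.10.10.50", 40000, "192.0.2.9", 25)))
```

Two checks worth running against any real configuration follow from the model: a port forward without a source restriction answers anyone on the internet, and a Static NAT host answers on every port, so a port such as 3389 that was never intended to be public is reachable unless the filter policy blocks it.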


Dynamic NAT

Dynamic NAT translates internal IP addresses to an available IP from a NAT pool. Unlike Static NAT, the mapping is not permanently fixed for one user.

Real-world example

An organization has 50 users and a small pool of public IPs. When a user starts internet traffic, the firewall assigns one available translated IP from the pool and keeps it for as long as that host has active sessions. When the sessions end, the translated IP returns to the pool and can be reused by another user. If every pool address is in use, new users cannot get out until one is released, unless the firewall is also configured to overload the pool with PAT.

Internal users: 10.10.10.10 – 10.10.10.59
NAT pool: 203.1.1.10 – 203.1.1.20

User gets any available translated IP from the pool.

Where Dynamic NAT is used

  • Organizations with a pool of public IP addresses.
  • Cases where fixed one-to-one mapping is not required.
  • Outbound access where translated IP can be selected dynamically.
  • Larger networks that need controlled use of available public IPs.

Short summary
Dynamic NAT uses a pool of translated IP addresses. The mapping is temporary and depends on availability.
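Pool exhaustion is the failure mode to plan for with Dynamic NAT, and it is easy to demonstrate with the article's own numbers. The following is an added example, not code from the original article; the pool 203.0.113.10 – 203.0.113.20 stands in for the article's public range, and the class and function names are assumed.

```python
from ipaddress import ip_address
from typing import Dict, List, Optional, Tuple


class DynamicNatPool:
    """Dynamic NAT without PAT: each active internal host holds one whole
    pool address until its sessions end."""

    def __init__(self, first: str, last: str):
        lo, hi = int(ip_address(first)), int(ip_address(last))
        self.free: List[str] = [str(ip_address(n)) for n in range(lo, hi + 1)]
        self.active: Dict[str, str] = {}   # internal ip -> translated ip

    def translate(self, internal_ip: str) -> Optional[str]:
        """Return the translated address, or None when the pool is exhausted
        (the new session fails; a host that already holds an address keeps it)."""
        if internal_ip in self.active:
            return self.active[internal_ip]
        if not self.free:
            return None
        translated = self.free.pop(0)
        self.active[internal_ip] = translated
        return translated

    def release(self, internal_ip: str) -> None:
        """Called when the host's last session times out; the address becomes reusable."""
        translated = self.active.pop(internal_ip, None)
        if translated is not None:
            self.free.append(translated)


def simulate(users: List[str], pool: DynamicNatPool) -> Tuple[int, int]:
    """Every user opens a session at once: count how many get an address."""
    ok = sum(1 for u in users if pool.translate(u) is not None)
    return ok, len(users) - ok


def article_scenario() -> Tuple[int, int, Optional[str]]:
    """Constructed run: 50 users (10.10.10.10-59) against an 11-address pool."""
    users = ["10.10.10.%d" % h for h in range(10, 60)]
    pool = DynamicNatPool("203.0.113.10", "203.0.113.20")
    ok, failed = simulate(users, pool)
    pool.release("10.10.10.10")              # first user's sessions end
    late = pool.translate("10.10.10.59")     # a user that failed earlier retries
    return ok, failed, late


if __name__ == "__main__":
    print(article_scenario())   # (11, 39, '203.0.113.10')
```

Only 11 of the 50 users get out at the same time; the other 39 fail until an address is released. When sizing a pool, compare the number of addresses with the expected number of concurrently active hosts, not the total number of users, or enable PAT on the pool.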


Source NAT

Source NAT (SNAT) is the general term for rewriting the source IP address of outgoing traffic; NAT/PAT and Masquerade are both forms of it. In most firewall interfaces, and in this article, a Source NAT rule means the translated address is chosen manually: the firewall changes the source IP of the matching traffic to a specific configured IP address.

Real-world example

A SaaS provider allows access only from the company public IP 203.1.1.10. The firewall can use Source NAT so all selected LAN users access that SaaS application using exactly 203.1.1.10.

Original source: 10.10.10.2
Translated source: 203.1.1.10

Destination sees traffic from 203.1.1.10

Where Source NAT is used

  • When a specific translated source IP is required.
  • When a third-party service has allow-listed one public IP.
  • When different LAN subnets must use different public IPs.
  • When predictable source IP behavior is required.

Short summary
Source NAT is used when traffic must go out using a defined translated source IP address.


Masquerade:

Masquerade is a simple and automatic form of Source NAT. The firewall automatically uses the current IP address of the outbound WAN interface.

Real-world example

A branch office uses broadband, PPPoE, or 4G/5G where the WAN IP can change. Masquerade is useful because the firewall automatically translates LAN traffic using whatever WAN IP is currently assigned.

LAN user: 10.10.10.2
WAN IP today: 49.x.x.x
WAN IP tomorrow: 103.x.x.x

Masquerade automatically uses the active WAN IP.

Where Masquerade is used

  • Normal LAN to internet access.
  • Dynamic WAN IP links.
  • DHCP WAN, PPPoE, LTE, 4G, or 5G connections.
  • Most branch and small office deployments.

Short summary
Masquerade is the easiest and most common option for normal internet NAT when the WAN IP may change.


No NAT:

No NAT means the firewall does not change the source IP address. The original client IP remains visible to the destination side.

Real-world example

A branch office connects to Head Office through an IPsec tunnel. The Head Office firewall must see the real branch LAN IPs for routing and policy control. If the general outbound NAT rule matched this traffic first, it would leave with the firewall WAN IP as its source; it would then no longer fit the tunnel's local and remote network definition, and Head Office could not identify the real branch users. In this case a No NAT rule is placed above the general NAT rule so that the VPN traffic is excluded from translation.

Branch user: 10.10.10.2
Head Office server: 192.168.50.10

With No NAT: 10.10.10.2 -> 192.168.50.10
Original source IP is preserved.

Where No NAT is used

  • VPN traffic.
  • Site-to-site IPsec traffic.
  • MPLS or private WAN routing.
  • Inter-branch communication.
  • Any case where the remote side must see the real LAN IP.

Short summary
No NAT is used when traffic should be routed without changing the original source IP address. On most firewalls NAT rules are matched in order and the first match wins, so the No NAT rule must sit above the general NAT/PAT or Masquerade rule.
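The three outbound rule types described above (Source NAT with a fixed address, Masquerade with the interface address, and No NAT) only behave as intended when the rule order is right. The following first-match evaluator is an added example, not code from the original article; the SaaS endpoint 198.51.100.77, the allow-listed address 203.0.113.10, the WAN addresses, the interface name "wan" and the function names are assumed. Policy-based IPsec traffic is modelled as leaving through the WAN interface, which is why the No NAT rule matches on the destination network rather than on an interface.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    out_iface: str


@dataclass(frozen=True)
class OutboundRule:
    src_net: str
    dst_net: str
    out_iface: Optional[str]           # None = any interface
    action: str                        # "no-nat", "src-nat" or "masquerade"
    to_address: Optional[str] = None   # only for src-nat


def apply_outbound_nat(rules: List[OutboundRule], pkt: Packet,
                       iface_ips: Dict[str, str]) -> str:
    """Return the source address the packet leaves with.

    The first matching rule wins, as in most firewall NAT tables, so the
    position of the No NAT rule decides whether VPN traffic stays untranslated.
    """
    for r in rules:
        if ip_address(pkt.src) not in ip_network(r.src_net):
            continue
        if ip_address(pkt.dst) not in ip_network(r.dst_net):
            continue
        if r.out_iface is not None and r.out_iface != pkt.out_iface:
            continue
        if r.action == "no-nat":
            return pkt.src                       # routed with the original source
        if r.action == "src-nat":
            return r.to_address                  # fixed, manually chosen address
        if r.action == "masquerade":
            return iface_ips[pkt.out_iface]      # whatever the interface has right now
        raise ValueError("unknown action %r" % r.action)
    return pkt.src                               # no rule matched: no translation


LAN = "10.10.10.0/24"
HQ = "192.168.50.0/24"          # head office subnet reached over IPsec
SAAS = "198.51.100.77/32"       # assumed SaaS endpoint that allow-lists 203.0.113.10

# Correct order: the No NAT exception sits above the catch-all masquerade.
GOOD_ORDER = [
    OutboundRule(LAN, HQ, None, "no-nat"),
    OutboundRule(LAN, SAAS, "wan", "src-nat", "203.0.113.10"),
    OutboundRule(LAN, "0.0.0.0/0", "wan", "masquerade"),
]

# Common mistake: masquerade first. The No NAT rule is never reached.
BAD_ORDER = [GOOD_ORDER[2], GOOD_ORDER[0], GOOD_ORDER[1]]


def hq_source(rules: List[OutboundRule], wan_ip: str) -> str:
    """Source address the head office sees for a branch user (constructed packet)."""
    return apply_outbound_nat(rules, Packet("10.10.10.2", "192.168.50.10", "wan"),
                              {"wan": wan_ip})


if __name__ == "__main__":
    print(hq_source(GOOD_ORDER, "203.0.113.1"))   # 10.10.10.2
    print(hq_source(BAD_ORDER, "203.0.113.1"))    # 203.0.113.1: tunnel selectors no longer match
```

With the correct order the Head Office sees 10.10.10.2, the SaaS endpoint sees exactly 203.0.113.10, and ordinary internet traffic follows whatever address the WAN interface currently holds. With Masquerade on top, the same VPN packet leaves as 203.0.113.1, which is the symptom to look for when a tunnel is up but the remote side cannot reach branch hosts.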


Simple comparison in words

NAT/PAT vs Port Forwarding

NAT/PAT is for users going out from LAN to internet. Port Forwarding is for outside users coming in from internet to an internal server.

NAT/PAT:        LAN -> Internet
Port Forwarding: Internet -> LAN Server

Static NAT vs Dynamic NAT

Static NAT gives a permanent fixed mapping. Dynamic NAT uses an available translated IP from a pool and the mapping can change.

Static NAT:  One internal IP always maps to one translated IP.
Dynamic NAT: Internal IP maps to any available translated IP from a pool.

Source NAT vs Masquerade

Source NAT uses a manually defined translated IP. Masquerade automatically uses the current WAN interface IP.

Source NAT:  Use this exact translated IP.
Masquerade:  Use whatever IP is currently on the WAN interface.


Which NAT type should be used?
  • Use NAT/PAT when LAN users need internet access.
  • Use Port Forwarding when an internal server must be accessed from outside.
  • Use Static NAT when one internal server needs one fixed translated IP.
  • Use Dynamic NAT when internal users should use an available IP from a translated IP pool.
  • Use Source NAT when traffic must go out using one specific source IP.
  • Use Masquerade when traffic should use the current WAN IP automatically.
  • Use No NAT when original IPs must remain unchanged, mainly for VPN or private routing.

Final summary:

NAT rules decide how traffic is translated when it passes through the firewall. The correct NAT type depends on the traffic direction and the business requirement.

  • For normal internet access, NAT/PAT with Masquerade is usually used.
  • For external access to an internal service, Port Forwarding is used.
  • For permanent one-to-one IP mapping, Static NAT is used.
  • For IP pool based translation, Dynamic NAT is used.
  • For fixed outgoing translated IP, Source NAT is used.
  • For VPN or routed private network traffic, No NAT is used.

