Organizations that have not implemented IPv6 SHOULD utilize Network Address Translation (NAT) to conserve IP address space and further obscure their network surface from the public Internet.

Description: Network Address Translation (NAT) is a technical method that allows a business to use many private IP addresses behind one (or a few) public IP addresses. What does this mean? IPv4 is still the most widely used standard for assigning IP addresses to clients. IPv4 addresses use a 32-bit numbering scheme, conventionally written as four decimal numbers separated by periods, for example 200.123.30.2. When IPv4 was devised it did not anticipate how widespread Internet communication would become; a 32-bit address space tops out at 4,294,967,296 individual addresses. Clearly, in the year 2026, there are more devices on the Internet than that. Not all IPv4 addresses are available for public use, either: some ranges are reserved for private networks, loopback, multicast, documentation, and experimentation. IPv6 is the newer standard for assigning IP addresses. IPv6 uses 128-bit addresses, conventionally written in hexadecimal, giving roughly 340 undecillion unique addresses. Clearly, this is enough. The issue is that IPv6 has not been universally adopted, and many organizations see migrating to it as too risky. NAT exists so that networks can continue using IPv4 even though the supply of unallocated public addresses has been exhausted.

The IP addresses that reach the Internet are known as public IP addresses and are routable across the Internet. If you go online and search for "What's My IP", you will see your current public IP address. When businesses purchase Internet service from an Internet Service Provider (ISP), that service includes one or more public IP addresses. RFC 1918 defines three blocks of IP addresses known as private IP addresses (the "Class" labels are informal; in CIDR notation the blocks are):

  • 10.0.0.0 -- 10.255.255.255 (10.0.0.0/8, one Class A network)
  • 172.16.0.0 -- 172.31.255.255 (172.16.0.0/12, sixteen contiguous Class B networks)
  • 192.168.0.0 -- 192.168.255.255 (192.168.0.0/16, 256 contiguous Class C networks)

These addresses are not routable on the public Internet and can't be used for normal Internet connectivity. ISPs and backbone routers typically filter packets sourced from or destined to RFC 1918 space (so-called bogon filtering), so such packets are dropped. However, these addresses can be used freely on private local area networks, such as those in business environments. If you open a command prompt and run ipconfig /all, you will almost certainly see that you are using an address in one of the RFC 1918 ranges.

NAT is used to take the private IP addresses used on the local network and translate them into a public IP address so the traffic can be routed on the Internet. This has several advantages. First, it obscures the internal network: a host's actual IP address and the internal addressing plan are not exposed on the Internet, and an outside party sees only the NAT router's public address. Note, however, that NAT by itself is not a firewall. The protection comes from the router's stateful connection tracking, which only forwards inbound packets that match an existing mapping; a misconfigured port forward or a "DMZ host" setting exposes an internal host just as fully as a public address would, so explicit inbound-deny rules are still required. NAT also complicates incident response, because external logs record only the shared public IP and port; retain the NAT translation logs with accurate timestamps so that an external report can be traced back to the internal host. Secondly, NAT saves money, since a network can operate with a single public IP address on the Internet while using private IP addresses internally.

When using NAT, the following basic process is performed:

  1. An internal client requests to access a resource on the Internet.
  2. The NAT router receives the packet and replaces the private source IP address and source port with its own public IP address and an unused port from its pool. (Rewriting the port as well as the address is what distinguishes Port Address Translation, described below, from one-to-one NAT, which rewrites only the address.)
  3. NAT will store this address mapping in its table, then send out the new packet to the destination on the Internet.
  4. The destination resource receives the packet and sees the public IP address and port, not the original private IP address and port. The resource sends a response back to the NAT router.
  5. NAT receives the response from the Internet resource, uses its mapping table to look up the original private IP address and port on the internal network, rewrites the destination accordingly, and forwards the packet to the internal host. An inbound packet that matches no table entry is discarded.

This is the basic functionality of NAT. However, NAT can be further broken down into three types, each of which takes a different approach to the process:

Static NAT: One private IP address is mapped to one public IP address in a fixed 1-to-1 mapping. Because the mapping is permanent and works in both directions, it is used for servers that must be reachable from the Internet (a mail or web server in a DMZ, for example). It is not used for general client traffic, since it still requires a unique public IP address for each device.

Dynamic NAT: Uses a pool of public IP addresses that are assigned to internal hosts on demand and released when the mapping expires. Once the pool is exhausted, new connections cannot be translated and are dropped until an address is freed. This is suitable for networks with a small enough number of simultaneously active hosts that the pool is unlikely to be depleted.

Port Address Translation (PAT): One public IP address is shared by many private IP addresses. Port numbers are used to distinguish the flows and make each mapping unique. When a private host sends a packet to the Internet, the router replaces the source address with its public address and the source port with an unused port from its pool, and records the mapping. This is the most commonly used form of NAT, since it allows thousands of private hosts to share a single public IP address (bounded by the roughly 64,000 port numbers available per public address and protocol).


When consumer-grade routers state that they employ NAT, they are usually referring to PAT specifically. Even though PAT is a separate category, it has been widely adopted as the default strategy for NAT routers.

NAT (in the PAT form) is generally enabled by default on basic business-grade networking equipment. Small to medium-sized businesses using general-purpose enterprise networking equipment will not usually need any extra configuration to implement it. However, larger networks with multiple internal segments, overlapping private address space (common after mergers), or services that must be reachable from the Internet will need explicit NAT rules, such as static mappings, address pools, or policy-based NAT, and those rules should be reviewed alongside the firewall policy, since every static mapping or port forward is an inbound exposure.