Network address translation
=={{Anchor|MASQUERADING}}One-to-many NAT==
[[File:Network Address Translation (file2).jpg|thumb|Network address mapping]]
Most network address translators map multiple private hosts to one publicly exposed IP address.

In a typical configuration, a local network uses one of the designated ''private'' IP address subnets (RFC 1918<ref name=":0">{{Cite journal |last=Wing |first=Dan |date=2010-07-01 |title=Network Address Translation: Extending the Internet Address Space |url=https://ieeexplore.ieee.org/document/5496805 |journal=IEEE Internet Computing |volume=14 |issue=4 |pages=66–70 |doi=10.1109/MIC.2010.96 |s2cid=31082389 |issn=1089-7801|url-access=subscription }}</ref>). The network has a router having network interfaces on both the private and the public network. The public address is typically assigned by an [[Internet service provider]]. As traffic passes from the private network to the Internet, NAT translates the source address in each packet from a private address to the router's public address. The NAT facility tracks each active connection. When the router receives inbound traffic from the Internet, it uses the connection tracking data obtained during the outbound phase to determine to which private address it should forward the reply.<ref name="rfc4787" />

Packets passing from the private network to the public network will have their source address modified, while packets passing from the public network back to the private network will have their destination address modified.

To avoid ambiguity in how replies are translated, further modifications to the packets are required. The vast bulk of Internet traffic uses [[Transmission Control Protocol]] (TCP) or [[User Datagram Protocol]] (UDP). For these protocols, the [[port number]]s are changed so that the combination of IP address (within the [[Internet protocol suite#Internet_layer|IP header]]) and port number (within the [[Internet protocol suite#Transport layer|Transport Layer header]]) on the returned packet can be unambiguously mapped to the corresponding private network destination. RFC 2663 uses the term '''network address and port translation''' ('''NAPT''') for this type of NAT.<ref name=":0" /> Other names include '''port address translation''' ('''PAT'''), ''IP masquerading'', ''NAT overload'', and ''many-to-one NAT''. This is the most common type of NAT and has become synonymous with the term ''NAT'' in common usage.

This method allows communication through the router only when the conversation originates in the private network, since the initial originating transmission establishes the required information in the translation tables. Thus, a [[web browser]] within the private network is able to browse websites that are outside the network, whereas web browsers outside the network are unable to browse a website hosted within.{{efn|Most NAT devices today allow the network administrator to configure static translation table entries for connections from the external network to the internal masqueraded network. This feature is often referred to as ''static NAT''. It may be implemented in two types: [[port forwarding]] which forwards traffic from a specific external port to an internal host on a specified port, and designation of a [[DMZ host]] which passes all traffic received on the external interface (on any port number) to an internal IP address while preserving the destination port. Both types may be available in the same NAT device.}} Protocols not based on TCP and UDP require other translation techniques.

The primary benefit of one-to-many NAT is mitigation of [[IPv4 address exhaustion]] by allowing entire networks to be connected to the Internet using a single public IP address.
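
Added example, not part of the article: a toy Python model of the NAPT translation table described above, showing outbound source rewriting, reply matching against tracked state, dropping of unsolicited inbound packets, and a static port-forwarding entry. The names <code>Napt</code>, <code>Packet</code> and <code>port_forward</code>, the port range starting at 40000, and all addresses are constructed for illustration; matching replies on the remote endpoint is an assumption of this sketch, not something the article specifies.

```python
from collections import namedtuple

# Constructed sample data: RFC 1918 private hosts, documentation-range public addresses.
Packet = namedtuple("Packet", "proto src sport dst dport")


class Napt:
    """Toy NAPT: per-connection dynamic entries plus static port forwards.

    Simplification: replies sent by a port-forwarded internal host are not modelled.
    """

    def __init__(self, public_ip, first_port=40000):  # 40000 is an arbitrary choice
        self.public_ip = public_ip
        self.next_port = first_port
        self.flows = {}    # outbound packet 5-tuple -> allocated public port
        self.dynamic = {}  # (proto, public port) -> (priv ip, priv port, remote ip, remote port)
        self.static = {}   # (proto, public port) -> (priv ip, priv port)

    def port_forward(self, proto, public_port, private_ip, private_port):
        """Static table entry: expose one internal service on a public port."""
        self.static[(proto, public_port)] = (private_ip, private_port)

    def outbound(self, pkt):
        """Private -> public: rewrite source address and port, creating state."""
        if pkt not in self.flows:
            while ((pkt.proto, self.next_port) in self.dynamic
                   or (pkt.proto, self.next_port) in self.static):
                self.next_port += 1            # skip public ports already in use
            self.flows[pkt] = self.next_port
            self.dynamic[(pkt.proto, self.next_port)] = (
                pkt.src, pkt.sport, pkt.dst, pkt.dport)
            self.next_port += 1
        return pkt._replace(src=self.public_ip, sport=self.flows[pkt])

    def inbound(self, pkt):
        """Public -> private: rewrite destination, or return None to drop."""
        if pkt.dst != self.public_ip:
            return None
        key = (pkt.proto, pkt.dport)
        if key in self.static:                 # static entry: any remote may connect
            ip, port = self.static[key]
            return pkt._replace(dst=ip, dport=port)
        entry = self.dynamic.get(key)
        if entry and entry[2:] == (pkt.src, pkt.sport):  # reply from the tracked peer
            return pkt._replace(dst=entry[0], dport=entry[1])
        return None                            # unsolicited: no matching table entry
```

Two private hosts that pick the same source port receive distinct public ports, which is what lets the reply be mapped back unambiguously; a static entry, by contrast, accepts traffic from any remote address and is the part of the table that widens exposure.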