Editing Network address translation (section)

==Implementation==

===Establishing two-way communication===
[[File:Bidirectional NAT-en.svg|thumb|In bidirectional NAT the session can be established both from inside and outside realms.]]
Every TCP and UDP packet contains a source port number and a destination port number. Each of those packets is encapsulated in an IP packet, whose [[IP header]] contains a source IP address and a destination IP address. The IP address/protocol/port number triple defines an association with a [[network socket]].

For publicly accessible services such as web and mail servers the port number is important. For example, port 443 connects through a socket to the [[web server]] software and port 465 to a mail server's [[SMTP]] [[Daemon (computer software)|daemon]].<ref>{{IETF RFC|8314}}</ref> The IP address of a public server is also important, similar in global uniqueness to a postal address or telephone number. Both IP address and port number must be correctly known by all hosts wishing to successfully communicate.

Private IP addresses as described in RFC 1918 are usable only on private networks not directly connected to the internet. Ports are endpoints of communication unique to that host, so a connection through the NAT device is maintained by the combined mapping of port and IP address. A private address on the inside of the NAT is mapped to an external public address. Port address translation (PAT) resolves conflicts that arise when multiple hosts happen to use the same source port number to establish different external connections at the same time.

===Translation process===
With NAT, all communications sent to external hosts actually contain the ''external'' IP address and port information of the NAT device instead of internal host IP addresses or port numbers. NAT only translates IP addresses and ports of its internal hosts, hiding the true endpoint of an internal host on a private network.

When a computer on the private (internal) network sends an IP packet to the external network, the NAT device replaces the internal source IP address in the packet header with the external IP address of the NAT device. PAT may then assign the connection a port number from a pool of available ports,{{efn|As the NAT router allocates an individual port for each outgoing connection, a huge number of outgoing connections may saturate the range of available ports. As ports typically get freed when the connection doesn't produce any more traffic for a certain time, the maximum number of active connections is limited to approximately 64K.}} inserting this port number in the source port field. The packet is then forwarded to the external network. The NAT device then makes an entry in a translation table containing the internal IP address, original source port, and the translated source port. Subsequent packets from the same internal source IP address and port number are translated to the same external source IP address and port number. The computer receiving a packet that has undergone NAT establishes a connection to the port and IP address specified in the altered packet, oblivious to the fact that the supplied address is being translated.

Upon receiving a packet from the external network, the NAT device searches the translation table based on the destination port in the packet header. If a match is found, the destination IP address and port number is replaced with the values found in the table and the packet is forwarded to the inside network. Otherwise, if the destination port number of the incoming packet is not found in the translation table, the packet is dropped or rejected because the PAT device doesn't know where to send it.