
NAT Concepts for CompTIA Network+ N10-009

Network Address Translation (NAT) is a foundational concept tested on CompTIA Network+ N10-009 in both networking concepts and troubleshooting domains. NAT allows private IP addresses (RFC 1918) to communicate with the internet by translating them to public IPs. You must understand the types of NAT (static, dynamic, PAT/overload), why NAT exists, NAT terminology (inside local, inside global), and common NAT-related troubleshooting scenarios.


NAT Types

Static NAT: one-to-one permanent mapping between a private IP and a public IP. Used when a specific internal device (server) must always be reachable from the internet at a fixed public IP. Every private IP requires its own dedicated public IP.

Dynamic NAT: maps private IPs to a pool of public IPs on a first-come, first-served basis. When the pool is exhausted, new connections are blocked. Unlike static NAT, mappings are temporary. Still requires one public IP per active session.

PAT (Port Address Translation) / NAT Overload: maps many private IPs to a single public IP by adding unique port numbers to differentiate sessions. This is the type of NAT used in virtually every home router and most enterprise internet connections — thousands of internal devices share one public IP. Also called 'NAT with overload' on Cisco devices.

NAT Terminology

  • Inside local: the private IP address of the internal device (as seen from inside the network).
  • Inside global: the public IP address representing the internal device (as seen from the internet).
  • Outside global: the public IP of the external destination server.
  • Outside local: how the external destination is seen from inside the network (usually the same as outside global).

NAT translations table: the router maintains a table of all active NAT mappings. For PAT, each entry includes private IP, private port, public IP, public port, protocol, and destination. The router uses this table to correctly forward returning traffic to the originating internal host.

NAT Benefits and Limitations

Benefits: conserves public IPv4 addresses (thousands of devices share one public IP). Provides basic security by hiding internal IP structure — external hosts cannot directly initiate connections to internal devices (unless port forwarding is configured). Simplifies IP management — internal IPs can be renumbered without changing public IP.

Limitations: NAT breaks end-to-end connectivity — some applications (active FTP, SIP, IPsec in transport mode) require special NAT traversal support (ALG — Application Layer Gateway). NAT adds latency from table lookup and translation. NAT complicates network troubleshooting when inside/outside address translation obscures real IPs. IPv6 was designed to eliminate the need for NAT by providing enough address space for every device.

Port forwarding (DNAT — Destination NAT): maps a specific port on the public IP to an internal device's IP and port. Used to allow inbound connections to internal servers (e.g., port 80 → internal web server at 192.168.1.10:80).
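A small model of the PAT translation table and port forwarding described above, added here as an illustration (it is not router or vendor code). The `PatRouter` class, its method names, the starting port and all addresses are constructed, and it assumes the router also matches return traffic on the remote endpoint, which not every NAT implementation does.

```python
class PatRouter:
    """Toy PAT (NAT overload) device: many inside hosts share one public IP."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.ports = {}     # (proto, inside_ip, inside_port) -> public port
        self.sessions = {}  # (proto, public port, remote_ip, remote_port) -> inside host
        self.forwards = {}  # (proto, public port) -> inside host (port forwarding)

    def outbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Inside host opens a session: allocate a public port, record the entry."""
        key = (proto, src_ip, src_port)
        if key not in self.ports:
            self.ports[key] = self.next_port
            self.next_port += 1
        pub_port = self.ports[key]
        self.sessions[(proto, pub_port, dst_ip, dst_port)] = (src_ip, src_port)
        return self.public_ip, pub_port  # inside global address and port

    def port_forward(self, proto, pub_port, inside_ip, inside_port):
        """Static inbound rule (destination NAT)."""
        self.forwards[(proto, pub_port)] = (inside_ip, inside_port)

    def inbound(self, proto, remote_ip, remote_port, pub_port):
        """Return the inside (ip, port) for a packet to the public IP, or None if dropped."""
        hit = self.sessions.get((proto, pub_port, remote_ip, remote_port))
        return hit if hit is not None else self.forwards.get((proto, pub_port))


def demo():
    # Constructed addresses: 192.168.1.x inside, documentation ranges outside.
    nat = PatRouter("203.0.113.5")
    a = nat.outbound("tcp", "192.168.1.20", 51000, "198.51.100.7", 443)
    b = nat.outbound("tcp", "192.168.1.21", 51000, "198.51.100.7", 443)
    reply = nat.inbound("tcp", "198.51.100.7", 443, a[1])  # return traffic
    stray = nat.inbound("tcp", "192.0.2.99", 443, a[1])    # no matching entry
    nat.port_forward("tcp", 80, "192.168.1.10", 80)
    web = nat.inbound("tcp", "192.0.2.99", 40211, 80)      # matches the forward
    return a, b, reply, stray, web


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The forwarded port answers any remote host, so a service exposed this way still needs its own firewall rule and hardening.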

NAT Types Comparison

| Type | Mapping | Public IPs Required | Use Case |
|---|---|---|---|
| Static NAT | One-to-one (permanent) | One per internal device | Servers needing fixed public IP |
| Dynamic NAT | One-to-one (from pool) | One per active session | Large pools, less common |
| PAT (Overload) | Many-to-one (port-based) | Single public IP | Home/enterprise internet access |
| Port forwarding | Inbound port → internal IP | Uses existing public IP | Hosting servers behind NAT |

Key exam facts — Network+

  • PAT (overload) maps many internal IPs to one public IP using unique port numbers
  • Static NAT = one-to-one permanent; used for internal servers needing public access
  • Inside local = private IP inside network; inside global = public IP seen from internet
  • NAT hides internal IP structure — provides security by obscurity
  • Port forwarding allows inbound connections to specific internal services
  • Active FTP fails through NAT — requires ALG or passive mode
  • IPv6 was designed to eliminate NAT by providing sufficient global addresses

Common exam traps

NAT is a security solution

NAT provides incidental security by hiding internal IP addresses, but it is not a firewall — it does not inspect traffic content or enforce security policies. A firewall is still required.

All devices behind a NAT router share the same IP address permanently

With PAT, all devices appear to share the same public IP, but port numbers differentiate each session. The NAT table maintains per-session mappings that are created and destroyed dynamically.

NAT is required for IPv6

IPv6 was specifically designed to eliminate NAT — every device gets a globally unique public IPv6 address. NAT64 exists to translate between IPv6 and IPv4, but NAT is not a feature of native IPv6 networks.

Practice questions — NAT Concepts

These questions are representative of what you will see on Network+ exams. The correct answer and explanation are shown immediately below each question.

Q1. A company has 500 workstations accessing the internet through a single router with one public IP address. Which NAT type allows all 500 devices to share this single public IP?

A. Static NAT
B. Dynamic NAT
C. PAT (NAT overload)
D. Port forwarding

Explanation: PAT (Port Address Translation), also called NAT overload, allows many internal devices to share a single public IP address by using unique port numbers to track each session. Static NAT requires one public IP per device. Dynamic NAT uses a pool. Port forwarding maps inbound connections to internal servers.

Q2. What does 'inside local' refer to in NAT terminology?

A. The public IP address assigned by the ISP
B. The private IP address of a device on the internal network
C. The IP address of the NAT router's external interface
D. The external server's IP address as seen from inside

Explanation: Inside local is the actual private IP address of the internal device as it exists within the internal network (before NAT translation). Inside global is what that same device looks like from the outside (the translated public IP). Outside global is the actual public IP of the external destination.

Frequently asked questions — NAT Concepts

What is the difference between NAT and a proxy server?

NAT translates IP addresses at Layer 3 — the client is unaware of the NAT and maintains its own TCP connections to the destination. A proxy server operates at Layer 7 (Application layer) — it terminates the client's connection and creates a new connection to the destination on the client's behalf. Proxies can inspect, filter, and cache application content; NAT cannot.

Why does active FTP fail through NAT?

In active FTP, the server initiates the data connection back to the client's IP and a negotiated port. The NAT router doesn't know about this server-initiated connection and may block it. The FTP Application Layer Gateway (ALG) on the NAT router inspects FTP control traffic and creates a NAT mapping for the expected inbound data connection. Alternatively, passive FTP (where the client initiates both connections) avoids this problem.
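To make the ALG step concrete, the added example below (not taken from any FTP server or router implementation) parses the active-mode `PORT` command, which carries the client's inside local address and data port in the control channel, and rewrites it to the inside global endpoint while recording the mapping for the server's inbound data connection. The function names, addresses and the public port are constructed for illustration.

```python
import re

# FTP PORT argument: h1,h2,h3,h4,p1,p2 (IPv4 octets, then port = p1*256 + p2)
PORT_RE = re.compile(r"PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_port(line):
    """Return (ip, port) announced by a PORT command, or None if it is not one."""
    m = PORT_RE.fullmatch(line.strip())
    if m is None:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def alg_rewrite(line, public_ip, public_port, mappings):
    """Model of the ALG step: swap the inside local endpoint in PORT for the
    inside global one and record a mapping for the server's data connection."""
    parsed = parse_port(line)
    if parsed is None:
        return line  # other control commands pass through unchanged
    mappings[public_port] = parsed
    host = public_ip.replace(".", ",")
    return f"PORT {host},{public_port // 256},{public_port % 256}\r\n"


if __name__ == "__main__":
    table = {}
    sent = "PORT 192,168,1,20,195,80\r\n"  # constructed client command
    print(parse_port(sent))
    print(repr(alg_rewrite(sent, "203.0.113.5", 40000, table)), table)
```

Without the rewrite, the server would be told to connect to 192.168.1.20, a private address it cannot route to, and the router would have no entry for the incoming data connection.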
