How NAT and NAPT Translate Private IPs and Enable Intranet Penetration
This article explains why home networks use private 192.168.x.x addresses, how NAT devices translate private IPs to a single public IP, the detailed SNAT/DNAT processes, the role of ports in NAPT, and how these mechanisms enable inbound connections through techniques like NAT hole punching and intranet penetration.
NAT Working Principle
In a typical home network a router with a public IP (e.g., 20.20.20.20) provides private IPs (e.g., 192.168.30.5) to devices. When a device sends a packet to an external address (e.g., 30.30.30.30), the router rewrites the source IP to its public address (SNAT) and stores a mapping 192.168.30.5 → 20.20.20.20. The packet then traverses the Internet and reaches the destination.
When the destination replies, it sends the packet to the router’s public IP. The router looks up the stored mapping, rewrites the destination IP back to the original private address (DNAT), and forwards the packet to the internal host.
NAPT Principle
Because many internal hosts share one public IP, NAT must also translate ports. When a device sends a packet, the router changes both the source IP and source port (e.g., 192.168.30.5:5000 → 20.20.20.20:6000) and records the full mapping 192.168.30.5:5000 → 20.20.20.20:6000. The reverse process (DNAT) restores the original private IP and port for returning traffic.
Since ports range up to 65535, each internal (IP, port) pair can be given its own public port, so returning traffic is matched to the right host and conflicts are avoided.
What Is Intranet Penetration?
Because NAT mappings are created only by outbound connections, an external host cannot directly initiate a connection to a private host. To expose an internal service, a public server (often called a “relay” or “gateway”) is deployed. Internal machines first establish outbound connections to this server, creating NAT mappings. The server then forwards inbound traffic to the appropriate internal host, effectively achieving “intranet penetration”.
NAT Hole Punching for Peer‑to‑Peer
For direct peer‑to‑peer communication (e.g., P2P file sharing), both peers first contact a third‑party server, which learns each peer’s external IP and port. The server then instructs each peer to send UDP packets to the other’s external address, creating temporary NAT mappings on both sides. After the mappings exist, the peers can exchange UDP (and later TCP) traffic directly.
Even though UDP is used to open the hole, most applications switch to TCP after the NAT entries are established.
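The NAPT translation and the hole-punching exchange described above, as an added example that is not part of the original article: a toy NAPT table applying SNAT to outbound packets and DNAT to inbound ones, dropping unsolicited inbound traffic, and two such NATs walked through the server-assisted hole punch. All addresses beyond the article's own (the second NAT, the server, peer B) are constructed, and the model assumes an endpoint-independent ("full cone") NAT; a symmetric NAT that allocates a new port per destination would not behave this way.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port")

class Napt:
    """Toy NAPT with one public IP and endpoint-independent ('full cone')
    mapping: one public port per internal (ip, port); unmapped inbound is dropped."""

    def __init__(self, public_ip, first_port=6000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out = {}   # (private_ip, private_port) -> public_port
        self.back = {}  # public_port -> (private_ip, private_port)

    def snat(self, pkt):
        """Outbound: rewrite the source to public_ip:port, recording the mapping."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.out:
            self.out[key] = self.next_port
            self.back[self.next_port] = key
            self.next_port += 1
        return pkt._replace(src_ip=self.public_ip, src_port=self.out[key])

    def dnat(self, pkt):
        """Inbound: restore the private ip:port, or drop (None) if unmapped."""
        key = self.back.get(pkt.dst_port)
        if pkt.dst_ip != self.public_ip or key is None:
            return None
        return pkt._replace(dst_ip=key[0], dst_port=key[1])

def napt_demo():
    """Two hosts reuse source port 5000: NAPT gives each its own public port,
    the reply reaches the right host, and an unsolicited packet is dropped."""
    nat = Napt("20.20.20.20")
    a = nat.snat(Packet("192.168.30.5", 5000, "30.30.30.30", 80))
    b = nat.snat(Packet("192.168.30.6", 5000, "30.30.30.30", 80))
    reply_a = nat.dnat(Packet("30.30.30.30", 80, "20.20.20.20", a.src_port))
    unsolicited = nat.dnat(Packet("40.40.40.40", 9999, "20.20.20.20", 7000))
    return a, b, reply_a, unsolicited

def hole_punch_demo():
    """Each peer first contacts the (constructed) server 50.50.50.50:3478, which
    learns the peer's external endpoint; each then sends to the other's external
    endpoint, and the mapping created by the server contact admits the packet."""
    nat_a, nat_b = Napt("20.20.20.20"), Napt("21.21.21.21")
    ext_a = nat_a.snat(Packet("192.168.30.5", 5000, "50.50.50.50", 3478))
    ext_b = nat_b.snat(Packet("10.0.0.7", 7000, "50.50.50.50", 3478))
    to_b = nat_a.snat(Packet("192.168.30.5", 5000, ext_b.src_ip, ext_b.src_port))
    to_a = nat_b.snat(Packet("10.0.0.7", 7000, ext_a.src_ip, ext_a.src_port))
    return nat_a.dnat(to_a), nat_b.dnat(to_b)
```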
Summary
IPv4 address space is limited, but NAT allows many internal devices to share a single public IP, conserving address resources.
Internal devices must initiate outbound connections; the NAT translates private IPs (and ports) to the public IP, enabling two‑way communication.
Simple NAT only rewrites IP addresses, which can cause conflicts in large LANs; NAPT (port‑address translation) also rewrites ports to keep mappings unique.
Because NAT blocks inbound connections, “intranet penetration” techniques—using a public relay server—allow external hosts to reach internal services.
Liangxu Linux
Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge—fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc. (Reply “Linux” to receive essential resources.)