NAT translates private IP addresses to public ones. While primarily designed to conserve IPv4 space, NAT provides a side-effect of security by hiding internal topology. However, relying on NAT as a security control is a dangerous fallacy.
PAT (Port Address Translation) acts as a basic stateful firewall. Unsolicited inbound packets are dropped because there is no matching translation table entry. This stops casual internet background radiation and automated scanners.
💡 Pro-tip: NAT breaks end-to-end connectivity. Protocols that embed IP addresses in their payload (like FTP Active Mode or SIP) require Application Layer Gateways (ALGs) to function through NAT.
The NAT translation table maps the internal host (192.168.1.10) to the public IP. Because the internal address never appears on the outside, an attacker who does not know it cannot target the host directly unless an inbound port forward exposes it.
NAT provides zero protection against outbound threats. If an internal host is compromised by phishing, it initiates the outbound connection, and NAT happily translates and allows the C2 traffic to flow.
⚠️ Never cite NAT as a primary defense mechanism in compliance audits. It does not inspect payloads, prevent malware, or stop data exfiltration that rides on permitted outbound connections.
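To make the translation-table behaviour described above concrete, here is an added Python simulation (not code from the original page) of a PAT device with one public IP: outbound flows create entries, replies that match an entry pass, unsolicited inbound packets are dropped, a beacon from a compromised host is translated like any other outbound flow, and a static port forward opens a permanent inbound hole. The public and remote addresses are constructed documentation-range values; the internal host 192.168.1.10 is the one from the page.

```python
from dataclasses import dataclass, field

PUBLIC_IP = "203.0.113.5"       # constructed: RFC 5737 documentation address
INTERNAL_HOST = "192.168.1.10"  # the internal host from the page


@dataclass
class PAT:
    """Minimal PAT: one public IP, flows keyed by the allocated public port."""
    public_ip: str
    next_port: int = 40000
    # public_port -> (internal_ip, internal_port, remote_ip, remote_port)
    table: dict = field(default_factory=dict)
    # public_port -> (internal_ip, internal_port): static inbound forwards
    forwards: dict = field(default_factory=dict)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Internal host opens a flow: reuse or allocate a translation entry."""
        flow = (src_ip, src_port, dst_ip, dst_port)
        for pport, entry in self.table.items():
            if entry == flow:
                return self.public_ip, pport
        pport, self.next_port = self.next_port, self.next_port + 1
        self.table[pport] = flow
        return self.public_ip, pport

    def inbound(self, src_ip, src_port, dst_port):
        """Packet arriving on the public side: translate it or drop it (None)."""
        entry = self.table.get(dst_port)
        if entry and entry[2:] == (src_ip, src_port):  # reply to a known flow
            return entry[:2]
        return self.forwards.get(dst_port)              # static hole, else None


def demo():
    nat = PAT(PUBLIC_IP)
    # 1. Internal host browses a site: the reply matches the entry and passes.
    _, pport = nat.outbound(INTERNAL_HOST, 51000, "198.51.100.20", 443)
    reply = nat.inbound("198.51.100.20", 443, pport)
    # 2. Unsolicited scan against RDP from the internet: no entry, dropped.
    scan = nat.inbound("198.51.100.99", 12345, 3389)
    # 3. Phished host beacons to a C2 server: translated like any other flow.
    c2 = nat.outbound(INTERNAL_HOST, 51001, "198.51.100.66", 8443)
    # 4. Static port forward: any source on the internet now reaches the host.
    nat.forwards[8080] = (INTERNAL_HOST, 80)
    forwarded = nat.inbound("198.51.100.99", 40001, 8080)
    return {"reply": reply, "scan": scan, "c2": c2, "forwarded": forwarded}


if __name__ == "__main__":
    print(demo())
```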
| Feature | Benefit | Limitation |
|---|---|---|
| Topology Hiding | Masks internal IPs | Useless against outbound C2 |
| Port Forwarding | Allows inbound services | Creates permanent holes in perimeter |
| IPv4 Conservation | Shares single IP | Breaks P2P and E2E protocols |