Network Address Translation (NAT).

Network Address Translation maps private IP addresses inside a network to public addresses used on the Internet, and back again. Traditional NAT and the terminology around it are described in RFC 3022 and RFC 2663. The most common variant, PAT (also called NAT overload), multiplexes thousands of internal hosts behind a single public address by also rewriting source ports and keeping a translation table keyed on the 5-tuple. NAT was introduced primarily to slow IPv4 address exhaustion, but it also conceals internal topology and blocks unsolicited inbound traffic by default, providing weak but useful obscurity.

NAT is not a security boundary on its own. It complicates protocols that embed addresses in their payloads (SIP, FTP, IPsec), so routers ship Application Level Gateways (ALGs) that rewrite those payloads. Samy Kamkar's 2020 NAT Slipstreaming attack (CVE-2020-28041) weaponised exactly this: malicious JavaScript on a web page tricked the victim's browser into sending crafted packets that the router's SIP ALG misread, opening an inbound pinhole to any internal port. Chrome (v87.0.4280.141) and Firefox (v85) shipped patches blocking the abused ports, and Armis researchers later published a v2.0 bypass.

Defences: disable unnecessary ALGs, pair NAT with a real stateful firewall, and remember that NAT is fading on IPv6 where every host can hold a globally routable address.

flowchart LR
  subgraph LAN [Private network]
    H1[192.168.1.10:51000]
    H2[192.168.1.11:51001]
  end
  H1 --> N[NAT router<br/>translation table]
  H2 --> N
  N -->|src 203.0.113.5:40001| I[Internet]
  N -->|src 203.0.113.5:40002| I