SNAT vs DNAT | Source NAT vs Destination NAT

In this article, we will discuss SNAT (Source NAT) and DNAT (Destination NAT). Both terms relate to NAT (Network Address Translation). Before continuing, I recommend taking a look at Network Address Translation.


Source NAT (SNAT)


SNAT stands for Source NAT. Source NAT, as the name suggests, is used when an internal user initiates a connection to an outside host. Here, the layer 3 device on which NAT is configured translates the private IP address of the host to a public IP. It may also translate the source port in the TCP or UDP header. Note that Cisco uses the abbreviation SNAT for Stateful NAT.

Destination NAT (DNAT)


DNAT, on the other hand, is the abbreviation for Destination NAT. DNAT is used when an external host with a public IP initiates a connection towards our internal/private network. Here, the same layer 3 device translates the public destination IP address to the private IP of the internal host/server.


Destination NAT is typically configured for a Demilitarized Zone (DMZ). In the DMZ, we usually place servers with private IP addresses, so public users can reach them with the help of Destination NAT (DNAT).

The differences between SNAT and DNAT

Below are some differences between SNAT and DNAT!

| Source NAT (SNAT) | Destination NAT (DNAT) |
|---|---|
| SNAT stands for Source NAT. | DNAT stands for Destination NAT. |
| Here, a private IP address is converted into a public IP. | Here, a public IP is converted into a private IP. |
| It is used by a client inside our private network that wants to access the Internet. | It is used when someone on the public network wants to access a server inside the DMZ. |
| SNAT is performed after the routing decision. | DNAT is performed before the routing decision. |
| SNAT can allow one or more hosts on the private network to connect to public hosts. | DNAT allows any host on the public network to connect to a particular host on the private network. |
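To make the table concrete, here is an added example that is not code from the original article: a small Python simulation of a gateway with one public address. It assumes constructed addresses (the documentation ranges 203.0.113.0/24 and 198.51.100.0/24 stand in for public space), one DNAT rule that publishes a DMZ server, and the hook names prerouting/postrouting borrowed from the netfilter model. DNAT runs before the routing step and SNAT after it, and the gateway also translates the return traffic of each session in the reverse direction, which is the part most NAT explanations leave out.

```python
"""Stateful NAT simulator: SNAT for outbound sessions, DNAT for inbound ones.

Added example, not code from the original article. All addresses and
ports are constructed for illustration (203.0.113.0/24 and 198.51.100.0/24
are documentation ranges and stand in for "public" addresses here).
"""
import ipaddress
from dataclasses import dataclass

# RFC 1918 address space; anything outside it is treated as public.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatGateway:
    """Edge device with a single public address.

    prerouting() runs before the routing decision (where DNAT lives);
    postrouting() runs after it (where SNAT lives). Reverse translation of
    reply traffic is keyed on the sessions the gateway has already seen,
    which is the job a connection-tracking NAT does for you.
    """

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.dnat_rules: dict[int, tuple[str, int]] = {}   # public port -> (private ip, port)
        self.snat_out: dict[tuple[str, int], int] = {}     # (private ip, port) -> public port
        self.snat_in: dict[int, tuple[str, int]] = {}      # public port -> (private ip, port)
        # (private ip, private port, remote ip, remote port) -> public port
        self.dnat_sessions: dict[tuple[str, int, str, int], int] = {}

    def add_dnat_rule(self, public_port: int, private_ip: str, private_port: int) -> None:
        """Publish one internal service (e.g. a DMZ server) on a public port."""
        self.dnat_rules[public_port] = (private_ip, private_port)

    def prerouting(self, pkt: Packet) -> Packet:
        if pkt.dst_ip != self.public_ip:
            return pkt
        # Reply to an outbound SNAT session: put the original private destination back.
        if pkt.dst_port in self.snat_in:
            priv_ip, priv_port = self.snat_in[pkt.dst_port]
            return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port)
        # New inbound session that matches a static DNAT rule.
        if pkt.dst_port in self.dnat_rules:
            priv_ip, priv_port = self.dnat_rules[pkt.dst_port]
            self.dnat_sessions[(priv_ip, priv_port, pkt.src_ip, pkt.src_port)] = pkt.dst_port
            return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port)
        # Anything else addressed to the public IP stays with the gateway itself.
        return pkt

    def postrouting(self, pkt: Packet) -> Packet:
        if not is_private(pkt.src_ip) or is_private(pkt.dst_ip):
            return pkt  # not crossing from private to public: leave it alone
        # Reply from a DNAT-published server: restore the public source address.
        session = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if session in self.dnat_sessions:
            return Packet(self.public_ip, self.dnat_sessions[session], pkt.dst_ip, pkt.dst_port)
        # Outbound session: bind the private (ip, port) to a fresh public port.
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.snat_out:
            self.snat_out[key] = self.next_port
            self.snat_in[self.next_port] = key
            self.next_port += 1
        return Packet(self.public_ip, self.snat_out[key], pkt.dst_ip, pkt.dst_port)

    def forward(self, pkt: Packet) -> Packet:
        """Hook order is the table's point: DNAT before routing, SNAT after it."""
        return self.postrouting(self.prerouting(pkt))


def demo() -> dict[str, Packet]:
    gw = NatGateway("203.0.113.10")
    gw.add_dnat_rule(443, "192.168.10.5", 8443)   # DMZ web server published on 443
    r = {}
    # SNAT: LAN client opens a session to an Internet host, then the reply comes back.
    r["snat_out"] = gw.forward(Packet("192.168.1.20", 51000, "198.51.100.7", 443))
    r["snat_reply"] = gw.forward(Packet("198.51.100.7", 443, gw.public_ip, r["snat_out"].src_port))
    # DNAT: Internet host opens a session to the published port, then the server replies.
    r["dnat_in"] = gw.forward(Packet("198.51.100.99", 34567, gw.public_ip, 443))
    r["dnat_reply"] = gw.forward(Packet("192.168.10.5", 8443, "198.51.100.99", 34567))
    # No DNAT rule for port 22: the packet never reaches a private host.
    r["unpublished"] = gw.forward(Packet("198.51.100.99", 55555, gw.public_ip, 22))
    return r


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:12s} {pkt.src_ip}:{pkt.src_port} -> {pkt.dst_ip}:{pkt.dst_port}")
```

Running the script prints the five translated packets. The "unpublished" case is the security-relevant one: a packet for a port without a DNAT rule is left addressed to the gateway and never rewritten towards the private network, so DNAT rules are exactly the list of what the outside can reach.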

Summary

In this article, we discussed SNAT (Source NAT) and DNAT (Destination NAT). Both terms relate to NAT (Network Address Translation). SNAT converts the source IP address of internal hosts to a public IP address. DNAT translates the destination IP that a public user connects to into a private IP address, so that the user can communicate with DMZ servers.


5 Comments

  1. At the beginning “In this article, we will discuss SNAT (Source NAT) and DNAT (Destination NAT)”
    At the summary end “In this article, we discussed SNAT (Static NAT) and DNAT (Dynamic NAT).”

    Confusing terminology that appears the same but also not in meaning when you look around, so which is it?

    1. Hi bob, Yes, I just checked it and DNAT is Destination NAT. Although, the dynamic NAT is usually configured in clouds, i.e. AWS, where the machines have dynamically assigned IPs. We configure FQDN in case of Dynamic NAT.

  2. “Here, private IP address is converted to Public” — Actually, that’s only true for outbound traffic.
    “Here, public IP address is converted to Private” — Actually, that’s only true for inbound traffic.
    In both cases, LOCAL addresses are changed (from private to public on outbound, from public to private on inbound.) The difference is the direction of session initiation; not which addresses are swapped or whether they’re swapped from public to private or vice-versa.

    I wish, oh I wish, that when people write about NAT they would consider the return traffic!

    SNAT and DNAT are misnomers, and not defined in any RFCs. RFC2663 calls SNAT “Traditional NAT” and “Outbound NAT.” It does not define a term for DNAT, but does define “Bidirectional NAT,” which is pretty much always used whenever DNAT is used. (Why would anyone have a private network that provided a service but was unable to use any services?)

  3. Hi,

    Had similar confusion with the terminology based on Watchguard and ‘industry’ standard naming conventions.

    Watchguard:
    SNAT = Static NAT, Public IP to Private IP mapping
    DNAT = Dynamic NAT, Private IP(s) to Public IP

    ‘Industry Standard’:
    SNAT = Source NAT; Private IP(s) to Public IP
    DNAT= Destination NAT: Public IP to Private IP

    Highly confusing.
    Always thought the networking world was highly standardized…

    Regards,

    1. Right, it’s confusing! In my experience, terms coined by programmers tend to be questionable, especially in the early days of the Internet and before, the “cowboy days.” Then came OSI which went too far in the opposite direction. These days, the RFC community tends to be a lot better, in the reasonable middle.

      SNAT and DNAT are particularly troublesome. The Watchguard terms you mention above are common in the industry, and there really are no “industry standard” definitions for SNAT and DNAT: just common (and sloppy) definitions.

      The typical NAT case, that happens in everyone’s home router, is Dynamic NAT, and it performs SNAT for egress traffic and DNAT (literally, performing Destination Network Address Translation) for ingress traffic — yet in many routers, it’s configured as the “SNAT” feature. And more often than not, when people talk about “DNAT”, they do mean what is discussed in the article above (which is often Static NAT as well … sigh.)

      IMHO, we should use the terms LNAT and RNAT, for “local” and “remote.” But nobody asked me, just like they didn’t ask me how to spell “kludge,” which mysteriously rhymes with “huge,” and not “sludge” “judge” or “fudge”.
