In this article, we will discuss SNAT (Source NAT) and DNAT (Destination NAT). Both terminologies are related to NAT (Network Address Translation). Before continue, I recommend, please take a look at Network Address Translation.
Table of Contents
Source NAT (SNAT)
SNAT stands for Source NAT. Source NAT, as the name suggests, is used when an internal user initiates a connection with an outside Host. Here, the layer 3 device on which we already configured NAT, translate the private IP address of Host to Public IP. It may also translate the source port in the TCP or UDP protocol headers. Although, Cisco abbreviate it with Stateful NAT.
Destination NAT (DNAT)
On the other hand, DNAT abbreviation for Destination NAT. DNAT is used when an external Host with a Public IP, initiates a connection towards our Internal/Private Network. Here, the same layer 3 devices, convert the public IP address of that host to the private IP of the internal Host/Server.
The Destination NAT is configured for Demilitarized Zone (DMZ). In the DMZ, we usually put our Server with Private IP addresses. So, public users can access them with the help of Destination NAT (DNAT).
The differences between SNAT and DNAT
Below are some differences between SNAT and DNAT!
Source NAT (SNAT) | Destination NAT (DNAT) |
---|---|
SNAT stands for Source NAT. | DNAT stands for Destination NAT. |
Here, Private IP address is converted into Public IP. | Here, Public IP is converted into Private IP. |
It is used by a client which is inside our private network and want to access the Internet. | It is used when someone from public network wants to access a Server inside the DMZ. |
SNAT is performed after the routing decision. | DNAT is performed before the routing decision. |
SNAT, can allow one or more than one hosts of private network to get connect to public hosts. | DNAT, allows connection of any host on the public network to a particular host on the private network. |
Summary
In this article, we discussed SNAT (Static NAT) and DNAT (Destination NAT). Both terms are related to NAT (Network Address Translation). SNAT converts the source IP address of internal hosts to a public IP address. DNAT translates the destination IP of a Public User to a Private IP address so that it can communicate with DMZ servers.
Did you find this article helpful? Please leave a comment in the comment box!
Support our work:
If you appreciate what we do and would like to contribute to our efforts, we kindly ask you to consider buying us a coffee or donate a small contribution on PayPal. Your small donation can go a long way in helping us cover the costs of hosting, maintenance, and further development.
Please consider buying us a coffee or donation on PayPal as a token of appreciation.

We are always thankful for your never-ending support.
At the beginning “In this article, we will discuss SNAT (Source NAT) and DNAT (Destination NAT)”
At the summary end “In this article, we discussed SNAT (Static NAT) and DNAT (Dynamic NAT).”
Confusing terminology that appears the same but also not in meaning when you look around, so which is it?
Hi bob, Yes, I just checked it and DNAT is Destination NAT. Although, the dynamic nat, is ususally configured in clouds, i.e. AWS, where, the machines have dynamically IP assigned. We configure FQDN, in case of Dynamic NAT.
“Here, private IP address is converted to Public” — Actually, that’s only true for outbound traffic.
“Here, public IP address is converted to Private” — Actually, that’s only true for inbound traffic.
In both cases, LOCAL address are changed (from private to public on outbound, from public to private on inbound.) The difference is the direction of session initiation; not which addresses are swapped or whether they’re swapped from public to private or vice-versa.
I wish, oh I wish, that when people write about NAT they would consider the return traffic!
SNAT and DNAT are misnomers, and not defined in any RFCs. RFC2663 calls SNAT “Traditional NAT” and “Outbound NAT.” It does not define a term for DNAT, but does define “Bidirectional NAT,” which is pretty much always used whenever DNAT is used. (Why would anyone have a private network that provided a service but was unable to use any services?)