IP NAT Traversal? VPN Passthrough?
NAT [Network Address Translation] is the translation of an Internet
Protocol address (IP address) used within one network to a different IP
address known within another network. One network is designated the inside
network and the other is the outside. Typically, a company maps its local
inside network addresses to one or more global outside IP addresses and
unmaps the global IP addresses on incoming packets back into local IP
addresses. This helps ensure security since each outgoing or incoming request
must go through a translation process that also offers the opportunity to
qualify or authenticate the request or match it to a previous request. NAT
also conserves the number of global IP addresses a company needs and lets
the company use a single IP address in its communication with the world.
NAT is included as part of a router and is often part of a corporate
firewall. Network administrators create a NAT table that does the
global-to-local and local-to-global IP address mapping. NAT can also be used
in conjunction with policy routing. NAT can be statically defined or it can
be set up to dynamically translate from and to a pool of IP addresses.
Most outbound NATs translate both IP addresses and ports to let
many users share a single public IP address. Many VPN users run into trouble
sending IPsec through a NAT-ing device like a firewall because [a] NAT
changes IP and TCP/UDP headers carried inside packets, invalidating IPsec's
integrity check, and [b] the TCP/UDP header in an IPsec ESP packet is
encrypted, preventing NAT from mapping ports.
VPN Passthroughs usually fix [b] by NAT-ing encrypted
packets without mapping ports inside the TCP/IP payload. An IPsec VPN
Passthrough translates an IPsec ESP packet's source IP to the firewall's
external interface while ignoring encrypted payload. A PPTP VPN Passthrough
NATs PPTP GRE packets in a similar fashion. Some Passthroughs are limited to
one VPN tunnel at a time; other implementations use fields like IPsec SPI to
multiplex several tunnels through one NAT-ing device. VPN Passthrough isn't a
standard and behavior varies by product.
NAT Traversal refers to a series of IETF Internet Drafts that fix
[a] by wrapping encrypted IPsec packets inside a cleartext UDP
wrapper. Any NAT-ing device can translate both the source IP address and
source UDP port of the cleartext wrapper without changing any part of the
encrypted IPsec packet carried inside. The challenge is that both ends
of the IPsec tunnel must support the same version of NAT Traversal, be able
to detect when to use NAT Traversal, keep the NAT mapping alive for the
lifetime of the tunnel, etc. Many VPN vendors implement NAT Traversal drafts,
and NAT Traversal works well today in single-vendor VPNs. Multi-vendor VPN
NAT Traversal should improve when everyone aligns with the final IETF
standard.
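The two failure modes above, and the UDP wrapper that fixes [a], in a small Python model. This is an added example, not text from any RFC or any vendor's code: the integrity key, the addresses (TEST-NET ranges) and the SPIs are constructed for the demo, the "AH-like" packet simply hashes the addresses together with the payload to stand in for an integrity check that covers the IP header, the UDP encapsulation follows the RFC 3948 layout (UDP port 4500 in front of ESP) without real UDP length/checksum handling, and the NAT detection hash is modelled loosely on the IKE NAT-D payload (a hash of the cookies plus one address and port).

```python
"""NAT Traversal for IPsec in miniature (added example). Shows (1) an integrity
check that covers the IP header breaking under NAT, (2) ESP wrapped in a
cleartext UDP header surviving NAT because the ESP ICV never covers the outer
header, and (3) NAT detection: the sender hashes the address/port it believes
it has, and the peer compares that with a hash of what actually arrived."""
import hashlib
import hmac
import socket
import struct

NAT_T_PORT = 4500                             # UDP port for IKE/ESP encapsulation
SA_KEY = b"constructed-demo-integrity-key"    # constructed SA key for the toy ICV


def _ip(ip):
    return socket.inet_aton(ip)


def _addr(ip, port):
    return _ip(ip) + struct.pack("!H", port)


def header_covering_packet(src_ip, dst_ip, payload):
    """Toy AH-like packet: the ICV covers the source/destination addresses too."""
    icv = hmac.new(SA_KEY, _ip(src_ip) + _ip(dst_ip) + payload, hashlib.sha256).digest()
    return {"src_ip": src_ip, "dst_ip": dst_ip, "body": payload, "icv": icv}


def verify_header_covering(pkt):
    expected = hmac.new(SA_KEY, _ip(pkt["src_ip"]) + _ip(pkt["dst_ip"]) + pkt["body"],
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, pkt["icv"])


def udp_encap_esp(src_ip, src_port, dst_ip, spi, seq, ciphertext):
    """ESP header + ciphertext + ICV, with a cleartext UDP header in front.
    The ICV is computed over the ESP part only, never over the outer headers."""
    esp = struct.pack("!II", spi, seq) + ciphertext
    icv = hmac.new(SA_KEY, esp, hashlib.sha256).digest()
    return {"src_ip": src_ip, "dst_ip": dst_ip, "src_port": src_port,
            "dst_port": NAT_T_PORT, "body": esp + icv}


def verify_udp_encap_esp(pkt):
    esp, icv = pkt["body"][:-32], pkt["body"][-32:]
    return hmac.compare_digest(hmac.new(SA_KEY, esp, hashlib.sha256).digest(), icv)


def pat_rewrite(pkt, public_ip, public_port):
    """What a port-translating NAT does to an outbound packet: rewrite the outer
    source address and, when the packet carries a transport port, the port."""
    out = dict(pkt)
    out["src_ip"] = public_ip
    if "src_port" in out:
        out["src_port"] = public_port
    return out


def nat_detection_hash(cookie_i, cookie_r, ip, port):
    """NAT-D style value: hash of both cookies plus one address and port."""
    return hashlib.sha1(struct.pack("!QQ", cookie_i, cookie_r) + _addr(ip, port)).digest()


def peer_behind_nat(cookie_i, cookie_r, claimed_hash, observed_ip, observed_port):
    """Responder side: a mismatch means a NAT rewrote the address or port."""
    observed = nat_detection_hash(cookie_i, cookie_r, observed_ip, observed_port)
    return not hmac.compare_digest(claimed_hash, observed)


def demo():
    inside, public, gw = "192.168.1.10", "203.0.113.1", "198.51.100.7"  # constructed
    results = {}
    ah = header_covering_packet(inside, gw, b"header-protected-data")
    results["ah_ok_before_nat"] = verify_header_covering(ah)
    results["ah_ok_after_nat"] = verify_header_covering(pat_rewrite(ah, public, 0))
    wrapped = udp_encap_esp(inside, NAT_T_PORT, gw, 0x1000, 1, b"ciphertext")
    natted = pat_rewrite(wrapped, public, 61000)
    results["esp_ok_after_nat"] = verify_udp_encap_esp(natted) and natted["src_port"] == 61000
    claimed = nat_detection_hash(0xAA, 0xBB, inside, NAT_T_PORT)
    results["nat_detected"] = peer_behind_nat(0xAA, 0xBB, claimed, natted["src_ip"], natted["src_port"])
    results["no_nat_detected"] = peer_behind_nat(0xAA, 0xBB, claimed, inside, NAT_T_PORT)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point to take from `demo()` is the asymmetry: the same NAT rewrite that invalidates the header-covering check leaves the UDP-wrapped ESP intact, and the only thing the NAT needed was a cleartext port to map. The detection step is what lets both ends decide to switch to the wrapper only when a NAT is actually in the path.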
A virtual private network [VPN] is a way to use a public telecommunication
infrastructure, such as the Internet, to provide remote offices or individual
users with secure access to their organization's network. A VPN works by
using the shared public infrastructure while maintaining privacy through
security procedures and tunneling protocols such as the Layer Two Tunneling
Protocol [L2TP]. In effect, the protocols, by encrypting data at the sending
end and decrypting it at the receiving end, send the data through a
tunnel that cannot be entered by data that is not properly
encrypted. An additional level of security involves encrypting not only the
data, but also the originating and receiving network addresses.
A SOHO network device that supports VPN will probably support either
IPsec, PPTP, L2TP or SSL VPN technologies. This means that the device
actually has an implementation of the protocol running on it and can be used
to connect to a central server or VPN gateway; therefore, a VPN client would
not be required.
A SOHO network device that supports VPN pass-thru simply means that it can
pass through packets that originate from VPN clients [typically on laptops
or PCs] out to a VPN server on the Internet. A special feature like this is
needed because:
- These SOHO devices perform NAT and PAT;
- VPN protocols like IPsec [the data path is called ESP] don't have a
specific port number that the device can use to multiplex the port address
translation back to your laptop or PC;
- This feature therefore enables special processing of IPsec ESP data
packets and lets the device keep a table of active connected VPN tunnels.
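The table of active tunnels described here, and the SPI-based multiplexing (with its one-tunnel-at-a-time limitation) from the VPN Passthrough section above, as a small Python model. This is an added example, not any product's code; the addresses, SPIs and the rule used to bind an unknown reply SPI to an inside host are constructed for the demo and are one plausible behaviour, not a standard.

```python
"""Toy IPsec ESP "VPN passthrough" table for a NAT/PAT device (added example).
PAT keys its table on the transport port, which ESP (IP protocol 50) does not
expose, so the passthrough keys on the cleartext ESP SPI instead and rewrites
only the outer IP address, leaving the encrypted payload untouched."""
import struct
from dataclasses import dataclass

ESP_PROTO = 50
WAN_IP = "203.0.113.1"      # constructed public address of the firewall
PEER = "198.51.100.7"       # constructed remote VPN gateway


def parse_esp_header(esp):
    """Return (SPI, sequence number) from the 8-byte cleartext ESP header."""
    if len(esp) < 8:
        raise ValueError("ESP packet too short")
    return struct.unpack("!II", esp[:8])


def make_esp(spi, seq, ciphertext):
    return struct.pack("!II", spi, seq) + ciphertext


@dataclass
class EspPacket:
    src_ip: str
    dst_ip: str
    esp: bytes              # ESP header followed by opaque encrypted payload
    proto: int = ESP_PROTO

    @property
    def spi(self):
        return parse_esp_header(self.esp)[0]


class Passthrough:
    def __init__(self, wan_ip, max_tunnels=8):
        self.wan_ip = wan_ip
        self.max_tunnels = max_tunnels
        self.out_spi = {}   # (peer_ip, SPI seen on outbound packets) -> inside host
        self.in_spi = {}    # (peer_ip, SPI seen on inbound packets)  -> inside host

    def outbound(self, pkt):
        """Inside -> Internet: record (peer, SPI) -> inside host, rewrite source."""
        if pkt.proto != ESP_PROTO:
            raise ValueError("passthrough handles ESP only")
        key = (pkt.dst_ip, pkt.spi)
        if key not in self.out_spi:
            if len(self.out_spi) >= self.max_tunnels:
                return None                     # table full: drop
            self.out_spi[key] = pkt.src_ip
        return EspPacket(self.wan_ip, pkt.dst_ip, pkt.esp)

    def inbound(self, pkt):
        """Internet -> inside: the reply SPI is chosen by the peer, so the device
        first sees it here and must decide which inside host it belongs to."""
        key = (pkt.src_ip, pkt.spi)
        inside = self.in_spi.get(key)
        if inside is None:
            talking = {h for (peer, _), h in self.out_spi.items() if peer == pkt.src_ip}
            bound = {h for (peer, _), h in self.in_spi.items() if peer == pkt.src_ip}
            candidates = talking - bound
            if len(candidates) != 1:
                return None                     # nobody, or ambiguous: drop
            inside = candidates.pop()
            self.in_spi[key] = inside
        return EspPacket(pkt.src_ip, inside, pkt.esp)


def demo():
    nat = Passthrough(WAN_IP)
    r = {}
    a_esp = make_esp(0x1000, 1, b"A-cipher")
    a = nat.outbound(EspPacket("192.168.1.10", PEER, a_esp))
    r["outer_src_rewritten"] = a.src_ip == WAN_IP and a.esp == a_esp
    reply_a = EspPacket(PEER, WAN_IP, make_esp(0xA001, 1, b"to-A"))
    r["reply_a_delivered"] = nat.inbound(reply_a).dst_ip == "192.168.1.10"
    nat.outbound(EspPacket("192.168.1.11", PEER, make_esp(0x2000, 1, b"B-cipher")))
    reply_b = EspPacket(PEER, WAN_IP, make_esp(0xB001, 1, b"to-B"))
    r["reply_b_delivered"] = nat.inbound(reply_b).dst_ip == "192.168.1.11"
    # two hosts open tunnels to the same peer before either reply arrives
    nat.outbound(EspPacket("192.168.1.12", PEER, make_esp(0x3000, 1, b"C-cipher")))
    nat.outbound(EspPacket("192.168.1.13", PEER, make_esp(0x4000, 1, b"D-cipher")))
    unknown = EspPacket(PEER, WAN_IP, make_esp(0xC001, 1, b"to-C-or-D"))
    r["ambiguous_reply_dropped"] = nat.inbound(unknown) is None
    r["learned_spi_still_works"] = nat.inbound(reply_a).dst_ip == "192.168.1.10"
    return r


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The ambiguous case in `demo()` is the reason some passthrough implementations only allow one tunnel per remote peer: the inbound SPI is chosen by the far end and is not visible on any outbound packet, so the device can only guess when several inside hosts are waiting on the same gateway.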