What is the difference between source NAT and destination NAT?

Source NAT (SNAT) rewrites the source IP address of a packet — used when a private/internal client connects outbound (LAN → internet) and you want the public-facing world to see a single shared public IP. Destination NAT (DNAT) rewrites the destination IP address — used when external clients connect inbound to a public IP that the firewall must translate to an internal server's private IP (port forwarding, server publishing, hairpin). On Cisco ASA / Palo Alto / Fortinet, SNAT is "PAT/dynamic NAT", DNAT is "static NAT" or "policy-based NAT".

Where is source NAT used in real networks?

Source NAT is the most common NAT type in the world — any home or office network where multiple private devices (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) share a single public IP for internet access uses PAT (a form of SNAT). Every consumer broadband router does this. In enterprises: branch-office firewalls translating LAN to ISP-assigned public IPs, AWS NAT Gateways letting private subnets reach the internet.

Where is destination NAT used in real networks?

Destination NAT is used for "server publishing": you want internet users to reach 203.0.113.10 but your actual web server lives at 10.1.1.50 inside the data centre — the firewall translates the destination. Also used in load-balancing (DNAT to a VIP), port forwarding on home routers, and Kubernetes services (ClusterIP → Pod IP is a form of DNAT). On Cisco ASA: "static NAT" rules. On Palo Alto: explicit DNAT policy.

Can a single connection use both source NAT and destination NAT?

Yes — this is called "double NAT" or "twice NAT". Common in hairpin / U-turn scenarios where an internal user accesses an internal server via the firewall's public IP. The firewall must DNAT the destination (to reach the internal server) and SNAT the source (so return traffic comes back through the firewall, not directly). Configured on Palo Alto as a U-Turn NAT policy, on Cisco ASA via twice NAT statements.

PAT (Port Address Translation, also called NAPT) is a form of source NAT that maps many private IPs to a single public IP by varying the source port. NAT in the strict sense maps 1:1 (one private IP → one public IP). PAT is N:1 (many private → one public). In practice, "NAT" colloquially includes PAT — what most home routers do is technically PAT but everyone calls it NAT.

Source NAT vs Destination NAT — How They Work and When to Use Each (2026)

Last updated 2026-05-17 · Reviewed by the Networkers Home technical writing team

Source NAT (SNAT) rewrites the source IP of a packet — used when private clients connect outbound (LAN → internet). Destination NAT (DNAT) rewrites the destination IP — used when external clients connect inbound to a public IP that the firewall must translate to an internal server's private IP (port forwarding, server publishing). Both are CCNA 200-301 exam topics under Domain 4 (IP Services).

Quick comparison table

Aspect	Source NAT	Destination NAT
Rewrites	Source IP (and often source port)	Destination IP (and often destination port)
Traffic direction	Outbound (inside → outside)	Inbound (outside → inside)
Primary use case	Many private clients sharing a public IP	External users reaching internal servers
Cisco ASA terminology	Dynamic NAT / PAT	Static NAT
Palo Alto terminology	Source Translation (Dynamic IP and Port)	Destination Translation
Fortinet terminology	IP Pool / Outgoing NAT	VIP (Virtual IP)
Address mapping	Usually many-to-one (PAT)	Usually one-to-one (or one-to-many for load balancing)
Real-world example	Home Wi-Fi devices reaching the internet	www.example.com pointing to a private 10.1.1.50 server

Source NAT — how it works

Source NAT replaces the source IP (and sometimes port) of an outbound packet. When the response comes back, the firewall reverses the translation so the response reaches the original client. Most commonly implemented as PAT (Port Address Translation) where many private clients share a single public IP by being assigned unique source ports.

Cisco IOS PAT config example (overloading the WAN interface):

access-list 10 permit 10.0.0.0 0.255.255.255
ip nat inside source list 10 interface GigabitEthernet0/1 overload
interface GigabitEthernet0/0
 ip nat inside
interface GigabitEthernet0/1
 ip nat outside

Destination NAT — how it works

Destination NAT replaces the destination IP of an inbound packet. Used when you want public users to reach a server that lives behind the firewall on private address space.

Cisco IOS static NAT example (publish internal web server):

ip nat inside source static 10.1.1.50 203.0.113.10
! external users hitting 203.0.113.10:443 get DNAT'd to 10.1.1.50:443

Double NAT (twice NAT, hairpin/U-turn)

Sometimes a single connection needs both. Classic case: an internal user accesses your company website via its public URL (which resolves to the firewall's public IP). The firewall must DNAT the destination (to the internal web server) AND SNAT the source (so the server's return traffic comes back through the firewall, not directly to the internal client). On Palo Alto this is a U-Turn NAT policy; on Cisco ASA it's twice NAT.

Where these appear in exams

CCNA 200-301 — Domain 4 (IP Services): basic NAT and PAT configuration on Cisco IOS routers. See CCNA overview.
CCNP Security — advanced NAT including twice NAT, identity NAT on ASA/FTD.
Palo Alto PCNSE — full NAT policy authoring (source + destination + bi-directional + dual-stack).
Fortinet NSE 4/7 — IP Pool, VIP, Central NAT table configuration.

For hands-on CLI practice on real Cisco hardware: Networkers Home CCNA · Palo Alto PCNSE.