September 5, 2019 By Frank Chodacki 6 min read

Explaining some basic network concepts.

I’m excited to be back to explain some basic network concepts that are pretty ubiquitous and universally used—”NAT” and “firewall.”

I use the analogy of communication between apartment buildings and outside companies to go over network address translation (NAT), stateless firewalls, stateful firewalls, and application firewalls. I hope you enjoy!

Learn more

Video Transcript

NAT and Firewall

Hi, my name’s Frank Chodacki. I’m part of the IBM Cloud team, and I’m here to explain some basic network concepts that are pretty ubiquitous or universally used, and the terms are “NAT” and “firewall.”


Let’s start off with NAT. NAT stands for “network address translation.” It’s described in an IETF RFC 1918.

And what NATing really does is allows us to translate internet addresses to private address space. Private address space is really there because there’s only a finite number of internet TCP IP addresses.

The apartment analogy

So, to cover this topic, I always find it’s better to use analogies, and we are going to use the apartment analogy to describe what an internal network or TCP IP range is versus an external TCP IP range.

So over here we have our apartment buildings—we have Apartment Building 1; we have Apartment Building 2. And within those apartment buildings, we have Apartment 1, 2, 3, 4, etc., etc.

And over in Apartment Building 2—well, lo and behold—we have the same apartment numbers, okay.

The only thing that really differentiates Apartment 1 in Building 2 and Apartment 1 in Building 1 is their street address. So, much like an internet TCP IP address, the street address is uniquely addressable across the world. So, we have Apartment 1 is let’s say 123 1st Street. And Apartment 2 is 157 2nd Street.

So, those addresses—the street addresses—uniquely addressable across the world whereas the apartments themselves, the apartment numbers, are not unique. So that really describes the difference between an internal 1918 TCP IP address and an external address.

Well, how do you get between those two things?

You get there by something called NAT—network address translation. NAT is typically used to translate an IP address from one range or multiple IP addresses from one range to an IP address on some other range. 

It’s commonly used between private internal networks and an internet IP address because those are finite, and, subsequently, they can be very expensive to purchase or to use.

So, in the case of Apartment 1 we have a device that does our NATing.

And the second part of this topic is firewalls. A NAT device typically goes along with the firewall function and is usually employed in some kind of a routing device. A routing device connects two or more computer networks.

So, we’re just gonna put our firewall down here and in both are apartments here, so NAT and firewall.

Sending via NAT

So, let’s say someone in Apartment 2 wants to communicate or send a letter, a mail—remember those mail? Over to and he wants to send it out over, you know, from his street address to the Company 1 street address—or, let’s just say, from his internal IP address to a public IP address or an internet IP address.

What he would do is send that out to the NATing device which is akin to—let’s say you have a home router or routing device; that’s the first device you’re traffic’s going to hit.

The NAT, network address translation, part of that is going to convert that internal address to a real internet address—which is what? It’s this 123 1st Street. 

That traffic is gonna traverse from 123 1st Street, so it’s like sending mail with the return address being 123 1st Street over to

As soon as sends a response it’s going to not send it to Apartment 2—it’s actually going to send it to 123 1st Street.

It’s going to send a response back, and what’s going to happen is the NATing device actually keeps track of what’s going out and the corresponding response. And it knows that the response to 123 1st Street—let’s say it’s the person’s name, they put their name on the letter going out—it knows it converts that to an internal address which happens to be Apartment 2, it knows that person lives in Apartment 2.

 Here’s the key: Company 1 doesn’t know that that person lives Apartment 2. All it knows is 123 1st Street—essentially obscuring the final address of that person. So, by that, it’s kind of a security device because it protects that person; it’s akin to a security device.


Now, that by itself is typically not enough. On the same device, we’ll have a firewall function. What’s a firewall function? A firewall function is known as a security device, service appliance that actually monitors the network communication between some source and some destination, typically deployed across two different networks. That’s not always the case, but in this analogy, we’re gonna just say the firewall is there between the internal network and the external network, and notice we have it deployed on our NAT device.

Stateless firewall

So, in a typical firewall, we’ll have something called a stateless firewall.

And all a stateless firewall is, it’s just like a lock on the door. So, we put a lock over here, and we put a lock over here, well, all that says is: “I’m a person that wishes to get into the apartment I have a key and I’ll open the door and go in.”

Well, it’s not a bad way to go, and it keeps most people out of the apartment building that don’t live there, but somebody can tailgate and they can go in behind that behind the traffic—maybe figure out the key, there’s a couple different ways. It’s a decent firewall but as things get more sophisticated, it’s not enough.

Stateful firewall

So, the next type of firewall that came up was called stateful.

So, stateful firewall does this—now we’ve hired a security guard—here’s our security guard, he’s a cool dude.

He’s sitting at that the front desk. So, as traffic tries to enter the apartment building, maybe they have a key, he looks at the person and say’s “Where are you going?” – “I’m going to Apartment 4.”

Okay, so now the traffic’s allowed to Apartment 4. Doesn’t ask what the person’s doing there or anything else, just allows the traffic.

So, really, a stateful firewall understands the source and destination of the traffic, and it actually monitors the conversation between that source and destination. And does a little bit more being a traffic cop between those two sources and destinations.

Application firewall

So, the last thing we’re gonna look at is something called an application firewall.

Application firewall is something that looks deeper the conversation. So now we have our traffic cop over here, and what he’s doing is, now rather than just asking what apartment you’re going to, he’s going to ask what your purpose is.

It actually looks deeper into the conversation; if we’re talking about web service traffic, and makes sure that’s really web-type traffic that’s being communicated from the source and destination, not just some other type of traffic that could be some kind of malicious traffic.

So, in other words, it’s analogous to—okay, I have a person trying to get to Apartment 2, and that person says that they’re there to deliver a pizza, when really you know they’re trying to do door-to-door sales. So, the security guard, in this case, would figure that out and not allow the person access to their apartment.

And those are the basics of NATing and firewall.

Was this article helpful?

More from Cloud

A clear path to value: Overcome challenges on your FinOps journey 

3 min read - In recent years, cloud adoption services have accelerated, with companies increasingly moving from traditional on-premises hosting to public cloud solutions. However, the rise of hybrid and multi-cloud patterns has led to challenges in optimizing value and controlling cloud expenditure, resulting in a shift from capital to operational expenses.   According to a Gartner report, cloud operational expenses are expected to surpass traditional IT spending, reflecting the ongoing transformation in expenditure patterns by 2025. FinOps is an evolving cloud financial management discipline…

IBM Power8 end of service: What are my options?

3 min read - IBM Power8® generation of IBM Power Systems was introduced ten years ago and it is now time to retire that generation. The end-of-service (EoS) support for the entire IBM Power8 server line is scheduled for this year, commencing in March 2024 and concluding in October 2024. EoS dates vary by model: 31 March 2024: maintenance expires for Power Systems S812LC, S822, S822L, 822LC, 824 and 824L. 31 May 2024: maintenance expires for Power Systems S812L, S814 and 822LC. 31 October…

24 IBM offerings winning TrustRadius 2024 Top Rated Awards

2 min read - TrustRadius is a buyer intelligence platform for business technology. Comprehensive product information, in-depth customer insights and peer conversations enable buyers to make confident decisions. “Earning a Top Rated Award means the vendor has excellent customer satisfaction and proven credibility. It’s based entirely on reviews and customer sentiment,” said Becky Susko, TrustRadius, Marketing Program Manager of Awards. Top Rated Awards have to be earned: Gain 10+ new reviews in the past 12 months Earn a trScore of 7.5 or higher from…

IBM Newsletters

Get our newsletters and topic updates that deliver the latest thought leadership and insights on emerging trends.
Subscribe now More newsletters