September 5, 2019 By Frank Chodacki 6 min read

Explaining some basic network concepts.

I’m excited to be back to explain some basic network concepts that are pretty ubiquitous and universally used—“NAT” and “firewall.”

I use the analogy of communication between apartment buildings and outside companies to go over network address translation (NAT), stateless firewalls, stateful firewalls, and application firewalls. I hope you enjoy!


Video Transcript

NAT and Firewall

Hi, my name’s Frank Chodacki. I’m part of the IBM Cloud team, and I’m here to explain some basic network concepts that are pretty ubiquitous or universally used, and the terms are “NAT” and “firewall.”

NAT

Let’s start off with NAT. NAT stands for “network address translation.” It’s described in an IETF RFC 1918.

And what NATing really does is allow us to translate internet addresses to private address space. Private address space is really there because there’s only a finite number of internet TCP/IP addresses.

The apartment analogy

So, to cover this topic, I always find it’s better to use analogies, and we are going to use the apartment analogy to describe what an internal network or TCP/IP range is versus an external TCP/IP range.

So over here we have our apartment buildings—we have Apartment Building 1; we have Apartment Building 2. And within those apartment buildings, we have Apartment 1, 2, 3, 4, etc., etc.

And over in Apartment Building 2—well, lo and behold—we have the same apartment numbers, okay.

The only thing that really differentiates Apartment 1 in Building 2 and Apartment 1 in Building 1 is their street address. So, much like an internet TCP/IP address, the street address is uniquely addressable across the world. So, let’s say Apartment Building 1 is 123 1st Street, and Apartment Building 2 is 157 2nd Street.

So, those addresses—the street addresses—are uniquely addressable across the world, whereas the apartments themselves, the apartment numbers, are not unique. So that really describes the difference between an internal 1918 TCP/IP address and an external address.

Well, how do you get between those two things?

You get there by something called NAT—network address translation. NAT is typically used to translate an IP address from one range or multiple IP addresses from one range to an IP address on some other range. 

It’s commonly used between private internal networks and an internet IP address because those are finite, and, subsequently, they can be very expensive to purchase or to use.

So, in the case of Apartment 1 we have a device that does our NATing.

And the second part of this topic is firewalls. A NAT device typically goes along with the firewall function and is usually employed in some kind of a routing device. A routing device connects two or more computer networks.

So, we’re just gonna put our firewall down here in both our apartment buildings, so NAT and firewall.

Sending via NAT

So, let’s say someone in Apartment 2 wants to communicate or send a letter—remember those?—over to Company1.net, and he wants to send it out, you know, from his street address to the Company 1 street address—or, let’s just say, from his internal IP address to a public IP address or an internet IP address.

What he would do is send that out to the NATing device, which is akin to—let’s say you have a home router or routing device; that’s the first device your traffic’s going to hit.

The NAT, network address translation, part of that is going to convert that internal address to a real internet address—which is what? It’s this 123 1st Street. 

That traffic is gonna traverse from 123 1st Street, so it’s like sending mail with the return address being 123 1st Street over to Company1.net.

As soon as Company1.net sends a response it’s going to not send it to Apartment 2—it’s actually going to send it to 123 1st Street.

It’s going to send a response back, and what’s going to happen is the NATing device actually keeps track of what’s going out and the corresponding response. And it knows that the response to 123 1st Street—let’s say it’s the person’s name; they put their name on the letter going out—it knows to convert that to an internal address, which happens to be Apartment 2; it knows that person lives in Apartment 2.

Here’s the key: Company 1 doesn’t know that that person lives in Apartment 2. All it knows is 123 1st Street—essentially obscuring the final address of that person. So, by that, it’s kind of a security device because it protects that person; it’s akin to a security device.

Firewall

Now, that by itself is typically not enough. On the same device, we’ll have a firewall function. What’s a firewall function? A firewall function is known as a security device, service appliance that actually monitors the network communication between some source and some destination, typically deployed across two different networks. That’s not always the case, but in this analogy, we’re gonna just say the firewall is there between the internal network and the external network, and notice we have it deployed on our NAT device.

Stateless firewall

So, in a typical firewall, we’ll have something called a stateless firewall.

And all a stateless firewall is, it’s just like a lock on the door. So, we put a lock over here, and we put a lock over here; well, all that says is: “I’m a person that wishes to get into the apartment; I have a key, and I’ll open the door and go in.”

Well, it’s not a bad way to go, and it keeps most people out of the apartment building that don’t live there, but somebody can tailgate and go in behind the traffic—maybe figure out the key; there’s a couple different ways. It’s a decent firewall, but as things get more sophisticated, it’s not enough.

Stateful firewall

So, the next type of firewall that came up was called stateful.

So, a stateful firewall does this—now we’ve hired a security guard—here’s our security guard; he’s a cool dude.

He’s sitting at the front desk. So, as traffic tries to enter the apartment building, maybe they have a key, he looks at the person and says, “Where are you going?” – “I’m going to Apartment 4.”

Okay, so now the traffic’s allowed to Apartment 4. Doesn’t ask what the person’s doing there or anything else, just allows the traffic.

So, really, a stateful firewall understands the source and destination of the traffic, and it actually monitors the conversation between that source and destination. And does a little bit more being a traffic cop between those two sources and destinations.

Application firewall

So, the last thing we’re gonna look at is something called an application firewall.

An application firewall is something that looks deeper into the conversation. So now we have our traffic cop over here, and what he’s doing is, now rather than just asking what apartment you’re going to, he’s going to ask what your purpose is.

It actually looks deeper into the conversation—if we’re talking about web service traffic, it makes sure that’s really web-type traffic that’s being communicated between the source and destination, not just some other type of traffic that could be some kind of malicious traffic.

So, in other words, it’s analogous to—okay, I have a person trying to get to Apartment 2, and that person says that they’re there to deliver a pizza, when really you know they’re trying to do door-to-door sales. So, the security guard, in this case, would figure that out and not allow the person access to their apartment.
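The NAT bookkeeping from the “Sending via NAT” section and the three firewall behaviours just described, as an added Python example that is not part of the original post or of any IBM product; the addresses, ports, the flow table and the “must look like HTTP” check are constructed assumptions for the toy model:

```python
from dataclasses import dataclass, field
from typing import Optional

PUBLIC_IP = "198.51.100.1"   # constructed: the building's "street address"
SERVICE_PORTS = {80, 443}    # stateless rule: only replies from web ports get in

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes = b""

@dataclass
class NatFirewall:
    """Toy NAT device whose inbound path applies the three checks in the
    order the transcript introduces them: stateless, stateful, application."""
    next_port: int = 40000
    # public port -> (private ip, private port, remote ip, remote port)
    flows: dict = field(default_factory=dict)

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite the private source to the public address and remember the flow,
        the way the NAT remembers whose name went out on the letter."""
        pub_port, self.next_port = self.next_port, self.next_port + 1
        self.flows[pub_port] = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return Packet(PUBLIC_IP, pub_port, pkt.dst_ip, pkt.dst_port, pkt.payload)

    def inbound(self, pkt: Packet, mode: str) -> Optional[Packet]:
        """Return the packet translated back to the apartment, or None if dropped."""
        flow = self.flows.get(pkt.dst_port)
        # Stateless ("lock on the door"): any packet from a web port is let in,
        # so a tailgater that picks source port 80 walks straight past it.
        if pkt.src_port not in SERVICE_PORTS or flow is None:
            return None
        if mode in ("stateful", "application"):
            # Stateful ("where are you going?"): the reply must belong to a
            # conversation this device saw go out, from that same remote endpoint.
            if flow[2:] != (pkt.src_ip, pkt.src_port):
                return None
        if mode == "application":
            # Application ("what is your purpose?"): port-80 traffic must actually
            # look like HTTP, not just arrive on the web port.
            if pkt.src_port == 80 and not pkt.payload.startswith(b"HTTP/"):
                return None
        priv_ip, priv_port = flow[:2]
        return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port, pkt.payload)
```

Running the same reply through `inbound` with each `mode` shows which layer stops the tailgater and which stops the “pizza delivery” that is really something else.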

And those are the basics of NATing and firewall.
