Network address translation (NAT) is a function, typically in a router or firewall, by which an internal IP address is translated to an external IP address. The terms internal and external are generic and ambiguous on their own; their precise meaning depends on the application. For example, the most common NAT application is to facilitate communication from hosts on private networks to hosts on the public Internet. In that case, the internal addresses are private addresses and the external addresses are public addresses.
Note:
This common NAT application does not use a web proxy server, which would be an entirely different scenario.
Another common NAT application is for some VPN clients. The internal address in VPN clients is the physical address, and the external address is the virtual address. This physical address does not have to be a private address, as the subscriber can pay for a public address from the broadband service provider. Regardless of the nature of the physical address, the physical address cannot be used to communicate back to the enterprise network through a VPN tunnel. After the tunnel is established, the enterprise VPN gateway assigns a virtual address to the VPN client application on the enterprise host. This virtual address is part of the enterprise IP address space, and it must be used to communicate back to the enterprise network.
The application of the virtual address varies among VPN clients. Some VPN clients integrate with the operating system so that packets from IP applications on the enterprise host are sourced from the virtual IP address. Examples of IP applications include FTP and telnet. These IP applications inherently use the virtual IP address. With other VPN clients, the IP applications do not use the virtual IP address. Instead, IP applications on the enterprise host inherently use the physical IP address, and the VPN client performs a NAT from the physical address to the virtual IP address. This NAT is the same kind of translation that a router or firewall performs.
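The following added example (not code from any router, firewall or VPN client product) models the translation described above as a small source-NAT table: outbound packets have their internal source address rewritten to one external address with a per-flow port, and replies are mapped back through the same table. The same class serves both cases the text names, the edge router translating a private address to a public one and the VPN client translating its physical address to the virtual address assigned by the VPN gateway; all addresses and ports are constructed sample values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Nat:
    """Minimal source NAT with port translation (NAPT): every internal
    flow is rewritten to the single external address and a unique port,
    and the flow table lets replies be translated back to the originator."""

    def __init__(self, external_ip, first_port=40000):
        self.external_ip = external_ip
        self.next_port = first_port
        self.out = {}   # (src, sport, dst, dport) -> external port
        self.back = {}  # (external port, remote ip, remote port) -> (src, sport)

    def translate_outbound(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        port = self.out.get(key)
        if port is None:                     # new flow: allocate a port
            port = self.next_port
            self.next_port += 1
            self.out[key] = port
            self.back[(port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return Packet(self.external_ip, port, pkt.dst, pkt.dport)

    def translate_inbound(self, pkt):
        # Replies arrive addressed to the external address; anything that
        # does not match an existing flow is unsolicited and is dropped.
        if pkt.dst != self.external_ip:
            return None
        entry = self.back.get((pkt.dport, pkt.src, pkt.sport))
        if entry is None:
            return None
        src, sport = entry
        return Packet(pkt.src, pkt.sport, src, sport)


def demo():
    # Case 1: edge router, private 192.168.1.20 -> public 203.0.113.10
    edge = Nat("203.0.113.10")
    out = edge.translate_outbound(Packet("192.168.1.20", 51000, "198.51.100.5", 443))
    reply = edge.translate_inbound(Packet("198.51.100.5", 443, "203.0.113.10", out.sport))
    # Case 2: VPN client, physical 192.168.1.20 -> virtual 10.200.0.7 inside the tunnel
    vpn = Nat("10.200.0.7")
    out2 = vpn.translate_outbound(Packet("192.168.1.20", 51001, "10.10.5.25", 23))
    return out, reply, out2
```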