NAT stands for Network Address Translation, and describes the (controlled) change of IP address and/or port. It is usually performed when trying to connect computers on a local network to the Internet. NAT was defined in RFC 2663.
As long as both communication partners are located in the same network, data can be transmitted directly via routers. For data exchange with the public network, one needs a public IP address, either permanent or dynamically assigned by the access provider. This address is necessary because a remote server needs to know where to send its reply.
If a participant in the local network requests an external resource, the routers in the network recognize this and forward the request to the firewall or router that connects to the public network. This device therefore has two IP addresses: an internal and an external one.
This router keeps track of who has sent the request, and issues the request itself to the public network. The remote server sees a request from the address of this firewall or the intermediate routers, and sends its reply back to it.
When the router receives the answer, it knows to whom it has to pass it, because it has remembered the requesting computer.
internal [192.168.1.1] -> [192.168.1.2] ~ router ~ [abcd]
[abcd] -> [wxyz] www.example.org
www.example.org [wxyz] -> [abcd] ~ router ~ [192.168.1.2]
[192.168.1.2] -> [192.168.1.1] internal
This means that all computers in a local network appear in the public network at the same address. Only the router that finally connects the local network to the public one knows who requested what. This simplifies maintenance drastically.
Under the simplifying assumption that internal data is not critical and local systems can trust each other, only the connecting router is visible to the outside and has to be explicitly protected. All computers in the local network stand behind this router, are not directly visible and are therefore not directly accessible. Exhaustive filtering for valid ports and removal of unwanted content is also easily possible.
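The bookkeeping described above (the router remembering who sent a request) and its consequence (hosts behind the router not being reachable from outside) can be shown with a small model. This is an added example, not code from the original page: the class and function names are hypothetical, the public address 203.0.113.1, the server 198.51.100.7 and the second host 192.168.1.3 are constructed sample values, and matching replies by remote endpoint is a modelling assumption.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: tuple  # (ip, port)
    dst: tuple  # (ip, port)

class NatRouter:
    """Port-translating NAT: many private hosts share one public address."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out = {}   # (private endpoint, remote endpoint) -> public port
        self.back = {}  # (public port, remote endpoint) -> private endpoint

    def outbound(self, pkt):
        """Rewrite the private source to the router's public address."""
        key = (pkt.src, pkt.dst)
        if key not in self.out:          # first packet of a flow: remember it
            self.out[key] = self.next_port
            self.back[(self.next_port, pkt.dst)] = pkt.src
            self.next_port += 1
        return Packet((self.public_ip, self.out[key]), pkt.dst)

    def inbound(self, pkt):
        """Restore the private destination; return None (drop) if no flow matches."""
        if pkt.dst[0] != self.public_ip:
            return None
        private = self.back.get((pkt.dst[1], pkt.src))
        return Packet(pkt.src, private) if private else None

def demo():
    router = NatRouter("203.0.113.1")            # constructed public address
    server = ("198.51.100.7", 80)                # constructed remote server
    # Two internal hosts use the same source port; the router keeps them apart.
    a = router.outbound(Packet(("192.168.1.1", 51000), server))
    b = router.outbound(Packet(("192.168.1.3", 51000), server))
    reply_a = router.inbound(Packet(server, a.src))
    reply_b = router.inbound(Packet(server, b.src))
    # Packet from a host nobody contacted: no table entry, so it is dropped.
    stray = router.inbound(Packet(("192.0.2.99", 4444), a.src))
    return a, b, reply_a, reply_b, stray

if __name__ == "__main__":
    for item in demo():
        print(item)
```

Both requests leave with the same public source address and differ only in the translated port, which is the only thing the remote server ever sees.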
NAT drastically reduces the need for (different) IP addresses. A company with 1000 computers that are to connect to the Internet needs 1000 IP addresses if each computer is to communicate directly with Internet facilities. All computers would be directly accessible from the outside, and all of them would have to be secured.
Using Network Address Translation, the need is reduced to the 1000 private addresses, for example from the 10.x.x.x block, which are free and invisible to the outside world. To connect to the public network, only one public IP address is needed.
Between these two extremes every gradation is possible with NAT.