The result is that, in theory, a single globally unique IP address can front for hundreds, thousands or even millions of privately addressed hosts. In practice, however, there are drawbacks. For one thing, many Internet protocols and applications depend on the network being truly end-to-end, with packets forwarded unmodified from source to destination. The IP security architecture (IPsec) is the classic example: its Authentication Header computes an integrity check over the IP header, source address included, using a keyed hash. Rewrite the source address in transit and the check fails at the receiver, so every packet is discarded. (Later IPsec deployments work around this by encapsulating ESP in UDP, the so-called NAT traversal mode, which leaves the outer header unprotected and translatable.)
NAT raises administrative challenges as well. Although NAT is a nice solution for an organization, branch or even a department that can't get enough globally unique Internet addresses, it becomes a huge problem when reorganizations, mergers or acquisitions require the consolidation of two or more private networks, because each of them has typically drawn its addresses from the same RFC 1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and the overlapping hosts can no longer be told apart. Even when organizational charts are stable, NAT devices can inadvertently be nested one behind another, causing routing nightmares.
Beyond the Device
While hosts inside a private network usually connect easily with servers on the outside, hosts on the Internet can't always easily connect to servers within the network. As far as external hosts are concerned, they're communicating directly with a single host -- the NAT device itself. The private network is effectively invisible to the outside world, which thinks all traffic from that network is actually traffic originating and terminating at the NAT device.
Network Address Port Translation (NAPT) helps alleviate this problem by translating not just the IP address but also the transport layer port. The device records each outbound (private address, port) pair against the public port it assigns, so replies to that public port can be mapped back to the right internal host. For unsolicited inbound traffic, an administrator configures a static mapping: an inbound packet addressed to port 80 (HTTP) on the NAPT device's public address can then be translated and passed along to the private network's Web server. Without port translation, the NAT device has no way of knowing which host in the private network to pass such packets to.
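The translation table described above, as an added example that is not part of the original article: a toy NAPT device in Python with a dynamic table for outbound flows, a static port forward for the Web server, and the drop rule that makes the private network "invisible" to unsolicited traffic. The class and method names, the public address 203.0.113.1, the private 192.168.1.0/24 hosts and the port numbers are all constructed for this illustration. Real NAT devices differ in how strictly they match the remote peer on inbound packets; this one only accepts a reply from the exact peer the inside host contacted.

```python
"""Toy NAPT (port-translating NAT). Constructed example; not a real implementation."""
import itertools
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (IP address, transport port)


@dataclass(frozen=True)
class Packet:
    src: Endpoint
    dst: Endpoint
    proto: str = "tcp"


class Napt:
    """One public address fronting many private hosts.

    Dynamic mappings are handed out from `first_port` upward; static
    port forwards are expected to use well-known ports below that range.
    """

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self._next_port = itertools.count(first_port)
        # outbound view: (private endpoint, remote endpoint) -> public port
        self._out: Dict[Tuple[Endpoint, Endpoint], int] = {}
        # inbound view: public port -> (private endpoint, remote endpoint)
        self._in: Dict[int, Tuple[Endpoint, Endpoint]] = {}
        # administrator-configured static forwards: public port -> private endpoint
        self._forward: Dict[int, Endpoint] = {}

    def forward_port(self, public_port: int, private: Endpoint) -> None:
        """Static mapping so an outside host can reach an inside server."""
        if public_port in self._in or public_port in self._forward:
            raise ValueError(f"public port {public_port} already in use")
        self._forward[public_port] = private

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite the source of an inside-to-outside packet; record the mapping."""
        key = (pkt.src, pkt.dst)
        port = self._out.get(key)
        if port is None:  # first packet of this flow: allocate a public port
            port = next(self._next_port)
            self._out[key] = port
            self._in[port] = (pkt.src, pkt.dst)
        return Packet((self.public_ip, port), pkt.dst, pkt.proto)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite the destination of an outside-to-inside packet, or drop it (None)."""
        if pkt.dst[0] != self.public_ip:
            return None  # not addressed to us at all
        port = pkt.dst[1]
        entry = self._in.get(port)
        if entry is not None:
            private, remote = entry
            # Only the peer the inside host actually talked to may use this mapping.
            return Packet(pkt.src, private, pkt.proto) if pkt.src == remote else None
        fwd = self._forward.get(port)
        if fwd is not None:
            return Packet(pkt.src, fwd, pkt.proto)
        # No dynamic entry and no static forward: the inside network is invisible.
        return None


if __name__ == "__main__":
    nat = Napt("203.0.113.1")
    nat.forward_port(80, ("192.168.1.10", 80))  # inside Web server
    out = nat.outbound(Packet(("192.168.1.20", 51000), ("198.51.100.5", 443)))
    print("outbound rewritten to", out.src)
    print("reply maps to", nat.inbound(Packet(("198.51.100.5", 443), out.src)).dst)
    print("unsolicited port 22:", nat.inbound(Packet(("198.51.100.9", 4444), ("203.0.113.1", 22))))
    print("port 80 forward:", nat.inbound(Packet(("198.51.100.9", 4444), ("203.0.113.1", 80))).dst)
```

Two inside hosts using the same source port (51000) get distinct public ports, which is the whole point of translating the port and not just the address; a packet from a different outside host aimed at an existing dynamic mapping is dropped, as is anything aimed at a port with no mapping at all.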
NAT is often positioned as a security solution. After all, the private network seems to be hidden from view, and a NAPT device does incidentally drop inbound packets for which it holds no mapping. But that is all it does: it says nothing about what inside hosts send out, inspects none of the traffic it does pass, and forwards anything that matches a mapping, whatever its content. And if an attacker can gain control of the NAT device, the entire network is exposed. NAT shouldn't be considered a replacement for a firewall, though simple devices implementing NAT can be useful for protecting small office and home office networks.
Although NAT fans proclaim it as the long-term solution to the IPv4 address shortage, it remains a short-term fix. Even setting aside the architectural and deployment problems above, the IPv4 address space itself is still finite and would soon be exhausted even if every network were hidden behind a NAT device.