With NAT, IP addresses in the internal network are not routable from the external one; the comparison with a firewall is not completely correct, because a firewall filters network traffic which, ordinarily, should be able to flow through it; NAT reshapes traffic that ordinarily shouldn't be able to flow that way, allowing it to flow under some specific rules.

A firewall guards a door that would be otherwise open.
A NAT opens a door where there isn't one.

With a firewall you could allow all traffic from the external network to the internal protected one; with a NAT you couldn't, even if you wished.

They're two totally different things, even if they're often confused; as far as security is concerned, a private-IP network behind a NAT is actually more secure than a public-IP network behind a firewall.

Update to respond to your example

That's exactly what I was talking about; in your case, 192.168.1.50 isn't addressable from the outside, so there's absolutely no way it can be accessed, unless you explicitly forward some external IP/port to it.


By default, a simple NAT would drop or reject any incoming connection to a non-mapped port. That by itself is the first and most important feature of a firewall. So yes, a NAT works as a limited firewall.

But there are two important limitations:

  1. By default, a NAT doesn't block any outgoing connection, so you're vulnerable to any kind of infection that gets inside somehow. The simplest example is a malicious webpage or email attachment. In many cases, this malware includes very limited code in the first load, and needs some 'assistance' from the outside. If you have a firewall with tight restrictions, it could block that step, stopping or slowing the damage.

    • A NAT's primary function is to facilitate connection, not to block it. Therefore it's usually desirable to offer some way to circumvent the inherent NAT limitation on incoming connections. UPnP, STUN, Teredo, SOCKS, etc. all make it possible for a machine in your network to ask for incoming connections. A NAT that doesn't make them possible is seen as overly and needlessly restrictive; so the 'ideal' scenario is one where the NAT allows easy 'hole punching' and a proper firewall allows the administrator to apply policies.
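The behaviour both answers describe can be made concrete with a small stateful-NAT model. This is an added example written for this page, not code from either answer: it simulates a full-cone NAT in front of the 192.168.1.0/24 network from the question, with the public address 203.0.113.5 and the remote peer 198.51.100.7 chosen from documentation ranges as assumptions. It shows that a packet sent to the private address never arrives, that an unsolicited packet to an unmapped public port is dropped, that an explicit port forward is what makes 192.168.1.50 reachable, that an outbound connection creates exactly the mapping hole punching relies on, and that blocking outbound traffic is a separate firewall policy rather than something the translation does.

```python
"""Toy model of a stateful (full-cone) NAT with an optional egress policy.

Constructed illustration only: packets are small records, not real network
traffic, and every address below is an assumed documentation-range value.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

Endpoint = Tuple[str, int]  # (ip, port)


@dataclass(frozen=True)
class Packet:
    src: Endpoint
    dst: Endpoint
    proto: str = "tcp"


@dataclass
class Nat:
    public_ip: str
    next_port: int = 40000
    # Dynamic table: (proto, public port) -> internal endpoint. Entries are
    # created by outbound traffic only; nothing from outside can add one.
    table: Dict[Tuple[str, int], Endpoint] = field(default_factory=dict)
    # Static port forwards configured by the administrator.
    forwards: Dict[Tuple[str, int], Endpoint] = field(default_factory=dict)
    # Egress allow-list of remote ports. Empty means "no policy": the NAT by
    # itself never blocks outbound traffic; this set models a firewall rule.
    egress_allow: Set[int] = field(default_factory=set)

    def forward_port(self, proto: str, public_port: int, internal: Endpoint) -> None:
        self.forwards[(proto, public_port)] = internal

    def _mapping_for(self, proto: str, internal: Endpoint) -> Tuple[str, int]:
        """Reuse an existing public port for this internal endpoint or allocate one."""
        for key, ep in self.table.items():
            if key[0] == proto and ep == internal:
                return key
        key = (proto, self.next_port)
        self.next_port += 1
        self.table[key] = internal
        return key

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Inside -> outside. Returns the translated packet, or None if the
        egress policy (not the NAT) rejects it."""
        if self.egress_allow and pkt.dst[1] not in self.egress_allow:
            return None
        key = self._mapping_for(pkt.proto, pkt.src)
        return Packet((self.public_ip, key[1]), pkt.dst, pkt.proto)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside. Delivered only through a static forward or a
        mapping an internal host created; everything else is dropped.
        Full-cone behaviour: any remote may use an existing mapping, which is
        what STUN-style hole punching relies on (symmetric NATs are stricter)."""
        if pkt.dst[0] != self.public_ip:
            return None  # a private address is simply not routable from outside
        key = (pkt.proto, pkt.dst[1])
        internal = self.forwards.get(key) or self.table.get(key)
        if internal is None:
            return None
        return Packet(pkt.src, internal, pkt.proto)


def demo() -> Dict[str, Optional[Packet]]:
    """Walk through the scenarios discussed above and return each outcome."""
    nat = Nat("203.0.113.5")
    web = ("192.168.1.50", 80)
    remote = ("198.51.100.7", 443)
    results: Dict[str, Optional[Packet]] = {}

    # 1. Addressing the private IP directly from outside: never delivered.
    results["to_private_ip"] = nat.inbound(Packet(remote, web))
    # 2. Unsolicited packet to the public IP on an unmapped port: dropped.
    results["unmapped"] = nat.inbound(Packet(remote, ("203.0.113.5", 80)))
    # 3. After an explicit forward, the same packet reaches 192.168.1.50:80.
    nat.forward_port("tcp", 80, web)
    results["forwarded"] = nat.inbound(Packet(remote, ("203.0.113.5", 80)))
    # 4. Outbound traffic is translated and creates a mapping; the reply (and,
    #    on a full-cone NAT, any other peer hitting that port) gets through.
    results["outbound"] = nat.outbound(Packet(("192.168.1.10", 51000), remote))
    results["reply"] = nat.inbound(Packet(remote, ("203.0.113.5", 40000)))
    results["punched"] = nat.inbound(Packet(("192.0.2.9", 3478), ("203.0.113.5", 40000)))
    # 5. Only an egress firewall policy stops an infected host from calling out.
    nat.egress_allow = {80, 443}
    results["egress_blocked"] = nat.outbound(Packet(("192.168.1.10", 51001), ("198.51.100.7", 6667)))
    results["egress_allowed"] = nat.outbound(Packet(("192.168.1.10", 51001), remote))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:15} -> {'dropped' if outcome is None else outcome}")
```

The model deliberately keeps the translation step and the policy step apart: `inbound` drops anything without a mapping because there is nowhere to send it, which is the "limited firewall" effect, while `outbound` only refuses traffic when an administrator has written an allow-list, which is a firewall decision layered on top of the NAT.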