This is what I was trying to say but couldn't got together correctly :) A great explanation. – The_aLiEn – 2012-07-27T17:52:57.723

1@David Schwartz : it works! I tried it from a different network. thanks:) . In the previous scenario is the connection terminated during tcp handshake itself? one more doubt - in point 3 you said, "The router NATs the destination to the LAN machine, but the source address is unmodified (still the LAN machine that originated the request)." When the packet has reached the router, isn't it the routers responsibility to change the source address at layer three to the public ip address (since this is the function of NAT)? – Ashwin – 2012-07-27T18:14:13.600

1@Ashwin: 1) The TCP handshake will never complete because the source machine will never receive the reply it is expecting. 2) Port forwarding doesn't involve changing the source address, just the destination. When you port forward to a server, the server still sees the unmodified origin IP address for the connections forwarded to it. – David Schwartz – 2012-07-27T19:37:11.073

@DavidSchwartz : I think I am still confused. I am trying to access 74.125.236.165 (public ip of google) from one of the devices (forget the server). In this device, during layer 3 encapsulation, the source ip is 192.168.1.5. This is forwarded to the router (which is the default gateway). The router has to hide this private source address. So it functions as a NAT. Doesn't it change this source ip to the public ip of the router? (hiding many private ip's behind on single public ip) – Ashwin – 2012-07-28T07:43:59.730

@Ashwin: Yes, of course. But we were talking about port forwarding (inside destination), not masquerading (outside destination). Masquerading changes the source but not the destination. Port forwarding changes the destination and not the source. – David Schwartz – 2012-07-28T18:49:40.580

@DavidSchwartz : "Port forwarding (rewriting the destination address) only works from the outside to the inside, not from the inside to the inside" - can u explain this part in the above scenario? – Ashwin – 2012-12-23T06:19:53.693

@Ashwin: For machines from the outside, the server's route to the source IP address already takes the packet back to the router, so the router has an opportunity to NAT the replies. This is not so for machines on the inside. The server's route to inside machines doesn't go through the router, so there's no opportunity for the router to NAT the replies. – David Schwartz – 2013-01-20T16:30:18.287

@DavidSchwartz OKay. So you're on a lan laptop and you want to, for example, SSH to a server you have on your LAN as well. So you try to SSH to your forwarded port saaayy 14522 for 192.168.1.154:22 (port number only being cosmetically named to avoid being the standard port) SO! you hit your public IP (outside interface of the router) on port 14522. Shouldn't it, coming from internal get NATd to a public IP with a source port of whatever, then the get hit on the outside interface at port 14522, forward that packet to the internal IP, and then the interal IP respond back to the public IP on the – PsychoData – 2013-09-24T03:47:53.820

source port. The router gets its response (on another generated port sourced from the server but destined for one more than the source port from the laptops outgoing connection) and then forwards the traffic to the laptop when it gets the response. Then the connection just goes on like normal? Or an I misunderstanding part of how NAT works? – PsychoData – 2013-09-24T03:50:07.817

@PsychoData What you're missing is that the server will send the reply packet (with a private source IP address, since that's all it has) directly to the destination, since it's local. That gives the router no opportunity to change the source address to the public IP address. The router would need to rewrite the source IP address (of the packets going to the server) from the source's local IP address to the router's own IP address, which is a form of dual NAT, not mere port forwarding. – David Schwartz – 2013-09-24T03:52:15.997

@DavidSchwartz but woudnt it do that and be responding to its own public IP? – PsychoData – 2013-09-24T04:37:57.877

@PsychoData The server has no idea what its public IP is. It only has a private IP address assigned to it. – David Schwartz – 2013-09-24T14:03:14.733

@DavidSchwartz right, but wouldn't the request going to the outside interface get NATd and then have a public IP? and then the server (private address though it has) responds to that public IP generated by NAT. This way wouldn't neither know that it was talking to a computer on the same network, but rather to that public IP address from the NAT? – PsychoData – 2013-09-24T17:30:39.530

I'm a bit confused about this because I seem to be doing this exact thing while I'm at my house. But it's working. I'm connecting to a dyndns domain which sends me back to my public IP address and then I connect to my server through the DynDNS domain, which then, I assume, connects back to my same public IP address where my laptop is. Eg. on my laptop I SSH to Psycho@psychodata.no-ip.org:14522 which updates through an update client on the server to my home internet's public IP. Works flawlessly. Isn't this the same thing just with an extra step? – PsychoData – 2013-09-24T17:36:32.227

@PsychoData Yes. Which means your router supports dual NAT, not just port forwarding. If you look at the connections on the server, you'll see the source IP address has been changed to the router's IP address. – David Schwartz – 2013-09-24T23:10:01.107

@DavidSchwartz I dont understand. I cant find anything about "dual NAT" anywhere. I can find stuff about "double" NAT or NAT behind NAT, but not "Dual" Yes, as you said, I see the are from the routers public IP address. But this just seems like my router is working like I would expect ad his isnt. PS. I have a linksys WRT54G plain firmware. – PsychoData – 2013-09-25T04:10:48.147

It just seems weird that the router doesn't nat to the public IP on the way out for the request, and NAT the response coming back, and just forward the ports when something hits on the forwarded ports.

So, SSH to dyndns.address.com:14522, request goes out, gets NATed to public IP, hits router's outer interface on forwarded port, gets forwarded to server, response from server gets NATed, response hits source port from request, source port response goes to the request-er. Connection works as expected? – PsychoData – 2013-09-25T04:11:58.997

@PsychoData Port forwarding does not involve rewriting the source IP address of connections. If your router is rewriting the source IP address of connections and the destination address, then it's doing dual NAT, NAT both before and after routing. – David Schwartz – 2013-09-25T17:53:36.430

I'm saying that shouldn't the router NAT on the way out before it tries any port forwarding? NAT to a public IP, then hit the routers outside interface on the port and get forwarded, same thing on the way back, but with the standard generated source port reply of course – PsychoData – 2013-09-25T18:44:37.387

@PsychoData One can certainly argue that it should, but many routers don't support dual NAT, nor will they NAT connections that both originate and terminate on the LAN side. – David Schwartz – 2013-09-28T02:18:31.707

@DavidSchwartz Where can I read more about NAT vs dual NAT? I'm just confused because I can't find anything about it anywhere. – PsychoData – 2013-09-28T03:29:30.490

@PsychoData RFC 5382 is a good place to start.

I am directly able to access 8080 using 192.168.1.7 (my server's ip). – Ashwin – 2012-07-27T17:25:55.263

see my comment for Srin's first answer. – Ashwin – 2012-07-27T17:30:46.493

This is related to routing then. You can't NAT the 118.x.x.x traffic from the lan interface. http://118.XXX.XXX.XXX:8080/myapp traffic have to arrive from wan interface of the router in order to be NATed and forwarded to your server. Have you tested your server from outside? – The_aLiEn – 2012-07-27T17:40:25.850