NAT involves the translation of source and/or destination IP addresses in the header of an IP packet as it traverses a NAT router. The NAT router simply changes the IP address in the header of the packet according to the configured NAT rules.
Now NAT and routing are two different operations, but when they are both occurring in a network, it can be confusing as to what the role of each is. To help us, let’s take a look at the following diagram:
Notice here that there is a PC connected to an internal enterprise network, which is connected to the NAT router. The NAT router is, in turn, connected to the Internet. The PC wants to communicate with the Web Server. Now remember that routing is applied based on the destination IP found in the header of the IP packet.
The PC will send a packet to the web server using the web server’s IP address as the destination IP. Routing will take place in the LAN based on the destination IP, and the packet will thus be routed to the NAT router. The NAT router will translate the source IP address (that of the PC) to a public IP address. Note that the destination IP has not been changed. The NAT router sends the packet to the next hop router, and the packet is routed through the Internet until it reaches the web server.
Notice that the destination IP did not change for the full extent of the journey from PC to web server. The source IP did change, due to NAT.
Now on the return trip, the destination IP address will be that of the NAT’ed address of the PC, that is, the public address to which the PC’s private address was translated. Routing within the Internet will bring that packet to the NAT router. Once it reaches the NAT router, this address is translated to the private address of the PC. Based on this new destination address, the routing continues as the NAT router sends it into the enterprise network, until it reaches the PC.
So you can see that the routing procedure takes place “on either side of the NAT router” and always uses the destination address of the IP packet. If that destination address doesn’t change (from PC to Server), the routing simply continues. If it does change (Server to PC), then the new destination address is used to continue the routing process.
This is an excellent question, and it depends upon what is known as NAT order of operations. When a packet comes into a NAT router, what is applied first? The translation? ACL filtering? Routing? An excellent document that clearly states which operations are applied when for NAT is the following:
Here you can see for each direction (outside to inside, and vice versa) what takes place. For both directions, input access lists are applied before translation, while output access lists are applied after translation. Take a look at the document for more details.
I hope this has been helpful!
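As an added illustration (example code, not part of the original answer), the following Python model ties the two explanations together: routing looks only at the destination address, the outbound source and the inbound destination are translated, and access lists are checked in the order described (input ACL before translation, output ACL after). The addresses and the one-to-one static mapping are constructed for the walkthrough.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addresses for the walkthrough (not from any real network).
PC, PUBLIC, WEB = "10.0.0.10", "203.0.113.1", "198.51.100.7"

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

# Static one-to-one NAT: private (inside local) <-> public (inside global).
NAT_TABLE = {PC: PUBLIC}
REVERSE_NAT = {v: k for k, v in NAT_TABLE.items()}

# Routing table on the NAT router; routing only ever looks at the destination.
ROUTES = [(ipaddress.ip_network("10.0.0.0/24"), "inside"),
          (ipaddress.ip_network("0.0.0.0/0"), "outside")]

def route(dst):
    """Longest-prefix match on the destination address alone."""
    addr = ipaddress.ip_address(dst)
    best = max((n for n, _ in ROUTES if addr in n), key=lambda n: n.prefixlen)
    return dict(ROUTES)[best]

def nat_router(pkt, ingress, acl_in=None, acl_out=None):
    """Order of operations: input ACL -> translation -> routing -> output ACL.
    ACLs are dicts of interface -> predicate. Returns (egress, packet), or
    None when an access list drops the packet."""
    acl_in, acl_out = acl_in or {}, acl_out or {}
    if ingress in acl_in and not acl_in[ingress](pkt):   # sees pre-NAT addresses
        return None
    if ingress == "inside":      # outbound: source translated, destination untouched
        pkt = Packet(NAT_TABLE.get(pkt.src, pkt.src), pkt.dst)
    else:                        # inbound: public destination translated back to private
        pkt = Packet(pkt.src, REVERSE_NAT.get(pkt.dst, pkt.dst))
    egress = route(pkt.dst)      # routing continues on the (possibly new) destination
    if egress in acl_out and not acl_out[egress](pkt):   # sees post-NAT addresses
        return None
    return egress, pkt

def round_trip(acl_in=None, acl_out=None):
    """PC -> web server and the reply back; shows the packet on each side of NAT."""
    out = nat_router(Packet(PC, WEB), "inside", acl_in, acl_out)
    if out is None:
        return {"outbound": None, "inbound": None}
    reply = Packet(WEB, out[1].src)  # server answers the public address it saw
    return {"outbound": out, "inbound": nat_router(reply, "outside", acl_in, acl_out)}
```

The practical consequence is visible in the inbound direction: an input ACL on the outside interface must permit the public address, because it runs before translation, while an output ACL on the inside interface sees the private address.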