6.7.5.1. Configuring NAT in Application-level Gateway

Before you start NAT configuration you must decide whether you need it at all. If you only need traffic redirection, for example to a Web server in your DMZ, routers may serve your needs. By default, Application-level Gateway uses its own IP address (the one bound to the corresponding adapter) as the source address for all connections leaving it in any direction, unless the Use client address as source router option is set, in which case the original client IP address is used. Consequently, NAT may not be absolutely necessary.

Note

Configuring SNAT Policy for a Service automatically enables the Use client address as source router function, so during SNAT the client's address is used, not the firewall's.

Unlike in firewall-less network configurations, where NAT is a universal setting for all clients communicating with any protocol, in Application-level Gateway different traffic can be NATed differently, because NAT configurations are linked to services. It can happen that outgoing HTTP traffic is SNATed to a single public IP address, SQL traffic from the same network is not SNATed at all, and FTP download traffic is SNATed to a separate NAT pool.
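The per-service behaviour described above, as an added model that is not Application-level Gateway's own configuration API: each service carries its own optional SNAT pool, an SNAT policy implies the client-address router function, and a service without either falls back to the gateway's own address. The service names, addresses and the subnet-preserving pool mapping are constructed for this example.

```python
# Added illustration of service-bound NAT decisions; the names and the
# pool-mapping format are constructed for this example, not the gateway's API.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional

FIREWALL_ADDR = ip_address("203.0.113.1")  # the gateway's own address (constructed)


@dataclass
class NatPool:
    """SNAT mapping: clients inside `src` are rewritten into `pool`, keeping host bits."""
    src: IPv4Network
    pool: IPv4Network

    def translate(self, client: IPv4Address) -> IPv4Address:
        if client not in self.src:
            raise ValueError(f"{client} is outside the SNAT source range {self.src}")
        offset = int(client) - int(self.src.network_address)
        # a /32 pool collapses every client onto one public address
        return self.pool.network_address + (offset % self.pool.num_addresses)


@dataclass
class Service:
    name: str
    use_client_address: bool = False      # "Use client address as source" router option
    snat_policy: Optional[NatPool] = None  # NAT is attached to the service, not global

    def source_address(self, client: str) -> IPv4Address:
        addr = ip_address(client)
        if self.snat_policy is not None:
            # an SNAT policy enables the client-address function, then rewrites it
            return self.snat_policy.translate(addr)
        if self.use_client_address:
            return addr
        return FIREWALL_ADDR


# Constructed services: same client network, three different NAT outcomes.
SERVICES = {
    "http": Service("http", snat_policy=NatPool(ip_network("10.0.0.0/8"), ip_network("198.51.100.7/32"))),
    "sql": Service("sql"),
    "ftp": Service("ftp", snat_policy=NatPool(ip_network("10.0.0.0/8"), ip_network("198.51.100.16/28"))),
    "mail": Service("mail", use_client_address=True),
}


def outbound_source(service_name: str, client: str) -> str:
    """Return the source address the gateway would use for this service's connection."""
    return str(SERVICES[service_name].source_address(client))
```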