NAT stands for Network Address Translation. When an internal user tries to go out to the Internet, we intercept the session request at the firewall and set up a session to the requested server from the firewall itself instead of from the user, using the firewall's external address instead of the user's internal address. If that succeeds, we acknowledge the user's session request and start the session. The user's session actually runs only to the firewall and does not go external.
In the firewall we keep a state table and a mapping for each session so that we can switch users' requests forward and backward across the firewall. This ensures that nothing gets into the internal network that was not first requested from inside, and we do not allow external sessions to be initiated at all.
An added benefit of NAT is that all your users get mapped to a single external address, so you can use any addressing scheme and any number of addresses internally without using up scarce Internet IP address space.
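
The state table described above, as an added sketch that is not taken from any firewall product: it maps every internal session to the one external address and forwards inbound traffic only when it matches a session that was requested from inside. The addresses are constructed, and using port numbers to tell sessions apart is an assumption of this sketch.

```python
from typing import NamedTuple, Optional

EXTERNAL_IP = "203.0.113.1"   # constructed: the firewall's single external address


class Packet(NamedTuple):
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatFirewall:
    def __init__(self, external_ip: str = EXTERNAL_IP, first_port: int = 40000):
        self.external_ip = external_ip
        self.next_port = first_port
        self.out_map = {}   # (int_ip, int_port, srv_ip, srv_port) -> external port
        self.in_map = {}    # (ext_port, srv_ip, srv_port) -> (int_ip, int_port)

    def outbound(self, pkt: Packet) -> Packet:
        """Internal user -> Internet: present the firewall's external address."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        ext_port = self.out_map.get(key)
        if ext_port is None:            # new session: create the state entry
            ext_port = self.next_port
            self.next_port += 1
            self.out_map[key] = ext_port
            self.in_map[(ext_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.external_ip, ext_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> inside: forward only replies to sessions requested from inside."""
        if pkt.dst_ip != self.external_ip:
            return None
        owner = self.in_map.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if owner is None:
            return None                 # no state entry: externally initiated, dropped
        return Packet(pkt.src_ip, pkt.src_port, owner[0], owner[1])


if __name__ == "__main__":
    fw = NatFirewall()
    out = fw.outbound(Packet("10.0.0.5", 51000, "198.51.100.7", 80))
    print("server sees:", out)
    print("reply goes to:", fw.inbound(Packet("198.51.100.7", 80, EXTERNAL_IP, out.src_port)))
    print("unsolicited:", fw.inbound(Packet("192.0.2.99", 4444, EXTERNAL_IP, 22)))
```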

What is NAT