Think of a computer as an apartment building, where every service is an apartment. The house has an address (white IP) and apartment numbers (ports). Sending a letter to such a house is very simple, just indicate the address and apartment.
Now let's take a microdistrict, fence it with a wall with a checkpoint, make internal (gray) addresses of houses in it, unknown from the outside, and leave known (white) only the address of the microdistrict itself. It is obvious that the address of the microdistrict and the number of the apartment is not enough for the letter to get to the address. There is an option when all letters are sent to one specific house (DMZ), there is redirection (port mapping), when a letter that has arrived in a microdistrict indicating a certain apartment is redirected from the checkpoint to a predetermined house / apartment.
If we write a letter from the microdistrict to the outside, then at the checkpoint (NAT) they remember the address / apartment of the sender and the recipient, and all letters coming to the microdistrict from the address of the recipient are forwarded to the sender of the original letter.

I will add to the answer above that NAT is just a table of correspondence between source and destination addresses and ports. Nat does not provide any protection - it can be "punched" from the outside through any port opened by it, so it does not cancel the presence of a configured firewall.

For a very simple reason - it was written for this :) There are not so many IP addresses in the world (v4, of course), and there are many more devices that need it. Therefore, firstly:
- the provider will give you a maximum of 1 white IP (everything else is for money)
- in the internal network you will have addresses like 192.168
.
.55.66 (there is such an address, this is Yandex :) )
- a router that is connected to the provider replaces the source address in the packet with the white IP issued by the provider and remembers this
- the packet in which the source address is the provider's white IP reaches Yandex, Yandex sends a response, the packet is returned to the router
- the router, remembering what and where it changed, changes the destination address in the received packet to 192.168.1.1 and sends the packet to the device.
There is no way to get access to 192.168.1.1 from an external network, because any router simply cuts off such packets, although sometimes providers violate RFC and arrange "striped" Internet in their local area, when 192.168.1.1 from the same network can access, say, 172.16. 1.1 on another network

The client sends a request to the server through the router (nat is the same) The
router sees the source and destination addresses, and replaces the source address (which is for nat, gray) with its own (white)
Server sends a response to the router's address, because the request was from him. the router again replaces the destination address from its back to gray and sends the PC

There are different types of nats masquerading, semantic nat, and so on, the semantic is the most crap and impenetrable