Quick answer: NAT (Network Address Translation) translates private IP addresses to public ones for internet access. PAT (Port Address Translation) extends this by multiplexing many private addresses to a single public IP using unique port numbers. On the CCNA exam, the biggest trap is confusing inside local (the private IP seen inside your network) with inside global (the public IP seen on the internet). Master these four terms, and you'll ace NAT questions.
Why NAT and PAT Matter for the CCNA Exam
The CCNA exam tests your ability to configure and troubleshoot NAT and PAT on Cisco IOS routers. These technologies are essential for conserving public IPv4 addresses and securing internal networks. You'll encounter multiple-choice questions, drag-and-drop scenarios, and simulation labs where you must apply NAT/PAT to real-world topologies.
NAT and PAT are not just theory—they are daily tools for network engineers. Understanding them deeply means you can design scalable networks and pass the exam on your first attempt. The key is to separate the terminology from the configuration.
Static NAT: One-to-One Mapping
Static NAT creates a permanent mapping between a private IP address and a public IP address. It's used when an internal device must always be reachable from the internet, such as a web server or email server.
Configuration example on a Cisco router:
ip nat inside source static 192.168.1.10 203.0.113.10
- ip nat inside source static: defines a static translation from inside to outside
- 192.168.1.10: the inside local (private) address
- 203.0.113.10: the inside global (public) address
You must also apply NAT on the interfaces:
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 ip address 203.0.113.1 255.255.255.0
 ip nat outside
Exam tip: Static NAT requires both an inside and outside interface. Forgetting ip nat inside or ip nat outside is a common mistake.
Dynamic NAT: Pool-Based Translation
Dynamic NAT maps private addresses to public addresses from a pool on a first-come, first-served basis. When the pool is exhausted, additional internal hosts cannot reach the internet.
Configuration example:
ip nat pool MYPOOL 203.0.113.20 203.0.113.30 netmask 255.255.255.0
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 pool MYPOOL
- ip nat pool: defines the public IP range
- access-list 1: identifies which private addresses are eligible for translation
- ip nat inside source list 1 pool MYPOOL: ties the ACL to the pool
Limitation: Dynamic NAT does not scale. If you have 100 internal hosts but only 10 public IPs, only 10 can be online simultaneously. This is where PAT becomes critical.
PAT (NAT Overload): Many-to-One Translation
PAT, also called NAT overload, maps multiple private IP addresses to a single public IP address by differentiating traffic with unique source port numbers. This is the most common form of NAT used in home and enterprise networks.
Configuration example:
ip nat pool MYPOOL 203.0.113.20 203.0.113.20 netmask 255.255.255.0
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 pool MYPOOL overload
The keyword overload enables PAT. Alternatively, you can use the router's outside interface IP directly:
ip nat inside source list 1 interface GigabitEthernet0/1 overload
How PAT works:
- Host A (192.168.1.10:12345) → Router → 203.0.113.1:12345
- Host B (192.168.1.11:12345) → Router → 203.0.113.1:54321 (port changed)
- The router maintains a translation table to map return traffic back to the correct host.
Exam tip: PAT is the default for most networks. The overload keyword is mandatory—without it, you get dynamic NAT, not PAT.
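The translation table described under "How PAT works", modelled in Python as an added example (not Cisco's implementation and not from the original page). The class name and the port-selection rule (keep the host's source port when it is free, otherwise take the lowest free port) are assumptions made for illustration, so Host B's translated port differs from the 54321 used in the walkthrough.

```python
import itertools

class PatRouter:
    """Toy PAT table: many inside local sockets share one inside global IP."""

    def __init__(self, inside_global_ip, first_port=1024, last_port=65535):
        self.ip = inside_global_ip
        self.port_range = (first_port, last_port)
        self.out = {}    # (proto, inside local ip, port) -> inside global port
        self.back = {}   # (proto, inside global port) -> (inside local ip, port)

    def _pick_port(self, proto, wanted):
        # Assumed rule: reuse the original source port if free, else next free port.
        lo, hi = self.port_range
        for port in itertools.chain([wanted], range(lo, hi + 1)):
            if lo <= port <= hi and (proto, port) not in self.back:
                return port
        raise RuntimeError("port space exhausted for " + proto)

    def outbound(self, proto, src_ip, src_port):
        """Translate inside local -> inside global, creating an entry if needed."""
        key = (proto, src_ip, src_port)
        if key not in self.out:
            port = self._pick_port(proto, src_port)
            self.out[key] = port
            self.back[(proto, port)] = (src_ip, src_port)
        return (self.ip, self.out[key])

    def inbound(self, proto, dst_port):
        """Map return traffic to the inside host; None means no entry, so drop."""
        return self.back.get((proto, dst_port))

def demo():
    r = PatRouter("203.0.113.1")
    a = r.outbound("tcp", "192.168.1.10", 12345)   # Host A keeps its port
    b = r.outbound("tcp", "192.168.1.11", 12345)   # Host B collides, port changes
    reply_to_b = r.inbound("tcp", b[1])            # return traffic finds Host B
    unsolicited = r.inbound("tcp", 443)            # no inside host opened this
    return a, b, reply_to_b, unsolicited

if __name__ == "__main__":
    print(demo())
```

The unsolicited lookup returning no entry is the behaviour behind the "port forwarding needed" cell in the comparison table.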
The Big Exam Trap: Inside/Outside Local/Global Terminology
This is the most confusing topic for CCNA candidates. Memorize this table:
| Term | Definition | Example |
|---|---|---|
| Inside Local | The IP address of an inside host as seen from inside the network | 192.168.1.10 |
| Inside Global | The IP address of an inside host as seen from outside the network | 203.0.113.10 |
| Outside Local | The IP address of an outside host as seen from inside the network | 10.0.0.1 |
| Outside Global | The IP address of an outside host as seen from outside the network | 198.51.100.2 |
Mnemonic: "Local = my network, Global = internet view. Inside = my devices, Outside = remote devices."
Common exam question: "What is the inside local address for host A?" Answer: 192.168.1.10 (the private address). "What is the inside global address?" Answer: 203.0.113.10 (the translated public address).
Verification and Troubleshooting Commands
Use these Cisco IOS commands to verify NAT/PAT operations:
show ip nat translations
show ip nat statistics
debug ip nat
clear ip nat translation *
show ip nat translations displays the current translation table. For PAT, you'll see multiple entries with different ports. show ip nat statistics shows hit counts and pool utilization.
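Reading that table by column is where the four address terms become concrete. The following added example (not from the original page) parses a constructed sample in the column layout of show ip nat translations and separates one-to-one entries from PAT entries; the function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample using this page's addresses; not captured from a real router.
SAMPLE = """\
Pro Inside global      Inside local       Outside local      Outside global
--- 203.0.113.10       192.168.1.10       ---                ---
tcp 203.0.113.1:12345  192.168.1.10:12345 8.8.8.8:53         8.8.8.8:53
tcp 203.0.113.1:54321  192.168.1.11:12345 8.8.8.8:53         8.8.8.8:53
"""

FIELDS = ("proto", "inside_global", "inside_local", "outside_local", "outside_global")

def parse_translations(text):
    """Return one dict per translation row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] != "Pro":
            rows.append(dict(zip(FIELDS, parts)))
    return rows

def host(addr):
    """Strip the :port suffix that PAT entries carry."""
    return addr.split(":")[0]

def one_to_one(rows):
    """Entries with no protocol or port: a whole inside global IP maps to one host."""
    return [(r["inside_global"], r["inside_local"]) for r in rows if r["proto"] == "---"]

def shared_globals(rows):
    """Inside global IP -> sorted inside local hosts multiplexed behind it by PAT."""
    shared = defaultdict(set)
    for r in rows:
        if r["proto"] != "---":
            shared[host(r["inside_global"])].add(host(r["inside_local"]))
    return {ip: sorted(hosts) for ip, hosts in shared.items()}

if __name__ == "__main__":
    rows = parse_translations(SAMPLE)
    print("one-to-one:", one_to_one(rows))
    print("shared by PAT:", shared_globals(rows))
```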
Troubleshooting checklist:
- Are interfaces configured with ip nat inside and ip nat outside?
- Is the ACL correct? (Remember: ACLs permit traffic for translation)
- For PAT, is the overload keyword present?
- Are routes in place for return traffic?
Comparison: Static NAT vs Dynamic NAT vs PAT
| Feature | Static NAT | Dynamic NAT | PAT |
|---|---|---|---|
| Public IP usage | 1:1 (dedicated) | n:m (pool) | n:1 (shared) |
| Scalability | Low | Medium | High |
| Internet access from inside | Yes | Yes | Yes |
| Inbound access to internal hosts | Yes (fixed mapping) | No (unless manually added) | No (port forwarding needed) |
| Configuration complexity | Low | Medium | Medium |
| CCNA exam frequency | Moderate | Low | High |
10 CCNA NAT PAT Practice Questions
Test your understanding with these exam-style questions. Answers follow.
What is the inside global address of a host with inside local 10.0.0.5 configured with static NAT to 203.0.113.5?
- A) 10.0.0.5
- B) 203.0.113.5
- C) 10.0.0.1
- D) 203.0.113.1
Which command enables PAT using the outside interface?
- A) ip nat inside source list 1 pool MYPOOL
- B) ip nat inside source list 1 interface GigabitEthernet0/1 overload
- C) ip nat inside source static 10.0.0.1 203.0.113.1
- D) ip nat outside source list 1 pool MYPOOL
How many inside local hosts can be translated with PAT using one public IP?
- A) 1
- B) 65535
- C) Unlimited (limited by port numbers)
- D) 254
An inside host at 192.168.1.10 sends a packet to 8.8.8.8. The router translates it to 203.0.113.1:12345. What is the inside global address?
- A) 192.168.1.10
- B) 203.0.113.1:12345
- C) 203.0.113.1
- D) 8.8.8.8
Which keyword is required to convert dynamic NAT into PAT?
- A) overload
- B) pat
- C) multiplex
- D) port
What does show ip nat translations display?
- A) Routing table entries
- B) Current NAT translation table
- C) Interface IP addresses
- D) ACL list
An outside host at 198.51.100.2 sends a packet to 203.0.113.10. The router translates it to 192.168.1.10. What is the outside global address?
- A) 198.51.100.2
- B) 203.0.113.10
- C) 192.168.1.10
- D) 10.0.0.1
Which command clears all dynamic NAT translations?
- A) clear ip nat translation *
- B) clear ip route *
- C) clear nat all
- D) delete ip nat translation *
What happens when a dynamic NAT pool is exhausted?
- A) New hosts are dropped
- B) New hosts use PAT automatically
- C) New hosts use static NAT
- D) Router crashes
Which interface configuration is mandatory for NAT to work?
- A) ip nat inside on one interface, ip nat outside on another
- B) ip nat on all interfaces
- C) ip nat enable on the WAN interface
- D) ip nat global on the LAN interface
Answers:
- B (203.0.113.5 is the inside global)
- B (PAT with interface overload)
- C (up to ~65,000 simultaneous translations per public IP)
- C (the public IP without port is the inside global)
- A (overload)
- B (translation table)
- A (198.51.100.2 is the outside global—the real IP of the remote host)
- A (clear ip nat translation *)
- A (new hosts are dropped—no translation available)
- A (inside and outside interfaces must be defined)
Key Takeaway
NAT and PAT are foundational for IP connectivity and security. On the CCNA exam, focus on:
- Terminology: Inside local vs inside global is the most tested concept.
- Configuration: Know the ip nat inside source commands for static, dynamic, and PAT.
- Verification: Use show ip nat translations to confirm your config.
The difference between static NAT and PAT is simple: static is permanent one-to-one; PAT is dynamic many-to-one. Master this, and you'll handle any NAT question.