IP services and securityIntermediate41 min read

What Is NAT overload? Security Definition

Reviewed byJohnson Ajibi· Senior Network & Security Engineer · MSc IT Security

This page mentions older exam versions. See the Current Exam Context and Legacy Exam Context sections below for the updated mapping.

On This Page

Quick Definition

NAT overload lets multiple computers in your home or office connect to the internet using just one public IP address. It works by giving each device a different port number for its traffic so the router can keep track of who sent what. This is what makes it possible for everyone in a household to browse the web at the same time without needing multiple internet subscriptions.

Common Commands & Configuration

ip nat inside source list 1 interface GigabitEthernet0/0 overload

Configures NAT overload on a Cisco router to translate traffic matching ACL 1 to the IP address of the outside interface GigabitEthernet0/0, using port multiplexing.

CCNA exam: Tests understanding that the 'overload' keyword enables PAT. Without it, it would be one-to-one dynamic NAT which would require multiple public IPs.

access-list 1 permit 192.168.1.0 0.0.0.255

Standard ACL that matches traffic from the 192.168.1.0/24 network to be translated by the NAT overload configuration.

Network+ exam: Often given in a troubleshooting scenario where the ACL is misconfigured, causing only part of the network to have internet access.

show ip nat translations

Displays the current NAT translation table, showing inside local, inside global, outside local, and outside global addresses and ports.

CCNA and Security+: Used to verify active translations and to identify if translation is occurring. Missing entries indicate a configuration error.

clear ip nat translation *

Clears all dynamic NAT translations from the translation table, forcing new translations to be created for subsequent traffic.

Troubleshooting technique if translations are stuck or if port exhaustion is suspected. Resets all sessions abruptly.

ip nat inside source list 100 pool MYPOOL overload

Configures NAT overload using a defined pool of public IP addresses named MYPOOL, where the ACL 100 defines which private addresses are eligible.

CCNA: Tests the concept of using multiple public IPs for PAT to scale beyond 65,535 ports. Understand pool configuration syntax.

ip nat inside source static tcp 192.168.1.10 80 203.0.113.5 8080 extendable

Creates a static NAT overload entry for inbound mapping of public IP port 8080 to internal host port 80, using the extendable keyword to allow dynamic PAT also.

Security+: This allows inbound access to a specific service while still using PAT for other traffic. The 'extendable' keyword is important for mixing static and dynamic NAT.

show running-config | include ip nat inside source

Filters the running configuration to show only NAT source translation commands, useful for verifying that overload is enabled.

Network+ and AZ-104 (equivalent in Azure CLI): Quick verification command. In Azure, equivalent would be 'az nat gateway show'.

NAT overload appears directly in 23exam-style practice questions in Courseiva's question bank — one of the most-tested concepts on CompTIA Security+. Practise them →

Must Know for Exams

NAT overload appears heavily across multiple certification exams because it is a foundational networking concept. In the CompTIA Network+ (N10-008) exam, NAT overload falls under Objective 1.3 'Explain the concepts and characteristics of routing and switching' and Objective 1.5 'Compare and contrast common network configuration concepts.' Expect multiple-choice questions that ask you to identify the purpose of NAT, the difference between static NAT and PAT, or the number of public IPs needed for a given private network.

For the CCNA (200-301), NAT overload is a core topic in the 'IP Connectivity' and 'IP Services' sections. You must be able to configure NAT overload on Cisco IOS routers, verify NAT translations with 'show ip nat translations', and troubleshoot NAT issues. The exam may present a topology and ask you to determine why certain hosts cannot reach the internet. You need to understand inside local, inside global, outside local, and outside global address terminology clearly.

In CompTIA Security+ (SY0-601), NAT overload appears under Objective 3.3 'Given a scenario, implement secure network architectures and design.' While Security+ does not test configuration commands, it tests your understanding of how NAT overload provides Network Address Translation as a security control. Questions may compare NAT overload to static NAT or ask about the security benefits of hiding internal addresses.

The AWS Solutions Architect Associate (SAA-C03) exam tests NAT overload in the context of AWS NAT Gateways and NAT Instances. You must know that a NAT Gateway allows private subnets to initiate outbound traffic to the internet while preventing inbound traffic from the internet. The exam often asks which configuration is more highly available (NAT Gateway vs. NAT Instance) or how to route traffic through a NAT device.

The Azure AZ-104 exam covers NAT overload under 'Configure and manage virtual networking', specifically Azure NAT Gateway. You should know how to associate a NAT Gateway with a subnet, and understand that it uses port address translation to allow multiple VMs to share a single public IP.

The Google ACE exam covers Cloud NAT, which is Google's implementation of NAT overload. Questions may involve configuring Cloud NAT to allow private GKE nodes to access the internet without public IPs.

For CompTIA A+ (220-1101), NAT overload is light supporting knowledge. You should know that home routers use NAT to share a single ISP address among multiple devices, and that NAT can cause issues with some applications like online gaming or VPN connections.

Simple Meaning

Imagine your apartment building has only one street address. Every package that arrives is dropped at the front desk, and the front desk has to figure out which resident gets each package. The front desk does this by writing a note on each package that says 'Apartment 3B' or 'Apartment 5A.' Without those notes, all the packages would be piled together and nobody would know what belongs to whom.

NAT overload works exactly like that front desk. Your home router has one public IP address, that is the street address for your whole network. Every time your laptop, phone, gaming console, or smart TV wants to connect to a website or app, the router grabs that request, writes a unique note on it (the port number), and sends it out over the one public IP address. When the website sends data back, it comes to the same public IP address, and the router checks the note to see which device should get that data.

This is incredibly useful because the internet is running out of unique addresses. Without NAT overload, every device would need its own public IP address, which would be expensive and wasteful. With NAT overload, thousands of devices can share a single public address as long as the router can tell them apart by the port numbers.

The key detail is that NAT overload does not just translate addresses, it also translates port numbers. That is why it is sometimes called 'Port Address Translation' or PAT. The router keeps a table, like a log book, that maps each private IP address and its private port to the public IP address and a unique public port. This table is updated constantly as connections open and close.

One important limitation is that NAT overload changes the original source port and source IP address of each packet. That means if you run a server from your home network that needs to accept incoming connections from the internet, you have to set up special rules called port forwarding. Without those rules, the router will have no idea which device should receive an unsolicited incoming connection, because the incoming packet does not have a matching entry in the NAT table.

Full Technical Definition

NAT overload, also known as Port Address Translation (PAT) or NAT with port address translation, is a specific form of Network Address Translation defined in RFC 2663 and RFC 3022. It is the most common implementation of NAT found in consumer routers and enterprise edge devices. The core mechanism involves translating both the source IP address and the source port number of outgoing packets, allowing multiple internal hosts to simultaneously share a single external IP address.

In standard NAT (sometimes called dynamic NAT), a router maps one private IP address to one public IP address from a pool. If the pool has five public addresses, only five internal hosts can be online at the same time. NAT overload eliminates this limitation by using the transport layer port field as an additional identifier. Since port numbers range from 1 to 65535, and many ports are reserved for specific services, a single public IP address can theoretically support tens of thousands of simultaneous connections from different internal hosts.

When an internal host sends a packet to an external destination, the NAT overload process begins. The router receives the packet with a source IP from the private address space (such as 192.168.1.10) and a source port (such as 12345). The router selects a public IP address from its configured pool-in most home networks, this is the single public IP assigned by the ISP. It then selects an available public source port number, often from a range above 1024 to avoid well-known ports. The router rewrites the packet header: it replaces the source IP with the public IP and the source port with the newly chosen public port. It then records this mapping in an entry in the NAT translation table. The entry includes the original source IP and port, the translated source IP and port, the destination IP and port, and a timestamp.

When the response packet returns from the external destination, the router looks at the destination IP and port in the incoming packet. It searches the NAT table for a matching entry where the public IP and public port correspond to a mapping. If a match is found, the router reverses the translation: it rewrites the destination IP back to the original private IP and the destination port back to the original private port. The packet is then forwarded to the correct internal host.

NAT overload operates at the network layer (Layer 3) and transport layer (Layer 4) of the OSI model. It modifies IP headers and TCP/UDP headers. Protocols that embed IP addresses or port numbers inside the payload, such as FTP, SIP, or H.323, can break under NAT overload because the router does not translate the payload. To handle these, Application Layer Gateways (ALGs) are often used in conjunction with NAT to inspect and modify the payload content appropriately.

The NAT table size is a critical resource. Each active connection occupies one entry. Consumer routers typically support a few thousand entries, while enterprise firewalls can handle hundreds of thousands. When the table is full, new connections are dropped until some entries expire. Timeout values vary: TCP connections typically timeout after 24 hours of inactivity or 2–4 minutes for half-open connections; UDP sessions have shorter timeouts, often 30–60 seconds.

NAT overload is not stateless. It requires the router to maintain state information for every active session. This introduces a single point of failure, complicates high-availability designs, and can degrade performance under heavy load due to table lookup overhead. Because NAT overload modifies packets, it breaks end-to-end transparency as originally envisioned for the Internet Protocol. Some advanced protocols, like IPsec, may require special configuration or encapsulation to function correctly through NAT overload.

For IPv6, NAT overload is generally unnecessary because IPv6 provides enough public addresses for every device. However, some organizations still use NAT overload with IPv6 for security or policy reasons, though this is controversial and often discouraged in IPv6 best practices.

Real-Life Example

Think about a large office building with a single main switchboard phone number. When an employee calls a client, the call goes through the switchboard, and the switchboard operator puts the call through. The client sees only the main switchboard number on their caller ID. When the client calls back, they dial the main number, and the operator asks for the extension, but the client might not know the extension because they were just returning a missed call. That is exactly the problem NAT overload solves by tracking which internal extension made each call.

Now let’s expand the analogy to a busy pizza restaurant with one phone line and multiple delivery drivers. Every time a customer calls to order, the receptionist answers and yells out to whichever driver is available. The driver goes out, delivers the pizza, and the customer pays. But the customer does not have the driver's personal phone number, they only have the restaurant's number. If the customer wants to call back to complain about the delivery, they call the restaurant number, and the receptionist has to figure out which driver handled that order. The receptionist might ask for the delivery address or the time of delivery to match it up.

In this scenario, the restaurant's single phone number is your public IP address. Each driver is a device on your network. The receptionist is the router performing NAT overload. The delivery address or the time stamp is the port number, it is the detail that helps the receptionist match the callback to the correct driver.

If the restaurant had no receptionist, each driver would need their own phone number. That is like every device needing its own public IP address, expensive and impractical. The receptionist system works because the restaurant can get by with one number, as long as the receptionist is good at keeping notes. But if the receptionist gets confused and gives a callback to the wrong driver, that driver might show up at the wrong house, analogous to a NAT table corruption or port conflict.

The pizza restaurant analogy also highlights a limitation: if a new customer calls the restaurant without having ordered before, the receptionist has no idea which driver should handle that call because no driver has been assigned to that incoming request yet. That is exactly why incoming connections from the internet fail without port forwarding, the router has no entry in the NAT table for that unsolicited traffic.

Why This Term Matters

NAT overload is one of the most critical technologies that makes the modern consumer internet work. Without it, ISPs would need to assign a public IP address to every smartphone, laptop, tablet, smart TV, thermostat, and gaming console in every household. The IPv4 address space, which contains only about 4.3 billion addresses, ran out years ago. NAT overload allows billions of devices to share a much smaller pool of public addresses, effectively extending the life of IPv4 until global adoption of IPv6 becomes universal.

For IT professionals, understanding NAT overload is essential for network troubleshooting, firewall configuration, and security analysis. When a user reports that they cannot access an external service, the problem is often related to how their router handles NAT overload, perhaps the NAT table is full, or a specific application is not compatible with the port translation. Knowing how NAT overload works helps a technician identify whether the issue is on the client side, the network edge, or the server side.

In enterprise environments, NAT overload is part of the broader category of source NAT used in firewalls and routers. Security professionals rely on NAT overload to hide internal IP addresses from external networks, adding a layer of obscurity. While this is not true security, it does not prevent attacks, it makes it harder for an external attacker to map the internal network structure. Many compliance frameworks also require address translation as part of network segmentation controls.

NAT overload also has implications for application compatibility. Voice over IP (VoIP), video conferencing, online gaming, peer-to-peer file sharing, and VPNs all interact with NAT overload in specific ways. Understanding these interactions is the difference between a network that works and one that mysteriously fails for certain applications.

How It Appears in Exam Questions

Multiple-choice definition questions: These are the most straightforward. The exam presents four definitions and asks you to select the one that describes NAT overload. The distractors might describe static NAT, dynamic NAT, or a completely unrelated concept. The key is to remember that NAT overload involves port translation, which is what differentiates it from simple one-to-one NAT.

Scenario-based design questions: You are given a network topology diagram with a router, several internal hosts in a private IP range, and a single public IP on the external interface. The question asks what NAT method would allow all internal hosts to reach the internet. The correct answer is NAT overload. A variation might ask how many public IPs are needed for 50 internal hosts, the answer is one, if using NAT overload.

Troubleshooting questions: A user reports that they can browse the web but cannot play an online multiplayer game. The game console has a 'strict NAT type' message. The question asks what the likely cause is. The answer could be that the router's NAT overload table is not handling the game's UDP traffic correctly, or that port forwarding is needed. Another troubleshooting scenario: a small business has a single public IP and 30 employees. One employee is transferring a large file via FTP and others complain that internet access is slow. The question might ask what is happening, the answer could be that the FTP transfer is consuming many NAT table entries or that the NAT overload is running out of ports.

Configuration verification questions: In CCNA-style questions, you might be shown the output of 'show ip nat translations' with multiple entries showing the same inside global IP address but different ports. The question asks which NAT type is in use. The answer is NAT overload. Or you might be asked to identify the missing command in a configuration snippet, for example, 'ip nat inside source list 1 interface GigabitEthernet0/0 overload', and the word 'overload' is the critical keyword.

Comparison questions: The exam asks for a difference between static NAT and NAT overload. Static NAT maps one private IP to one public IP permanently, while NAT overload maps many private IPs to one public IP using port numbers. Or between NAT overload and dynamic NAT, dynamic NAT uses a pool of public IPs but still maps one-to-one, while NAT overload uses one IP with ports.

Cloud-specific scenario questions: In AWS or Azure exams, you might be asked to choose between a NAT Gateway and an Internet Gateway. The trick is that an Internet Gateway allows both inbound and outbound traffic, while a NAT Gateway (NAT overload) only allows outbound traffic initiated from the private subnet. Another common question: a company wants to minimize costs while allowing instances in private subnets to download patches from the internet. You would choose a NAT Gateway over a NAT Instance because NAT Gateway is a managed service and more cost-effective for intermittent traffic.

Practise NAT overload Questions

Test your understanding with exam-style practice questions.

Practise

Example Scenario

A small accounting firm has 20 employees, each with a desktop computer. The office network uses the private IP range 192.168.1.0/24. The internet connection provides only one public IP address: 203.0.113.50. The office router is configured with NAT overload.

When employee Alice opens her browser and navigates to www.example.com, her computer sends a packet with source IP 192.168.1.10 and source port 33000. The router receives this packet, changes the source IP to 203.0.113.50 and changes the source port to 40001. It records this mapping in the NAT table: inside local 192.168.1.10:33000 to inside global 203.0.113.50:40001.

At nearly the same time, employee Bob opens a different website. His computer sends a packet from 192.168.1.20:33002. The router translates it to 203.0.113.50:40002 and adds another entry.

Meanwhile, employee Carol is using an online accounting application that opens five simultaneous connections. The router creates five entries, each with a different public port, all mapped to Carol's IP 192.168.1.30.

When the responses arrive at the router, the router checks the destination port. A packet destined for 203.0.113.50:40001 is translated back to 192.168.1.10:33000 and forwarded to Alice. A packet for 203.0.113.50:40002 goes to Bob. The five packets for ports 40003–40007 all go to Carol's computer, and Carol's computer can handle them because each connection has a different port and destination.

This all happens in milliseconds. The employees never notice that they are sharing a single public IP. But if one employee decides to run a file-sharing server that expects incoming connections on port 6881, that server will not work because no connection request from the internet will have an existing NAT table entry. The router will drop the incoming packet. To fix this, the firm's IT administrator would need to configure port forwarding on the router to manually map port 6881 to that employee's private IP address.

Common Mistakes

Thinking that NAT overload is the same as a firewall that blocks incoming connections.

NAT overload does not block traffic by policy; it simply has no way to forward unsolicited incoming packets because no mapping exists in the NAT table. A firewall actively drops traffic based on rules. The result (no incoming connection) looks similar, but the mechanism is different.

Understand that NAT overload is about address translation, not access control. Firewalls enforce security policies, while NAT overload just does translation. If you want to block incoming traffic, use a firewall; if you want to allow it through NAT, use port forwarding.

Believing that NAT overload provides true security by hiding internal IP addresses.

While NAT overload does hide internal IP addresses from external hosts, this is not a security control. If an attacker gains access to an internal host through a vulnerability, NAT overload does not prevent lateral movement or data exfiltration. True security requires firewalls, intrusion prevention systems, and proper access controls.

Treat NAT overload as a convenience that conserves IP addresses, not as a security mechanism. Always layer additional security controls on top of NAT.

Assuming NAT overload is compatible with all applications and protocols.

Applications that embed IP addresses or port numbers in the payload, such as FTP active mode, SIP, and some streaming protocols, will fail under NAT overload unless an ALG is configured. Also, protocols like IPsec with AH mode are broken by NAT because the integrity check covers the source IP, which gets changed.

When deploying NAT overload, test all critical applications. For incompatible protocols, consider using static NAT, ALGs, or a VPN that encapsulates the traffic before it hits the NAT.

Confusing NAT overload with static NAT and thinking both require port forwarding.

NAT overload does not require port forwarding for outbound connections; it automatically creates mappings. Port forwarding is only needed for inbound connections to a specific internal server. Static NAT (one-to-one mapping) does allow inbound connections without port forwarding, because the mapping is permanent and bidirectional.

Remember: outbound connections with NAT overload work automatically. Inbound connections require manual port forwarding. Static NAT allows inbound connections without port forwarding because the mapping is permanent.

Thinking that the NAT table stores only IP addresses and not port numbers.

A NAT overload table must include both the translated IP and the translated port number for each entry. Without the port number, the router could not distinguish which internal host sent a particular packet when multiple hosts share the same public IP.

When visualizing the NAT table, always include the port number as part of the key. The combination {public IP, public port} uniquely identifies each session.

Believing that NAT overload can be used with IPv6 in the same way as with IPv4.

IPv6 was designed to provide enough global addresses for every device, eliminating the need for NAT. Using NAT overload with IPv6 defeats many of the advantages of IPv6, such as end-to-end connectivity and simpler network configurations. Best practices strongly discourage NAT overload for IPv6.

Use native IPv6 addressing without NAT for IPv6 networks. Reserve NAT overload only for IPv4 networks or during IPv6 transition mechanisms.

Exam Trap — Don't Get Fooled

{"trap":"The exam might ask: 'A network with 100 hosts uses a router with NAT overload configured with a single public IP. How many simultaneous internet connections can be supported?' A learner might answer '100' because they think each host is limited to one connection."

,"why_learners_choose_it":"Learners often confuse the number of hosts with the number of connections. They think NAT overload maps one host to one port, but actually each host can have many simultaneous connections, each mapped to a different port.","how_to_avoid_it":"Remember that NAT overload uses port numbers, not just IP addresses, to distinguish connections.

A single host can open hundreds of connections simultaneously (e.g., a browser with many tabs). The limit is the number of available port numbers (65535 minus reserved ports), not the number of hosts.

So with one public IP, you can theoretically support tens of thousands of simultaneous connections from many hosts."

Commonly Confused With

NAT overloadvsStatic NAT

Static NAT creates a permanent one-to-one mapping between a private IP and a public IP. Unlike NAT overload, it does not use port numbers to multiplex connections. A device behind static NAT can receive incoming connections without port forwarding, while NAT overload requires port forwarding for inbound traffic.

Your company's email server has a private IP 10.0.0.5 and a static NAT mapping to public IP 203.0.113.10. External email servers can connect to it directly. With NAT overload, that same server would be unreachable from outside unless you configure port forwarding.

NAT overloadvsDynamic NAT

Dynamic NAT uses a pool of public IP addresses and maps each private IP to one public IP from that pool on a first-come, first-served basis. Once all public IPs are used, no new internal hosts can connect. NAT overload, in contrast, can support many hosts using a single public IP by multiplexing via ports.

Your office has a pool of 5 public IPs. With dynamic NAT, only 5 internal hosts can be online at once. With NAT overload, even with only 1 public IP, 50 hosts can be online because they share that single IP using different ports.

NAT overloadvsPort Forwarding

Port forwarding is a configuration that tells the router to send all incoming traffic on a specific port to a specific internal IP address. It is complementary to NAT overload: NAT overload handles outbound traffic automatically, while port forwarding handles inbound traffic that would otherwise be dropped because no NAT mapping exists.

You want to run a web server on your home computer (192.168.1.100). You configure port forwarding on your router: any incoming traffic on port 80 goes to 192.168.1.100. Without this, NAT overload would drop all incoming traffic on port 80 because there is no dynamic mapping.

NAT overloadvsInternet Gateway (AWS)

An AWS Internet Gateway allows both inbound and outbound traffic between a VPC and the internet. It performs NAT for instances with public IPs. A NAT Gateway in AWS uses PAT (NAT overload) to allow private instances to initiate outbound traffic only. The key difference: Internet Gateway enables bidirectional communication for public instances; NAT Gateway enables unidirectional outbound traffic for private instances.

An EC2 instance with a public IP attached to an Internet Gateway can be reached from the internet. An EC2 instance in a private subnet with a NAT Gateway can only start connections to the internet; it cannot be reached directly from the internet.

NAT overloadvsProxy Server

A proxy server sits between a client and a server and forwards requests on behalf of the client. Unlike NAT overload, a proxy operates at Layer 7 (application layer) and can cache content, filter web requests, and authenticate users. NAT overload operates at Layers 3 and 4 and does not inspect or modify application data.

When you use a web proxy, your browser sends a request to the proxy, and the proxy fetches the web page for you. The destination web server sees the proxy's IP, not yours. With NAT overload, your router changes the source IP and port, but the client and server still communicate directly.

Step-by-Step Breakdown

1

Internal Host Sends Packet

A device on the private network (e.g., 192.168.1.10) sends a packet to an external destination (e.g., 93.184.216.34 port 80). The source IP and port are the private values. The packet is destined for the router's inside interface.

2

Router Receives Packet on Inside Interface

The router's inside interface (configured with 'ip nat inside') receives the packet. The router checks whether the packet matches an access list or route map that triggers NAT. For NAT overload, the router identifies that translation is required because the source IP is private.

3

Router Selects a Public IP Address

The router looks at its NAT configuration for the outside interface (configured with 'ip nat outside'). It uses the configured public IP or the pool of public IPs. In most cases, it uses the IP address of the outside interface itself. This address will replace the original source IP.

4

Router Chooses a Unique Public Source Port

The router selects a port number from a range (usually 1024–65535) that is not currently in use in the NAT table. Each active connection must have a unique public IP + public port combination. If no port is available, the packet is dropped and the host may see a timeout.

5

Router Creates a NAT Table Entry

The router writes an entry in its NAT translation table. The entry contains: inside local (private IP and port), inside global (public IP and public port), outside local (destination IP and port), outside global (same as outside local for standard NAT), and a timestamp.

6

Router Modifies the Packet

The router rewrites the IP header: the source IP address is replaced with the public IP. It also rewrites the TCP or UDP header: the source port is replaced with the public port. The IP and transport layer checksums are recalculated. The packet is then forwarded out the outside interface.

7

External Server Processes Packet and Sends Response

The external server sees the packet as originating from the public IP and public port. It sends its response back to that same public IP and port as the destination. The response packet arrives at the router's outside interface.

8

Router Looks Up Incoming Packet in NAT Table

The router examines the destination IP and port of the incoming response packet. It searches the NAT table for an entry where the inside global (public IP and public port) matches. If a match is found, the router retrieves the corresponding inside local (private IP and private port).

9

Router Reverses Translation and Forwards

The router rewrites the destination IP to the private IP and the destination port to the private port. It recalculates checksums and forwards the packet out the inside interface to the original host. The host sees the packet as if it came directly from the external server.

10

Router Maintains Timeouts and Cleans Up

The NAT table entry remains active until the connection closes or the timeout expires. For TCP, the entry may be removed upon FIN or RST, or after an idle timeout. For UDP, the entry is removed after a configurable timeout (often 30–60 seconds). This frees up the port for future connections.

Practical Mini-Lesson

To truly understand NAT overload, you need to get hands-on with the translation table. On a Cisco router, you can view the current NAT translations with the command 'show ip nat translations'. The output will look something like this:

Pro Inside global Inside local Outside local Outside global tcp 203.0.113.1:40001 192.168.1.10:33000 93.184.216.34:80 93.184.216.34:80 tcp 203.0.113.1:40002 192.168.1.20:33002 93.184.216.34:80 93.184.216.34:80

Notice that both entries have the same inside global IP (203.0.113.1) but different ports (40001 and 40002). The 'Pro' column indicates the protocol (TCP or UDP). The 'Inside local' is the original private IP and port of the host. The 'Outside local' is the destination IP and port as seen from the inside, which for standard NAT is the same as 'Outside global'.

When configuring NAT overload on a Cisco router, the essential command is:

ip nat inside source list 1 interface GigabitEthernet0/0 overload

This tells the router to translate packets that match access list 1 (which permits the private network) using the IP address of interface GigabitEthernet0/0 as the public IP, and to use overload (port address translation). You also need to mark the inside and outside interfaces with 'ip nat inside' and 'ip nat outside' respectively.

One common real-world issue is the NAT table filling up. In a busy office with many users streaming video, making VoIP calls, and browsing, the table can quickly reach its limit, especially on low-end routers. Symptoms include users intermittently unable to load web pages or connect to services, while existing connections continue to work. Checking the table size with 'show ip nat statistics' shows the number of active translations and the maximum allowed.

Another practical consideration is the interaction with VPNs. If you run a VPN client from behind NAT overload, the VPN traffic is encapsulated and the outer header is translated, but the inner encrypted payload remains intact. This works for most VPNs, but some advanced VPN protocols that use IPsec in tunnel mode can fail if the NAT device does not support IPsec passthrough.

For cloud professionals, configuring NAT in AWS is straightforward but requires careful planning. You create a NAT Gateway in a public subnet, allocate an Elastic IP, and then update the route table for each private subnet to point default traffic (0.0.0.0/0) to the NAT Gateway ID. The NAT Gateway automatically performs PAT. The key cost consideration is that you pay for each hour the NAT Gateway is provisioned and for each gigabyte of data processed.

A common mistake in cloud environments is forgetting that a NAT Gateway requires a route to the internet through an Internet Gateway. If the public subnet where the NAT Gateway resides does not have an Internet Gateway attached to its route table, the NAT Gateway will not work. Also, security groups and network ACLs must allow the return traffic from the NAT Gateway to the private instances.

In Azure, the NAT Gateway resource is similar but uses a different naming convention. You create a NAT Gateway, assign a public IP or prefix, and associate it with a subnet. The NAT Gateway then translates the source IP of all outbound traffic from that subnet.

Troubleshooting NAT overload often begins with ping tests. If a private host can ping the router's inside interface but not the outside interface, the issue is likely routing. If it can ping the outside interface but not an external host, you should check the NAT configuration. A useful debugging command on Cisco devices is 'debug ip nat', which shows each packet as it is translated. This command should be used sparingly in production because it can overwhelm the router's CPU.

Finally, remember that NAT overload is a 'patch' for the IPv4 address shortage, not a long-term solution. As you work toward advanced certifications, you will learn about IPv6 deployment as the permanent fix. But for the foreseeable future, NAT overload remains a staple of network configuration.

NAT overload Fundamentals: How Port Address Translation Works

NAT overload, also known as Port Address Translation (PAT), is a form of dynamic Network Address Translation that maps multiple private IP addresses to a single public IP address by differentiating traffic based on transport-layer port numbers. Unlike basic NAT which provides a one-to-one mapping, NAT overload enables hundreds or even thousands of internal hosts to share one public IP. This is achieved by maintaining a translation table that records each session's original source IP and port, along with the assigned public IP and a unique source port.

When a packet leaves the internal network, the NAT device replaces the private source IP with the public IP and changes the source port to a unique value from a pool. Incoming responses are matched by destination IP and port, which the device maps back to the correct internal host. This mechanism is critical for conserving public IPv4 addresses and is widely used in home routers, enterprise firewalls, and cloud networking.

In the AWS context, NAT gateways use overload to allow private EC2 instances to access the internet while remaining unreachable from outside. The CCNA and Network+ exams test understanding of how the translation table is built and how port numbers are reused. A key detail is that PAT does not modify the destination IP or port of outgoing traffic, only the source fields.

This allows internal hosts to connect to external services without conflict, as long as each internal session gets a distinct public port. Without NAT overload, each internal host would require a unique public IP, leading to rapid IPv4 exhaustion. The process involves five key steps: receipt of packet from internal host, translation of source IP and port, forwarding to external network, receipt of response, reverse translation, and delivery to original host.

Understanding this flow is essential for troubleshooting connectivity issues in both on-premises and cloud environments. NAT overload is also a fundamental concept in the Security+ exam, where it is considered a security control because it hides internal IP structure from external networks.

Configuring NAT overload on Cisco IOS Routers for CCNA and Network+

Configuring NAT overload on a Cisco IOS router involves defining which internal networks are eligible for translation, designating the outside interface, and enabling overload with a standard access control list. The process begins with the command 'ip nat inside source list ACL_NUMBER interface INTERFACE_NAME overload'. This tells the router to translate any traffic matching the ACL to the IP address of the specified outside interface, using port overload.

Common configuration steps are: first, create an access list that matches the private IP range, for example 'access-list 1 permit 192.168.1.0 0.0.0.255'. Second, enter interface configuration mode for the internal interface and issue 'ip nat inside'.

Third, configure the external interface with 'ip nat outside'. Finally, apply the 'ip nat inside source list' command globally. It is important to ensure that the outside interface has a valid public IP, either statically or via DHCP.

For exam scenarios, candidates must recognize that the overload keyword is what enables PAT. The alternative without overload would create a one-to-one dynamic NAT, which exhausts the public IP pool quickly. In real-world troubleshooting, misconfigured ACLs are a common cause of NAT failures.

For example, if the ACL does not include the subnet where hosts reside, their traffic will bypass translation and be dropped if the router has no route to the destination. The 'ip nat inside source' command can use a pool of public IPs instead of a single interface IP, but the overload keyword is still required to allow multiplexing. The Network+ and CCNA exams often present a topology where a small business has a single public IP and uses NAT overload to provide internet access to 50 employees.

Understanding the difference between inside local, inside global, outside local, and outside global addresses is tested. Inside local is the private IP of the host, inside global is the translated public IP. NAT overload dynamically assigns inside global ports.

Students should also know how to verify translations with 'show ip nat translations' and clear them with 'clear ip nat translation *'. The configuration must also account for routing: the router must have a default route or specific route pointing to the internet via the outside interface. Without that, translated packets have no egress path.

In the AZ-104 exam, similar concepts apply to Azure NAT Gateway, though the configuration is in the Azure portal or via ARM templates. The Google ACE exam tests analogous concepts with Cloud NAT. Thus, mastering Cisco-style NAT overload configuration provides a foundational understanding applicable across multiple platforms.

NAT overload Translation Table States: Inside, Outside, and Port Exhaustion

The NAT overload translation table is dynamic and stores entries for active sessions. Each entry records the inside local IP and port, the inside global IP and port (the public IP and unique port assigned by the NAT device), the outside local IP and port (typically the same as outside global unless destination NAT is applied), and the outside global IP and port (the actual destination). Understanding these states is crucial for troubleshooting.

A typical entry looks like: '192.168.1.10:1025 203.0.113.5:40001 8.8.8.8:80 8.8.8.8:80'. The inside local is the private source, inside global is the public source after translation, and outside global is the destination.

The outside local is often a mirror of outside global in standard outbound PAT. When a host sends a packet, the router creates an entry if one does not exist. The entry is kept alive as long as traffic flows.

Idle timers vary by device but typically range from 60 seconds to 24 hours depending on protocol. For TCP, the timeout is usually longer (e.g., 86400 seconds for established connections), while UDP has a shorter timeout (e.

g., 300 seconds). Port exhaustion occurs when all available source ports on the public IP are used. For a single public IP, there are 65,535 possible ports, but often fewer are usable due to reserved ranges.

When exhausted, new connection attempts fail. Symptoms include timeouts, partial connectivity, and error messages like 'NAT: Out of translations' in logs. In exam scenarios, this is a classic troubleshooting clue.

Another state is the 'extended' translation, where multiple inside locals share the same inside global IP but different ports. If the same internal host uses the same source port for multiple connections, the NAT device may reuse the same inside global port if the destination is different, but collisions are avoided by the unique tuple (inside global IP, inside global port, outside global IP, outside global port). The Security+ exam tests that NAT overload provides a security benefit by preventing direct external access to internal hosts, as no static mapping exists unless explicitly configured.

In the AWS SAA exam, NAT Gateway's high availability is tested: it can scale up to handle traffic, but port exhaustion can occur if the maximum connections per second are exceeded. The AZ-104 exam covers Azure NAT Gateway's automatic scaling but also warns about connection limits. Troubleshooting port exhaustion involves reducing idle timeouts, increasing the number of public IPs in the NAT pool, or optimizing application connection reuse.

For the A+ exam, basic understanding of how home NAT routers use PAT to allow multiple devices is expected. The CCNA exam demands detailed analysis of 'show ip nat translations verbose' output to identify stale entries. A common exam question: 'What happens when a NAT overload table is full and a new packet arrives?'

The answer: the packet is dropped, and an ICMP unreachable may be sent. Understanding these states helps diagnose performance issues in enterprise networks and cloud environments.

NAT overload in AWS, Azure, and Google Cloud: Service Specifics for SAA, AZ-104, and ACE

Cloud providers implement NAT overload as managed services to allow instances in private subnets to initiate outbound connectivity while preventing inbound connections. In AWS, the NAT Gateway is a highly available AWS-managed service that uses PAT to translate private IPs to the Elastic IP assigned to the gateway. It supports traffic for TCP, UDP, and ICMP.

Key features include automatic scaling up to 45 Gbps per Availability Zone, and a connection tracking table that handles up to 1 million simultaneous connections per gateway. The AWS SAA exam tests scenarios where you must choose between a NAT Gateway and a NAT Instance, noting that the gateway is managed and requires no patching, while the instance gives more flexibility. NAT Gateway costs are based on hourly usage and data processing per GB.

For AZ-104, Azure NAT Gateway is a fully managed Resource Manager resource that provides outbound connectivity for virtual networks. It uses a pool of public IP addresses (either single IP or prefix) and performs PAT. It can be associated with multiple subnets within a VNet.

The exam emphasizes that a NAT Gateway can share public IP addresses with other Azure resources like Load Balancers, but careful planning is needed to avoid port conflicts. The gateway automatically scales outbound connections and supports up to 64,000 flows per IP. Azure NAT Gateway also allows connection draining during scale events.

For Google Cloud ACE, Cloud NAT is a regional resource that uses NAT overload to enable private VM instances to access the internet. It supports static and dynamic port allocation, with a configurable minimum and maximum ports per VM. The ACE exam tests understanding of Cloud NAT's integration with Cloud Router and how it handles traffic from GKE clusters.

All three platforms have differences in how they handle port exhaustion. AWS NAT Gateway returns an ICMP 'destination unreachable' when ports are exhausted. Azure NAT Gateway has a default idle timeout of 4 minutes for TCP and 2 minutes for UDP, configurable up to 30 minutes.

Google Cloud NAT allows per-VM port quotas and can be configured to use 'auto' mode that calculates port limits based on VM size. A common exam question across these certifications: 'What is the effect of a NAT Gateway going down on private instances?' Correct answer: those instances lose outbound internet access unless a second gateway in another AZ is used.

Understanding how each provider handles high availability (AWS recommends one NAT Gateway per AZ, Azure offers zone-redundant frontends, Google Cloud NAT is regional) is critical. These services all support logging via Flow Logs (VPC Flow Logs in AWS, NSG Flow Logs in Azure, VPC Flow Logs in GCP) to monitor translation activities. In the context of Security+, cloud NAT acts as a security boundary, hiding internal IPs and providing a single point of egress control.

For the Network+ and CCNA exams, while cloud-specific details are not required, the underlying PAT concepts are identical. Mastering these cloud-specific implementations provides a competitive edge in multi-cloud certification paths.

Troubleshooting Clues

Port exhaustion on NAT overload device

Symptom: Users report that they cannot establish new outbound connections, such as browsing websites, while existing connections work. Router logs may show 'NAT: Out of translations'.

All available source ports on the public IP(s) are in use. Each translation consumes a unique port per session. With a single public IP, the maximum is 65,535 but often less due to reserved ports. The NAT device cannot create new entries, so packets are dropped.

Exam clue: CCNA and AWS SAA exams present a scenario where a small office suddenly cannot reach the internet. The candidate must identify port exhaustion as the cause and suggest adding more public IPs or reducing idle timeouts.

ACL misconfiguration for NAT overload

Symptom: Some internal hosts can access the internet, others cannot. The failed hosts are on a different subnet than the ones that work.

The access list used in the NAT overload command does not include the subnet of the failing hosts. For example, ACL only permits 192.168.1.0/24 but hosts on 192.168.2.0/24 are not matched, so their packets are not translated and may be dropped.

Exam clue: Network+ exam: Given a topology with multiple VLANs, candidate must identify why only one VLAN has internet. Answer: ACL not covering all subnets.

Incorrect inside/outside interface assignment

Symptom: NAT translations are not being created even though configuration looks correct. Traffic does not appear in 'show ip nat translations'.

One or both interfaces may not have the 'ip nat inside' or 'ip nat outside' commands applied. The NAT device must know which side is internal and which is external to translate correctly.

Exam clue: CCNA: A common rookie mistake. Exam may show a config where interfaces are not assigned as inside/outside, and ask why translation fails.

Timeout values too short causing dropped sessions

Symptom: Long-lived connections like SSH or database connections drop after a period of inactivity, requiring reconnection.

NAT overload has idle timers for TCP and UDP. If the timeout is set too low, the translation entry is removed while the session is still active, breaking connectivity. Default TCP timeout may be 24 hours for established, but if the device uses aggressive timers, sessions drop.

Exam clue: Security+ and AZ-104: Scenario where a persistent VPN or SSH session drops after 5 minutes of no traffic. Candidate suggests configuring TCP timeout or using keepalives.

Duplicate public IP on NAT overload pool

Symptom: Intermittent connectivity failures, inconsistent translation behavior, and errors in logs about duplicate address.

If the same public IP is assigned both as a NAT pool address and also statically to another device, conflicts occur. NAT overload may try to use an IP that is already in use elsewhere, causing traffic to be misrouted.

Exam clue: Network+ exam: Troubleshooting a network where a router's WAN IP overlaps with a NAT pool. Correct answer is to remove the conflicting IP from the pool.

NAT gateway capacity exceeded in cloud (AWS NAT Gateway)

Symptom: CloudWatch alarms show high metrics for 'PacketsDropCount' or 'ErrorPortAllocation'. Users experience connection timeouts.

AWS NAT Gateway is limited to 45 Gbps per gateway and 1 million simultaneous connections. Exceeding these limits causes packet drops. Cloud NAT gateways also have per-second burst limits.

Exam clue: AWS SAA: A company sees dropped connections during peak hours. Candidate must recommend adding more NAT Gateways across Availability Zones to scale.

Asymmetric routing due to NAT overload with multiple WAN links

Symptom: Traffic from internal hosts reaches the internet but responses are dropped or delayed. Translations appear but packets are not delivered.

If there are multiple NAT devices (e.g., two routers with different public IPs) and traffic exits via one but the response returns via the other, the return packet's destination IP may not match the expected NAT entry. Each device has its own translation table.

Exam clue: CCNA and AZ-104: Scenario with dual internet connections. Candidate must configure route-based NAT or ensure traffic returns through the same device (e.g., policy-based routing or using same public IP for both).

Memory Tip

Think 'Overload = One IP, Many Ports.' The router overloads a single IP address with multiple connections by stamping each one with a unique port number.

Learn This Topic Fully

This glossary page explains what NAT overload means. For a complete lesson with labs and practice, see the topic guide.

Covered in These Exams

Current Exam Context

Current exam versions that test this topic — use these objectives when studying.

Legacy Exam Context

Older materials may mention these exam versions, but learners should use the current objectives for their target exam.

N10-008N10-009(current version)
SY0-601SY0-701(current version)

Related Glossary Terms

Quick Knowledge Check

1.What is the primary purpose of NAT overload (PAT) compared to basic dynamic NAT?

2.A network administrator configures 'ip nat inside source list 1 interface GigabitEthernet0/0' on a Cisco router. The ACL permits 192.168.1.0/24. Internal hosts on that subnet can access the internet, but a new subnet 192.168.2.0/24 cannot. What is the most likely cause?

3.In AWS, a company uses a single NAT Gateway in us-east-1a. During a traffic spike, users report connection timeouts to external websites. CloudWatch shows high 'PacketsDropCount'. What is the most effective solution?

4.A technician runs 'show ip nat translations' and sees an entry with inside global 203.0.113.5:40001 pointing to inside local 192.168.1.10:1025. The destination is 8.8.8.8:80. What does the port 40001 represent?

5.Which scenario correctly describes a symptom of NAT overload port exhaustion?