Addressing and routingIP services and securityIntermediate23 min read

What Is PAT in Networking?

Reviewed byJohnson Ajibi· Senior Network & Security Engineer · MSc IT Security
On This Page

Quick Definition

PAT is a way for many devices on a home or office network to share one internet connection. It changes the port numbers of outgoing traffic so the router knows which device sent each request. This helps you browse the web, stream videos, and play online games without needing a unique public IP for every device. It works behind the scenes every time you connect to the internet.

Commonly Confused With

Static NAT maps one private IP to one public IP permanently. PAT maps many private IPs to one public IP using port numbers. Static NAT is used when an internal server needs a fixed public address, like a web server, while PAT is for general outbound internet access for many devices.

If you have a web server at 192.168.1.10 that must be reachable from the internet, you configure static NAT to map it to a public IP. For your 20 employee computers that only browse the internet, you use PAT.

Dynamic NAT maps private IPs to public IPs from a pool on a first-come, first-served basis, but still one-to-one. PAT is a special form of dynamic NAT that allows many-to-one mapping by using port numbers. Dynamic NAT requires a pool of public IPs equal to or larger than the number of internal hosts, while PAT needs only one public IP.

If you have 10 public IPs and 10 internal devices, dynamic NAT gives each device a unique public IP temporarily. PAT would give all 10 devices the same public IP with different ports.

Port forwarding is a manual configuration that tells the router to send inbound traffic on a specific port to a specific internal IP. PAT automatically handles outbound traffic with dynamic port assignment. Port forwarding is used to allow external access to an internal server, while PAT is for sharing the internet connection.

You set port forwarding on port 80 to send web traffic to your internal web server at 192.168.1.10. That is port forwarding. Meanwhile, all your devices use PAT to access the internet outbound without any manual configuration.

Must Know for Exams

PAT appears frequently in multiple major IT certification exams. For CompTIA Network+, PAT is covered under Objective 1.4 (Given a scenario, configure the appropriate IP addressing components) and Objective 2.1 (Compare and contrast various devices, their features, and their placement). Network+ exam questions often ask you to identify PAT from a description or scenario, differentiate it from static NAT, or select the correct configuration command for a home router. You might see a question like, 'A small business has 20 computers but only one public IP address. Which technology allows all 20 computers to access the internet simultaneously?' The correct answer is PAT. Another common question type presents a network diagram and asks you to explain why a packet's source port is changed at the router.

For Cisco CCNA, PAT is a core topic under the Network Access section, specifically within NAT configuration and troubleshooting. The CCNA exam (200-301) expects you to configure PAT on a Cisco router using the 'ip nat inside source list' command with the overload keyword. You must understand how to define inside and outside interfaces, create an access list to identify eligible internal networks, and apply the overload directive. Simulation questions may require you to write the correct configuration or troubleshoot a scenario where PAT is not working because an ACL is too restrictive or because the NAT pool is exhausted. CCNA also covers PAT operation in the context of IPv4 address conservation and IPv6 transition technologies.

Other exams like AWS Certified Solutions Architect and Azure Administrator include PAT as a supporting concept. When you configure NAT gateways or NAT instances in the cloud, you are essentially implementing PAT at the cloud provider level. Questions may ask about high availability for PAT services or how to ensure that outbound traffic from private subnets can reach the internet without exposing internal IP addresses. The CompTIA Security+ exam touches on PAT when discussing network segmentation and address hiding as part of defense in depth. For the Cisco CCNP, you may encounter more advanced PAT topics like NAT with multiple public IPs, NAT hairpinning, and troubleshooting PAT with debug commands.

Simple Meaning

Imagine your home has a single mailbox address that everyone shares. When the mail carrier brings letters, your family needs a way to know which letter belongs to whom. PAT works like giving each family member a unique apartment number within that shared address. When you send a request to a website, PAT writes your device's return 'apartment number' (a port number) on the envelope before it leaves your network. When the website replies, it sends the response back to your apartment number, and PAT makes sure the letter reaches your device, not your sibling's device.

This whole process happens invisibly. Your computer, phone, and smart TV all get private IP addresses like 192.168.1.10, but to the outside internet, your entire house appears as just one public IP address. PAT is the reason you can have a dozen devices streaming Netflix, checking email, and making video calls all at the same time. Without PAT, the internet would have run out of addresses years ago because every device would need its own unique public IP.

Technically, PAT is a specific type of Network Address Translation (NAT). It is sometimes called NAT overload or IP masquerading. The key idea is that PAT keeps a table of active connections, logging each device's private IP and the port number it used for the request. When the response comes back, PAT checks the destination port in the returning packet, looks up its table, and forwards the data to the correct internal device. This table is small and temporary; it creates an entry when a connection starts and removes it when the session ends.

Full Technical Definition

Port Address Translation (PAT) is a dynamic form of Network Address Translation (NAT) that allows multiple devices on a local area network (LAN) with private IPv4 addresses to share a single public IPv4 address when communicating with external networks, most commonly the internet. PAT operates at the network layer (Layer 3) of the OSI model but works closely with the transport layer (Layer 4) by modifying TCP/UDP port numbers. When a device inside the network initiates an outbound connection, PAT replaces the source IP address with the router's public IP address and assigns a unique source port number from a pool of high-numbered ports (typically 1024–65535). This modified packet is then sent to the destination. The router maintains a NAT translation table that maps each original private IP and port combination to the translated public IP and new port number.

When the response arrives from the external server, the router examines the destination port in the arriving packet, looks up the corresponding entry in the NAT table, and reverses the translation. It replaces the destination IP with the original private IP and the destination port with the original port number before forwarding the packet to the correct internal host. This process is transparent to both the internal host and the external server. PAT is defined in RFC 2663 and RFC 3022, and it is widely implemented in consumer routers, enterprise firewalls, and carrier-grade NAT solutions.

PAT is essential for IPv4 address conservation because it can theoretically support up to 65,535 simultaneous connections per public IP address, limited by the number of available port numbers. In practice, routers often support fewer simultaneous translations due to memory and processing constraints. PAT works with TCP, UDP, and ICMP (with transaction IDs used instead of ports). However, PAT can cause issues with protocols that embed IP address information in the payload, such as FTP, SIP, or IPsec. For these protocols, additional application-layer gateways (ALGs) are required to rewrite the payload content. PAT is also a key component in IPv4-to-IPv6 transition strategies, though it does not solve the fundamental address exhaustion problem.

In enterprise environments, PAT is often configured on the router or firewall that acts as the gateway for internal networks. Configuration typically involves setting an access control list (ACL) to define which internal networks are eligible for PAT and then applying the PAT rule to the external interface. Network professionals must monitor NAT table utilization because a full table can cause new outbound connections to fail. PAT is also commonly used with redundant public IP addresses, where multiple public IPs are pooled to distribute the translation load. Security professionals often note that PAT provides a basic level of obfuscation because internal IP addresses are hidden from the outside, but it should not be considered a security feature since stateful firewalls provide actual access control.

Real-Life Example

Think of a large office building that has a single reception desk with one phone number. Every employee in the building has their own desk phone with an internal extension, like 101 or 204. When an employee wants to make an outside call, they dial 9 first, then the number. The receptionist answers the call and says, 'Hello, you are connected to extension 101.' The employee talks to the customer, and when the customer calls back, they dial the main building number. The receptionist answers and asks which extension they want to reach. The customer says 'extension 101,' and the receptionist transfers the call to that desk. The customer never knows that the employee's direct line is extension 101; they only know the single main number.

In this analogy, the main phone number is your public IP address. Each employee's desk is a device on your home network with a private IP like 192.168.1.101. The receptionist is the PAT function on your router. When you dial out, you use a temporary port number that works like a disposable extension number. When the reply comes back, the receptionist (PAT) knows exactly which desk (device) should get the call because it recorded the mapping when the call was placed.

Now imagine 50 employees all calling different customers at the same time. The one receptionist keeps a list: extension 101 used port 5001 for customer A, extension 102 used port 5002 for customer B, and so on. When customer A calls back on port 5001, the receptionist knows it is for extension 101. If two employees called the same customer, the receptionist assigns different ports so there is no confusion. That is exactly how PAT handles multiple simultaneous connections from many devices using the same public IP address. The system scales well because ports are reusable once a call ends.

Why This Term Matters

PAT is one of the most important concepts in modern networking because it directly addresses the IPv4 address exhaustion problem. Without PAT, the internet would have run out of available IP addresses years ago. Every smartphone, laptop, smart TV, thermostat, and gaming console would need its own unique public IP address, which is simply not possible given the limited supply of IPv4 addresses. PAT allows billions of devices to share the limited pool of public IPv4 addresses, enabling the massive growth of the internet and the explosion of connected devices we see today.

In practical IT environments, PAT is the default configuration on virtually every home router and wireless access point. When you plug a new device into your network, it automatically gets a private IP from the DHCP server, and PAT handles all outbound connectivity. For IT professionals, understanding PAT is essential for troubleshooting connectivity issues, configuring port forwarding for home servers or gaming consoles, and setting up VPNs that must traverse PAT boundaries. When a user reports that they cannot connect to a remote server or that an application fails after a few minutes, the problem often lies with PAT timeout settings or NAT table exhaustion.

PAT also has implications for security policies. Because PAT hides internal IP addresses from external networks, it provides a layer of obscurity that makes it harder for external attackers to map the internal network. This is not a substitute for a firewall, but it does reduce the attack surface. For compliance audits, many organizations must document their PAT configurations and ensure that translations are logged for forensic analysis. Understanding PAT is also critical for network design decisions, such as whether to deploy carrier-grade NAT for customers or to purchase public IP address blocks for direct addressing.

How It Appears in Exam Questions

PAT appears in several distinct question patterns across IT certification exams. The most common pattern is the scenario-based question where you must identify which technology is being described. For example: 'A network administrator wants to allow 50 employees to access the internet using a single public IP address. Which solution should be implemented?' The correct answer is PAT. The distractors might include static NAT, DHCP, or DNS. To avoid traps, remember that PAT is specifically about mapping many private addresses to one public address using port numbers, while static NAT is one-to-one mapping.

Another pattern is the configuration question, especially on CCNA. You might be given a partial router configuration and asked to identify what is missing or what command achieves PAT. For instance: 'Which command enables PAT on a Cisco router?' The answer is 'ip nat inside source list 1 interface GigabitEthernet0/0 overload'. A variation shows a scenario where PAT is not working, and you must examine the running configuration to spot an error, such as the missing overload keyword or mismatched ACL entries. You may also see a question that asks about the number of simultaneous translations supported, with the expected answer being around 65,535 per public IP address, though you should also know that practical limits are lower due to memory.

Troubleshooting questions are also common. A typical question might describe a user who cannot access an external website after several minutes of usage, but other websites work fine. This could indicate that the PAT translation table has become full, that a specific port is not being released due to timeout settings, or that an application-layer gateway is needed for a protocol like FTP. You may also be asked to interpret the output of 'show ip nat translations' on a Cisco router, identifying which entries are PAT translations versus static NAT entries. Another tricky question type involves PAT and overlapping IP addresses, where a client gets a wrong response because two internal hosts used the same port number in their original request, causing a collision that PAT resolved by assigning different translated ports.

Practise PAT Questions

Test your understanding with exam-style practice questions.

Practise

Example Scenario

A small veterinary clinic has a single internet connection with one public IP address provided by their ISP. The clinic has 8 computers for reception, examination rooms, and billing, plus two wireless printers and the owner's laptop. All these devices need internet access to send emails, check online lab results, and process credit card payments. The clinic's router is configured with PAT. When the receptionist opens a web browser to check email, her computer (192.168.1.10) sends a request to the email server (203.0.113.5). The router takes this packet, changes the source IP from 192.168.1.10 to the public IP 198.51.100.1, and assigns a source port of, say, 55000. It records this mapping in its NAT table: inside address 192.168.1.10:443 (the original source port) becomes outside address 198.51.100.1:55000.

At the same time, a veterinarian in the examination room is accessing a lab results portal from a tablet (192.168.1.20). That request gets the same public IP but a different port, 55001. When the lab portal responds, it sends packets to 198.51.100.1:55001. The router looks up port 55001 in its table, finds the mapping to 192.168.1.20, and forwards the packet accordingly. The two devices never interfere with each other even though they use the same public IP.

Later, the billing computer needs to process a credit card transaction. This request uses a third port number, 55002. Without PAT, the clinic would have needed to purchase 11 separate public IP addresses from their ISP, which would be expensive and wasteful. PAT allows all devices to share the single public IP efficiently. The only limitation is that if all 11 devices try to make hundreds of connections simultaneously, they could exhaust the available port numbers, causing new connections to fail until some of the older ones time out and free up port numbers. This is a real risk in busy networks.

Common Mistakes

Thinking PAT provides actual security by hiding internal IP addresses

PAT only changes addresses and ports; it does not inspect or filter traffic. An attacker can still exploit open ports or vulnerabilities. Security requires a firewall or ACL, not just PAT.

Treat PAT as address conservation, not a security feature. Always combine PAT with a stateful firewall and proper access control policies.

Confusing PAT with static NAT or one-to-one NAT

Static NAT maps one private IP to one public IP permanently. PAT maps many private IPs to a single public IP using different ports. They are different technologies with different use cases.

Remember that PAT uses the overload keyword (Cisco) and is dynamic. Static NAT is for servers that need a fixed public address.

Believing PAT works with all applications without issues

Some applications embed IP information in the data payload, like FTP or SIP. PAT cannot modify payloads unless an ALG is present, causing those applications to fail.

Understand which protocols require ALGs. Use passive FTP or configure ALG support on the router. For SIP, use a session border controller or disable ALG if it causes issues.

Assuming PAT supports unlimited connections

PAT is limited by the number of available port numbers (65,535) per public IP. In reality, routers also have memory limits. Exhaustion causes new connections to drop.

Monitor NAT table usage with commands like 'show ip nat statistics'. If usage is high, consider adding more public IPs to the NAT pool or increasing timeout values.

Thinking PAT changes destination addresses or ports

PAT only modifies the source IP and source port of outbound packets. The destination remains untouched. For inbound responses, PAT modifies the destination IP and port to match the internal host.

Focus on the direction: outbound source changes, inbound destination changes. The destination of the original outbound packet stays the same.

Exam Trap — Don't Get Fooled

{"trap":"A question states that a router is configured with PAT and a user can browse the web normally, but cannot connect to an FTP server. The trap is that the learner thinks the problem is the firewall blocking FTP, but the real issue is that PAT cannot translate the FTP control channel because FTP embeds IP addresses in the payload.","why_learners_choose_it":"Learners often default to blaming firewalls or ACLs because those are more obvious security mechanisms.

They may not recognize that PAT has application-layer limitations.","how_to_avoid_it":"Memorize the list of protocols that break with PAT: FTP, SIP, H.323, IPsec (with NAT-T disabled), and some online games.

When you see PAT + FTP failure, always consider ALG requirements first. The fix is often to enable the FTP ALG on the router or switch to passive FTP mode."

Step-by-Step Breakdown

1

Internal device initiates outbound connection

A computer on the LAN, with private IP 192.168.1.10, sends a packet to a web server at 203.0.113.5 on destination port 80. The source IP is 192.168.1.10, and the source port is a random high port, say 54321.

2

Router receives the packet on its inside interface

The router's inside interface (usually a LAN port or VLAN) receives the packet. The router checks whether this traffic matches the criteria defined for PAT, typically an access control list that identifies allowable source networks.

3

Router creates a NAT translation entry

The router checks its NAT table for an existing entry. Since this is a new connection, it creates a new entry mapping the private IP and port (192.168.1.10:54321) to the public IP (198.51.100.1) and a new source port (e.g., 55000). This entry is stored for the duration of the session.

4

Router modifies the packet header

The router rewrites the source IP address from 192.168.1.10 to 198.51.100.1 and the source port from 54321 to 55000. The destination IP and port remain unchanged. The router also recalculates the IP and TCP/UDP checksums to reflect the changes.

5

Packet is forwarded to the external network

The modified packet is sent out through the router's outside interface (usually a WAN port) toward the internet. To the web server, the packet appears to come from 198.51.100.1:55000.

6

Web server sends a reply

The web server responds with a packet destined to 198.51.100.1:55000. The reply arrives at the router's outside interface.

7

Router looks up the NAT table

The router examines the destination IP and port of the incoming reply (198.51.100.1:55000). It searches its NAT table and finds the entry that maps this to 192.168.1.10:54321.

8

Router reverses the translation and forwards to internal device

The router rewrites the destination IP to 192.168.1.10 and the destination port to 54321, recalculates checksums, and forwards the packet to the internal computer. The computer sees the reply as if it came directly from the web server.

Practical Mini-Lesson

Understanding PAT in practice requires knowing both its configuration and its limitations. In a typical home network, PAT is enabled by default on the router's WAN interface. You usually do not need to configure anything because the router automatically performs PAT for all outbound traffic from the LAN. However, in enterprise or small business environments, you may need to manually configure PAT on a Cisco router or a firewall. The standard configuration begins by defining which interfaces are inside (LAN) and which are outside (WAN). On a Cisco router, you use the commands 'ip nat inside' on the LAN interface and 'ip nat outside' on the WAN interface. Then you create an access list that matches the private IP range you want to translate, for example 'access-list 1 permit 192.168.1.0 0.0.0.255'. Finally, you apply the PAT command: 'ip nat inside source list 1 interface GigabitEthernet0/0 overload'. The keyword 'overload' is what turns a simple dynamic NAT into PAT, because it allows multiple inside addresses to map to the same outside address by overloading port numbers.

One of the most important practical considerations is NAT table exhaustion. Each PAT entry consumes memory on the router. If you have 200 users each opening hundreds of TCP connections for web browsing, email, and chat, the NAT table can fill up quickly. When the table is full, new outbound connections are dropped, causing users to see 'cannot connect to server' errors. Professional network administrators monitor NAT table utilization using 'show ip nat statistics' or SNMP-based monitoring tools. They also tune NAT timeouts to free entries faster after connections end. For example, the default TCP timeout is often 24 hours, but you can reduce it to 1 hour for idle connections. For UDP, timeouts can be set much shorter, like 5 minutes, because UDP is connectionless.

Another practical challenge is troubleshooting PAT failures. When a user complains that an application does not work from inside the network but works from outside, consider PAT issues. Common symptoms include: the application hangs after a few minutes, file transfers fail, or voice calls drop. These symptoms often point to protocols with embedded IP addresses. The solution is to enable the appropriate ALG on the router. For example, on a Cisco router, 'ip nat service ftp' enables the FTP ALG. On many home routers, ALGs are enabled by default but can cause problems with VPN or VoIP. In those cases, you may need to disable the ALG. Knowing how to identify and fix these issues is a key skill for IT professionals.

Finally, PAT interacts with IPsec VPNs. Standard IPsec does not work through PAT because the VPN traffic is encrypted and PAT cannot modify port numbers inside the encrypted payload. The solution is IPsec NAT Traversal (NAT-T), which wraps the IPsec packets inside UDP to preserve port information. Many VPN clients detect PAT automatically and enable NAT-T. However, if NAT-T is not supported, the VPN will fail. As an IT professional, you should verify that NAT-T is enabled on both the VPN gateway and the client if PAT is present in the path.

Memory Tip

Remember PAT = Port Address Translation = many devices, one IP, different ports. Think of a mailbox with apartment numbers: port numbers are the apartment numbers.

Covered in These Exams

Current Exam Context

Current exam versions that test this topic — use these objectives when studying.

Related Glossary Terms

Frequently Asked Questions

What is the difference between PAT and NAT?

NAT is the broad term for translating one IP address to another. PAT is a specific type of NAT that translates many private IPs to one public IP by using different port numbers. All PAT is NAT, but not all NAT is PAT.

Can PAT work with IPv6?

PAT is not needed for IPv6 because IPv6 has enough addresses to give every device a unique public address. However, some IPv6 transition technologies like NAT64 use PAT-like translation between IPv6 and IPv4 networks.

How many connections can PAT support?

Theoretically, PAT can support up to 65,535 simultaneous connections per public IP address (one per port). In practice, routers have memory limits that reduce this number, often to a few thousand concurrent translations.

Does PAT affect internet speed?

PAT adds minimal processing overhead because the router must rewrite headers and look up translations. On modern routers, this overhead is negligible for home use. In enterprise environments, hardware acceleration keeps performance high.

What is the overload keyword in Cisco configuration?

The 'overload' keyword in the 'ip nat inside source' command enables PAT. Without this keyword, the router would perform dynamic one-to-one NAT, which would require a public IP for each concurrent translation. Overload allows multiple inside addresses to share one outside address using ports.

Can I disable PAT on my home router?

Most home routers do not allow you to disable PAT because it is essential for sharing the internet connection. If you disable it, only one device would be able to access the internet at a time. If you need to expose a device, use port forwarding instead.

Why does my online game not work with PAT?

Some games embed IP address and port information in game data. PAT cannot modify this embedded data, causing the game server to send responses to the wrong address. The solution is often to enable UPnP on the router, use port forwarding, or check if the game supports NAT traversal.

Summary

Port Address Translation (PAT) is a fundamental networking technology that allows multiple devices on a private network to share a single public IPv4 address by assigning unique port numbers to each connection. It is the reason your home Wi-Fi supports dozens of devices simultaneously without needing a separate public IP for each one. PAT works by rewriting the source IP and source port of outbound packets and maintaining a translation table to reverse the process for inbound replies. It is a specific form of Network Address Translation (NAT) enabled by the 'overload' keyword on routers.

For IT certification exams, PAT appears prominently in CompTIA Network+, Cisco CCNA, and cloud platform exams. You must understand how to configure PAT, identify it in scenarios, and troubleshoot common issues like NAT table exhaustion and ALG requirements for protocols like FTP and SIP. A common exam trap is confusing PAT with static NAT or assuming PAT provides security. Remember that PAT is about address conservation, not access control.

The key exam takeaway is this: PAT enables many-to-one translation using port numbers, while static NAT is one-to-one, and dynamic NAT is many-to-many. When you see a question about sharing one public IP among many internal hosts, the answer is PAT. Understand the configuration commands, the role of the overload keyword, and the practical limitations such as port exhaustion and protocol incompatibility. Mastering these points will help you confidently answer PAT questions in your certification exams.