How to Configure NAT on Cisco Routers (Static, Dynamic, PAT)

Master Cisco NAT configuration with real IOS commands for CCNA success.

Network Address Translation (NAT) is a critical skill for any network engineer and a core topic in the CCNA exam. This guide walks you through configuring Static NAT, Dynamic NAT, and PAT (overloading) on a Cisco IOS router using real-world CLI commands. You will learn how to define inside and outside interfaces, create access lists for translation, and verify your configurations with show commands. By the end, you will be able to implement NAT in a lab or production environment and troubleshoot common issues like translation failures and pool exhaustion.

1. Define Inside and Outside Interfaces

The first step in any NAT configuration is identifying which router interfaces are 'inside' (your private network) and which are 'outside' (the public network). Use the 'ip nat inside' and 'ip nat outside' commands under interface configuration mode. This tells the router which direction to translate packets.

Cisco IOS
Router(config)# interface GigabitEthernet0/0
Router(config-if)# ip address 192.168.1.1 255.255.255.0
Router(config-if)# ip nat inside
Router(config-if)# exit
Router(config)# interface GigabitEthernet0/1
Router(config-if)# ip address 203.0.113.1 255.255.255.0
Router(config-if)# ip nat outside

Always verify interface status with 'show ip interface brief' before proceeding.

Do not apply 'ip nat inside' or 'ip nat outside' to loopback interfaces; they are not used for NAT translation.

2. Configure Static NAT for a Single Server

Static NAT provides a one-to-one mapping between a private IP and a public IP. This is commonly used for servers that need to be accessible from the internet, such as a web or mail server. Use the 'ip nat inside source static' command to create the mapping.

Cisco IOS
Router(config)# ip nat inside source static 192.168.1.10 203.0.113.10

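For port-specific static NAT (e.g., mapping port 80), use 'ip nat inside source static tcp 192.168.1.10 80 203.0.113.10 80'. The address-only form above maps every port on 192.168.1.10 to the public address, so the port-specific form limits what is reachable from outside to the one service you intend to publish.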

3. Configure Dynamic NAT with a Pool

Dynamic NAT maps private IPs to a pool of public IPs on a first-come, first-served basis. First, define a standard access list to match the inside hosts. Then, create a NAT pool with the range of public IPs. Finally, link them with the 'ip nat inside source list' command.

Cisco IOS
Router(config)# access-list 1 permit 192.168.1.0 0.0.0.255
Router(config)# ip nat pool MY_POOL 203.0.113.20 203.0.113.30 netmask 255.255.255.0
Router(config)# ip nat inside source list 1 pool MY_POOL

Use 'show ip nat translations' to see active translations and 'show ip nat statistics' to monitor pool usage.

If the pool is exhausted, new hosts will not be able to access the internet. Monitor pool utilization carefully.

4. Configure PAT (Port Address Translation / Overloading)

PAT, also known as NAT overload, allows multiple private IPs to share a single public IP by using unique source port numbers. This is the most common NAT type for home and small business routers. Add the 'overload' keyword to the dynamic NAT command to enable PAT.

Cisco IOS
Router(config)# access-list 1 permit 192.168.1.0 0.0.0.255
Router(config)# ip nat inside source list 1 interface GigabitEthernet0/1 overload

Using the outside interface IP (as shown) is simpler than defining a pool. This is the standard configuration for internet access.
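The pool behaviour from step 3 and the port sharing from step 4, modelled side by side as an added example (not code from this guide or from Cisco IOS). It reuses the guide's addresses; the inside hosts and the source port are constructed, and translation timeouts and the router's real port-selection rules are not modelled.

```python
import ipaddress
from itertools import chain

# Addresses from the guide: pool MY_POOL and the Gi0/1 outside address.
POOL_START, POOL_END = "203.0.113.20", "203.0.113.30"
OUTSIDE_IP = "203.0.113.1"


class DynamicNat:
    """One-to-one dynamic NAT: each inside host takes a whole pool address."""

    def __init__(self, start, end):
        first, last = (int(ipaddress.IPv4Address(a)) for a in (start, end))
        self.free = [str(ipaddress.IPv4Address(a)) for a in range(first, last + 1)]
        self.table = {}  # inside local IP -> inside global IP

    def translate(self, inside_ip):
        if inside_ip not in self.table:
            if not self.free:
                return None  # pool exhausted: no translation for this host
            self.table[inside_ip] = self.free.pop(0)  # first come, first served
        return self.table[inside_ip]


class Pat:
    """Overload: all flows share one address and differ by source port."""

    def __init__(self, global_ip):
        self.global_ip = global_ip
        self.table = {}  # (inside local IP, port) -> inside global port

    def translate(self, inside_ip, inside_port):
        key = (inside_ip, inside_port)
        if key not in self.table:
            used = set(self.table.values())
            # Simplified rule (assumption): keep the port if free, else next free one.
            candidates = chain([inside_port], range(1024, 65536))
            port = next((p for p in candidates if p not in used), None)
            if port is None:
                return None  # every port on the shared address is in use
            self.table[key] = port
        return self.global_ip, self.table[key]


def run_demo(host_count=12):
    hosts = [f"192.168.1.{n}" for n in range(10, 10 + host_count)]  # constructed
    dyn, pat = DynamicNat(POOL_START, POOL_END), Pat(OUTSIDE_IP)
    # Every host opens a flow from the same source port to force PAT collisions.
    return [dyn.translate(h) for h in hosts], [pat.translate(h, 50000) for h in hosts]
```

With twelve inside hosts, the eleven-address pool leaves the twelfth host without a translation, while PAT serves all twelve from 203.0.113.1 on distinct ports.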

5. Verify NAT Configuration and Translations

After configuring NAT, always verify that translations are working correctly. Use 'show ip nat translations' to view active mappings and 'show ip nat statistics' to see hit counts and pool usage. You can also use 'debug ip nat' for real-time translation events, but use it sparingly in production.

Cisco IOS
Router# show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- 203.0.113.10       192.168.1.10       ---                ---

Router# show ip nat statistics
Total active translations: 5 (1 static, 4 dynamic, 0 extended)
Pool MY_POOL: 11 addresses, 4 allocated, 7 free
Hits: 142  Misses: 3

Clear translations with 'clear ip nat translation *' if you need to reset the state during troubleshooting.

Debug commands ('debug ip nat') can overwhelm a router under heavy traffic. Use only in a lab or during maintenance windows.

6. Troubleshoot Common NAT Issues

Common NAT problems include translation failures, pool exhaustion, and ACL misconfigurations. Check that the ACL matches the correct source network. Verify that the outside interface has a route back to the translated IPs. Use 'ping' with extended options to test from inside hosts. Also confirm that the router's routing table has a default route pointing to the ISP.

Cisco IOS
Router# show access-list 1
Standard IP access list 1
    10 permit 192.168.1.0, wildcard bits 0.0.0.255 (10 matches)

Router# show ip route
Gateway of last resort is 203.0.113.254 to network 0.0.0.0
S*   0.0.0.0/0 [1/0] via 203.0.113.254

If NAT is not working, check that 'ip routing' is enabled and that the inside hosts have the router as their default gateway.
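To check the ACL the way this step describes, the added example below (not from this guide or from Cisco) parses the 'show access-list' layout shown above and reports which inside hosts fall through to the implicit deny and are therefore never translated. NARROW_ACL and the host addresses used with it are constructed.

```python
import ipaddress
import re

# Entry layout as printed by 'show access-list 1' in the guide.
ENTRY = re.compile(r"\s*(\d+)\s+(permit|deny)\s+(any|[\d.]+)(?:,\s*wildcard bits\s+([\d.]+))?")

GUIDE_ACL = """Standard IP access list 1
    10 permit 192.168.1.0, wildcard bits 0.0.0.255 (10 matches)"""

# Constructed misconfiguration: wildcard 0.0.0.15 covers only .0 through .15.
NARROW_ACL = """Standard IP access list 1
    10 permit 192.168.1.0, wildcard bits 0.0.0.15"""


def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def parse_acl(show_output):
    """Return sorted (seq, action, network, wildcard) tuples from the show output."""
    entries = []
    for line in show_output.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # header or blank line
        seq, action, net, wild = m.groups()
        if net == "any":
            net, wild = "0.0.0.0", "255.255.255.255"
        # An entry printed without wildcard bits matches a single host.
        entries.append((int(seq), action, to_int(net), to_int(wild or "0.0.0.0")))
    return sorted(entries)


def acl_action(entries, host):
    """First matching entry wins; no match falls through to the implicit deny."""
    addr = to_int(host)
    for seq, action, net, wild in entries:
        care = ~wild & 0xFFFFFFFF  # wildcard 1-bits mean "don't care"
        if (addr & care) == (net & care):
            return action, seq
    return "deny", None  # implicit deny: NAT leaves the packet untranslated


def untranslated_hosts(show_output, hosts):
    """Inside hosts that 'ip nat inside source list' would not translate."""
    entries = parse_acl(show_output)
    return [h for h in hosts if acl_action(entries, h)[0] != "permit"]
```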

Key tips

  • Always use 'ip nat inside' and 'ip nat outside' on the correct interfaces; mislabeling them is the most common NAT mistake.

  • For PAT, use the 'overload' keyword with an interface rather than a pool to simplify configuration and conserve public IPs.

  • Use 'show ip nat statistics' to quickly check if your NAT pool is exhausted or if translations are being created.

  • When troubleshooting, start with 'show ip nat translations' and then verify the ACL with 'show access-list' to see if packets are being matched.

  • In a lab environment, use 'debug ip nat detailed' to see the exact translation decisions the router is making.

  • Remember that NAT changes the IP header, so protocols that embed IP addresses in the payload (like FTP or SIP) may require additional ALG configuration.

Frequently asked questions

What is the difference between Static NAT and Dynamic NAT?

Static NAT creates a permanent one-to-one mapping between a private IP and a public IP, ideal for servers. Dynamic NAT maps private IPs to a pool of public IPs on demand, but once a mapping is made, it remains until the session ends. PAT (overloading) is a form of dynamic NAT that allows many private IPs to share a single public IP by using unique ports.

Why would I use PAT instead of Dynamic NAT?

PAT is more efficient because it allows hundreds of private hosts to share a single public IP address. Dynamic NAT requires a public IP for each concurrent session, which is wasteful and expensive. PAT is the standard for home and small business internet connections.

How do I clear all NAT translations on a Cisco router?

Use the command 'clear ip nat translation *' to remove all dynamic translations. Static NAT entries are not affected by this command. To clear a specific translation, use 'clear ip nat translation inside <global-ip> <local-ip>'.

What is the purpose of the 'ip nat inside source list' command?

This command links an access list (which defines which inside hosts are eligible for translation) to a NAT pool or interface. The router uses the ACL to determine which traffic should be translated and then applies the pool or overload mapping.

Can I use NAT with IPv6?

NAT is not typically used with IPv6 because IPv6 provides enough public addresses for every device. However, Cisco IOS supports NAT66 (NAT for IPv6) for specific transition scenarios. In modern networks, IPv6 uses direct addressing without translation.
