CCNA 200-301 | Chapter 186 of 260 | Objective 4.1

NAT vs PAT: Address Translation Comparison

Network Address Translation (NAT) and Port Address Translation (PAT) are critical technologies for conserving IPv4 addresses and enabling private networks to access the public internet. On the CCNA 200-301 exam (Objective 4.1), you must understand not only how they work but also their key differences, configuration, and troubleshooting. In real-world engineering, you'll deploy NAT/PAT daily—so mastering this topic is essential for both the exam and your career.

25 min read
Intermediate
Updated May 31, 2026

Office Phone System with a Single Outside Line

Imagine a small office with 20 employees, each having an internal extension (e.g., 101, 102, … 120). The office has only one external phone line with a single public number: (555) 1234. When an employee wants to call outside, they dial 9 to get the external line. This is like NAT: the internal extension (private IP) is translated to the single public number (public IP) for outgoing calls. But here's the catch—if two employees try to call out at the same time, the second caller gets a busy signal. That's the limitation of basic NAT: only one internal host can use the public IP at a time. To solve this, the company installs a PBX (Private Branch Exchange) system. Now, when an employee dials 9, the PBX not only translates the extension to the public number but also assigns a unique call identifier—like a callback ID—so that multiple employees can have simultaneous calls, each identified by a different ID. This is PAT (also called NAT overload). The PBX maps each internal extension to the public number plus a unique port number (the call ID). When a call comes back from outside, the PBX looks at the call ID to know which extension to route it to. Without the ID, it couldn't tell which employee the incoming call was for. This mirrors exactly how PAT works: it uses different source port numbers to multiplex thousands of internal hosts over a single public IP address.

How It Actually Works

What is NAT and PAT?

Network Address Translation (NAT) is a method of remapping one IP address space into another by modifying network address information in IP packet headers. In the context of the CCNA, NAT typically refers to translating private (RFC 1918) IP addresses to public IP addresses for internet access. Port Address Translation (PAT) is a specific type of NAT that also translates the source port number, allowing multiple internal hosts to share a single public IP address. Cisco IOS supports both static and dynamic NAT, as well as PAT (often called NAT overload).

Why Do We Need NAT/PAT?

IPv4 exhaustion is the primary driver. Private IP addresses (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) can be used within an organization, but they are not routable on the public internet. NAT/PAT allows these private addresses to communicate with the public internet by translating them to one or more public IP addresses. Additionally, NAT provides a basic level of security by hiding internal IP structures from the outside.

How NAT Works Step by Step

Consider a host with private IP 192.168.1.10 sending a packet to a web server at 8.8.8.8. The packet has source IP 192.168.1.10, source port 12345, destination IP 8.8.8.8, destination port 80. When the packet reaches the router configured with NAT, the router checks its NAT translation table. For static NAT, a fixed mapping exists: 192.168.1.10 maps to 203.0.113.10. The router changes the source IP to 203.0.113.10, recalculates the IP header checksum, and forwards the packet. The web server replies to 203.0.113.10. The router receives the reply, looks up the destination IP in its NAT table, finds the mapping to 192.168.1.10, changes the destination IP back, and forwards the packet to the internal host.

How PAT Works Step by Step

PAT extends NAT by also changing the source port. Using the same example, the router sees the packet from 192.168.1.10:12345 to 8.8.8.8:80. It selects a unique global port number, say 54321, and creates an entry: (192.168.1.10, 12345) -> (203.0.113.1, 54321). The source IP becomes 203.0.113.1 and source port becomes 54321. When the reply comes back to 203.0.113.1:54321, the router looks up the port in its table, finds the mapping, and forwards the packet to 192.168.1.10:12345. By using unique port numbers, PAT can support up to 65,536 simultaneous connections per public IP (though in practice, it's fewer due to reserved ports and timers).

Key States, Timers, and Defaults

Translation timeout: NAT entries default to 24 hours. PAT entries default to 86400 seconds (24 hours) for TCP and 300 seconds for UDP, but the router also applies a more aggressive idle timeout to PAT entries: 60 seconds for TCP and 30 seconds for UDP with no activity. These timers are configurable with ip nat translation timeout (and ip nat translation udp-timeout for UDP).

Port range: By default, PAT uses ports from 1024 to 65535. You can configure a different range with ip nat port-range.

NAT pool: For dynamic NAT, you define a pool of public IPs. The router assigns an IP from the pool to an internal host for the duration of the translation.

Overload keyword: To enable PAT, you add the overload keyword to the ip nat inside source list command.
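The step-by-step PAT walk-through above is easy to follow once the translation table is visible. The following Python model is an added example (not code from the chapter or from Cisco IOS): it keeps the two lookup tables a PAT router needs, hands out global ports from a configurable range, refuses new translations when the range is exhausted, drops unsolicited inbound packets that match no entry, and expires idle entries using the chapter's stated PAT idle timers (60 seconds TCP, 30 seconds UDP). The addresses are the chapter's constructed values; the port allocator (lowest free port first) is a simplification and is not how IOS chooses ports.

```python
from dataclasses import dataclass

# Idle timers as the chapter states them for PAT entries (constructed model, not IOS defaults).
IDLE_TIMEOUT = {"tcp": 60, "udp": 30}


@dataclass
class Entry:
    proto: str
    inside_local: tuple    # (private ip, original source port)
    inside_global: tuple   # (public ip, translated source port)
    outside: tuple         # (destination ip, destination port)
    last_seen: float       # time of the last packet in either direction


class PatRouter:
    """PAT (NAT overload) with one inside-global address and an explicit global port range."""

    def __init__(self, global_ip, port_range=(1024, 65535)):
        self.global_ip = global_ip
        # pop() hands out the lowest free port first; a released port goes back on the list
        self.free_ports = list(range(port_range[1], port_range[0] - 1, -1))
        self.by_inside = {}   # (proto, src ip, src port, dst ip, dst port) -> Entry
        self.by_global = {}   # (proto, global port, dst ip, dst port)      -> Entry

    def outbound(self, proto, src_ip, src_port, dst_ip, dst_port, now):
        """Inside -> outside packet: return the rewritten (src ip, src port), or None on port exhaustion."""
        self._expire(now)
        key = (proto, src_ip, src_port, dst_ip, dst_port)
        entry = self.by_inside.get(key)
        if entry is None:
            if not self.free_ports:
                return None            # translation failed: no global port left
            gport = self.free_ports.pop()
            entry = Entry(proto, (src_ip, src_port), (self.global_ip, gport), (dst_ip, dst_port), now)
            self.by_inside[key] = entry
            self.by_global[(proto, gport, dst_ip, dst_port)] = entry
        entry.last_seen = now
        return entry.inside_global

    def inbound(self, proto, src_ip, src_port, dst_port, now):
        """Outside -> inside packet: return the inside (ip, port) to forward to, or None to drop."""
        self._expire(now)
        entry = self.by_global.get((proto, dst_port, src_ip, src_port))
        if entry is None:
            return None                # no matching entry: unsolicited inbound traffic is dropped
        entry.last_seen = now
        return entry.inside_local

    def _expire(self, now):
        """Remove entries idle longer than their protocol timer and recycle their global ports."""
        for key, entry in list(self.by_inside.items()):
            if now - entry.last_seen >= IDLE_TIMEOUT[entry.proto]:
                del self.by_inside[key]
                del self.by_global[(entry.proto, entry.inside_global[1], entry.outside[0], entry.outside[1])]
                self.free_ports.append(entry.inside_global[1])

    def show_translations(self):
        """Rows in the column order of 'show ip nat translations' (header plus one row per entry)."""
        rows = ["Pro Inside global      Inside local       Outside local      Outside global"]
        for e in self.by_inside.values():
            ig = f"{e.inside_global[0]}:{e.inside_global[1]}"
            il = f"{e.inside_local[0]}:{e.inside_local[1]}"
            og = f"{e.outside[0]}:{e.outside[1]}"
            rows.append(f"{e.proto:<3} {ig:<18} {il:<18} {og:<18} {og}")
        return rows


if __name__ == "__main__":
    r = PatRouter("203.0.113.1")
    r.outbound("tcp", "192.168.1.10", 12345, "8.8.8.8", 80, now=0)
    r.outbound("tcp", "192.168.1.11", 12345, "8.8.8.8", 80, now=1)   # same source port, different host
    print("\n".join(r.show_translations()))
    print(r.inbound("tcp", "8.8.8.8", 80, 1024, now=2))
```

Two hosts using the same source port 12345 get distinct global ports, which is the whole point of the port translation; shrinking `port_range` to a couple of ports makes the exhaustion and timer-recycling behaviour easy to observe.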

IOS CLI Verification Commands

To verify NAT/PAT translations:

Router# show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
tcp 203.0.113.1:54321  192.168.1.10:12345 8.8.8.8:80         8.8.8.8:80

To see active translations with protocols:

Router# show ip nat translations verbose

To clear translations:

Router# clear ip nat translation *

To check NAT statistics:

Router# show ip nat statistics
Total active translations: 1 (0 static, 1 dynamic; 1 extended)
Outside interfaces: Serial0/0/0
Inside interfaces: GigabitEthernet0/0
Hits: 100  Misses: 5
Expired translations: 10
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 100 pool POOL1 refcount 1
 pool POOL1: netmask 255.255.255.0
        start 203.0.113.1 end 203.0.113.10

Interaction with Related Protocols

NAT interacts with many protocols. For example, FTP uses two connections: control (port 21) and data (port 20). In active FTP, the server initiates a data connection back to the client, which fails if the client is behind NAT. Cisco IOS includes an FTP ALG (Application Layer Gateway) that inspects FTP traffic and dynamically opens pinholes. Similarly, SIP, H.323, and ICMP (especially echo requests) require special handling. The ip nat service command can enable ALGs for specific protocols.

Configuration Example

Basic dynamic NAT with a pool:

!
ip nat pool MYPOOL 203.0.113.1 203.0.113.10 netmask 255.255.255.0
ip nat inside source list 100 pool MYPOOL
!
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
!
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface Serial0/0/0
 ip address 203.0.113.254 255.255.255.0
 ip nat outside

For PAT (overload), change the ip nat inside source command to:

ip nat inside source list 100 pool MYPOOL overload

Or use the outside interface's IP:

ip nat inside source list 100 interface Serial0/0/0 overload

Walk-Through

1. Configure Inside and Outside Interfaces

First, identify which interfaces are 'inside' (connected to the private network) and which are 'outside' (connected to the public network). On each interface, apply the `ip nat inside` or `ip nat outside` command. For example: `interface GigabitEthernet0/0` then `ip nat inside`. This tells the router which direction to translate. Without this, NAT won't work even if every other command is correct.

2. Define NAT Pool (if using dynamic NAT or PAT)

Create a pool of public IP addresses using `ip nat pool POOL-NAME START-IP END-IP netmask SUBNET-MASK`. For example: `ip nat pool PUBLIC 203.0.113.1 203.0.113.10 netmask 255.255.255.0`. If you plan to use PAT, you can either use a pool or the outside interface's IP. The pool defines the range of global addresses available for translation.

3. Create Access List to Match Private Traffic

Define an access list that matches the private IP addresses you want to translate. Typically, you use a standard ACL, though an extended ACL that matches only the source (as in `access-list 100 permit ip 192.168.1.0 0.0.0.255 any`) also works. This ACL is referenced in the NAT rule. Be careful: the ACL should only match the source addresses of the inside hosts, not the destination. Many candidates mistakenly write an extended ACL that also constrains the destination, which can cause issues.

4. Configure NAT Translation Rule

Use `ip nat inside source list ACL-NUMBER pool POOL-NAME [overload]` for dynamic NAT or PAT. For example: `ip nat inside source list 100 pool PUBLIC overload` enables PAT. Without `overload`, it's dynamic NAT (one-to-one). You can also use `ip nat inside source list 100 interface Serial0/0/0 overload` to use the interface's IP. This is the core command that ties the ACL, pool, and direction together.

5. Verify NAT/PAT Operation

After configuration, generate traffic from an inside host to an outside destination (e.g., ping 8.8.8.8). Then use `show ip nat translations` to see the translation entries. Use `show ip nat statistics` to see hit counts. If no translations appear, check that the inside and outside interfaces are correctly configured and that the ACL matches traffic. Common issues: ACL missing, interfaces not marked, or pool exhausted.

6. Troubleshoot Common Issues

If NAT isn't working, use `debug ip nat` (with caution in production) to see translation events. Check for `NAT: translation failed` messages. Ensure that routing is correct: the router must know how to reach the inside networks and the outside destinations. Also, verify that the ACL is not too restrictive. For PAT, ensure port exhaustion isn't occurring by checking `show ip nat statistics` for the number of translations.
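Steps 1 to 4 above are a checklist, and most of the failures step 5 and step 6 describe are one of those steps left out. The following Python script is an added example (not from the chapter or from Cisco) that reads an IOS-style configuration snippet and reports which walk-through step each gap belongs to: interfaces not marked inside/outside, a rule referencing an undefined ACL or pool, an `interface` rule pointing at an interface that is not marked outside, an ACL entry that constrains the destination, and a rule with no `overload` (reported with the pool size, since that is the number of inside hosts the rule can translate at once). The sample configuration is the chapter's dynamic-NAT example; the parser only understands the handful of commands the chapter uses and is not a general IOS config parser.

```python
import ipaddress
import re

# Constructed sample: the chapter's dynamic-NAT configuration (no 'overload' keyword).
SAMPLE_CONFIG = """\
!
ip nat pool MYPOOL 203.0.113.1 203.0.113.10 netmask 255.255.255.0
ip nat inside source list 100 pool MYPOOL
!
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
!
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface Serial0/0/0
 ip address 203.0.113.254 255.255.255.0
 ip nat outside
"""

POOL_RE = re.compile(r"ip nat pool (\S+) (\S+) (\S+) netmask (\S+)")
ACL_RE = re.compile(r"access-list (\d+) permit (.*)")
RULE_RE = re.compile(r"ip nat inside source list (\S+) (pool|interface) (\S+)( overload)?$")


def parse_config(text):
    """Pull out the pieces the walk-through steps depend on: interfaces, pools, ACLs, and the NAT rule."""
    cfg = {"pools": {}, "acls": {}, "rules": [], "inside": [], "outside": []}
    current_if = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if raw.startswith(" ") and current_if:          # interface sub-mode lines are indented
            if line == "ip nat inside":
                cfg["inside"].append(current_if)
            elif line == "ip nat outside":
                cfg["outside"].append(current_if)
            continue
        current_if = line.split(None, 1)[1] if line.startswith("interface ") else None
        if m := POOL_RE.match(line):
            cfg["pools"][m[1]] = (m[2], m[3], m[4])
        elif m := ACL_RE.match(line):
            cfg["acls"].setdefault(m[1], []).append(m[2].split())
        elif m := RULE_RE.match(line):
            cfg["rules"].append({"acl": m[1], "kind": m[2], "target": m[3], "overload": bool(m[4])})
    return cfg


def pool_size(pool):
    start, end, _netmask = pool
    return int(ipaddress.ip_address(end)) - int(ipaddress.ip_address(start)) + 1


def audit(cfg):
    """Return one finding per walk-through step the configuration does not satisfy (empty list = clean)."""
    findings = []
    if not cfg["inside"]:
        findings.append("step 1: no interface has 'ip nat inside'")
    if not cfg["outside"]:
        findings.append("step 1: no interface has 'ip nat outside'")
    if not cfg["rules"]:
        findings.append("step 4: no 'ip nat inside source list' rule")
    for r in cfg["rules"]:
        if r["acl"] not in cfg["acls"]:
            findings.append(f"step 3: ACL {r['acl']} referenced by the rule is not defined")
        if r["kind"] == "pool" and r["target"] not in cfg["pools"]:
            findings.append(f"step 2: pool {r['target']} referenced by the rule is not defined")
        if r["kind"] == "interface" and r["target"] not in cfg["outside"]:
            findings.append(f"step 1: {r['target']} is used by the rule but is not marked 'ip nat outside'")
        if not r["overload"]:
            has_pool = r["kind"] == "pool" and r["target"] in cfg["pools"]
            limit = pool_size(cfg["pools"][r["target"]]) if has_pool else 1
            findings.append(f"step 4: rule for ACL {r['acl']} has no 'overload': one-to-one dynamic NAT, "
                            f"at most {limit} inside host(s) translated at a time")
    for num, entries in cfg["acls"].items():
        for ace in entries:
            # extended ACE: permit <proto> <src> <wildcard> <dst> ...; the NAT ACL should constrain the source only
            if len(ace) >= 4 and ace[3] != "any":
                findings.append(f"step 3: ACL {num} entry restricts the destination ({ace[3]}); match inside sources only")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_config(SAMPLE_CONFIG)) or ["no findings"]:
        print(finding)
```

Run against the chapter's example it reports exactly one finding, the missing `overload`; adding the keyword, or switching the rule to the `interface Serial0/0/0 overload` form, produces a clean result.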

What This Looks Like on the Job

In enterprise networks, NAT/PAT is ubiquitous. Consider a large company with 10,000 employees, each with a PC that has a private IP address. The company has only a /24 public subnet (254 usable IPs). Without PAT, only 254 users could access the internet simultaneously. With PAT, all 10,000 can share the public IPs, using port numbers to differentiate sessions. The network engineer configures a pool of, say, 10 public IPs and uses overload to allow each IP to support thousands of connections. This is standard practice.

Another scenario is a small branch office with a single public IP on the WAN interface. The engineer configures ip nat inside source list 100 interface Dialer0 overload on a DSL router. This allows all internal hosts to share that single IP.

Performance considerations: NAT/PAT adds processing overhead. On high-end routers, hardware acceleration (Cisco Express Forwarding with NAT) reduces the impact. However, on low-end routers, heavy NAT usage can cause CPU spikes.

Misconfiguration can lead to problems: if the ACL is too broad, it might translate traffic that shouldn't be translated (e.g., internal-to-internal traffic that hits the outside interface). Also, forgetting to add overload results in one-to-one NAT, quickly exhausting the pool. In production, always use overload unless you have a specific need for static one-to-one mappings (e.g., for servers).

Another real-world issue: NAT breaks applications that embed IP addresses in the payload, like FTP or SIP. Engineers must enable ALGs or use static NAT for those servers. Finally, NAT traversal for VPNs often requires special configuration, such as NAT-T (NAT Traversal) for IPsec.

How CCNA 200-301 Actually Tests This

On the CCNA 200-301 exam, Objective 4.1 expects you to compare NAT and PAT. The exam tests your ability to identify the correct translation type for a given scenario. Common traps include:

(1) Thinking that NAT and PAT are the same. Wrong: PAT is a subset of NAT that includes port translation.

(2) Believing that PAT can only be used with a single public IP. While PAT is often used with one IP, it can also be used with a pool of IPs.

(3) Assuming that static NAT is the same as PAT. Static NAT is one-to-one fixed mapping; PAT is many-to-one with port translation.

(4) Forgetting that PAT requires the overload keyword. Without it, you get dynamic NAT.

The exam may give a configuration snippet and ask what happens if overload is missing. Answer: only one host can use each public IP at a time. Another trap: the exam might show a show ip nat translations output with multiple entries using the same public IP but different ports, and ask what type of NAT is configured. Answer: PAT.

Also, know the default timers: 24 hours for NAT, but PAT uses 60 seconds for TCP idle and 30 seconds for UDP. The exam may ask which timer affects how long a translation stays active after the last packet.

Finally, scenario questions: 'A company has 500 internal hosts and only one public IP. Which solution allows all hosts to access the internet?' Answer: PAT (NAT overload). Eliminate options that suggest static NAT or dynamic NAT without overload. Use the decision rule: if the question says 'many-to-one' or 'port translation', choose PAT.
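The "read the show output and name the translation type" trap above, and the verification section's `show ip nat translations` listing earlier in the chapter, both come down to one observation: a single inside-global address reused with different ports by more than one inside host is PAT. The following Python script is an added example (not the chapter's or Cisco's code) that parses output in that command's column layout, applies that decision rule, and also counts ports in use per inside-global address, which is the number to watch when troubleshooting port exhaustion on a PAT router. The sample output is constructed in the chapter's column format, with entries that mix PAT rows and a plain one-to-one row.

```python
from collections import Counter, defaultdict

# Constructed sample in the column layout of 'show ip nat translations' (not captured from a router).
SAMPLE_OUTPUT = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 203.0.113.1:54321  192.168.1.10:12345 8.8.8.8:80         8.8.8.8:80
tcp 203.0.113.1:54322  192.168.1.11:40001 8.8.8.8:443        8.8.8.8:443
udp 203.0.113.1:54323  192.168.1.10:5353  8.8.8.8:53         8.8.8.8:53
--- 203.0.113.10       192.168.1.50       ---                ---
"""


def split_endpoint(field):
    """'ip:port' -> (ip, port); bare ip -> (ip, None); '---' -> (None, None)."""
    if field == "---":
        return (None, None)
    ip, sep, port = field.rpartition(":")
    return (ip, int(port)) if sep else (field, None)


def parse_translations(text):
    """Turn each five-column data row into a dict; the header and any other line is skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        proto, ig, il, ol, og = parts
        entries.append({
            "proto": None if proto == "---" else proto,
            "inside_global": split_endpoint(ig),
            "inside_local": split_endpoint(il),
            "outside_local": split_endpoint(ol),
            "outside_global": split_endpoint(og),
        })
    return entries


def classify(entries):
    """Chapter's decision rule: one public IP shared by several inside hosts via different ports means PAT."""
    hosts_per_global = defaultdict(set)
    ports_in_use = Counter()
    one_to_one = 0
    for e in entries:
        gip, gport = e["inside_global"]
        if gport is None:
            one_to_one += 1                  # plain entry: static or dynamic one-to-one NAT
            continue
        ports_in_use[gip] += 1
        hosts_per_global[gip].add(e["inside_local"][0])
    pat_ips = sorted(ip for ip, hosts in hosts_per_global.items() if len(hosts) > 1)
    return {
        "type": "PAT" if pat_ips else "one-to-one NAT",
        "pat_global_ips": pat_ips,
        "ports_in_use": dict(ports_in_use),
        "one_to_one_entries": one_to_one,
    }


if __name__ == "__main__":
    print(classify(parse_translations(SAMPLE_OUTPUT)))
```

A single extended entry on its own is not enough to call the configuration PAT, which is why the rule keys on distinct inside-local hosts per inside-global address rather than on the mere presence of ports.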

Key Takeaways

PAT is a type of NAT that also translates source port numbers, allowing many internal hosts to share a single public IP.

The 'overload' keyword is required to enable PAT in the ip nat inside source command.

Default PAT timers: 60 seconds for TCP idle, 30 seconds for UDP idle (configurable).

Use 'show ip nat translations' to view active translations; 'show ip nat statistics' for hit counts and pool usage.

Static NAT provides one-to-one fixed mapping; dynamic NAT provides one-to-one dynamic mapping; PAT provides many-to-one mapping.

NAT/PAT breaks applications that carry IP addresses in payload (e.g., FTP, SIP); use ALGs or static NAT for such applications.

PAT can support up to 65,536 simultaneous connections per public IP (theoretically), but practical limits are lower due to reserved ports and timers.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

NAT (Dynamic NAT)

One-to-one mapping: one private IP to one public IP

Requires a pool of public IPs equal to or greater than the number of simultaneous users

No port translation; source port remains unchanged

Limited scalability: only as many users as public IPs in pool

Configuration: ip nat inside source list <acl> pool <pool>

PAT (NAT Overload)

Many-to-one mapping: multiple private IPs to one or a few public IPs

Can use a single public IP or a pool; uses port numbers to differentiate sessions

Translates source port to a unique global port

Highly scalable: thousands of users can share one public IP

Configuration: same as NAT but with 'overload' keyword added

Watch Out for These

Mistake

NAT and PAT are the same thing.

Correct

PAT is a specific type of NAT that includes port number translation. NAT generally refers to any IP address translation, while PAT specifically uses port numbers to multiplex multiple internal hosts over a single public IP.

Candidates often hear 'NAT' used loosely to mean PAT, but the exam distinguishes them.

Mistake

PAT can only be used when you have a single public IP address.

Correct

PAT can be used with a pool of public IPs. Each translation uses one IP from the pool, but multiple internal hosts can share each IP via different ports.

Many think the 'overload' keyword implies a single IP, but it works with pools too.

Mistake

Dynamic NAT without overload allows multiple internal hosts to share a public IP.

Correct

Dynamic NAT without overload provides one-to-one mapping: each internal host gets a unique public IP from the pool. If the pool is exhausted, additional hosts cannot access the internet.

Confusion arises because both NAT and PAT are dynamic, but only PAT allows sharing.

Mistake

The default NAT translation timeout is 60 seconds.

Correct

The default timeout for NAT entries is 24 hours. For PAT, the idle timeout for TCP is 60 seconds and for UDP is 30 seconds. The 24-hour timeout applies to static NAT and dynamic NAT entries that are not PAT.

Candidates mix up the generic NAT timeout with the PAT-specific idle timers.


Frequently Asked Questions

What is the difference between NAT and PAT on Cisco routers?

NAT (Network Address Translation) translates private IP addresses to public IP addresses. It can be static (one-to-one fixed) or dynamic (one-to-one from a pool). PAT (Port Address Translation), also called NAT overload, is a type of NAT that also translates the source port number, allowing multiple internal hosts to share a single public IP. PAT is more scalable because it uses port numbers to differentiate sessions. On Cisco IOS, you enable PAT by adding the 'overload' keyword to the 'ip nat inside source' command.

How do I configure PAT on a Cisco router?

First, mark inside and outside interfaces with 'ip nat inside' and 'ip nat outside'. Then define an access list that matches the private addresses to be translated. For PAT using the outside interface's IP, use: 'ip nat inside source list <acl> interface <interface> overload'. For PAT using a pool, create a pool with 'ip nat pool <name> <start> <end> netmask <mask>' and then 'ip nat inside source list <acl> pool <name> overload'. Verify with 'show ip nat translations'.

What is the default timeout for NAT translations?

The default timeout for NAT entries (including static and dynamic) is 24 hours. However, for PAT entries, the idle timeout is 60 seconds for TCP and 30 seconds for UDP. These timers are configurable with 'ip nat translation timeout' and 'ip nat translation udp-timeout'. On the exam, remember that PAT has shorter timeouts than regular NAT because it needs to free up ports for other connections.

Can PAT work with a pool of public IPs?

Yes. PAT can use a pool of public IPs. When you configure 'ip nat inside source list <acl> pool <poolname> overload', the router will assign one public IP from the pool for each new translation, but multiple internal hosts can share that same public IP via different ports. This is useful when you have multiple public IPs but still want to maximize usage. The router will load-balance across the pool IPs.

Why does FTP break with NAT/PAT?

FTP uses two separate TCP connections: a control connection (port 21) and a data connection. In active FTP, the server initiates the data connection to the client's IP address, which is private and unreachable from the internet. Additionally, the client's IP address is embedded in the control connection payload. NAT/PAT only changes the IP header, not the payload, so the server gets the private IP and tries to connect to it. Cisco IOS includes FTP ALG that inspects the control connection and modifies the payload, but if the ALG is not enabled or the router doesn't support it, active FTP fails. Passive FTP works better because the client initiates both connections.

What is the 'ip nat inside source' command used for?

This command configures the source NAT rule. It specifies that traffic coming from the inside interface and matching an access list should have its source IP translated. The syntax is 'ip nat inside source list <acl> {pool <poolname> | interface <interface>} [overload]'. The 'overload' keyword enables PAT. Without it, it's dynamic NAT. You can also use 'static' for static NAT: 'ip nat inside source static <private> <public>'.

How do I clear all NAT translations on a Cisco router?

Use 'clear ip nat translation *' to clear all dynamic translations. Static translations are not cleared. To clear specific translations, you can use 'clear ip nat translation inside <global-ip> <local-ip>' or specify the protocol and port. Use with caution in production as it will disconnect active sessions.

