NAT configuration errors are among the most common and frustrating problems on the CCNA 200-301 exam and in real networks. A single misplaced keyword or incorrect ACL can break connectivity for hundreds of users, and Cisco loves to test your ability to spot these traps. This chapter covers the exact configuration mistakes that appear on the exam, how to diagnose them with CLI commands, and how to fix them. Mastering this topic is essential for Objective 4.1 and for your career as a network engineer.
Imagine you manage a large apartment building with 100 apartments, but the building has only one street address. The mailroom receives all packages for the entire building. When a package arrives, the mailroom worker checks a list (the NAT translation table) to see which apartment should get the package. If the list has an entry, the worker writes the apartment number on the package and delivers it. If there is no entry, the package is discarded.
Now imagine a common mistake: the mailroom worker accidentally writes the wrong apartment number on a package because the list was incomplete or misconfigured. For example, the list says 'package for apartment 3B' but the actual resident in 3B moved out, and the new resident in 3B never registered. The package is delivered to the wrong person.
Another mistake: the worker might fail to update the list when a new resident moves in. If the list is missing an entry, packages for that resident are thrown away.
In the real world, NAT works exactly like this. The router's NAT translation table is the mailroom list. When an inside host sends traffic to the outside, the router creates an entry. When return traffic arrives, the router looks up the entry to forward the packet to the correct inside host. If the entry is missing or wrong, the packet is dropped or misdirected.
Common errors include: forgetting to configure 'ip nat inside' and 'ip nat outside' on the correct interfaces (the mailroom worker doesn't know which side is the building and which is the street), using an incorrect ACL that matches the wrong traffic (the list includes or excludes the wrong apartments), and exhausting the NAT pool (the list has no more spaces for new residents). Understanding this analogy helps you visualize the mechanism behind NAT configuration errors.
What is NAT and Why Does it Need Careful Configuration?
Network Address Translation (NAT) allows multiple devices on a private network to share a single public IP address (or a small pool of public addresses). Cisco's implementation on routers and switches supports several flavors: static NAT (one-to-one mapping), dynamic NAT (many-to-many using a pool), and PAT (Port Address Translation, also called NAT overload) which uses unique port numbers to differentiate sessions. On the CCNA 200-301 exam, you must be able to configure and troubleshoot all three, but the exam focuses heavily on common misconfiguration traps.
Step-by-Step Mechanism of NAT
When an inside host sends a packet to an outside destination, the router performs the following steps:
1. The packet arrives on an interface configured with `ip nat inside`.
2. The router checks the packet's source IP against the ACL (or route map) specified in the `ip nat inside source` command.
3. If the ACL permits the source IP, the router looks for an existing translation in its NAT translation table.
4. If no translation exists, the router creates one. For dynamic NAT, it selects an available address from the pool. For PAT, it uses the interface's IP address and assigns a unique port number.
5. The router rewrites the source IP (and possibly the source port) and updates the checksum.
6. The packet is forwarded out the interface configured with `ip nat outside`.
7. When a return packet arrives on the outside interface, the router looks up the destination IP and port in the translation table.
8. If a match is found, the router rewrites the destination IP and port and forwards the packet to the inside host.
9. If no match is found, the packet is dropped.
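To make the steps above concrete, here is a small Python model of inside-source NAT/PAT. It is an added example, not code from the page or from Cisco: the class and function names (`NatRouter`, `AclEntry`, `outbound`, `inbound`) are invented, the interface names `Gi0/0` and `Gi0/1` and the addresses are constructed, and the port allocator is deliberately simplified. What it does mirror faithfully is the control flow of the steps: the inside-interface check, first-match ACL evaluation with the implicit deny, lookup-then-create against the translation table, and the drop on the return path when no entry exists. It also goes a little beyond the steps to show the two failure modes discussed later in the chapter: a dynamic pool that runs out of addresses and a PAT address that runs out of ports, both of which bump the `misses` counter and drop the packet.

```python
# Added example (not from the page or Cisco): a minimal model of IOS
# inside-source NAT/PAT that walks the numbered steps above. Names are invented;
# the ACL first-match / implicit-deny behaviour mirrors IOS.
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Optional, Tuple

Packet = Tuple[str, int, str, int]  # (src_ip, src_port, dst_ip, dst_port)


@dataclass
class AclEntry:
    action: str       # "permit" or "deny"
    source: str       # source match; IOS wildcard masks written as CIDR here

    def __post_init__(self):
        self.source = IPv4Network(self.source)


def acl_permits(acl: list, src: str) -> bool:
    """IOS semantics: the first matching line wins; an implicit deny ends every ACL."""
    ip = IPv4Address(src)
    for entry in acl:
        if ip in entry.source:
            return entry.action == "permit"
    return False


@dataclass
class NatRouter:
    acl: list                                    # ACL named by 'ip nat inside source list'
    pool: list                                   # inside-global addresses ('ip nat pool')
    overload: bool = False                       # True = PAT
    ports_per_ip: int = 64000                    # usable ports per global address (approximate)
    nat_inside: set = field(default_factory=lambda: {"Gi0/0"})   # 'ip nat inside'
    nat_outside: set = field(default_factory=lambda: {"Gi0/1"})  # 'ip nat outside'
    table: dict = field(default_factory=dict)    # (proto, local_ip, lport) -> (global_ip, gport)
    reverse: dict = field(default_factory=dict)  # (proto, global_ip, gport) -> (local_ip, lport)
    hits: int = 0
    misses: int = 0                              # packets with no usable translation (dropped)
    ip_map: dict = field(default_factory=dict)   # dynamic NAT: local_ip -> global_ip
    ports_used: dict = field(default_factory=dict)  # PAT: global_ip -> set of ports

    def _allocate(self, local_ip: str, lport: int) -> Optional[Tuple[str, int]]:
        if not self.overload:
            # Dynamic NAT: one pool address per inside host, port left unchanged.
            gip = self.ip_map.get(local_ip)
            if gip is None:
                free = [a for a in self.pool if a not in self.ip_map.values()]
                if not free:
                    return None                  # pool exhausted
                gip = free[0]
                self.ip_map[local_ip] = gip
            return gip, lport
        # PAT: every inside flow gets a unique port on a shared global address.
        for gip in self.pool:
            used = self.ports_used.setdefault(gip, set())
            if len(used) < self.ports_per_ip:
                gport = 1024 + len(used)         # simplified sequential allocator
                used.add(gport)
                return gip, gport
        return None                              # every port on every address in use

    def outbound(self, ingress_if: str, proto: str, src: str, sport: int,
                 dst: str, dport: int) -> Optional[Packet]:
        """Steps 1-6: inside host to outside. Returns the forwarded 4-tuple, or None if dropped."""
        if ingress_if not in self.nat_inside:
            return (src, sport, dst, dport)      # step 1 fails: forwarded untranslated
        if not acl_permits(self.acl, src):
            return (src, sport, dst, dport)      # step 2: ACL denies, forwarded untranslated
        key = (proto, src, sport)
        if key in self.table:
            self.hits += 1                       # step 3: existing translation
        else:
            alloc = self._allocate(src, sport)   # step 4: create one
            if alloc is None:
                self.misses += 1
                return None                      # no address/port available: dropped
            self.table[key] = alloc
            self.reverse[(proto,) + alloc] = (src, sport)
        gip, gport = self.table[key]
        return (gip, gport, dst, dport)          # steps 5-6: rewritten source, out via outside

    def inbound(self, ingress_if: str, proto: str, src: str, sport: int,
                dst: str, dport: int) -> Optional[Packet]:
        """Steps 7-9: return traffic on the outside interface, looked up by destination."""
        if ingress_if not in self.nat_outside:
            return (src, sport, dst, dport)
        entry = self.reverse.get((proto, dst, dport))
        if entry is None:
            self.misses += 1
            return None                          # step 9: no entry, packet dropped
        self.hits += 1
        local_ip, lport = entry
        return (src, sport, local_ip, lport)     # step 8: destination rewritten to inside host


def demo() -> Tuple[int, int]:
    """Two-address dynamic pool, three hosts: the third gets no translation and is dropped."""
    acl = [AclEntry("deny", "192.168.1.99/32"), AclEntry("permit", "192.168.1.0/24")]
    r = NatRouter(acl=acl, pool=["203.0.113.2", "203.0.113.3"])
    for host in (10, 11, 12):
        out = r.outbound("Gi0/0", "tcp", f"192.168.1.{host}", 40000 + host, "198.51.100.7", 80)
        print(f"192.168.1.{host} ->", out)
    return len(r.table), r.misses                # (2, 1)


if __name__ == "__main__":
    demo()
```

Setting `overload=True` with a small `ports_per_ip` reproduces PAT port exhaustion the same way; removing `Gi0/0` from `nat_inside` reproduces the "forgot ip nat inside" trap, where the packet is forwarded with its private source address and never appears in the table.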
Key Configuration Elements and Their Defaults
- `ip nat inside`: Applied to interfaces facing the private network.
- `ip nat outside`: Applied to interfaces facing the public network.
- `ip nat inside source list <acl> interface <interface> overload`: Enables PAT using the interface's IP.
- `ip nat inside source list <acl> pool <pool-name> overload`: Enables PAT using a pool of addresses.
- `ip nat pool <name> <start-ip> <end-ip> netmask <mask>`: Defines a pool of public addresses.
- `ip nat inside source static <local-ip> <global-ip>`: Creates a static one-to-one mapping.
- Default timeout for NAT translations: 24 hours for TCP, 5 minutes for UDP, 1 minute for ICMP.
- `ip nat translation timeout <seconds>`: Adjusts the timeout.
Common IOS CLI Verification Commands and Example Output
```
R1# show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- 203.0.113.2        192.168.1.10       ---                ---
```

This output shows a static NAT entry mapping 192.168.1.10 to 203.0.113.2. For dynamic PAT entries, the Pro column shows the protocol and each address column carries an address:port pair (inside global:port, inside local:port, outside local:port, outside global:port).
```
R1# show ip nat statistics
Total active translations: 1 (1 static, 0 dynamic, 0 extended)
Outside interfaces: GigabitEthernet0/1
Inside interfaces: GigabitEthernet0/0
Hits: 100  Misses: 0
CEF Translated packets: 100, CEF Punted packets: 0
Expired translations: 0
Dynamic mappings:
-- Inside Source
[Id] 1 access-list 100 pool MYPOOL refcount 0
 pool MYPOOL: netmask 255.255.255.0
        start 203.0.113.2 end 203.0.113.10
        type generic, total addresses 9, allocated 0 (0%), misses 0
```

This shows the pool, the ACL, and the hit/miss counters. A high miss count indicates packets are being dropped because no translation is available.
```
R1# debug ip nat
IP NAT debugging is on
R1#
*Mar 1 00:01:23.456: NAT: s=192.168.1.10->203.0.113.2, d=8.8.8.8 [0]
*Mar 1 00:01:23.456: NAT: s=8.8.8.8, d=203.0.113.2->192.168.1.10 [0]
```

Debug output shows the translation in real time. Use it with caution in production.
How NAT Interacts with Other Technologies
ACLs: The ACL used in ip nat inside source list determines which traffic is translated. If the ACL is too permissive, it may translate traffic that should not be translated. If too restrictive, some hosts will have no connectivity.
Routing: NAT changes the source IP, but routing must still work for the translated packet to reach its destination. A default route to the ISP is usually required.
Firewalls: NAT can interfere with firewall inspection. Many firewalls need to be aware of NAT to properly track sessions.
DNS: If internal servers are reachable via public IPs, DNS must return the correct IP (split DNS or DNS ALG).
Trap: Forgetting ip nat inside or ip nat outside
This is the number one NAT configuration error. If you forget to apply ip nat inside on the inside interface, the router will not even consider the packet for translation. The ACL might be perfect and the pool defined correctly, but the packet will pass through untranslated with its private source address. The symptom is that inside hosts cannot reach the outside. If static NAT is configured but the inside interface is not marked, the translation might not work in either direction, so outside hosts may lose access to the inside server as well.
Trap: Misordered ACL or Incorrect ACL Logic
The ACL used for dynamic NAT must permit only the traffic you want to translate. A common mistake is to use an ACL that permits all traffic (e.g., permit ip any any) but then also use overload – this works but can exhaust ports. Another mistake is to use an ACL that denies the traffic you want to translate (e.g., accidentally using deny instead of permit). The router will not translate denied traffic, breaking connectivity for those hosts.
Trap: NAT Pool Exhaustion
If the pool has fewer addresses than the number of simultaneous translations needed, some hosts will fail to get a translation. The router will drop packets for those hosts. The show ip nat statistics command will show a high misses count and allocated addresses at 100%.
Trap: Using the Wrong Interface in ip nat inside source
For PAT, you can use ip nat inside source list <acl> interface <interface> overload. If you specify the wrong interface (e.g., the inside interface), the router will use that interface's IP as the translated source, which is likely a private IP, defeating the purpose.
Trap: Static NAT with Overlapping Addresses
If you configure a static NAT that maps an inside local address to a global address that is also used by an outside host, traffic will be misrouted. For example, mapping 192.168.1.10 to 8.8.8.8 would cause the router to send traffic destined to 8.8.8.8 to the inside host.
Trap: Timeout Mismatch
If the NAT timeout is too short, active sessions may be dropped prematurely. If too long, the translation table may fill up with stale entries. Defaults are usually fine, but be aware of the values.
Trap: PAT and Applications that Embed IP Addresses
Some applications (e.g., FTP active mode, SIP) embed IP addresses in the payload. NAT by default does not inspect payloads, so these applications break. Cisco IOS includes NAT ALGs for some protocols (e.g., FTP, SIP) that can be enabled with ip nat service commands, but they are not always on by default. This is a common exam trap: they will present a scenario where FTP active mode fails after NAT, and you need to know why.
Summary of Exam-Relevant Commands
- `show ip nat translations` – View active translations.
- `show ip nat statistics` – View pool usage, hits/misses.
- `debug ip nat` – Real-time translation events.
- `clear ip nat translation *` – Clear all dynamic translations.
- `ip nat inside` and `ip nat outside` – Interface commands.
- `ip nat inside source list <acl> interface <int> overload` – PAT configuration.
- `ip nat pool` – Define a pool.
- `ip nat inside source static` – Static NAT.
Master these commands and the common traps, and you will be well prepared for the exam.
Verify Interface NAT Configuration
The first step in troubleshooting NAT is to check that the correct interfaces have `ip nat inside` and `ip nat outside` applied. Use `show running-config | include ip nat` or `show ip interface brief` and then check the specific interface configuration. A common mistake is to apply both commands to the same interface or to forget one entirely. For example, if the inside interface (GigabitEthernet0/0) is missing `ip nat inside`, the router will not translate packets from that interface. Verify each interface with `show running-config interface GigabitEthernet0/0` and look for the NAT keyword. If missing, enter interface configuration mode and add the command.
Inspect the NAT ACL
The ACL used in the `ip nat inside source list` command determines which traffic is translated. Use `show access-lists <acl-number>` to view the ACL entries. Ensure that the ACL permits the source IPs of the inside hosts that need translation. A common trap is an ACL that has a `deny` statement before a `permit`, or an ACL that permits all traffic but is accidentally applied to the wrong direction. Also check that the ACL is referenced correctly in the NAT configuration with `show running-config | include ip nat inside source list`. If the ACL is missing or incorrect, no translation will occur for the intended traffic.
Check NAT Translation Table
Use `show ip nat translations` to see the current translations. Look for entries that match the inside hosts. If you see no entries for a host that should be translated, the router is not creating translations. This could be due to the ACL not permitting the traffic, or the interface not being marked as inside. If you see entries but they are incomplete (e.g., missing outside local/global), the translation might be stuck. Also check the `show ip nat statistics` command to see the total active translations and the number of hits versus misses. A high miss count indicates packets are being dropped because no translation is available.
Verify Pool Configuration (Dynamic NAT)
If using dynamic NAT with a pool, use `show ip nat statistics` to see the pool details: start and end addresses, netmask, total addresses, and allocated count. Ensure the pool has enough addresses for the number of simultaneous translations. If the allocated count equals the total addresses, the pool is exhausted. Also verify the pool is correctly referenced in the NAT configuration. Use `show running-config | include ip nat pool` to see the pool definition. A common mistake is to define the pool with the wrong subnet mask or overlapping addresses with the inside network.
Test with Debug and Ping
Enable `debug ip nat` on the router (in a lab or maintenance window) and generate traffic from an inside host (e.g., ping to an outside destination). Observe the debug output to see if the router is attempting to translate the packet. Look for messages like `NAT: s=192.168.1.10->203.0.113.2`. If no translation attempt is seen, the issue is likely with the interface NAT markings or the ACL. If translation is attempted but fails, the debug may show `NAT: translation failed` or similar. Also use `ping` with extended options to test from the router itself, but remember that the router's own traffic is not subject to NAT unless specifically configured.
Check for PAT Port Exhaustion
When using PAT (overload), the router uses unique port numbers for each session. If the router runs out of available ports (typically 65,535 per IP, but many are reserved), new translations will fail. Use `show ip nat statistics` to see the number of extended translations (PAT entries). If the count is very high (close to 65,000), port exhaustion is likely. You can also use `show ip nat translations | count` to get a count. To resolve, either add more public IPs to the pool (if using pool-based PAT) or reduce the NAT timeout to free up ports faster.
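The checks in the steps above are usually done by eye against `show running-config`. The following Python script is an added example (not the page's or Cisco's code) that performs the first two steps mechanically over a running-config excerpt: it collects which interfaces carry `ip nat inside` and `ip nat outside`, which numbered ACLs and pools are defined, and what each `ip nat inside source list` line references, then reports the traps the chapter lists. Both config texts are constructed for the example; the "broken" one contains a missing `ip nat outside`, an ACL with only a `deny` line, an overload rule pointing at the inside interface, and references to an ACL and a pool that were never defined. The parser deliberately handles only the forms shown here (numbered ACLs, not named `ip access-list` blocks).

```python
# Added example (not the page's or Cisco's code): a small lint pass over an IOS
# running-config excerpt that flags the NAT traps the troubleshooting steps check
# by hand. Both config texts are constructed for this example; the parser handles
# only numbered ACLs, interface blocks, 'ip nat pool' and 'ip nat inside source list'.
import re

BROKEN_CONFIG = """\
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 ip address 203.0.113.1 255.255.255.252
!
access-list 1 deny 192.168.1.0 0.0.0.255
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip nat inside source list 100 pool MYPOOL overload
"""

FIXED_CONFIG = """\
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 ip address 203.0.113.1 255.255.255.252
 ip nat outside
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 permit ip 10.0.0.0 0.0.0.255 any
ip nat pool MYPOOL 203.0.113.2 203.0.113.10 netmask 255.255.255.0
ip nat inside source list 1 interface GigabitEthernet0/1 overload
ip nat inside source list 100 pool MYPOOL overload
"""

NAT_RULE = re.compile(r"ip nat inside source list (\S+) (interface|pool) (\S+)( overload)?$")
ACL_LINE = re.compile(r"access-list (\S+) (permit|deny)\b")
POOL_LINE = re.compile(r"ip nat pool (\S+)")


def parse_config(text: str) -> dict:
    """Collect the NAT-relevant facts: interface markings, ACL actions, pools, NAT rules."""
    cfg = {"inside": set(), "outside": set(), "acls": {}, "pools": set(), "rules": []}
    current_if = None
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith("interface "):
            current_if = line.split()[1]
        elif line.startswith(" ") and current_if:
            cmd = line.strip()
            if cmd == "ip nat inside":
                cfg["inside"].add(current_if)
            elif cmd == "ip nat outside":
                cfg["outside"].add(current_if)
        else:
            current_if = None  # '!' or a global command ends the interface block
            if m := ACL_LINE.match(line):
                cfg["acls"].setdefault(m.group(1), []).append(m.group(2))
            elif m := POOL_LINE.match(line):
                cfg["pools"].add(m.group(1))
            elif m := NAT_RULE.match(line):
                cfg["rules"].append({"acl": m.group(1), "kind": m.group(2),
                                     "target": m.group(3), "overload": bool(m.group(4))})
    return cfg


def lint_nat(cfg: dict) -> list:
    """Return one finding per trap found; an empty list means the checks pass."""
    findings = []
    if not cfg["inside"]:
        findings.append("no interface is marked 'ip nat inside'")
    if not cfg["outside"]:
        findings.append("no interface is marked 'ip nat outside'")
    for name in sorted(cfg["inside"] & cfg["outside"]):
        findings.append(f"{name} is marked both inside and outside")
    for rule in cfg["rules"]:
        acl = cfg["acls"].get(rule["acl"])
        if acl is None:
            findings.append(f"ACL {rule['acl']} is referenced by NAT but not defined")
        elif "permit" not in acl:
            findings.append(f"ACL {rule['acl']} has no permit line; nothing will be translated")
        if rule["kind"] == "interface" and rule["target"] not in cfg["outside"]:
            findings.append(f"overload uses {rule['target']}, which is not an 'ip nat outside' "
                            "interface (its address would become the translated source)")
        if rule["kind"] == "pool" and rule["target"] not in cfg["pools"]:
            findings.append(f"pool {rule['target']} is referenced but never defined")
    return findings


if __name__ == "__main__":
    for label, text in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, lint_nat(parse_config(text)) or "OK")
```

Feeding it the output of `show running-config` saved to a file reproduces the manual steps without relying on the engineer remembering to look at the interface configuration first, which is exactly where the chapter's real-world incident lost its hours.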
In a typical enterprise network, NAT is used to allow hundreds or thousands of internal users to access the internet using a small number of public IP addresses. For example, a company with 500 employees might have a /28 subnet (14 usable public IPs) from their ISP. The network engineer configures PAT on the border router to map all internal traffic to one or more of these public IPs.
Scenario 1: Small Office with Single Public IP
A small office has a single public IP address on their WAN interface. The engineer configures ip nat inside source list 1 interface GigabitEthernet0/1 overload and applies ip nat inside on the LAN interface and ip nat outside on the WAN interface. The ACL 1 permits all internal subnets. This works fine until the company adds a VPN server that must be reachable from the internet. The engineer then adds a static NAT entry for the VPN server's private IP to the same public IP but with a different port (port forwarding). A common mistake is to forget to add the static NAT before the dynamic PAT, causing the VPN traffic to be handled by PAT instead of static NAT. The fix is to ensure static NAT entries are configured before dynamic NAT in the configuration.
Scenario 2: Large Enterprise with NAT Pool
A larger company has a pool of 10 public IPs. They configure dynamic NAT with a pool and use an ACL that permits only certain subnets (e.g., employees, not guests). A misconfiguration trap occurs when an engineer adds a new subnet to the ACL but accidentally places the permit statement after a deny any statement. The new subnet is denied, and users in that subnet cannot access the internet. The symptom is that some users work, others don't. The engineer must examine the ACL order and reorder or add the permit statement before the deny.
Scenario 3: NAT and VoIP
Voice over IP (VoIP) phones often use SIP, which embeds IP addresses in the packet payload. Standard NAT does not translate these embedded addresses, causing one-way audio or call failure. The engineer must enable SIP ALG on the router with ip nat service sip or use a session border controller. On the CCNA exam, this scenario appears as a troubleshooting question where VoIP calls fail after NAT is implemented. The candidate must identify that the issue is related to NAT and application-layer protocols.
Performance Considerations
NAT adds processing overhead because the router must rewrite IP headers and checksums for every packet. On high-speed links, this can become a bottleneck. Cisco routers use Cisco Express Forwarding (CEF) to accelerate NAT, but it still consumes CPU. In production, engineers monitor CPU utilization and may offload NAT to a dedicated firewall or use NAT64 for IPv6 transition. For the exam, know that NAT can impact performance and that the show ip nat statistics command includes CEF translation counters.
What Happens When Misconfigured
A misconfigured NAT can cause complete loss of internet access for some or all users, asymmetric routing (if only one direction is translated), or security vulnerabilities (if internal IPs are exposed). In one real-world incident, a network engineer forgot to apply ip nat inside on a new VLAN interface, causing all users in that VLAN to lose internet access. The fix took only a minute once the issue was identified, but the troubleshooting took hours because the engineer didn't check the interface configuration first.
Understanding these real-world scenarios helps you think like an engineer and answer exam questions that describe similar situations.
The CCNA 200-301 exam tests NAT configuration and troubleshooting under Objective 4.1. You will encounter multiple-choice questions, simulation questions (using Packet Tracer or similar), and possibly drag-and-drop. The exam focuses on identifying configuration errors and understanding the effect of each command.
Exactly What the Exam Tests
- The difference between static NAT, dynamic NAT, and PAT.
- The correct placement of ip nat inside and ip nat outside.
- How ACLs control which traffic is translated.
- The impact of pool exhaustion and port exhaustion.
- The default timeouts for TCP, UDP, and ICMP.
- Troubleshooting steps using show ip nat translations and show ip nat statistics.
Common Wrong Answers and Why Candidates Choose Them
1. Wrong Answer: 'The ACL is applied to the wrong interface.' Why chosen: Candidates confuse NAT ACLs with interface ACLs. NAT ACLs are not applied to interfaces; they are referenced by the NAT configuration. The correct answer is that the ACL is missing a permit statement for the source network.
2. Wrong Answer: 'The ip nat inside source command is missing the overload keyword.' Why chosen: Candidates think that PAT requires the overload keyword, but dynamic NAT without overload also works (one-to-one mapping). The exam may present a scenario where overload is needed because there are more inside hosts than pool addresses. The correct answer depends on the pool size.
3. Wrong Answer: 'The router needs a default route to the ISP.' Why chosen: While a default route is necessary for internet connectivity, it is not a NAT issue. The exam question will specifically ask about NAT configuration errors, not routing. Candidates must focus on NAT-specific commands.
4. Wrong Answer: 'The NAT translation timeout is too short.' Why chosen: This is a valid issue but less common. The exam often tests more fundamental errors like missing interface commands or ACL misconfiguration. Candidates should check the most obvious first.
Specific Values and Command Outputs
- Default NAT timeouts: TCP 24 hours, UDP 5 minutes, ICMP 1 minute.
- show ip nat statistics output includes 'Hits' and 'Misses'. A high miss count indicates translation failures.
- show ip nat translations shows 'Inside global', 'Inside local', 'Outside local', 'Outside global'. For PAT, the protocol and port numbers are shown.
- The command clear ip nat translation * clears all dynamic translations.
Decision Rule for Scenario Questions
When given a scenario where some inside hosts can access the internet but others cannot, follow this decision tree:
1. Are the interfaces correctly marked? (show running-config | include ip nat)
2. Is the ACL permitting the affected hosts? (show access-lists)
3. Is the NAT pool exhausted? (show ip nat statistics – check allocated vs total)
4. Are there any static NAT entries conflicting? (show ip nat translations)
5. Are the timeouts appropriate? (Less likely, but check if sessions drop after idle time)
By systematically applying this decision rule, you can eliminate wrong answers and identify the correct misconfiguration.
Calculation Traps
- When calculating the number of usable translations in a PAT scenario, remember that each public IP provides up to 65,535 ports, but many ports are reserved (0-1023). The exam may ask how many simultaneous connections are possible with a given number of public IPs. Multiply the number of IPs by ~64,000 (approximate usable ports) to get an estimate.
- For dynamic NAT without overload, the number of simultaneous translations is limited to the number of addresses in the pool. If the pool has 5 addresses, only 5 inside hosts can be translated at once.
Mastering these exam-specific details will help you answer NAT questions confidently.
- Always verify `ip nat inside` and `ip nat outside` are applied on the correct interfaces.
- The ACL in `ip nat inside source list` must permit the source IPs of traffic to be translated.
- Use `show ip nat statistics` to check for pool exhaustion (allocated = total) and high miss counts.
- Default NAT timeouts: TCP 24 hours, UDP 5 minutes, ICMP 1 minute.
- PAT uses port numbers to multiplex many inside hosts to a single public IP.
- Static NAT entries take precedence over dynamic entries.
- The command `clear ip nat translation *` clears all dynamic translations.
These come up on the exam all the time. Here's how to tell them apart.
Static NAT
- One-to-one fixed mapping between local and global IP.
- Requires one public IP per inside host.
- Used for servers that must be reachable from outside.
- Configuration: `ip nat inside source static local-ip global-ip`.
- Translation remains until manually removed.
Dynamic NAT with PAT
- Many-to-one mapping using port numbers.
- Many inside hosts share one or more public IPs.
- Used for general internet access for clients.
- Configuration: `ip nat inside source list <acl> interface <int> overload`.
- Translations are created dynamically and time out.
Mistake
NAT automatically translates all traffic on the inside interface.
Correct
NAT only translates traffic that matches an ACL referenced in the `ip nat inside source` command. Without an ACL, no translation occurs.
Candidates assume NAT is like a firewall that inspects all traffic, but it requires explicit configuration.
Mistake
The `ip nat inside` and `ip nat outside` commands are optional.
Correct
These commands are mandatory. Without them, the router does not know which interfaces are inside and outside, and translation will not occur.
Candidates often skip these commands in labs and wonder why NAT doesn't work.
Mistake
Dynamic NAT and PAT are the same thing.
Correct
Dynamic NAT maps inside addresses to a pool of global addresses one-to-one. PAT (overload) maps many inside addresses to a single global address using unique port numbers.
Both are dynamic, but PAT uses port multiplexing. The exam tests the distinction.
Mistake
NAT translates both source and destination IP addresses in the same packet.
Correct
NAT typically translates only the source IP for outbound packets and only the destination IP for inbound packets. It does not translate both in the same direction.
Candidates confuse NAT with a full proxy. Understanding the one-way translation is key.
`ip nat inside source` translates the source IP of packets coming from the inside interface. `ip nat outside source` translates the source IP of packets coming from the outside interface (used for overlapping networks). For the CCNA exam, focus on inside source NAT. Outside source NAT is less common but can appear in questions about VPN or merging networks.
FTP active mode uses two connections: one for control (port 21) and one for data (port 20). The data connection is initiated by the server to the client using the client's IP address as reported in the control connection. NAT changes the client's IP, but the FTP control message still contains the original private IP. The server tries to connect to that private IP, which fails. FTP passive mode (PASV) avoids this because the client initiates both connections. Cisco IOS includes an FTP ALG that can be enabled, but it is not on by default.
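The FTP PORT command is a good place to see the problem in bytes. The script below is an added example, not code from the page or from Cisco IOS's ALG: it decodes a PORT command into the address and port the client is advertising, shows that after plain NAT the payload still names a private address (which is why the server's data connection fails), and models the rewrite an FTP ALG performs on the control channel. The sample command `PORT 192,168,1,10,4,1`, the inside-global address 203.0.113.2, and the port the ALG substitutes are all constructed for the example; the port encoding `p1*256 + p2` is the one RFC 959 specifies.

```python
# Added example (not from the page or Cisco IOS): what the FTP PORT command
# carries, why it breaks behind NAT, and the rewrite an FTP ALG performs.
# Sample command, addresses and ports are constructed for this example.
import re
from ipaddress import IPv4Address
from typing import Tuple

PORT_CMD = re.compile(r"PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_port_command(line: str) -> Tuple[str, int]:
    """Decode 'PORT h1,h2,h3,h4,p1,p2' into (ip, port); port = p1*256 + p2 per RFC 959."""
    m = PORT_CMD.fullmatch(line.strip())
    if m is None:
        raise ValueError(f"not a PORT command: {line!r}")
    fields = [int(x) for x in m.groups()]
    if any(x > 255 for x in fields):
        raise ValueError("PORT fields must be 0-255")
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def format_port_command(ip: str, port: int) -> str:
    """Inverse of parse_port_command."""
    return "PORT " + ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


def leaks_private_address(line: str) -> bool:
    """True when the payload still tells the server to connect to a private address,
    i.e. the IP header was translated but the embedded address was not."""
    ip, _ = parse_port_command(line)
    return IPv4Address(ip).is_private


def ftp_alg_rewrite(line: str, inside_local: str, inside_global: str, global_port: int) -> str:
    """Model of the ALG step: if the embedded address is the translated inside host,
    replace it with the inside-global address and the port NAT assigned for the data
    connection. Any other PORT command passes through unchanged."""
    ip, _ = parse_port_command(line)
    if ip != inside_local:
        return line
    return format_port_command(inside_global, global_port)


if __name__ == "__main__":
    cmd = "PORT 192,168,1,10,4,1"                  # client 192.168.1.10, data port 1025
    print(parse_port_command(cmd), "private address in payload:", leaks_private_address(cmd))
    print(ftp_alg_rewrite(cmd, "192.168.1.10", "203.0.113.2", 1026))   # PORT 203,0,113,2,4,2
```

Without the rewrite, the server receives `PORT 192,168,1,10,4,1` and tries to open its data connection to 192.168.1.10:1025, an address that is not routable from the outside; with it, the server connects to 203.0.113.2:1026 and the router's translation table carries that connection back to the client.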
Use the command `clear ip nat translation *` in privileged EXEC mode. This removes all dynamic entries but leaves static entries intact. You can also clear specific entries with `clear ip nat translation inside global-ip local-ip outside local-ip global-ip`.
The default timeout for UDP is 5 minutes. For TCP, it is 24 hours. For ICMP, it is 1 minute. You can change these with the `ip nat translation timeout` command. On the exam, know these defaults and that they can be adjusted.
Yes, you can use the same ACL, but be careful. The ACL used for NAT should only contain permit statements for traffic to be translated. If you also use it for a firewall filter, you might inadvertently block traffic. It's better to use separate ACLs to avoid confusion.
The `overload` keyword enables Port Address Translation (PAT). Without it, the command would perform dynamic NAT without overload, meaning each inside host would need a unique public IP from a pool. With overload, many inside hosts can share a single public IP by using unique port numbers.
Use an ACL that permits only the specific hosts. For example, `access-list 10 permit host 192.168.1.10` then `ip nat inside source list 10 interface GigabitEthernet0/1 overload`. Only the host with IP 192.168.1.10 will be translated. All other traffic will pass through untranslated.