NAT and PAT are fundamental to modern networking, enabling private IP addresses to communicate with the public internet. For the CCNA 200-301 exam (objective 4.1), you must understand configuration, verification, and troubleshooting of static NAT, dynamic NAT, and PAT (overload). This lab walks through a real-world scenario to build and verify these translations, preparing you for both the exam and real network engineering.
Imagine a large office building where every employee has an internal desk number (private IP). The building has one street address (public IP) for receiving mail. The mailroom is your NAT router. When an employee sends a letter to the outside world, the mailroom replaces the sender's desk number with the building's street address, but also notes the employee's name and desk number in a log (NAT table). When a reply comes back addressed to the building, the mailroom checks the log to see which employee it's for and delivers it to the correct desk. This is static or dynamic NAT—each employee gets a unique temporary or permanent external identity.
Now, imagine the building has only one street address but hundreds of employees. The mailroom can't give each employee a unique external address. So, the mailroom uses PAT: it assigns each outgoing letter a different 'return port' (like a post office box number), and records the employee's desk number along with that port. When replies come in, the mailroom looks at the destination port to identify which employee gets the letter. This allows many employees to share the single street address simultaneously. The mailroom must keep careful track so that replies don't get misdelivered—if two employees use the same port, chaos ensues. In networking, PAT uses source ports to multiplex thousands of private IPs to a single public IP.
What is NAT and PAT?
Network Address Translation (NAT) is a method of remapping one IP address space into another by modifying network address information in the IP header of packets while they are in transit. Port Address Translation (PAT), also known as NAT overload, is a variant that maps multiple private IP addresses to a single public IP address by differentiating traffic based on port numbers. The primary reasons for using NAT/PAT are:
- Conserving public IPv4 addresses: Private IP addresses (RFC 1918: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) can be reused internally, and only a few public IPs are needed for internet access.
- Security: Hides internal IP structures from external networks, though it is not a firewall.
- Network migration: Allows changing ISPs or merging networks without re-addressing all devices.
How NAT Works Step by Step
Consider a host with private IP 192.168.1.10 sending a packet to a web server at 8.8.8.8 (Google DNS). The packet has source IP 192.168.1.10, source port 12345, destination IP 8.8.8.8, destination port 80. The router with NAT configured receives the packet on its inside interface (e.g., GigabitEthernet0/0) and checks its NAT table. For dynamic NAT with overload (PAT):
The router sees that the source IP 192.168.1.10 is not in the NAT table.
It selects an available public IP from the NAT pool (e.g., 203.0.113.1) and assigns a unique source port (e.g., 54321).
It creates an entry in the NAT table: inside local (192.168.1.10:12345) <-> inside global (203.0.113.1:54321).
The router rewrites the source IP and port to 203.0.113.1:54321 and forwards the packet out the outside interface (e.g., GigabitEthernet0/1).
When the reply packet arrives (source 8.8.8.8:80, destination 203.0.113.1:54321), the router looks up the destination port 54321 in the NAT table.
It finds the corresponding inside local address (192.168.1.10:12345) and rewrites the destination IP and port.
The packet is forwarded to the inside host.
For static NAT, the mapping is 1:1 and manually configured. The router always translates a specific inside local IP to a specific inside global IP, regardless of port. No port translation occurs.
Key States, Timers, and Defaults
NAT translation timeout: By default, for TCP, the timeout is 24 hours (86400 seconds) after the last packet. For UDP, it's 5 minutes (300 seconds). For ICMP, it's 1 minute (60 seconds). These can be adjusted with `ip nat translation timeout` and the per-protocol variants such as `ip nat translation udp-timeout`.
NAT entries: Can be simple (no port translation) for static NAT or extended (with port) for PAT. The router maintains up to thousands of entries depending on hardware.
Max number of NAT translations: Varies by platform; Cisco IOS default is platform-specific but often 3000+.
NAT pool: Defines a range of public IPs for dynamic NAT. PAT can use a single IP or a pool.
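As an added illustration of the step-by-step walkthrough and the timeout defaults above (example code written for this page, not IOS code or anything from the original lab), the following Python models one PAT table: the ACL match, port allocation, forward and reverse rewriting, per-protocol idle expiry, the hit/miss counters and what happens when the port range is exhausted. The `Packet` and `PatRouter` names and the rule of keeping the original source port when it is free are my own assumptions; the real IOS allocator differs in detail.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

DEFAULT_TIMEOUTS = {"tcp": 86400, "udp": 300, "icmp": 60}  # IOS defaults quoted above

@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp" or "icmp"
    src: tuple   # (ip, port); for ICMP the "port" stands in for the query ID
    dst: tuple

class PatRouter:  # models 'ip nat inside source list <acl> interface <int> overload'
    def __init__(self, acl_network, outside_ip, ports=range(1024, 65536)):
        self.acl = ip_network(acl_network)  # what 'access-list 1 permit ...' matches
        self.outside_ip = outside_ip        # inside global address (the G0/1 IP)
        self.ports = ports                  # pass a tiny range to demonstrate exhaustion
        self.table = {}                     # (proto, inside_global) -> [inside_local, last_seen]
        self.hits = self.misses = 0         # the counters 'show ip nat statistics' reports

    def _expire(self, now):  # idle entries age out per protocol, as on a real router
        for key, (_, last_seen) in list(self.table.items()):
            if now - last_seen > DEFAULT_TIMEOUTS[key[0]]:
                del self.table[key]

    def _allocate(self, proto, wanted):  # keep the source port when free, else next free
        used = {glob[1] for (p, glob) in self.table if p == proto}
        if wanted in self.ports and wanted not in used:
            return wanted
        return next((p for p in self.ports if p not in used), None)  # None: exhausted

    def outbound(self, pkt, now):  # inside -> outside: rewrite source ip:port
        self._expire(now)
        if ip_address(pkt.src[0]) not in self.acl:
            return pkt  # not matched by the ACL: forwarded untranslated
        for (proto, glob), entry in self.table.items():
            if proto == pkt.proto and entry[0] == pkt.src:
                self.hits += 1  # existing translation reused
                entry[1] = now
                return Packet(pkt.proto, glob, pkt.dst)
        self.misses += 1  # no entry yet: create an extended (ip:port) entry
        port = self._allocate(pkt.proto, pkt.src[1])
        if port is None:
            return None  # PAT table full for this protocol: packet dropped
        glob = (self.outside_ip, port)
        self.table[(pkt.proto, glob)] = [pkt.src, now]
        return Packet(pkt.proto, glob, pkt.dst)

    def inbound(self, pkt, now):  # outside -> inside: look up destination ip:port
        self._expire(now)
        entry = self.table.get((pkt.proto, pkt.dst))
        if entry is None:
            return None  # unsolicited or expired: nothing to translate back to
        entry[1] = now
        return Packet(pkt.proto, pkt.src, entry[0])
```

With `ports=range(54321, 54323)` the first flow from 192.168.1.10:12345 is translated to 203.0.113.1:54321 exactly as in the walkthrough, a second host gets 54322, and a third flow is dropped because the constructed range is exhausted.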
IOS CLI Verification Commands with Example Output
To verify NAT translations:
```
Router# show ip nat translations
Pro Inside global        Inside local         Outside local    Outside global
--- 203.0.113.1          192.168.1.10         ---              ---
```

This shows a static translation (no protocol). For PAT, you'll see:

```
Router# show ip nat translations
Pro Inside global        Inside local         Outside local    Outside global
tcp 203.0.113.1:54321    192.168.1.10:12345   8.8.8.8:80       8.8.8.8:80
```

To see statistics:

```
Router# show ip nat statistics
Total active translations: 5 (1 static, 4 dynamic; 4 extended)
Outside interfaces: GigabitEthernet0/1
Inside interfaces: GigabitEthernet0/0
Hits: 100  Misses: 0
Expired translations: 20
Dynamic mappings:
-- Inside Source
[Id] ip nat pool POOL1 203.0.113.1 203.0.113.10 netmask 255.255.255.240
   refcount 4
   total 10, used 4, extra 6
   Start 203.0.113.1, end 203.0.113.10
   type: match host, use: dynamic, outside: False
access-list ACL_NAT refcount 4
```

To clear translations:

```
Router# clear ip nat translation *
```

To clear a specific entry:

```
Router# clear ip nat translation inside 192.168.1.10 12345 8.8.8.8 80
```

How NAT Interacts with Related Protocols
ACLs: Used to identify which inside traffic should be translated. The ACL is referenced from the global NAT rule, `ip nat inside source list <acl> pool <pool>` (or `ip nat inside source list <acl> interface <int> overload`); it is not applied to the inside interface itself.
Routing: NAT changes the source/destination IP, but routing is still based on the original destination IP (before translation). The router must have a route to the destination.
DNS: If a host inside wants to reach an external server by name, DNS queries are sent to an external DNS server. The NAT device must translate the query and response correctly. For inbound traffic (e.g., a web server inside), you may need static NAT or port forwarding.
VPN: NAT can interfere with VPN protocols (ESP, IKE). Use NAT traversal (NAT-T) or avoid NAT for VPN traffic.
Firewalls: Often integrated with NAT; stateful firewalls track connections similar to NAT entries.
Design the NAT Topology
For this lab, assume a simple topology: a PC (192.168.1.10/24) connected to a router's inside interface (G0/0, 192.168.1.1/24), and the router's outside interface (G0/1, 203.0.113.1/30) connected to an ISP router representing the internet. The goal: configure PAT so the PC can access a web server at 8.8.8.8. First, ensure basic connectivity: configure IP addresses on interfaces, enable routing (default route), and test with ping. For PAT, we need an ACL to define interesting traffic (traffic to be translated) and a NAT pool (optional if using a single IP). We'll use the outside interface IP for PAT.
Configure Inside and Outside Interfaces
On the router, assign the inside interface and outside interface. Inside interface: `interface GigabitEthernet0/0`, `ip address 192.168.1.1 255.255.255.0`, `ip nat inside`. Outside interface: `interface GigabitEthernet0/1`, `ip address 203.0.113.1 255.255.255.252`, `ip nat outside`. The `ip nat inside` and `ip nat outside` commands mark the interfaces for NAT processing. Without these, NAT will not be applied even if translation rules exist.
Define an ACL for NAT Traffic
Create a standard ACL to match traffic from the inside network that should be translated. For example: `access-list 1 permit 192.168.1.0 0.0.0.255`. This ACL permits all traffic from the 192.168.1.0/24 subnet. Only traffic matching the ACL will be considered for NAT. If you omit the ACL, no traffic is translated. The ACL is applied in the NAT configuration, not to an interface.
Configure PAT (NAT Overload)
Use the command: `ip nat inside source list 1 interface GigabitEthernet0/1 overload`. This tells the router to translate packets matching ACL 1 using the IP address of the outside interface (G0/1) as the inside global address, and to overload (PAT) so multiple inside hosts share that IP. The keyword `overload` enables port translation. Without `overload`, it would be dynamic NAT (one-to-one) and require a pool with enough IPs.
Add a Default Route and Test Connectivity
Configure a default route pointing to the ISP router: `ip route 0.0.0.0 0.0.0.0 203.0.113.2`. This ensures traffic to the internet is forwarded out the outside interface. From the PC, ping 8.8.8.8. If successful, check NAT translations: `show ip nat translations`. You should see an extended entry with the PC's inside local IP/port and the translated inside global IP/port. Also verify with `show ip nat statistics` to see hits incrementing.
Verify NAT Operation with Debug
For deeper verification, use `debug ip nat` (caution: can be verbose). Example output: `NAT: s=192.168.1.10->203.0.113.1, d=8.8.8.8 [0]` shows translation of source. `NAT*: s=8.8.8.8, d=203.0.113.1->192.168.1.10 [1]` shows the reverse translation (asterisk indicates packet is fast-switched). Use `undebug all` when done. This helps confirm that translation occurs and that return traffic is correctly mapped.
In enterprise networks, NAT/PAT is ubiquitous for internet access. A typical scenario: a company with 500 employees using RFC 1918 addresses (10.0.0.0/8) has only a few public IPs from their ISP. The border router is configured with PAT to allow all 500 users to browse the web simultaneously. The NAT configuration uses an ACL to match inside traffic and the outside interface IP (or a small pool) with overload. The network engineer must ensure that the NAT table does not overflow; a single public IP can support roughly 65,535 ports per protocol (TCP/UDP) minus reserved ports, but practical limits are lower due to timeouts and application behavior. For example, many web browsers open multiple connections, consuming ports rapidly. Engineers often increase the NAT translation timeout for UDP to 10 minutes to reduce table churn.
Another scenario: hosting a public web server inside the private network. This requires static NAT (or port forwarding) to map a public IP (e.g., 203.0.113.5) to the internal server (10.0.1.100). The configuration: `ip nat inside source static tcp 10.0.1.100 80 203.0.113.5 80`. The engineer must also configure a security policy (ACL) on the outside interface to permit inbound traffic to the public IP. Without proper ACLs, the server is unreachable even with static NAT.
A common misconfiguration: forgetting to apply `ip nat inside` and `ip nat outside` on interfaces. Without these, no translation occurs. Another: using an ACL that does not match the traffic (e.g., wrong source network). Engineers use `show ip nat statistics` to check if hits are incrementing; if hits stay zero, the ACL or interface marking is wrong. Performance-wise, NAT adds processing overhead; high-throughput networks may use dedicated hardware or avoid NAT with IPv6. But for CCNA, you must know how to configure and troubleshoot basic NAT/PAT.
The CCNA 200-301 exam tests NAT/PAT under objective 4.1 'Configure and verify NAT/PAT'. You must be able to interpret show commands, identify correct configurations, and troubleshoot why translation fails. Common wrong answers include:
1. Confusing static NAT with dynamic NAT: Static NAT is a permanent 1:1 mapping; dynamic NAT assigns from a pool and times out. On the exam, if a question says 'permanent mapping for a server', it is static NAT.
2. Forgetting the overload keyword: PAT requires `overload`; without it, the router does one-to-one translation and may run out of addresses. A question may show a config with `ip nat inside source list 1 pool MY_POOL` and ask why only some users can get online. The answer: no `overload`, so only as many users as pool IPs can translate.
3. Misplacing inside/outside: The inside interface is where private hosts reside; outside is where the public network is. If interfaces are reversed, translation fails. The exam may show a config with `ip nat inside` on the WAN interface and expect you to spot the error.
4. Ignoring the ACL: The ACL must permit the source network. A common trap: using `access-list 1 permit any`, which works but is less secure; or using an ACL with the wrong wildcard mask. Show commands like `show access-lists` can verify matches.
Specific values to memorize: default timeouts (TCP 24 hours, UDP 5 minutes, ICMP 1 minute). The command `clear ip nat translation *` clears all dynamic entries. `show ip nat translations` shows active entries; `show ip nat statistics` shows hits/misses. A 'miss' indicates a packet that needed translation but no matching entry was found (and no dynamic translation possible).
For scenario questions: If a host can ping an outside IP but not a domain name, the issue is DNS, not NAT. If some hosts work but others don't, check the ACL. If all hosts fail, check interface marking and the default route. Use elimination: if the config has `ip nat inside source list 1 interface Serial0/0/0 overload` and the interface has no IP, translation fails. The exam expects you to identify such errors.
NAT translates private IPs to public IPs; PAT uses port numbers to multiplex many private IPs to one public IP.
Three types: static NAT (1:1 manual), dynamic NAT (pool, 1:1 automatic), PAT (overload, many:1).
Default timeouts: TCP 24 hours, UDP 5 minutes, ICMP 1 minute.
Commands: `ip nat inside`, `ip nat outside` on interfaces; `ip nat inside source list <acl> interface <int> overload` for PAT.
Verification: `show ip nat translations`, `show ip nat statistics`, `debug ip nat`.
Troubleshooting: check interface markings, ACL matches, default route, and NAT pool exhaustion.
Static NAT is used for inbound access to internal servers (e.g., web server).
These come up on the exam all the time. Here's how to tell them apart.
Static NAT
One-to-one mapping, manually configured.
Permanent until removed.
Used for inbound access to internal servers.
No port translation.
Requires a public IP for each internal host.
Configuration: `ip nat inside source static <inside-local> <inside-global>`
Dynamic NAT (with PAT/Overload)
Many-to-one mapping using port numbers.
Entries time out after inactivity.
Used for outbound internet access for many hosts.
Uses port translation (PAT).
Shares a single public IP (or pool) among many hosts.
Configuration: `ip nat inside source list <acl> interface <int> overload`
Mistake
NAT provides security like a firewall.
Correct
NAT is not a security feature; it only translates addresses. It can provide a degree of obscurity but does not inspect packets or block attacks. A firewall is needed for security.
Candidates often think hiding internal IPs equals security, but NAT does not filter traffic.
Mistake
PAT uses a different public IP for each session.
Correct
PAT uses the same public IP for all sessions but different source ports. The combination of public IP and port uniquely identifies each session.
The term 'overload' may confuse candidates into thinking multiple IPs are used.
Mistake
Dynamic NAT and PAT are the same thing.
Correct
Dynamic NAT maps one private IP to one public IP from a pool (no port translation). PAT maps many private IPs to one public IP using port numbers. They are configured differently (overload vs. pool without overload).
Both are dynamic, but PAT is a specific type of dynamic NAT.
Mistake
The `ip nat inside source` command is applied to the inside interface.
Correct
It is a global configuration command, not applied to an interface. The interface is marked with `ip nat inside` or `ip nat outside` to indicate direction.
Many candidates apply the translation rule under the interface, which is incorrect.
NAT (Network Address Translation) is a broad term for translating IP addresses. PAT (Port Address Translation) is a specific type of NAT that also translates port numbers, allowing many private IPs to share a single public IP. In Cisco IOS, PAT is configured with the `overload` keyword. For CCNA, remember: NAT can be static (1:1) or dynamic (pool), while PAT is always dynamic and uses port numbers.
First, mark interfaces: `interface G0/0`, `ip nat inside`; `interface G0/1`, `ip nat outside`. Then create an ACL to match inside traffic: `access-list 1 permit 192.168.1.0 0.0.0.255`. Finally, apply PAT: `ip nat inside source list 1 interface GigabitEthernet0/1 overload`. Replace the interface with your outside interface. Verify with `show ip nat translations` and `show ip nat statistics`.
Common causes: (1) Interfaces not marked with `ip nat inside` and `ip nat outside`. (2) ACL not matching traffic (check with `show access-lists`). (3) No default route to the internet. (4) NAT pool exhausted (if using pool without overload). (5) Firewall ACL blocking traffic. Use `debug ip nat` to see if packets are being translated. Also check `show ip nat statistics` for hits vs misses.
TCP: 24 hours (86400 seconds). UDP: 5 minutes (300 seconds). ICMP: 1 minute (60 seconds). These can be changed with `ip nat translation timeout <seconds>` globally, or per protocol with variants such as `ip nat translation udp-timeout <seconds>`. For the exam, remember these values.
Yes. Static NAT entries are permanent and take precedence for matching traffic. PAT handles dynamic translations for other traffic. For example, a static mapping for a web server (port 80) can coexist with PAT for outbound user traffic. The router checks static entries first.
The `overload` keyword enables Port Address Translation (PAT). Without it, the router performs dynamic NAT (one-to-one mapping from a pool). With `overload`, multiple inside hosts can share a single public IP by using unique source ports. This conserves public IP addresses.
Use `clear ip nat translation inside <local-ip> <local-port> <outside-ip> <outside-port>` for an extended entry. For a simple entry, use `clear ip nat translation <inside-global-ip>`. To clear all dynamic entries, use `clear ip nat translation *`. Static entries are not cleared.