CCNA 200-301 | Chapter 74 of 260 | Objective 4.1

NAT Types — Static, Dynamic, and PAT

NAT (Network Address Translation) is a fundamental IP service that allows private IP addresses to communicate with public networks by translating them to public addresses. On the CCNA 200-301 exam, objective 4.1 requires you to configure, verify, and troubleshoot NAT types — Static NAT, Dynamic NAT, and PAT (Port Address Translation). Mastering these concepts is critical because NAT is ubiquitous in enterprise and home networks, conserving public IPv4 address space and providing a basic layer of security. This chapter will give you the technical depth to configure NAT on Cisco IOS routers, interpret show commands, and avoid common exam traps.

25 min read
Intermediate
Updated May 31, 2026

The Apartment Mail Room Clerk

Imagine a large apartment building with 1000 residents, but only one street address: 123 Main Street. The building has a mail room clerk whose job is to manage incoming and outgoing packages. When a resident (private IP) wants to send a package to the outside world (the internet), they bring it to the clerk. The clerk writes the resident's apartment number (private IP) and a unique package ID (source port) on a log sheet (NAT table). Then the clerk puts the building's street address (public IP) and a new package ID (translated port) on the box and sends it out. When a reply comes back addressed to 123 Main Street with that package ID, the clerk checks the log sheet to find the original apartment number and delivers it to the correct resident. This is exactly how PAT works — it uses port numbers to multiplex many private addresses behind a single public IP. If the clerk only had a fixed mapping for certain residents (e.g., apartment 201 always gets outgoing packages with a specific package ID), that's Static NAT. If the clerk had a pool of street addresses (e.g., 123 Main Street and 124 Main Street) and assigned them on a first-come, first-served basis, that's Dynamic NAT. The key is that the clerk must keep accurate logs, and if the log overflows (exhausts port numbers), new packages are dropped — just like a router dropping packets when NAT resources are exhausted.

How It Actually Works

What is NAT and Why Does It Exist?

NAT (Network Address Translation) is a method used by routers to modify IP address information in packet headers while in transit. Its primary purpose is to allow devices with private IP addresses (RFC 1918: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) to access the public internet. Without NAT, every device would need a globally unique public IPv4 address, which is impossible due to IPv4 address exhaustion. NAT also provides a basic layer of security by hiding internal IP addresses from external networks.

Static NAT

Static NAT creates a one-to-one mapping between a private IP address and a public IP address. This mapping is configured manually and remains constant. It is typically used for servers that need to be accessible from the internet (e.g., a web server at 192.168.1.10 mapped to 203.0.113.10).

How it works:
- When a packet from the inside host (192.168.1.10) destined for the internet arrives at the router's inside interface, the router replaces the source IP with the static public IP (203.0.113.10).
- For return traffic, the router sees the destination IP 203.0.113.10 and translates it back to 192.168.1.10.
- The translation is permanent and does not time out.

Configuration:

! Define the mapping between inside local and inside global
ip nat inside source static 192.168.1.10 203.0.113.10
!
! Configure interfaces
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 ip address 203.0.113.1 255.255.255.0
 ip nat outside

Verification:

R1# show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- 203.0.113.10       192.168.1.10       ---                ---

Dynamic NAT

Dynamic NAT maps a private IP address to a public IP address from a pool of public addresses on a first-come, first-served basis. The mapping is temporary and times out after a period of inactivity (default 24 hours for TCP, but can be changed). Once the mapping times out, the public IP returns to the pool for reuse.

How it works:
- The router maintains a pool of public IP addresses (e.g., 203.0.113.20-203.0.113.30).
- When an inside host sends a packet, the router picks an available public IP from the pool and creates a dynamic mapping.
- The mapping remains active as long as traffic flows; after an idle timeout, it is removed.
- If the pool is exhausted, new packets from inside hosts are dropped.

Configuration:

! Define an ACL to match inside local addresses that will be translated
access-list 1 permit 192.168.1.0 0.0.0.255
!
! Define the pool of public IP addresses
ip nat pool MYPOOL 203.0.113.20 203.0.113.30 netmask 255.255.255.0
!
! Enable dynamic NAT — translate packets matching ACL 1 using pool MYPOOL
ip nat inside source list 1 pool MYPOOL
!
! Configure interfaces as inside and outside
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 ip address 203.0.113.1 255.255.255.0
 ip nat outside

Verification:

R1# show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- 203.0.113.20       192.168.1.10       ---                ---
--- 203.0.113.21       192.168.1.11       ---                ---
R1# show ip nat statistics
Total active translations: 2
Pool MYPOOL: 203.0.113.20 - 203.0.113.30
  Total addresses: 11
  Available: 9
  Allocated: 2

PAT (Port Address Translation)

PAT, also known as NAT overload, is the most common type of NAT. It allows many private IP addresses to share a single public IP address (or a small pool) by using different source port numbers. The router tracks each session using a combination of protocol, source IP, source port, translated IP, and translated port.

How it works:
- When an inside host sends a packet, the router changes the source IP to the public IP (from a pool or the interface IP) and assigns a unique source port number (typically starting from 1024).
- The router stores this mapping in its NAT table.
- When a reply comes back, the router looks up the destination port and finds the original private IP and port.
- If the pool is a single IP, the router uses the interface's IP address as the inside global address.

Configuration (overloading the interface IP):

! Define an ACL to match inside local addresses
access-list 1 permit 192.168.1.0 0.0.0.255
!
! Enable PAT — use the IP address of the outside interface
ip nat inside source list 1 interface GigabitEthernet0/1 overload
!
! Configure interfaces
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 ip address 203.0.113.1 255.255.255.0
 ip nat outside

Verification:

R1# show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
tcp 203.0.113.1:1024   192.168.1.10:1234  8.8.8.8:80         8.8.8.8:80
tcp 203.0.113.1:1025   192.168.1.11:5678  8.8.8.8:80         8.8.8.8:80
R1# show ip nat statistics
Total active translations: 2
Outside interfaces: GigabitEthernet0/1
Inside interfaces: GigabitEthernet0/0
Hits: 100  Misses: 0
CEF Translated packets: 100, CEF Punted packets: 0
Expired translations: 0
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 1 interface GigabitEthernet0/1 refcount 2
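The three lookup behaviours described above (static entries consulted first, then a dynamic pool that drops packets when exhausted, then PAT handing out ports from 1024 and reversing the mapping for replies) as an added Python model. This is constructed example code, not the chapter's own material or Cisco IOS; the class and method names are our own, and the addresses mirror the chapter's examples.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple

# Constructed model of a Cisco-style NAT table (not IOS code). Addresses
# mirror the chapter: 192.168.1.0/24 inside, 203.0.113.0/24 inside global.
# Static entries are consulted before dynamic/PAT entries.

PatKey = Tuple[str, str, int]   # (protocol, inside global IP, inside global port)


@dataclass
class NatRouter:
    acl: IPv4Network                                       # "access-list 1 permit ..."
    static: Dict[str, str] = field(default_factory=dict)   # inside local -> inside global
    pool: List[str] = field(default_factory=list)          # free addresses for dynamic NAT
    overload_ip: Optional[str] = None                      # set for PAT (the interface IP)
    dynamic: Dict[str, str] = field(default_factory=dict)  # inside local -> inside global
    pat: Dict[PatKey, Tuple[str, int]] = field(default_factory=dict)
    next_port: int = 1024                                  # PAT ports are handed out from 1024
    dropped: int = 0

    def outbound(self, proto: str, src_ip: str, src_port: int):
        """Packet entering on the 'ip nat inside' interface.
        Returns the translated (inside global IP, port), or None if dropped."""
        if src_ip in self.static:                      # one-to-one, never times out
            return self.static[src_ip], src_port
        if IPv4Address(src_ip) not in self.acl:        # ACL miss: forwarded untranslated
            return src_ip, src_port
        if self.overload_ip is not None:               # PAT / NAT overload
            for key, local in self.pat.items():
                if key[0] == proto and local == (src_ip, src_port):
                    return key[1], key[2]              # reuse the existing session entry
            if self.next_port > 65535:                 # port space exhausted
                self.dropped += 1
                return None
            port, self.next_port = self.next_port, self.next_port + 1
            self.pat[(proto, self.overload_ip, port)] = (src_ip, src_port)
            return self.overload_ip, port
        if src_ip not in self.dynamic:                 # dynamic NAT: one address per host
            if not self.pool:                          # pool exhausted: packet dropped
                self.dropped += 1
                return None
            self.dynamic[src_ip] = self.pool.pop(0)
        return self.dynamic[src_ip], src_port

    def inbound(self, proto: str, dst_ip: str, dst_port: int):
        """Reply entering on the 'ip nat outside' interface: reverse lookup.
        Returns the (inside local IP, port) to deliver to, or None if no entry."""
        for local, glob in self.static.items():
            if glob == dst_ip:
                return local, dst_port
        entry = self.pat.get((proto, dst_ip, dst_port))
        if entry is not None:
            return entry
        for local, glob in self.dynamic.items():
            if glob == dst_ip:
                return local, dst_port
        return None


if __name__ == "__main__":
    # PAT as in the chapter: two hosts share 203.0.113.1 using ports 1024 and 1025
    r = NatRouter(acl=IPv4Network("192.168.1.0/24"), overload_ip="203.0.113.1")
    print(r.outbound("tcp", "192.168.1.10", 1234))     # ('203.0.113.1', 1024)
    print(r.outbound("tcp", "192.168.1.11", 5678))     # ('203.0.113.1', 1025)
    print(r.inbound("tcp", "203.0.113.1", 1025))       # ('192.168.1.11', 5678)
```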

Key Differences and Exam Points

Static NAT: One-to-one, permanent. Use for servers.

Dynamic NAT: Many-to-many, temporary pool. Less common in practice.

PAT: Many-to-one, uses ports. Most common for internet access.

Timeout values: Default timeout for dynamic NAT and PAT is 24 hours for TCP, but the router uses a shorter timeout for UDP (5 minutes) and ICMP (1 minute). The command ip nat translation timeout can change these.

NAT Table: Shows protocol, inside global (translated), inside local (original), outside local, outside global.

The `overload` keyword: Enables PAT. Without it, the command ip nat inside source list <acl> pool <pool> does dynamic NAT, not PAT.

Interaction with Other Protocols

ACLs: Used to define which traffic is translated. The ACL matches the inside local addresses.

Routing: NAT changes the source IP, but the destination IP is not changed (unless destination NAT is used, which is beyond CCNA). Return traffic must be routed back to the NAT router.

DNS: If an internal server is statically NATed, DNS must return the public IP for external queries. This is often handled by split DNS or DNS application-level gateway.

IPsec: NAT can break IPsec because it modifies IP addresses and ports. NAT-T (NAT Traversal) is used to encapsulate IPsec in UDP, but that is beyond CCNA.

Troubleshooting Commands

show ip nat translations — view active translations.

show ip nat statistics — see hit/miss counts, pool usage.

clear ip nat translation * — remove all dynamic translations.

debug ip nat — real-time translation events. Use with caution in production.

Example debug output:

R1# debug ip nat
NAT: s=192.168.1.10->203.0.113.1, d=8.8.8.8 [50]
NAT: s=8.8.8.8, d=203.0.113.1->192.168.1.10 [50]

This shows the translation happening: source 192.168.1.10 becomes 203.0.113.1, and the reply is translated back.

Walk-Through

Step 1: Configure Inside and Outside Interfaces

Before any NAT translation can occur, you must designate which interfaces are 'inside' (facing the private network) and 'outside' (facing the public network). Use the `ip nat inside` command on the interface connected to the private LAN, and `ip nat outside` on the interface connected to the internet or WAN. This is a common misconfiguration — if you forget to set an interface as inside or outside, NAT will not function. Verify with `show ip interface brief` to confirm the interface status; the inside/outside designations themselves appear in the "Inside interfaces" and "Outside interfaces" lines of `show ip nat statistics`, or you can check the running config. Example: `interface GigabitEthernet0/0` then `ip nat inside`.

Step 2: Define an Access List for Traffic to Translate

Create a standard access list that matches the source IP addresses of the hosts that should be translated. For example, `access-list 1 permit 192.168.1.0 0.0.0.255` permits all hosts in the 192.168.1.0/24 network. The ACL is used in the NAT configuration to specify which traffic is subject to translation. Remember: the ACL matches the inside local (private) addresses. If you mistakenly permit the wrong subnet, hosts may be translated when they shouldn't be, or not translated at all. Also note that standard ACLs (1-99) are typically used, but extended ACLs can be used for more granular control.

Step 3: Configure the NAT Rule (Static, Dynamic, or PAT)

For Static NAT, use `ip nat inside source static <inside-local> <inside-global>`. For Dynamic NAT, create a pool with `ip nat pool <name> <start-ip> <end-ip> netmask <mask>` and then use `ip nat inside source list <acl> pool <pool-name>`. For PAT, add the `overload` keyword: either `ip nat inside source list <acl> interface <outside-interface> overload` or `ip nat inside source list <acl> pool <pool-name> overload`. The `overload` keyword enables port multiplexing. Without it, dynamic NAT uses one-to-one mapping. Exam tip: The most common exam question asks for PAT configuration — remember the `overload` keyword.

Step 4: Verify NAT Translations and Statistics

After configuration, generate traffic from an inside host (e.g., ping an external IP like 8.8.8.8) and then use `show ip nat translations` to see the active translations. For PAT, you will see protocol and port numbers. Use `show ip nat statistics` to see hit counts, misses, pool usage, and the number of active translations. If translations appear but traffic fails, check routing — the return traffic must be routed back to the NAT router. Also verify that the outside interface has a route to the destination and that the inside hosts have a default gateway pointing to the router's inside interface.

Step 5: Troubleshoot with Debug and Clear Commands

If translations are not being created, use `debug ip nat` to see real-time translation events. Look for messages like `NAT: s=<private>-><public>`. If you see no output, the traffic might not be matching the ACL, or the interfaces are not correctly designated. Use `clear ip nat translation *` to remove all dynamic translations (useful for testing). For a specific translation, use `clear ip nat translation inside <inside-global> <inside-local>` with the exact addresses (a PAT entry additionally needs the protocol and both ports). Remember: `debug ip nat` can be CPU-intensive on a busy router; use it only in a lab or during maintenance windows.

Step 6: Configure PAT with Pool for Exam Scenario

In some exam scenarios, you may need to configure PAT with a pool of public addresses (not just the interface IP). The command is `ip nat inside source list <acl> pool <pool-name> overload`. For example: `ip nat pool POOL 203.0.113.20 203.0.113.22 netmask 255.255.255.0` then `ip nat inside source list 1 pool POOL overload`. This allows multiple inside hosts to share the three public IPs using port numbers. The router will assign a public IP from the pool and a unique port for each session. If the pool has multiple IPs, the router load-balances sessions across them. This is a common exam topic — ensure you understand the difference between using `interface` and `pool` with `overload`.

What This Looks Like on the Job

In an enterprise network, NAT is deployed primarily for internet access. Consider a company with 500 employees, each with a laptop and phone, all using private IPs in the 10.0.0.0/8 range. The company has a single public IP address from its ISP (e.g., 203.0.113.1). The network engineer configures PAT on the edge router so that all 1000+ devices can share that one public IP. The configuration uses ip nat inside source list 100 interface GigabitEthernet0/1 overload, where ACL 100 permits the 10.0.0.0/8 network. The router's NAT table can handle thousands of simultaneous translations (depending on model and memory). Performance is generally excellent, but if the router runs out of port numbers (max 65535 per IP, minus reserved ports), new connections fail. This is rare in practice because most connections are short-lived.

Another scenario is hosting a web server internally. The web server has a private IP (10.0.0.10) but must be accessible from the internet. The engineer configures a static NAT mapping: ip nat inside source static 10.0.0.10 203.0.113.5. Additionally, they must ensure the firewall allows traffic to port 80/443 and that DNS resolves the company's domain to 203.0.113.5. This is common for small businesses that cannot afford a public IP for each server.

A third scenario is using Dynamic NAT with a pool for a department that needs to log all outbound traffic with a consistent source IP (e.g., for security auditing). The engineer creates a pool of 10 public IPs and assigns them via dynamic NAT without overload. Each user gets a unique public IP for the duration of their session. This is less common due to public IP scarcity.

Misconfiguration examples: Forgetting to apply ip nat inside or ip nat outside on interfaces — NAT simply doesn't work. Using the wrong ACL (e.g., permitting the outside network instead of inside) causes no translations. Forgetting the overload keyword when PAT is intended results in one-to-one dynamic NAT, which quickly exhausts the pool. Also, not setting a default route or having incorrect routing can cause asymmetric routing where return traffic does not go through the NAT router, breaking connectivity.
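A small checker for the misconfigurations listed above and in the walk-through (missing `ip nat inside`/`ip nat outside`, a pool rule without `overload`, an ACL that permits public rather than RFC 1918 addresses, and a wildcard typed as a subnet mask), run over IOS-style running-config text. This is added example code, not a Cisco tool or part of the chapter; the function names, message wording and the sample configs are our own, and interface names are assumed to be spelled identically in the `interface` stanza and the NAT rule.

```python
import re
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Tuple

# Constructed checker for the NAT exam traps the chapter lists (not a Cisco
# tool). It reads IOS-style running-config text line by line.
RFC1918 = [IPv4Network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def contiguous_wildcard(wildcard: str) -> bool:
    """A wildcard mask has its set bits contiguous from the low end
    (0.0.0.255 is fine; 255.255.255.0 has the shape of a subnet mask)."""
    v = int(IPv4Address(wildcard))
    return (v + 1) & v == 0


def lint_nat_config(config: str) -> List[str]:
    findings: List[str] = []
    roles: Dict[str, List[str]] = {"inside": [], "outside": []}
    acls: Dict[str, List[Tuple[str, str]]] = {}       # acl -> [(network, wildcard)]
    rules: List[str] = []
    current = None                                     # interface stanza being parsed
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"interface (\S+)$", line)
        if m:
            current = m.group(1)
        elif line in ("ip nat inside", "ip nat outside") and current:
            roles[line.split()[-1]].append(current)
        elif line.startswith("ip nat inside source"):
            rules.append(line)
        else:
            m = re.match(r"access-list (\d+) permit (?:host )?(\S+)(?: (\S+))?$", line)
            if m:   # a missing wildcard (host form) means 0.0.0.0
                acls.setdefault(m.group(1), []).append((m.group(2), m.group(3) or "0.0.0.0"))
    if rules and not roles["inside"]:
        findings.append("no interface has 'ip nat inside'; NAT will not translate")
    if rules and not roles["outside"]:
        findings.append("no interface has 'ip nat outside'; NAT will not translate")
    for rule in rules:
        m = re.match(r"ip nat inside source list (\S+) (interface|pool) (\S+)( overload)?$", rule)
        if not m:
            continue                                   # static rules have no ACL or pool to check
        acl, kind, target, overload = m.groups()
        if kind == "pool" and not overload:
            findings.append(f"'{rule}' has no 'overload': one-to-one dynamic NAT, pool can be exhausted")
        if kind == "interface" and target not in roles["outside"]:
            findings.append(f"'{rule}' overloads {target}, which is not marked 'ip nat outside'")
        if acl not in acls:
            findings.append(f"'{rule}' references access-list {acl}, which is not defined")
            continue
        for network, wildcard in acls[acl]:
            if network == "any":
                continue
            if not any(IPv4Address(network) in n for n in RFC1918):
                findings.append(f"access-list {acl} permits {network}, not an RFC 1918 inside local address")
            if not contiguous_wildcard(wildcard):
                findings.append(f"access-list {acl} wildcard {wildcard} looks like a subnet mask, not a wildcard")
    return findings


# Constructed sample: three of the chapter's traps in one config
BAD_CONFIG = """access-list 1 permit 192.168.1.0 255.255.255.0
ip nat pool MYPOOL 203.0.113.20 203.0.113.30 netmask 255.255.255.0
ip nat inside source list 1 pool MYPOOL
interface GigabitEthernet0/0
 ip nat inside
"""

if __name__ == "__main__":
    for finding in lint_nat_config(BAD_CONFIG):
        print("-", finding)
```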

How CCNA 200-301 Actually Tests This

The CCNA 200-301 exam tests NAT under objective 4.1: Configure, verify, and troubleshoot NAT types. You must be able to differentiate between Static NAT, Dynamic NAT, and PAT, and know the exact IOS commands to configure each. The exam will present scenario-based questions, often with a topology and a requirement (e.g., 'Allow all hosts in subnet 192.168.1.0/24 to access the internet using the public IP 203.0.113.1').

Common wrong answers and why candidates choose them:
1. Using `ip nat inside source list 1 pool MYPOOL` without `overload` when PAT is needed. Candidates see 'pool' and think they need dynamic NAT, but the question asks for internet access for many hosts with a single IP — that requires overload. The wrong answer works for a small number of hosts but fails when more hosts than pool addresses try to connect.
2. Configuring the ACL to permit the public IP instead of the private IP. Candidates sometimes think the ACL should match the translated address, but it must match the inside local (private) addresses.
3. Forgetting to apply `ip nat inside` and `ip nat outside` on interfaces. Many candidates only configure the global NAT command and wonder why it doesn't work.
4. Using `ip nat inside source static` for dynamic scenarios. This creates a permanent mapping, which is not appropriate for general internet access.

Specific values and defaults:
- Default timeout for dynamic NAT/PAT is 24 hours for TCP, 5 minutes for UDP, 1 minute for ICMP.
- The show ip nat translations command shows protocol, inside global, inside local, outside local, outside global.
- The show ip nat statistics command shows total active translations, hits, misses, and pool usage.
- PAT port range typically starts at 1024 and goes up to 65535, but the router may reserve ports 1-1023.

Decision rule for scenario questions:
- If the requirement is to allow internal hosts to access the internet and there is only one public IP, choose PAT with overload.
- If the requirement is to make an internal server accessible from the internet with a fixed public IP, choose Static NAT.
- If the requirement is to provide a pool of public IPs for outbound access without port sharing (rare), choose Dynamic NAT without overload.

Calculation traps: None for NAT per se, but be careful with ACL wildcard masks — they are not subnet masks. For example, to permit 192.168.1.0/24, use 0.0.0.255, not 255.255.255.0.

Key Takeaways

Static NAT: one-to-one permanent mapping, configured with `ip nat inside source static <inside-local> <inside-global>`.

Dynamic NAT: one-to-one temporary mapping from a pool, configured with `ip nat inside source list <acl> pool <pool-name>`.

PAT (NAT overload): many-to-one using port numbers, configured with `ip nat inside source list <acl> interface <outside-int> overload` or `... pool <pool-name> overload`.

Interfaces must be designated with `ip nat inside` and `ip nat outside`.

Use `show ip nat translations` to view active translations; `show ip nat statistics` for counters and pool usage.

Default timeouts: TCP 24 hours, UDP 5 minutes, ICMP 1 minute (configurable with `ip nat translation timeout`).

The ACL in NAT configuration matches inside local (private) addresses, not public.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Static NAT

One-to-one mapping

Permanent (no timeout)

Used for servers needing fixed public IP

Configured with `ip nat inside source static`

No pool required

Dynamic NAT

One-to-one mapping from a pool

Temporary (times out after idle period)

Used for outbound access with limited public IPs

Configured with `ip nat inside source list <acl> pool <pool>`

Requires a pool of public IPs

Dynamic NAT

One-to-one mapping

Each private IP gets a unique public IP from pool

Pool exhaustion blocks new connections

No port translation

Less common due to IP scarcity

PAT (NAT Overload)

Many-to-one mapping

Multiple private IPs share one public IP via port numbers

Extremely scalable (up to 65535 ports per IP)

Uses port translation

Most common form of NAT

Watch Out for These

Mistake

PAT and Dynamic NAT are the same thing.

Correct

Dynamic NAT maps one private IP to one public IP from a pool (one-to-one). PAT maps many private IPs to one public IP using port numbers (many-to-one). PAT uses the `overload` keyword; Dynamic NAT does not.

Both involve a pool, but PAT adds port multiplexing to allow multiple hosts to share a single public IP.

Mistake

The ACL in a NAT configuration should permit the public IP addresses.

Correct

The ACL should permit the inside local (private) IP addresses that need to be translated. The router matches the source IP of the packet against the ACL to decide whether to translate.

Candidates often confuse the purpose of the ACL — it defines which traffic is translated, not the translated address itself.

Mistake

Static NAT creates a temporary mapping that times out.

Correct

Static NAT creates a permanent, one-to-one mapping that does not time out. It remains until the configuration is removed.

The word 'static' implies permanence, but some candidates assume all NAT entries are dynamic.

Mistake

You can configure NAT without designating inside and outside interfaces.

Correct

The router must know which interface is inside (private) and which is outside (public) to apply translations correctly. Without `ip nat inside` and `ip nat outside` on the interfaces, NAT will not work.

Candidates sometimes think the global NAT command alone is sufficient, ignoring interface-level configuration.


Frequently Asked Questions

What is the difference between NAT and PAT?

NAT (Network Address Translation) is a general term for modifying IP addresses in packets. PAT (Port Address Translation) is a specific type of NAT that also modifies the source port number to allow many private IPs to share a single public IP. In Cisco terminology, PAT is called 'NAT overload' and is configured with the `overload` keyword. The key difference: NAT typically does one-to-one translation (static or dynamic), while PAT does many-to-one using ports.

Why do I need to configure 'ip nat inside' and 'ip nat outside' on interfaces?

The router needs to know which interface is connected to the private network (inside) and which is connected to the public network (outside) to apply translation correctly. When a packet arrives on an inside interface, the router checks if it matches the NAT ACL and translates the source IP. When a packet arrives on an outside interface, the router checks the destination IP against the NAT table and translates it back. Without these interface designations, the router does not know where to apply translations.

Can I use an extended ACL for NAT?

Yes, you can use an extended ACL (100-199, 2000-2699) to match more specific traffic, such as only HTTP traffic. For example, `access-list 100 permit tcp 192.168.1.0 0.0.0.255 any eq 80` would only translate web traffic. However, for basic internet access, a standard ACL is simpler and sufficient. The CCNA exam typically uses standard ACLs for NAT.

What is the default timeout for NAT translations?

For TCP, the default timeout is 24 hours (86400 seconds). For UDP, it's 5 minutes (300 seconds). For ICMP, it's 1 minute (60 seconds). You can change these with the `ip nat translation timeout` command. For example, `ip nat translation timeout 600` sets a 10-minute timeout for all protocols. There are also protocol-specific timeouts like `ip nat translation udp-timeout 120`.

How do I clear all NAT translations?

Use the command `clear ip nat translation *` to remove all dynamic translations (including PAT entries). Static NAT entries are not affected. You can also clear a specific translation with `clear ip nat translation inside <inside-global> <inside-local>` (for dynamic NAT) or `clear ip nat translation <protocol> inside <inside-global> <port> <inside-local> <port>` for PAT entries. Be careful — clearing translations will disrupt active sessions.

What does 'show ip nat statistics' show?

It shows the total number of active translations, hits (packets translated), misses (packets that could not be translated), and pool usage (number of addresses allocated vs available). It also lists the outside and inside interfaces and any dynamic mappings. This command is useful for verifying that NAT is processing traffic and to check pool exhaustion.

Can I have both static and dynamic NAT on the same router?

Yes, you can configure both static and dynamic NAT simultaneously. Static NAT entries are checked first; if a packet matches a static entry, it is translated statically. If not, the router checks dynamic NAT/PAT. This is common when you have a server with static NAT and other hosts using PAT.
