CCNA 200-301 | Chapter 75 of 260 | Objective 4.1

PAT (NAT Overload) Deep Dive

PAT (Port Address Translation), commonly called NAT overload, is the mechanism that allows hundreds or thousands of private IP hosts to share a single public IP address when accessing the internet. For the CCNA 200-301 exam (Objective 4.1), understanding PAT is critical because it is the most widely deployed form of NAT in enterprise and home networks. Beyond the exam, every network engineer must master PAT to conserve IPv4 addresses; the fact that unsolicited inbound packets find no translation entry and are dropped is a useful side effect, not a substitute for a firewall.

25 min read
Intermediate
Updated May 31, 2026

The Apartment Mailroom

Imagine a large apartment building with 100 residents, but the building has only one street address (e.g., 123 Main Street). Each resident has a unique apartment number (e.g., Apt 1A, Apt 2B), which is like a private IP address. When a resident orders a package from outside, it is addressed to the building's street address, but the delivery driver doesn't know which apartment it belongs to. So the building has a mailroom clerk. The clerk keeps a log: when a resident orders a package, the clerk writes down the apartment number and assigns a temporary 'package number' (say, a number between 1000 and 9999). The delivery driver brings a package addressed to 123 Main Street, package number 1234. The clerk looks up 1234 in the log, sees it belongs to Apt 1A, and delivers it. Each package gets a unique number so that when several residents order at once, the clerk can tell the deliveries apart. This is exactly how PAT works: the router (mailroom clerk) translates many private IPs (apartment numbers) to one public IP (street address) using unique port numbers (package numbers). The log is the NAT translation table. Once a delivery is complete, the clerk can reuse the package number. Similarly, PAT reuses a port once its translation entry has timed out (on Cisco IOS an idle TCP entry lives 24 hours, or 60 seconds after a FIN or RST; a UDP entry lives 5 minutes). The key limitation: if too many residents have packages in flight at once, the clerk runs out of unique numbers. In networking this is port exhaustion, and new connections through the public address fail.

How It Actually Works

What is PAT (NAT Overload)?

Port Address Translation (PAT) is a form of Network Address Translation that maps multiple private IP addresses to a single public IP address by using different source port numbers. RFC 2663 calls it NAPT (Network Address Port Translation) and RFC 3022 describes how it operates; it is the most common type of NAT used in home routers and enterprise edge devices. PAT is also called NAT overload because it overloads a single public IP with many private hosts.

The core problem PAT solves is IPv4 address exhaustion. With PAT, an organization with, say, 1000 internal devices can use just one public IP address for all outbound internet traffic. This is possible because the transport layer (TCP/UDP) uses port numbers (16-bit values, 0-65535) to identify individual sessions. By changing the source port number for each connection, the NAT router can distinguish which internal host initiated which session.

How PAT Works Step by Step at the Packet Level

Consider an internal host 192.168.1.10 sending an HTTP request to a web server at 203.0.113.5. The internal host creates a TCP SYN packet with:

Source IP: 192.168.1.10

Source port: 5000 (ephemeral port chosen by the host)

Destination IP: 203.0.113.5

Destination port: 80

Step 1: The packet arrives at the inside interface of the NAT router.

Step 2: The router checks its NAT table. Since this is a new session, no entry exists, so the router creates a translation entry. It selects a public IP (the outside interface address, or an address from a NAT pool) and a port. Cisco IOS first tries to keep the host's own source port; only if that port is already in use on the global address does it take a free port from the same range (1-511, 512-1023 or 1024-65535). For this walkthrough, assume port 5000 was already taken and the router chose 1025. The router records:

Inside Local: 192.168.1.10:5000

Inside Global: 203.0.113.1:1025 (assuming the router's outside interface IP is 203.0.113.1)

Outside Local: 203.0.113.5:80

Outside Global: 203.0.113.5:80 (no translation for the server)

Step 3: The router rewrites the packet's source IP to 203.0.113.1 and source port to 1025. It then recalculates the IP header checksum and the TCP checksum; the TCP (and UDP) checksum always changes, because it covers a pseudo-header containing the source and destination IP addresses as well as the port numbers.

Step 4: The packet is forwarded out the outside interface.

Step 5: The server sends a reply to 203.0.113.1:1025. The reply arrives at the router's outside interface.

Step 6: The router looks up the destination IP and port in its NAT table. It finds the entry and rewrites the destination IP to 192.168.1.10 and destination port to 5000.

Step 7: The packet is forwarded to the internal host.

If a second internal host (192.168.1.20) sends a request to the same server from source port 5000 while the first session is active, the router cannot hand out a port that is already in use on 203.0.113.1, so it assigns a different one (e.g., 1026) to keep the sessions unique. If the second host uses a source port that is free on the global address (e.g., 5001), Cisco IOS simply keeps that port. What makes the table unambiguous is that each (protocol, inside global IP, port) combination belongs to exactly one session at a time; a port is only handed out again after its entry has expired.
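The table that steps 1 to 7 describe, as an added example that is not code from the original page or from Cisco IOS: a Python simulation of a PAT table with Cisco-style port preservation and port groups, the 24-hour/5-minute/60-second timers with the shortening after a TCP FIN or RST, the reverse lookup that delivers replies, the drop of unsolicited inbound packets, and port exhaustion. The class and function names, the fake clock, the sample hosts and the rule that pool addresses are used one at a time are assumptions for the demo. Because the simulation keeps the first host's own port 5000, as IOS does, the second host receives 1024 here rather than the 1025/1026 used for illustration above.

```python
"""Simulation of a Cisco-style PAT (NAT overload) translation table.
Added example, not code from the original page or from Cisco IOS. Assumptions are
marked: IOS port preservation and port groups, pool addresses used in order, and
entries keyed on the full 5-tuple so unsolicited inbound packets are dropped."""
from dataclasses import dataclass
import time

DEFAULT_TIMEOUTS = {"tcp": 86400, "udp": 300, "icmp": 60}  # IOS defaults, seconds
FINRST_TIMEOUT = 60                                         # after TCP FIN/RST
PORT_GROUPS = ((1, 511), (512, 1023), (1024, 65535))        # IOS port groups

class PortExhausted(Exception):
    """No free port left on any inside global address."""

@dataclass
class Entry:
    proto: str             # "tcp", "udp" or "icmp" (port field = ICMP query ID)
    inside_local: tuple    # (ip, port) as seen on the LAN
    inside_global: tuple   # (ip, port) as seen on the internet
    outside: tuple         # (ip, port) of the remote peer
    expires_at: float = 0.0
    closing: bool = False  # TCP FIN/RST seen: the short timeout applies

class PatTable:
    def __init__(self, global_ips, now=time.time, port_groups=PORT_GROUPS):
        self.global_ips = list(global_ips)  # one address = "interface ... overload"
        self.now = now                      # injectable clock for the demo
        self.port_groups = port_groups
        self.by_local = {}   # (proto, inside_local, outside) -> Entry
        self.by_global = {}  # (proto, inside_global) -> Entry, unique per ip:port

    def _group(self, port):
        return next(((lo, hi) for lo, hi in self.port_groups if lo <= port <= hi),
                    self.port_groups[-1])

    def _alloc(self, proto, wanted):
        """Keep the host's own source port if free, else the first free port in
        its group. Assumption: pool addresses are consumed in order."""
        lo, hi = self._group(wanted)
        for gip in self.global_ips:
            if (proto, (gip, wanted)) not in self.by_global:
                return gip, wanted
            for p in range(lo, hi + 1):
                if (proto, (gip, p)) not in self.by_global:
                    return gip, p
        raise PortExhausted(f"{proto}: no free port on {self.global_ips}")

    def _expire(self):
        now = self.now()
        for key, e in [kv for kv in self.by_local.items() if kv[1].expires_at <= now]:
            del self.by_local[key]
            del self.by_global[(e.proto, e.inside_global)]

    def _refresh(self, e, flags):
        if e.proto == "tcp" and {"FIN", "RST"} & set(flags):
            e.closing = True
        e.expires_at = self.now() + (FINRST_TIMEOUT if e.closing
                                     else DEFAULT_TIMEOUTS[e.proto])

    def translate_out(self, proto, src, dst, flags=()):
        """Inside -> outside: returns the rewritten (src, dst)."""
        self._expire()
        e = self.by_local.get((proto, src, dst))
        if e is None:
            e = Entry(proto, src, self._alloc(proto, src[1]), dst)
            self.by_local[(proto, src, dst)] = e
            self.by_global[(proto, e.inside_global)] = e
        self._refresh(e, flags)
        return e.inside_global, dst

    def translate_in(self, proto, src, dst, flags=()):
        """Outside -> inside: rewritten (src, dst), or None (drop) unless an entry
        matches both the global ip:port and the peer it was created for."""
        self._expire()
        e = self.by_global.get((proto, dst))
        if e is None or e.outside != src:
            return None
        self._refresh(e, flags)
        return src, e.inside_local

def demo():
    """Replay the chapter's scenario against a fake clock; returns observations."""
    clock = [0.0]
    nat = PatTable(["203.0.113.1"], now=lambda: clock[0])
    srv = ("203.0.113.5", 80)
    a_out, _ = nat.translate_out("tcp", ("192.168.1.10", 5000), srv, ("SYN",))
    b_out, _ = nat.translate_out("tcp", ("192.168.1.20", 5000), srv, ("SYN",))
    reply = nat.translate_in("tcp", srv, a_out)
    stray = nat.translate_in("tcp", ("198.51.100.9", 4444), a_out)  # unsolicited
    nat.translate_out("tcp", ("192.168.1.10", 5000), srv, ("FIN", "ACK"))
    clock[0] += FINRST_TIMEOUT + 1  # past the 60 s FIN/RST timeout
    after_fin = nat.translate_in("tcp", srv, a_out)
    # Port exhaustion, with the dynamic port group shrunk to three ports.
    tiny = PatTable(["203.0.113.1"], lambda: clock[0], port_groups=((1024, 1026),))
    for host in ("10.0.0.1", "10.0.0.2", "10.0.0.3"):
        tiny.translate_out("udp", (host, 1024), ("203.0.113.53", 53))
    try:
        tiny.translate_out("udp", ("10.0.0.4", 1024), ("203.0.113.53", 53))
        exhausted = False
    except PortExhausted:
        exhausted = True
    return {"a": a_out, "b": b_out, "reply_dst": reply[1], "stray": stray,
            "after_fin": after_fin, "exhausted": exhausted}

if __name__ == "__main__": print(demo())
```

Running the file prints the observations: host A keeps 203.0.113.1:5000, host B gets 203.0.113.1:1024, the server's reply is delivered to 192.168.1.10:5000, a packet from a different peer aimed at the same global port is dropped, the entry disappears 61 seconds after the FIN, and the fourth UDP host on the three-port table raises PortExhausted. The peer check in translate_in is what gives PAT its incidental filtering of unsolicited traffic; it is a side effect of keeping the table unambiguous, not a security policy.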

Key States, Timers, and Defaults

Cisco IOS NAT maintains translation entries with timers:

TCP translation timeout: 24 hours (86400 seconds) by default. This is very long because TCP sessions can be idle for a long time. However, if the router sees a FIN or RST, it reduces the timeout to 60 seconds.

UDP translation timeout: 5 minutes (300 seconds) by default.

ICMP translation timeout: 60 seconds by default.

DNS timeout: 60 seconds by default.

Port allocation: Cisco IOS divides the port space into three groups, 1-511, 512-1023 and 1024-65535, and when it cannot preserve a host's original source port it allocates the replacement from the same group. Because client software almost always uses ephemeral ports above 1023, the range that matters for dynamic allocation in practice is 1024-65535.

These timers are configurable with the ip nat translation commands.

IOS CLI Verification Commands

To verify PAT operation, use the following commands:

show ip nat translations

Example output:

Pro Inside global      Inside local       Outside local      Outside global
tcp 203.0.113.1:1025   192.168.1.10:5000  203.0.113.5:80     203.0.113.5:80
tcp 203.0.113.1:1026   192.168.1.20:5000  203.0.113.5:80     203.0.113.5:80

The "Pro" column shows the protocol. "Inside global" is the translated address/port. "Inside local" is the original internal address/port. "Outside local" and "Outside global" are usually the same unless destination NAT is used.

show ip nat statistics

Example output:

Total active translations: 2 (0 static, 2 dynamic; 2 extended)
Peak translations: 45
Outside interfaces: GigabitEthernet0/0
Inside interfaces: GigabitEthernet0/1
Hits: 1234  Misses: 102
Expired translations: 100
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 1 interface GigabitEthernet0/0 refcount 2

"Total active translations" is the number of entries currently in the table; "extended" entries are the ones that carry port numbers, i.e. PAT entries. "Hits" counts lookups that found an existing entry, and "Misses" counts lookups that found none and therefore had to create one, so every new session is a miss; a rising miss count is normal and is not an error. The "Dynamic mappings" section shows which ACL and which outside interface (or pool) the overload rule uses, and "refcount" is the number of entries currently depending on it.
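A parser for the two outputs above (show ip nat translations and show ip nat statistics), as an added example that is not code from the original page or from Cisco: it turns the table into records, counts dynamic translations per inside host so that one host hoarding ports (a scanner, a worm, or a beaconing implant) stands out, and reads the statistics counters to estimate how full the port pool is. The sample output is constructed for the demo (it extends the two-entry table above with a static entry and a host talking to twelve peers on tcp/445), and the per-host and utilisation thresholds are assumptions, not IOS settings.

```python
"""Parse `show ip nat translations` and `show ip nat statistics` output and flag
inside hosts that are eating the PAT port space. Added example, not code from the
page or from Cisco; the sample output is constructed and the thresholds in
findings() are assumptions, not IOS defaults."""
import re
from collections import Counter, defaultdict

# Constructed sample: two ordinary hosts, one static entry, and 192.168.1.77
# fanning out to twelve different peers on tcp/445 (scan- or worm-like).
SAMPLE_TRANSLATIONS = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 203.0.113.1:5000   192.168.1.10:5000  203.0.113.5:80     203.0.113.5:80
tcp 203.0.113.1:1024   192.168.1.20:5000  203.0.113.5:80     203.0.113.5:80
udp 203.0.113.1:53127  192.168.1.20:53127 203.0.113.53:53    203.0.113.53:53
--- 203.0.113.10       192.168.1.100      ---                ---
""" + "".join(
    f"tcp 203.0.113.1:{40000 + i} 192.168.1.77:{40000 + i} "
    f"198.51.100.{i}:445 198.51.100.{i}:445\n" for i in range(1, 13))

SAMPLE_STATISTICS = """\
Total active translations: 16 (1 static, 15 dynamic; 15 extended)
Peak translations: 45
Outside interfaces: GigabitEthernet0/0
Inside interfaces: GigabitEthernet0/1
Hits: 1234  Misses: 117
Expired translations: 100
"""

LINE_RE = re.compile(r"^(tcp|udp|icmp|---)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def split_sock(s):
    """'203.0.113.1:5000' -> ('203.0.113.1', 5000); bare IP -> (ip, None); '---' -> None."""
    if s == "---":
        return None
    ip, _, port = s.rpartition(":")
    return (ip, int(port)) if ip else (s, None)

def parse_translations(text):
    """One dict per table row; static (un-extended) entries have proto '---'."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            proto, ig, il, ol, og = m.groups()
            rows.append({"proto": proto, "static": proto == "---",
                         "inside_global": split_sock(ig), "inside_local": split_sock(il),
                         "outside_local": split_sock(ol), "outside_global": split_sock(og)})
    return rows

def parse_statistics(text):
    stats = {}
    m = re.search(r"Total active translations: (\d+) \((\d+) static, (\d+) dynamic; (\d+) extended\)", text)
    if m:
        stats.update(zip(("total", "static", "dynamic", "extended"), map(int, m.groups())))
    for key, pat in (("peak", r"Peak translations: (\d+)"), ("hits", r"Hits: (\d+)"),
                     ("misses", r"Misses: (\d+)"), ("expired", r"Expired translations: (\d+)")):
        m = re.search(pat, text)
        if m:
            stats[key] = int(m.group(1))
    return stats

def per_host(rows):
    """Dynamic translations per inside local IP and the set of peers each one talks to."""
    counts, peers = Counter(), defaultdict(set)
    for r in rows:
        if not r["static"]:
            host = r["inside_local"][0]
            counts[host] += 1
            peers[host].add(r["outside_global"])
    return counts, peers

def findings(rows, stats, max_per_host=10, ports_per_ip=64512, warn_pct=80):
    """Human-readable warnings. max_per_host/warn_pct are demo assumptions;
    ports_per_ip is the 1024-65535 group one global address offers."""
    out = []
    counts, peers = per_host(rows)
    for host, n in counts.most_common():
        if n > max_per_host:
            out.append(f"{host}: {n} translations to {len(peers[host])} peers "
                       "(scan, worm or beaconing?)")
    n_ips = len({r["inside_global"][0] for r in rows if not r["static"]}) or 1
    pct = 100 * stats.get("extended", 0) // (ports_per_ip * n_ips)
    if pct >= warn_pct:
        out.append(f"port pool {pct}% used on {n_ips} global address(es): exhaustion imminent")
    return out

def demo():
    rows = parse_translations(SAMPLE_TRANSLATIONS)
    stats = parse_statistics(SAMPLE_STATISTICS)
    return rows, stats, findings(rows, stats)

if __name__ == "__main__":
    for line in demo()[2]:
        print(line)
```

In practice you would feed it the show output captured over SSH or from a terminal log. The per-host count is the cheap first question to ask when users report that new connections fail, because a single misbehaving host can exhaust the port pool for everyone behind the same public address.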

show ip nat translations verbose

Adds, for each entry, the creation and last-use timestamps, the time left before it expires, and the entry flags.

How PAT Interacts with Related Protocols

ICMP: PAT translates ICMP packets by using the ICMP query ID as the port equivalent. Each ICMP echo request gets a unique ID, which the router maps.

FTP: FTP can use PORT (active) or PASV (passive) modes. PAT must inspect the FTP control channel to learn the address and port announced for the data connection and open a translation for it. Cisco IOS does this with its FTP ALG (Application Layer Gateway), which is on by default; the ip nat service command adjusts ALG behaviour, for example for FTP servers listening on a non-standard port.

DNS: DNS queries themselves are ordinary UDP sessions and are translated normally. If a DNS answer carries an internal IP address (for example, an A record for a server that is reachable from outside through a static mapping), the answer has to be rewritten to the matching global address. Cisco IOS NAT does this with its DNS ALG for addresses that appear in the translation table; on the Cisco ASA the same feature is called DNS doctoring and is enabled per NAT rule.

IPsec: PAT cannot translate native IPsec. ESP (IP protocol 50) has no port numbers to multiplex on, and AH's integrity check covers the IP header, so any rewrite invalidates the packet. IPsec VPNs therefore negotiate NAT-T (NAT Traversal), which wraps ESP in UDP port 4500 so that PAT has a port to translate.

Configuration Example

To configure PAT on a Cisco router:

interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 ip nat outside
!
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
access-list 1 permit 192.168.1.0 0.0.0.255
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload

The overload keyword enables PAT. Without it, the router would perform dynamic NAT (one-to-one mapping), which would exhaust the pool quickly.

Walk-Through

1

Configure Inside and Outside Interfaces

Identify which router interfaces connect to the internal network (inside) and which connect to the external network (outside). Use the `ip nat inside` and `ip nat outside` interface subcommands. For example:

```
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 ip nat outside
```

This step is mandatory. If you forget to mark an interface, NAT will not translate packets on that interface.

2

Define an Access List for Private Networks

Create a standard access list that matches the private IP addresses you want to translate. Usually, this is the entire internal subnet. For example:

```
access-list 1 permit 192.168.1.0 0.0.0.255
```

This ACL is used in the NAT configuration to identify which source addresses should be translated. Only packets matching the ACL will be NATed. Packets from other sources will be forwarded without translation.

3

Enable PAT with the Overload Keyword

Apply the NAT rule using the `ip nat inside source list` command with the `overload` keyword. Specify the outside interface (or a pool) as the translated address. For example:

```
ip nat inside source list 1 interface GigabitEthernet0/0 overload
```

This command tells the router to translate any packet from inside (matching ACL 1) to the IP address of GigabitEthernet0/0, using PAT (overload). The `overload` keyword is what enables port multiplexing. Without it, the router would perform dynamic NAT (one-to-one mapping).

4

Verify Translation Table and Statistics

After configuration, generate traffic from an internal host (e.g., ping an external IP). Then verify translations with:

```
show ip nat translations
```

You should see extended entries with port numbers. Also check:

```
show ip nat statistics
```

Look for "Total active translations", "Hits" and "Misses". A miss is a lookup that found no entry and created one, so new sessions show up as misses first. If both counters stay at zero while traffic flows, NAT is not seeing the packets: the traffic is not matching the ACL or the interfaces are not marked.

5

Troubleshoot Common Issues

If PAT does not work, check the following:

1. Verify that both inside and outside interfaces are correctly configured with `ip nat inside` / `ip nat outside`.
2. Ensure the ACL matches the correct source subnet.
3. Check that the outside interface has an IP address. A DHCP-assigned address is fine with the `interface ... overload` form, because the router translates to whatever address the interface currently holds; an interface that is down or has not yet obtained an address translates nothing.
4. Use `debug ip nat` to watch translations in real time:

```
debug ip nat detailed
```

This prints each packet as it is translated, in lines of the form `NAT: s=192.168.1.10->203.0.113.1, d=203.0.113.5 [1234]`, so you can see whether the source is being rewritten. Be careful using debug on production routers, and turn it off with `undebug all` when done.
5. Check for ACL conflicts: if an interface ACL drops the traffic, NAT never sees the packet.

What This Looks Like on the Job

In enterprise networks, PAT is almost always deployed at the edge router or firewall that connects the internal network to the internet. A typical scenario: a company with 500 employees, each with a desktop and a smartphone, totaling 1000 devices. The ISP provides a single public IP address (or a small block). The network engineer configures PAT on the edge router to allow all 1000 devices to share that one public IP. The engineer would configure the inside interface (connected to the LAN), the outside interface (connected to the ISP), an ACL matching the internal subnet (e.g., 10.0.0.0/8), and the ip nat inside source list ... interface ... overload command. The router now handles hundreds of simultaneous connections, each with a unique port number.

Another common scenario is when an organization has multiple public IP addresses but still uses PAT. They might create a NAT pool of several IPs and use PAT over that pool. For example, they could have 4 public IPs and 2000 internal hosts. The router will assign each new translation to one of the pool IPs and a unique port. This increases the total number of available ports (4 * 65535 = 262140 ports), reducing the risk of port exhaustion.

Performance considerations: PAT adds processing overhead because the router must rewrite packet headers and maintain a large translation table. High-end enterprise routers use hardware acceleration for NAT. In software-based routers (like many Cisco ISR series), PAT can become a bottleneck under heavy traffic. A common misconfiguration is not setting adequate timeouts, causing the translation table to fill with stale entries. For example, the default UDP timeout of 5 minutes may be too long for applications that send many short UDP exchanges (DNS already gets its own 60-second timeout, but other UDP traffic holds its port for the full 5 minutes). Reducing the UDP timeout to 1 minute with ip nat translation udp-timeout 60 frees ports faster.

When PAT is misconfigured, the most common symptom is that some applications fail intermittently. For instance, if the ACL is too restrictive, the hosts it misses are not translated and their packets leave with private source addresses; the ISP drops them, or the replies have nowhere to go, so those hosts simply cannot reach the internet. Another issue is that if the outside interface address changes (e.g., a DHCP lease renews with a different address), the existing translations are torn down and every active connection breaks. A static public address avoids this; where the ISP only offers DHCP, expect connections to drop whenever the address changes.

How CCNA 200-301 Actually Tests This

The CCNA 200-301 exam tests PAT under Objective 4.1 (Configure and verify NAT). Candidates must understand the difference between static NAT, dynamic NAT, and PAT (NAT overload). The exam focuses on configuration verification and troubleshooting, not on the theory of port multiplexing at a deep level.

Common wrong answers:

1.

Confusing PAT with dynamic NAT: Many candidates think that PAT uses a one-to-one mapping like dynamic NAT. The trap is that PAT uses the same public IP for multiple hosts, while dynamic NAT consumes one public IP per host. The exam may show a configuration without the overload keyword and ask how many hosts can access the internet. Without overload, only as many hosts as there are public IPs in the pool can be translated at the same time (1 host at a time if the pool has 1 IP).

2.

Misunderstanding the translation table output: A question might show show ip nat translations with entries that have the same inside global IP but different ports. Candidates might think this is an error. Actually, it is correct PAT behavior. The trap is that they expect each entry to have a unique inside global IP.

3.

Forgetting to mark interfaces: A scenario might describe a router with NAT configured but no ip nat inside/outside on interfaces. Candidates may assume NAT works anyway. The correct answer is that NAT will not translate any packets.

4.

Port exhaustion: A question may describe a scenario where many hosts are trying to connect and some fail. Candidates might blame the ACL or routing, but the real issue is that the router has run out of available ports (port exhaustion). Each TCP/UDP session holds one port on the public address, and once all usable ports on that address are taken, new connections fail.

Specific values to remember:

Default TCP translation timeout: 24 hours (or until FIN/RST, then 60 seconds)

Default UDP timeout: 5 minutes

Default ICMP timeout: 60 seconds

The overload keyword is required for PAT.

Decision rule for scenario questions: If the question says "allows multiple internal hosts to share a single public IP", the answer must involve PAT (NAT overload). If it mentions "one-to-one mapping", it is dynamic NAT without overload. If it says "static", it is static NAT.

Elimination strategy: When given a configuration, first check if ip nat inside and ip nat outside are present on the correct interfaces. Then check if the ACL matches the correct source network. Then look for the overload keyword. If any of these are missing, the configuration is incorrect.

Key Takeaways

PAT (NAT Overload) maps multiple private IPs to a single public IP using unique source port numbers.

The 'overload' keyword in 'ip nat inside source list' command enables PAT.

Default TCP translation timeout is 24 hours (86400 seconds); UDP timeout is 5 minutes (300 seconds).

Common verification commands: 'show ip nat translations', 'show ip nat statistics'.

Port exhaustion occurs when all usable ports on a public address (at most 65,535 per protocol) are in use, causing new connections to fail.

Interfaces must be marked with 'ip nat inside' and 'ip nat outside' for NAT to function.

PAT is used to conserve IPv4 addresses and is the normal way home and enterprise networks reach the IPv4 internet.

The translation table shows 'Inside global' (translated IP:port) and 'Inside local' (original IP:port).

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Static NAT

One-to-one fixed mapping between private and public IP.

Requires one public IP per internal host.

Used for inbound access to internal servers.

No port translation; entire IP is mapped.

Configuration: ip nat inside source static <private> <public>

PAT (NAT Overload)

Many-to-one mapping using port numbers.

One public IP supports many internal hosts.

Used for outbound internet access from many hosts.

Translates both IP and port.

Configuration: ip nat inside source list <acl> interface <int> overload

Dynamic NAT (without overload)

One-to-one dynamic mapping from a pool.

Each internal host gets a unique public IP from the pool.

Pool of public IPs required; size limits concurrent translations.

No port translation.

Configuration: ip nat inside source list <acl> pool <pool-name>

PAT (NAT Overload)

Many-to-one mapping using port numbers.

All internal hosts share one or few public IPs.

Only one public IP needed for many hosts.

Translates both IP and port.

Configuration: ip nat inside source list <acl> interface <int> overload

Watch Out for These

Mistake

PAT assigns a unique public IP address to each internal host.

Correct

PAT uses one public IP for all internal hosts and differentiates sessions by port numbers. Multiple hosts share the same public IP.

Candidates confuse PAT with dynamic NAT (one-to-one mapping).

Mistake

The 'show ip nat translations' output should show different inside global IPs for each translation.

Correct

In PAT, all translations show the same inside global IP but different port numbers. Different IPs indicate dynamic NAT without overload.

They expect each host to have its own public IP, not realizing port multiplexing.

Mistake

NAT works automatically without configuring interfaces.

Correct

Both inside and outside interfaces must be explicitly configured with 'ip nat inside' and 'ip nat outside' for NAT to process packets.

Candidates overlook this mandatory step.

Mistake

PAT can support an unlimited number of simultaneous connections.

Correct

PAT is limited by the number of available ports (65,535 per public IP). Each TCP/UDP session uses one port, so maximum ~65,535 simultaneous connections per IP.

They forget the port number is a 16-bit field.


Frequently Asked Questions

What is the difference between NAT and PAT?

NAT (Network Address Translation) is a general term for translating IP addresses. PAT (Port Address Translation) is a specific type of NAT that also translates port numbers to allow many private IPs to share a single public IP. In common Cisco terminology, 'NAT' often refers to static or dynamic NAT (one-to-one), while 'PAT' is NAT overload. The key difference: NAT changes only the IP address; PAT changes both the IP address and the port number.

How many simultaneous connections can PAT support?

Theoretically, PAT can support up to 65,535 simultaneous connections per public IP address because the port field is 16 bits (0-65535). Cisco IOS keeps a translated port in the same group as the original (1-511, 512-1023, 1024-65535), and ordinary client traffic uses ephemeral ports above 1023, so the range that matters in practice is 1024-65535, which is 64,512 ports. The real figure is lower still because an entry holds its port for the whole life of the session plus the idle timeout. If you have multiple public IPs in a pool, the port capacity multiplies (e.g., 2 IPs give roughly 129,000 usable ports).

What happens when PAT runs out of ports?

When all available ports are in use, the router cannot create new translations, so any new outbound connection attempt fails: the router drops the packet and the client sees a timeout. This condition is called port exhaustion. To mitigate, add more public IPs to the NAT pool, reduce translation timeouts so idle entries release their ports sooner, or put the heaviest traffic (for example web browsing) behind an application-layer proxy so it consumes fewer translations. On the CCNA exam, port exhaustion is a common troubleshooting scenario.

Does PAT work with ICMP?

Yes, PAT translates ICMP packets by using the ICMP query ID as the equivalent of a port number. Each ICMP echo request (ping) gets a unique ID, which the router maps in its translation table. The default timeout for ICMP translations is 60 seconds. This allows multiple pings from different internal hosts to share the same public IP.

What is the default timeout for TCP translations in PAT?

The default TCP translation timeout is 24 hours (86,400 seconds). However, if the router sees a TCP FIN or RST packet, the timeout is reduced to 60 seconds. This long default ensures that long-lived TCP sessions (like file transfers or database connections) are not prematurely terminated. You can adjust the timeout with the 'ip nat translation tcp-timeout' command.

How does PAT handle FTP traffic?

FTP can be problematic for PAT because FTP uses two connections: a control connection (port 21) and a separate data connection. In active mode the client tells the server, over the control channel, which address and port to connect back to, and the server opens the data connection from port 20; the announced address is the client's private IP, which a plain PAT router would not know how to translate. Cisco IOS uses an Application Layer Gateway (ALG) that inspects the FTP control traffic, rewrites the embedded address and port, and dynamically creates a NAT entry for the incoming data connection. This is enabled by default. In passive mode the client initiates the data connection to a port the server announces, so PAT handles it like any other outbound session.

Can I use PAT with multiple public IP addresses?

Yes, you can configure a NAT pool with multiple public IPs and use PAT over that pool. For example, you can define a pool with 5 IPs and use the 'overload' keyword. The router will assign each new translation to one of the pool IPs and a unique port. This increases the total number of available ports (5 * 65535) and provides some load distribution. The configuration uses 'ip nat pool' and then 'ip nat inside source list <acl> pool <pool-name> overload'.
