NAT (Network Address Translation) is a cornerstone of modern IP networking, allowing private IP addresses to communicate with public networks. The CCNA 200-301 exam tests your ability to troubleshoot why NAT is not translating traffic — a skill that separates competent engineers from those who blindly configure and pray. Misconfigured NAT can silently drop traffic, causing users to lose connectivity while the network appears 'up.' This chapter covers exam objective 4.1, giving you the diagnostic toolkit to find and fix NAT failures quickly.
Imagine a large office building where every employee has an internal desk number (private IP). To send mail to the outside world, all mail must go through a central mailroom (the NAT router). The mailroom has a single public address (the outside interface IP) and a directory (the NAT translation table) that maps each employee's desk number to a temporary external mailbox number (the translated port). When an employee sends a letter, the mailroom writes down the mapping: 'Desk 10.0.0.5 used mailbox 203.0.113.1:1025 for the next 5 minutes.' If the directory is full (no available ports) or the mailroom forgets to record the mapping (missing ip nat inside/outside), the letter gets dropped. Worse, if the mailroom is told that incoming mail must go to a specific desk but the directory has no entry (no static NAT), the mail is returned to sender. Troubleshooting NAT is like checking each step: Is the mailroom staffed (NAT enabled)? Are desks labeled correctly (inside/outside interfaces)? Is the directory working (show ip nat translations)? Are there enough temporary mailboxes (NAT pool exhaustion)?
What is NAT and Why Does It Fail?
NAT (Network Address Translation) modifies IP addresses in packet headers as they traverse a router. The most common form is PAT (Port Address Translation), also called NAT overload, which maps multiple private IPs to a single public IP using unique port numbers. NAT is essential for IPv4 conservation, but it introduces complexity: if any piece is misconfigured, traffic silently drops.
Common Causes of NAT Failure
Missing ip nat inside/outside on interfaces – The router must know which interface connects to the private network (inside) and which to the public (outside). If you forget one, NAT won't apply.
Incorrect ACL for NAT – The access list used in ip nat inside source list must match the traffic you want to translate. A common mistake is using an ACL that permits the wrong source or denies the traffic.
NAT pool exhaustion – For dynamic NAT without overload, if the pool runs out of addresses, new translations fail. For PAT, if all available ports (typically 65,535 per IP) are used, new connections are dropped.
Routing issues – The NAT router must have a route back to the translated destination. For example, if you NAT inside traffic to a public IP, the router must know how to reach that public IP (usually via a default route).
NAT order of operations – Cisco routers process NAT before routing. If the ACL permits traffic but the route is missing, the packet will be NATed but then dropped because no route exists.
VLAN and subinterface misconfigurations – If using router-on-a-stick, the inside/outside commands must be on the correct subinterface.
Firewall or ACL blocking – Even if NAT works, an ACL on the outside interface might block the translated traffic.
Step-by-Step Packet Flow with NAT
Consider a host 192.168.1.10 sending a packet to 8.8.8.8 (Google DNS). The router has inside interface Gi0/0 (192.168.1.1) and outside interface Gi0/1 (203.0.113.1).
Host sends packet: src IP 192.168.1.10, dst IP 8.8.8.8.
Router receives on Gi0/0 (inside). It checks if NAT is configured: ip nat inside source list 1 interface Gi0/1 overload. ACL 1 permits 192.168.1.0/24.
Router creates a NAT entry: src IP 192.168.1.10:1234 becomes 203.0.113.1:5678 (random port).
Router changes source IP and port, recomputes checksum, and forwards out Gi0/1 (outside).
Return packet arrives on Gi0/1 with dst 203.0.113.1:5678. Router looks up translation table, finds entry, changes dst to 192.168.1.10:1234, and forwards inside.
If any step fails (no translation entry, wrong interface, ACL denies), the packet is dropped.
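The forward and return lookups in the steps above, as an added Python model that is not Cisco code and not part of the original page. It also reproduces PAT port exhaustion and the default TCP/UDP/DNS timeouts this chapter lists; the public IP, the ACL prefix, the port range and the timestamps are constructed, and the port is picked as the lowest free one rather than the way IOS picks it.

```python
import ipaddress
from dataclasses import dataclass, field
TCP_TIMEOUT, UDP_TIMEOUT, DNS_TIMEOUT = 86400, 300, 60   # the IOS defaults listed in this chapter, seconds

@dataclass
class Translation:
    inside_local: tuple     # (private ip, port) before translation
    outside_global: tuple   # (destination ip, port); PAT entries are extended, so this is part of the match
    expires: float          # absolute time at which the entry ages out

@dataclass
class PatRouter:
    """One outside IP shared by many inside hosts; the translated port tells the flows apart."""
    inside_global_ip: str
    acl: str                                    # e.g. "192.168.1.0/24", stands in for ACL 1 above
    free_ports: list = field(default_factory=lambda: list(range(1024, 65536)))
    table: dict = field(default_factory=dict)   # (inside_global_ip, port) -> Translation
    hits: int = 0                               # lookups that found an entry
    misses: int = 0                             # lookups that found none
    drops: list = field(default_factory=list)   # (address, reason) for every packet not forwarded

    def _timeout(self, proto, dst_port):
        if proto == "udp":
            return DNS_TIMEOUT if dst_port == 53 else UDP_TIMEOUT
        return TCP_TIMEOUT

    def _expire(self, now):
        """Age out entries and return their ports to the free list."""
        for key in [k for k, t in self.table.items() if t.expires <= now]:
            del self.table[key]
            self.free_ports.append(key[1])

    def outbound(self, proto, src, dst, now):
        """Inside -> outside. Returns the inside-global (ip, port) or None if the packet is dropped."""
        self._expire(now)
        if ipaddress.ip_address(src[0]) not in ipaddress.ip_network(self.acl):
            self.drops.append((src, "acl-no-match"))    # ACL does not match: never translated
            return None
        for key, t in self.table.items():
            if t.inside_local == src and t.outside_global == dst:
                self.hits += 1                          # existing entry: refresh its timer
                t.expires = now + self._timeout(proto, dst[1])
                return key
        self.misses += 1                                # no entry yet: one has to be created
        if not self.free_ports:                         # PAT port exhaustion (Scenario 1)
            self.drops.append((src, "port-exhausted"))
            return None
        key = (self.inside_global_ip, self.free_ports.pop(0))   # lowest free port (constructed choice)
        self.table[key] = Translation(src, dst, now + self._timeout(proto, dst[1]))
        return key

    def inbound(self, src, dst, now):
        """Outside -> inside. Only a reply to an existing entry, from the same outside host, gets in."""
        self._expire(now)
        t = self.table.get(dst)
        if t is None or t.outside_global != src:
            self.misses += 1
            self.drops.append((src, "no-translation"))  # unsolicited or expired: dropped at the edge
            return None
        self.hits += 1
        return t.inside_local
```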
Key Timers and Defaults
NAT translation timeout: 24 hours by default for dynamic entries. This can be changed with ip nat translation timeout seconds.
UDP timeout: 5 minutes (300 seconds).
DNS timeout: 1 minute (60 seconds).
TCP timeout: 24 hours, but can be reduced with ip nat translation tcp-timeout seconds.
Port range for PAT: 0-65535; Cisco reserves ports 0-511, and ports 512-1023 are sometimes avoided. Use ip nat pool with start-port and end-port for custom ranges.
IOS CLI Verification Commands
```
R1# show ip nat translations
Pro Inside global      Inside local        Outside local   Outside global
--- 203.0.113.1:5678   192.168.1.10:1234   8.8.8.8:53      8.8.8.8:53
```
If the table is empty, no traffic is being translated. Check the ACL hit count:
```
R1# show access-lists 1
Standard IP access list 1
    10 permit 192.168.1.0, wildcard bits 0.0.0.255 (5 matches)
```
If matches = 0, the ACL is not matching traffic. Check NAT statistics:
```
R1# show ip nat statistics
Total active translations: 1 (0 static, 1 dynamic; 1 extended)
Outside interfaces: GigabitEthernet0/1
Inside interfaces: GigabitEthernet0/0
Hits: 5  Misses: 0
CEF Translated packets: 5, CEF Punted packets: 0
Expired translations: 0
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 1 interface GigabitEthernet0/1 refcount 1
```
If 'Misses' is high, packets are arriving but no translation exists (e.g., no ACL match).
Common Misconfigurations
Using the wrong IP in the NAT pool: The pool must contain the outside interface's IP or a routable subnet. If you use a private IP in the pool, packets will be dropped.
Overloading without enough addresses: With overload, you can use one IP for many translations. But if you have multiple public IPs, the pool must be correct.
Static NAT with wrong inside/outside: Static NAT maps a specific inside IP to a specific outside IP. If you reverse the mapping, traffic goes to the wrong host.
Interaction with Routing and Firewalls
NAT happens before routing. After translation, the router performs a routing lookup on the destination. If no route exists, the packet is dropped. Also, any ACL applied on the outside interface (inbound) will see the translated source IP. If the ACL denies that IP, the return traffic is blocked.
Verify NAT interfaces
Use `show running-config | include ip nat` to see if `ip nat inside` and `ip nat outside` are configured on the correct interfaces. A common mistake is putting both on the same interface or missing one entirely. For example:
```
interface GigabitEthernet0/0
 ip nat inside
!
interface GigabitEthernet0/1
 ip nat outside
```
If you see only one, add the missing command. Also verify the interface IP addresses are correct with `show ip interface brief`.
Check the NAT ACL
The ACL in `ip nat inside source list <acl>` must match the source IPs of inside traffic. Use `show access-lists <acl>` to see match counts. If matches are 0, the ACL is too restrictive or the wrong list is referenced. For example:
```
ip nat inside source list 1 interface GigabitEthernet0/1 overload
access-list 1 permit 192.168.1.0 0.0.0.255
```
If you need to translate all inside traffic, ensure the ACL permits the entire subnet. Also check for implicit deny: if no permit matches, all traffic is denied.
View NAT translations
Run `show ip nat translations` to see active entries. If empty, no traffic is being translated. Then use `debug ip nat` (with caution on production) to see real-time translations:
```
R1# debug ip nat
NAT: s=192.168.1.10->203.0.113.1, d=8.8.8.8 [0]
```
If you see 's=...->...' but no output for return traffic, the translation is created but return packets may be blocked. Also check `show ip nat statistics` for hits vs misses.
Test connectivity end-to-end
From an inside host, ping an external IP (e.g., 8.8.8.8). If ping fails, check if the router can reach the destination: `ping 8.8.8.8` from the router. If the router can ping but the host cannot, NAT is likely the issue. Use extended ping from the router with source inside interface to simulate host traffic. Also verify that the outside interface has a route to the destination (usually a default route).
Inspect routing and ACLs
After NAT, the router routes the packet. Use `show ip route` to confirm a route to the destination (e.g., default route). If missing, add `ip route 0.0.0.0 0.0.0.0 <next-hop>`. Also check ACLs on the outside interface inbound: `show ip interface GigabitEthernet0/1` shows if an ACL is applied. If so, ensure it permits the translated source IP and destination.
Verify NAT pool and overload
For dynamic NAT without overload, ensure the pool has enough addresses. Use `show ip nat pool <name>` to see free addresses. For overload, check if the router is using the correct interface IP. A common error: using `ip nat inside source list 1 pool MYPOOL` but forgetting `overload`. This causes translation failures when the pool is exhausted. Also verify that the pool IPs are routable (not private).
Enterprise Scenario 1: Branch Office with PAT Exhaustion
A branch office with 200 users shares a single public IP via PAT. During peak hours, users report they cannot access external websites. The network engineer checks show ip nat translations and sees thousands of entries. The problem is PAT port exhaustion: the router has used all available ports (65,535) for active connections. The solution is to either reduce the TCP timeout (ip nat translation tcp-timeout 300) or add a second public IP to the pool with overload. In production, you might configure ip nat pool PUBLIC 203.0.113.1 203.0.113.2 netmask 255.255.255.248 and reference it with overload.
Enterprise Scenario 2: Static NAT for a Public Server
A company hosts a web server at 192.168.1.100 and wants it accessible via public IP 203.0.113.10. The engineer configures ip nat inside source static 192.168.1.100 203.0.113.10. But external users cannot reach the server. Troubleshooting reveals that the router's outside interface is 203.0.113.1, but the static NAT maps to a different IP. The key is that the static NAT IP must be a routable IP that the router owns (e.g., a secondary IP on the outside interface or a loopback). Also, the router must have a route for the public IP if it's not directly connected. A common fix is to add the public IP as a secondary address: ip address 203.0.113.10 255.255.255.248 secondary.
Enterprise Scenario 3: NAT with VPN Overlap
Two companies merge and have overlapping private IP ranges (192.168.1.0/24). They use NAT to translate one side's addresses before sending over a VPN. The engineer configures NAT on the router at Site A to translate 192.168.1.0/24 to 10.0.0.0/24. But traffic fails because the ACL permits the original source, not the translated. The correct approach is to use route-map with NAT to selectively translate only traffic destined to the VPN. Misconfiguration leads to asymmetric routing or dropped packets. In production, always test with a single host first.
What the 200-301 Exam Tests
Exam objective 4.1 covers 'Troubleshoot NAT and NTP.' For NAT, you must be able to identify why traffic is not being translated using show commands. Expect scenario-based questions where you are given a topology, partial configurations, and symptoms. You must choose the correct corrective action.
Common Wrong Answers and Why
'The ACL is missing the permit any statement' – This is wrong because the ACL only needs to permit the specific inside networks. Adding permit any would translate all traffic, which might be the intent but is not the only fix.
'The inside and outside interfaces are reversed' – While possible, the exam often presents a configuration where only one interface is missing the ip nat command. Candidates jump to swapping them instead of checking both.
'The NAT pool is exhausted' – This is a valid cause, but candidates often choose it when the real issue is a missing route or ACL. Always check show ip nat statistics for misses.
'The router needs a default route' – This is often the actual fix, but candidates overlook it because they focus on NAT. Remember: NAT translates the source, but the router still needs to route the destination.
Specific Values and Commands
Default NAT timeout: 24 hours (86400 seconds).
Default UDP timeout: 5 minutes (300 seconds).
Default DNS timeout: 1 minute (60 seconds).
Command to clear translations: clear ip nat translation *.
Command to verify translations: show ip nat translations.
Command to verify ACL hits: show access-lists.
Decision Rule for Scenario Questions
When given a NAT troubleshooting question, follow this order:
1. Check if ip nat inside and ip nat outside are on the correct interfaces.
2. Check the ACL referenced in the NAT command – does it permit the inside source?
3. Check for a route to the destination.
4. Check for ACLs on the outside interface that might block traffic.
5. If all else fails, check for NAT pool exhaustion or port overload issues.
Use the process of elimination: if the symptom is 'no translation entries,' the problem is likely before translation (ACL or interfaces). If entries exist but no return traffic, the problem is after translation (routing or ACL).
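Checks 1 through 4 of that order, run offline against a running-config, as an added Python example that is not Cisco tooling and not from the original page. The config is constructed and deliberately carries three of the faults described in this chapter (no `ip nat outside`, an ACL for the wrong subnet, no default route); only network/wildcard ACL lines and the `list ... interface|pool` form of the NAT statement are parsed.

```python
import ipaddress, re
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 ip address 203.0.113.1 255.255.255.248
 ip access-group OUTSIDE-IN in
!
ip nat inside source list 1 interface GigabitEthernet0/1 overload
access-list 1 permit 192.168.2.0 0.0.0.255
"""

def acl_net(net, wild):
    """IOS network/wildcard pair -> ip_network (contiguous wildcards only)."""
    bits = int(ipaddress.IPv4Address(wild)).bit_length()
    return ipaddress.ip_network(f"{net}/{32 - bits}", strict=False)

def parse_interfaces(cfg):
    """{name: {'ip': ip_interface|None, 'nat': set of roles, 'acl_in': ACL name|None}}"""
    ifaces, cur = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            cur = ifaces.setdefault(line.split()[1], {"ip": None, "nat": set(), "acl_in": None})
        elif cur is None or not line.startswith(" "):
            cur = None                                  # '!' or a global command ends the block
        elif m := re.match(r" ip address (\S+) (\S+)$", line):
            cur["ip"] = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
        elif m := re.match(r" ip nat (inside|outside)$", line):
            cur["nat"].add(m[1])
        elif m := re.match(r" ip access-group (\S+) in$", line):
            cur["acl_in"] = m[1]
    return ifaces

def check_nat(cfg):
    """Apply checks 1-4 of the decision rule in order; returns the findings (empty = nothing found)."""
    ifaces, findings = parse_interfaces(cfg), []
    roles = {r: [n for n, i in ifaces.items() if r in i["nat"]] for r in ("inside", "outside")}
    # 1. both 'ip nat inside' and 'ip nat outside' must be present
    findings += [f"no interface has 'ip nat {r}'" for r, names in roles.items() if not names]
    # 2. the ACL the NAT statement references must permit each inside subnet
    nat = re.search(r"^ip nat inside source list (\S+) ", cfg, re.M)
    if not nat:
        return findings + ["no 'ip nat inside source list' statement"]
    acl = nat[1]                                        # network/wildcard permit lines only
    permits = [acl_net(n, w) for n, w in
               re.findall(rf"^access-list {re.escape(acl)} permit (\d\S*) (\S+)$", cfg, re.M)]
    for name in roles["inside"]:
        net = ifaces[name]["ip"].network if ifaces[name]["ip"] else None
        if net and not any(net.subnet_of(p) for p in permits):      # implicit deny: no translation
            findings.append(f"access-list {acl} does not permit {net} (inside {name})")
    # 3. a route toward the destination, normally a default route
    if not re.search(r"^ip route 0\.0\.0\.0 0\.0\.0\.0 ", cfg, re.M):
        findings.append("no default route: packets have nowhere to go after translation")
    # 4. an inbound ACL on the outside interface sees the translated source address
    findings += [f"{n} applies {ifaces[n]['acl_in']} inbound: confirm it permits return traffic"
                 for n in roles["outside"] if ifaces[n]["acl_in"]]
    return findings
```

Findings come back in checklist order, so the first one is the place to start; an empty list for the checks it covers leaves pool or port exhaustion (step 5) as the remaining suspect.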
NAT requires both `ip nat inside` and `ip nat outside` on the correct interfaces; missing one is the most common misconfiguration.
The ACL in `ip nat inside source list` must match the source IPs of inside traffic; use `show access-lists` to verify hit counts.
Default NAT timeout for TCP is 24 hours; for UDP it is 5 minutes; for DNS it is 1 minute.
Use `show ip nat translations` to see active entries; an empty table means no traffic is being translated.
NAT happens before routing; ensure the router has a route to the destination after translation.
PAT overload uses port numbers; exhaustion occurs when all 65,535 ports are used per public IP.
The command `debug ip nat` shows real-time translation events; use with caution in production.
These come up on the exam all the time. Here's how to tell them apart.
Static NAT
One-to-one fixed mapping between inside local and global addresses.
Used for servers that need consistent public IP access.
Configured with `ip nat inside source static`.
No timeout; mapping is permanent until removed.
Does not conserve public IPs; each host needs a unique public IP.
Dynamic NAT (with overload)
Many-to-one mapping using port numbers (PAT).
Used for client devices that initiate outbound connections.
Configured with `ip nat inside source list <acl> interface <int> overload`.
Translations time out (default 24 hours for TCP).
Conserves public IPs; many hosts share one public IP.
Mistake
NAT configuration only requires `ip nat inside` on the inside interface.
Correct
Both `ip nat inside` and `ip nat outside` are required on their respective interfaces. Without `ip nat outside`, the router will not translate packets leaving that interface.
Candidates often think only the inside interface needs marking because that's where private traffic originates.
Mistake
The ACL in the NAT command must permit the destination traffic, not the source.
Correct
The ACL matches the source IP of inside traffic before translation. It should permit the private IP ranges that need translation.
Candidates confuse NAT ACLs with interface ACLs, which filter based on destination.
Mistake
Dynamic NAT with overload requires a pool of public IPs.
Correct
Overload (PAT) can use a single public IP (the outside interface IP) by referencing `interface` instead of a pool. A pool is only needed for multiple public IPs.
The term 'pool' suggests multiple addresses, but PAT can work with one.
Mistake
If NAT translations appear, the problem must be routing.
Correct
Translations can appear but return traffic may be blocked by an ACL or missing route. Always check both directions.
Candidates see entries and assume NAT works, ignoring post-NAT issues.
First, verify that both `ip nat inside` and `ip nat outside` are configured on the correct interfaces. Use `show running-config | section interface` to check. Next, ensure the ACL referenced in the NAT command matches the source IP of your inside traffic. Use `show access-lists` to see match counts. If matches are 0, the ACL is too restrictive. Also, confirm that the router has a route to the destination; if not, packets are dropped before translation. Finally, use `debug ip nat` to see if the router sees the packets. Remember, NAT only translates packets that enter the inside interface and exit the outside interface.
The first command uses PAT (Port Address Translation) with the IP address of the outside interface (Gi0/1). It allows many inside hosts to share a single public IP by using unique port numbers. The second command uses a pool of public IPs (MYPOOL) for dynamic NAT, which can be one-to-one or with overload if you add the `overload` keyword. Without `overload`, each inside host uses a unique public IP from the pool, which can exhaust quickly. For the exam, remember that `overload` is what enables PAT.
Use the command `clear ip nat translation *` to clear all dynamic translations. This is useful when testing or when translations are stuck. Note that static NAT entries are not cleared by this command. You can also clear specific entries with `clear ip nat translation inside global <ip> local <ip>`. Be cautious in production, as clearing translations will drop active connections.
Yes, if traffic goes through one router for outbound (which does NAT) and returns through another router that does not have the NAT translation, the return traffic will be dropped. This is common in multi-homed networks. To fix, ensure that all traffic for a given flow goes through the same NAT router, or use stateful NAT solutions like Cisco's NAT with route maps and policy routing.
The default timeout for TCP translations is 24 hours (86400 seconds). For UDP, it is 5 minutes (300 seconds). For DNS, it is 1 minute (60 seconds). These can be changed with `ip nat translation timeout`, `ip nat translation udp-timeout`, and `ip nat translation dns-timeout` respectively. On the exam, know these defaults.
If 'Misses' is 0, it means the router has not seen any packets that need translation but fail to match. However, if 'Hits' is also 0, it means no packets have been processed by NAT at all. This indicates that either the inside interface is not receiving traffic, or the ACL is not matching. Check interface status and ACL match counts. If 'Hits' is non-zero but translations are missing, the translations may have expired quickly (e.g., UDP timeout).
Use static NAT: `ip nat inside source static <private-ip> <public-ip>`. For example: `ip nat inside source static 192.168.1.10 203.0.113.10`. Ensure the public IP is owned by the router (e.g., as a secondary IP on the outside interface). Also, configure an ACL on the outside interface to permit inbound traffic to that public IP. Finally, make sure the server's default gateway points to the router's inside interface.