N10-009 | Chapter 17 of 163 | Objective 2.6

NAT and PAT Implementation

This chapter covers Network Address Translation (NAT) and Port Address Translation (PAT)—cornerstone technologies for conserving public IPv4 addresses and enabling private network connectivity to the internet. On the N10-009 exam, NAT/PAT concepts typically appear in 5–10% of questions, often in the context of troubleshooting connectivity issues or interpreting router configurations. You will need to understand the differences between static NAT, dynamic NAT, and PAT, how translation tables work, and common misconfigurations that break communication.

25 min read
Intermediate
Updated May 31, 2026

The Company Switchboard Operator

Imagine a company with one public phone number but 200 employees, each with a private extension (like 201, 202, etc.). The receptionist operates a switchboard that connects internal calls to the outside world. When employee 201 calls a customer, the receptionist notes that extension 201 placed the call and replaces the caller ID with the company’s public number. She also logs the destination number and the internal extension in a call log. When the customer returns the call, the receptionist checks the log to find which extension made the original call and routes the incoming call to extension 201. From the outside, callers never know the internal extensions—they only see the company number. If a new employee calls out, the receptionist assigns the next available public number from a pool (if multiple public lines exist) or uses the single number with a different source port to distinguish sessions. This is exactly how NAT/PAT works: the router (receptionist) translates private IPs to a public IP (or pool), tracks sessions in a translation table (call log), and rewrites packets so external devices respond to the public address, which the router then forwards to the correct internal host.

How It Actually Works

What is NAT and Why Does It Exist?

Network Address Translation (NAT) is a method defined in RFC 1631 (and later RFC 2663) that allows a router to translate private IP addresses (as defined in RFC 1918) into public IP addresses. The primary driver for NAT is the exhaustion of IPv4 addresses. Without NAT, every device on a private network would need a globally unique public IP, which is impractical. NAT enables multiple devices to share a single public IP (or a small pool of public IPs) by modifying the source IP address in outgoing packets and tracking the translations.

How NAT Works at the Packet Level

When a host on a private network (e.g., 192.168.1.10) sends a packet to a public destination (e.g., 8.8.8.8), the NAT router intercepts the packet before forwarding it out the public interface. The router:

Replaces the source IP address (192.168.1.10) with its own public IP (e.g., 203.0.113.1).

For PAT, it also changes the source TCP/UDP port to a unique port number from a pool (e.g., 1024–65535).

Creates an entry in the NAT translation table (also called the NAT state table) that maps the internal IP:port to the external IP:port.

Recomputes the IP header checksum and, if applicable, the TCP/UDP checksum (since the pseudo-header changes).

When the response returns (e.g., from 8.8.8.8 to 203.0.113.1:12345), the router looks up the destination IP and port in the translation table to find the original internal host and port. It then reverses the translation: rewrites the destination IP to 192.168.1.10 and the destination port back to the original source port, recalculates checksums, and forwards the packet to the internal host.
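The checksum step is the one most often glossed over, so here is an added example (not from this chapter) that builds a constructed IPv4/UDP packet from 192.168.1.10:5000 to 8.8.8.8:53, rewrites its source to 203.0.113.1:12345 the way a PAT router does on egress, and checks that both the IP header checksum and the UDP checksum (which covers a pseudo-header containing the source IP) come out wrong unless they are recomputed. The payload and the destination port 53 are constructed; the addresses and ports are the chapter's own.

```python
import struct
import ipaddress

# Constructed addresses: the inside host, public IP and ports the chapter uses.
INSIDE_SRC, INSIDE_SPORT = "192.168.1.10", 5000
PUBLIC_SRC, GLOBAL_SPORT = "203.0.113.1", 12345
DST, DPORT = "8.8.8.8", 53


def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: ones'-complement of the 16-bit ones'-complement sum."""
    if len(data) % 2:
        data += b"\x00"                      # odd length: pad with a zero byte
    total = sum(word for (word,) in struct.iter_unpack("!H", data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, payload_len: int, proto: int = 17) -> bytes:
    """20-byte IPv4 header (no options) with its header checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def pseudo_header(src: str, dst: str, udp_len: int) -> bytes:
    """The IPv4 pseudo-header the UDP checksum covers (RFC 768). It contains the
    source IP, which is why NAT must recompute the transport checksum too."""
    return (ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
            + struct.pack("!BBH", 0, 17, udp_len))


def build_udp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """UDP header + payload, checksum computed over pseudo-header + segment."""
    seg = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    csum = checksum(pseudo_header(src, dst, len(seg)) + seg) or 0xFFFF  # UDP sends 0 as 0xFFFF
    return seg[:6] + struct.pack("!H", csum) + seg[8:]


def build_packet(src: str, sport: int, dst: str, dport: int, payload: bytes) -> bytes:
    udp = build_udp(src, dst, sport, dport, payload)
    return build_ipv4_header(src, dst, len(udp)) + udp


def nat_rewrite_source(packet: bytes, new_src: str, new_sport: int) -> bytes:
    """Egress PAT: rewrite source IP and port, then recompute both checksums."""
    ip_hdr, udp = packet[:20], packet[20:]
    dst = str(ipaddress.IPv4Address(ip_hdr[16:20]))
    dport = struct.unpack("!H", udp[2:4])[0]
    return build_packet(new_src, new_sport, dst, dport, udp[8:])


def naive_rewrite_source(packet: bytes, new_src: str, new_sport: int) -> bytes:
    """The mistake: patch address and port bytes but leave both checksums untouched."""
    return (packet[:12] + ipaddress.IPv4Address(new_src).packed + packet[16:20]
            + struct.pack("!H", new_sport) + packet[22:])


def ip_header_valid(packet: bytes) -> bool:
    """A header carrying the right checksum re-checksums to zero."""
    return checksum(packet[:20]) == 0


def udp_valid(packet: bytes) -> bool:
    src = str(ipaddress.IPv4Address(packet[12:16]))
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    udp = packet[20:]
    return checksum(pseudo_header(src, dst, len(udp)) + udp) == 0


def checksums(packet: bytes):
    """(IP header checksum, UDP checksum) as carried in the packet."""
    return struct.unpack("!H", packet[10:12])[0], struct.unpack("!H", packet[30:32])[0]


def demo():
    original = build_packet(INSIDE_SRC, INSIDE_SPORT, DST, DPORT, b"constructed payload")
    translated = nat_rewrite_source(original, PUBLIC_SRC, GLOBAL_SPORT)
    naive = naive_rewrite_source(original, PUBLIC_SRC, GLOBAL_SPORT)
    return original, translated, naive


if __name__ == "__main__":
    for name, pkt in zip(("original", "translated", "naive"), demo()):
        ip_csum, udp_csum = checksums(pkt)
        print(f"{name:10} ip=0x{ip_csum:04x} udp=0x{udp_csum:04x} "
              f"ip_valid={ip_header_valid(pkt)} udp_valid={udp_valid(pkt)}")
```

The `naive` packet is what a receiver sees if a translator forgets step 4: the IP header fails its checksum at the first hop and the UDP segment fails at the destination, so the packet is silently discarded. Real routers often update the checksums incrementally (RFC 1624) rather than recomputing from scratch; the result is the same.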

Types of NAT

Static NAT: A one-to-one mapping between a private IP and a public IP. The mapping is manually configured and remains constant. Used when an internal server (e.g., a web server) must be accessible from the internet via a fixed public IP. Static NAT does not conserve IP addresses but provides inbound accessibility.

Dynamic NAT: Maps private IPs to a pool of public IPs on a first-come, first-served basis. When a private host initiates an outbound connection, the router assigns an available public IP from the pool. Once the session ends, the public IP is returned to the pool. Dynamic NAT still requires at least as many public IPs as simultaneous outbound sessions.

PAT (Port Address Translation): Also known as NAT overload, PAT maps multiple private IPs to a single public IP by differentiating sessions based on source port numbers. The router assigns a unique source port for each session (e.g., 1024, 1025, …). PAT is the most common form of NAT used in home and enterprise networks because it allows hundreds of internal hosts to share one public IP.

Key Components, Values, and Defaults

- RFC 1918 Private Address Ranges:
  - 10.0.0.0/8 (10.0.0.0 – 10.255.255.255)
  - 172.16.0.0/12 (172.16.0.0 – 172.31.255.255)
  - 192.168.0.0/16 (192.168.0.0 – 192.168.255.255)
- PAT Port Range: Typically 1024–65535 (ephemeral ports). Some implementations use 1024–65535 or 49152–65535 (RFC 6335).
- NAT Translation Table Entry: Contains inside local IP:port, inside global IP:port, outside global IP:port, and outside local IP:port. For outbound traffic, inside local is the private address, inside global is the translated public address, outside global is the destination public address, and outside local is usually the same as outside global (unless additional translation occurs).
- Timeouts:
  - UDP NAT timeout: default 30 seconds (varies by vendor; Cisco uses 30s for UDP, 60s for TCP established, 10s for TCP SYN).
  - ICMP NAT timeout: default 10 seconds.
  - DNS timeout: often 5 seconds.

Configuration and Verification Commands (Cisco IOS)

- Static NAT:

ip nat inside source static 192.168.1.10 203.0.113.10
interface GigabitEthernet0/0
 ip nat inside
interface GigabitEthernet0/1
 ip nat outside

- Dynamic NAT with a pool:

ip nat pool MYPOOL 203.0.113.20 203.0.113.30 netmask 255.255.255.0
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 pool MYPOOL

- PAT (overload):

ip nat inside source list 1 interface GigabitEthernet0/1 overload

- Verification:

show ip nat translations
show ip nat statistics
debug ip nat
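Reading the translation table is both an exam skill and a day-one troubleshooting skill. The following added example (not part of the chapter, and not a Cisco tool) parses a constructed sample laid out like the output of `show ip nat translations` and summarises it: which inside hosts hold the most dynamic entries, and how much of the PAT port range on one inside global address is in use. The sample rows, the second inside host 192.168.1.20, the outside host 198.51.100.7 and the assumed 1024–65535 port range are all constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the column layout of 'show ip nat translations'.
# Addresses follow the chapter; the ports and the extra hosts are made up.
SAMPLE_OUTPUT = """\
Pro Inside global         Inside local          Outside local         Outside global
tcp 203.0.113.1:12345     192.168.1.10:5000     8.8.8.8:80            8.8.8.8:80
udp 203.0.113.1:12346     192.168.1.10:5001     8.8.8.8:53            8.8.8.8:53
tcp 203.0.113.1:12347     192.168.1.20:40000    198.51.100.7:443      198.51.100.7:443
--- 203.0.113.10          192.168.1.10          ---                   ---
"""

KNOWN_PROTOCOLS = ("tcp", "udp", "icmp", "---")   # '---' marks an address-only static entry


@dataclass(frozen=True)
class Endpoint:
    ip: str
    port: Optional[int]          # None for the address-only static entry


@dataclass(frozen=True)
class Translation:
    proto: Optional[str]         # None when the Pro column is '---'
    inside_global: Endpoint
    inside_local: Endpoint
    outside_local: Optional[Endpoint]
    outside_global: Optional[Endpoint]

    @property
    def is_static(self) -> bool:
        return self.proto is None


def parse_endpoint(token: str) -> Optional[Endpoint]:
    """'1.2.3.4:80' -> Endpoint; '1.2.3.4' -> address-only; '---' -> None."""
    if token == "---":
        return None
    ip, sep, port = token.partition(":")
    return Endpoint(ip, int(port) if sep else None)


def parse_translations(text: str) -> List[Translation]:
    """Turn the table into Translation records; the header line is skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] not in KNOWN_PROTOCOLS:
            continue
        proto, ig, il, ol, og = fields
        entries.append(Translation(None if proto == "---" else proto,
                                   parse_endpoint(ig), parse_endpoint(il),
                                   parse_endpoint(ol), parse_endpoint(og)))
    return entries


def sessions_per_inside_host(entries: List[Translation]) -> Counter:
    """Dynamic (PAT) entries per inside local IP: the hosts consuming global ports."""
    return Counter(e.inside_local.ip for e in entries if not e.is_static)


def global_ports_in_use(entries: List[Translation], inside_global_ip: str) -> List[int]:
    """Ports on one inside global address currently held by dynamic entries."""
    return sorted(e.inside_global.port for e in entries
                  if not e.is_static and e.inside_global.ip == inside_global_ip)


def port_pool_utilization(entries: List[Translation], inside_global_ip: str,
                          low: int = 1024, high: int = 65535) -> float:
    """Fraction of the PAT port range in use; close to 1.0 means new sessions will fail."""
    return len(global_ports_in_use(entries, inside_global_ip)) / (high - low + 1)


if __name__ == "__main__":
    table = parse_translations(SAMPLE_OUTPUT)
    print(f"{len(table)} entries, {sum(e.is_static for e in table)} static")
    print("sessions per inside host:", dict(sessions_per_inside_host(table)))
    print("203.0.113.1 ports in use:", global_ports_in_use(table, "203.0.113.1"))
    print(f"pool utilization: {port_pool_utilization(table, '203.0.113.1'):.5%}")
```

The static row is recognisable by `---` in the protocol and outside columns and by the absence of ports; dynamic PAT rows always carry a port on the inside global side, which is what the utilization figure counts. Column widths in real IOS output vary, so the parser splits on whitespace rather than fixed offsets.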

Interaction with Related Technologies

ACLs: NAT and ACLs interact when filtering translated traffic. The ACL that defines which traffic to translate (the "inside source list") must permit the private source addresses. Additionally, ACLs applied to the outside interface should permit the translated public IP (not the private IP).

Routing: NAT changes the source or destination IP, so routing decisions are made after translation. For outbound traffic, the router routes based on the destination (unchanged), but the source is rewritten. For inbound traffic, the router must have a route to the destination (the inside global IP) before translation—often a route to the public IP pointing to the inside interface.

DNS: NAT can cause issues with DNS if an internal server is reachable by both public and private IPs. DNS views or split DNS may be needed to return the correct IP based on the requester.

VPNs: NAT can interfere with VPN protocols like IPsec, especially when AH (Authentication Header) is used because NAT modifies the IP header, breaking the integrity check. NAT traversal (NAT-T) is used to encapsulate IPsec in UDP to avoid this.

Common Pitfalls

Insufficient port pool: PAT can exhaust port ranges if many sessions are opened, causing new sessions to fail. The symptom is intermittent connectivity.

NAT64/464XLAT: For IPv6-only networks, NAT64 translates IPv6 to IPv4. The N10-009 exam may touch on this as a transition mechanism, but the focus is on IPv4 NAT.

Hairpinning: When an internal host tries to reach another internal host via the public IP, the NAT router must support hairpin NAT (NAT loopback) to forward the traffic back inside. Not all routers do this by default.

Walk-Through

1. Packet arrives at inside interface

A host on the private network (e.g., 192.168.1.10:5000) sends a packet to a public destination (e.g., 8.8.8.8:80). The router receives this packet on its inside interface (configured with 'ip nat inside'). The router checks if the source IP matches an access list or static mapping that triggers NAT. If it does, the router proceeds to the translation step.

2. Router checks NAT translation table

The router looks up the tuple (source IP, source port, protocol) in its NAT translation table. If an existing translation entry is found (e.g., from a previous session that hasn't timed out), the router uses that mapping. For PAT, if no entry exists, the router allocates a new global port from the pool and creates a new entry. The entry includes: inside local (192.168.1.10:5000), inside global (203.0.113.1:12345), outside global (8.8.8.8:80), and outside local (8.8.8.8:80).

3. Packet translation and checksum recalculation

The router rewrites the source IP address to the public IP (203.0.113.1) and the source port to the assigned global port (12345). The IP header checksum is recalculated because the source IP changed. For TCP and UDP, the checksum covers a pseudo-header that includes the source IP, so the transport layer checksum must also be recalculated. The router then forwards the packet out the outside interface.

4. Response packet arrives at outside interface

The destination server responds to the translated source (203.0.113.1:12345). The packet arrives at the router's outside interface. The router examines the destination IP and port and looks up the translation table to find the corresponding inside local address. If no match is found, the packet is dropped (no unsolicited inbound traffic).

5. Reverse translation and forwarding to inside host

The router rewrites the destination IP to 192.168.1.10 and the destination port to 5000. It recalculates checksums and forwards the packet out the inside interface to the original host. The host receives the packet as if it came directly from the server, unaware that NAT occurred.
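The five steps of this walk-through, together with the earlier section "How NAT Works at the Packet Level", describe a small state machine, and writing it down makes the table semantics concrete. The following added example (not from the chapter) simulates a PAT router in Python: outbound packets whose source is in RFC 1918 space (standing in for the inside ACL) get a table entry and a global port, replies are reverse-translated by looking up the inside global port, unsolicited inbound traffic is dropped, idle entries expire on the chapter's Cisco timeouts, and a full port pool raises an error. Entries are keyed on protocol, inside local and outside global, so a reply from a different outside host to the same global port is dropped; that behaviour, the two-port pool and the flows in `run_scenario` are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# RFC 1918 ranges stand in for the 'ip nat inside source list' ACL in this example.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


@dataclass(frozen=True)
class Flow:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class Entry:
    inside_local: Tuple[str, int]
    inside_global: Tuple[str, int]
    outside_global: Tuple[str, int]
    proto: str
    last_seen: float


class PortExhausted(Exception):
    """No free global port for this protocol: the 'insufficient port pool' pitfall."""


class PatRouter:
    def __init__(self, outside_ip: str, port_range=(1024, 65535), timeouts=None):
        self.outside_ip = outside_ip
        self.port_low, self.port_high = port_range
        # Idle timeouts (seconds) using the Cisco values the chapter quotes.
        self.timeouts = timeouts or {"tcp": 60, "udp": 30, "icmp": 10}
        # (proto, inside local ip, inside local port, outside ip, outside port) -> Entry
        self._by_inside: Dict[tuple, Entry] = {}
        # (proto, inside global port, outside ip, outside port) -> Entry
        self._by_global: Dict[tuple, Entry] = {}

    def _allocate_port(self, proto: str) -> Optional[int]:
        """Lowest free port in the range; each protocol has its own port space."""
        in_use = {k[1] for k in self._by_global if k[0] == proto}
        return next((p for p in range(self.port_low, self.port_high + 1) if p not in in_use), None)

    def expire(self, now: float) -> None:
        """Drop entries idle longer than their protocol timeout, freeing their ports."""
        for key, e in list(self._by_inside.items()):
            if now - e.last_seen > self.timeouts[e.proto]:
                del self._by_inside[key]
                del self._by_global[(e.proto, e.inside_global[1]) + e.outside_global]

    def translate_outbound(self, f: Flow, now: float) -> Optional[Flow]:
        """Steps 1-3: packet on the inside interface. Returns the flow as it leaves the
        outside interface, or None when the source is not in the inside list."""
        if not is_rfc1918(f.src_ip):
            return None
        self.expire(now)
        key = (f.proto, f.src_ip, f.src_port, f.dst_ip, f.dst_port)
        e = self._by_inside.get(key)
        if e is None:
            port = self._allocate_port(f.proto)
            if port is None:
                raise PortExhausted(f"no free {f.proto} port on {self.outside_ip}")
            e = Entry((f.src_ip, f.src_port), (self.outside_ip, port),
                      (f.dst_ip, f.dst_port), f.proto, now)
            self._by_inside[key] = e
            self._by_global[(f.proto, port, f.dst_ip, f.dst_port)] = e
        e.last_seen = now
        return Flow(f.proto, self.outside_ip, e.inside_global[1], f.dst_ip, f.dst_port)

    def translate_inbound(self, f: Flow, now: float) -> Optional[Flow]:
        """Steps 4-5: reply on the outside interface. Returns the flow delivered inside,
        or None (drop) when nothing matches, i.e. unsolicited inbound traffic."""
        self.expire(now)
        e = self._by_global.get((f.proto, f.dst_port, f.src_ip, f.src_port))
        if f.dst_ip != self.outside_ip or e is None:
            return None
        e.last_seen = now
        return Flow(f.proto, f.src_ip, f.src_port, *e.inside_local)


def run_scenario() -> dict:
    """Constructed walk-through with a two-port pool so exhaustion and expiry are visible."""
    r = PatRouter("203.0.113.1", port_range=(1024, 1025))
    f1 = Flow("tcp", "192.168.1.10", 5000, "8.8.8.8", 80)
    f2 = Flow("tcp", "192.168.1.11", 5000, "8.8.8.8", 80)
    f3 = Flow("tcp", "192.168.1.12", 5000, "8.8.8.8", 80)
    out = {}
    out["first"] = r.translate_outbound(f1, now=0)       # new entry, global port 1024
    out["repeat"] = r.translate_outbound(f1, now=5)      # existing entry reused
    out["second"] = r.translate_outbound(f2, now=5)      # global port 1025
    try:
        r.translate_outbound(f3, now=5)
        out["exhausted"] = False
    except PortExhausted:
        out["exhausted"] = True                          # pool of two is full
    out["reply"] = r.translate_inbound(Flow("tcp", "8.8.8.8", 80, "203.0.113.1", 1024), now=6)
    out["unsolicited"] = r.translate_inbound(Flow("tcp", "198.51.100.7", 443, "203.0.113.1", 1024), now=6)
    out["not_in_acl"] = r.translate_outbound(Flow("tcp", "203.0.113.50", 4000, "8.8.8.8", 80), now=6)
    out["late_reply"] = r.translate_inbound(Flow("tcp", "8.8.8.8", 80, "203.0.113.1", 1024), now=100)
    out["after_expiry"] = r.translate_outbound(f3, now=100)  # TCP entries timed out, 1024 is free again
    return out
```

Two details worth noticing: the RFC 1918 check is written out explicitly rather than using `ipaddress`'s `is_private`, because that property also treats documentation ranges such as 203.0.113.0/24 as private and would wrongly match the router's own public address; and `late_reply` shows the flip side of timeouts, where a server's reply to a session that idled past the timeout is dropped as unsolicited, which is exactly the intermittent-connectivity symptom the chapter describes for exhausted or expired entries.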

What This Looks Like on the Job

Enterprise Scenarios

1. Branch Office Internet Access with PAT

A company with 500 employees in a branch uses a single public IP from their ISP. The edge router is configured with PAT (overload) to allow all internal users to browse the web. The router's NAT pool is just one IP: the interface address. The ACL permits the entire internal subnet (e.g., 10.10.0.0/16). The administrator must ensure the port pool is large enough—PAT can theoretically support up to 65,535 concurrent sessions per public IP, but real-world limits are lower due to memory and CPU. Common issues: running out of ports if users open many connections (e.g., peer-to-peer apps). The fix is to increase the port range or add a second public IP.

2. Static NAT for a Public Web Server

An internal web server at 192.168.1.100 must be reachable from the internet via a fixed public IP (203.0.113.100). The administrator configures a static NAT mapping: 'ip nat inside source static 192.168.1.100 203.0.113.100'. Additionally, an ACL on the outside interface permits inbound HTTP/HTTPS traffic to 203.0.113.100. Without static NAT, inbound connections would fail because the router has no translation entry for unsolicited traffic. A common misconfiguration is forgetting to set the inside and outside interfaces, causing the router to not translate.

3. NAT with Redundancy (HSRP)

In a high-availability setup, two routers share a virtual IP (HSRP) for the public gateway. NAT configurations must be consistent across both routers. When a failover occurs, the active router must rebuild NAT translation entries, which can disrupt active sessions. Stateful NAT failover (e.g., using Cisco's NAT HA) synchronizes the translation table between routers, but requires extra configuration. Without stateful failover, all TCP connections break during failover, which is acceptable for stateless protocols like HTTP but problematic for long-lived connections like SSH.

How N10-009 Actually Tests This

Exam Focus for N10-009

Objective 2.6: Given a scenario, implement network address translation (NAT) and port address translation (PAT). The exam expects you to:

Differentiate between static NAT, dynamic NAT, and PAT.

Understand the purpose of NAT (IPv4 conservation, security through obscurity).

Identify correct placement of 'ip nat inside' and 'ip nat outside' on interfaces.

Interpret output from 'show ip nat translations' and 'show ip nat statistics'.

Troubleshoot scenarios where NAT is misconfigured (e.g., missing ACL, wrong interface, port exhaustion).

Common Wrong Answers and Why Candidates Choose Them

1. "PAT uses a pool of public IPs" – This is wrong because PAT typically uses a single public IP (or interface IP) and differentiates by port. Dynamic NAT uses a pool. Candidates confuse the two.

2. "Static NAT is used for outbound traffic" – Static NAT is primarily for inbound access to internal servers. For outbound, PAT is more common. Candidates assume static means permanent for outbound.

3. "NAT provides security by encrypting packets" – NAT does not encrypt; it only translates addresses. Security is a side effect (hiding internal IPs), not encryption. Candidates overstate NAT's security role.

4. "NAT works with IPv6" – Standard NAT is for IPv4. IPv6 uses NPTv6 or NAT66, but the exam focuses on IPv4 NAT. Candidates may think NAT is protocol-agnostic.

Specific Numbers and Terms

- RFC 1918 private ranges: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16.
- Default UDP NAT timeout: 30 seconds (Cisco).
- Port range for PAT: 1024–65535 (or 49152–65535).
- Command 'ip nat inside source list <acl> interface <int> overload' for PAT.

Edge Cases

- NAT and overlapping networks: When two merged companies use the same private subnet, NAT can translate one side to a different range (NAT with route maps).
- NAT and IPsec: AH fails with NAT; ESP with NAT-T works.
- NAT and DNS: An internal host trying to reach an internal server by its public FQDN may fail if hairpin NAT is not configured.

Eliminating Wrong Answers

For a question like "Which NAT type allows multiple internal hosts to share a single public IP?" eliminate answers that mention pools (dynamic NAT) or one-to-one mapping (static NAT). The correct answer is PAT (overload).

Key Takeaways

NAT translates private IPv4 addresses to public IPv4 addresses (RFC 1918 private ranges: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16).

PAT (NAT overload) uses source port numbers to multiplex many private hosts behind a single public IP.

Static NAT provides fixed one-to-one mapping for inbound access to internal servers.

Dynamic NAT uses a pool of public IPs; each private host gets a temporary public IP from the pool.

Default UDP NAT timeout is 30 seconds (Cisco); TCP established timeout is 60 seconds.

The command 'ip nat inside source list <acl> interface <int> overload' enables PAT on Cisco routers.

NAT breaks protocols that embed IP addresses in the payload (e.g., FTP); use NAT ALG or passive mode.

NAT does not provide encryption or authentication; it only hides internal IP addresses.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Static NAT

One-to-one mapping of private to public IP.

Requires one public IP per internal host.

Used for inbound access to servers.

Translation is permanent until removed.

Does not conserve public IP addresses.

PAT (Overload)

Many-to-one mapping using ports.

Conserves public IPs; many hosts share one IP.

Primarily for outbound traffic.

Translation entries are dynamic and time out.

Supports thousands of concurrent sessions per public IP.

Watch Out for These

Mistake

NAT provides encryption and authentication.

Correct

NAT does not encrypt or authenticate. It only modifies IP addresses and ports. Security is limited to hiding internal addresses; it does not replace a firewall or VPN.

Mistake

Dynamic NAT is the same as PAT.

Correct

Dynamic NAT maps private IPs to a pool of public IPs, but each session uses a different public IP. PAT maps many private IPs to a single public IP using different ports. They are different.

Mistake

PAT can support unlimited concurrent sessions.

Correct

PAT is limited by the number of available ports (65,535 per public IP, minus reserved ports). In practice, memory and CPU also limit the translation table size.

Mistake

Static NAT allows any internal host to initiate outbound connections.

Correct

Static NAT creates a permanent one-to-one mapping. Outbound connections work, but the main purpose is to allow inbound connections to a specific internal host.

Mistake

NAT breaks all application protocols.

Correct

NAT breaks protocols that embed IP addresses in the payload (e.g., FTP, SIP). ALGs or NAT helpers are needed for those protocols. Many modern applications (HTTP, HTTPS) work fine.


Frequently Asked Questions

What is the difference between NAT and PAT?

NAT (Network Address Translation) translates IP addresses between private and public networks. PAT (Port Address Translation) is a type of NAT that also translates port numbers, allowing multiple internal hosts to share a single public IP. In common usage, 'NAT' often refers to PAT, but technically NAT includes static and dynamic NAT without port translation.

How do I configure PAT on a Cisco router?

Use the command 'ip nat inside source list <acl> interface <interface> overload'. First, define an ACL to match private IPs (e.g., 'access-list 1 permit 192.168.1.0 0.0.0.255'). Then apply 'ip nat inside' on the internal interface and 'ip nat outside' on the external interface. The 'overload' keyword enables PAT.

Why does NAT break FTP?

FTP uses two connections: control (port 21) and data (port 20). In active mode, the server initiates a data connection to the client's IP address, but the client's IP is private after NAT. The server tries to connect to the private IP, which fails. Passive mode helps because the client initiates the data connection. NAT ALG (Application Layer Gateway) can also fix this by rewriting FTP control messages.

What is NAT hairpinning?

NAT hairpinning (or NAT loopback) allows an internal host to access another internal host using the public IP address of the destination. Without it, traffic from inside to the public IP would be sent to the router and then dropped because the destination is the router's own public IP. Hairpinning forwards the traffic back inside after translation.

How do I verify NAT translations?

Use 'show ip nat translations' to view the current translation table. 'show ip nat statistics' shows counts of translations, hits, misses, and expired entries. 'debug ip nat' provides real-time translation events (use with caution in production).

What is the default timeout for UDP NAT entries?

On Cisco routers, the default UDP timeout is 30 seconds. This means a UDP translation entry is removed 30 seconds after the last packet. ICMP timeout is 10 seconds, and TCP established timeout is 60 seconds. These can be adjusted with 'ip nat translation timeout'.

Can NAT work with IPv6?

Standard NAT is designed for IPv4. IPv6 has a huge address space, so NAT is not needed for address conservation. However, NAT66 (IPv6-to-IPv6 NAT) exists for network renumbering, and NPTv6 (Network Prefix Translation) translates prefixes without breaking end-to-end connectivity. The CompTIA Network+ exam focuses on IPv4 NAT.
