This chapter covers Network Address Translation (NAT) and Port Address Translation (PAT), essential technologies for conserving public IPv4 addresses and enabling private networks to communicate with the internet. Understanding NAT and PAT is critical for the N10-009 exam, as they appear in approximately 10-15% of questions, often in the context of configuration, troubleshooting, and security implications. We will explore the mechanisms, types, configuration commands, and common pitfalls you must master to succeed.
NAT is like a company with one public phone number and 200 employees with internal extensions. When an employee calls out, the receptionist records which extension placed the call (e.g., extension 101) and replaces the internal extension with the company's public number (e.g., 555-1234). The receptionist also assigns a temporary port number (like a call ID) to distinguish multiple simultaneous calls. When the response comes back to the company number, the receptionist checks her log to see which extension was associated with that call ID and routes the call to the correct extension. From outside, nobody can dial employees directly—they only ever see the company number. If two employees call the same external number at the same time, the receptionist uses different call IDs to keep the conversations separate. PAT (Port Address Translation) is the same, but the receptionist also changes the employee's extension number to a different one in the log if needed, using the call ID to track the mapping. Without the log, the receptionist wouldn't know where to route incoming calls, just as without the NAT table, a router wouldn't know which internal host to forward a reply to.
What is NAT and Why Does It Exist?
Network Address Translation (NAT) is defined in RFC 2663 and RFC 3022. It allows multiple devices on a private network (using RFC 1918 addresses like 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) to share a single public IPv4 address (or a pool of addresses) when communicating with external networks, primarily the internet. The primary driver for NAT is IPv4 address exhaustion—there are not enough public IPv4 addresses to assign a unique one to every device. NAT also provides a basic layer of security by hiding internal IP addresses from external hosts, making direct inbound connections difficult.
How NAT Works Internally
When a host on a private network sends a packet to an external destination, the NAT-capable router (often the default gateway) intercepts the packet. The router modifies the source IP address (and optionally the source port) in the IP header to its own public IP address (or one from its pool). It also recalculates the IP header checksum and, for TCP/UDP, the transport layer checksum. The router then creates an entry in its NAT translation table mapping the internal private IP:port to the public IP:port. When a response returns, the router looks up the destination IP:port in its translation table, forwards the packet to the original internal host, and reverses the address/port modifications.
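The checksum step in the paragraph above is easy to gloss over, so here is an added example (not code from the original page) that shows it concretely: an IPv4 header is built, its source address is rewritten the way a NAT device does on the outbound path, and the header checksum is fixed both by full recomputation and by the RFC 1624 incremental update. The addresses and header fields are constructed sample values; the only assumptions are the standard library modules used.

```python
# Added example (not from the original page): what "recalculates the IP header
# checksum" means. A NAT device that rewrites the source address must also fix
# the header checksum, either by recomputing it over the whole header or with
# the RFC 1624 incremental update. All addresses and header fields are
# constructed sample values.
import struct
import ipaddress


def ipv4_checksum(header: bytes) -> int:
    """Ones'-complement sum of 16-bit words (RFC 791), returned complemented."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int = 6, payload_len: int = 20) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct checksum."""
    hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,            # version 4, IHL 5 (20 bytes)
        0,               # DSCP/ECN
        20 + payload_len,
        0x1234,          # identification (constructed)
        0x4000,          # flags: DF set, fragment offset 0
        64,              # TTL
        proto,           # 6 = TCP
        0,               # checksum placeholder
        ipaddress.IPv4Address(src).packed,
        ipaddress.IPv4Address(dst).packed,
    )
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def header_is_valid(header: bytes) -> bool:
    """A receiver sums the header including its checksum field; a valid header sums to zero."""
    return ipv4_checksum(header) == 0


def src_of(header: bytes) -> str:
    return str(ipaddress.IPv4Address(header[12:16]))


def naive_rewrite(header: bytes, new_src: str) -> bytes:
    """Swap the source address but leave the old checksum in place (the bug a NAT must not have)."""
    return header[:12] + ipaddress.IPv4Address(new_src).packed + header[16:]


def rewrite_source_full(header: bytes, new_src: str) -> bytes:
    """Outbound NAT step: swap the source address, zero the checksum, recompute it from scratch."""
    new = naive_rewrite(header, new_src)
    new = new[:10] + b"\x00\x00" + new[12:]
    return new[:10] + struct.pack("!H", ipv4_checksum(new)) + new[12:]


def incremental_checksum(old_csum: int, old_words, new_words) -> int:
    """RFC 1624 eq. 3: HC' = ~(~HC + ~m + m') for each changed 16-bit word m -> m'."""
    total = (~old_csum) & 0xFFFF
    for m, m_new in zip(old_words, new_words):
        total += ((~m) & 0xFFFF) + m_new
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def rewrite_source_incremental(header: bytes, new_src: str) -> bytes:
    """Same outbound step, but the checksum is updated from the two changed words only
    (how fast-path NAT implementations avoid re-reading the whole header)."""
    old_words = struct.unpack("!HH", header[12:16])
    new_packed = ipaddress.IPv4Address(new_src).packed
    new_words = struct.unpack("!HH", new_packed)
    old_csum = struct.unpack("!H", header[10:12])[0]
    new_csum = incremental_checksum(old_csum, old_words, new_words)
    return header[:10] + struct.pack("!H", new_csum) + new_packed + header[16:]


if __name__ == "__main__":
    h = build_ipv4_header("192.168.1.10", "8.8.8.8")
    print("original valid:", header_is_valid(h))
    print("naive rewrite valid:", header_is_valid(naive_rewrite(h, "203.0.113.1")))
    print("full recompute valid:", header_is_valid(rewrite_source_full(h, "203.0.113.1")))
    print("incremental == full:",
          rewrite_source_incremental(h, "203.0.113.1") == rewrite_source_full(h, "203.0.113.1"))
```

The same idea applies one layer up: the TCP and UDP checksums cover a pseudo-header that includes both IP addresses, which is why the paragraph says the transport checksum is recalculated as well, and why a NAT device that only fixed the IP header would produce packets the destination host silently discards.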
Key Components and Values
Inside Local: The IP address of the internal host as seen from inside the network (e.g., 192.168.1.10).
Inside Global: The IP address of the internal host as seen from outside (e.g., 203.0.113.5).
Outside Local: The IP address of the external host as seen from inside (often the same as Outside Global).
Outside Global: The IP address of the external host as seen from outside (e.g., 8.8.8.8).
NAT Table: A dynamic or static mapping between inside local and inside global addresses. The table size is limited by router memory; the default timeout for dynamic entries is typically 24 hours (but can be as low as 60 seconds, e.g., for UDP DNS entries).
Port Numbers: For PAT, the router uses a unique source port (e.g., 1024-65535) to distinguish sessions. Cisco IOS reserves ports 1-511 for system use and 512-1023 for special services, but PAT typically uses ports 1024-65535.
Types of NAT
Static NAT: A one-to-one mapping between a private IP and a public IP. Used when an internal server (e.g., web server) must be accessible from the internet. Example: 192.168.1.10 always maps to 203.0.113.10. This does not conserve IP addresses but allows inbound connections.
Dynamic NAT: Maps a private IP to a public IP from a pool on a first-come, first-served basis. When the pool is exhausted, new hosts cannot translate. This conserves addresses if not all hosts need simultaneous access.
PAT (Port Address Translation) / NAT Overload: Maps multiple private IPs to a single public IP by using different source ports. This is the most common form of NAT used in home and small office routers. It allows hundreds of internal hosts to share one public IP.
Configuration and Verification Commands (Cisco IOS)
Static NAT:
ip nat inside source static 192.168.1.10 203.0.113.10
Dynamic NAT with a pool:
ip nat pool MYPOOL 203.0.113.1 203.0.113.10 netmask 255.255.255.240
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 pool MYPOOL
PAT (NAT Overload):
ip nat inside source list 1 interface GigabitEthernet0/0 overload
Each of these also requires the inside and outside interfaces to be designated in interface configuration mode (ip nat inside on the LAN-facing interface, ip nat outside on the internet-facing one); without that, no translation occurs at all.
Verification commands:
- show ip nat translations – displays active translations.
- show ip nat statistics – shows hit/miss counts, pool usage, and number of translations.
- debug ip nat – real-time translation events (use cautiously in production).
Interaction with Related Technologies
ACLs: NAT uses ACLs to identify which traffic should be translated. Misconfigured ACLs are a common cause of NAT failures.
Routing: NAT changes the IP header; therefore, the router must have a route to the destination network. The public IP used for translation must be routable.
Firewalls: NAT is often performed on firewalls (e.g., ASA, FortiGate). Stateful firewalls track NAT sessions and automatically allow return traffic.
VPN: NAT can interfere with IPsec VPNs: AH integrity-protects the IP header that NAT rewrites, and ESP carries no transport-layer port numbers for PAT to track. The solution is NAT-T (NAT Traversal, RFC 3947), which encapsulates ESP in UDP port 4500.
Defaults and Timers
Cisco IOS default NAT translation timeout for TCP is 24 hours (86400 seconds).
For UDP, the default is 300 seconds (5 minutes).
For ICMP, the default is 60 seconds.
These can be adjusted with ip nat translation timeout commands.
Troubleshooting Common Issues
No translation entry: Check ACL, pool exhaustion, or routing.
Inbound connections failing: Static NAT or port forwarding required.
NAT and DNS: DNS resolution may return a public IP that is not reachable from inside (split DNS or DNS doctoring may be needed).
NAT and applications: Some applications embed IP addresses in the payload (e.g., FTP active mode, SIP). Application Layer Gateway (ALG) functions are required to fix these.
Exam Tip
On the N10-009 exam, you will be asked to identify the correct NAT type given a scenario, interpret a NAT table, or troubleshoot why translation is not occurring. Know the difference between static, dynamic, and PAT, and remember that PAT uses port numbers to multiplex sessions.
Host Sends Packet to Internet
An internal host with IP 192.168.1.10 sends a TCP SYN packet to an external web server at 8.8.8.8:80. The source IP is 192.168.1.10 and source port is 12345. The packet is forwarded to the default gateway (the NAT router).
NAT Router Intercepts Packet
The router receives the packet on its inside interface (e.g., GigabitEthernet0/1). It checks whether the packet matches an ACL that triggers NAT. If yes, the router looks for an existing translation entry for (192.168.1.10, 12345). If none exists, it creates a new entry.
Router Creates Translation Entry
For PAT, the router selects a unique global port (e.g., 40001) and uses its public IP (e.g., 203.0.113.1). The translation table entry is: inside local (192.168.1.10:12345) -> inside global (203.0.113.1:40001). A timer starts (default 86400s for TCP).
Router Modifies Packet and Forwards
The router rewrites the source IP to 203.0.113.1 and source port to 40001. It recalculates the IP header checksum and TCP checksum. The packet is then forwarded out the outside interface (e.g., GigabitEthernet0/0) toward the destination.
Response Packet Arrives at Router
The web server responds to 203.0.113.1:40001. The router receives the packet on its outside interface. It looks up the destination IP:port in the NAT table and finds the mapping to 192.168.1.10:12345.
Router Reverses Translation and Delivers
The router rewrites the destination IP to 192.168.1.10 and destination port to 12345. It recalculates checksums and forwards the packet out the inside interface. The internal host receives the packet as if it came from 8.8.8.8:80.
Translation Entry Times Out or is Cleared
When the session ends (e.g., the TCP FIN exchange is seen) or no traffic for it is seen for the idle timeout period, the router removes the translation entry. The global port 40001 becomes available for reuse. On the exam, know that UDP and ICMP have shorter timers.
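To make the seven steps above concrete, here is an added example (not code from the original page) that models a PAT translation table in Python: it allocates a global port per session, translates outbound packets, reverse-translates inbound ones, drops inbound packets that have no entry (the reason PAT alone stops unsolicited inbound connections), supports a static port forward for the server case, and ages entries out using the timers the page lists. Everything (addresses, ports, timestamps) is constructed; the `now` argument is passed in explicitly so the timers are deterministic rather than wall-clock based.

```python
# Added example (not from the original page): a small model of the PAT
# translation table that walks through the steps above: allocate a global
# port, translate outbound, reverse-translate inbound, drop unsolicited
# inbound packets that have no entry, and age entries out. All addresses,
# ports and timestamps are constructed; 'now' is passed in so the timers
# are deterministic.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Cisco IOS default idle timeouts quoted on the page, in seconds.
TIMEOUTS = {"tcp": 86400, "udp": 300, "icmp": 60}


@dataclass
class Entry:
    proto: str
    inside_local: Tuple[str, int]    # private IP, source port (or ICMP ID)
    inside_global: Tuple[str, int]   # public IP, translated port
    last_seen: float
    static: bool = False             # static PAT / port forward never ages out


class PatRouter:
    def __init__(self, public_ip: str, first_port: int = 1024, last_port: int = 65535):
        self.public_ip = public_ip
        self.first_port, self.last_port = first_port, last_port
        self.next_port = first_port
        self.by_local: Dict[Tuple[str, str, int], Entry] = {}   # (proto, local ip, local port)
        self.by_global: Dict[Tuple[str, int], Entry] = {}       # (proto, global port)

    def _allocate_port(self, proto: str) -> Optional[int]:
        """Next free global port for this protocol, wrapping round; None on exhaustion."""
        span = self.last_port - self.first_port + 1
        for i in range(span):
            port = self.first_port + (self.next_port - self.first_port + i) % span
            if (proto, port) not in self.by_global:
                self.next_port = self.first_port + (port - self.first_port + 1) % span
                return port
        return None

    def add_static(self, proto: str, local_ip: str, local_port: int, global_port: int) -> None:
        """Static PAT (port forward): the only way an outside host can reach an inside server."""
        entry = Entry(proto, (local_ip, local_port), (self.public_ip, global_port), 0.0, static=True)
        self.by_local[(proto, local_ip, local_port)] = entry
        self.by_global[(proto, global_port)] = entry

    def outbound(self, proto: str, src_ip: str, src_port: int, now: float) -> Optional[Tuple[str, int]]:
        """Steps 2-4: reuse or create an entry and return the inside global address:port to
        write into the packet. Returns None when no global port is free (port exhaustion)."""
        key = (proto, src_ip, src_port)
        entry = self.by_local.get(key)
        if entry is None:
            port = self._allocate_port(proto)
            if port is None:
                return None
            entry = Entry(proto, (src_ip, src_port), (self.public_ip, port), now)
            self.by_local[key] = entry
            self.by_global[(proto, port)] = entry
        entry.last_seen = now
        return entry.inside_global

    def inbound(self, proto: str, dst_port: int, now: float) -> Optional[Tuple[str, int]]:
        """Steps 5-6: look up the destination port; None means the packet is dropped because
        no inside host ever opened that session (why PAT alone blocks unsolicited inbound)."""
        entry = self.by_global.get((proto, dst_port))
        if entry is None:
            return None
        entry.last_seen = now
        return entry.inside_local

    def expire(self, now: float) -> int:
        """Step 7: remove dynamic entries idle longer than their protocol's timeout, freeing the port."""
        stale = [e for e in self.by_global.values()
                 if not e.static and now - e.last_seen > TIMEOUTS[e.proto]]
        for e in stale:
            del self.by_global[(e.proto, e.inside_global[1])]
            del self.by_local[(e.proto, e.inside_local[0], e.inside_local[1])]
        return len(stale)

    def translations(self) -> list:
        """Rows in the column order of 'show ip nat translations': Pro, Inside global, Inside local."""
        return sorted((e.proto, "%s:%d" % e.inside_global, "%s:%d" % e.inside_local)
                      for e in self.by_global.values())


if __name__ == "__main__":
    r = PatRouter("203.0.113.1")
    print(r.outbound("tcp", "192.168.1.10", 12345, 0.0))   # ('203.0.113.1', 1024)
    print(r.outbound("tcp", "192.168.1.11", 12345, 1.0))   # same source port, different global port
    print(r.inbound("tcp", 1024, 2.0))                     # ('192.168.1.10', 12345)
    print(r.inbound("tcp", 5000, 2.0))                     # None: no entry, packet dropped
    print(r.expire(90000.0), "entries aged out")
```

Two things the model makes visible that the prose only states: two inside hosts using the same source port get different global ports, and a small port range (pass `first_port` and `last_port`) shows port exhaustion as `outbound` returning `None`, which on a real device is the point where new sessions start failing silently.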
Enterprise Internet Connectivity with PAT
In a typical enterprise with 500 employees, each with a laptop and phone, the organization might have a /28 subnet of public IPs (16 addresses, 14 usable). Using PAT on the border firewall (e.g., Cisco ASA or Palo Alto), all internal hosts share a single public IP (or a small pool) for outbound internet access. The firewall translates source ports to track sessions. This conserves public IPs and simplifies routing. In production, engineers must monitor the NAT table size: a large enterprise can have millions of simultaneous translations, requiring high-memory appliances. Common issues include port exhaustion (all 65,535 ports used) and application failures due to ALG limitations. For example, active FTP requires the firewall to inspect and rewrite the PORT command; if ALG is disabled, transfers fail.
Static NAT for Public Servers
An organization hosts a web server at 192.168.1.100 and an email server at 192.168.1.101. They have two public IPs: 203.0.113.10 and 203.0.113.11. Static NAT maps each private IP to a dedicated public IP. The firewall also allows inbound traffic on ports 80/443 for the web server and 25/587 for the email server. This setup is common in small-to-medium businesses. Misconfiguration occurs when the static NAT entry is missing or the ACL does not permit inbound traffic—resulting in unreachable servers. Engineers use show ip nat translations and packet captures to verify.
Carrier-Grade NAT (CGNAT) for ISPs
ISPs use CGNAT (RFC 6598) to share a single public IP among hundreds of customers. They assign customers private IPs from 100.64.0.0/10 and translate them to a pool of public IPs. This extends IPv4 life but introduces challenges: customers cannot port forward, and some applications (like gaming or VoIP) may suffer from double NAT. Engineers must configure logging of translations for law enforcement and troubleshoot issues like broken peer-to-peer connections. CGNAT requires robust hardware to handle millions of concurrent sessions.
Exam Objective N10-009 1.4: Given a scenario, configure and deploy network services (including NAT/PAT).
The exam tests your ability to:
Identify the correct NAT type (static, dynamic, PAT) for a given scenario.
Interpret a NAT translation table output.
Troubleshoot why translation is not occurring (ACL, pool exhaustion, routing).
Understand the implications of NAT on applications (FTP, SIP, IPsec).
Common Wrong Answers and Traps
Confusing Dynamic NAT with PAT: A candidate sees "multiple internal hosts share one public IP" and selects dynamic NAT. Wrong—that's PAT. Dynamic NAT uses a pool and one-to-one mapping, not port multiplexing.
Assuming NAT always provides security: While NAT hides internal IPs, it is not a firewall. The exam may test that NAT alone does not block inbound traffic; an ACL or firewall rule is required.
Incorrectly identifying inside local vs. inside global: On the exam, you may be given a translation table and asked which IP is the inside local. Remember: inside local is the private IP of the host.
Forgetting that PAT uses port numbers: A question may describe a scenario with 200 hosts but only one public IP. The correct answer is PAT (overload), not static or dynamic NAT.
Specific Numbers and Values to Memorize
RFC 1918 address ranges: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16.
Default NAT timeout values: TCP 24 hours, UDP 5 minutes, ICMP 60 seconds.
PAT port range typically 1024-65535.
CGNAT address range: 100.64.0.0/10.
Edge Cases the Exam Loves
NAT and DNS: An internal user tries to access a server that has a public DNS record pointing to its public IP. Without DNS doctoring or split DNS, the traffic must hairpin through the NAT device (NAT loopback), which not every device supports. The exam may ask how to fix this.
NAT overload with same source port: If two internal hosts use the same source port (e.g., 80), PAT assigns different global ports. The exam may test that the router uses a unique port per session.
NAT and ICMP: ICMP echo requests (pings) are translated using ICMP ID as the port-like identifier. The exam expects you to know that PAT works for ICMP.
How to Eliminate Wrong Answers
If the scenario mentions "multiple hosts sharing one IP" and "port numbers," eliminate static and dynamic NAT—choose PAT.
If the scenario requires an external host to initiate a connection to an internal server, eliminate PAT and dynamic NAT (unless port forwarding is configured)—choose static NAT.
If the question asks about "conserving IPv4 addresses," PAT is the most efficient.
If the translation table shows a one-to-one mapping without port numbers, it's static or dynamic NAT (not PAT).
NAT translates private IPs to public IPs; PAT uses port numbers to multiplex many sessions on one IP.
Static NAT is one-to-one and allows inbound connections; dynamic NAT uses a pool; PAT is the most common for outbound access.
Default NAT timeouts: TCP 86400s, UDP 300s, ICMP 60s.
RFC 1918 private ranges: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16.
NAT does not provide inherent security; ACLs or firewalls are needed.
Common troubleshooting commands: show ip nat translations, show ip nat statistics, debug ip nat.
PAT can exhaust port numbers (65,535 per public IP) in high-traffic environments.
NAT breaks applications that embed IP addresses in payload (e.g., FTP, SIP); ALG or NAT helper is required.
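Several of the points above (reading inside local against inside global, telling a one-to-one entry from a PAT entry, and spotting port exhaustion) come down to reading `show ip nat translations` output. The following added example (not code from the original page) parses that output in the Cisco IOS column layout. The SAMPLE text is a constructed excerpt, not output captured from a real device, and the helper names are my own; the layout it assumes is the five-column form shown on the page's own verification commands.

```python
# Added example (not from the original page): parsing 'show ip nat translations'
# output so that the columns the exam asks about (inside local vs inside global),
# the NAT type, and per-public-IP port usage can be read off programmatically.
# SAMPLE is a constructed excerpt in the Cisco IOS column layout, not output
# captured from a real device.
from collections import Counter
from typing import Dict, List, Optional, Tuple

SAMPLE = """\
Pro Inside global         Inside local          Outside local         Outside global
tcp 203.0.113.1:40001     192.168.1.10:12345    8.8.8.8:80            8.8.8.8:80
tcp 203.0.113.1:40002     192.168.1.11:12345    8.8.8.8:80            8.8.8.8:80
udp 203.0.113.1:40003     192.168.1.10:53000    198.51.100.53:53      198.51.100.53:53
icmp 203.0.113.1:1        192.168.1.12:1        8.8.8.8:1             8.8.8.8:1
--- 203.0.113.10          192.168.1.100         ---                   ---
"""

PAT_PORT_POOL = 65535 - 1024 + 1   # usable global ports per public IP (1024-65535)


def split_addr(field: str) -> Tuple[Optional[str], Optional[int]]:
    """'203.0.113.1:40001' -> ('203.0.113.1', 40001); '203.0.113.10' -> (ip, None); '---' -> (None, None)."""
    if field == "---":
        return None, None
    if ":" in field:
        ip, port = field.rsplit(":", 1)
        return ip, int(port)
    return field, None


def parse_translations(text: str) -> List[Dict]:
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] == "Pro":
            continue  # header line or a wrapped/continuation line
        pro, ig, il, ol, og = parts
        rows.append({
            "proto": None if pro == "---" else pro,
            "inside_global": split_addr(ig),
            "inside_local": split_addr(il),
            "outside_local": split_addr(ol),
            "outside_global": split_addr(og),
        })
    return rows


def classify(row: Dict) -> str:
    """Port present on the inside global side -> PAT; bare IP-to-IP row -> one-to-one (static or dynamic NAT)."""
    return "pat" if row["inside_global"][1] is not None else "one-to-one"


def attribute(rows, proto, global_ip, global_port) -> Optional[Tuple[str, int]]:
    """Map an externally observed public IP:port (e.g. from an abuse report) back to the inside host."""
    for row in rows:
        if row["proto"] == proto and row["inside_global"] == (global_ip, global_port):
            return row["inside_local"]
    return None


def ports_in_use(rows) -> Dict[str, int]:
    """Translated ports per public IP; compare with PAT_PORT_POOL to spot exhaustion."""
    return dict(Counter(r["inside_global"][0] for r in rows if classify(r) == "pat"))


def exhaustion_warnings(rows, threshold: float = 0.9) -> List[str]:
    """Public IPs whose PAT port usage is at or above the given fraction of the pool."""
    return ["%s: %d of %d ports in use" % (ip, n, PAT_PORT_POOL)
            for ip, n in ports_in_use(rows).items() if n / PAT_PORT_POOL >= threshold]


if __name__ == "__main__":
    rows = parse_translations(SAMPLE)
    for r in rows:
        print(classify(r), r["inside_global"], "<-", r["inside_local"])
    print(attribute(rows, "tcp", "203.0.113.1", 40002))
    print(ports_in_use(rows))
```

The `attribute` function is the operational side of the exam point about inside local vs. inside global: when an outside party reports activity from a public IP and port, the NAT table (or its logs, since entries age out) is the only record that ties it back to an internal host. A bare IP-to-IP row cannot be labelled static or dynamic from this output alone, which is why `classify` reports it as one-to-one.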
These come up on the exam all the time. Here's how to tell them apart.
Static NAT
One-to-one fixed mapping between private and public IP.
Configured manually; does not change over time.
Allows inbound connections from the internet to internal servers.
Does not conserve public IPs (one private IP uses one public IP).
Requires a dedicated public IP for each internal host.
Dynamic NAT
One-to-one mapping from a pool of public IPs, assigned on demand.
Automatic; router selects an available public IP from the pool.
Inbound connections are not possible unless a static mapping is also configured.
Conserves public IPs if not all hosts need simultaneous access.
When the pool is exhausted, new hosts cannot translate.
PAT (NAT Overload)
Maps multiple private IPs to a single public IP using unique port numbers.
Highly efficient for IPv4 conservation (one public IP can serve thousands of hosts).
Inbound connections require port forwarding (static PAT).
Uses source port numbers to distinguish sessions.
Default timeout for TCP is 24 hours; UDP 5 minutes.
Dynamic NAT
Maps private IPs to public IPs from a pool; one-to-one per session.
Less efficient: each active host consumes one public IP.
Inbound connections generally not possible without static NAT.
Does not use port multiplexing; only IP address translation.
Pool exhaustion prevents new translations.
Mistake
NAT provides complete security like a firewall.
Correct
NAT does not inspect application-layer traffic or maintain a stateful session table like a firewall. It only translates addresses. Security is achieved through ACLs or firewall rules in addition to NAT.
Mistake
Dynamic NAT and PAT are the same thing.
Correct
Dynamic NAT maps a private IP to a public IP from a pool without port multiplexing. PAT (overload) maps multiple private IPs to a single public IP using different ports. They are different mechanisms.
Mistake
NAT breaks all peer-to-peer applications.
Correct
NAT can interfere with peer-to-peer, but techniques like UPnP, STUN, and NAT-PMP can help. Not all applications break; many work fine with PAT.
Mistake
A home router uses static NAT for internet access.
Correct
Home routers overwhelmingly use PAT (NAT overload) to allow multiple devices to share one public IP. Static NAT is rare in home environments.
Mistake
NAT translations last forever.
Correct
NAT entries have timeouts. Defaults: TCP 24 hours, UDP 5 minutes, ICMP 60 seconds. Entries are removed after inactivity or when the session ends.
NAT (Network Address Translation) translates private IP addresses to public IP addresses. PAT (Port Address Translation), also known as NAT overload, is a type of NAT that also translates the source port number to allow multiple private IPs to share a single public IP. PAT is the most common form used in home routers.
Use the command `ip nat inside source static [private-ip] [public-ip]` in global configuration mode. For example: `ip nat inside source static 192.168.1.10 203.0.113.10`. Then assign the inside and outside interfaces with `ip nat inside` and `ip nat outside`.
The default timeout for TCP NAT translations is 24 hours (86400 seconds). This can be changed with the command `ip nat translation timeout seconds`.
NAT is primarily for IPv4. IPv6 has enough addresses that NAT is not needed. However, NAT66 (NAT for IPv6) exists but is rarely used. The N10-009 exam focuses on NAT for IPv4.
Active FTP uses the PORT command to tell the server which IP and port to connect back to. The client sends its private IP in the command, which the server cannot reach. An FTP ALG (Application Layer Gateway) on the NAT device rewrites the payload to the public IP, allowing the connection.
NAT loopback occurs when an internal host tries to reach another internal host using the public IP of the NAT router. The router must support hairpinning to forward the packet back inside. Some routers do not support this by default, causing connectivity issues.
Use `show ip nat translations` to view active translations. Use `show ip nat statistics` to see translation counts and pool usage. For real-time debugging, use `debug ip nat` (caution: can overwhelm the router).