This chapter covers Network Address Translation (NAT) and Port Address Translation (PAT) troubleshooting, a critical skill for the N10-009 exam. NAT/PAT issues are a common source of connectivity problems in small-to-large networks. Approximately 10-15% of exam questions in the Network Troubleshooting domain involve NAT/PAT misconfigurations, address exhaustion, or asymmetric routing. Mastering this chapter will help you quickly identify and resolve these issues.
Imagine a company with one public phone number and 200 employees, each with an internal extension (e.g., 101, 102). When an employee (internal host) wants to call an outside client (external host), they dial the client's number. The call goes to the company receptionist (NAT gateway). The receptionist records in a logbook: which extension placed the call, the client's number, and a temporary reference number (port number). She then places the call using the company's single public number, but with the reference number so the client knows which call it is. The client sees only the company number and the reference. When the client returns the call, the receptionist checks the logbook, finds the extension that placed the call, and routes it to the correct extension. Outsiders cannot call an extension directly because they only know the public number. If the logbook fills up (port exhaustion), new calls are blocked. This is exactly how NAT/PAT works: the gateway replaces the private source IP and port with its public IP and a unique port, maintains a translation table, and reverses the process on reply.
What is NAT and Why Does It Exist?
Network Address Translation (NAT) is defined in RFC 1631 and later updated by RFC 2663 and RFC 3022. NAT allows multiple devices on a private network (using RFC 1918 addresses: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) to share a single public IP address (or a small pool) to access the Internet. The primary reasons for NAT are:
IPv4 address conservation: Without NAT, every device needs a globally unique public IP.
Security: NAT hides internal IP addresses from external networks, providing a basic firewall effect.
Network migration: NAT allows renumbering internal networks without changing external connectivity.
How NAT Works Internally
NAT operates on a router or firewall. When a packet leaves the internal network, the NAT device changes the source IP address (and optionally the source port) to its own public IP (or one from a pool). It records the translation in a state table. When a reply packet arrives, the device looks up the destination IP and port in the table, reverses the translation, and forwards the packet to the original internal host.
For PAT (also called NAPT – Network Address Port Translation), the device also changes the source port to a unique value (e.g., 1025) so that many internal hosts can share a single public IP. The translation table includes:
Internal IP:Port
Public IP:Port
External IP:Port (optional for stateful filtering)
Protocol (TCP/UDP/ICMP)
Timers
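To make the state table concrete, here is an added example, written for this chapter and not taken from any vendor's code, that models a PAT gateway in Python: one public IP, a configurable port range, a separate port space per protocol, the idle timers quoted in this chapter, forward translation on the inside interface and reverse lookup on the outside interface. The public IP 203.0.113.1, the private hosts and the two-port range in the usage section are constructed values. A reverse lookup that finds no entry returns None, which is the fate of an unsolicited inbound packet and also of a reply whose outbound half went through a different NAT device.

```python
import time
from dataclasses import dataclass

# Constructed PAT (NAT overload) state-table model for this chapter; not vendor code.
# Timeouts are the defaults quoted in the chapter: TCP 24 h, UDP 5 min, ICMP up to 60 s.
TIMEOUTS = {"tcp": 24 * 3600, "udp": 5 * 60, "icmp": 60}


class PortExhausted(Exception):
    """No free port (or ICMP identifier) left in the pool: new sessions fail."""


@dataclass
class Entry:
    proto: str
    inside_local: tuple    # (private IP, source port / ICMP identifier)
    inside_global: tuple   # (public IP, translated port / identifier)
    outside: tuple         # (destination IP, port); outside local == outside global here
    last_seen: float       # drives the idle timer


class PatGateway:
    def __init__(self, public_ip, port_range=(1024, 65535), now=time.time):
        self.public_ip = public_ip
        self.lo, self.hi = port_range
        self.now = now                              # injectable clock so timers can be tested
        self.used = {p: set() for p in TIMEOUTS}    # allocated ports, one space per protocol
        self.by_inside = {}                         # (proto, inside_local, outside) -> Entry
        self.by_global = {}                         # (proto, inside_global, outside) -> Entry

    def _allocate_port(self, proto):
        used = self.used[proto]
        for port in range(self.lo, self.hi + 1):    # next free port in the configured range
            if port not in used:
                used.add(port)
                return port
        raise PortExhausted(f"{proto}: all {self.hi - self.lo + 1} ports allocated")

    def expire(self):
        """Drop entries whose idle timer has elapsed and return their ports to the pool."""
        now = self.now()
        for key, e in list(self.by_inside.items()):
            if now - e.last_seen > TIMEOUTS[e.proto]:
                del self.by_inside[key]
                del self.by_global[(e.proto, e.inside_global, e.outside)]
                self.used[e.proto].discard(e.inside_global[1])

    def outbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Packet leaving via the inside interface: rewrite source to (public IP, unique port)."""
        self.expire()
        key = (proto, (src_ip, src_port), (dst_ip, dst_port))
        e = self.by_inside.get(key)
        if e is None:                               # new session: create a translation entry
            port = self._allocate_port(proto)
            e = Entry(proto, (src_ip, src_port), (self.public_ip, port),
                      (dst_ip, dst_port), self.now())
            self.by_inside[key] = e
            self.by_global[(proto, e.inside_global, e.outside)] = e
        e.last_seen = self.now()                    # traffic refreshes the idle timer
        return e.inside_global

    def inbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Reply arriving on the outside interface: look up (public IP, port) and restore the
        inside host. None means no state exists (unsolicited inbound, or the return path
        came through a different NAT device), so the packet is dropped."""
        self.expire()
        e = self.by_global.get((proto, (dst_ip, dst_port), (src_ip, src_port)))
        if e is None:
            return None
        e.last_seen = self.now()
        return e.inside_local

    def allocated_ports(self, proto):
        """Ports in use for a protocol; compare with the pool size to judge exhaustion."""
        self.expire()
        return len(self.used[proto])

    def translations(self):
        """Render the table in the column order of 'show ip nat translations'."""
        self.expire()
        return [f"{e.proto} {e.inside_global[0]}:{e.inside_global[1]} "
                f"{e.inside_local[0]}:{e.inside_local[1]} "
                f"{e.outside[0]}:{e.outside[1]} {e.outside[0]}:{e.outside[1]}"
                for e in self.by_inside.values()]


if __name__ == "__main__":
    # Constructed walk-through: a two-port pool exhausts after two TCP sessions.
    clock = [0.0]
    gw = PatGateway("203.0.113.1", port_range=(1025, 1026), now=lambda: clock[0])
    gw.outbound("tcp", "192.168.1.10", 1234, "8.8.8.8", 80)
    gw.outbound("tcp", "192.168.1.11", 5678, "8.8.8.8", 80)
    print("\n".join(gw.translations()))
    try:
        gw.outbound("tcp", "192.168.1.12", 4000, "8.8.8.8", 80)
    except PortExhausted as err:
        print("third session rejected:", err)
```

Shrinking port_range to two ports makes exhaustion visible after two TCP sessions; moving the injected clock past 300 seconds lets the UDP entry age out while the TCP entries survive, which is the asymmetry between the two default timers that the troubleshooting steps later rely on.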
Key Components, Values, and Defaults
NAT Types:
Static NAT: One-to-one mapping between a private IP and a public IP. Used for servers that must be reachable from outside.
Dynamic NAT: Maps a private IP to the next available public IP from a pool. Requires enough public IPs for simultaneous sessions.
PAT (Overload): Maps multiple private IPs to a single public IP using unique source ports. The most common type on home and small business routers.
Translation Table Entries:
Default timeout for TCP sessions: 24 hours (RFC 5382 requires at least 2 hours 4 minutes; many vendors default to 24h).
Default timeout for UDP sessions: 5 minutes (RFC 4787 recommends 5 min).
Default timeout for ICMP: 30 seconds to 1 minute.
Port Range for PAT: Typically 1024-65535, since ports 0-1023 are reserved for well-known services; some implementations use a narrower range such as 16384-65535.
NAT Traversal: Protocols like STUN (RFC 5389), TURN (RFC 5766), and ICE (RFC 8445) help applications work behind NAT by discovering the public IP and port assigned by the NAT device.
Configuration and Verification Commands
On Cisco IOS, a typical PAT configuration:
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 ip nat outside
!
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 interface GigabitEthernet0/0 overload
Verification commands:
show ip nat translations
show ip nat statistics
show ip nat translations verbose
debug ip nat
Example output:
Pro Inside global      Inside local       Outside local      Outside global
tcp 203.0.113.1:1025  192.168.1.10:1234  8.8.8.8:80         8.8.8.8:80
tcp 203.0.113.1:1026  192.168.1.11:5678  8.8.8.8:80         8.8.8.8:80
How NAT Interacts with Related Technologies
VPN: NAT can break VPN protocols like IPsec because they authenticate the IP header. The usual solution is NAT-T (NAT Traversal, RFC 3947), which encapsulates ESP in UDP on port 4500.
Firewalls: NAT often runs on firewalls. Stateful firewalls track NAT translations as part of the session table.
DNS: Split DNS or DNS ALG (Application Layer Gateway) may be needed so that internal hosts resolve internal servers' private IPs while external hosts get public IPs.
IPv6: NAT is not needed for IPv6, but NPTv6 (Network Prefix Translation) exists for prefix translation.
Common Troubleshooting Steps
Verify connectivity without NAT: Ping from the internal host to the NAT device's inside interface. Then ping from the NAT device to an external host. If either fails, the issue is not NAT.
Check NAT translations: Use show ip nat translations to see if entries are being created. If no entries, check ACL and interface NAT direction.
Check NAT statistics: show ip nat statistics shows total translations, hits, misses, and expired translations. High misses indicate traffic not matching NAT rules.
Check for port exhaustion: If translations are present but new connections fail, look for many translations with similar timestamps. Use show ip nat statistics to see the number of allocated ports.
Check logs: NAT devices often log when the translation table is full.
Asymmetric Routing Issues
Asymmetric routing occurs when packets take different paths in each direction. For NAT to work, both directions must traverse the same NAT device. If return traffic goes through a different router, the NAT device will not have a translation entry, and packets are dropped. This is common in multi-homed networks. Solutions include:
Route all traffic through one NAT device.
Use VRF-aware NAT or policy-based routing to force symmetry.
Use stateful failover with session synchronization.
NAT and Application Layer Gateways (ALGs)
Some protocols embed IP addresses in the payload (e.g., FTP, SIP, H.323). NAT devices must inspect and modify these packets, a function called an Application Layer Gateway (ALG). Common ALGs:
FTP ALG: Monitors PORT and PASV commands and translates the IP addresses carried in the payload.
SIP ALG: Rewrites the IP addresses in SDP bodies. Often causes more problems than it solves and is commonly recommended to be disabled.
PPTP ALG: Handles GRE tunnel setup.
Troubleshooting ALG issues: If an application works on a public IP but fails through NAT, try disabling the ALG for that protocol.
1. Identify the Symptom
The first step is to recognize that the problem may be NAT-related. Common symptoms include: internal hosts cannot reach the Internet, external hosts cannot reach internal servers, intermittent connectivity, or one-way communication (e.g., can send packets but not receive replies). Confirm the symptom by testing from multiple internal hosts and to multiple external destinations. If only one application fails, it may be an ALG issue.
2. Verify Basic Connectivity
Before blaming NAT, ensure basic IP connectivity exists. From an internal host, ping the NAT device's inside interface IP. If that fails, the issue is at Layer 2 or the host's IP configuration. Then, from the NAT device itself, ping an external IP (e.g., 8.8.8.8). If that fails, the issue is upstream (default gateway, ISP). If both succeed, the problem is likely NAT translation.
3. Check NAT Configuration
Examine the NAT configuration on the device. Verify that the inside and outside interfaces are correctly assigned. Check the access-list or route-map that defines which traffic is to be translated. Ensure that the NAT pool (for dynamic NAT) has enough addresses or that overload is enabled. Use `show running-config | include nat` to review. A common mistake is applying NAT to the wrong interface or omitting the 'overload' keyword for PAT.
4. Inspect NAT Translations
Use `show ip nat translations` to see active entries. If no entries appear when you generate traffic, the traffic is not matching the NAT rule. Check the ACL with `show access-lists` to see if matches are incrementing. If matches are incrementing but no translations, the device may be out of NAT resources (memory, ports). Use `show ip nat statistics` to see the number of translations and the pool utilization.
5. Test with Debug and Logs
Enable `debug ip nat` (with caution on production) to see translation events in real time. Look for 'NAT: translation created' or 'NAT: translation failed' messages. Also check system logs for NAT errors like 'NAT pool exhausted'. If the debug shows no output when traffic is sent, the traffic is not reaching the NAT process. If it shows 'miss' or 'failure', check for ACL denies or expired timers.
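Steps 4 and 5 above, like the Common Troubleshooting Steps earlier in the chapter, come down to reading the translation table and spotting exhaustion before users report it. The following added example, constructed for this chapter and not Cisco software, parses pasted 'show ip nat translations' output in the column layout shown earlier, counts allocated ports per inside global address and protocol against the configured port range, and lists the inside hosts holding the most entries (the pattern behind P2P-driven exhaustion). The sample output and the 90% warning threshold are constructed; static one-to-one entries, which appear with '---' in place of the protocol and ports, are counted separately because they consume no PAT ports.

```python
from collections import Counter

# Constructed sample in the column layout of 'show ip nat translations'; not a real capture.
SAMPLE = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 203.0.113.1:1025  192.168.1.10:1234  8.8.8.8:80         8.8.8.8:80
tcp 203.0.113.1:1026  192.168.1.11:5678  8.8.8.8:80         8.8.8.8:80
tcp 203.0.113.1:1027  192.168.1.10:1235  8.8.8.8:443        8.8.8.8:443
udp 203.0.113.1:1028  192.168.1.10:50000 8.8.8.8:53         8.8.8.8:53
icmp 203.0.113.1:7    192.168.1.12:7     8.8.8.8:7          8.8.8.8:7
--- 203.0.113.5       192.168.1.20       ---                ---
"""


def _split_endpoint(token):
    """'203.0.113.1:1025' -> ('203.0.113.1', 1025); '203.0.113.5' -> ('203.0.113.5', None);
    '---' -> (None, None). For ICMP the 'port' is the identifier."""
    if token == "---":
        return None, None
    addr, sep, port = token.rpartition(":")
    return (addr, int(port)) if sep else (token, None)


def parse_translations(text):
    """Turn each table row into a dict; the header and any non-table lines are skipped.
    proto is None for static (one-to-one) entries printed with '---'."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] == "Pro":
            continue
        proto = None if parts[0] == "---" else parts[0]
        ig, il, ol, og = (_split_endpoint(p) for p in parts[1:])
        entries.append({"proto": proto, "inside_global": ig, "inside_local": il,
                        "outside_local": ol, "outside_global": og})
    return entries


def summarize(entries, port_range=(1024, 65535), warn_pct=90.0):
    """Port utilization per (inside global IP, protocol) against the configured range,
    plus the inside hosts holding the most entries. warn_pct is a constructed threshold."""
    pool = port_range[1] - port_range[0] + 1
    per_global = Counter()      # (public IP, proto) -> allocated ports
    per_host = Counter()        # inside local IP -> number of entries
    static = 0
    for e in entries:
        if e["proto"] is None:  # static NAT: no port consumed from the PAT pool
            static += 1
            continue
        per_global[(e["inside_global"][0], e["proto"])] += 1
        per_host[e["inside_local"][0]] += 1
    utilization = {k: round(100.0 * n / pool, 2) for k, n in per_global.items()}
    return {
        "dynamic": sum(per_global.values()),
        "static": static,
        "ports_in_use": dict(per_global),
        "utilization_pct": utilization,
        "near_exhaustion": sorted(k for k, pct in utilization.items() if pct >= warn_pct),
        "top_hosts": per_host.most_common(3),
    }


if __name__ == "__main__":
    report = summarize(parse_translations(SAMPLE), port_range=(1025, 1027))
    for (ip, proto), pct in report["utilization_pct"].items():
        print(f"{ip} {proto}: {pct}% of pool in use")
    print("near exhaustion:", report["near_exhaustion"])
    print("top inside hosts:", report["top_hosts"])
```

Run against a real paste, the near_exhaustion list is what turns intermittent "some sites work, others don't" reports into a measurable pool problem, and top_hosts points at the inside host to investigate for connection-hungry applications before changing timers or adding public addresses.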
In a typical enterprise, NAT is deployed at the edge router or firewall connecting the internal network to the Internet. One common scenario is a branch office with 200 users sharing a single public IP via PAT. The network engineer configures the firewall with an inside interface (192.168.1.0/24) and an outside interface with a public IP. An ACL permits all internal traffic. The 'overload' keyword enables PAT. In production, the engineer monitors the NAT translation table size; if it approaches the device's limit (e.g., 4000 entries on a small router), users experience connection failures. The solution is to either increase the port range, add more public IPs, or upgrade hardware.
Another scenario is hosting a public web server behind NAT. The engineer configures static NAT (1:1 mapping) or port forwarding (e.g., map public IP:80 to internal server 192.168.1.10:80). Troubleshooting involves verifying the static entry, checking that the server's default gateway points to the NAT device, and ensuring no firewall rules block inbound traffic. A common mistake is forgetting to set the server's gateway to the NAT device's inside IP, causing asymmetric routing.
In a multi-homed cloud environment, NAT is often used for outbound traffic from private subnets. AWS VPC uses Internet Gateway (IGW) for public subnets and NAT Gateway for private subnets. A typical issue is that the NAT Gateway's Elastic IP changes if the gateway is recreated, breaking outbound connectivity. The engineer must update route tables and security groups accordingly. Also, NAT Gateway has a default limit of 55,000 concurrent connections per destination IP; exceeding this causes packet drops. Monitoring CloudWatch metrics for 'PacketsOutToSource' and 'PortAllocationErrors' is essential.
The N10-009 exam tests NAT/PAT troubleshooting under Objective 5.3: 'Given a scenario, troubleshoot common network connectivity issues.' Specific focus areas:
Identifying symptoms of NAT pool exhaustion (port exhaustion) — e.g., users can browse but then suddenly cannot, or some sites work while others don't.
Recognizing the difference between static NAT, dynamic NAT, and PAT. The exam may present a scenario and ask which type is configured.
Understanding that PAT uses unique source ports to distinguish sessions; if the port range is exhausted, new connections fail.
Knowing that NAT breaks protocols that embed IP addresses (FTP, SIP, IPsec) unless an ALG is used.
Common wrong answers:
1. 'The problem is a DNS issue' — when the real problem is NAT. Candidates often jump to DNS because users cannot reach websites. But if internal hosts can ping by IP but not by name, it's DNS. If they can't ping by IP either, it's routing or NAT.
2. 'The firewall is blocking traffic' — while true in some cases, NAT issues often present as one-way traffic (can send but not receive). Firewall logs can help differentiate.
3. 'The router needs a default route' — if the router has a default route but NAT is misconfigured, traffic will leave but replies won't come back. Candidates may add a default route without fixing NAT.
Specific values to memorize:
Default TCP NAT timeout: 24 hours (or 2 hours 4 minutes per RFC 5382).
Default UDP NAT timeout: 5 minutes (RFC 4787).
Port range for PAT: typically 1024-65535 or 16384-65535.
Maximum concurrent connections per public IP: varies by device, but the exam may cite 65,535 ports per IP (minus reserved ports).
Edge cases:
ICMP NAT: ICMP has no ports; the Identifier field is used instead, so the NAT device must track ICMP IDs. Default timeout is 30-60 seconds.
Fragmented packets: Only the first fragment has the port; subsequent fragments are translated based on the first fragment's entry. If the first fragment is lost, subsequent fragments are dropped.
Hairpinning (NAT loopback): An internal client reaches an internal server via the server's public IP, so the traffic must loop back through the NAT device. Some NAT implementations do not support this.
How to eliminate wrong answers: Always check if the problem is symmetric. If internal hosts can initiate connections but external replies don't arrive, suspect NAT. If external hosts cannot initiate connections to an internal server, check port forwarding/static NAT and firewall rules. If the problem is intermittent, suspect port exhaustion.
NAT translates private IPs to public IPs; PAT adds port translation for multiplexing.
Default TCP timeout for NAT translations is 24 hours (or 2h4m per RFC 5382); UDP timeout is 5 minutes.
Port exhaustion occurs when all 65,535 ports (minus reserved) are used; symptoms include intermittent connectivity.
NAT breaks protocols with embedded IP addresses; ALGs are needed for FTP, SIP, etc.
Asymmetric routing causes NAT to fail because return traffic bypasses the NAT device.
Verification commands: 'show ip nat translations', 'show ip nat statistics', 'debug ip nat'.
Static NAT is for inbound access to servers; PAT is for outbound access from many hosts.
NAT is not a security feature; always use a firewall for access control.
These come up on the exam all the time. Here's how to tell them apart.
Static NAT
One-to-one mapping between private and public IP.
Uses one public IP per internal host.
Public IP is fixed for the internal host.
Allows inbound connections from external hosts.
Requires a public IP for each internal host that needs external access.
PAT (Overload)
Many-to-one mapping using unique ports.
Multiple internal hosts share one public IP.
Public IP and port are dynamically assigned.
Typically blocks inbound connections unless port forwarding is configured.
Efficient use of public IP addresses, but limited by port range.
Mistake
NAT provides security by hiding internal IPs.
Correct
NAT is not a security feature; it is an address translation mechanism. It provides a basic level of obfuscation but can be bypassed by techniques like UPnP or STUN. A firewall should be used for security.
Mistake
PAT can handle unlimited connections.
Correct
PAT has a limit of 65,535 ports per public IP (minus well-known ports). Many devices have lower practical limits (e.g., 4000 entries). Exhaustion causes new connections to fail.
Mistake
NAT translates all traffic identically.
Correct
Some protocols embed IP addresses in the payload (FTP, SIP). Without an ALG, these protocols fail. Also, ICMP does not have ports; NAT uses the Identifier field.
Mistake
Static NAT is the same as port forwarding.
Correct
Static NAT maps an entire IP address (all ports) one-to-one. Port forwarding maps a specific port on a public IP to a specific port on a private IP. Static NAT is used for servers needing full inbound access; port forwarding is more selective.
Mistake
NAT is only used for IPv4.
Correct
NAT is primarily for IPv4, but IPv6 can use NPTv6 (Network Prefix Translation) for prefix translation, though not for address conservation.
This is often a NAT issue with SMTP. SMTP uses port 25, and some NAT devices or ISPs block port 25 outbound. Also, if you host an internal mail server, you need port forwarding (static NAT) for port 25. Check whether the NAT device has an SMTP ALG that may be interfering. Use 'telnet mail.server.com 25' from an internal host to test connectivity. If it fails, check NAT translations and firewall rules.
Check 'show ip nat statistics' on the router. Look for 'allocated ports' near the maximum. Use 'show ip nat translations' to see many entries with similar timestamps. Symptoms: users report that some websites work but others don't, or connections fail after a period of heavy usage. Solutions: increase the port range, add more public IPs, reduce TCP timeout, or upgrade hardware. Also check for applications that hold connections open (e.g., P2P).
This indicates that the router can reach the external IP, but traffic from the internal host is not being translated. Verify that the inside interface is correctly configured with 'ip nat inside' and the outside interface with 'ip nat outside'. Check the ACL that defines which traffic is NATted. Use 'show access-lists' to see if matches are incrementing. Enable 'debug ip nat' to see if translation attempts are made.
FTP uses two connections: control (port 21) and data (port 20). In active mode, the server initiates a data connection to the client's IP, which is private. The NAT device must inspect the PORT command and create a temporary translation. This is done by the FTP ALG. If the ALG is disabled or buggy, FTP fails. Solution: enable FTP ALG on the NAT device or use passive FTP (PASV) which uses only client-initiated connections.
NAT (Network Address Translation) translates IP addresses only. PAT (Port Address Translation) translates both IP and port numbers, allowing multiple internal hosts to share a single public IP. PAT is also called 'NAT overload'. In common usage, 'NAT' often refers to PAT. The exam distinguishes them: NAT uses a pool of public IPs; PAT uses one IP with port multiplexing.
Yes. If traffic leaves through one NAT device but returns through another, the return packet will not have a translation entry, and it will be dropped. This is common in multi-homed networks. To fix, ensure all traffic for a given session uses the same NAT device. Use policy-based routing or ensure the default route points to the NAT device. Some firewalls support asymmetric routing with session sync.
ICMP does not have ports; it uses an Identifier field (echo request/reply). The NAT device creates a translation entry based on the ICMP Identifier and Type. The default timeout for ICMP translations is typically 30-60 seconds. Some NAT implementations may not handle all ICMP types (e.g., Destination Unreachable), causing path MTU discovery issues.