Courseiva
IP AddressingCCNA 200-301

Public IP Exhaustion — Migrating to PAT for Multiple Users

Presenting Symptom

Users in the branch office cannot access the internet, and the router logs show 'NAT: pool exhausted' messages.

Network Context

A small branch office with 50 users connects to the internet via a Cisco 4321 ISR router running IOS XE 16.9. The router uses a single public IP address (203.0.113.1/30) on its WAN interface and is configured with dynamic NAT (overload disabled) to translate internal private addresses (192.168.1.0/24) to a pool of only 5 public IPs (203.0.113.10-203.0.113.14). As more than 5 users attempt simultaneous internet access, the pool is exhausted.

Diagnostic Steps

1

Check NAT translations

show ip nat translations
Pro Inside global      Inside local       Outside local
--- 203.0.113.10      192.168.1.10       8.8.8.8
--- 203.0.113.11      192.168.1.11       8.8.8.8
--- 203.0.113.12      192.168.1.12       8.8.8.8
--- 203.0.113.13      192.168.1.13       8.8.8.8
--- 203.0.113.14      192.168.1.14       8.8.8.8

All 5 public IPs are in use. No additional translations can be created, confirming pool exhaustion.

2

Verify NAT pool configuration

show running-config | include ip nat pool
ip nat pool PUBLIC_POOL 203.0.113.10 203.0.113.14 netmask 255.255.255.248

The pool has only 5 addresses. With 50 users, this is insufficient unless PAT (overload) is used.

3

Check NAT overload status

show running-config | include ip nat inside source
ip nat inside source list ACL_NAT pool PUBLIC_POOL

The NAT statement does not include the 'overload' keyword, meaning PAT is disabled. Each translation consumes a unique public IP.

4

Check NAT statistics

show ip nat statistics
Total active translations: 5 (0 static, 5 dynamic; 5 extended)
Peak translations: 5 at 10:00:00
Outside interfaces: GigabitEthernet0/0/0
Inside interfaces: GigabitEthernet0/0/1
Hits: 1024  Misses: 0
CEF Translated packets: 1024, CEF Punted packets: 0
Expired translations: 0
Dynamic mappings:
-- Inside Source
[Id] 1 access-list ACL_NAT pool PUBLIC_POOL refcount 5
  pool PUBLIC_POOL: netmask 255.255.255.248
    start 203.0.113.10 end 203.0.113.14
    type generic, total addresses 5, allocated 5 (100%), misses 0

100% of pool addresses are allocated, confirming exhaustion. No misses indicate that translation attempts beyond the pool are failing silently (or being dropped).

Root Cause

The NAT configuration uses dynamic NAT without PAT (overload), mapping each internal user to a unique public IP address. With only 5 public IPs in the pool and 50 users, the pool is exhausted, preventing additional users from accessing the internet.

Resolution

Enable PAT (overload) on the NAT pool to allow multiple internal users to share a single public IP (or the pool). 1. Enter global configuration mode: configure terminal 2. Modify the NAT statement to include the overload keyword: ip nat inside source list ACL_NAT pool PUBLIC_POOL overload 3. (Optional) If using a single public IP, change to interface-based PAT: no ip nat inside source list ACL_NAT pool PUBLIC_POOL ip nat inside source list ACL_NAT interface GigabitEthernet0/0/0 overload 4. Save the configuration: copy running-config startup-config

Verification

1. Run 'show ip nat translations' — expect many translations sharing the same public IP (e.g., 203.0.113.1) with different ports. 2. Run 'show ip nat statistics' — expect total active translations >5, with pool allocation less than 100%. 3. Test internet access from multiple internal hosts — all should succeed.

Prevention

1. Always use PAT (overload) when the number of internal users exceeds the number of available public IPs. 2. Monitor NAT pool utilization with SNMP or syslog to detect exhaustion before users complain. 3. Design with a single public IP or a small pool with overload for branch offices to conserve public IP addresses.

CCNA Exam Relevance

On the CCNA 200-301 exam, this scenario appears in troubleshooting questions about NAT exhaustion. Candidates may be asked to identify why users cannot access the internet and to choose the correct fix (adding 'overload'). The exam tests understanding of the difference between dynamic NAT and PAT, and the command syntax for enabling overload.

Exam Tips

1.

Remember that 'overload' enables PAT, allowing many-to-one translation. Without it, each translation uses a unique public IP.

2.

The 'show ip nat statistics' command shows pool utilization percentage; 100% indicates exhaustion.

3.

In exam simulations, you may need to modify an existing NAT configuration by adding 'overload' to the ip nat inside source command.

Commands Used in This Scenario

debug ip nat

Use debug ip nat to monitor and troubleshoot NAT translations in real time on a Cisco router, displaying each packet's translation details as they occur.

show ip nat statistics

Displays statistics about NAT translations, including active translations, hit counts, and configuration parameters, used to verify NAT operation and troubleshoot translation issues.

show ip nat translations

Displays the current active Network Address Translation (NAT) translations on the router, used to verify NAT operations and troubleshoot connectivity issues.

Test Your CCNA Knowledge

Practice with scenario-based questions to prepare for the CCNA 200-301 exam.

Practice CCNA Questions