Dynamic NAT & PAT (NAT Overload) Configuration

Static NAT solves the problem of giving servers a fixed public identity — but most internal hosts (PCs, laptops, phones) only need outbound internet access, not a permanent inbound-reachable public IP. Assigning a dedicated public IP to every internal host is impractical and expensive. Dynamic NAT and PAT (Port Address Translation) solve this by allowing many internal hosts to share a small number — or even just one — public IP address simultaneously.

Dynamic NAT assigns a public IP from a configured pool on a first-come, first-served basis. When a host finishes, the IP returns to the pool for the next host. PAT (NAT Overload) goes further — it multiplexes thousands of simultaneous sessions from different internal hosts onto a single public IP by appending unique port numbers to each session. PAT is the mechanism behind nearly every home router and branch office internet connection in use today. For a conceptual overview of all NAT types see NAT Overview, Dynamic NAT, and PAT.

Before starting, complete Static NAT Configuration to understand NAT fundamentals, address types, and inside/outside interface roles. Review OSPF Single-Area Configuration for the internal routing context and DHCP Server Configuration for how internal hosts receive their private IP addresses.

1. Dynamic NAT vs PAT — How Each Works

Dynamic NAT — Pool-Based One-to-One

Dynamic NAT maps each internal host to one public IP from a pre-defined pool — but the assignment is temporary and automatic. When all pool IPs are in use, new sessions are dropped until an existing session ends and releases an IP back to the pool:

  Dynamic NAT Pool: 203.0.113.10 – 203.0.113.12  (3 public IPs)

  PC1 (192.168.10.10) initiates traffic → assigned 203.0.113.10
  PC2 (192.168.10.11) initiates traffic → assigned 203.0.113.11
  PC3 (192.168.10.12) initiates traffic → assigned 203.0.113.12
  PC4 (192.168.10.13) initiates traffic → ✗ NO IP AVAILABLE — dropped
                                            (pool exhausted)
  PC1 session ends   → 203.0.113.10 returned to pool
  PC4 retries        → assigned 203.0.113.10  ✓

PAT (NAT Overload) — Port Multiplexing

PAT extends Dynamic NAT by adding unique source port numbers to each session. Because port numbers are 16-bit values (0–65535), a single public IP can theoretically support over 65,000 simultaneous sessions — all uniquely identified by their port number:

  PAT — single public IP 203.0.113.2

  PC1 (192.168.10.10:49500) → 203.0.113.2:1024  → Server 8.8.8.8:443
  PC2 (192.168.10.11:51200) → 203.0.113.2:1025  → Server 8.8.8.8:443
  PC3 (192.168.10.12:48900) → 203.0.113.2:1026  → Server 1.1.1.1:80
  PC4 (192.168.10.13:52300) → 203.0.113.2:1027  → Server 1.1.1.1:80

  All four hosts reach the internet simultaneously using ONE public IP.
  The router tracks each session by the assigned port number.
  Reply packets arrive at 203.0.113.2 on different ports — router
  looks up the port to find which internal host to forward to.

Dynamic NAT vs PAT — Side-by-Side Comparison

Feature	Dynamic NAT	PAT (NAT Overload)
Mapping type	One internal IP → one public IP (temporary)	Many internal IPs → one public IP (port-multiplexed)
Public IPs required	One per simultaneous session	Just one (or a small pool)
Session limit	Limited by pool size	~65,000 per public IP
Port translation	No — only IP is changed	Yes — unique port per session
Inbound connections	Only while a session entry exists	Not supported — no fixed mapping
IOS keyword	(no extra keyword)	`overload`
Timeout (TCP)	24 hours by default	24 hours for established TCP, 60 sec for SYN-only
Common use	Enterprises with multiple public IPs, compliance requirements	Home routers, branch offices, most modern deployments

The ACL's Role in Dynamic NAT and PAT

Unlike static NAT which maps specific IPs, dynamic NAT and PAT use an ACL to define which internal hosts are eligible for translation. Any source IP that matches the ACL (permit) is translated. Any source IP that does not match (deny — explicitly or implicitly) is not translated and is forwarded with its private IP unchanged — which the internet will drop:

ACL Result	NAT Action	Outcome
permit (match)	Translate the source IP	✅ Host reaches the internet with a public IP
deny (no match / implicit deny)	Do not translate	❌ Private IP forwarded unchanged — dropped by ISP

2. Lab Topology & Scenario

NetsTuts_R1 is the edge router. The internal network (192.168.10.0/24) contains staff workstations that need outbound internet access. The ISP provides a single public IP (203.0.113.2) on the WAN link — all internal hosts must share it via PAT. A web server (192.168.10.100) already has a static NAT mapping and must be excluded from PAT. The lab configures both Dynamic NAT and PAT variants to illustrate both approaches:

                        Internet / ISP
                        203.0.113.1
                               |
                         Gi0/0 (OUTSIDE)
                         203.0.113.2 /30
                    ┌────────────────────────┐
                    │      NetsTuts_R1        │
                    │  PAT: inside hosts      │
                    │  → 203.0.113.2:unique   │
                    │  Static: .100 ↔ .113.10 │
                    └────────────────────────┘
                         Gi0/1 (INSIDE)
                         192.168.10.1 /24
                                |
              ══════════════════════════════════
                       192.168.10.0/24
              |           |           |           |
         192.168.10.10  .10.11     .10.12    192.168.10.100
           [PC1]         [PC2]     [PC3]     [Web Server]
           PAT ✓         PAT ✓     PAT ✓     Static NAT only

Host	Private IP	NAT Type	Public Result
PC1	192.168.10.10	PAT	203.0.113.2:[dynamic port]
PC2	192.168.10.11	PAT	203.0.113.2:[dynamic port]
PC3	192.168.10.12	PAT	203.0.113.2:[dynamic port]
Web Server	192.168.10.100	Static NAT (separate)	203.0.113.10 (fixed)

3. Step 1 — Interface Addressing and NAT Roles

Interface addressing and inside/outside markings follow the same pattern as Static NAT — these are prerequisites that must be in place before any NAT translation can occur. A default route toward the ISP is also required for outbound traffic to exit correctly:

NetsTuts_R1>en
NetsTuts_R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.

! ── WAN interface ────────────────────────────────────────
NetsTuts_R1(config)#interface GigabitEthernet0/0
NetsTuts_R1(config-if)#description WAN-to-ISP
NetsTuts_R1(config-if)#ip address 203.0.113.2 255.255.255.252
NetsTuts_R1(config-if)#ip nat outside
NetsTuts_R1(config-if)#no shutdown
NetsTuts_R1(config-if)#exit

! ── LAN interface ────────────────────────────────────────
NetsTuts_R1(config)#interface GigabitEthernet0/1
NetsTuts_R1(config-if)#description LAN-Internal-Hosts
NetsTuts_R1(config-if)#ip address 192.168.10.1 255.255.255.0
NetsTuts_R1(config-if)#ip nat inside
NetsTuts_R1(config-if)#no shutdown
NetsTuts_R1(config-if)#exit

! ── Default route toward ISP ─────────────────────────────
NetsTuts_R1(config)#ip route 0.0.0.0 0.0.0.0 203.0.113.1

4. Step 2A — Dynamic NAT with a Pool

Dynamic NAT requires three configuration elements: an ACL identifying eligible inside hosts, a named pool of public IPs, and a binding command linking the ACL to the pool. This is the foundation that PAT builds on by adding the overload keyword:

Step 2A-1: Define the ACL (Which Hosts to Translate)

! ── ACL permits the entire 192.168.10.0/24 subnet ────────
! ── Hosts matching this ACL will be NAT-translated ───────
NetsTuts_R1(config)#ip access-list standard NAT-INSIDE-HOSTS
NetsTuts_R1(config-std-nacl)#permit 192.168.10.0 0.0.0.255
NetsTuts_R1(config-std-nacl)#exit

A named standard ACL is preferred over a numbered ACL for NAT — it is self-documenting. The ACL uses a wildcard mask (0.0.0.255 = match any host in 192.168.10.0/24). Any host in this range that initiates outbound traffic will be translated. Hosts not matched by this ACL (e.g., 192.168.20.x) will not be translated.

Step 2A-2: Define the Public IP Pool

! ── Define a pool of 3 public IPs for Dynamic NAT ────────
NetsTuts_R1(config)#ip nat pool PUBLIC-POOL 203.0.113.10 203.0.113.12 netmask 255.255.255.248

The pool command syntax:

ip nat pool [name] [first-IP] [last-IP]
    netmask [mask]

. This creates a pool named PUBLIC-POOL with three IPs: 203.0.113.10, .11, and .12. The netmask must match the subnet of the public IPs — not the internal subnet. A pool of 3 IPs can serve a maximum of 3 simultaneous external sessions — a 4th host would be dropped until one of the 3 sessions ends.

Step 2A-3: Bind ACL to Pool (Dynamic NAT)

! ── Bind ACL to pool — Dynamic NAT (no overload) ─────────
NetsTuts_R1(config)#ip nat inside source list NAT-INSIDE-HOSTS pool PUBLIC-POOL

This command ties everything together: "translate any inside source IP that matches the ACL NAT-INSIDE-HOSTS, using an IP from the pool PUBLIC-POOL." Without overload, each internal host gets its own public IP from the pool — true one-to-one dynamic NAT. The pool is exhausted when all 3 IPs are in use.

5. Step 2B — PAT (NAT Overload) — Single Public IP

PAT is the most common NAT deployment. Adding overload to the binding command tells IOS to use port numbers to multiplex many internal sessions onto a single public IP. There are two PAT variants — using a named pool or using the WAN interface IP directly:

PAT Variant 1 — Pool with Overload

! ── Remove the Dynamic NAT binding first (if replacing) ──
NetsTuts_R1(config)#no ip nat inside source list NAT-INSIDE-HOSTS pool PUBLIC-POOL

! ── Re-bind with overload keyword (PAT) ──────────────────
NetsTuts_R1(config)#ip nat inside source list NAT-INSIDE-HOSTS pool PUBLIC-POOL overload

Adding overload converts the Dynamic NAT to PAT. IOS now uses the same public IP (or cycles through the pool) for multiple hosts, differentiating sessions by unique source port numbers. If the pool has three IPs, IOS exhausts port numbers on the first IP before moving to the next — in practice 65,000+ sessions on a single public IP.

PAT Variant 2 — Interface Overload (Most Common)

! ── Remove pool-based PAT first ──────────────────────────
NetsTuts_R1(config)#no ip nat inside source list NAT-INSIDE-HOSTS pool PUBLIC-POOL overload

! ── PAT using the WAN interface IP directly ──────────────
! ── No pool needed — uses whatever IP is on Gi0/0 ────────
NetsTuts_R1(config)#ip nat inside source list NAT-INSIDE-HOSTS interface GigabitEthernet0/0 overload

NetsTuts_R1(config)#end
NetsTuts_R1#wr
Building configuration...
[OK]
NetsTuts_R1#

This is the most widely used PAT configuration. Instead of a named pool, the command references the outside interface directly — IOS automatically uses whatever public IP is currently assigned to Gi0/0. If the ISP changes the WAN IP (common with DHCP or PPPoE), PAT continues working without any reconfiguration. This is the standard configuration for home routers, branch offices, and any deployment with a single ISP-assigned public IP.

Dynamic NAT & PAT Command Comparison

Configuration	Command	Result
Dynamic NAT (pool)	`ip nat inside source list [ACL] pool [POOL]`	Each host gets a unique public IP from the pool — max simultaneous sessions = pool size
PAT (pool + overload)	`ip nat inside source list [ACL] pool [POOL] overload`	All hosts share the pool IPs via port multiplexing — pool IPs used in order, ports exhausted first
PAT (interface overload)	`ip nat inside source list [ACL] interface [WAN-int] overload`	All hosts share the WAN interface IP via port multiplexing — no pool required, auto-follows interface IP

6. Step 3 — Static NAT and PAT Coexistence

In most production networks, static NAT (for servers) and PAT (for workstations) coexist on the same router. The ACL for PAT must exclude the server's IP — if the server is permitted by the PAT ACL, IOS may apply PAT to the server's outbound traffic, overriding the static mapping and breaking inbound connectivity:

! ── Existing static NAT for web server (from Static NAT lab)
NetsTuts_R1(config)#ip nat inside source static 192.168.10.100 203.0.113.10

! ── PAT ACL: permit all EXCEPT the server (.100) ─────────
NetsTuts_R1(config)#ip access-list standard PAT-HOSTS
NetsTuts_R1(config-std-nacl)#deny host 192.168.10.100
NetsTuts_R1(config-std-nacl)#permit 192.168.10.0 0.0.0.255
NetsTuts_R1(config-std-nacl)#exit

! ── PAT using interface overload ─────────────────────────
NetsTuts_R1(config)#ip nat inside source list PAT-HOSTS interface GigabitEthernet0/0 overload
NetsTuts_R1(config)#end
NetsTuts_R1#wr
Building configuration...
[OK]
NetsTuts_R1#

The ACL PAT-HOSTS explicitly denies 192.168.10.100 (the web server) before permitting the rest of the subnet. The web server's outbound traffic does not match the PAT ACL — it falls through to the static NAT entry and is translated with its fixed public IP (203.0.113.10). Workstations (.10–.99 and .101–.254) match the permit and use PAT.

How IOS Processes NAT Rules — Priority Order

Priority	NAT Type	Checked First?	Notes
1st	Static NAT entries	✅ Yes — always checked first	Permanent mappings take precedence over dynamic rules — a host with a static mapping is always translated statically
2nd	Dynamic NAT / PAT (ACL match)	Only if no static entry matches	ACL is evaluated — if the source IP is permitted, dynamic or PAT translation is applied
3rd	No match	—	Packet forwarded without translation — private IP sent to internet, dropped by ISP

7. Verification

show ip nat translations — PAT Active Sessions

NetsTuts_R1#show ip nat translations
Pro  Inside global          Inside local          Outside local       Outside global
tcp  203.0.113.2:1024       192.168.10.10:49512   8.8.8.8:443         8.8.8.8:443
tcp  203.0.113.2:1025       192.168.10.11:51234   8.8.8.8:443         8.8.8.8:443
tcp  203.0.113.2:1026       192.168.10.12:48901   1.1.1.1:80          1.1.1.1:80
udp  203.0.113.2:4500       192.168.10.10:4500    8.8.8.8:53          8.8.8.8:53
--- 203.0.113.10            192.168.10.100         ---                 ---

PAT entries always show the port numbers — the Inside Global column shows 203.0.113.2:[assigned port] and the Inside Local column shows 192.168.10.x:[original port]. All three hosts (PC1 .10, PC2 .11, PC3 .12) share the single public IP 203.0.113.2 — differentiated by port numbers 1024, 1025, and 1026. The static NAT entry for the web server (.100 ↔ 203.0.113.10) appears at the bottom without port numbers — confirming both NAT types are active simultaneously.

show ip nat statistics — PAT Counters

NetsTuts_R1#show ip nat statistics
Total active translations: 5 (1 static, 4 dynamic; 4 extended)
Peak translations: 12, occurred 00:04:33 ago
Outside interfaces:
  GigabitEthernet0/0
Inside interfaces:
  GigabitEthernet0/1
Hits: 834     Misses: 0
CEF Translated packets: 830, CEF Punted packets: 4
Expired translations: 28
Dynamic mappings:
Dynamic in use: 1
 -- Inside Source
 access-list PAT-HOSTS interface GigabitEthernet0/0 refcount 4

Key fields for PAT: Total active translations: 5 (1 static, 4 dynamic; 4 extended) — the static entry for the web server plus four active PAT sessions. Misses: 0 — every packet matched a NAT rule. Expired translations: 28 — 28 previous sessions timed out and were cleared. The Dynamic mappings section confirms the PAT rule: access-list PAT-HOSTS interface GigabitEthernet0/0 with refcount 4 (four active translations using this rule).

show ip nat translations — Dynamic NAT Pool (No Overload)

NetsTuts_R1#show ip nat translations
Pro  Inside global       Inside local         Outside local       Outside global
tcp  203.0.113.10        192.168.10.10        8.8.8.8             8.8.8.8
tcp  203.0.113.11        192.168.10.11        1.1.1.1             1.1.1.1
tcp  203.0.113.12        192.168.10.12        8.8.8.8             8.8.8.8

Dynamic NAT (without overload) entries show no port numbers — each host gets its own public IP from the pool. Unlike static NAT, these entries only exist while the session is active — they disappear after the timeout period. A 4th host attempting internet access while all three pool IPs are in use would fail — no pool IP is available.

clear ip nat translation — Reset Sessions

! ── Clear all dynamic entries (static entries preserved) ─
NetsTuts_R1#clear ip nat translation *

! ── Clear a specific dynamic entry ──────────────────────
NetsTuts_R1#clear ip nat translation inside 203.0.113.2 192.168.10.10

! ── Confirm only static entries remain ───────────────────
NetsTuts_R1#show ip nat translations
Pro  Inside global      Inside local       Outside local    Outside global
---  203.0.113.10       192.168.10.100     ---              ---

clear ip nat translation * removes all dynamic and PAT entries — static entries (like the web server mapping) are never removed by this command. This is useful during troubleshooting to force clients to re-establish sessions, or to free pool IPs for new hosts without waiting for timeouts.

debug ip nat — Live Translation Events

NetsTuts_R1#debug ip nat
IP NAT debugging is on
NetsTuts_R1#
NAT: s=192.168.10.10->203.0.113.2, d=8.8.8.8 [13245]
NAT*: s=8.8.8.8, d=203.0.113.2->192.168.10.10 [13245]
NAT: s=192.168.10.11->203.0.113.2, d=1.1.1.1 [13246]
NAT*: s=1.1.1.1, d=203.0.113.2->192.168.10.10 [13246]

debug ip nat shows each translation in real time. s=192.168.10.10→203.0.113.2 confirms outbound PAT translating the source IP. The asterisk in NAT* indicates the return packet is being translated (destination changed from public back to private). Always turn off debug after use: no debug ip nat or undebug all.

Verification Command Summary

Command	What It Shows	Key Indicator
`show ip nat translations`	All active NAT entries — PAT shows IP:port, Dynamic shows IP only	Port numbers present = PAT active. No ports = Dynamic NAT. No entries = misconfiguration
`show ip nat statistics`	Session counts, hit/miss counters, interface roles, dynamic rule reference	Misses > 0 = some hosts not being translated. Dynamic mappings section confirms ACL and pool/interface
`show ip access-lists PAT-HOSTS`	ACL entries and match counters — confirms which hosts are being permitted for translation	Match count increasing = ACL is being evaluated for NAT
`show ip nat pool`	Dynamic NAT pool status — total IPs, IPs in use, IDs assigned	Pool exhausted = all IPs in use — increase pool or convert to PAT
`clear ip nat translation *`	Removes all dynamic/PAT entries — static entries unaffected	Use during troubleshooting or to force session re-establishment
`show ip nat translations verbose`	Extended detail — flags, timeout, use count per entry	Flags: extended = PAT entry. Flags: static = permanent mapping

8. Troubleshooting Dynamic NAT & PAT Issues

Problem	Symptom	Cause	Fix
No PAT translations for any host	`show ip nat translations` shows only static entries — no PAT sessions despite hosts generating traffic	ACL does not match the inside hosts, inside/outside interfaces not marked, or the binding command references wrong ACL name	Verify ACL with `show ip access-lists [name]` — match counters should increase when hosts send traffic. Check `show ip nat statistics` confirms correct inside/outside interfaces and the dynamic mapping section shows the correct ACL
Some hosts translated, others not	PC1 and PC2 reach internet but PC3 cannot — PC3 gets no translation	PC3's IP is explicitly denied by the NAT ACL, or PC3's IP is outside the ACL's permitted range	Review the ACL with `show ip access-lists [name]` — confirm PC3's IP matches a permit statement. Check for an explicit deny above the permit range
Dynamic NAT pool exhausted	Some hosts cannot reach internet — `show ip nat pool` shows all IPs in use	Pool size smaller than concurrent session demand — more hosts are active than the pool has IPs	Convert to PAT by adding `overload` to the binding command, or expand the pool. PAT eliminates pool exhaustion by multiplexing sessions on port numbers
Server losing inbound connectivity after enabling PAT	Web server still reaches internet but external clients cannot connect to its public IP	PAT ACL is not excluding the server — its outbound traffic matches the PAT rule, overriding the static NAT mapping. The server gets a dynamic port-based translation instead of its fixed public IP	Add `deny host 192.168.10.100` before the permit statement in the PAT ACL. Static NAT is always checked first — but only if the PAT ACL does not match first at the ACL evaluation stage
Misses counter increasing rapidly	`show ip nat statistics` shows Misses counter rising — some internet traffic failing	Traffic from hosts not covered by the PAT ACL is crossing the NAT boundary untranslated	Run `debug ip nat` to identify which source IPs are missing. Expand the ACL permit range to include those hosts or add additional `permit` statements
PAT works but FTP or SIP fails	General web browsing works but FTP data channels or SIP voice calls fail	Application-layer protocols that embed IP addresses in their payload (FTP, SIP, H.323) require NAT Application Layer Gateways (ALG) to rewrite embedded addresses	Verify ALG is enabled: `show ip nat translations` — FTP control and data connections should both appear. IOS enables most ALGs by default. For SIP, verify `ip nat service sip udp port 5060`

Key Points & Exam Tips

Dynamic NAT maps each internal host to a unique IP from a pool — sessions are temporary. PAT (NAT Overload) maps all internal hosts to a single public IP using unique port numbers to differentiate sessions — the overload keyword is required.
Both Dynamic NAT and PAT use an ACL to identify eligible inside hosts. Hosts that match the ACL (permit) are translated. Hosts that do not match are forwarded with their private IP unchanged and dropped by the ISP.
The three-component PAT configuration: (1) ACL defining inside hosts, (2) binding command referencing the ACL and interface with overload, (3) ip nat inside/ip nat outside on the correct interfaces.
Interface overload (ip nat inside source list [ACL] interface [WAN-int] overload) is the most common PAT configuration — no pool required, automatically uses the WAN interface's current IP. Ideal for dynamic ISP-assigned addresses.
When static NAT and PAT coexist, the PAT ACL must explicitly deny the static server's IP to prevent PAT from overriding the static mapping on outbound traffic. Static entries are processed first, but only if the PAT ACL does not intercept the traffic first.
In show ip nat translations: PAT entries always include port numbers (IP:port format). Dynamic NAT entries show IP only (no ports). Static entries show IP only with --- in the protocol column.
clear ip nat translation * removes all dynamic and PAT session entries — static mappings are never removed by this command. Use it to force session re-establishment or free pool IPs during troubleshooting.
A rising Misses counter in show ip nat statistics means packets are crossing the NAT boundary without matching any translation rule — the source host's IP is not permitted by the NAT ACL.
Dynamic NAT pool exhaustion occurs when all pool IPs are assigned and a new host needs internet access. Converting to PAT (adding overload) eliminates this problem — ports are the multiplexing mechanism, not IPs.
On the CCNA exam: know the difference between Dynamic NAT and PAT, what the overload keyword does, where to place the ACL, and how to read PAT entries in show ip nat translations. Also review show ip route to confirm the default route is in place before NAT is expected to work.

Next Steps: With outbound internet access via PAT and server reachability via Static NAT, the network edge is complete. For troubleshooting NAT issues see Troubleshooting NAT & PAT. For securing internet-bound traffic, explore standard and extended ACLs in Standard ACL Configuration and Extended ACL Configuration. For VPN connectivity over the NAT'd WAN link, see Site-to-Site IPsec VPN. For the internal routing context that feeds hosts to the NAT router, see OSPF Single-Area Configuration.

TEST WHAT YOU LEARNED

1. What is the single keyword difference between a Dynamic NAT binding command and a PAT binding command, and what does it change?

A. The keyword static — converts the dynamic mapping to a permanent entry B. The keyword pool — replaces the interface reference with a named pool C. The keyword overload — appended at the end of the binding command. Without it, each host gets its own public IP from the pool (Dynamic NAT). With it, all hosts share the same public IP differentiated by unique port numbers (PAT) D. The keyword extended — enables Layer 4 port tracking for the NAT table

Correct answer is C. The only syntactic difference between Dynamic NAT and PAT is the overload keyword at the end of the binding command. Dynamic: ip nat inside source list ACL pool POOL. PAT: ip nat inside source list ACL pool POOL overload or ip nat inside source list ACL interface Gi0/0 overload. Without overload, IOS assigns one pool IP per host — pool exhaustion stops the 4th host. With overload, IOS multiplexes all hosts onto shared IPs via port numbers — effectively unlimited concurrent sessions per public IP.

2. A PAT ACL permits 192.168.10.0/24. The web server at 192.168.10.100 also has a static NAT entry mapping it to 203.0.113.10. When the web server sends outbound traffic, which NAT rule applies?

A. In standard IOS processing, static NAT is checked before dynamic/PAT rules. The static mapping (203.0.113.10) is applied — but if the PAT ACL also matches .100, IOS may apply PAT first. Best practice is to explicitly deny the server in the PAT ACL to guarantee the static mapping is used B. PAT always overrides static NAT for outbound traffic C. Static NAT is only for inbound — PAT always applies to all outbound traffic including servers D. Both translations are applied simultaneously — the packet is translated twice

Correct answer is A. IOS processes static NAT entries before dynamic NAT/PAT rules — static entries take priority. However, if the PAT ACL permits the server's IP (.100), there is a risk of PAT being applied depending on IOS version and processing order. The safe and recommended practice is to explicitly deny the server in the PAT ACL: add deny host 192.168.10.100 before the permit statement. This ensures the server's outbound traffic does not match the PAT ACL at all — IOS then falls through to the static mapping, guaranteeing the server always uses its fixed public IP for both inbound and outbound traffic.

3. Why is `ip nat inside source list PAT-HOSTS interface GigabitEthernet0/0 overload` preferred over using a named pool for PAT in most deployments?

A. Interface overload uses less router memory than pool-based PAT B. Named pools are only valid for Dynamic NAT — overload only works with interface references C. Interface overload supports more simultaneous sessions than pool-based PAT D. The interface keyword automatically uses whatever IP is currently assigned to the WAN interface — if the ISP changes the public IP (common with DHCP or PPPoE), PAT continues working without reconfiguration. A named pool has hardcoded IPs that must be manually updated when the public IP changes

Correct answer is D. Interface overload is dynamic — it references the interface rather than a specific IP. If the ISP assigns a new public IP via DHCP or PPPoE, the interface IP changes automatically and PAT immediately uses the new IP without any administrator intervention. A named pool like ip nat pool PUBLIC-POOL 203.0.113.10 203.0.113.12 has hardcoded addresses — if the ISP changes the public IP range, the pool must be manually updated, which interrupts service. For any environment where the public IP can change (home internet, most branch offices), interface overload is the correct choice.

4. `show ip nat translations` shows no entries for PC1 even though PC1 is sending traffic to 8.8.8.8. `show ip nat statistics` shows Misses counter is increasing. What does this indicate?

A. PC1's traffic is being blocked by an ACL before reaching the NAT process B. PC1's IP address does not match any permit statement in the NAT ACL — the traffic crosses the inside-to-outside boundary but finds no matching NAT rule. The packet is forwarded with PC1's private IP as source, which the ISP drops C. The NAT translation table is full — PC1 must wait for existing sessions to expire D. PC1 is using IPv6 — NAT only processes IPv4 traffic

Correct answer is B. A NAT "miss" occurs when a packet crosses the inside-to-outside boundary (confirmed by the interfaces being correctly marked with ip nat inside/outside) but no matching translation entry exists. This means PC1's source IP is not permitted by the NAT ACL. The traffic exits R1 toward the ISP with PC1's private IP (192.168.10.x) as the source address — the ISP drops it because private IPs are not routable on the internet. The fix is to verify the NAT ACL with show ip access-lists and ensure PC1's IP falls within a permitted range.

5. A Dynamic NAT pool has 5 public IPs. 5 hosts are actively using the internet. PC6 tries to open a browser. What happens?

A. PC6 shares an IP with an existing host — Dynamic NAT automatically enables port sharing when the pool is exhausted B. The oldest active session is forcibly terminated to free an IP for PC6 C. PC6 is queued and receives an IP as soon as one becomes available — Dynamic NAT has a built-in queue D. PC6's DHCP Discover is matched by the NAT ACL but no pool IP is available — IOS drops the packet and logs a miss. PC6 gets no translation and cannot reach the internet until one of the 5 active sessions ends and returns an IP to the pool

Correct answer is D. Dynamic NAT has no queuing mechanism — when all pool IPs are assigned, any new translation request is simply dropped. The router does not share IPs (that is PAT's function), does not terminate existing sessions, and does not queue pending requests. This pool exhaustion scenario is one of the most common reasons organisations switch from Dynamic NAT to PAT — PAT's port multiplexing means pool exhaustion is virtually impossible (65,000+ sessions per IP). Check pool status with show ip nat pool to see how many IPs are in use vs available.

6. In `show ip nat translations`, what is the key visual difference between a PAT (overload) entry and a Dynamic NAT entry?

A. PAT entries always show IP:port in the Inside Global and Inside Local columns (e.g., 203.0.113.2:1024 and 192.168.10.10:49512). Dynamic NAT entries show IP addresses only — no port numbers (e.g., 203.0.113.10 and 192.168.10.10) B. PAT entries show a "P" flag in the Pro column while Dynamic NAT entries show the protocol name C. Dynamic NAT entries appear at the top of the table and PAT entries at the bottom — ordered by type D. PAT entries show the pool name in brackets while Dynamic NAT entries show the interface name

Correct answer is A. The presence of port numbers in the translation table is the definitive indicator of PAT (overload) operation. PAT entries show IP:port format in both Inside Global and Inside Local columns because the port number is the key differentiator — multiple hosts share the same public IP so the port is what identifies each session. Dynamic NAT entries show only IP addresses because each host has its own dedicated public IP — no port multiplexing is needed. Static NAT entries also show only IPs (with --- in the Pro column and --- in the Outside columns when idle).

7. An engineer runs `clear ip nat translation *`. What entries are removed and what entries remain?

A. All entries including static mappings are removed — the command clears the entire translation table B. Only expired entries are removed — active sessions are preserved C. All dynamic entries (Dynamic NAT and PAT session entries) are removed. Static NAT entries remain — they are permanent configuration entries that are never removed by clear ip nat translation D. Only PAT entries are removed — Dynamic NAT pool entries are protected because they hold allocated IPs

Correct answer is C. clear ip nat translation * removes all dynamic NAT and PAT entries from the translation table — these are temporary session-based entries. Static NAT entries are part of the router configuration (created by ip nat inside source static) and are never affected by the clear command. After running this command, show ip nat translations shows only the static entries. Dynamic entries are recreated when hosts initiate new sessions. This command is routinely used during troubleshooting to force all hosts to re-establish their NAT sessions with fresh entries.

8. Why do some application-layer protocols like FTP fail through PAT even when basic web browsing works correctly?

A. PAT only translates TCP — FTP uses UDP which PAT cannot process B. FTP embeds the client's private IP address inside the FTP payload (PORT command) when negotiating data channel connections. PAT only translates the IP header — the private IP inside the FTP data payload is not updated, causing the server to try connecting to an unreachable private address C. FTP uses port numbers below 1024 which PAT reserves for system use and cannot assign D. FTP requires a dedicated public IP — it cannot function through shared port-based NAT

Correct answer is B. FTP in active mode sends the client's IP address and port number inside the FTP PORT command payload to tell the server where to connect for the data channel. Standard PAT only modifies IP header source addresses and TCP/UDP port numbers — it does not inspect or modify application-layer payload content. The private IP embedded in the PORT command payload remains unchanged, causing the FTP server to attempt a data connection to the private IP (which is unreachable from the internet). Cisco IOS uses Application Layer Gateways (ALG) to handle this — the FTP ALG intercepts PORT commands and rewrites the embedded private IP with the translated public IP.

9. The PAT binding command is `ip nat inside source list PAT-HOSTS interface GigabitEthernet0/0 overload`. The ACL PAT-HOSTS permits 192.168.10.0/24. A host at 192.168.20.50 (on a different subnet) tries to reach the internet through R1. What happens?

A. The host is translated — PAT applies to all traffic that crosses the inside interface regardless of the ACL B. The host gets a special outside NAT entry and is translated as an outside host C. R1 creates a new PAT entry using the nearest pool IP since no explicit deny exists D. 192.168.20.50 does not match the permit in ACL PAT-HOSTS (which only covers 192.168.10.0/24) — the implicit deny at the end of the ACL means no NAT translation occurs. R1 forwards the packet with the private source IP 192.168.20.50, which the ISP drops

Correct answer is D. The ACL is the gatekeeper for NAT — only source IPs that match a permit statement in the ACL are eligible for translation. 192.168.20.50 is in the 192.168.20.0/24 subnet which is not covered by the permit 192.168.10.0 0.0.0.255 statement. The implicit deny at the end of every ACL means 192.168.20.50 is denied — no NAT translation entry is created. R1 routes the packet toward the ISP with the private source IP intact. The ISP's router drops the packet because RFC 1918 private addresses are not routable on the public internet. To fix, add permit 192.168.20.0 0.0.0.255 to the ACL.

10. `show ip nat statistics` shows: "access-list PAT-HOSTS interface GigabitEthernet0/0 refcount 847". What does the refcount value indicate?

A. The ACL has been evaluated 847 times since the router booted B. 847 hosts have successfully authenticated through AAA before being PAT-translated C. There are currently 847 active PAT translation entries using this specific NAT rule (access-list PAT-HOSTS + interface Gi0/0 overload) — indicating 847 simultaneous sessions are active from inside hosts D. The NAT pool has been referenced 847 times since configuration — a cumulative historical counter

Correct answer is C. The refcount in the dynamic mappings section of show ip nat statistics shows the number of currently active translation entries that were created by that specific NAT rule. A refcount of 847 means 847 active PAT sessions are currently using the PAT-HOSTS ACL + Gi0/0 interface overload rule at this moment. This is a real-time counter (not cumulative) — it decreases as sessions expire and increases as new sessions are created. High refcount values help diagnose whether a NAT rule is actively being used and how much concurrent load it is handling.

Back to Home