Troubleshooting NAT/PAT Issues

NAT and PAT failures are among the most deceptive faults in Cisco IOS networking — the router accepts every configuration command without complaint, yet traffic silently fails to reach the internet. The root causes almost always fall into one of four categories: interfaces not labelled inside or outside, an ACL that does not match the real traffic, a pool that is exhausted or misconfigured, or a routing gap that prevents translated packets from reaching their destination. This lab builds a structured diagnostic workflow using show ip nat translations, show ip nat statistics, and debug ip nat to pinpoint each failure category quickly.

Before starting, ensure you are familiar with how NAT works end-to-end. Review Static NAT Configuration for one-to-one address mapping, Dynamic NAT & PAT Configuration for pool-based and overload translation, and NAT Overview for the underlying theory. For ACL fundamentals referenced throughout this lab, see Standard ACL Configuration and ACL Overview. For wildcard mask syntax used in NAT ACLs, see Wildcard Masks. For default routes referenced in routing gap scenarios, see Default Routes.

1. NAT/PAT Failure Categories — Overview

How the Router Processes a NAT Packet

Understanding the exact processing order is essential for systematic troubleshooting. Every packet that should be translated passes through this sequence — a failure at any step produces silence with no error message:

  Packet arrives on inside interface (e.g. Gi0/1)
        │
        ▼
  Step 1 ── Is the interface marked "ip nat inside"?
            NO → packet is routed normally, NAT is never invoked
        │
        ▼
  Step 2 ── Does the ACL bound to the NAT rule permit this source IP?
            NO → packet is not translated, forwarded with private source IP
                 (internet drops or returns it)
        │
        ▼
  Step 3 ── Is a translation pool available (for dynamic NAT)?
            NO → packet dropped, "nat: address allocation failed" in debug
        │
        ▼
  Step 4 ── Is the egress interface marked "ip nat outside"?
            NO → translation table entry is created but packet is not
                 re-written on egress
        │
        ▼
  Step 5 ── Is there a route to forward the translated packet?
            NO → router drops packet with "no route to host"
        │
        ▼
  Translation succeeds — packet exits with public source IP

The Four NAT Failure Categories

#	Category	Root Cause	Symptom	Primary Diagnostic
1	Interface assignment	`ip nat inside` / `ip nat outside` missing or swapped	No translations appear — `show ip nat translations` is empty	`show ip interface [int]`
2	ACL mismatch	ACL does not match the actual source subnet; wrong wildcard; wrong ACL number bound to NAT rule	Translations missing for specific hosts; others work; debug shows no match	`show ip nat statistics`, `debug ip nat`
3	Pool exhaustion	Dynamic NAT pool has no free addresses; overload not configured; pool range too small	Some hosts translate, others do not; "misses" counter increments	`show ip nat statistics`, `show ip nat translations`
4	Routing gap	No default route or specific route to reach the public destination after translation	Translations appear correctly but traffic still fails end-to-end	`show ip route`, `ping` from inside address

NAT Address Terminology

Term	Definition	Example
Inside local	The private IP address of the internal host — as seen from inside the network	192.168.10.10
Inside global	The public IP address assigned to the internal host after translation — as seen from outside	203.0.113.5
Outside global	The public IP address of the remote server — as seen from outside	8.8.8.8
Outside local	The address of the remote server as seen from inside — usually the same as outside global unless NAT is applied in both directions	8.8.8.8

2. Lab Topology & Broken Scenarios

All four failure categories are reproduced using a single topology. Each scenario introduces one deliberate misconfiguration — the goal is to identify the fault and correct it using the diagnostic workflow:

         192.168.10.0/24 (Inside — Staff)
         [PC1: 192.168.10.10]
         [PC2: 192.168.10.11]
               │
          Gi0/1 (Inside)
          192.168.10.1
               │
          NetsTuts_R1
               │
          Gi0/0 (Outside)
          203.0.113.2/30
               │
         203.0.113.1 (ISP)
               │
         8.8.8.8 (Internet — Google DNS used as test destination)

  NAT Pool:   203.0.113.10 – 203.0.113.20  (name: INET-POOL)
  PAT:        203.0.113.2 overload          (interface-based PAT)
  ACL 1:      permit 192.168.10.0 0.0.0.255

  Scenario A — Fault: ip nat inside/outside missing on interfaces
  Scenario B — Fault: ACL permits wrong subnet (192.168.20.0 instead of 192.168.10.0)
  Scenario C — Fault: Dynamic NAT pool has only 1 address, no overload — pool exhausted by PC1
  Scenario D — Fault: No default route — translated packets have no path to internet

3. Step 1 — Establish the Correct Baseline Configuration

Before introducing faults, configure a fully working PAT setup. All troubleshooting in subsequent steps diagnoses deviations from this known-good state:

NetsTuts_R1>en
NetsTuts_R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.

! ── Interface labels ──────────────────────────────────────
NetsTuts_R1(config)#interface GigabitEthernet0/1
NetsTuts_R1(config-if)#ip address 192.168.10.1 255.255.255.0
NetsTuts_R1(config-if)#ip nat inside
NetsTuts_R1(config-if)#no shutdown
NetsTuts_R1(config-if)#exit

NetsTuts_R1(config)#interface GigabitEthernet0/0
NetsTuts_R1(config-if)#ip address 203.0.113.2 255.255.255.252
NetsTuts_R1(config-if)#ip nat outside
NetsTuts_R1(config-if)#no shutdown
NetsTuts_R1(config-if)#exit

! ── ACL permitting inside subnet ──────────────────────────
NetsTuts_R1(config)#access-list 1 permit 192.168.10.0 0.0.0.255

! ── PAT using outside interface address (overload) ────────
NetsTuts_R1(config)#ip nat inside source list 1 interface GigabitEthernet0/0 overload

! ── Default route to ISP ──────────────────────────────────
NetsTuts_R1(config)#ip route 0.0.0.0 0.0.0.0 203.0.113.1

NetsTuts_R1(config)#end
NetsTuts_R1#wr
Building configuration...
[OK]

Every NAT configuration requires exactly these four components to work: inside interface label, outside interface label, an ACL defining which traffic to translate, and a NAT/PAT rule binding the ACL to the translation method. A missing default route is a fifth failure point that operates independently of NAT — traffic can translate successfully but still have nowhere to go. Verify the full configuration with show running-config and save with write memory.

4. Step 2 — Primary Diagnostic Commands

show ip nat translations

NetsTuts_R1#show ip nat translations
Pro  Inside global       Inside local        Outside local       Outside global
tcp  203.0.113.2:49152   192.168.10.10:49152 8.8.8.8:53          8.8.8.8:53
tcp  203.0.113.2:49153   192.168.10.11:49153 8.8.8.8:80          8.8.8.8:80
icmp 203.0.113.2:1       192.168.10.10:1     8.8.8.8:1           8.8.8.8:1

Each row is one active translation. The Inside local column shows the original private IP — this is the source address of packets arriving from inside. The Inside global column shows the translated public IP and port assigned by PAT. Outside local and Outside global are both 8.8.8.8 here — they differ only when NAT is applied in both directions. An empty translation table when traffic should be flowing is the strongest indicator of a Category 1 (interface label) or Category 2 (ACL) fault.

show ip nat translations verbose

NetsTuts_R1#show ip nat translations verbose
Pro  Inside global       Inside local        Outside local       Outside global
tcp  203.0.113.2:49152   192.168.10.10:49152 8.8.8.8:53          8.8.8.8:53
    create 00:00:12, use 00:00:12, timeout:00:01:00, left 00:00:48,
    Map-Id(In): 1, portlist used: 49152, flags: extended

icmp 203.0.113.2:1       192.168.10.10:1     8.8.8.8:1           8.8.8.8:1
    create 00:00:05, use 00:00:05, timeout:00:01:00, left 00:00:55,
    Map-Id(In): 1, flags: extended

The verbose keyword adds the creation time, last-use time, remaining timeout, and the NAT map ID. The timeout shows how long before an idle entry is removed — PAT entries default to 1 minute for ICMP and DNS, 24 hours for TCP established sessions. If entries disappear faster than expected, confirm the timeout with show ip nat translations verbose and adjust with ip nat translation timeout [seconds].

show ip nat statistics

NetsTuts_R1#show ip nat statistics
Total active translations: 3 (0 static, 3 dynamic; 3 extended)
Peak translations: 5, occurred 00:02:14 ago
Outside interfaces:
  GigabitEthernet0/0
Inside interfaces:
  GigabitEthernet0/1
Hits:          47    Misses:         0
CEF Translated packets:  47, CEF Punted packets:  0
Expired translations:    12
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 1 interface GigabitEthernet0/0 refcount 3

This output is the fastest single-command health check for NAT. Key fields: Outside/Inside interfaces confirm which interfaces are labelled correctly. Hits is the count of packets that matched an existing or new translation. Misses is the count of packets that should have been translated but were not — a non-zero misses counter means something is preventing translation (ACL mismatch, pool exhaustion). Dynamic mappings shows the ACL and interface/pool bound to each NAT rule.

debug ip nat

! ── CAUTION: limit output with an ACL on busy routers ────
NetsTuts_R1(config)#access-list 100 permit ip host 192.168.10.10 any
NetsTuts_R1(config)#end

NetsTuts_R1#debug ip nat 100
IP NAT debugging is on for access list 100

! ── Sample output when NAT is working ────────────────────
NAT*: s=192.168.10.10->203.0.113.2, d=8.8.8.8 [13524]
NAT*: s=8.8.8.8, d=203.0.113.2->192.168.10.10 [13524]

! ── Sample output when NAT is NOT translating ─────────── 
! (silence — no NAT debug lines appear at all)

NetsTuts_R1#undebug all

Each debug line shows the translation event in real time. The format s=192.168.10.10->203.0.113.2 confirms the source address was rewritten — private to public. The return path line shows the destination being rewritten back. The asterisk (NAT*) indicates the translation was performed by CEF (fast path) rather than the process-switched slow path. Complete silence when traffic is flowing means NAT is not being invoked at all — the most likely cause is missing ip nat inside on the ingress interface. Always disable debug immediately after capture: undebug all.

Diagnostic Command Summary

Command	What It Shows	Best Used For
`show ip nat translations`	Active translation table — inside local/global, outside local/global, protocol, port	First check — is translation happening at all? Are specific hosts missing?
`show ip nat translations verbose`	All above plus creation time, timeout, map ID	Entry lifetime analysis — why are entries expiring too fast or not at all?
`show ip nat statistics`	Interface labels, hits/misses counters, dynamic mapping ACL+pool binding	Quick health check — confirm interfaces are labelled, check for misses
`debug ip nat [acl]`	Real-time per-packet translation events — shows address rewriting or absence of it	Confirm translation is happening packet-by-packet; silence confirms NAT not invoked
`show ip interface brief`	All interface IPs and line/protocol status	Confirm interfaces are up before troubleshooting NAT logic
`show ip route`	Routing table — default route, specific routes	Verify a path exists after translation (Category 4 — routing gap)
`clear ip nat translation *`	Clears all dynamic NAT/PAT translation entries	Reset the translation table before re-testing after a config fix

5. Scenario A — Missing or Swapped Inside/Outside Labels

The most common NAT misconfiguration. The router will not invoke NAT on a packet unless it arrives on an ip nat inside interface. If the labels are missing or reversed, every other part of the NAT configuration is irrelevant — translation never happens.

Introducing the Fault

! ── Remove inside label from Gi0/1 ──────────────────────
NetsTuts_R1(config)#interface GigabitEthernet0/1
NetsTuts_R1(config-if)#no ip nat inside
NetsTuts_R1(config-if)#exit

Symptom — show ip nat statistics

NetsTuts_R1#show ip nat statistics
Total active translations: 0 (0 static, 0 dynamic; 0 extended)
Peak translations: 0
Outside interfaces:
  GigabitEthernet0/0
Inside interfaces:
  (none configured)
Hits:    0    Misses:    0

The critical indicator is "Inside interfaces: (none configured)". Both Hits and Misses are zero — the NAT process is not even being invoked because no interface is designated as inside. Packets arrive on Gi0/1 and are routed normally without NAT. Notice the misses counter is also zero — misses only increment when NAT is invoked but fails to find a translation. No inside label means NAT is never invoked in the first place.

Symptom — debug ip nat

NetsTuts_R1#debug ip nat 100
IP NAT debugging is on for access list 100

! ── PC1 pings 8.8.8.8 — complete silence in debug ───────
! (no NAT debug lines appear despite active traffic)

NetsTuts_R1#undebug all

Diagnosis — show ip interface

NetsTuts_R1#show ip interface GigabitEthernet0/1
GigabitEthernet0/1 is up, line protocol is up
  Internet address is 192.168.10.1/24
  Inbound  access list is not set
  Outgoing access list is not set
  IP NAT: outside  ← WRONG — should be "inside"
  ...

NetsTuts_R1#show ip interface GigabitEthernet0/0
GigabitEthernet0/0 is up, line protocol is up
  Internet address is 203.0.113.2/30
  IP NAT: outside  ← correct
  ...

The show ip interface output explicitly states "IP NAT: outside" or "IP NAT: inside" for each interface. If neither label appears, NAT is not configured on that interface. If the labels are swapped (inside applied to the WAN, outside applied to the LAN), the router tries to translate packets arriving from the internet and re-write them toward the LAN — the exact opposite of the intended behaviour.

Fix

NetsTuts_R1(config)#interface GigabitEthernet0/1
NetsTuts_R1(config-if)#ip nat inside
NetsTuts_R1(config-if)#exit

! ── Clear stale entries and re-test ──────────────────────
NetsTuts_R1#clear ip nat translation *

6. Scenario B — ACL Does Not Match the Traffic

The NAT rule references an ACL to determine which source addresses should be translated. If the ACL is misconfigured — wrong subnet, wrong wildcard, wrong ACL number in the NAT rule — matching packets are not translated. Non-matching packets are forwarded with their original private source IP, which the internet drops.

Introducing the Fault — Wrong Subnet in ACL

! ── ACL permits 192.168.20.0 but inside network is 192.168.10.0 ──
NetsTuts_R1(config)#no access-list 1
NetsTuts_R1(config)#access-list 1 permit 192.168.20.0 0.0.0.255

Symptom — show ip nat statistics

NetsTuts_R1#show ip nat statistics
Total active translations: 0 (0 static, 0 dynamic; 0 extended)
Peak translations: 3, occurred 00:05:10 ago
Outside interfaces:
  GigabitEthernet0/0
Inside interfaces:
  GigabitEthernet0/1
Hits:    0    Misses:    14
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 1 interface GigabitEthernet0/0 refcount 0

The inside and outside interfaces are correctly labelled — but the Misses counter is 14 and climbing. This is the signature of a Category 2 fault: NAT is being invoked (interfaces are labelled), but the ACL is rejecting every packet (no hits, only misses). The translation table is empty — no successful translations have occurred. The peak translations of 3 from earlier confirm the configuration worked before the ACL was changed.

Symptom — debug ip nat

NetsTuts_R1#debug ip nat 100
IP NAT debugging is on for access list 100

! ── PC1 pings 8.8.8.8 — still silence ───────────────────
! NAT is invoked but immediately rejects the packet due to ACL miss
! No translation event fires — packet forwarded un-translated

NetsTuts_R1#undebug all

Even with debug enabled, there is silence — but the cause is different from Scenario A. Here NAT is invoked (the interface labels are correct), but the ACL denies the packet before a translation entry is created, so no debug line is generated. The distinguishing factor between Scenario A and B is the Misses counter: zero in Scenario A (NAT not invoked), non-zero in Scenario B (NAT invoked but ACL denies).

Diagnosis — Verify the ACL

NetsTuts_R1#show ip nat statistics
! ── Misses counter confirms ACL is rejecting packets ─────

NetsTuts_R1#show access-lists 1
Standard IP access list 1
    10 permit 192.168.20.0, wildcard bits 0.0.0.255 (0 matches)

! ── Zero matches confirm no inside traffic is matching ACL 1 ──
! ── Inside network is 192.168.10.0 — ACL permits wrong subnet ─

Fix

NetsTuts_R1(config)#no access-list 1
NetsTuts_R1(config)#access-list 1 permit 192.168.10.0 0.0.0.255

NetsTuts_R1#clear ip nat translation *

ACL bound to wrong NAT rule: A second variant of this fault is when the correct ACL exists but the NAT rule references a different ACL number. For example, ACL 1 permits the correct subnet but the NAT rule says ip nat inside source list 2 ... and ACL 2 does not exist or permits a different range. Check the "Dynamic mappings" section of show ip nat statistics — it shows exactly which ACL is bound to each NAT rule.

7. Scenario C — Pool Exhaustion (Dynamic NAT Without Overload)

Dynamic NAT (without overload) maps each inside host to one dedicated public IP address from a pool. When the pool runs out of free addresses, new translation requests are silently dropped. This is the classic scenario where PC1 can reach the internet but PC2 cannot — because PC1 holds the only pool address.

Introducing the Fault — Single-Address Pool Without Overload

! ── Remove PAT overload, configure dynamic NAT with tiny pool ──
NetsTuts_R1(config)#no ip nat inside source list 1 interface GigabitEthernet0/0 overload

NetsTuts_R1(config)#ip nat pool INET-POOL 203.0.113.10 203.0.113.10 netmask 255.255.255.0
NetsTuts_R1(config)#ip nat inside source list 1 pool INET-POOL

The pool INET-POOL contains only one address (203.0.113.10 to 203.0.113.10). Without overload, each inside host requires one dedicated pool address. The first host to generate traffic claims 203.0.113.10 — the second host finds the pool empty and its packets are dropped without any notification.

Symptom — show ip nat translations

NetsTuts_R1#show ip nat translations
Pro  Inside global     Inside local        Outside local    Outside global
---  203.0.113.10      192.168.10.10       ---              ---

PC1 (192.168.10.10) has claimed 203.0.113.10. Notice there are no port numbers in this entry — this is a dynamic NAT entry (no overload), not PAT. The --- in the protocol and outside columns indicates a static-style mapping with no specific connection tracking. PC2 (192.168.10.11) has no entry — its traffic is being dropped silently.

Symptom — show ip nat statistics

NetsTuts_R1#show ip nat statistics
Total active translations: 1 (0 static, 1 dynamic; 0 extended)
Peak translations: 1
Outside interfaces:
  GigabitEthernet0/0
Inside interfaces:
  GigabitEthernet0/1
Hits:    22    Misses:    18
Dynamic mappings:
-- Inside Source
[Id: 2] access-list 1 pool INET-POOL refcount 1
 pool INET-POOL: id 1, netmask 255.255.255.0
       start 203.0.113.10 end 203.0.113.10
       type generic, total addresses 1, allocated 1 (100%), misses 18

The pool statistics are the definitive indicator of exhaustion: total addresses 1, allocated 1 (100%), misses 18. Every new translation request since the pool was exhausted increments the misses counter. The 100% allocation confirms there are no free addresses remaining. In a real environment with a larger pool, partial exhaustion would show 80–90% allocation with a growing misses count during peak hours.

Fix — Add Overload (PAT)

! ── Option 1: Add overload to the existing pool rule ─────
NetsTuts_R1(config)#no ip nat inside source list 1 pool INET-POOL
NetsTuts_R1(config)#ip nat inside source list 1 pool INET-POOL overload

! ── Option 2: Switch to interface-based PAT (simpler) ────
NetsTuts_R1(config)#no ip nat inside source list 1 pool INET-POOL
NetsTuts_R1(config)#ip nat inside source list 1 interface GigabitEthernet0/0 overload

NetsTuts_R1#clear ip nat translation *

Adding overload converts dynamic NAT to PAT — multiple inside hosts share the single pool address (or the interface address) differentiated by port number. This resolves pool exhaustion completely: PAT supports up to approximately 65,535 concurrent translations per public IP address. Option 2 (interface-based PAT) is the most common real-world configuration because it automatically uses whatever IP address is assigned to the outside interface, even if it changes via DHCP from the ISP.

Fix — Expand the Pool

! ── If PAT is not desired — expand the pool range ────────
NetsTuts_R1(config)#no ip nat pool INET-POOL
NetsTuts_R1(config)#ip nat pool INET-POOL 203.0.113.10 203.0.113.20 netmask 255.255.255.0
! ── Pool now has 11 addresses (10 through 20) ────────────

8. Scenario D — Routing Gap After Translation

NAT only rewrites addresses — it does not create routes. If no route exists to forward the translated packet toward the internet, the router drops it after translation. This is a uniquely deceptive fault because show ip nat translations looks perfectly healthy — entries are being created — yet traffic still fails end-to-end.

Introducing the Fault — Remove the Default Route

! ── Remove default route ─────────────────────────────────
NetsTuts_R1(config)#no ip route 0.0.0.0 0.0.0.0 203.0.113.1

Symptom — show ip nat translations

NetsTuts_R1#show ip nat translations
Pro  Inside global       Inside local        Outside local    Outside global
icmp 203.0.113.2:1       192.168.10.10:1     8.8.8.8:1        8.8.8.8:1

The translation entry exists and looks correct — 192.168.10.10 has been translated to 203.0.113.2. But the ping still fails. This is what makes the routing gap fault the hardest to diagnose: every NAT command shows green. The fault lies entirely outside the NAT subsystem.

Symptom — show ip nat statistics

NetsTuts_R1#show ip nat statistics
Total active translations: 1 (0 static, 1 dynamic; 1 extended)
Hits:    4    Misses:    0

Hits are incrementing, misses are zero — NAT is translating every packet successfully. The fault is not in NAT at all. This is the critical distinction: in all other scenarios either the translation table is empty or misses are non-zero. Here everything in NAT is working perfectly.

Diagnosis — show ip route

NetsTuts_R1#show ip route
Codes: C - connected, S - static, ...

      192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.10.0/24 is directly connected, GigabitEthernet0/1
L        192.168.10.1/32 is directly connected, GigabitEthernet0/1
      203.0.113.0/30 is variably subnetted, 2 subnets, 2 masks
C        203.0.113.0/30 is directly connected, GigabitEthernet0/0
L        203.0.113.2/32 is directly connected, GigabitEthernet0/0

! ── No S*  0.0.0.0/0 entry — default route is missing ────

The absence of S* 0.0.0.0/0 confirms the routing gap. After translating 192.168.10.10 to 203.0.113.2, the router looks up the destination 8.8.8.8 in the routing table and finds no match. The packet is dropped with an ICMP unreachable message back to the inside host — which never reaches the internet. Always check show ip route when NAT looks correct but end-to-end connectivity fails. For general Layer 3 routing troubleshooting see Troubleshooting Layer 3 Routing.

Fix

NetsTuts_R1(config)#ip route 0.0.0.0 0.0.0.0 203.0.113.1

NetsTuts_R1#show ip route | include 0.0.0.0
S*    0.0.0.0/0 [1/0] via 203.0.113.1

9. Additional NAT/PAT Issues

Static NAT — Translation in Wrong Direction

! ── Static NAT maps inside host to public IP ─────────────
! ── Correct direction: ip nat inside source static [inside-local] [inside-global]
NetsTuts_R1(config)#ip nat inside source static 192.168.10.10 203.0.113.5

! ── WRONG — this translates OUTSIDE-to-INSIDE (destination NAT) ──
! NetsTuts_R1(config)#ip nat outside source static 203.0.113.5 192.168.10.10

ip nat inside source translates the source address of packets arriving from inside — the typical outbound NAT direction. ip nat outside source translates the source address of packets arriving from outside — used for very specific inbound translation scenarios. Confusing these two commands produces translations in the wrong direction — inside hosts cannot reach the internet and/or inbound connections behave unexpectedly. Always verify direction with show ip nat statistics and confirm the Dynamic mappings section shows "Inside Source."

Clearing the Translation Table

! ── Clear all dynamic translations ───────────────────────
NetsTuts_R1#clear ip nat translation *

! ── Clear only translations for one inside host ──────────
NetsTuts_R1#clear ip nat translation inside 192.168.10.10

! ── Clear only TCP translations to a specific destination ─
NetsTuts_R1#clear ip nat translation tcp inside 192.168.10.10 49152 outside 8.8.8.8 80

! ── Static translations are NOT cleared by "clear ip nat translation *"
! ── Remove and re-add the static command to reset static entries

Always clear the translation table after changing NAT configuration — stale entries from the old configuration will continue to be used until they time out naturally (up to 24 hours for established TCP). clear ip nat translation * removes all dynamic entries instantly. Note it does not remove static entries — those are only removed by deleting the ip nat inside source static command. If a fix does not seem to take effect, stale translations are often the reason.

NAT Pool Subnet Mismatch

! ── WRONG: pool netmask does not match the pool address range ──
NetsTuts_R1(config)#ip nat pool BAD-POOL 203.0.113.10 203.0.113.20 netmask 255.255.255.252

! ── The /30 netmask covers only 203.0.113.8 – 203.0.113.11 ──────
! ── Addresses 203.0.113.12 – 203.0.113.20 are outside the subnet ─
! ── IOS will reject or silently truncate the pool ────────────────

! ── CORRECT: use a netmask that covers the entire pool range ──
NetsTuts_R1(config)#ip nat pool GOOD-POOL 203.0.113.10 203.0.113.20 netmask 255.255.255.0

The netmask in an ip nat pool command must cover the entire address range from start to end. If the netmask is too narrow, IOS either rejects the command or silently limits the pool to the addresses that fit within the subnet boundary. Verify pool size in show ip nat statistics — "total addresses" should match the expected count. A /24 covering 203.0.113.0–255 contains 11 usable addresses from .10 to .20.

PAT Port Block Exhaustion (High-Volume)

NetsTuts_R1#show ip nat translations total
Total number of translations: 64521

! ── Approaching the 65535 port limit per public IP ───────────
! ── Add a second public IP or pool to expand PAT capacity ────
NetsTuts_R1(config)#ip nat pool EXTRA-POOL 203.0.113.3 203.0.113.4 netmask 255.255.255.252
NetsTuts_R1(config)#ip nat inside source list 1 pool EXTRA-POOL overload

PAT supports approximately 65,535 simultaneous port translations per public IP address. In high-density environments (schools, enterprises, ISPs), a single IP can become saturated. When the port table is full, new connections are dropped silently. Monitor with show ip nat translations total — if the count approaches 64,000 consistently, add additional public IP addresses to the PAT pool. Each additional IP multiplies the available port space.

10. Structured Troubleshooting Workflow

Step	Command	What to Look For	If Found
1	`show ip nat statistics`	Inside/outside interfaces listed? Hits/misses ratio?	No inside interface → Scenario A (add `ip nat inside`). Misses only → Scenario B (fix ACL). Misses + pool 100% → Scenario C (add overload or expand pool)
2	`show ip nat translations`	Are entries being created? Correct inside local/global addresses?	Empty table → confirm interfaces first. Correct entries but no connectivity → Scenario D (check routing)
3	`show ip interface [int]`	"IP NAT: inside" on LAN interface, "IP NAT: outside" on WAN interface?	Missing or swapped → remove and re-add the correct label
4	`show access-lists [n]`	Does the ACL permit the actual inside subnet? Is the match counter incrementing?	Zero matches or wrong subnet → fix the ACL permit statement
5	`show ip route`	Is there a default route (`S* 0.0.0.0/0`) or a specific route to the internet?	No default route → add `ip route 0.0.0.0 0.0.0.0 [next-hop]`
6	`debug ip nat [acl]`	Are translation events appearing? Or silence?	Silence → interface labels missing (Scenario A). Events but traffic fails → routing gap (Scenario D)
7	`clear ip nat translation *`	After any config fix, clear stale translations before retesting	Always do this — old entries persist and mask fixes

Key Points & Exam Tips

NAT requires both ip nat inside on the LAN interface and ip nat outside on the WAN interface. Missing either label means NAT is never invoked — the translation table stays empty and the misses counter stays at zero.
show ip nat statistics is the fastest first diagnostic: check the Inside/Outside interface list first, then compare Hits vs Misses. All misses and no hits means the ACL is rejecting traffic or NAT is not being invoked at all.
The Misses counter distinguishes an ACL fault from an interface label fault: misses are zero when NAT is not invoked (no inside label), and non-zero when NAT is invoked but the ACL denies the packet.
Pool exhaustion is confirmed by show ip nat statistics showing "allocated 100%" on the pool. Fix with overload to enable PAT, or expand the address range in the pool definition.
A routing gap produces the most deceptive symptom: show ip nat translations looks healthy with correct entries, but end-to-end connectivity still fails. Always check show ip route when NAT looks correct but traffic does not flow.
Always run clear ip nat translation * after changing NAT configuration — stale entries from the old config persist and continue to be used for up to 24 hours for TCP sessions.
debug ip nat [acl] with a filter ACL is the most granular tool. Complete silence means NAT is not invoked. Seeing s=private->public entries confirms translation is happening. Always undebug all immediately after testing.
Static NAT entries (ip nat inside source static) are not cleared by clear ip nat translation * — they must be removed by deleting the static NAT command itself.
The four categories in order of frequency: interface labels (most common) → ACL mismatch → routing gap → pool exhaustion.
On the CCNA exam: know the output of show ip nat translations (inside local vs inside global), the meaning of the Hits/Misses counters in show ip nat statistics, the overload keyword for PAT, and the four NAT address terms (inside local, inside global, outside local, outside global).

Next Steps: For building the initial NAT/PAT configuration that this lab troubleshoots, see Dynamic NAT & PAT Configuration and Static NAT Configuration. For extended ACLs used in more specific NAT permit rules, see Extended ACL Configuration. For logging NAT translation events to a syslog server, review Syslog Configuration and show logging. For the NAT and PAT theory covered in this lab see NAT Overview. For broader Layer 3 troubleshooting beyond NAT see Troubleshooting Layer 3 Routing. For default route configuration referenced in Scenario D see Default Routes.

TEST WHAT YOU LEARNED

1. A router has a complete NAT configuration but `show ip nat translations` is empty and both Hits and Misses in `show ip nat statistics` are zero. What is the most likely cause?

A. The ACL referenced in the NAT rule is permitting the wrong subnet — NAT is invoked but rejects every packet B. The ip nat inside label is missing from the LAN interface — NAT is never invoked. Packets arrive on the interface and are routed normally without any translation attempt, so neither Hits nor Misses increment C. The NAT pool is exhausted — all addresses are allocated and new requests are silently dropped D. The default route is missing — packets are translated correctly but dropped after translation due to no routing path

Correct answer is B. The key diagnostic clue is that both Hits and Misses are zero. Misses only increment when NAT is invoked but the ACL denies the packet — so zero misses means NAT was never invoked at all. NAT is only invoked when a packet arrives on an interface marked ip nat inside. Without that label, the router processes the packet as ordinary routing — no translation, no counters. Option A (ACL mismatch) would show zero Hits but non-zero Misses. Option C (pool exhaustion) would show some Hits (first host) and growing Misses (subsequent hosts). Option D (no route) would show Hits incrementing because translation succeeds before the routing lookup fails.

2. `show ip nat statistics` shows Hits: 0, Misses: 47. The inside and outside interfaces are correctly labelled. What does this indicate?

A. The NAT pool is exhausted — all 47 requests found no free pool addresses B. The default route is missing — 47 packets were translated but then dropped with no route C. The outside interface label is missing — NAT is invoked on ingress but fails on egress D. The ACL bound to the NAT rule is not matching the inside traffic — 47 packets reached the NAT process but the ACL denied all of them. Zero Hits confirms no translation has ever succeeded. Check the ACL number in the dynamic mappings section and verify the permit statement covers the correct subnet

Correct answer is D. The pattern of zero Hits with non-zero Misses is the definitive signature of an ACL mismatch. The interfaces are labelled (NAT is being invoked — hence the misses counter incrementing), but the ACL is denying every packet before a translation entry is created. Pool exhaustion (Option A) would show some Hits for hosts that translated successfully before the pool emptied — not zero Hits. A missing default route (Option B) would show Hits incrementing because translation succeeds; the routing failure happens after NAT. A missing outside label would produce a more complex symptom where the translation table might have entries but return traffic is not re-written.

3. What is the difference between the "Inside local" and "Inside global" addresses in `show ip nat translations`?

A. Inside local is the original private IP address of the internal host before translation. Inside global is the public IP address assigned to that host after translation — the address that the internet sees as the source of the packet B. Inside local is the router's LAN interface IP. Inside global is the router's WAN interface IP C. Inside local is the destination IP of packets coming from the internet. Inside global is the source IP of packets going to the internet D. Inside local and inside global are identical for PAT — they only differ for static NAT mappings

Correct answer is A. The four NAT address terms describe the same packet from two perspectives — inside (the private network view) and outside (the public internet view). Inside local: the private IP as it exists inside your network (e.g. 192.168.10.10). Inside global: the public IP that the internet sees for that same host after translation (e.g. 203.0.113.2). Outside local: the destination IP as seen from inside — usually the same as the real server IP. Outside global: the real public IP of the remote server. The "local" vs "global" distinction refers to whether the address is a private (local) or public (global) address, not physical location relative to the router.

4. A network has two inside PCs. PC1 can reach the internet, PC2 cannot. `show ip nat statistics` shows the pool at 100% allocation with misses incrementing. What is the fix?

A. Add ip nat inside to the interface connecting PC2 — it is missing the inside label B. Create a second ACL permitting only PC2's IP and bind it to a second NAT rule C. Add the overload keyword to the NAT rule to enable PAT — multiple inside hosts will share the pool address using unique port numbers, eliminating the one-host-per-IP limitation. Alternatively expand the pool to include more public addresses D. Reduce the NAT translation timeout so PC1's entry expires faster and frees the pool address for PC2

Correct answer is C. The symptom — PC1 works, PC2 does not, pool 100% allocated, misses incrementing — is textbook pool exhaustion from dynamic NAT without overload. Each inside host requires one dedicated pool IP. When the pool has only one address, the first host to generate traffic claims it permanently (until the translation times out or is cleared). Adding overload converts the rule to PAT: all inside hosts share one public IP, distinguished by unique source port numbers. PAT supports up to ~65,535 simultaneous sessions per public IP. Option D (reducing timeout) is a workaround at best — it introduces connection instability for PC1 rather than solving the root cause.

5. `show ip nat translations` shows correct entries with accurate inside local and inside global addresses. But pings from inside PCs to 8.8.8.8 still fail. What should be checked next?

A. The ACL is misconfigured — re-check the wildcard mask against the inside subnet B. The NAT pool is exhausted — the translation entries visible are stale and non-functional C. The ip nat inside label is missing — the entries are artifacts from a previous config D. Run show ip route — the translation table being populated confirms NAT is working correctly. The failure point is after translation. A missing default route or specific route to 8.8.8.8 means the router drops the translated packet with no forwarding path

Correct answer is D. When the translation table contains correct entries, NAT is functioning. The problem is downstream of NAT — in the routing layer. After rewriting the source IP from private to public, the router performs a routing lookup for the destination (8.8.8.8). If no default route or specific route exists for 8.8.8.8, the packet is dropped. This is the most deceptive NAT fault because all NAT-specific commands appear healthy. The fix is to add ip route 0.0.0.0 0.0.0.0 [ISP-next-hop]. Always check show ip route when NAT diagnostics look correct but end-to-end connectivity fails.

6. After fixing a NAT misconfiguration, connectivity is still broken. The config looks correct. What step is frequently overlooked?

A. Saving the configuration with wr — NAT changes are not active until written to NVRAM B. Running clear ip nat translation * — stale entries from the old (broken) configuration remain in the translation table and continue to be used for active sessions until they time out, which can take up to 24 hours for established TCP C. Rebooting the router — NAT configuration changes only take effect after a full reload D. Re-applying the ip nat inside and ip nat outside commands — changing the NAT rule removes interface labels

Correct answer is B. The NAT translation table is built dynamically and entries persist based on their configured timeout — up to 1 minute for ICMP/UDP, and up to 24 hours for established TCP sessions. When you fix a broken NAT rule (e.g. correct the ACL or change the pool), the stale entries created under the old broken config remain active. New traffic may match those stale entries rather than being processed by the corrected rule. clear ip nat translation * instantly removes all dynamic entries, forcing the next packet to create a fresh translation under the corrected configuration. This is a required step after any NAT fix — not optional.

7. What does complete silence from `debug ip nat` indicate when inside hosts are actively sending traffic toward the internet?

A. NAT is not being invoked at all — the most likely cause is a missing ip nat inside label on the ingress interface. Packets are being routed without any translation attempt, so no debug events fire B. The ACL is blocking all packets — debug suppresses output when the ACL denies a packet C. The translation is happening so fast that debug output is being dropped by the console buffer D. The NAT pool is exhausted — debug only shows successful translations, not failed attempts

Correct answer is A. debug ip nat fires an event every time the NAT process handles a packet — whether it succeeds or fails to translate. Complete silence means the NAT process is not seeing the packets at all. The NAT process is only invoked when a packet arrives on an ip nat inside interface (for outbound) or an ip nat outside interface (for inbound translation). If neither label is present on the relevant interface, packets pass through the routing engine without touching NAT, and debug produces nothing. This is distinct from an ACL mismatch (where NAT is invoked but rejects the packet — the misses counter increments even though debug may not print a translation event).

8. An engineer configures `ip nat outside source static 203.0.113.5 192.168.10.10` instead of `ip nat inside source static 192.168.10.10 203.0.113.5`. What is the practical effect?

A. No difference — both commands create the same static NAT entry in opposite directions that cancel each other out B. The command fails — IOS rejects ip nat outside source static syntax C. The translation applies to packets arriving from outside (the internet) and rewrites their source address — a destination NAT behaviour rather than the intended source NAT. Inside hosts cannot initiate outbound connections through this rule, and inbound traffic is mis-translated rather than forwarded correctly D. The inside host 192.168.10.10 is given two simultaneous translations — one for inbound and one for outbound — doubling the translation table entries

Correct answer is C. ip nat inside source translates the source address of packets arriving from the inside network — standard outbound NAT used to allow private hosts to reach the internet. ip nat outside source translates the source address of packets arriving from the outside network — a much rarer configuration used in specific scenarios such as overlapping address spaces. Using ip nat outside source static instead of ip nat inside source static means the router is configured to translate traffic coming in from the internet (rewriting the internet source IP to a private IP), which is the opposite of the engineer's intent. The inside hosts still cannot reach the internet because no inside-source translation exists.

9. Which command removes a single stale PAT entry for inside host 192.168.10.10 talking to outside server 8.8.8.8 on TCP port 80, without clearing other active translations?

A. clear ip nat translation * B. no ip nat inside source list 1 interface GigabitEthernet0/0 overload C. clear ip nat translation inside 192.168.10.10 D. clear ip nat translation tcp inside 192.168.10.10 [src-port] outside 8.8.8.8 80 — this targets the specific TCP translation by specifying the inside host, protocol, and outside destination. Other active translations for different hosts or protocols are not affected

Correct answer is D. Cisco IOS supports granular translation clearing. The full syntax is

clear ip nat translation tcp inside [inside-local-IP] [inside-local-port] outside [outside-global-IP] [outside-global-port]

. This precisely targets one entry in the translation table while leaving all other entries intact — important in production when you need to reset a specific stuck session without disrupting other active users. Option A (clear ip nat translation *) clears all dynamic entries — too broad. Option B removes the NAT rule entirely and would break all NAT for all hosts. Option C clears all translations for the inside host 192.168.10.10 — closer, but still removes all of that host's translations, not just the specific TCP/80 entry.

10. An engineer is troubleshooting NAT on a router. `show ip nat statistics` shows the inside interface as GigabitEthernet0/0 and outside interface as GigabitEthernet0/1. The LAN is connected to Gi0/0 and the WAN to Gi0/1. The translation table is empty. What is wrong and how is it fixed?

A. The inside and outside labels are swapped — ip nat inside should be on the LAN interface (Gi0/0) and ip nat outside on the WAN interface (Gi0/1). Fix: remove both labels and re-apply them to the correct interfaces. The router is currently trying to translate internet traffic arriving from Gi0/1 as if it were inside traffic B. The configuration is correct — inside/outside labels are relative to the router, not the network, so the WAN being "outside" and labelled outside is right C. The NAT pool is misconfigured — the interface labels have no effect on whether NAT translates traffic D. The default route is missing — re-add ip route 0.0.0.0 0.0.0.0 to restore NAT functionality

Correct answer is A. ip nat inside must be applied to the interface facing the private network (the LAN — Gi0/0), and ip nat outside must be applied to the interface facing the public network (the WAN — Gi0/1). The output shows the labels are reversed: the LAN interface Gi0/0 is marked as inside-facing in the statistics, meaning it is actually labelled outside — which causes the router to intercept traffic arriving from the internet and attempt to translate it inbound rather than translating private LAN traffic outbound. The fix is to enter each interface and swap the labels: no ip nat outside on Gi0/1 followed by ip nat outside, and no ip nat inside on Gi0/0 followed by ip nat inside. Then clear the translation table.

Back to Home

Troubleshooting NAT/PAT Issues

1. NAT/PAT Failure Categories — Overview

How the Router Processes a NAT Packet

The Four NAT Failure Categories

NAT Address Terminology

2. Lab Topology & Broken Scenarios

3. Step 1 — Establish the Correct Baseline Configuration

4. Step 2 — Primary Diagnostic Commands

show ip nat translations

show ip nat translations verbose

show ip nat statistics

debug ip nat

Diagnostic Command Summary

5. Scenario A — Missing or Swapped Inside/Outside Labels

Introducing the Fault

Symptom — show ip nat statistics

Symptom — debug ip nat

Diagnosis — show ip interface

Fix

6. Scenario B — ACL Does Not Match the Traffic

Introducing the Fault — Wrong Subnet in ACL

Symptom — show ip nat statistics

Symptom — debug ip nat

Diagnosis — Verify the ACL

Fix

7. Scenario C — Pool Exhaustion (Dynamic NAT Without Overload)

Introducing the Fault — Single-Address Pool Without Overload

Symptom — show ip nat translations

Symptom — show ip nat statistics

Fix — Add Overload (PAT)

Fix — Expand the Pool

8. Scenario D — Routing Gap After Translation

Introducing the Fault — Remove the Default Route

Symptom — show ip nat translations

Symptom — show ip nat statistics

Diagnosis — show ip route

Fix

9. Additional NAT/PAT Issues

Static NAT — Translation in Wrong Direction

Clearing the Translation Table

NAT Pool Subnet Mismatch

PAT Port Block Exhaustion (High-Volume)

10. Structured Troubleshooting Workflow

Key Points & Exam Tips

TEST WHAT YOU LEARNED

1. A router has a complete NAT configuration but show ip nat translations is empty and both Hits and Misses in show ip nat statistics are zero. What is the most likely cause?

2. show ip nat statistics shows Hits: 0, Misses: 47. The inside and outside interfaces are correctly labelled. What does this indicate?

3. What is the difference between the "Inside local" and "Inside global" addresses in show ip nat translations?

4. A network has two inside PCs. PC1 can reach the internet, PC2 cannot. show ip nat statistics shows the pool at 100% allocation with misses incrementing. What is the fix?

5. show ip nat translations shows correct entries with accurate inside local and inside global addresses. But pings from inside PCs to 8.8.8.8 still fail. What should be checked next?

6. After fixing a NAT misconfiguration, connectivity is still broken. The config looks correct. What step is frequently overlooked?

7. What does complete silence from debug ip nat indicate when inside hosts are actively sending traffic toward the internet?

8. An engineer configures ip nat outside source static 203.0.113.5 192.168.10.10 instead of ip nat inside source static 192.168.10.10 203.0.113.5. What is the practical effect?

9. Which command removes a single stale PAT entry for inside host 192.168.10.10 talking to outside server 8.8.8.8 on TCP port 80, without clearing other active translations?

10. An engineer is troubleshooting NAT on a router. show ip nat statistics shows the inside interface as GigabitEthernet0/0 and outside interface as GigabitEthernet0/1. The LAN is connected to Gi0/0 and the WAN to Gi0/1. The translation table is empty. What is wrong and how is it fixed?

1. A router has a complete NAT configuration but `show ip nat translations` is empty and both Hits and Misses in `show ip nat statistics` are zero. What is the most likely cause?

2. `show ip nat statistics` shows Hits: 0, Misses: 47. The inside and outside interfaces are correctly labelled. What does this indicate?

3. What is the difference between the "Inside local" and "Inside global" addresses in `show ip nat translations`?

4. A network has two inside PCs. PC1 can reach the internet, PC2 cannot. `show ip nat statistics` shows the pool at 100% allocation with misses incrementing. What is the fix?

5. `show ip nat translations` shows correct entries with accurate inside local and inside global addresses. But pings from inside PCs to 8.8.8.8 still fail. What should be checked next?

7. What does complete silence from `debug ip nat` indicate when inside hosts are actively sending traffic toward the internet?

8. An engineer configures `ip nat outside source static 203.0.113.5 192.168.10.10` instead of `ip nat inside source static 192.168.10.10 203.0.113.5`. What is the practical effect?

10. An engineer is troubleshooting NAT on a router. `show ip nat statistics` shows the inside interface as GigabitEthernet0/0 and outside interface as GigabitEthernet0/1. The LAN is connected to Gi0/0 and the WAN to Gi0/1. The translation table is empty. What is wrong and how is it fixed?