NAT – Network Address Translation Overview

1. What Is NAT and Why Is It Needed?

Network Address Translation (NAT) is a process performed by a router (or firewall) that modifies the IP address information in packet headers as traffic passes through it. NAT was introduced primarily to conserve IPv4 address space — but it also provides a degree of security by hiding internal network addressing from external networks.

The IPv4 address space (approximately 4.3 billion addresses) was exhausted at the regional registry level years ago. NAT allows an entire organisation to share one or a small pool of public IP addresses while using private IP addresses internally. Without NAT, every device that needs to reach the internet would require its own unique public IPv4 address — an impossibility at today's scale.

  Problems NAT solves, and how it addresses each:

  IPv4 address exhaustion
    Many private addresses map to one (or few) public addresses, multiplying effective address capacity enormously
  Internal address exposure
    Private RFC 1918 addresses are never routed on the internet; external hosts only see the public NAT address
  Renumbering when changing ISPs
    Only the public NAT address needs to change; internal private addressing remains untouched
  Overlapping address spaces
    NAT can translate between networks that use the same private address range (common in mergers and VPNs)

NAT and IPv6: NAT is largely a workaround for IPv4 scarcity. IPv6 provides enough addresses (340 undecillion) so that every device in the world can have a globally unique address — making NAT unnecessary in pure IPv6 environments. However, NAT remains ubiquitous in real-world networks because IPv4 is still dominant. See: IPv6 Overview

Related pages: Static NAT Lab | Dynamic NAT Lab | PAT (Port Address Translation) Lab | IPv6 & Private IP Overview | Static NAT Configuration Lab | Dynamic NAT & PAT Lab

2. NAT Terminology — Inside/Outside Local/Global

NAT uses four address terms that often cause confusion in CCNA study. It is essential to understand what each term means before studying the NAT types. The key is that "local" means the address as seen from inside the network, and "global" means the address as seen from the internet (outside). "Inside" refers to the private/internal side; "outside" refers to the internet/external side.

  Inside Local
    Definition:        The IP address assigned to an inside host — the private address configured on the host's NIC
    Typical address:   RFC 1918 private (e.g., 192.168.1.10)
    Where it appears:  Source address of packets before NAT translation (on the inside network)

  Inside Global
    Definition:        The public IP address that represents an inside host to the outside world — what the internet sees as the source
    Typical address:   Public IP (e.g., 203.0.113.5)
    Where it appears:  Source address of packets after NAT translation (on the outside network)

  Outside Local
    Definition:        The IP address of an external host as seen from inside the network. In most standard NAT deployments this equals the Outside Global (no translation on the outside address)
    Typical address:   Usually the same as Outside Global
    Where it appears:  Destination address of packets before NAT (on the inside)

  Outside Global
    Definition:        The actual IP address assigned to the external host (the real internet address of the destination server)
    Typical address:   Public IP (e.g., 8.8.8.8)
    Where it appears:  Destination address of packets on the outside network

  Address flow — inside host (192.168.1.10) reaching Google DNS (8.8.8.8):

  Inside network                  Router (NAT)               Outside (Internet)
  ─────────────                  ────────────               ──────────────────
  Src: 192.168.1.10  ──────────► Src: 192.168.1.10          Src: 203.0.113.5
  Dst: 8.8.8.8                   Dst: 8.8.8.8      ───────► Dst: 8.8.8.8
                                 (NAT translates source)

  Address labels:
  192.168.1.10  = Inside Local    (private address of inside host)
  203.0.113.5   = Inside Global   (public address NAT substitutes)
  8.8.8.8       = Outside Global  (real address of external server)
  8.8.8.8       = Outside Local   (same — no translation on outside address)

  Memory tip:
  "Inside" = describes the host that lives inside your network
  "Local"  = address as seen locally (inside the organisation)
  "Global" = address as seen globally (on the internet)
CCNA exam tip: The most tested pair is Inside Local (the private RFC 1918 address on the host) and Inside Global (the public address that appears on the internet). Outside Local and Outside Global are typically the same unless Double NAT or policy-based NAT is in use.

3. NAT Inside and Outside Interfaces

NAT must know which router interfaces face the inside (private) network and which face the outside (internet/public) network. This is configured with two interface-level commands:

  Router(config)# interface GigabitEthernet0/0
  Router(config-if)# ip address 192.168.1.1 255.255.255.0
  Router(config-if)# ip nat inside          ← faces the private LAN

  Router(config)# interface GigabitEthernet0/1
  Router(config-if)# ip address 203.0.113.1 255.255.255.252
  Router(config-if)# ip nat outside         ← faces the ISP / internet
Critical requirement: If you omit ip nat inside or ip nat outside, NAT will not function even if the NAT rule is correctly defined. Both interface designations are mandatory.
  Typical NAT topology:

  [PC 192.168.1.10]  ──┐
  [PC 192.168.1.11]  ──┼──  [Gi0/0 — ip nat inside]
  [PC 192.168.1.12]  ──┘          │
                              [Router]
                                   │
                          [Gi0/1 — ip nat outside]
                                   │
                            [ISP — Internet]
                          Public IP: 203.0.113.1

4. Static NAT

Static NAT creates a permanent, one-to-one mapping between a specific Inside Local (private) address and a specific Inside Global (public) address. The mapping is manually configured and never changes. Traffic can be initiated from either side — making Static NAT suitable for servers that must be reachable from the internet.

How Static NAT Works

  Static NAT mapping: 192.168.1.10  ←→  203.0.113.10  (permanent)

  Outbound (inside → outside):
  PC sends:      Src 192.168.1.10 → Dst 8.8.8.8
  Router NAT:    Src 203.0.113.10 → Dst 8.8.8.8   (Inside Local → Inside Global)

  Inbound (outside → inside):
  Internet sends: Src 8.8.8.8 → Dst 203.0.113.10
  Router NAT:     Src 8.8.8.8 → Dst 192.168.1.10  (Inside Global → Inside Local)

  The mapping is always active — no session needs to be initiated first.

Static NAT Configuration

  ! Define the static one-to-one mapping:
  Router(config)# ip nat inside source static 192.168.1.10 203.0.113.10

  ! Apply NAT direction to interfaces:
  Router(config-if)# ip nat inside   (on LAN-facing interface)
  Router(config-if)# ip nat outside  (on WAN-facing interface)

  ! Verify:
  Router# show ip nat translations
  Pro  Inside global     Inside local       Outside local    Outside global
  ---  203.0.113.10      192.168.1.10       ---              ---

  Router# show ip nat statistics

When to Use Static NAT

  • Web servers, mail servers, or any server that must accept inbound connections from the internet
  • When a device needs a predictable, fixed public IP
  • VPN endpoints that require a known peer address
  • Bear in mind that each mapped internal host requires its own public IP address
Limitation: Static NAT does not conserve public IP addresses — each inside host requires its own dedicated public IP. It is best suited for a small number of servers that need internet-reachable fixed addresses.

See full detail: Static NAT Configuration Lab

5. Dynamic NAT

Dynamic NAT maps inside private addresses to a pool of public IP addresses on a first-come, first-served basis. Mappings are created automatically when an inside host initiates traffic outbound, and released back to the pool when the session ends (or the NAT translation timeout expires).

Unlike Static NAT, Dynamic NAT mappings are temporary and traffic can only be initiated from the inside — an external host cannot initiate a session to a dynamically-NATted inside host because there is no guaranteed stable mapping.

How Dynamic NAT Works

  NAT pool: 203.0.113.10 – 203.0.113.14  (5 public addresses)
  ACL permits: 192.168.1.0/24

  PC-1 (192.168.1.10) initiates traffic → assigned 203.0.113.10
  PC-2 (192.168.1.11) initiates traffic → assigned 203.0.113.11
  PC-3 (192.168.1.12) initiates traffic → assigned 203.0.113.12

  If a 6th host tries to connect while all 5 pool addresses are in use:
  → Translation FAILS — the 6th host cannot reach the internet until
    a pool address is released. This is a key limitation of Dynamic NAT.

Dynamic NAT Configuration

  ! Step 1 — Define the pool of public addresses:
  Router(config)# ip nat pool PUBLIC_POOL 203.0.113.10 203.0.113.14
                  netmask 255.255.255.248

  ! Step 2 — Define which inside hosts are eligible (ACL):
  Router(config)# access-list 1 permit 192.168.1.0 0.0.0.255

  ! Step 3 — Link the ACL to the NAT pool:
  Router(config)# ip nat inside source list 1 pool PUBLIC_POOL

  ! Step 4 — Apply NAT direction to interfaces:
  Router(config-if)# ip nat inside   (LAN interface)
  Router(config-if)# ip nat outside  (WAN interface)

  ! Verify:
  Router# show ip nat translations
  Pro  Inside global     Inside local       Outside local    Outside global
  ---  203.0.113.10      192.168.1.10       ---              ---
  ---  203.0.113.11      192.168.1.11       ---              ---

  ! Clear dynamic translations manually:
  Router# clear ip nat translation *

When to Use Dynamic NAT

  • You have a pool of public IPs and want to share them among a larger group of inside hosts
  • Inside hosts only need outbound internet access (no inbound connections required)
  • The number of simultaneous active sessions is predictable and fits within the pool size
Limitation: Dynamic NAT still requires one public IP per simultaneously active inside host. If the pool is exhausted, new connections are dropped. PAT (overload) solves this by multiplexing many hosts onto a single IP using port numbers.

See full detail: Dynamic NAT & PAT Lab

6. PAT — Port Address Translation (NAT Overload)

PAT (Port Address Translation), also called NAT Overload, is the most widely deployed form of NAT. It maps many inside private addresses to a single public IP address by tracking connections using source port numbers in addition to IP addresses. This is how home routers and most enterprise edge routers work — hundreds or thousands of devices share a single public IP.

How PAT Works — Port Multiplexing

  Single public IP: 203.0.113.1

  Inside hosts initiate outbound connections simultaneously:

  PC-1 (192.168.1.10:1025) → Google (8.8.8.8:443)
  PC-2 (192.168.1.11:1026) → YouTube (142.250.80.46:443)
  PC-3 (192.168.1.12:1027) → Google (8.8.8.8:443)

  PAT translation table:
  ┌──────────────────────┬──────────────────────┬──────────────────────┐
  │  Inside Local        │  Inside Global       │  Outside Global      │
  ├──────────────────────┼──────────────────────┼──────────────────────┤
  │  192.168.1.10:1025   │  203.0.113.1:1025    │  8.8.8.8:443         │
  │  192.168.1.11:1026   │  203.0.113.1:1026    │  142.250.80.46:443   │
  │  192.168.1.12:1027   │  203.0.113.1:1027    │  8.8.8.8:443         │
  └──────────────────────┴──────────────────────┴──────────────────────┘

  All three hosts appear as 203.0.113.1 to the internet.
  The router distinguishes return traffic by unique source port numbers.
  PC-1 and PC-3 both reach 8.8.8.8:443 but with different source ports —
  the router uses those ports to demultiplex return traffic correctly.

PAT Configuration — Using the Outside Interface Address

  ! Most common PAT configuration — overload the outside interface IP:

  ! Step 1 — ACL to define inside hosts:
  Router(config)# access-list 1 permit 192.168.1.0 0.0.0.255

  ! Step 2 — Link ACL to NAT with 'overload' keyword (enables PAT):
  Router(config)# ip nat inside source list 1 interface GigabitEthernet0/1 overload

  ! Step 3 — Interface designations:
  Router(config-if)# ip nat inside   (LAN interface Gi0/0)
  Router(config-if)# ip nat outside  (WAN interface Gi0/1)

  ! The 'overload' keyword is what distinguishes PAT from Dynamic NAT.
  ! Without 'overload': one host uses one pool address.
  ! With    'overload': many hosts share one address via port tracking.

PAT Configuration — Using a Pool

  ! PAT with a pool of public addresses (still uses port multiplexing):
  Router(config)# ip nat pool PAT_POOL 203.0.113.10 203.0.113.14
                  netmask 255.255.255.248
  Router(config)# ip nat inside source list 1 pool PAT_POOL overload

When to Use PAT

  • Home networks — single ISP-assigned public IP shared by all household devices (the default for every home router)
  • Small and medium businesses — entire office on one or a few public IPs
  • Any scenario where you need maximum address conservation
  • Inside hosts need outbound internet access only (PAT does not support inbound-initiated connections without additional port forwarding configuration)
CCNA exam tip: The single keyword that enables PAT is overload at the end of the ip nat inside source command. Without overload, you get Dynamic NAT (one-to-one from a pool). With overload, you get PAT (many-to-one with port tracking). This distinction is frequently tested.

See full detail: PAT Lab | Dynamic NAT & PAT Lab

7. Comparing the Three NAT Types

  Mapping type
    Static NAT:      One-to-one (permanent)
    Dynamic NAT:     One-to-one (temporary, from pool)
    PAT (Overload):  Many-to-one (using port numbers)

  Public IPs required
    Static NAT:      One per inside host
    Dynamic NAT:     One per simultaneously active host
    PAT (Overload):  One (or few) for all hosts

  Mapping persistence
    Static NAT:      Always active — never expires
    Dynamic NAT:     Timeout-based — released when idle
    PAT (Overload):  Timeout-based — released when session ends

  Inbound connections
    Static NAT:      Supported — mapping is always known
    Dynamic NAT:     Not supported — no guaranteed mapping
    PAT (Overload):  Not directly — requires port forwarding

  Address conservation
    Static NAT:      None — 1:1 ratio
    Dynamic NAT:     Moderate — pool must cover peak usage
    PAT (Overload):  Maximum — entire network behind one IP

  Typical use case
    Static NAT:      Servers (web, mail, DNS) needing fixed public IP
    Dynamic NAT:     Networks with a pool of public IPs to share
    PAT (Overload):  Home networks, SMB, enterprise outbound access

  Cisco IOS keyword
    Static NAT:      ip nat inside source static
    Dynamic NAT:     ip nat inside source list … pool
    PAT (Overload):  ip nat inside source list … overload

  Port translation used?
    Static NAT:      No
    Dynamic NAT:     No
    PAT (Overload):  Yes — source port number is translated

8. NAT Translation Table — How the Router Tracks Sessions

The router maintains a NAT translation table in memory that records all active address mappings. For PAT, the table also tracks port numbers. This table is the mechanism that allows the router to correctly reverse-translate return traffic from the internet back to the right inside host.

  Router# show ip nat translations

  For Static NAT (no sessions active):
  Pro  Inside global       Inside local        Outside local     Outside global
  ---  203.0.113.10        192.168.1.10        ---               ---

  For Dynamic NAT and PAT (with active sessions):
  Pro  Inside global           Inside local            Outside local      Outside global
  tcp  203.0.113.1:1025        192.168.1.10:1025       8.8.8.8:443        8.8.8.8:443
  tcp  203.0.113.1:1026        192.168.1.11:1026       142.250.80.46:443  142.250.80.46:443
  udp  203.0.113.1:52341       192.168.1.12:52341      8.8.8.8:53         8.8.8.8:53

  Columns explained:
  Inside global  = public IP (and port for PAT) that the internet sees
  Inside local   = private IP (and port) of the actual inside host
  Outside local  = destination address as seen from inside
  Outside global = actual address of the external server
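
The translation-table behaviour described in sections 5, 6 and 8 (one-to-one assignment from a pool, PAT port multiplexing, and the reverse lookup that steers return traffic to the right inside host), as an added Python model that is not part of this page or of Cisco IOS. The `NatTable` class, its `overload` flag and the narrow `port_range` used to force port exhaustion are assumptions for illustration; the addresses and ports are the page's own examples. The model also shows why an unsolicited inbound packet is dropped: no table entry exists for it.

```python
# Toy model of a router's NAT translation table (added example, not Cisco IOS code).
# overload=False models Dynamic NAT (one pool address per inside host);
# overload=True models PAT (many hosts share an address, told apart by source port).
from dataclasses import dataclass
from itertools import chain
from typing import Optional

Endpoint = tuple[str, int]  # (ip, port)


@dataclass(frozen=True)
class Translation:
    proto: str
    inside_local: Endpoint
    inside_global: Endpoint
    outside_global: Endpoint  # Outside Local == Outside Global: the outside address is not translated


class NatTable:
    def __init__(self, pool: list[str], overload: bool, port_range: range = range(1024, 65536)):
        self.pool, self.overload, self.port_range = list(pool), overload, port_range
        self.by_flow: dict[tuple[str, Endpoint, Endpoint], Translation] = {}    # (proto, inside_local, outside)
        self.by_global: dict[tuple[str, Endpoint, Endpoint], Translation] = {}  # (proto, inside_global, outside)
        self.used_ports: set[tuple[str, Endpoint]] = set()                      # PAT: (proto, inside_global) in use
        self.host_addr: dict[str, str] = {}                                     # Dynamic NAT: inside IP -> pool IP

    def _dynamic_address(self, inside_ip: str) -> Optional[str]:
        """One-to-one: reuse the host's pool address or claim the next free one; None when the pool is exhausted."""
        if inside_ip not in self.host_addr:
            free = [a for a in self.pool if a not in self.host_addr.values()]
            if not free:
                return None  # e.g. a 6th host against a 5-address pool: translation fails, packet dropped
            self.host_addr[inside_ip] = free[0]
        return self.host_addr[inside_ip]

    def _pat_endpoint(self, proto: str, src_port: int) -> Optional[Endpoint]:
        """Many-to-one: keep the host's source port if free on the shared address, else pick another free port."""
        for gip in self.pool:
            for port in chain((src_port,), self.port_range):
                if (proto, (gip, port)) not in self.used_ports:
                    return (gip, port)
        return None  # every (address, port) pair is taken: PAT port exhaustion

    def outbound(self, proto: str, src: Endpoint, dst: Endpoint) -> Optional[Endpoint]:
        """Inside -> outside packet: returns the translated source (Inside Global), or None if dropped."""
        if (proto, src, dst) in self.by_flow:
            return self.by_flow[(proto, src, dst)].inside_global  # existing session keeps its mapping
        if self.overload:
            glob = self._pat_endpoint(proto, src[1])
        else:
            gip = self._dynamic_address(src[0])
            glob = (gip, src[1]) if gip else None  # Dynamic NAT rewrites the address only, never the port
        if glob is None:
            return None
        entry = Translation(proto, src, glob, dst)
        self.by_flow[(proto, src, dst)] = entry
        self.by_global[(proto, glob, dst)] = entry
        self.used_ports.add((proto, glob))
        return glob

    def inbound(self, proto: str, src: Endpoint, dst: Endpoint) -> Optional[Endpoint]:
        """Outside -> inside packet: reverse-translates dst to the Inside Local endpoint.
        None (dropped) unless an inside host already opened this flow to that outside host."""
        entry = self.by_global.get((proto, dst, src))
        return entry.inside_local if entry else None

    def show(self) -> list[str]:
        """Rows laid out like `show ip nat translations`: Pro, Inside global, Inside local, Outside local, Outside global."""
        def ep(e: Endpoint) -> str:
            return f"{e[0]}:{e[1]}"
        return [f"{t.proto:<4} {ep(t.inside_global):<22} {ep(t.inside_local):<22} "
                f"{ep(t.outside_global):<20} {ep(t.outside_global)}" for t in self.by_global.values()]
```

Running the PAT case with PC-1 and PC-3 both using source port 1025 towards 8.8.8.8:443 shows the router preserving the first host's port and assigning a fresh one to the second, which is exactly what lets the return packets be demultiplexed.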

Useful NAT Verification and Troubleshooting Commands

  ! Show all current NAT translations:
  Router# show ip nat translations

  ! Show verbose translation details (includes timers):
  Router# show ip nat translations verbose

  ! Show NAT statistics (hits, misses, expired translations):
  Router# show ip nat statistics

  ! Clear all dynamic NAT translations (does not affect static):
  Router# clear ip nat translation *

  ! Clear a specific translation:
  Router# clear ip nat translation inside 192.168.1.10 203.0.113.10

  ! Debug NAT in real time (use with caution in production):
  Router# debug ip nat
  Router# debug ip nat detailed
NAT translation timeouts (Cisco defaults):
UDP translations: 300 seconds (5 minutes)
TCP translations: 86400 seconds (24 hours)
TCP SYN-only (half-open): 60 seconds
ICMP translations: 60 seconds
These can be adjusted with ip nat translation timeout commands.

9. NAT Advantages, Disadvantages, and Limitations

Advantages

  IPv4 address conservation
    PAT allows thousands of hosts to share a single public IP address
  Security through obscurity
    Inside hosts are not directly addressable from the internet; external scans cannot reach private addresses directly
  Flexibility when renumbering
    Internal addressing can remain unchanged when switching ISPs or public IP allocations

Disadvantages and Limitations

  End-to-end connectivity broken
    NAT violates the end-to-end principle of the internet. External hosts cannot initiate connections to inside hosts without additional configuration (port forwarding, DMZ)
  Complexity for some protocols
    Protocols that embed IP addresses in the payload (FTP active mode, SIP/VoIP, IPsec, H.323) require NAT Application Layer Gateways (ALG) to function correctly
  Router CPU overhead
    Every packet must be inspected and potentially rewritten, increasing processing load on the NAT device
  Troubleshooting difficulty
    Address translation makes packet captures harder to trace end-to-end; logs show the public IP rather than the private IP of the originating host
  PAT port exhaustion
    TCP/UDP port numbers are 16-bit (65,535 ports). Under extreme load a single PAT address can exhaust available ports — though this is rare in practice

10. Choosing the Right NAT Type

  Decision guide — which NAT type should I use?

  Does the inside device need to accept INBOUND connections from the internet?
  (e.g., web server, mail server, game server)
       │
       ├─ YES ──► Use STATIC NAT
       │          One permanent public IP per server.
       │          Mapping is always active; internet hosts can initiate sessions.
       │
       └─ NO ──► Inside hosts only need OUTBOUND internet access.
                 │
                 ├─ Do you have a POOL of public IPs to share?
                 │       │
                 │       ├─ YES, pool is large enough for peak simultaneous users
                 │       │   ──► Use DYNAMIC NAT (pool without overload)
                 │       │
                 │       └─ NO, or pool is small / you have just one public IP
                 │           ──► Use PAT (overload)
                 │               Maximum address conservation.
                 │               Entire network behind one or a few IPs.
                 │               Default for home routers and most enterprise NAT.
                 │
                 └─ In practice: PAT is almost always the right answer for
                    outbound-only access. Dynamic NAT without overload is rarely
                    used today because PAT is more efficient.
Real-world note: In most enterprise and SMB deployments you will see PAT for outbound user access combined with Static NAT for servers that need to be publicly reachable. Dynamic NAT (without overload) is rarely configured in modern networks because PAT is strictly more efficient.

See also: Static NAT Lab | Dynamic NAT Lab | PAT (Port Address Translation) Lab | ACL Overview | Dynamic NAT & PAT Lab | Troubleshooting NAT & PAT Lab

Test Your Knowledge — NAT Quiz

1. What is the primary reason NAT was introduced in IPv4 networks?

Correct answer is B. NAT was created primarily to address IPv4 exhaustion. By mapping many private (RFC 1918) addresses to a small number of public IPs — especially with PAT — NAT has extended the usable life of IPv4 by decades. It does not encrypt traffic (that is the role of protocols like IPsec/TLS) and does not remove the need for default gateways. See: IPv6 Overview

2. A host with IP address 10.1.1.5 sends traffic to the internet. After NAT, the source address in the packet appears as 198.51.100.1. Which NAT terms correctly label these two addresses?

Correct answer is C. The private address assigned to the internal host (10.1.1.5) is the Inside Local address — it exists locally on the inside network. After NAT translation, the packet's source becomes 198.51.100.1, which is the Inside Global address — the public address that represents the inside host to the outside world (globally).

3. Which type of NAT is best suited for a web server that must be reachable from the internet at a fixed, predictable public IP address?

Correct answer is A. Static NAT creates a permanent, always-active mapping between the server's private IP and a fixed public IP. This allows external hosts to initiate connections to the server at any time. Dynamic NAT and PAT only create mappings when the inside host initiates traffic outbound — external parties cannot reach an inside host through Dynamic NAT or basic PAT. See: Static NAT Lab

4. What single keyword in Cisco IOS converts a Dynamic NAT configuration into PAT (NAT overload)?

Correct answer is D. The overload keyword appended to the ip nat inside source list command enables PAT. Without it, each inside host requires its own unique pool address (Dynamic NAT). With it, multiple hosts share one address differentiated by unique source port numbers. Example: ip nat inside source list 1 interface Gi0/1 overload. See: Dynamic NAT & PAT Lab

5. How does PAT distinguish return traffic destined for different inside hosts when they all share the same public IP address?

Correct answer is B. PAT works at Layer 4. When an inside host sends a packet, the router assigns a unique source port number (or preserves the host's source port if it is unique) and records the mapping in the NAT table: inside private IP:port ↔ public IP:port. When the return packet arrives, the router looks up the destination port in the NAT table to find the correct private IP and forwards it inbound.

6. Which two interface-level commands are mandatory for NAT to function on a Cisco router?

Correct answer is C. NAT requires the router to know which side is "inside" (private) and which is "outside" (public). This is configured with ip nat inside under the LAN interface and ip nat outside under the WAN/internet-facing interface. Without both commands, NAT will not translate packets even if a valid NAT rule exists. See: Static NAT Lab

7. What happens in a Dynamic NAT deployment if all addresses in the NAT pool are in use and a new inside host attempts to access the internet?

Correct answer is A. Dynamic NAT has no fallback mechanism. If the pool is exhausted, the router simply drops the translation request and the host cannot reach the internet. This is a fundamental limitation of Dynamic NAT compared to PAT, which can theoretically support over 65,000 sessions per public IP address. See: Dynamic NAT Lab

8. Which command displays the active NAT translation table on a Cisco router, showing Inside Local, Inside Global, Outside Local, and Outside Global addresses?

Correct answer is D. show ip nat translations displays all entries currently in the NAT table, including the four address columns: Inside Local, Inside Global, Outside Local, and Outside Global. For Static NAT entries the outside columns show dashes when no session is active. Add verbose to see translation timers and flags.

9. A network engineer configures the command ip nat inside source list 10 interface Gi0/1 overload. What type of NAT does this implement, and what does the interface Gi0/1 portion specify?

Correct answer is B. The overload keyword makes this PAT. Using interface Gi0/1 instead of pool tells the router to use the IP address currently assigned to that interface as the Inside Global address. This is the most common PAT configuration in small and medium networks — the outside interface's public IP is shared by all inside hosts. See: Dynamic NAT & PAT Lab

10. Why does NAT create challenges for protocols like FTP (active mode) and SIP (VoIP)?

Correct answer is C. NAT operates on IP and TCP/UDP headers. Protocols like FTP (active mode) and SIP embed IP addresses in their application-layer data (e.g., FTP PORT command, SIP Contact header). NAT does not inspect these payloads by default, so the embedded private address is sent to the remote host unchanged — which cannot route back to a private IP. NAT Application Layer Gateways (ALG) or helper functions are required to inspect and rewrite these payload addresses. See: Troubleshooting NAT & PAT
