Port Address Translation (PAT) / NAT Overload - Complete Guide

1. What is PAT (NAT Overload)?

Definition: PAT (Port Address Translation), also known as NAT Overload, allows multiple internal devices to share a single public IP address by assigning unique port numbers to each connection.

Key Advantages:

✅ Extreme IP Conservation – One public IP supports thousands of internal users.
✅ Supports all transport protocols – TCP, UDP, ICMP.
✅ Widely used in home routers – Default NAT in most consumer-grade routers.

2. How PAT Works (Many-to-One)

Term	Meaning	Example
Inside Local	Private IP of internal device	192.168.1.10
Inside Global	Public IP + port number used externally	203.0.113.1:5000
Port Uniqueness	Each session is tracked by its port	192.168.1.10:3000 → 203.0.113.1:5000

Traffic Flow Example:

Device A (192.168.1.10) → google.com
Device B (192.168.1.11) → youtube.com

Router maintains a NAT table:

192.168.1.10:3000 ↔ 203.0.113.1:5000  
192.168.1.11:4000 ↔ 203.0.113.1:6000

3. PAT Configuration (Cisco IOS)

Step 1: Define ACL

Router(config)# access-list 1 permit 192.168.1.0 0.0.0.255

Step 2: Configure PAT

Option A – Single Public IP (interface assigned by ISP):

Router(config)# ip nat inside source list 1 interface GigabitEthernet0/1 overload

Option B – Pool of Public IPs:

Router(config)# ip nat pool PAT_POOL 203.0.113.1 203.0.113.3 netmask 255.255.255.0
Router(config)# ip nat inside source list 1 pool PAT_POOL overload

Step 3: Set Inside/Outside Interfaces

Router(config)# interface GigabitEthernet0/0
Router(config-if)# ip nat inside
Router(config-if)# exit

Router(config)# interface GigabitEthernet0/1
Router(config-if)# ip nat outside
Router(config-if)# exit

4. Verifying PAT

Show Translations:

Router# show ip nat translations

Sample Output:

Pro Inside global        Inside local       Outside local      Outside global
tcp 203.0.113.1:5000    192.168.1.10:3000  142.250.190.46:80  142.250.190.46:80
udp 203.0.113.1:6000    192.168.1.11:4000  8.8.8.8:53         8.8.8.8:53

Show NAT Statistics:

Router# show ip nat statistics

5. Testing PAT

From internal clients: Open websites, ping external IPs like 8.8.8.8
From router: Verify translations via show ip nat translations
From outside: All traffic appears from the same public IP with different ports

6. PAT Protocol Support

Protocol	PAT Behavior
TCP / UDP	Uses source port for mapping
ICMP (Ping)	Uses query ID as pseudo-port
FTP / ESP	Requires NAT helpers (e.g., `ip nat service`)

7. Common PAT Issues

⚠ Port Exhaustion:

Each IP has ~64,000 ports. Too many sessions can exhaust them.

Router(config)# ip nat translation timeout 3600

⚠ Translation Failures:

Incorrect ACL
Missing overload keyword

Debug:

Router# debug ip nat

8. PAT vs. Static NAT vs. Dynamic NAT

Feature	PAT (Overload)	Dynamic NAT	Static NAT
Mapping	Many:1 (Port-Based)	Many:Many (IP Pool)	1:1 (Permanent)
Public IPs	1 or few	Requires pool	Dedicated per host
Port Usage	Yes	No	No
Use Case	Home/Office Internet	Legacy apps needing real IPs	Servers, CCTV, Remote Access

9. Practical Example

Scenario:

Internal: 192.168.1.0/24 (50 devices)
Public IP: 203.0.113.1

Configuration:

access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 interface GigabitEthernet0/1 overload

Result: All 50 internal devices share one public IP using different ports.

10. Summary

PAT = Many-to-One NAT using ports.
Ideal for homes, small offices, and NAT-constrained environments.
Config involves ACL, NAT rule with overload, and proper interface roles.
Test using: ping, nslookup, show ip nat translations.

Port Address Translation (PAT) Quiz

1. What is the main advantage of PAT (Port Address Translation)?

A. One-to-one mapping of IP addresses B. Many internal IPs share a single public IP using unique ports C. Encrypts IP addresses for secure communication D. Allows unlimited public IPs for private networks

Correct answer is B. PAT allows many private IPs to share one public IP by using different port numbers.

2. Which protocols does PAT support?

A. TCP, UDP, and ICMP B. Only TCP C. Only UDP and ICMP D. FTP and HTTP only

Correct answer is A. PAT supports TCP, UDP, and ICMP protocols.

3. What is the purpose of an ACL (Access Control List) in PAT configuration?

A. To block all traffic from private IPs B. To assign public IPs automatically C. To define public IP address range D. To specify which internal IPs are allowed to use PAT

Correct answer is D. ACL defines which internal IP addresses are eligible for PAT translation.

4. Which Cisco IOS command enables PAT using the IP of an interface?

A. ip nat pool PAT_POOL 203.0.113.1 203.0.113.3 overload B. access-list 1 permit 192.168.1.0 0.0.0.255 C. ip nat inside source list 1 interface GigabitEthernet0/1 overload D. interface GigabitEthernet0/0 ip nat inside

Correct answer is C. This command enables PAT using the IP of the specified interface.

5. What does the 'overload' keyword specify in PAT configuration?

A. To allow multiple public IP addresses B. To enable many-to-one NAT using ports C. To disable port translation D. To configure firewall rules

Correct answer is B. 'overload' enables many internal IPs to share a single public IP using port numbers.

6. How does PAT distinguish between different internal hosts sharing one public IP?

A. By IP address only B. By MAC addresses C. By VLAN tags D. By unique source port numbers

Correct answer is D. PAT uses unique source port numbers to distinguish sessions.

7. What is a common cause of port exhaustion in PAT?

A. Too many concurrent connections exceeding available ports B. Insufficient public IP addresses in the pool C. Incorrect ACL configuration D. Network cable failure

Correct answer is A. Port exhaustion happens when available TCP/UDP ports are fully used.

8. Which command can reduce NAT translation timeout to prevent port exhaustion?

A. ip nat pool PAT_POOL 203.0.113.1 203.0.113.3 netmask 255.255.255.0 B. ip nat translation timeout 3600 C. access-list 1 permit 192.168.1.0 0.0.0.255 D. show ip nat translations

Correct answer is B. This command sets NAT translation timeout to 1 hour (3600 seconds).

9. What will external hosts see as the source IP when communicating with devices behind PAT?

A. The private IP of the internal device B. The MAC address of the router C. The single public IP of the NAT device with a unique port D. The broadcast IP address

Correct answer is C. External hosts see the router's public IP with different source ports.

10. In a typical home network using PAT, how many devices can share one public IP?

A. Thousands of devices using unique ports B. Only one device at a time C. Ten devices max D. Unlimited devices

Correct answer is A. PAT supports thousands of devices sharing one public IP using unique port numbers.

← Back to Home