Network Administration · IT 2450

Network Address Translation
& Port Address Translation

Master NAT and PAT: the technologies that connect billions of private devices to the public internet through address reuse, port multiplexing, and dynamic translation tables.

At a glance: ~4.3 billion IPv4 addresses in total; 65,535 available ports; 3 NAT types; standard: RFC 3022.

Why NAT/PAT Exists

The internet uses IPv4 addresses, and there aren't enough to go around. NAT and PAT are engineering solutions that allow organizations to use private (non-routable) addresses internally while sharing a small pool of public addresses for internet access.


IPv4 Exhaustion

IPv4 provides only ~4.3 billion addresses. With billions of devices online, NAT extends the effective address space by allowing multiple private devices to share a single public IP.


Security by Obscurity

NAT hides internal IP addresses from external networks: outside hosts see only the router's public address, and the stateful translation table only passes replies to sessions that inside hosts started. This adds a layer of protection against direct targeting of internal hosts and reduces the exposed attack surface.


Address Flexibility

Organizations can change ISPs without renumbering internal devices. The internal network remains stable; only the external (public) address changes at the NAT boundary.


Cost Reduction

Fewer public IP addresses are needed, and registered IP addresses cost money. PAT allows thousands of hosts to share a single public IP, dramatically reducing costs.

Note (RFC 1918, private address ranges): three blocks are reserved for private use and are non-routable on the public internet: 10.0.0.0/8 (Class A), 172.16.0.0/12 (Class B range), and 192.168.0.0/16 (Class C). These never appear as source addresses in packets routed on the public internet without NAT translation.

Without NAT

  • Every device needs a public IP: each host requires a globally unique routable address, quickly depleting the IPv4 pool.
  • Internal topology exposed: external hosts can directly see and target internal machines by IP address.
  • ISP changes require renumbering: switching providers means reassigning all public IPs and updating all DNS records.

With NAT/PAT

  • Thousands of devices, one public IP: PAT distinguishes sessions by unique port numbers, multiplexing many hosts through one address.
  • Private addressing inside: RFC 1918 addresses are used internally. External parties see only the NAT router's public IP.
  • ISP independence: internal addressing stays constant. Only the NAT pool changes when switching providers.

Core Concepts & Terminology

Understanding NAT requires precise vocabulary. Cisco's implementation distinguishes four address types and three operational directions.

Term             Location                               Type             Example        Routable?
Inside Local     Inside network                         Private          192.168.1.10   No
Inside Global    Outside perspective of inside host     Public           203.0.113.1    Yes
Outside Local    Inside perspective of outside host     Usually public   8.8.8.8        Yes
Outside Global   Outside network                        Public           8.8.8.8        Yes

Memory trick: Inside/Outside refers to the location relative to NAT. Local/Global refers to the type of address. "Inside Local" = private address of an internal host as seen from inside. "Inside Global" = public address assigned to that same internal host as seen from outside.

Step-by-Step Outbound Translation (Inside -> Outside)

When an inside host initiates a session to an outside server, the NAT router intercepts the packet and performs translation:

Packet translation flow:

  1) Inside host 192.168.1.10, source port 1024 (Inside Local) sends the original packet.
  2) NAT router 203.0.113.1 (border router) translates the packet here.
  3) Outside server 8.8.8.8, destination port 53 (Outside Global) receives the translated packet.

Return Traffic (Inbound Translation)

When the outside server replies, it sends to 203.0.113.1:49152. The NAT router looks up this Inside Global address and port in its translation table, finds the mapping to 192.168.1.10:1024, replaces the destination with the Inside Local address, and forwards the packet to the internal host.

The NAT translation table (maintained in router memory) is the heart of NAT. Each entry maps an inside session to an outside representation.

Protocol   Inside Local (Src)    Inside Global (Translated)   Outside Global (Dest)   State         Timeout
TCP        192.168.1.10:1024     203.0.113.1:49152            93.184.216.34:80        ESTABLISHED   86400s
TCP        192.168.1.11:2048     203.0.113.1:49153            93.184.216.34:443       ESTABLISHED   86400s
UDP        192.168.1.12:1025     203.0.113.1:49154            8.8.8.8:53              TRANSIENT     300s
TCP        192.168.1.10:3000     203.0.113.1:49155            151.101.1.140:443       SYN_SENT      120s

Key point (stateful operation): NAT is stateful; the router must maintain this table for the lifetime of each session. Entries are created when an inside host initiates a connection and removed when the session ends or times out. This is why NAT does not natively support unsolicited inbound connections (a firewall benefit).

Port Address Translation (PAT), Also Called NAT Overload

PAT is the most common form of NAT in home and enterprise networks. It maps multiple Inside Local addresses to a single Inside Global address by using unique source port numbers to distinguish sessions.

TCP and UDP support 65,535 ports each. A single public IP can theoretically support over 65,000 simultaneous PAT sessions, which is enough for any typical network.

PAT: Many-to-One Mapping

Inside Local IP   Local Port        Inside Global IP   Global Port
192.168.1.10      1024         ->   203.0.113.1        49152
192.168.1.11      1025         ->   203.0.113.1        49153
192.168.1.12      1026         ->   203.0.113.1        49154
192.168.1.13      2048         ->   203.0.113.1        49155

All use the SAME public IP, differentiated by unique port number.

โš ๏ธ PAT Port Selection Algorithm

  • The router first tries to preserve the original source port if it is available and > 1024
  • If unavailable, it allocates the next available port in the ephemeral range (1024โ€“65535)
  • Port numbers below 1024 (well-known ports) are generally not used as PAT ports
  • Cisco IOS allocates ports sequentially starting from 1024 within each protocol block
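The port-selection rules above, together with the outbound and inbound lookups from the translation-table section, as an added Python example (not part of the course page; PatTranslator and Packet are hypothetical names). It keeps one Inside Global address, preserves a free source port above 1024, otherwise allocates sequentially per protocol, and drops inbound packets that have no table entry, which is the stateful behaviour the key point describes.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class PatTranslator:
    """NAT overload: many inside hosts share one Inside Global address (hypothetical class)."""
    EPHEMERAL_START, EPHEMERAL_END = 1024, 65535

    def __init__(self, public_ip: str) -> None:
        self.public_ip = public_ip
        # Inside Local endpoint -> Inside Global port (looked up on the way out).
        self.outbound: Dict[Tuple[str, str, int], int] = {}
        # Inside Global port -> Inside Local endpoint (looked up on the way back).
        self.inbound: Dict[Tuple[str, int], Tuple[str, int]] = {}
        # Sequential allocation cursor, kept per protocol block as the text describes.
        self.next_port = {"tcp": self.EPHEMERAL_START, "udp": self.EPHEMERAL_START}

    def _allocate_port(self, proto: str, wanted: int) -> int:
        # Rule 1: keep the host's own source port when it is free and above 1024.
        if wanted > self.EPHEMERAL_START and (proto, wanted) not in self.inbound:
            return wanted
        # Rule 2: otherwise hand out the next unused port in the ephemeral range.
        port = self.next_port[proto]
        while (proto, port) in self.inbound:
            port += 1
        if port > self.EPHEMERAL_END:
            raise RuntimeError(f"PAT port range exhausted for {proto}")
        self.next_port[proto] = port + 1
        return port

    def translate_outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside: rewrite source IP:port; create the table entry on first packet."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        if key not in self.outbound:
            gport = self._allocate_port(pkt.proto, pkt.src_port)
            self.outbound[key] = gport
            self.inbound[(pkt.proto, gport)] = (pkt.src_ip, pkt.src_port)
        return Packet(pkt.proto, self.public_ip, self.outbound[key], pkt.dst_ip, pkt.dst_port)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside: rewrite destination from the table; no entry means drop."""
        local = self.inbound.get((pkt.proto, pkt.dst_port))
        if pkt.dst_ip != self.public_ip or local is None:
            return None                      # unsolicited inbound: no session asked for it
        return Packet(pkt.proto, pkt.src_ip, pkt.src_port, local[0], local[1])
```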
Types of NAT

NAT operates in three distinct modes, each suited to different network requirements and administrative goals.

Static NAT: One-to-One Permanent Mapping

Static NAT creates a permanent, fixed mapping between one Inside Local address and one Inside Global address. The mapping exists whether or not any traffic is flowing.

Primary Use Case: Hosting servers that must be reachable from the internet: web servers, mail servers, VPN concentrators, FTP servers.

Characteristics

  • Mapping is administratively configured (not automatic)
  • Bidirectional: inbound connections are supported
  • Requires one public IP per internal server
  • Entry persists until manually removed
  • DNS records can reliably point to the static Inside Global address
Static NAT Table

Inside Local   Inside Global
10.0.0.10      203.0.113.10
10.0.0.11      203.0.113.11
10.0.0.12      203.0.113.12

Cisco IOS command: ip nat inside source static 10.0.0.10 203.0.113.10

Dynamic NAT: Pool-Based Assignment

Dynamic NAT maps Inside Local addresses to Inside Global addresses from a configured address pool. Mappings are created on-demand when a host initiates traffic and removed after a timeout period.

Primary Use Case: Environments where internal hosts need occasional internet access and the pool is large enough to accommodate simultaneous users.

Characteristics

  • Requires a pool of public IP addresses
  • One-to-one mapping (no port multiplexing)
  • If pool is exhausted, new connections are denied
  • Mappings age out after configurable timeout
  • Does not support unsolicited inbound connections
Dynamic NAT Pool + Bindings

Pool: 203.0.113.20 - 203.0.113.24 (5 addresses)

Inside Local   Inside Global   Status
192.168.10.1   203.0.113.20    IN USE
192.168.10.5   203.0.113.21    IN USE
-              203.0.113.22    AVAILABLE
-              203.0.113.23    AVAILABLE
-              203.0.113.24    AVAILABLE

PAT (NAT Overload): Many-to-One with Ports

PAT extends dynamic NAT by using port numbers to differentiate sessions, allowing hundreds or thousands of internal hosts to share a single public IP address simultaneously.

Primary Use Case: Home routers, small business networks, enterprise access networks; essentially every network that connects multiple devices through one ISP-assigned IP.

Characteristics

  • Uses source port number as a differentiator
  • Supports 65,535+ simultaneous sessions per IP
  • Most memory- and resource-efficient NAT form
  • Outbound only (no unsolicited inbound)
  • Tracks: protocol + src IP + src port + dest IP + dest port
PAT Translation Table (Abridged)

Inside Local:Port    Inside Global:Port
192.168.1.10:1500    203.0.113.1:49152
192.168.1.11:1500    203.0.113.1:49153
192.168.1.10:2000    203.0.113.1:49154
192.168.1.12:1500    203.0.113.1:49155

Cisco IOS command (PAT using the outside interface address): ip nat inside source list 1 interface g0/1 overload
Feature               Static NAT     Dynamic NAT              PAT (Overload)
Mapping Type          1:1 fixed      1:1 from pool            Many:1 with ports
Public IPs Required   1 per host     1 per concurrent host    1 total (minimum)
Inbound Connections   Supported      Not supported            Not supported
Port Translation      No             No                       Yes
Mapping Persistence   Permanent      Dynamic (timeout)        Dynamic (session)
Best For              Servers        Medium-size orgs         Home/SMB/Enterprise
Cisco IOS Keyword     static         pool                     overload
RFC Reference         RFC 3022       RFC 3022                 RFC 3022 / RFC 4787

Live NAT/PAT Simulator

The simulator animates PAT for 3 internal hosts on network 192.168.1.0/24 sharing one public IP at NAT router 203.0.113.1. It shows packet translation events, builds the translation table (columns: Inside Local, Inside Global, Destination, State) in real time, and illustrates the difference between outbound and inbound translation.

NAT/PAT Header Builder

Construct a realistic NAT/PAT translation record by filling in the fields below. The builder generates both the original (pre-translation) and translated (post-translation) packet headers, highlighting what changes during NAT processing.


IPv4 Header: Fields Affected by NAT

  • Version (4), IHL, DSCP/ECN, Total Length: unchanged
  • Identification, Flags, Fragment Offset: unchanged
  • TTL: decremented (normal forwarding, not NAT itself)
  • Protocol: unchanged
  • Header Checksum: modified (recomputed after the rewrite)
  • Source IP Address: CHANGED by NAT
  • Destination IP Address: unchanged for outbound
  • Source Port (TCP/UDP): CHANGED by PAT
  • Destination Port: unchanged
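The header rewrite listed above, as an added Python example (not course code): it builds a 20-byte IPv4 header with a constructed Identification value, applies the outbound NAT step (source IP replaced, TTL decremented, checksum recomputed), and shows the RFC 1624 incremental update that NAT devices use so they only touch the words that changed. Function names are hypothetical.

```python
import struct
from ipaddress import IPv4Address

def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words. Run over a header whose checksum field
    is already correct it returns 0, which is how a receiver verifies the header."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:                       # fold carry bits back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_ipv4_header(src: str, dst: str, ttl: int, proto: int, total_len: int) -> bytes:
    """20-byte header (IHL=5, DF set, constructed Identification 0x1234) with a valid checksum."""
    h = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, ttl, proto, 0,
                    IPv4Address(src).packed, IPv4Address(dst).packed)
    return h[:10] + struct.pack("!H", ipv4_checksum(h)) + h[12:]

def nat_rewrite_outbound(header: bytes, inside_global: str) -> bytes:
    """The rewrite from the field list: source IP becomes the Inside Global address,
    TTL is decremented by forwarding, checksum is zeroed and recomputed over the result."""
    h = (header[:8] + bytes([header[8] - 1]) + header[9:10] + b"\x00\x00"
         + IPv4Address(inside_global).packed + header[16:])
    return h[:10] + struct.pack("!H", ipv4_checksum(h)) + h[12:]

def incremental_checksum(old_csum: int, old_word: int, new_word: int) -> int:
    """RFC 1624 eq. 3, HC' = ~(~HC + ~m + m'): update for one changed 16-bit word,
    so a NAT box need not re-sum the whole header."""
    total = (~old_csum & 0xFFFF) + (~old_word & 0xFFFF) + new_word
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def header_fields(header: bytes) -> dict:
    """Extract the fields the list above marks as changed, decremented or unchanged."""
    return {"ttl": header[8], "proto": header[9],
            "csum": struct.unpack("!H", header[10:12])[0],
            "src": str(IPv4Address(header[12:16])), "dst": str(IPv4Address(header[16:20]))}
```

The TCP/UDP checksum covers a pseudo-header containing both IP addresses, so PAT must apply the same incremental update there for the changed address and port words.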
Cisco IOS Configuration

Network administrators must be proficient in configuring NAT on Cisco routers. The following examples cover the three primary NAT configurations used in production environments.

! --- STATIC NAT CONFIGURATION ---
interface GigabitEthernet0/0
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
interface GigabitEthernet0/1
 ip address 203.0.113.1 255.255.255.0
 ip nat outside

! Map inside host to public IP
ip nat inside source static 10.0.0.10 203.0.113.10
ip nat inside source static 10.0.0.11 203.0.113.11

Configuration Steps

  • Identify the inside interface (LAN-facing) with ip nat inside
  • Identify the outside interface (WAN-facing) with ip nat outside
  • Create static entries mapping Inside Local to Inside Global addresses
  • For port-forwarding (Static PAT): add tcp or udp and port numbers
Port forwarding (static PAT example): ip nat inside source static tcp 10.0.0.10 80 203.0.113.10 80

! --- DYNAMIC NAT CONFIGURATION ---

! Step 1: Define the pool of public addresses
ip nat pool PUBLIC_POOL 203.0.113.20 203.0.113.24 netmask 255.255.255.0

! Step 2: Define which inside hosts are permitted
access-list 10 permit 192.168.10.0 0.0.0.255

! Step 3: Link ACL to NAT pool
ip nat inside source list 10 pool PUBLIC_POOL

! Step 4: Mark interfaces
interface GigabitEthernet0/0
 ip nat inside
interface GigabitEthernet0/1
 ip nat outside

! --- PAT (NAT OVERLOAD): Using Interface Address ---

access-list 1 permit 192.168.1.0 0.0.0.255

ip nat inside source list 1 interface GigabitEthernet0/1 overload

interface GigabitEthernet0/0
 ip nat inside
interface GigabitEthernet0/1
 ip nat outside

! --- PAT: Using Address Pool (Multiple IPs) ---

ip nat pool PAT_POOL 203.0.113.1 203.0.113.5 netmask 255.255.255.0
ip nat inside source list 1 pool PAT_POOL overload

Key (the "overload" keyword): adding overload to the NAT source command enables PAT. Without it, dynamic NAT is configured (one-to-one from the pool).

! --- VERIFICATION COMMANDS ---
 
show ip nat translations
! Displays the NAT translation table (all active entries)
 
show ip nat translations verbose
! Shows timers, create time, use count per entry
 
show ip nat statistics
! Translations: total, active, missed; hit counts
 
debug ip nat
! Real-time translation events (caution: CPU intensive)
 
debug ip nat detailed
! Includes packets that fail to translate
 
clear ip nat translation *
! Clears all dynamic NAT entries (caution: drops active sessions)
 
clear ip nat translation inside 192.168.1.10 203.0.113.1
! Clears specific translation entry

NAT Not Translating

Verify inside/outside interface designations. Check the ACL permits the source subnet. Confirm the route to the destination exists out the outside interface.


Pool Exhaustion

Dynamic NAT fails when the pool is full. Use show ip nat statistics to check "miss" count. Switch to PAT (overload) to fix the problem without adding IPs.


Stale Entries

Old NAT entries can block new connections using the same port. Use clear ip nat translation * to flush the table. Tune timeout values with ip nat translation timeout.


ALG Issues

Protocols like FTP, SIP, and H.323 embed IP addresses in the payload. NAT Application Layer Gateways (ALGs) must be enabled to handle these protocols correctly.

Systematic Troubleshooting Approach

  1) Verify interface NAT directionality (show ip interface brief)
  2) Check ACL matches (show access-lists)
  3) Inspect the translation table (show ip nat translations)
  4) Use debug (debug ip nat)
  5) Check routing (show ip route)

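Steps 1, 2 and 5 of the approach above, as an added Python example (not course material; NatConfig and why_not_translated are hypothetical names): it models the interface designations, the Cisco wildcard-mask ACL from the dynamic NAT configuration, and a simplified routing table, and reports which step a non-translated packet fails at. A None result means the packet is eligible and the table and debug output (steps 3 and 4) are the next things to check.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco ACL semantics: a 1 bit in the wildcard mask means 'don't care'."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

@dataclass
class NatConfig:
    """Hypothetical model of what 'ip nat inside source list N ...' depends on."""
    inside_ifaces: List[str]                 # interfaces configured with ip nat inside
    outside_ifaces: List[str]                # interfaces configured with ip nat outside
    acl: List[Tuple[str, str, str]]          # (permit|deny, base, wildcard), first match wins
    routes: List[Tuple[str, str]]            # (prefix, egress interface)

    def acl_permits(self, src: str) -> bool:
        for action, base, wildcard in self.acl:
            if wildcard_match(src, base, wildcard):
                return action == "permit"
        return False                         # implicit deny at the end of every ACL

    def egress_interface(self, dst: str) -> Optional[str]:
        """Longest-prefix match over the simplified routing table."""
        best = None
        for prefix, iface in self.routes:
            net = IPv4Network(prefix)
            if IPv4Address(dst) in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, iface)
        return best[1] if best else None

def why_not_translated(cfg: NatConfig, ingress: str, src: str, dst: str) -> Optional[str]:
    """Return the troubleshooting step the packet fails at, or None if it is eligible."""
    if ingress not in cfg.inside_ifaces:
        return f"step 1: packet entered {ingress}, which is not marked 'ip nat inside'"
    if not cfg.acl_permits(src):
        return f"step 2: ACL does not permit source {src}"
    egress = cfg.egress_interface(dst)
    if egress is None:
        return f"step 5: no route to {dst}"
    if egress not in cfg.outside_ifaces:
        return f"step 1: egress {egress} is not marked 'ip nat outside'"
    return None
```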
Key Terms & Glossary

A comprehensive reference of NAT/PAT terminology for certification exam preparation and professional reference.

NAT (Network Address Translation)
The process of modifying IP address information in packet headers while in transit, allowing private addresses to communicate on the public internet.
PAT (Port Address Translation)
An extension of NAT that uses port numbers to allow multiple inside hosts to share a single public IP address. Also called NAT Overload.
Inside Local Address
The actual private IP address of an internal host as configured on its NIC. Typically an RFC 1918 address.
Inside Global Address
The public IP address that the NAT router assigns to represent an internal host to the outside world.
Outside Local Address
The IP address of an external host as seen from inside the network. Usually the same as the Outside Global address unless NAT is also applied to the destination.
Outside Global Address
The actual public IP address of an external host as it exists on the internet.
NAT Table / Translation Table
A stateful lookup table maintained by the router containing all current NAT/PAT bindings, including protocol, ports, and IP address mappings.
RFC 1918
IETF standard defining three blocks of non-routable private address space: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16.
Static NAT
A permanently configured one-to-one mapping between an inside local and inside global address. Supports inbound connections.
Dynamic NAT
Automatically assigns Inside Global addresses from a pool to Inside Local addresses on demand. Entries expire after timeout.
NAT Overload
Cisco term for PAT: enabling multiple hosts to share a single public IP by tracking unique source port numbers. Enabled with the overload keyword.
Ephemeral Port
A temporary port number (typically 1024-65535) assigned by the OS or NAT router for a session. Released when the connection ends.
ALG (Application Layer Gateway)
A NAT component that inspects and modifies application-layer protocols (FTP, SIP, H.323) that embed IP addresses in their payloads.
NAT Traversal
Techniques allowing protocols like IPSec and VoIP to function through NAT devices, which would otherwise block or corrupt their headers.
ip nat inside
Cisco IOS interface command designating the LAN-facing (private) side of NAT operation.
ip nat outside
Cisco IOS interface command designating the WAN-facing (public) side of NAT operation.
Knowledge Check

Test your understanding of NAT and PAT concepts. Select the best answer for each question.