Table of Contents
- Why NAT Exists: The IPv4 Address Crisis
- NAT Terminology: The Four Address Types
- Static NAT: One-to-One Permanent Mapping
- Dynamic NAT: Pool-Based Translation
- PAT: Port Address Translation (NAT Overload)
- The NAT Translation Table Explained
- Complete Working Configuration Example
- Troubleshooting NAT
- NAT64 and IPv6 Transition
- CCNA Exam Tips for NAT
1. Why NAT Exists: The IPv4 Address Crisis
When the engineers who designed TCP/IP allocated the IPv4 address space, they settled on a 32-bit addressing scheme that provides approximately 4.3 billion unique addresses. In the early 1980s, that seemed impossibly large — far more addresses than there could ever be computers. By the mid-1990s it was obvious they had been wrong. The explosive growth of the internet, combined with inefficient early address allocations (organizations received enormous /8 blocks they would never fully use), made IPv4 exhaustion a certainty. The Internet Assigned Numbers Authority (IANA) distributed its last IPv4 address blocks to regional registries in February 2011.
The solution that bought the internet another two decades was Network Address Translation (NAT), defined in RFC 3022. NAT allows an entire organization — or an entire country — to use a small set of private IP address ranges internally, translating them to one or more public IP addresses when communicating with the outside world.
RFC 1918 Private Address Space
RFC 1918 reserves three address ranges for private use. These addresses are not routable on the public internet: routing information for them must not be advertised between organizations, and a packet carrying a private source or destination address should not be forwarded across an inter-organization link, which is why ISPs normally filter them at their borders. The private ranges are:
| Range | CIDR Notation | Subnet Mask | Total Addresses | Typical Use |
|---|---|---|---|---|
| 10.0.0.0 – 10.255.255.255 | 10.0.0.0/8 | 255.0.0.0 | 16,777,216 | Large enterprises, data centers |
| 172.16.0.0 – 172.31.255.255 | 172.16.0.0/12 | 255.240.0.0 | 1,048,576 | Medium enterprises |
| 192.168.0.0 – 192.168.255.255 | 192.168.0.0/16 | 255.255.0.0 | 65,536 | Home networks, small offices |
Because these ranges are non-routable on the internet, millions of different organizations can use the same private addresses simultaneously without conflict. Your home network at 192.168.1.0/24 and your employer's network at 192.168.1.0/24 can both exist simultaneously — NAT ensures that when either network communicates with the internet, the private addresses are translated to unique public addresses.
Secondary Benefits of NAT
Beyond address conservation, NAT offers some secondary advantages:
- Implicit inbound filtering (often mislabelled "security through obscurity"): External hosts cannot initiate connections to internal hosts because an unsolicited inbound packet matches no entry in the translation table and is dropped. The protection comes from the stateful table, not from the private addresses being secret, and NAT makes no policy decision about which traffic is allowed: every static mapping or port forward you add opens that host to the internet, and outbound traffic from a compromised host is translated like any other. This is not a replacement for a stateful firewall; it is a side effect of address sharing.
- Internal renumbering flexibility: If your organization switches ISPs and receives a different public IP block, you only need to change NAT pool addresses — all internal hosts keep their private IPs unchanged. Without NAT, renumbering every host would be a significant project.
- Provider independence: Organizations using private addressing can maintain the same internal addressing scheme regardless of which ISP they use.
Drawbacks of NAT
NAT is not without significant problems. Engineers and architects should understand these tradeoffs:
- Breaks end-to-end connectivity: The fundamental design principle of the internet is that any host can communicate directly with any other host. NAT violates this. Hosts behind NAT cannot receive unsolicited inbound connections without special configuration (port forwarding). Peer-to-peer applications, VoIP, and online gaming all struggle with NAT.
- Protocol incompatibility: Some protocols embed IP addresses inside the application payload (not just in the IP header). FTP active mode, SIP (Session Initiation Protocol for VoIP), and H.323 all do this. A NAT device that translates the IP header does not automatically update the embedded addresses, breaking these protocols. Application Layer Gateways (ALGs) are required to handle them.
- Performance overhead: Every packet must have its IP address (and sometimes port number) rewritten. On high-throughput links, this processing load is measurable. Modern hardware NAT implementations mitigate this, but it remains a theoretical concern at very high traffic volumes.
- Troubleshooting complexity: When a problem occurs, you must track whether the issue is on the inside (private) or outside (public) side of the NAT boundary. The same connection appears with different IP addresses on each side, making end-to-end troubleshooting with tools like ping and traceroute more difficult.
Key Point: NAT Is a Temporary Solution
RFC 1918 and NAT were explicitly designed as short-term workarounds to give the internet community time to deploy IPv6. More than 25 years later, NAT is still ubiquitous because IPv6 adoption has been slower than anticipated. For the CCNA exam and for real-world networking, you must thoroughly understand NAT because it is present in virtually every network you will ever work on.
2. NAT Terminology: The Four Address Types
NAT terminology is one of the most frequently tested and most frequently confused topics in CCNA. Cisco uses four specific terms to describe addresses in a NAT environment, and many students mix them up on the exam. Let's break this down carefully.
The terminology is built around two dimensions: location (inside or outside the NAT boundary) and scope of meaningfulness (local scope or global/public scope).
| Term | Definition | Example Address | Where It Appears |
|---|---|---|---|
| Inside Local | The private IP address assigned to an internal host. This is the actual address configured on the device. | 192.168.1.10 | Source IP in packets on the LAN (before NAT) |
| Inside Global | The public IP address that represents the internal host when seen from the outside internet. | 203.0.113.5 | Source IP in packets on the WAN (after NAT) |
| Outside Local | The IP address of an external host as seen from inside the network. Usually the same as Outside Global (NAT is not translating the destination). | 8.8.8.8 | Destination IP in packets on the LAN side |
| Outside Global | The actual public IP address of the external host as it is known on the internet. | 8.8.8.8 | Destination IP in packets on the WAN side |
How to Remember the Terminology
Here is the mental model that makes this click: Think of "inside" and "outside" as your physical location — are you standing inside the private network or outside on the public internet? Think of "local" and "global" as which address is meaningful from where you are standing.
Memory Aid: The Two Questions
Question 1: Inside or Outside? — Is this host on the private (inside) network or the public (outside) internet?
Question 2: Local or Global? — Is this the address as seen from the local/private side, or as seen from the global/public internet?
Most standard NAT does not translate outside addresses, so Outside Local = Outside Global. The address you care most about is Inside Global — this is the public IP that Cisco IOS will show you in the translation table as the translated address.
Packet Flow Walkthrough
Follow a packet from an internal PC (192.168.1.10) to Google DNS (8.8.8.8) through a NAT router whose public address is 203.0.113.5:
- On the LAN, the PC sends the request with source 192.168.1.10 (inside local) and destination 8.8.8.8 (outside local).
- The router receives it on its inside interface, rewrites the source to 203.0.113.5 (inside global), records the mapping in its translation table and forwards the packet out the outside interface. The destination is untouched, so it is still 8.8.8.8 (outside global).
- 8.8.8.8 replies to 203.0.113.5; it never sees 192.168.1.10.
- The router receives the reply on its outside interface, finds 203.0.113.5 in the table, rewrites the destination back to 192.168.1.10 and delivers it on the LAN.
- A packet arriving on the outside interface for which no table entry exists has no inside destination and is dropped.
Exam Tip: Inside Local vs Inside Global
The CCNA exam loves to present a scenario and ask you to identify which type of address a given IP is. The most important distinction: Inside Local = private RFC 1918 address of your internal host. Inside Global = the public IP address that your internal host appears to be using when seen from the internet. Get these two right and the others follow naturally.
3. Static NAT: One-to-One Permanent Mapping
Static NAT creates a permanent, one-to-one mapping between a single inside local address and a single inside global address. This mapping exists regardless of whether any traffic is flowing — it never expires and never changes. Static NAT is essential when you need internal servers to be reachable from the internet, because external hosts need a predictable, permanent public IP address to connect to.
Use Cases for Static NAT
- Web servers: Your web server at 192.168.1.10 needs to be reachable from anyone on the internet. Static NAT gives it a permanent public IP.
- Mail servers: SMTP requires a reliable, known IP address for mail delivery and reverse DNS records. Static NAT provides this stability.
- FTP servers: File servers that must accept inbound connections need a fixed public address.
- Any service that accepts inbound connections: If external clients initiate connections to your service, you need static NAT (or port forwarding, which is a variation).
Static NAT Configuration
The configuration requires two components: the translation statement itself and the interface designations telling the router which interfaces are "inside" and which are "outside." Without the interface designations, NAT will not function.
Understanding Static NAT Output
After configuring static NAT, the translation entry is immediately visible in the NAT table even with no active traffic, because it is permanent. In show ip nat translations it appears with --- in the Pro column, no port numbers, and --- for the outside addresses until an external host actually connects, at which point the live session is listed as well.
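The two-part static NAT configuration described above and the table entry it produces, as an added example rather than configuration from the original page. It assumes a LAN on GigabitEthernet0/0, a WAN on GigabitEthernet0/1 inside an ISP-routed 203.0.113.0/29 with the ISP router at 203.0.113.6, and maps the web server 192.168.1.10 to 203.0.113.5; the show command output is a constructed sample in the IOS column layout.

```cisco
! Interface roles: NAT only translates traffic crossing from an "inside"
! interface to an "outside" interface (and back). Without these two lines
! the static statement below is inert.
interface GigabitEthernet0/0
 description LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 description WAN (assumed ISP-routed block 203.0.113.0/29)
 ip address 203.0.113.1 255.255.255.248
 ip nat outside
!
! Permanent one-to-one mapping: inside local 192.168.1.10 <-> inside global 203.0.113.5
ip nat inside source static 192.168.1.10 203.0.113.5
!
! Translated packets still need a route out (ISP next hop is an assumption)
ip route 0.0.0.0 0.0.0.0 203.0.113.6
!
! Verification (constructed sample). The entry exists with no traffic at all:
! Router# show ip nat translations
! Pro Inside global      Inside local       Outside local      Outside global
! --- 203.0.113.5        192.168.1.10       ---                ---
!
! While an external client (assumed 198.51.100.7) is connected to port 80,
! the live session is listed under the static entry as its own line:
! tcp 203.0.113.5:80     192.168.1.10:80    198.51.100.7:40112 198.51.100.7:40112
```

A static mapping translates every port of 192.168.1.10, so anything listening on that server is reachable from the internet the moment the line is entered. Pair it with an inbound access list or a stateful firewall on the outside interface that permits only the ports the server is meant to serve; NAT itself filters nothing.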
Key Point: Static NAT Requires Public IP Per Host
Static NAT consumes one public IP address for each internal host being mapped. If your ISP gives you a /29 block, that is 8 addresses, of which 6 are usable hosts (the network and broadcast addresses cannot be mapped), and one of those is normally the router's own WAN address, leaving at most 5 for static mappings. For most organizations, PAT (discussed in Section 5) is far more efficient. Static NAT is used specifically when a server must be reachable from the internet at a fixed address.
4. Dynamic NAT: Pool-Based Translation
Dynamic NAT assigns public IP addresses from a defined pool to internal hosts on a first-come, first-served basis. Unlike static NAT, these mappings are created dynamically when a host initiates outbound traffic and are removed after the translation times out. If all pool addresses are in use when a new host tries to initiate a connection, that connection will fail — dynamic NAT does not provide the unlimited scalability that PAT does.
When Dynamic NAT Is Appropriate
Dynamic NAT sits between static NAT and PAT in terms of address efficiency. It is appropriate when:
- You have more internal hosts than public IPs, but not dramatically more
- Not all internal hosts need internet access simultaneously
- You need a unique public IP per active inside host (some security or logging policies require that a public address identify one internal machine at a time)
- Certain applications require one-to-one IP mapping without port translation
Dynamic NAT Configuration
Dynamic NAT requires three components: a pool defining the available public IPs, an ACL defining which inside hosts can be translated, and a statement connecting the ACL to the pool.
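The three components listed above, as an added example and not the page's own configuration. Interface names, the pool 203.0.113.2 to 203.0.113.5 and the ISP next hop 203.0.113.6 are assumptions.

```cisco
interface GigabitEthernet0/0
 description LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 description WAN (assumed ISP-routed block 203.0.113.0/29)
 ip address 203.0.113.1 255.255.255.248
 ip nat outside
!
! 1. The pool of inside global addresses, handed out one per active inside host.
!    The netmask describes the pool's own subnet, not the LAN.
ip nat pool PUBLIC-POOL 203.0.113.2 203.0.113.5 netmask 255.255.255.248
!
! 2. A standard ACL selecting which inside local addresses may be translated.
!    Keep it tight: an over-broad permit also translates hosts you never meant
!    to give internet access, and the implicit deny at the end leaves every
!    other source untranslated.
access-list 1 remark Hosts allowed to use the public pool
access-list 1 permit 192.168.1.0 0.0.0.255
!
! 3. The statement tying the ACL to the pool. No "overload" keyword, so this is
!    dynamic NAT: four pool addresses means at most four inside hosts at once.
ip nat inside source list 1 pool PUBLIC-POOL
!
ip route 0.0.0.0 0.0.0.0 203.0.113.6
!
! Optional: shorten the idle timeout for these non-port entries (default 86400 s)
! so an exhausted pool frees addresses sooner. Value assumed.
ip nat translation timeout 3600
```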
Dynamic NAT Timeout Behavior
Dynamic NAT entries are not permanent. They time out after a period of inactivity. Default timeout values:
| Translation Type | Default Timeout | Configuration Command |
|---|---|---|
| TCP translations | 86,400 seconds (24 hours) | ip nat translation tcp-timeout [seconds] |
| UDP translations | 300 seconds (5 minutes) | ip nat translation udp-timeout [seconds] |
| ICMP translations | 60 seconds | ip nat translation icmp-timeout [seconds] |
| DNS translations | 60 seconds | ip nat translation dns-timeout [seconds] |
| Generic (all others) | 86,400 seconds | ip nat translation timeout [seconds] |
Exam Tip: Pool Exhaustion
A critical limitation of dynamic NAT (without overload) is pool exhaustion. If your pool contains 10 public IPs and 11 hosts simultaneously try to reach the internet, the 11th host gets no translation and its traffic is dropped; the only trace is the Misses counter in show ip nat statistics, and the host itself is told nothing. This is one of the main reasons PAT (NAT overload) is far more common in real deployments. The CCNA exam may present a scenario where hosts cannot reach the internet and ask you to diagnose, and pool exhaustion is a valid answer.
5. PAT: Port Address Translation (NAT Overload)
Port Address Translation (PAT), also called NAT Overload, is by far the most commonly deployed form of NAT. PAT allows hundreds or thousands of internal hosts to share a single public IP address simultaneously, using TCP/UDP port numbers to track and differentiate individual sessions. Nearly every IPv4 connection you make from a home network uses PAT: your home router has one public IP address from your ISP, yet every device in your home can access the internet at the same time.
How PAT Works
When an inside host initiates a connection, PAT records the inside local IP and source port, assigns an inside global IP (the public IP) with a unique translated port number, and stores this mapping in the NAT table. Return traffic is matched against this table to determine which inside host should receive it.
TCP and UDP port numbers range from 0 to 65,535. Cisco IOS tries to keep the host's original source port; when that port is already taken by another translation on the same inside global address, it allocates a free one from the same range (1 to 511, 512 to 1023, or 1024 to 65,535), so a single public address supports roughly 64,000 concurrent translations. For a typical office or home that is effectively unlimited, but the table is still finite: one host running a port scan, or malware opening thousands of connections, can exhaust the port space or the router's translation memory for everyone behind that address, so a per-host limit on translations is worth configuring.
PAT Configuration: Two Methods
There are two common ways to configure PAT. The first overloads the WAN interface address itself (ip nat inside source list ... interface ... overload); it is the usual choice in small-to-medium deployments and the only sensible one when the ISP assigns a single address by DHCP, because the configuration never names the address. The second overloads a pool of fixed public addresses (ip nat inside source list ... pool ... overload), which is what larger sites with a routed block of addresses use.
Key Point: The "overload" Keyword Is Everything
The single word "overload" at the end of the ip nat inside source command is what distinguishes PAT from dynamic NAT. Without "overload," you get dynamic NAT (one public IP per active inside host, pool exhaustion is possible). With "overload," you get PAT (many sessions per public IP, port numbers used for demultiplexing). This distinction is absolutely critical for the CCNA exam.
Exam Tip: PAT = NAT Overload
Cisco documentation and the CCNA exam use both terms: PAT and NAT Overload. They are exactly the same thing. When you see a NAT configuration command ending in "overload," that is PAT. When a question asks about PAT, they are asking about NAT Overload. Never confuse these — they are synonymous in Cisco terminology.
6. The NAT Translation Table Explained
The NAT translation table is the heart of NAT operation. Every translation the router performs is recorded here, and every return packet is matched against this table to determine its correct inside destination. Understanding how to read and interpret this table is essential for both the CCNA exam and real-world troubleshooting.
Reading show ip nat translations
The command show ip nat translations displays all current entries in the NAT table. Static, dynamic and PAT entries share one listing and are told apart by the Pro column and by whether port numbers are shown, as summarized in the table below.
Entry Types and Their Characteristics
| Entry Type | Protocol Column | Ports Shown | Persistence | Created By |
|---|---|---|---|---|
| Static NAT | --- (dashes) | No ports | Permanent, never expires | Manual configuration |
| Dynamic NAT | --- (dashes) | No ports | Times out after inactivity | First packet from inside host |
| PAT (TCP) | tcp | Both local and global ports | 86,400 second default timeout | First TCP packet from inside host |
| PAT (UDP) | udp | Both local and global ports | 300 second default timeout | First UDP packet from inside host |
| PAT (ICMP) | icmp | ICMP identifier used as port | 60 second default timeout | ICMP echo request from inside host |
Managing the Translation Table
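A constructed show ip nat translations listing with one entry of each kind from the table above, followed by the commands that manage the table, added here as an example rather than output captured from the original page. It assumes PAT on the WAN address 203.0.113.5, a static mapping of a server 192.168.1.10 to 203.0.113.10, and external peers in 198.51.100.0/24.

```cisco
! Constructed sample output
! Router# show ip nat translations
! Pro  Inside global         Inside local          Outside local         Outside global
! ---  203.0.113.10          192.168.1.10          ---                   ---
! tcp  203.0.113.10:443      192.168.1.10:443      198.51.100.7:51002    198.51.100.7:51002
! tcp  203.0.113.5:52114     192.168.1.20:52114    198.51.100.9:443      198.51.100.9:443
! tcp  203.0.113.5:1024      192.168.1.21:52114    198.51.100.9:443      198.51.100.9:443
! udp  203.0.113.5:61345     192.168.1.22:61345    8.8.8.8:53            8.8.8.8:53
! icmp 203.0.113.5:1         192.168.1.23:1        8.8.8.8:1             8.8.8.8:1
!
! Reading it:
!  line 1: the static entry, present with no traffic; Pro is --- and no ports
!  line 2: a live inbound session to that server, listed as its own tcp entry
!  line 3: PAT kept host .20's source port 52114 because it was free
!  line 4: host .21 chose the same source port toward the same server, so IOS
!          substituted another free port from the 1024-65535 range (1024 here);
!          the distinct inside global port is what separates the two return flows
!  line 5: UDP entry, 300 s idle timeout by default
!  line 6: ICMP has no ports, so the echo identifier takes that column; 60 s timeout
!
! Managing the table
! Drop every dynamic and PAT entry (static entries survive); live sessions break
! and are re-created on the next packet, so do this deliberately:
Router# clear ip nat translation *
!
! Drop one entry without touching the rest. Plain dynamic entries take
! "inside <global> <local>"; PAT entries need the protocol and both port pairs:
Router# clear ip nat translation inside 203.0.113.10 192.168.1.10
Router# clear ip nat translation udp inside 203.0.113.5 61345 192.168.1.22 61345 outside 8.8.8.8 53 8.8.8.8 53
```

Clearing the table is also the quickest way to force a translation to be rebuilt after you change an ACL or pool, because IOS refuses to remove a pool or mapping that still has active entries referencing it.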
Exam Tip: Interpreting Hits and Misses
In the show ip nat statistics output, "Hits" counts packets that matched an existing translation entry (the common case). "Misses" counts packets that found no existing entry; each miss triggers an attempt to create a translation, which succeeds for a normal new connection and fails when the pool is exhausted. Misses are therefore normal: every new connection from a new host increments the counter before its entry is created. A miss count that keeps rising while the number of active translations does not, or a very high miss count relative to hits, points at pool exhaustion or at timeouts so short that entries are constantly being rebuilt.
7. Complete Working Configuration Example
This section presents a complete, production-ready PAT configuration for a small office environment. This configuration includes all the components you would deploy in a real network and represents what you should be able to reproduce from memory for the CCNA exam.
Network Scenario
A small office has 50 workstations on the 192.168.1.0/24 subnet. The ISP has provided a /30 subnet (203.0.113.4/30) for the WAN link, giving the router a single public-facing IP address (203.0.113.5) with the ISP's end at 203.0.113.6. All 50 workstations must be able to access the internet simultaneously using PAT. One internal web server (192.168.1.50) must be reachable from the internet through the same router. Because there is only one public address and PAT is already using it, the server gets a static mapping with port translation (port forwarding) rather than a full one-to-one static NAT, which would need a second public address of its own.
Port Forwarding: A Variation of Static NAT
Port forwarding (also called static NAT with port translation) is commonly used to host services from a single public IP address. The syntax allows you to map a specific port on the outside IP to a specific port on an inside host:
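The scenario above as a complete configuration, added here as an example and not taken from the original page; it also shows the two PAT methods from Section 5 and the port forwarding syntax just described. Interface names, the translation limits and the ISP next hop 203.0.113.6 are assumptions, and the disabled pool variant assumes the ISP routes a second block, 203.0.113.16/29, to the router.

```cisco
! ---- Interfaces: the NAT boundary ----
interface GigabitEthernet0/0
 description LAN 192.168.1.0/24 (50 workstations + web server)
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 description WAN, ISP /30 203.0.113.4/30 (router .5, ISP .6)
 ip address 203.0.113.5 255.255.255.252
 ip nat outside
!
! ---- Which inside hosts may be translated ----
access-list 1 remark Workstations and server allowed out via PAT
access-list 1 permit 192.168.1.0 0.0.0.255
!
! ---- PAT method 1 (used here): overload the WAN interface address ----
! Nothing hard-codes 203.0.113.5, so this keeps working if the ISP hands out
! a different address via DHCP.
ip nat inside source list 1 interface GigabitEthernet0/1 overload
!
! ---- PAT method 2 (alternative, left disabled): overload a pool ----
! Use this when the ISP routes a block of fixed addresses to you; the block
! below (203.0.113.16/29) is assumed.
! ip nat pool PUBLIC-POOL 203.0.113.17 203.0.113.22 netmask 255.255.255.248
! ip nat inside source list 1 pool PUBLIC-POOL overload
!
! ---- Port forwarding for the web server ----
! Only TCP 80 and 443 of 192.168.1.50 are exposed on the shared public address;
! the server's other ports stay unreachable, and its own outbound traffic still
! goes through the PAT rule above.
ip nat inside source static tcp 192.168.1.50 80 interface GigabitEthernet0/1 80
ip nat inside source static tcp 192.168.1.50 443 interface GigabitEthernet0/1 443
!
! ---- Routing: translated packets need a way out ----
ip route 0.0.0.0 0.0.0.0 203.0.113.6
!
! ---- Bound the translation table (values assumed) ----
! A scanning or infected workstation otherwise consumes ports and memory that
! every other host behind 203.0.113.5 shares.
ip nat translation max-entries 20000
ip nat translation max-entries all-host 400
```

The two static tcp lines coexist with the overload rule on the same interface address because they are port-specific: inbound packets to 203.0.113.5:80 and :443 go to the server, and everything else arriving on 203.0.113.5 is matched against the PAT table or dropped. Mapping the server with a plain ip nat inside source static 192.168.1.50 203.0.113.5 instead would claim the whole address and conflict with PAT.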
8. Troubleshooting NAT
NAT troubleshooting is methodical when you know where to look. Most NAT failures fall into a small number of categories. Developing a systematic approach will save you hours of frustration both on the exam and in real production environments.
The Most Common NAT Mistakes
Mistake #1: Missing ip nat inside / ip nat outside
This is the single most common NAT misconfiguration. Without these commands on the correct interfaces, the router does not know which interfaces define the NAT boundary and will not translate any traffic. Verify with show ip nat statistics, which lists the configured inside and outside interfaces, or with show running-config interface [interface].
Mistake #2: ACL Does Not Match Inside Hosts
If the ACL referenced in the NAT statement does not permit the source addresses of your inside hosts, no translation occurs and the traffic is simply forwarded (or dropped if there is no route). Check with show access-lists and verify match counts are incrementing when inside hosts send traffic.
Mistake #3: Missing Default Route
NAT performs the address translation, but the translated packet still needs a route to reach its destination. Without a default route (or specific routes) pointing toward the internet, translated packets are dropped. Always verify routing with show ip route.
Mistake #4: Pool Exhaustion (Dynamic NAT)
In dynamic NAT (without overload), when all pool addresses are in use, new translation requests fail silently. Check show ip nat statistics for pool utilization and show ip nat translations to count active entries versus pool size.
Mistake #5: ip nat inside on the Wrong Interface
Applying "ip nat inside" to the WAN interface and "ip nat outside" to the LAN interface reverses the NAT direction completely. Traffic will not be translated correctly. The inside interface always faces your private network; the outside interface always faces the public internet.
Troubleshooting Commands and Their Output
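The verification sequence for the five mistakes above, with constructed sample output, added here as an example (nothing in it is captured from a router belonging to the original page). It assumes the small-office PAT configuration from Section 7 on GigabitEthernet0/0 and 0/1 and, for the pool-exhaustion step, a dynamic pool named PUBLIC-POOL of four addresses.

```cisco
! Step 1: are both NAT interfaces present, and on the right sides?
Router# show ip nat statistics
! Total active translations: 53 (2 static, 51 dynamic; 53 extended)
! Peak translations: 61, occurred 00:12:31 ago
! Outside interfaces:
!   GigabitEthernet0/1
! Inside interfaces:
!   GigabitEthernet0/0
! Hits: 184322  Misses: 61
! CEF Translated packets: 184300, CEF Punted packets: 83
! Expired translations: 9
! Dynamic mappings:
! -- Inside Source
! [Id: 1] access-list 1 interface GigabitEthernet0/1 refcount 51
!
! If either interface list is empty, or the WAN appears under "Inside",
! fix the interface commands before looking anywhere else.
!
! Step 2: is the ACL matching? The counter must climb while inside hosts send.
Router# show access-lists 1
! Standard IP access list 1
!     10 permit 192.168.1.0, wildcard bits 0.0.0.255 (184383 matches)
!
! Step 3: is there a route for the translated packet?
Router# show ip route 0.0.0.0
! Routing entry for 0.0.0.0/0, supernet
!   Known via "static", distance 1, metric 0, candidate default path
!   Routing Descriptor Blocks:
!   * 203.0.113.6
!
! Step 4 (dynamic NAT without overload only): is the pool exhausted?
! The pool section at the end of show ip nat statistics tells you; 100%
! allocated plus a rising misses figure means new hosts are being dropped.
! [Id: 1] access-list 1 pool PUBLIC-POOL refcount 4
!  pool PUBLIC-POOL: netmask 255.255.255.248
!         start 203.0.113.2 end 203.0.113.5
!         type generic, total addresses 4, allocated 4 (100%), misses 37
!
! Step 5: watch translations happen. Limit the debug to one host with an
! access list so a busy router is not flooded with output.
Router# terminal monitor
Router(config)# access-list 10 permit host 192.168.1.10
Router# debug ip nat 10
! IP NAT debugging is on
! NAT: s=192.168.1.10->203.0.113.5, d=8.8.8.8 [1]      outbound: source rewritten
! NAT*: s=8.8.8.8, d=203.0.113.5->192.168.1.10 [1]     return: destination rewritten;
!                                                       the * marks the fast-switched path
Router# undebug all
```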
Exam Tip: Debugging NAT Safely
The CCNA exam may ask about NAT debugging commands. Know that debug ip nat prints each translation as it happens (s= is the source, d= the destination, and the arrow shows which address was rewritten), and that an asterisk after NAT in the output (NAT*) means the packet was handled in the fast-switched path rather than process-switched; it is not a flag meaning "translated". In a real production environment, use debug commands with extreme caution: on a busy router, debug ip nat can generate thousands of messages per second and cause significant CPU spikes, so restrict it to a single host with an access list (debug ip nat [access-list]) whenever you can. Use terminal monitor if debugging from a Telnet/SSH session, and turn debugging off with undebug all when finished.
9. NAT64 and IPv6 Transition
As IPv6 deployment continues to grow, the networking industry faces an extended transition period during which both IPv4 and IPv6 networks must coexist and communicate. NAT64 is one of the mechanisms designed to bridge this gap.
What Is NAT64
NAT64 is defined in RFC 6146 and allows IPv6-only clients to communicate with IPv4-only servers. A NAT64 gateway sits at the boundary between an IPv6 network and the IPv4 internet. When an IPv6 client sends a packet destined for an IPv4 server, the NAT64 device translates the IPv6 packet headers to IPv4 headers (and vice versa for return traffic). NAT64 is typically combined with DNS64 (RFC 6147), which synthesizes AAAA (IPv6) DNS records for IPv4-only servers by embedding the IPv4 address in the low 32 bits of a NAT64 prefix, normally the well-known prefix 64:ff9b::/96 defined in RFC 6052 (8.8.8.8 becomes 64:ff9b::808:808). DNS64 usually runs on the recursive resolver rather than on the gateway; the two only have to agree on the prefix.
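A stateful NAT64 gateway configuration for the setup just described, added here as an example and not taken from the original page. It uses IOS-XE NAT64 syntax (the platform is an assumption), assumes an IPv6-only client LAN 2001:db8:1::/64, an IPv4 pool address 203.0.113.20 that the ISP routes to the router, and that DNS64 is provided by the site's recursive resolver configured with the same 64:ff9b::/96 prefix.

```cisco
ipv6 unicast-routing
!
! IPv6-only client side
interface GigabitEthernet0/0/0
 description IPv6-only client LAN (prefix assumed)
 ipv6 address 2001:db8:1::1/64
 nat64 enable
!
! IPv4 internet side
interface GigabitEthernet0/0/1
 description IPv4 uplink
 ip address 203.0.113.5 255.255.255.252
 nat64 enable
!
! The prefix that DNS64 embeds IPv4 addresses into; the gateway recognises
! any destination inside it as "really an IPv4 host"
nat64 prefix stateful 64:ff9b::/96
!
! IPv4 address(es) the translated clients appear from (assumed, ISP-routed)
nat64 v4 pool NAT64-POOL 203.0.113.20 203.0.113.20
!
! Which IPv6 sources are allowed through the gateway
ipv6 access-list NAT64-CLIENTS
 permit ipv6 2001:db8:1::/64 any
!
! "overload" has the same meaning as in IPv4 PAT: many clients share the
! pool address, distinguished by port
nat64 v6v4 list NAT64-CLIENTS pool NAT64-POOL overload
!
! Walkthrough of one flow:
!  1. client resolves an IPv4-only name; DNS64 returns AAAA 64:ff9b::808:808
!     (8.8.8.8 = 0x08080808 in the low 32 bits of the prefix)
!  2. client sends IPv6 to 64:ff9b::808:808
!  3. gateway strips the prefix, emits IPv4 to 8.8.8.8 from 203.0.113.20:<port>
!  4. the reply to 203.0.113.20:<port> is rebuilt as IPv6 back to the client
! Verification: show nat64 translations / show nat64 statistics
```

The access list is the policy boundary here just as it is for IPv4 NAT: anything not permitted by NAT64-CLIENTS is never translated, and hosts outside the IPv4 pool cannot reach the IPv6 clients unless a mapping already exists.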
IPv6 and the End of NAT
IPv6 with its 128-bit address space provides approximately 3.4 × 10^38 addresses — enough to assign billions of unique addresses to every person on Earth, with addresses left over. With IPv6, every device can have a globally unique, routable public IP address. There is no address exhaustion problem, and therefore no technical need for NAT.
This is why IPv6 restores the original end-to-end connectivity model of the internet. An IPv6 host can be directly reachable from anywhere in the world without address translation. Security is enforced by firewalls and stateful packet inspection, not by the ambiguity of private addressing.
However, NAT has indirectly slowed IPv6 adoption. Because NAT solved the immediate pain of IPv4 exhaustion, organizations feel less pressure to migrate to IPv6. Many argue that NAT has become so embedded in network architectures, security models, and engineer mindsets that its influence will persist even after IPv6 becomes the predominant protocol. For network engineers, this means NAT knowledge will remain relevant for at least another decade.
Key Point: IPv6 Does Not Need NAT
For the CCNA exam, understand that NAT was a workaround for IPv4 address exhaustion and that IPv6 eliminates the need for NAT by providing a sufficiently large address space for every device to have a unique public IP. IPv6 also supports ULA (Unique Local Addresses, fc00::/7) which are analogous to RFC 1918 private addresses, but their use with NAT is discouraged — instead, firewall policies provide security.
10. CCNA Exam Tips for NAT
NAT is a significant topic in the CCNA 200-301 exam, particularly under the IP Services domain. Here is a focused review of exactly what you need to know and the most likely question types.
Must-Know Facts
- Four address types: Inside Local (private IP of inside host), Inside Global (public IP representing inside host), Outside Local (external host IP as seen from inside — usually same as Outside Global), Outside Global (actual public IP of external host).
- Three NAT types: Static (permanent 1:1), Dynamic (pool-based), PAT/NAT Overload (many-to-one using ports).
- PAT = NAT Overload: These are exactly the same thing. The "overload" keyword enables PAT.
- Interface commands: ip nat inside on the private-facing interface, ip nat outside on the public-facing interface. Both are required.
- Verification: show ip nat translations shows the NAT table. show ip nat statistics shows counts and pool usage.
- Clear command: clear ip nat translation * removes all dynamic entries (static entries remain).
- RFC 1918 ranges: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16; memorize these.
Exam Tip: Configuration Identification Questions
A common exam question type shows you a NAT configuration and asks what type it is, or shows you a flawed configuration and asks what is wrong. Practice identifying: (1) Is "overload" present? If yes, it is PAT. (2) Is a pool defined? If yes with no overload, it is dynamic NAT. (3) Is it a static mapping between two specific IPs? Then it is static NAT. (4) Are "ip nat inside" and "ip nat outside" on the correct interfaces? Swapped designations are a favorite distractor.
Exam Tip: Scenario-Based Troubleshooting
The CCNA exam frequently presents a network scenario with a broken NAT configuration and asks you to identify the problem. Always check these in order: (1) Are the interface NAT designations correct and present? (2) Does the ACL match the inside hosts? (3) Is there a default route for translated traffic to follow? (4) For dynamic NAT, is the pool large enough? These four checks resolve the vast majority of NAT problems on the exam and in real life.
Exam Tip: Reading the NAT Table
Be ready to look at a show ip nat translations output and answer questions about it. Know that static entries have "---" in the Pro column and no ports. PAT entries show "tcp", "udp" or "icmp" and include port numbers (or the ICMP identifier) in the Inside Global and Inside Local columns. The format is IP:port for PAT entries. Practice reading these tables until you can instantly identify the inside local IP from any entry.