CCNA Cisco NAT PAT: Complete Study Guide

Network Address Translation (NAT) and Port Address Translation (PAT) are critical for CCNA certification. NAT translates private IP addresses to public ones, enabling internal networks to communicate across the internet while saving public IP space.

PAT (also called NAT overload) takes this further by allowing multiple devices to share a single public IP address through port translation. Mastering these technologies is essential for network administrators and CCNA exam success.

Understanding Network Address Translation (NAT)

Network Address Translation converts IP addresses from one address space to another. It typically translates private IPs to public IPs, allowing internal networks to access external networks efficiently.

Core Purpose of NAT

NAT solves two major problems. First, it allows devices using RFC 1918 private addresses (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) to reach external networks. Second, it conserves public IP addresses by letting multiple devices share fewer public IPs.

NAT operates at Layer 3 (Network Layer) of the OSI model. It modifies source and destination IP addresses in packet headers as traffic passes through the router.

Three Main NAT Types

  • Static NAT: Creates permanent one-to-one mappings between private and public IPs. Perfect for hosting servers accessible from the internet.
  • Dynamic NAT: Creates temporary mappings from a pool of public addresses. The specific public IP assigned depends on availability.
  • PAT (NAT Overload): Allows multiple private hosts to share a single public IP by using different port numbers.

Key NAT Components

Understanding these four address types is fundamental. The inside local address is the actual private IP on your network. The inside global address is the translated public IP. The outside local address is an external host's address as it appears to hosts on your internal network. The outside global address is the external host's real address.

Routers maintain translation tables that store mappings between original and translated addresses. These tables allow return traffic to route back to the correct internal device.

Port Address Translation (PAT) and NAT Overload

Port Address Translation (PAT) is an advanced form of NAT that solves IP address scarcity. It lets multiple internal hosts share a single public IP by using different source port numbers to distinguish between connections.

How PAT Works

When PAT translates outgoing packets, it changes both the source IP address and the source port number. This creates unique combinations that identify individual connections. For example, 254 internal hosts can communicate through the internet using one public IP if the router assigns each a different source port.

The translation table maps the combination of inside local IP plus port to a unique inside global IP plus port. When return traffic arrives, the router matches the destination IP and port to identify which internal host receives the packets.

PAT Protocol Support

PAT handles both TCP and UDP protocols. TCP connections are tracked based on established and temporary connection states. UDP mappings rely on idle timeout values to determine when entries expire.

Real-World Advantage

PAT lets an internal network grow without purchasing additional public IPs. A branch office with 200 devices needs only one public IP address. However, PAT complicates troubleshooting, and some applications such as VoIP require special configuration such as port triggering or port forwarding to function properly.

Configuring NAT and PAT on Cisco Routers

Cisco IOS NAT configuration follows a consistent, step-by-step pattern. Begin by identifying interfaces, then define traffic, then apply translation rules.

Step 1: Configure Inside and Outside Interfaces

Mark interfaces facing your private network with ip nat inside. Mark interfaces facing the public network with ip nat outside.

Step 2: Define Traffic with ACLs

Create an access control list specifying which traffic should be translated. For example:

access-list 1 permit 192.168.1.0 0.0.0.255

This permits all traffic from the 192.168.1.0/24 network for translation.

Step 3: Choose Your NAT Type

For static NAT, use:

ip nat inside source static [inside-local] [inside-global]

For dynamic NAT, first create an address pool:

ip nat pool [pool-name] [start-ip] [end-ip] netmask [netmask]

Then apply it:

ip nat inside source list [acl] pool [pool-name]

For PAT configuration, use either:

ip nat inside source list [acl] pool [pool-name] overload (with a single-address pool; the overload keyword is still required, otherwise this is dynamic NAT with one address)

Or more commonly:

ip nat inside source list [acl] interface [outside-interface] overload

Step 4: Verify Configuration

Check active translations:

show ip nat translations

View statistics:

show ip nat statistics

Debug in real time:

debug ip nat
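Putting the four steps together, here is a constructed Cisco IOS configuration (an added example, not from the original page) that combines PAT on the outside interface with a static mapping for one web server, followed by a constructed sample of what show ip nat translations might display once two hosts that happened to pick the same source port have traffic through it. The interface names, the documentation-range addresses (192.168.1.0/24, 203.0.113.0/24, 198.51.100.7) and the port numbers are assumptions, and the exact global port IOS picks on a collision varies by platform.

```cisco
! Constructed example (not from the page): PAT for the LAN plus static NAT
! for one web server. Addresses are RFC 1918 / RFC 5737 documentation ranges.
!
! Step 1: mark which side of the router is inside and which is outside
interface GigabitEthernet0/0
 description LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 description ISP uplink
 ip address 203.0.113.2 255.255.255.0
 ip nat outside
!
! Step 2: ACL selecting the hosts to translate; the web server is excluded
! so that only its static mapping ever applies to it
access-list 1 deny   192.168.1.100
access-list 1 permit 192.168.1.0 0.0.0.255
!
! Step 3a: static one-to-one NAT so the server is reachable from outside
ip nat inside source static 192.168.1.100 203.0.113.50
!
! Step 3b: PAT; the "overload" keyword is what makes this PAT rather than
! dynamic NAT, so every LAN host shares the outside interface address
ip nat inside source list 1 interface GigabitEthernet0/1 overload
!
! Route translated packets toward the ISP
ip route 0.0.0.0 0.0.0.0 203.0.113.1
!
! Step 4: constructed sample output. Hosts .10 and .11 both chose source
! port 51000, so the second entry is given a different global port (1024
! here; the port IOS actually picks depends on platform and release).
Router# show ip nat translations
Pro Inside global         Inside local          Outside local         Outside global
tcp 203.0.113.2:51000     192.168.1.10:51000    198.51.100.7:443      198.51.100.7:443
tcp 203.0.113.2:1024      192.168.1.11:51000    198.51.100.7:443      198.51.100.7:443
--- 203.0.113.50          192.168.1.100         ---                   ---
```

The last line is the static entry: it exists even with no traffic, while the two PAT entries are created on the first outbound packet and are what return traffic to 203.0.113.2:51000 or :1024 is matched against.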

Common Configuration Mistakes

  • Forgetting to configure both inside and outside interfaces
  • Using incorrect ACL syntax or logic
  • Failing to include the overload keyword when PAT is intended

NAT and PAT: Practical Applications and Troubleshooting

NAT and PAT exist in nearly every modern network, from small branch offices to large enterprises. Real-world deployments teach valuable lessons for exam preparation and professional work.

Common Use Cases

Branch office scenario: A branch with 50 internal hosts connects to headquarters through one public IP. PAT is the ideal solution.

Web server scenario: Web servers on private networks must remain accessible from the internet. Static NAT provides permanent, unchanging mappings.

Security scenario: Organizations use NAT for network segmentation and security. It hides internal IP structures from external observers.

Systematic Troubleshooting Approach

If hosts cannot reach external networks, check these in order:

  1. Verify interfaces are correctly marked as inside or outside
  2. Confirm ACLs permit the necessary traffic
  3. Check pool configuration if using dynamic NAT
  4. Review translation statistics with show ip nat statistics

If some traffic works but other traffic fails, you may have protocol embedding issues. FTP, SIP, and DNS embed IP addresses in their payload. These require NAT Protocol Translators or special configuration.

Resetting Translations

Use clear ip nat translation to reset specific translation entries when needed.

Performance Considerations

High connection volumes can overload translation tables. Routers doing NAT for thousands of simultaneous connections consume significant processing resources. When this happens, upgrading hardware or implementing dedicated NAT appliances becomes necessary.

Application-Specific Issues

Applications that detect source IP addresses for security (certain VPNs or firewalls) may require configuration adjustments to function properly behind NAT.

Why Flashcards Are Essential for Mastering NAT and PAT

NAT and PAT require memorizing numerous terms, commands, address types, and behaviors. Flashcards are exceptionally effective because they force active recall rather than passive reading.

How Flashcards Improve Learning

Spaced repetition is proven to improve long-term retention. Flashcard apps show difficult cards more frequently while spending less time on material you've mastered. This targets knowledge gaps directly and is more efficient than traditional study methods.

Flashcards let you practice essential skills:

  • Identify differences between static NAT, dynamic NAT, and PAT at a glance
  • Memorize command syntax with precise keywords
  • Reinforce the purpose of each configuration step

Organize Cards by Difficulty

Beginner cards cover basic definitions (inside local vs inside global). Intermediate cards test command syntax and configuration steps. Advanced cards require diagnosing translation table entries or troubleshooting broken configurations.

Scenario-Based Cards Deepen Understanding

Instead of simple memorization, create realistic scenarios: "A company needs 200 internal hosts to access the internet through one public IP. Which NAT type should they use?" These cards develop practical problem-solving skills.

Study Schedule That Works

15-20 minute study sessions are more effective than cramming. Flashcards accommodate this by enabling quick, focused review whenever you have available time. Regular short sessions beat marathon study sessions for long-term retention.

Mastering NAT and PAT through flashcards builds exam confidence and prepares you for real-world network administration.

Start Studying NAT and PAT for CCNA

Master Network Address Translation and Port Address Translation with interactive flashcards. Practice configuration commands, address types, troubleshooting scenarios, and exam questions. Study on your schedule with spaced repetition to achieve CCNA certification.


Frequently Asked Questions

What is the difference between inside local and inside global addresses?

Inside local address is the actual private IP assigned to a host on your internal network. Inside global address is the public IP representing that host after NAT translation.

Example: A computer with private IP 192.168.1.100 (inside local) translates to public IP 203.0.113.50 (inside global) when reaching external networks.

The inside local address only has meaning within your private network. The inside global address is how external hosts see your internal device. This distinction is crucial for understanding translation tables and how return traffic routes back to the original internal host.

When should you use static NAT versus dynamic NAT or PAT?

Use static NAT when you have servers that must keep permanent, unchanging public IPs accessible from the internet. Examples include web servers, mail servers, and DNS servers. Static NAT creates one-to-one mappings that remain constant.

Use dynamic NAT when you have a moderate pool of public addresses and want internal hosts to receive an available address from that pool for temporary connections. This works when public address availability is limited but not extremely restricted.

Use PAT (dynamic NAT with overload) when you need many internal hosts with very few public addresses, often just one. PAT is most common in branch offices, small businesses, and home networks where conserving public IPs is critical.

What are some common applications that have problems with NAT and PAT?

Applications embedding IP addresses in their data payload struggle with NAT and PAT. The router translates the source IP address but misses addresses within the packet content.

Problematic applications include:

  • Older FTP implementations that embed IPs in commands
  • Session Initiation Protocol (SIP) used for VoIP, which embeds IPs for call setup
  • Certain peer-to-peer applications
  • Some gaming protocols
  • IPsec VPNs, which authenticate source IP addresses

Modern solutions include NAT Protocol Translators for specific protocols, port triggering for applications, and application-aware firewalls. Understanding these limitations helps you design networks properly.

How many translation entries can a Cisco router typically handle?

The number of translation entries depends on router model and available memory. Older routers handle thousands to tens of thousands. Modern high-end routers handle hundreds of thousands or millions of simultaneous translations.

Each translation entry consumes memory, so routers with limited RAM reach capacity faster. For CCNA exam purposes, understand that translation table size is a finite resource and becomes a performance bottleneck under heavy loads.

In real deployments with high connection volumes, monitor translation table utilization using show ip nat statistics. If capacity limits are approached, upgrade hardware or implement dedicated NAT appliances. Always choose appropriate hardware for your expected concurrent connections.

What is the 'overload' keyword and why is it essential for PAT?

The 'overload' keyword enables Port Address Translation by instructing the router to translate both IP addresses and port numbers. This allows multiple internal hosts to share a single public IP address.

Without the overload keyword, dynamic NAT is configured instead, requiring one public IP for each internal host. With overload, the router assigns distinct port numbers to map multiple internal connections through a single outside interface IP.

Example command:

ip nat inside source list 1 interface GigabitEthernet0/1 overload

This transforms basic dynamic NAT into the more powerful PAT. The overload keyword is critical for modern networking and forgetting it is a common mistake on CCNA exams.