Network Address Translation (NAT) and PAT
AI-Generated Content
In a world with billions of internet-connected devices but only a limited pool of public IPv4 addresses, Network Address Translation (NAT) is the technology that lets private networks reach the public internet at all. It sits on the border device, typically a router or firewall, and rewrites addresses as packets cross it. For any network professional, especially those pursuing the CCNA certification, a practical understanding of NAT and its extension, Port Address Translation (PAT), is non-negotiable. The knowledge matters for configuring internet access and conserving public IP addresses. One caution up front: NAT is often described as a security feature, but on its own it is not one. Hiding internal addressing and dropping inbound packets that match no translation entry is a side effect of how it works, not an access-control policy; the perimeter is secured by the ACLs and stateful firewall rules that sit alongside NAT, not by NAT itself.
Understanding the Core Problem and NAT Types
At its heart, NAT is a process that modifies IP address information in packet headers while in transit across a traffic routing device, typically a router or firewall. The original purpose, and its most significant benefit, is the conservation of public IPv4 addresses. Organizations use private IP addresses from the three RFC 1918 ranges (10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16) for their internal networks. These addresses are not routable on the public internet. NAT solves this by mapping private addresses to one or more public addresses when traffic needs to exit the local network, and by recording each mapping in a translation table so that the reply traffic can be mapped back to the right inside host.
There are three primary types of NAT you must understand:
- Static NAT: This creates a one-to-one, fixed mapping between a single private IP address and a single public IP address. It is often used for servers that need to be accessible from the internet, like a web or email server. For example, you might statically map your internal web server at 192.168.1.10 to the public IP address 203.0.113.10. Any internet request to 203.0.113.10 is translated and forwarded to 192.168.1.10. Because the mapping is permanent and works in both directions, every port on 192.168.1.10 becomes reachable from the internet through 203.0.113.10 unless an ACL on the outside interface restricts what is allowed in; static NAT exposes a host, it does not protect it.
- Dynamic NAT: This maps a private IP address to a public IP address taken from a predefined pool of public addresses. The mapping is not fixed but is created when an inside host first sends traffic toward the internet. The entry is not tied to a single session: it stays in the table until its idle timeout expires (IOS defaults to 24 hours for dynamic entries) or it is cleared, and only then is the public address returned to the pool. It is still a one-to-one mapping, so if you have a pool of 5 public addresses, only 5 internal hosts can hold translations at the same time; a sixth host's packets are dropped until an address frees up.
- PAT (Port Address Translation), also called NAT Overload: This is the most common form of NAT used in homes and businesses. PAT allows many private IP addresses to be mapped to a single public IP address (or a small pool) by using unique source port numbers. When an internal host (e.g., 192.168.1.5) sends a packet, the NAT device translates not just the IP address but also the source TCP/UDP port. It tracks these translations in a table keyed by protocol, inside local address and port, inside global address and port, and the outside address and port, which is exactly the row layout of show ip nat translations. The router keeps the original source port whenever it is still free on the public address; if two inside hosts happen to choose the same source port, the second one is assigned a different public port. This is what enables an entire office network to access the internet using just one public IP from their ISP.
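The following is an added example, not code from the original page: a small Python model of a PAT translation table that shows the mechanism the list above describes, including what happens when two inside hosts pick the same source port and why an unsolicited packet from the outside goes nowhere. The addresses, ports and packets are constructed, and the port allocator is a simplification of what IOS does (one public port per protocol across the table, original port kept when free; idle timeouts are not modeled).

```python
# Added example (not from the original page): a minimal model of the
# PAT translation table. Addresses, ports and packets are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# One outbound flow: (proto, inside local ip, inside local port, outside ip, outside port)
Flow = Tuple[str, str, int, str, int]


class PATTable:
    """Many inside hosts share one inside global address, told apart by port.

    Simplification (assumption, not the exact IOS allocator): a translated
    port is unique per protocol across the whole table, and the original
    source port is kept whenever it is still free.
    """

    def __init__(self, inside_global_ip: str, low_port: int = 1024, high_port: int = 65535):
        self.inside_global_ip = inside_global_ip
        self.low_port, self.high_port = low_port, high_port
        self.by_flow: Dict[Flow, int] = {}                  # flow -> inside global port
        self.by_port: Dict[Tuple[str, int], Flow] = {}      # (proto, inside global port) -> flow

    def _allocate_port(self, proto: str, wanted: int) -> int:
        if (proto, wanted) not in self.by_port:
            return wanted                                   # port preserved
        for port in range(self.low_port, self.high_port + 1):   # collision: next free port
            if (proto, port) not in self.by_port:
                return port
        raise RuntimeError(f"PAT port space exhausted for {proto}")

    def translate_outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside: rewrite source ip:port, creating an entry on first sight."""
        flow: Flow = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.by_flow.get(flow)
        if port is None:
            port = self._allocate_port(pkt.proto, pkt.src_port)
            self.by_flow[flow] = port
            self.by_port[(pkt.proto, port)] = flow
        return Packet(pkt.proto, self.inside_global_ip, port, pkt.dst_ip, pkt.dst_port)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside: only packets matching an existing entry get through.

        Returns None (packet dropped) when no entry exists for the destination
        port or when the sender is not the outside host the entry was built for.
        NAT is not a firewall, but this is why unsolicited inbound traffic to a
        PAT address goes nowhere.
        """
        if pkt.dst_ip != self.inside_global_ip:
            return None
        flow = self.by_port.get((pkt.proto, pkt.dst_port))
        if flow is None:
            return None
        proto, in_ip, in_port, out_ip, out_port = flow
        if (pkt.src_ip, pkt.src_port) != (out_ip, out_port):
            return None
        return Packet(proto, pkt.src_ip, pkt.src_port, in_ip, in_port)

    def show(self) -> List[str]:
        """Rows in the column order of 'show ip nat translations'."""
        rows = []
        for (proto, gport), (_, in_ip, in_port, out_ip, out_port) in sorted(self.by_port.items()):
            rows.append(f"{proto} {self.inside_global_ip}:{gport} {in_ip}:{in_port} "
                        f"{out_ip}:{out_port} {out_ip}:{out_port}")
        return rows


if __name__ == "__main__":
    nat = PATTable("203.0.113.1")
    # Two inside hosts pick the same source port toward the same web server.
    nat.translate_outbound(Packet("tcp", "192.168.1.5", 1024, "198.51.100.10", 80))
    nat.translate_outbound(Packet("tcp", "192.168.1.6", 1024, "198.51.100.10", 80))
    print("\n".join(nat.show()))
    # The server's reply to 203.0.113.1:1025 reaches host .6, not host .5.
    print(nat.translate_inbound(Packet("tcp", "198.51.100.10", 80, "203.0.113.1", 1025)))
    # An unrelated outside host probing the same port is dropped.
    print(nat.translate_inbound(Packet("tcp", "192.0.2.99", 40000, "203.0.113.1", 1024)))
```

The inbound check deliberately compares the sender against the outside address and port recorded in the entry. That is what an extended translation entry implies on IOS and it is the behaviour people mistake for a firewall: it drops probes only because no matching state exists, and it has nothing to say about traffic that does match.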
Configuring NAT and PAT on Cisco IOS
Configuration is a critical, hands-on skill for the CCNA. The process involves identifying interfaces and defining translation rules. Here is a step-by-step guide for a common PAT configuration, which overloads a single public IP address on the router's outside interface.
Step 1: Designate Inside and Outside Interfaces. You must tell the router which interfaces connect to your private network (inside) and which connect to the public internet (outside). This is done in interface configuration mode.
Router(config)# interface GigabitEthernet0/0
Router(config-if)# ip nat inside
Router(config-if)# exit
Router(config)# interface GigabitEthernet0/1
Router(config-if)# ip nat outside
Router(config-if)# exit
Step 2: Define the Access Control List (ACL). Create a standard or extended ACL that identifies the private IP addresses eligible for translation. This ACL does not permit or deny traffic in the filtering sense; a permit entry means "translate this source" and a deny entry (or the implicit deny at the end) means "route it untranslated".
Router(config)# access-list 1 permit 192.168.1.0 0.0.0.255
This ACL matches any address in the 192.168.1.0/24 network.
Step 3: Configure the NAT Overload (PAT) Rule. This command establishes the PAT rule, linking the ACL (what to translate) to the outside interface's IP address (what to translate it to).
Router(config)# ip nat inside source list 1 interface GigabitEthernet0/1 overload
The keyword overload is what enables PAT. For static NAT, the command would look like ip nat inside source static 192.168.1.10 203.0.113.10; this creates a permanent entry, so sessions can also be initiated from the outside toward 203.0.113.10. For dynamic NAT, you would first create a pool of public addresses (ip nat pool MYPOOL 203.0.113.1 203.0.113.5 netmask 255.255.255.0) and then apply it (ip nat inside source list 1 pool MYPOOL).
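As an added example (not from the original page), the following Python script assembles the three steps above into one configuration from a few parameters and, more usefully, applies the same wildcard-mask arithmetic the router uses so you can check which inside hosts the ACL will actually hand to NAT before you paste the commands in. The interface names, subnet and sample hosts are assumptions, and the typo case at the end is constructed to show how a wrong wildcard silently leaves hosts untranslated.

```python
# Added example (not from the original page): assemble the three-step PAT
# configuration above from a few parameters and check, with the same
# wildcard-mask arithmetic the router uses, which hosts the ACL really
# matches. Interface names, subnet and sample hosts are assumptions.
import ipaddress
from typing import List


def wildcard_matches(addr: str, base: str, wildcard: str) -> bool:
    """Cisco ACL semantics: a 1 bit in the wildcard means 'don't care'.

    The address matches when every bit the wildcard marks as 'care' (0)
    is equal between addr and base.
    """
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def wildcard_for(network: str) -> str:
    """Wildcard mask for a prefix, e.g. 192.168.1.0/24 -> 0.0.0.255."""
    return str(ipaddress.IPv4Network(network).hostmask)


def build_pat_config(inside_if: str, outside_if: str, inside_network: str,
                     acl_number: int = 1) -> List[str]:
    """Return the IOS commands for steps 1 to 3, in order."""
    if inside_if == outside_if:
        raise ValueError("inside and outside must be different interfaces")
    net = ipaddress.IPv4Network(inside_network)   # raises if host bits are set
    return [
        f"interface {inside_if}",
        " ip nat inside",
        f"interface {outside_if}",
        " ip nat outside",
        # 'permit' here means 'translate', not 'allow'
        f"access-list {acl_number} permit {net.network_address} {net.hostmask}",
        f"ip nat inside source list {acl_number} interface {outside_if} overload",
    ]


def hosts_translated(hosts: List[str], acl_base: str, acl_wildcard: str) -> List[str]:
    """Which of the given inside hosts would the ACL hand to NAT?"""
    return [h for h in hosts if wildcard_matches(h, acl_base, acl_wildcard)]


if __name__ == "__main__":
    print("\n".join(build_pat_config("GigabitEthernet0/0", "GigabitEthernet0/1", "192.168.1.0/24")))
    lan = ["192.168.1.5", "192.168.1.250", "10.0.0.9"]
    print("correct wildcard:", hosts_translated(lan, "192.168.1.0", "0.0.0.255"))
    # Typo pitfall: 0.0.255.0 fixes the last octet at 0, so ordinary hosts get no translation.
    print("typo 0.0.255.0  :", hosts_translated(lan, "192.168.1.0", "0.0.255.0"))
```

The wildcard check is the part worth keeping around: with 0.0.255.0 instead of 0.0.0.255 the router accepts the ACL without complaint, the configuration looks right, and only the network address itself would ever be translated.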
Verifying and Troubleshooting NAT Operations
After configuration, you must verify that NAT is working correctly. The primary verification command is show ip nat translations. This displays the active translation table.
Router# show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
tcp 203.0.113.1:1024   192.168.1.5:1024   198.51.100.10:80   198.51.100.10:80
You can see PAT in action: inside local host 192.168.1.5 with source port 1024 is translated to the router's outside address (203.0.113.1) using the same port (1024), because that port was still free, to communicate with a web server at 198.51.100.10:80. Had another inside host already been using port 1024 on 203.0.113.1, this host would have received a different inside global port. The outside local and outside global columns are identical here because only inside addresses are being translated.
To see dynamic translations being created and destroyed in real time, use the debug ip nat command. It is a powerful troubleshooting tool but prints a line for every translated packet, so on a busy production router enable it only briefly and turn it off with undebug all. To clear the dynamic translation table and start fresh, use clear ip nat translation *; be aware that this tears down every active translated session, so users will see their connections reset.
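As an added example, not from the original page, the Python below parses the text of show ip nat translations into records and runs two checks a practitioner typically wants over a live table: that every inside global address is one you deliberately configured (a leftover pool or a stray static entry shows up immediately), and that no single inside host is holding an unreasonable number of dynamic entries, which is what port exhaustion or an internal host scanning the internet looks like in this table. The sample output, the expected public addresses and the per-host threshold are all constructed assumptions.

```python
# Added example (not from the original page): parse "show ip nat translations"
# output and run two sanity checks over it. The sample output, the expected
# public addresses and the thresholds are constructed assumptions.
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample: two normal web sessions, a DNS lookup, one entry using a
# public address nobody configured, one host with a burst of entries to many
# ports on the same target, and a static mapping (IOS shows '---' for it).
SAMPLE_SHOW_OUTPUT = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 203.0.113.1:1024   192.168.1.5:1024   198.51.100.10:80   198.51.100.10:80
tcp 203.0.113.1:1025   192.168.1.6:1024   198.51.100.10:80   198.51.100.10:80
udp 203.0.113.1:53001  192.168.1.7:53001  198.51.100.53:53   198.51.100.53:53
tcp 203.0.113.200:2000 192.168.1.8:2000   198.51.100.10:443  198.51.100.10:443
tcp 203.0.113.1:40001  192.168.1.99:40001 192.0.2.50:22      192.0.2.50:22
tcp 203.0.113.1:40002  192.168.1.99:40002 192.0.2.50:23      192.0.2.50:23
tcp 203.0.113.1:40003  192.168.1.99:40003 192.0.2.50:445     192.0.2.50:445
--- 203.0.113.10       192.168.1.10       ---                ---
"""


@dataclass
class Translation:
    proto: Optional[str]          # None for a static entry ('---' in the output)
    inside_global: str
    inside_local: str
    outside_local: Optional[str]
    outside_global: Optional[str]

    @property
    def is_static(self) -> bool:
        return self.proto is None


def _field(token: str) -> Optional[str]:
    return None if token == "---" else token


def parse_translations(text: str) -> List[Translation]:
    """Turn the five-column table into records; the header line is skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] == "Pro":
            continue
        rows.append(Translation(_field(parts[0]), parts[1], parts[2],
                                _field(parts[3]), _field(parts[4])))
    return rows


def ip_of(endpoint: str) -> str:
    """'203.0.113.1:1024' -> '203.0.113.1'; a bare address is returned as is."""
    return endpoint.split(":")[0]


def audit(rows: List[Translation], expected_inside_globals: Set[str],
          per_host_limit: int = 200) -> List[str]:
    findings = []
    # 1. Every inside global address should be one we deliberately configured.
    for r in rows:
        g = ip_of(r.inside_global)
        if g not in expected_inside_globals:
            findings.append(f"{r.inside_local} translated to unexpected inside global {g}")
    # 2. One host holding very many dynamic entries is exhausting ports or scanning.
    per_host = Counter(ip_of(r.inside_local) for r in rows if not r.is_static)
    for host, n in sorted(per_host.items()):
        if n > per_host_limit:
            findings.append(f"{host} holds {n} dynamic translations (limit {per_host_limit})")
    return findings


if __name__ == "__main__":
    rows = parse_translations(SAMPLE_SHOW_OUTPUT)
    print(f"{len(rows)} entries, {sum(r.is_static for r in rows)} static")
    # Low threshold only so the constructed sample trips it; use a realistic one in production.
    for finding in audit(rows, {"203.0.113.1", "203.0.113.10"}, per_host_limit=2):
        print("FINDING:", finding)
```

Feed it the saved output of the show command (or a script that collects it on a schedule) rather than the constructed sample, and tune per_host_limit to what your users actually generate; the point of the second check is the outlier, not the absolute number.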
Common Pitfalls and Troubleshooting Issues
Even with correct configuration, NAT can present challenges. Recognizing these common pitfalls is essential for both real-world operations and the CCNA exam.
- Misconfigured Inside/Outside Interfaces: This is the most fundamental error. If you accidentally label your LAN interface as outside and your WAN interface as inside, no translations will occur for outbound traffic. Always double-check your interface designations with show ip nat statistics.
- Overlapping IP Address Spaces: This occurs when the private IP network you use internally is also in use on the external network you're trying to reach. For example, if your company uses 10.1.1.0/24 internally and merges with another company that also uses 10.1.1.0/24, ordinary inside source translation is not enough, because a packet for a remote 10.1.1.x host looks to the router (and to your hosts) like a packet for the local subnet and never leaves. The fix is to translate both sides: the remote overlapping network is presented to your hosts under a unique, non-overlapping range using outside source translation (ip nat outside source), while your own addresses are translated with the usual inside source rule.
- Incorrect or Missing ACL: The ACL in your ip nat inside source command must correctly permit the subnet you intend to translate. A typo in the ACL or wildcard mask will result in hosts being unable to get a translation. Verify your ACL with show access-lists.
- Applications That Break with NAT: Some applications carry IP address or port information inside the packet payload, or protect the IP header in a way that translation breaks. Active-mode FTP is the classic case: the client announces its own private address and a port in the PORT command, which the server then cannot reach. IPsec is another: AH authenticates the IP header, so any address rewrite fails the integrity check, and ESP needs NAT-Traversal (UDP encapsulation) to survive PAT. Since NAT only modifies the packet header, embedded addresses are left pointing at private space. For protocols such as FTP the router's Application Layer Gateway (ALG) inspects and rewrites the payload; for others the protocol itself must accommodate NAT. Knowing which applications are affected is key to advanced troubleshooting.
Summary
- NAT conserves public IPv4 addresses by translating private, non-routable addresses into public addresses for internet communication.
- The three main types are Static NAT (fixed one-to-one mapping for servers), Dynamic NAT (one-to-one mapping from a pool), and PAT/NAT Overload (many-to-one mapping using port numbers, the most common type).
- Configuration on Cisco routers requires correctly designating inside and outside interfaces, creating an ACL to identify translatable traffic, and applying the NAT rule with the ip nat inside source command, using the overload keyword for PAT.
- Use show ip nat translations and debug ip nat to verify and troubleshoot active translations. Common issues stem from interface mislabeling, overlapping address spaces, and ACL errors.