4.1 NAT (Network Address Translation)

Key Takeaways

  • NAT translates private IP addresses to public IP addresses for internet access.
  • Static NAT maps one private IP to one public IP (1:1 mapping) — used for servers.
  • Dynamic NAT maps private IPs to a pool of public IPs on a first-come, first-served basis.
  • PAT (Port Address Translation) maps many private IPs to one public IP using port numbers — most common type.
  • Inside local/global and outside local/global are the four NAT address types.
Last updated: March 2026

NAT (Network Address Translation)

NAT translates IP addresses in packet headers as they pass through a router, typically to allow devices with private (RFC 1918) addresses to communicate on the public internet.

Why NAT Exists

IPv4 address space (4.3 billion addresses) was never enough for every device to have a public IP. NAT is the primary mechanism that has extended the life of IPv4 by allowing millions of private-addressed devices to share a small number of public addresses.

NAT Terminology

Term            Definition                                                                    Example
Inside local    Private IP of the internal host                                               192.168.1.10
Inside global   Public IP representing the internal host (after translation)                  203.0.113.5
Outside local   IP of the external host as seen from inside (usually same as outside global)  8.8.8.8
Outside global  Real public IP of the external host                                           8.8.8.8

Memory trick: "Inside" = your network. "Outside" = the internet. "Local" = the address as seen from inside. "Global" = the address as seen from outside.

Types of NAT

Static NAT (1:1 Mapping)

Maps one private IP to one public IP permanently. Used when an internal server needs to be reachable from the internet.

Router(config)# ip nat inside source static 192.168.1.10 203.0.113.5

Router(config)# interface GigabitEthernet0/0        ! Inside interface (LAN)
Router(config-if)# ip nat inside

Router(config)# interface GigabitEthernet0/1        ! Outside interface (WAN)
Router(config-if)# ip nat outside

Use cases: Web servers, mail servers, any device that needs a permanent public IP

Dynamic NAT (Many:Pool)

Maps private IPs to a pool of public IPs dynamically. IPs are assigned on a first-come, first-served basis and released when the session ends.

Router(config)# ip nat pool PUBLIC-POOL 203.0.113.1 203.0.113.10 netmask 255.255.255.0
Router(config)# access-list 1 permit 192.168.1.0 0.0.0.255
Router(config)# ip nat inside source list 1 pool PUBLIC-POOL

Limitation: If all public IPs in the pool are in use, new connections are denied.

PAT (Port Address Translation / NAT Overload)

Maps many private IPs to one public IP using unique port numbers to distinguish connections. PAT is by far the most common form of NAT.

Router(config)# access-list 1 permit 192.168.1.0 0.0.0.255
Router(config)# ip nat inside source list 1 interface GigabitEthernet0/1 overload

The overload keyword enables PAT. With PAT, one public IP can support thousands of simultaneous connections by using different source port numbers.

How PAT works:

  1. Host 192.168.1.10 sends a packet to 8.8.8.8 using source port 50000
  2. Router translates source IP to 203.0.113.1 and source port to 60001
  3. Host 192.168.1.11 sends a packet to 8.8.8.8 using source port 50000
  4. Router translates source IP to 203.0.113.1 and source port to 60002
  5. Both hosts share the same public IP but use different translated port numbers
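
The five steps above as a small Python model (an added example, not part of the original page and not Cisco's implementation). The PatRouter class, its sequential port allocator starting at 60001, and the peer check on return traffic are assumptions made for illustration; 198.51.100.7 is a constructed documentation-range address.

```python
from dataclasses import dataclass, field

@dataclass
class PatRouter:
    """Simplified PAT table: many inside local sockets share one inside global IP."""
    public_ip: str
    next_port: int = 60001  # assumption: sequential allocation, to match the walkthrough
    out: dict = field(default_factory=dict)   # flow key -> translated source port
    back: dict = field(default_factory=dict)  # (proto, translated port) -> flow key

    def translate_out(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Inside -> outside: rewrite the source to public_ip plus a unique port."""
        key = (proto, src_ip, src_port, dst_ip, dst_port)
        if key not in self.out:
            if self.next_port > 65535:
                raise RuntimeError("no free translated ports")
            self.out[key] = self.next_port
            self.back[(proto, self.next_port)] = key
            self.next_port += 1
        return self.public_ip, self.out[key]

    def translate_in(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Outside -> inside: only traffic matching an existing entry is translated."""
        key = self.back.get((proto, dst_port))
        if dst_ip != self.public_ip or key is None:
            return None  # no translation entry: the packet is not forwarded inside
        if (src_ip, src_port) != key[3:5]:
            return None  # model assumption: entry only matches the original peer
        return key[1], key[2]  # inside local address and port

    def table(self):
        """Rows in the column order of 'show ip nat translations'."""
        return [(p, f"{self.public_ip}:{g}", f"{ip}:{sp}", f"{d}:{dp}", f"{d}:{dp}")
                for (p, ip, sp, d, dp), g in self.out.items()]

def demo():
    """Replay the five-step walkthrough with the page's addresses."""
    r = PatRouter("203.0.113.1")
    first = r.translate_out("tcp", "192.168.1.10", 50000, "8.8.8.8", 443)
    second = r.translate_out("tcp", "192.168.1.11", 50000, "8.8.8.8", 443)
    reply = r.translate_in("tcp", "8.8.8.8", 443, "203.0.113.1", 60002)
    # Constructed unsolicited packet: no entry exists for port 60003.
    stray = r.translate_in("tcp", "198.51.100.7", 443, "203.0.113.1", 60003)
    return first, second, reply, stray, r.table()

if __name__ == "__main__":
    for row in demo()[4]:
        print("  ".join(row))
```

The reverse lookup is why the translation table matters when investigating traffic: an external log entry showing 203.0.113.1:60002 can only be tied back to 192.168.1.11 through the matching table entry, since both hosts present the same public IP.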

NAT Verification Commands

Router# show ip nat translations           ! View the NAT translation table
Router# show ip nat statistics              ! NAT hit counts and pool usage
Router# clear ip nat translation *          ! Clear all dynamic translations
Router# debug ip nat                        ! Real-time NAT activity (use carefully)

Sample "show ip nat translations" Output

Pro  Inside global      Inside local       Outside local      Outside global
tcp  203.0.113.1:60001  192.168.1.10:50000 8.8.8.8:443        8.8.8.8:443
tcp  203.0.113.1:60002  192.168.1.11:50000 8.8.8.8:443        8.8.8.8:443
---  203.0.113.5        192.168.1.100      ---                ---

NAT Comparison

Type            Mapping               Public IPs Needed    Use Case
Static NAT      1 private : 1 public  1 per internal host  Servers accessible from internet
Dynamic NAT     Many : Pool           Pool of public IPs   Medium-sized businesses
PAT (Overload)  Many : 1 public       1 (or a few)         Most common — home and enterprise

On the Exam: PAT is the most commonly tested NAT type. Know the "overload" keyword, understand how port numbers differentiate connections, and be able to identify inside local, inside global, outside local, and outside global addresses.

Test Your Knowledge

Which NAT type allows many internal hosts to share a single public IP address using port numbers?


In NAT terminology, what is the "inside global" address?


Which keyword in the NAT configuration enables PAT (Port Address Translation)?
