4.1 NAT (Network Address Translation)
Key Takeaways
- NAT rewrites IP addresses in packet headers so private RFC 1918 hosts can reach the public internet.
- Static NAT is a permanent 1:1 mapping used for internet-facing servers; dynamic NAT draws from a pool first-come first-served.
- PAT (NAT overload) maps many inside hosts to one public IP using unique source ports — the form CCNA tests most.
- The four NAT address types are inside local, inside global, outside local, and outside global.
- ip nat inside/outside must be set on the correct interfaces or translation silently fails.
What NAT Does
Network Address Translation (NAT) rewrites the source and/or destination IP address (and, for PAT, the port) in a packet header as it crosses a router. Its primary job on CCNA is to let hosts using private RFC 1918 address space — 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 — communicate across the public internet, which routes only globally unique addresses. NAT has extended the life of the roughly 4.3 billion IPv4 addresses by letting many private hosts share a handful of public ones.
The Four Address Types (Memorize These)
CCNA loves to give you a topology and ask you to label an address. Split each term into two halves: inside/outside = whose host it is, local/global = where you are standing when you look at the address.
| Term | Whose host | Viewed from | Typical value |
|---|---|---|---|
| Inside local | Your internal host | Inside the LAN | 192.168.1.10 (private) |
| Inside global | Your internal host | The internet | 203.0.113.5 (public, post-translation) |
| Outside local | The remote host | Inside the LAN | 8.8.8.8 |
| Outside global | The remote host | The internet | 8.8.8.8 |
For basic NAT the outside local and outside global are usually identical, so the exam-distinguishing pair is inside local vs inside global — private before translation, public after.
The Three NAT Types
Static NAT (1:1, permanent)
Maps one inside local to one inside global forever. Use it for a web or mail server that must always be reachable at the same public IP.
R1(config)# ip nat inside source static 192.168.1.100 203.0.113.5
R1(config)# interface g0/0
R1(config-if)# ip nat inside ! LAN-facing
R1(config)# interface g0/1
R1(config-if)# ip nat outside ! WAN-facing
Dynamic NAT (many : pool)
Inside hosts borrow a public address from a pool on a first-come, first-served basis and release it when the session ends. If the pool empties, new sessions are dropped — there is no port sharing.
R1(config)# ip nat pool POOL1 203.0.113.1 203.0.113.10 netmask 255.255.255.0
R1(config)# access-list 1 permit 192.168.1.0 0.0.0.255
R1(config)# ip nat inside source list 1 pool POOL1
PAT / NAT Overload (many : one)
The single most tested type. Many inside hosts share one public IP; the router tells sessions apart by assigning each a unique source port. The magic word is overload.
R1(config)# access-list 1 permit 192.168.1.0 0.0.0.255
R1(config)# ip nat inside source list 1 interface g0/1 overload
Here is how it tells apart two hosts that both used source port 50000 to reach 8.8.8.8:443: the router rewrites them to 203.0.113.1:60001 and 203.0.113.1:60002, and the translated port is what maps each reply back to the right inside host. One public IP can carry tens of thousands of concurrent sessions this way.
Verifying and Troubleshooting
R1# show ip nat translations ! the translation table
R1# show ip nat statistics ! hit counts, pool usage, which ACL/interfaces
R1# clear ip nat translation * ! wipe dynamic entries
R1# debug ip nat ! per-packet, use sparingly
A show ip nat translations line looks like:
Pro Inside global Inside local Outside local Outside global
tcp 203.0.113.1:60001 192.168.1.10:50000 8.8.8.8:443 8.8.8.8:443
--- 203.0.113.5 192.168.1.100 --- ---
The dashed --- protocol line is a static mapping (no Layer 4 port); the tcp lines are PAT entries.
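As an added example (not IOS code and not part of the original guide), a small parser for the show ip nat translations format above, with two checks you would run while troubleshooting: whether an expected static entry is present and how many PAT sessions each inside host holds. The sample output is constructed to mirror the lines shown, plus one UDP entry.

```python
# Parser for 'show ip nat translations' output, written for this page (not IOS code).
# SAMPLE is a constructed capture mirroring the lines above, plus one UDP entry.
SAMPLE = """\
Pro Inside global      Inside local        Outside local   Outside global
tcp 203.0.113.1:60001  192.168.1.10:50000  8.8.8.8:443     8.8.8.8:443
udp 203.0.113.1:60002  192.168.1.11:5353   8.8.8.8:53      8.8.8.8:53
--- 203.0.113.5        192.168.1.100       ---             ---
"""

def parse_translations(text):
    """Return one dict per translation line; '---' fields become None."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] == "Pro":
            continue                                  # skip header and blank lines
        pro, ig, il, ol, og = [None if f == "---" else f for f in fields]
        entries.append({
            "proto": pro, "inside_global": ig, "inside_local": il,
            "outside_local": ol, "outside_global": og,
            # no protocol/port = address-only mapping (static, or plain dynamic NAT);
            # tcp/udp entries carrying ports are PAT sessions
            "kind": "pat" if pro else "address-only",
        })
    return entries

def static_mapping_present(entries, inside_local, inside_global):
    """Check that the expected 1:1 static entry exists (a first troubleshooting step)."""
    return any(e["kind"] == "address-only" and e["inside_local"] == inside_local
               and e["inside_global"] == inside_global for e in entries)

def pat_sessions_by_host(entries):
    """Count PAT sessions per inside-local host, ports stripped."""
    counts = {}
    for e in entries:
        if e["kind"] == "pat":
            host = e["inside_local"].rsplit(":", 1)[0]
            counts[host] = counts.get(host, 0) + 1
    return counts
```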
NAT Comparison and Exam Traps
| Type | Mapping | Public IPs | Survives pool exhaustion? |
|---|---|---|---|
| Static | 1:1 | 1 per host | n/a |
| Dynamic | many:pool | a pool | No — drops new sessions |
| PAT (overload) | many:1 | 1 | Yes — port multiplexing |
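As an added example (not IOS code and not part of the original guide), a toy model of the translation table behind the dynamic NAT and PAT rows above: the dynamic pool refuses the host that arrives after the pool is empty, while the overloaded address keeps handing out ports (60001, 60002, ... as in the PAT section) and maps return traffic back by port. The starting port and the lookup keys are assumptions of this model.

```python
# Toy model of the translation table behind dynamic NAT and PAT, written for this
# page (not IOS code). It shows why a pool runs dry but one overloaded address does not.

class DynamicNat:
    """Dynamic NAT: each active inside host borrows one pool address; no port sharing."""
    def __init__(self, pool):
        self.free = list(pool)          # addresses not yet lent out
        self.table = {}                 # inside_local -> inside_global

    def translate(self, inside_local):
        if inside_local in self.table:  # host already holds an address
            return self.table[inside_local]
        if not self.free:               # pool exhausted: the new session is dropped
            return None
        self.table[inside_local] = self.free.pop(0)
        return self.table[inside_local]

    def release(self, inside_local):
        """Session ended or timed out: the address goes back into the pool."""
        self.free.append(self.table.pop(inside_local))


class Pat:
    """PAT / overload: all sessions share one address and are told apart by port."""
    def __init__(self, inside_global, first_port=60001):
        self.inside_global = inside_global
        self.next_port = first_port     # constructed start; IOS keeps the original port when free
        self.table = {}                 # (inside_local, src_port, dst) -> translated port

    def translate(self, inside_local, src_port, dst):
        key = (inside_local, src_port, dst)
        if key not in self.table:       # new session: hand out the next unused port
            self.table[key] = self.next_port
            self.next_port += 1
        return (self.inside_global, self.table[key])

    def untranslate(self, global_port):
        """Return traffic: the translated port alone identifies the inside host."""
        for (inside_local, src_port, _dst), port in self.table.items():
            if port == global_port:
                return (inside_local, src_port)
        return None                     # no entry: packet is dropped at the outside interface
```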
Trap 1 — reversed interfaces. The most common reason NAT "doesn't work" in a lab: ip nat inside and ip nat outside are on the wrong interfaces, or one is missing. NAT only builds translations for traffic that enters an inside interface and leaves through an outside interface.
Trap 2 — forgetting overload. Without it, ip nat inside source list 1 interface g0/1 is dynamic NAT bound to a single address, so only one inside host can be active at a time.
Trap 3 — ACL too narrow or denying. The ACL referenced by inside source list selects which hosts get translated; if a host's subnet is not permitted, its traffic leaves untranslated and is dropped upstream.
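As an added example (not IOS code and not part of the original guide), a "will this packet be translated?" check that encodes Trap 1 and Trap 3: the interface roles must be inside-in and outside-out, and the source must be permitted by the NAT ACL, evaluated with Cisco wildcard masks and the implicit deny at the end. The role names and the reason strings are assumptions of this model.

```python
import ipaddress

# Toy 'will this packet be translated?' check written for this page (not IOS logic).
# It models Trap 1 (interface roles) and Trap 3 (the ACL that selects inside sources).

def wildcard_match(ip, network, wildcard):
    """Cisco wildcard-mask test: a 1 bit in the wildcard means 'don't care'."""
    ip_i = int(ipaddress.IPv4Address(ip))
    net_i = int(ipaddress.IPv4Address(network))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))   # bits that must match
    return (ip_i ^ net_i) & care == 0

def acl_permits(acl, src_ip):
    """acl: list of (action, network, wildcard); first match wins, implicit deny at the end."""
    for action, network, wildcard in acl:
        if wildcard_match(src_ip, network, wildcard):
            return action == "permit"
    return False

def will_translate(ingress_role, egress_role, src_ip, acl):
    """Return 'translated' or a reason string naming the trap that was hit."""
    if ingress_role != "inside" or egress_role != "outside":
        return "not translated: packet must enter an 'ip nat inside' interface and exit an 'ip nat outside' one"
    if not acl_permits(acl, src_ip):
        return "not translated: source not permitted by the NAT ACL"
    return "translated"

# Constructed ACL equivalent to: access-list 1 permit 192.168.1.0 0.0.0.255
ACL_1 = [("permit", "192.168.1.0", "0.0.0.255")]
```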
Static vs Dynamic vs PAT in Practice
Think about when each type is the right answer, because the exam phrases NAT questions around a business need rather than syntax. Static NAT is correct whenever an inside device must be reachable from the internet at a predictable address — a public web server, a VPN concentrator, or a mail gateway whose MX record points at a fixed public IP. Because the mapping is permanent and bidirectional, outside hosts can initiate connections inward, which dynamic NAT and PAT do not allow on their own.
Dynamic NAT fits an organization that owns a block of public addresses and wants outbound sessions to use real, one-per-host translations without permanently dedicating an address to each device. Its weakness is hard capacity: ten pool addresses serve at most ten simultaneous inside hosts, and the eleventh is refused until one frees up. That makes pure dynamic NAT rare today.
PAT dominates real networks precisely because it removes that ceiling. A home router with a single ISP-assigned public address runs PAT so that phones, laptops, and smart devices all browse at once. Each TCP or UDP session is tracked by the tuple of inside address, inside port, translated address, translated port, and destination — the router keeps this in the translation table and ages entries out after an idle timeout (roughly 24 hours for established TCP, much shorter for UDP and half-open sessions).
Order of Operations Detail
A subtle but testable point: a router applies NAT at a specific moment relative to routing. For traffic moving inside to outside, the router routes the packet first, then translates the source. For traffic moving outside to inside, it translates the destination first, then routes. This is why your NAT ACL describes the original inside-local source addresses, not the post-translation ones. It is also why a routing problem and a NAT problem can look identical from the client: both leave the host unable to reach the internet, so confirm that show ip nat translations is populating before blaming NAT.
On the exam: PAT/overload, the four address types, and the ip nat inside/outside interface placement are the highest-yield NAT facts. Expect at least one drag-and-drop labeling the four address types, and a scenario that asks which NAT type suits an internet-facing server (static).
Which NAT type allows many internal hosts to share a single public IP address by assigning each session a unique source port?
In NAT terminology, what is the 'inside global' address?
A lab router is configured for NAT but no inside hosts can reach the internet, and 'show ip nat translations' is empty. What should you check first?