NAT
Network Address Translation
Fundamental concepts to configuration — what you need to know about NAT.
🌐 What is Network Address Translation?
Network Address Translation (NAT) is a networking technique that modifies IP address information in packet headers as traffic passes through a routing device, typically a border router or firewall. Described in RFC 3022 (which obsoleted the original RFC 1631), NAT was conceived as a practical stopgap to the exhaustion of IPv4 address space, but it has since become a foundational component of virtually every enterprise, campus, and home network deployed worldwide.
At its core, Network Address Translation allows an organisation to use a single registered public IP address (or a small pool of them) to represent an entire private address space on the internet. Internal hosts are assigned private IP addresses — ranges such as 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16 — which are not globally routable. When those hosts need to communicate across the internet, NAT translates their private source addresses into one or more public addresses before the packets leave the local network.
The NAT device maintains a translation table, mapping internal address-and-port pairs to external address-and-port pairs. This stateful record allows the router to correctly reverse-translate inbound replies and deliver them to the appropriate internal host, even though the internet-side destination of those replies is the router’s own public IP address.
Beyond address conservation, NAT provides a natural boundary between the internal and external network. Because internal hosts are not directly reachable by external parties (unless explicit inbound mappings are configured), NAT creates an implicit layer of obscurity. This is frequently — and somewhat inaccurately — characterised as a security feature; the reality is more nuanced, as discussed in the Pros and Cons section below.
Network Address Translation is implemented at Layer 3 of the OSI model (the Network layer), but in its most common form — Port Address Translation (PAT) — it also modifies Layer 4 (Transport layer) TCP/UDP port numbers. This multi-layer manipulation allows a single public IP address to service thousands of simultaneous internal connections, making PAT the technology behind virtually every broadband router in use today.
Understanding NAT thoroughly is essential for any networking professional. It is integral to troubleshooting connectivity issues in virtually any environment, and it intersects with a wide range of related technologies including ACLs, route maps, VPNs, and IPv6 transition mechanisms.
🧩 Key Components
To configure and troubleshoot Network Address Translation effectively, engineers must have a precise understanding of the four address designations that Cisco uses to describe NAT topology, as well as the fundamental table structures and interface roles that underpin NAT operation. These terms have exact, specific meanings that differ from casual usage.
Inside Local Address
The IP address assigned to a host on the inside (private) network. This is the address as seen from within the internal network — typically a private address (e.g., 192.168.1.10). It is the source address in outbound packets before NAT translation occurs.
Inside Global Address
The public, routable IP address that represents an inside host on the outside (internet-facing) network. This is the translated source address that appears in outbound packets after NAT has been applied — the address the internet “sees” as the source.
Outside Global Address
The publicly routable IP address assigned to an external host, as known by the outside world. This is the destination address that internal hosts use to reach external servers — for example, a web server’s public IP address on the internet.
Outside Local Address
The IP address of an external host as it appears to the inside network. In most common NAT deployments the outside local and outside global addresses are identical; they differ only when the outside address is itself translated (ip nat outside source), as in Twice NAT, where both the source and the destination address of a packet are rewritten. Cisco's Twice NAT is not the same thing as what home users call "double NAT", which means two NAT devices in series.
NAT Translation Table
A stateful database maintained by the NAT device that maps inside local address-port pairs to inside global address-port pairs. Each entry has a configurable timeout value. The router uses this table to correctly forward both outbound and inbound traffic to the right endpoints.
Inside & Outside Interfaces
NAT is directional. An interface designated ip nat inside connects to the private network; one designated ip nat outside connects to the public network. Correct interface assignment is a prerequisite for NAT to function — packets traversing from inside to outside trigger the translation process.
Access Control Lists (ACLs)
Standard or extended ACLs are used in dynamic and PAT NAT configurations to define which inside local addresses are eligible for translation. Only traffic matching the permit statements in the referenced ACL will be subject to NAT processing by the router.
NAT Pool
A named, administrator-defined range of public IP addresses that the router draws from when performing dynamic NAT. Each inside host that initiates a connection is assigned an address from this pool for the duration of that session, up to the pool’s capacity.
show ip nat translations output will be incorrect.
⚙️ How It Works
Network Address Translation operates by intercepting IP packets as they pass through the NAT-enabled router and modifying specific header fields before forwarding the packet onward. The precise fields that are modified — and the logic used to determine the substituted values — depend on the NAT type in use. The following walkthrough covers the most common scenario: a PAT (NAT overload) translation of an outbound TCP connection.
Step-by-Step PAT Translation Process
An internal host (e.g., 192.168.1.10) initiates a TCP connection to an external server (e.g., 8.8.8.8:443). The IP packet leaves the host with Source IP = 192.168.1.10, Source Port = 54321 (ephemeral), Destination IP = 8.8.8.8, Destination Port = 443. This is the Inside Local address pair.
The packet arrives at the router’s ip nat inside interface (e.g., GigabitEthernet0/0). The router’s NAT process intercepts the packet and checks it against the configured NAT ACL or static mapping. Because the source address 192.168.1.10 matches the permitted range, the NAT process is triggered.
The NAT engine checks its translation table for an existing entry matching the Inside Local pair (192.168.1.10:54321, TCP). If none exists (new connection), the router creates one, assigning the outside interface's public IP (203.0.113.1) as the Inside Global address and selecting a source port. Cisco IOS preserves the host's original source port when no other translation is already using it; otherwise it picks another free port, 1024 in this example.
The router rewrites the packet's IP header: the Source IP changes from 192.168.1.10 to 203.0.113.1 and the Source Port from 54321 to 1024. The IP header checksum and the TCP checksum (whose pseudo-header includes the IP addresses) are recalculated for the modified values. The Destination IP and Port remain unchanged.
The modified packet exits the router’s ip nat outside interface (e.g., GigabitEthernet0/1) and is forwarded toward the internet. From the external server’s perspective, the connection originates from 203.0.113.1:1024 — it has no visibility into the internal 192.168.1.10 address.
The server sends its reply to 203.0.113.1:1024. When this packet arrives on the router’s outside interface, the NAT engine performs a reverse lookup in the translation table, finds the matching entry (203.0.113.1:1024 ↔ 192.168.1.10:54321), and rewrites the Destination IP and Port back to the original inside values. The packet is then forwarded to the internal host.
Each translation table entry has an associated idle timer. For TCP, Cisco IOS removes the entry 60 seconds after it sees the session torn down (FIN/RST) or, for a session that simply goes quiet, after the TCP idle timeout (86,400 seconds by default). For UDP the default is 300 seconds. Expired entries free the PAT port for re-use.
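The walkthrough above, as an added Python model of the PAT engine (this is illustrative code written for this page, not Cisco IOS code). It implements the pieces the steps describe: a first-match NAT ACL whose leading deny entry exempts VPN-bound traffic from translation, port preservation with fallback on collision, a reverse lookup keyed on the full outside endpoint so that a packet from a different external host to the same mapped port is dropped, and expiry after the default idle timeout. The addresses are the illustrative ones from the text; the 10.20.0.0/16 remote VPN site, the second inside host 192.168.1.11, and the injected clock are assumptions made for the demo.

```python
import ipaddress
from dataclasses import dataclass, replace

TCP_TIMEOUT = 86_400  # Cisco IOS default idle timeout for TCP translations (seconds)
UDP_TIMEOUT = 300     # Cisco IOS default for UDP translations (seconds)


@dataclass(frozen=True)
class Packet:
    proto: str  # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


class NatAcl:
    """First-match deny/permit list with an implicit deny at the end, like a Cisco
    extended ACL. A deny entry listed first exempts VPN-bound traffic from NAT."""

    def __init__(self, entries):
        self.entries = [(action, ipaddress.ip_network(src), ipaddress.ip_network(dst))
                        for action, src, dst in entries]

    def permits(self, pkt):
        src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        for action, src_net, dst_net in self.entries:
            if src in src_net and dst in dst_net:
                return action == "permit"
        return False  # implicit deny: the packet is routed without translation


class PatEngine:
    """Stateful translation table for PAT: many inside hosts behind one public IP."""

    def __init__(self, inside_global, acl, clock):
        self.inside_global = inside_global
        self.acl = acl
        self.clock = clock       # returns seconds; injected so the demo can advance time
        self.outbound_key = {}   # (proto, inside ip, inside port, outside ip, outside port) -> global port
        self.inbound_key = {}    # (proto, global port, outside ip, outside port) -> (inside ip, inside port)
        self.last_seen = {}      # inbound key -> time of last packet in either direction

    def _expire(self):
        now = self.clock()
        for key in list(self.last_seen):
            limit = TCP_TIMEOUT if key[0] == "tcp" else UDP_TIMEOUT
            if now - self.last_seen[key] > limit:
                inside_ip, inside_port = self.inbound_key.pop(key)
                del self.last_seen[key]
                self.outbound_key.pop((key[0], inside_ip, inside_port, key[2], key[3]), None)

    def _allocate_port(self, proto, wanted):
        # IOS keeps the host's own source port when it is free and picks another on
        # collision. Simplification: real IOS stays within fixed port ranges.
        in_use = {key[1] for key in self.inbound_key if key[0] == proto}
        if wanted not in in_use:
            return wanted
        return next((p for p in range(1024, 65536) if p not in in_use), None)

    def outbound(self, pkt):
        """Inside -> outside. Returns the packet as it leaves the outside interface,
        or None if the port space is exhausted and the new connection is dropped."""
        self._expire()
        if not self.acl.permits(pkt):
            return pkt  # exempt traffic (e.g. VPN-bound) is forwarded unchanged
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        gport = self.outbound_key.get(key)
        if gport is None:
            gport = self._allocate_port(pkt.proto, pkt.sport)
            if gport is None:
                return None
            self.outbound_key[key] = gport
            self.inbound_key[(pkt.proto, gport, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        self.last_seen[(pkt.proto, gport, pkt.dst, pkt.dport)] = self.clock()
        return replace(pkt, src=self.inside_global, sport=gport)

    def inbound(self, pkt):
        """Outside -> inside. Returns the packet delivered to the inside host, or None
        when no entry matches: unsolicited packets never reach the private network."""
        self._expire()
        key = (pkt.proto, pkt.dport, pkt.src, pkt.sport)  # reply's source is the outside endpoint
        inside = self.inbound_key.get(key)
        if inside is None:
            return None
        self.last_seen[key] = self.clock()
        return replace(pkt, dst=inside[0], dport=inside[1])


def demo():
    """Walk the scenario from the text; returns the packet seen at each step."""
    now = [0.0]
    acl = NatAcl([
        ("deny", "192.168.1.0/24", "10.20.0.0/16"),  # constructed: remote VPN site, never translated
        ("permit", "192.168.1.0/24", "0.0.0.0/0"),
    ])
    nat = PatEngine("203.0.113.1", acl, clock=lambda: now[0])
    out = nat.outbound(Packet("tcp", "192.168.1.10", 54321, "8.8.8.8", 443))
    out2 = nat.outbound(Packet("tcp", "192.168.1.11", 54321, "8.8.8.8", 443))  # source port collision
    reply = nat.inbound(Packet("tcp", "8.8.8.8", 443, "203.0.113.1", out.sport))
    stray = nat.inbound(Packet("tcp", "198.51.100.7", 443, "203.0.113.1", out.sport))  # other host
    vpn = nat.outbound(Packet("tcp", "192.168.1.10", 40000, "10.20.5.5", 22))
    now[0] += TCP_TIMEOUT + 1  # idle timeout elapses
    late = nat.inbound(Packet("tcp", "8.8.8.8", 443, "203.0.113.1", out.sport))
    return out, out2, reply, stray, vpn, late
```

Running demo() shows the first connection keeping port 54321, the second host colliding on 54321 and being moved to 1024, the genuine reply being reverse-translated, the stray packet from 198.51.100.7 to the same public port being dropped, the VPN-bound packet leaving untranslated, and the reply arriving after the idle timeout being dropped because its entry has expired.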
Types of NAT
Static NAT creates a fixed, one-to-one mapping between a specific inside local address and a specific inside global address. This mapping persists indefinitely and is entered manually by the administrator. Static NAT is used when an internal server (e.g., a web or mail server) must be consistently reachable from the internet at a known public address.
Dynamic NAT maps inside local addresses to inside global addresses drawn from a pre-defined pool. Each mapping is created on demand and expires after a configurable idle period. Dynamic NAT is a true one-to-one mapping at any given instant — each inside host that is actively translated consumes one address from the pool. If the pool is exhausted, new connections are dropped.
PAT (Port Address Translation), also called NAT Overload, is by far the most widely deployed variant. PAT maps multiple inside local addresses to a single inside global address by differentiating sessions using unique source port numbers. A single public IP can theoretically support over 65,000 simultaneous translated connections, making PAT the mechanism that enables virtually all residential and small-business internet access.
The overload keyword at the end of an ip nat inside source command is what enables PAT. Without it, the command configures dynamic NAT (one-to-one from a pool). The presence or absence of this single keyword has a profound impact on scalability and behaviour.
Cisco IOS Configuration — PAT (NAT Overload)
! Step 1: Define which inside addresses should be translated
ip access-list standard NAT_INSIDE_HOSTS
permit 192.168.1.0 0.0.0.255
permit 192.168.2.0 0.0.0.255
! Step 2: Configure PAT using the outside interface IP
ip nat inside source list NAT_INSIDE_HOSTS interface GigabitEthernet0/1 overload
! Step 3: Mark interfaces as inside or outside
interface GigabitEthernet0/0
description LAN - Inside Network
ip address 192.168.1.1 255.255.255.0
ip nat inside
interface GigabitEthernet0/1
description WAN - Outside / Internet
ip address dhcp
ip nat outside
! Step 4: Verify translations
show ip nat translations
show ip nat statistics
Cisco IOS Configuration — Static NAT (Internal Server)
! Map inside local 192.168.1.100 to inside global 203.0.113.10 (one-to-one)
ip nat inside source static 192.168.1.100 203.0.113.10
! For port forwarding (Static PAT) — expose only TCP 443
ip nat inside source static tcp 192.168.1.100 443 203.0.113.10 443
! Interface assignments
interface GigabitEthernet0/0
ip nat inside
interface GigabitEthernet0/1
ip nat outside
! Verify the static entry is present
show ip nat translations verbose
! Clear dynamic entries only (static entries are preserved)
clear ip nat translation *
📊 Usage and Functions
Network Address Translation serves a diverse range of use cases across enterprise, service provider, and residential environments. The table below summarises the most common deployment scenarios, the specific function NAT performs in each context, and the corresponding Cisco IOS implementation approach.
| Use Case | Function | Cisco IOS |
|---|---|---|
| Internet Access for LAN Hosts | Translates multiple private inside addresses to a single public IP, enabling outbound internet connectivity without requiring public addresses per host. | ip nat inside source list <ACL> interface <IF> overload — PAT using outside interface IP |
| Hosting Internal Servers | Provides a consistent public-facing IP address for an internal server (web, mail, DNS) so it remains reachable from the internet regardless of internal addressing changes. | ip nat inside source static <local> <global> — one-to-one static mapping |
| Port Forwarding / Static PAT | Publishes a specific TCP or UDP port on a public IP to an internal service on a different address or port, allowing granular, service-level access from external clients. | ip nat inside source static tcp <local> <port> <global> <port> |
| Network Mergers / Overlapping Addresses | Resolves addressing conflicts when two networks that both use overlapping ranges must communicate, typically via Twice NAT, where both the source and the destination address are translated. | Static NAT on both sides, or ip nat outside source for outside-to-inside translation |
| IPv4 Address Conservation | Reduces the number of public IPv4 addresses an organisation must lease from its ISP. A single registered address block can represent hundreds or thousands of internal hosts via PAT. | PAT overload with ISP-assigned IP pool or single DHCP-assigned outside interface address |
| ISP Migration / Renumbering | When changing ISPs, NAT allows the internal addressing scheme to remain unchanged. Only the inside global address pool (mapped to the new ISP’s block) needs updating, avoiding a full internal renumber. | Update NAT pool or change interface reference in ip nat inside source command |
| Load Balancing (Destination NAT) | Distributes inbound connections across multiple internal servers by translating the destination address of incoming packets to different inside hosts in round-robin fashion. | Cisco IOS rotary NAT: ip nat pool <POOL> <start> <end> prefix-length <n> type rotary, then ip nat inside destination list <ACL> pool <POOL> |
| NAT Exemption for VPN Traffic | Traffic destined for VPN-connected remote networks must be excluded from translation. On Cisco IOS the inside-to-outside NAT step runs before the crypto map is evaluated, so translated packets no longer match the tunnel's crypto ACL and the tunnel either never forms or carries the wrong source addresses. | deny statements for the remote VPN subnets placed before the permit in an extended NAT ACL, or a route-map with match ip address referencing an ACL that excludes tunnel traffic |
✅ Best Practices
Deploying Network Address Translation correctly requires more than simply issuing the minimum commands to achieve connectivity. The following best practices reflect patterns observed in production network environments and are aligned with Cisco design guidance for reliable, maintainable NAT deployments.
- Define NAT ACLs as named ACLs. Use descriptive named ACLs (e.g., NAT_INSIDE_HOSTS) rather than numbered ACLs: they are easier to identify in the running configuration and can be edited in place without being deleted and recreated. A standard ACL is sufficient when eligibility depends only on the source range; use an extended ACL when traffic must also be excluded by destination, as with VPN exemption. Ensure the ACL matches only the address ranges that should be translated, since an overly broad permit can inadvertently NAT traffic that should be excluded.
- Exclude VPN-bound and routing-peer traffic from NAT with deny statements. If the router also terminates site-to-site VPN tunnels or peers with routers across the NAT boundary, explicitly deny traffic to those destinations in the (extended) NAT ACL. Otherwise NAT rewrites the source addresses before the crypto map is evaluated, the packets no longer match the tunnel's crypto ACL, and tunnels or adjacencies break. ACLs are evaluated first-match, so place the deny entries above the broader permit statements.
- Use an interface reference for PAT when the outside IP is DHCP-assigned. If the outside interface receives its address from the ISP via DHCP, configure PAT with interface <outside-if> rather than a static pool. Cisco IOS then uses the interface's current address as the Inside Global address, so a lease renewal that assigns a different public IP does not break translation.
- Size NAT pools correctly for dynamic NAT deployments. When using dynamic NAT (not PAT), the pool must contain at least as many addresses as the maximum number of simultaneously active hosts; connections from hosts beyond the pool capacity are silently dropped. Monitor utilisation with show ip nat statistics, whose pool line reports total addresses, allocated addresses and misses (allocation failures).
- Tune translation timeouts to application behaviour. The defaults, 86,400 seconds for TCP and 300 seconds for UDP, are long and let stale entries accumulate on busy devices. Adjust them with ip nat translation tcp-timeout <seconds> and ip nat translation udp-timeout <seconds> to reflect real session durations and keep the table small.
- Verify interface direction assignments before testing. One of the most common NAT misconfigurations is applying ip nat inside and ip nat outside to the wrong interfaces, or omitting them altogether. Confirm the assignments with show ip nat statistics, which lists the inside and outside interfaces, or with show ip interface <if>, which reports whether NAT is enabled on the interface and in which domain.
- Use debug ip nat sparingly on production devices. debug ip nat shows translation events in real time and is invaluable for troubleshooting, but on a high-volume router it can generate output fast enough to saturate the CPU and impact forwarding. Always scope it with an ACL that matches only the source under investigation: debug ip nat <access-list>.
- Document and audit all static NAT entries. Static mappings never expire and can persist for years after the server they publish is decommissioned; each one is a standing inbound path into the network. Maintain an inventory of static entries, annotate their purpose and owner with remark statements in the associated ACLs, and audit regularly to confirm that every entry still corresponds to an active, intended service.
- Plan for protocols that embed IP addresses in the payload. FTP (active mode), SIP, H.323 and PPTP carry addresses or session identifiers inside the application payload, which standard NAT does not translate. Cisco IOS Application Layer Gateways (ALGs) handle many of these protocols, but verify ALG support for your specific application before deployment.
- Design NAT exemption (NAT bypass) in from the outset. Wherever NAT coexists with VPNs, multicast or inter-site routing over leased lines, explicitly design the NAT policy to exclude the appropriate traffic. Bolting exemptions on afterwards frequently produces hard-to-troubleshoot behaviour. Use route-maps or carefully ordered ACLs to cleanly separate translated and untranslated flows.
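An added Python check for the verification step in the static NAT configuration and for the audit point above (illustrative code written for this page, not Cisco code): it parses the table printed by show ip nat translations, lists what the static entries publish to the internet, and flags any static mapping that is absent from an approved inventory. The sample output and the inventory are constructed; the 203.0.113.11:3389 row stands in for a forgotten RDP exposure. The static/dynamic distinction relies on the absence of an outside endpoint, which is sound for the PAT-plus-static configurations on this page; pool-based dynamic NAT also prints address-only rows, so there the static flag in show ip nat translations verbose is the authority.

```python
from dataclasses import dataclass

PROTOS = {"tcp", "udp", "icmp", "---"}  # first column of a translation row

# Constructed sample in the column layout IOS prints, matching the configs on this page.
SAMPLE_OUTPUT = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 203.0.113.1:54321  192.168.1.10:54321 8.8.8.8:443        8.8.8.8:443
udp 203.0.113.1:5353   192.168.1.22:5353  198.51.100.53:53   198.51.100.53:53
--- 203.0.113.10       192.168.1.100      ---                ---
tcp 203.0.113.10:443   192.168.1.100:443  ---                ---
tcp 203.0.113.11:3389  192.168.1.250:3389 ---                ---
Total number of translations: 5
"""

# Constructed inventory of approved (proto, inside global, inside local) mappings:
# what the running configuration is supposed to contain.
APPROVED_STATIC = {
    ("---", "203.0.113.10", "192.168.1.100"),
    ("tcp", "203.0.113.10:443", "192.168.1.100:443"),
}


@dataclass(frozen=True)
class Translation:
    proto: str           # "tcp", "udp", "icmp", or "---" for an address-only entry
    inside_global: str
    inside_local: str
    outside_local: str
    outside_global: str

    @property
    def is_static(self):
        # No outside endpoint: the entry was configured, not created by a flow.
        # Caveat: pool-based dynamic NAT also prints address-only rows; there,
        # rely on the "static" flag in 'show ip nat translations verbose'.
        return self.outside_local == "---" and self.outside_global == "---"


def parse_translations(text):
    """Return one Translation per table row, skipping the header and summary lines."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 5 and fields[0] in PROTOS:
            rows.append(Translation(*fields))
    return rows


def split_endpoint(endpoint):
    """'203.0.113.10:443' -> ('203.0.113.10', 443); '203.0.113.10' -> ('203.0.113.10', None)."""
    host, sep, port = endpoint.rpartition(":")
    return (host, int(port)) if sep else (endpoint, None)


def exposed_services(entries):
    """What the static entries publish: (proto, public ip, port or 'ALL', inside host).
    An address-only static entry forwards every port to the inside host."""
    exposed = []
    for t in entries:
        if t.is_static:
            gip, gport = split_endpoint(t.inside_global)
            lip, _ = split_endpoint(t.inside_local)
            exposed.append((t.proto, gip, "ALL" if gport is None else gport, lip))
    return exposed


def audit_static(entries, approved):
    """Static entries that are not in the approved inventory."""
    return [t for t in entries
            if t.is_static and (t.proto, t.inside_global, t.inside_local) not in approved]


def run_audit(text=SAMPLE_OUTPUT, approved=APPROVED_STATIC):
    entries = parse_translations(text)
    return exposed_services(entries), audit_static(entries, approved)


if __name__ == "__main__":
    exposed, unapproved = run_audit()
    for item in exposed:
        print("exposed:", item)
    for t in unapproved:
        print("NOT IN INVENTORY:", t.proto, t.inside_global, "->", t.inside_local)
```

On the sample, the audit reports the full 1:1 mapping as exposing ALL ports of 192.168.1.100 (worth a second look even though it is approved) and flags 203.0.113.11:3389 -> 192.168.1.250:3389 as not in the inventory. In practice, feed it the output captured over SSH from each border router and diff the result against the inventory on a schedule.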
⚖️ Pros and Cons
Network Address Translation delivers tangible operational and security benefits, but it also introduces genuine architectural limitations. Understanding both sides of this trade-off is essential for designing networks that are appropriate for their use case — and for making informed decisions about IPv6 adoption.
✔ Advantages
- IPv4 Address Conservation: PAT allows thousands of hosts to share a single public IP, dramatically reducing the number of registered addresses an organisation must procure and maintain.
- Simplified Internal Addressing: Internal hosts use stable addresses that never change regardless of which ISP or public address block the organisation uses, simplifying internal DNS and DHCP management.
- ISP Independence: Changing ISPs requires updating only the NAT pool or outside interface reference — the entire internal address scheme remains unchanged, eliminating the need to renumber internal hosts.
- Implicit Inbound Filtering: Because PAT creates table entries only for outbound-initiated connections, an unsolicited inbound packet that matches no entry is not forwarded to any internal host, which provides a basic degree of protection. Note that a packet addressed to the router's own interface address is still processed by the router itself, so management services on the outside interface (SSH, HTTP, SNMP) need their own ACL protection; NAT does not provide it.
- Network Boundary Concealment: NAT prevents external parties from directly observing the internal addressing topology, network size, or device distribution of an organisation.
- Flexible Server Publication: Static NAT and static PAT allow administrators to precisely control which internal services are exposed on which public addresses and ports, enabling granular inbound access control.
- Support for Overlapping Address Spaces: Twice NAT enables communication between networks that use identical address ranges, a common challenge in enterprise mergers and acquisitions.
✘ Disadvantages
- End-to-End Transparency Violation: NAT fundamentally breaks the original internet architecture principle of end-to-end addressability, where every device has a unique, globally routable address. This complicates peer-to-peer applications and requires workarounds like STUN, TURN, and ICE.
- Application Layer Protocol Breakage: Protocols that embed IP addresses in the application payload (FTP active mode, SIP, H.323) do not work transparently through NAT without ALG support, and ALG implementations can introduce their own compatibility issues.
- Performance and Scalability Overhead: Every translated packet requires table lookups, header rewrites, and checksum recalculations. On high-traffic devices, the NAT process can become a bottleneck, particularly for large numbers of short-lived UDP flows (e.g., DNS, VoIP).
- Complicates End-to-End Security: IPsec AH authenticates the IP header, so any NAT rewrite invalidates it. ESP does not cover the outer header, but it exposes no port numbers for PAT to multiplex on, and in transport mode the encrypted TCP/UDP checksum still covers the original addresses. Either way NAT and IPsec do not coexist without NAT-T (NAT Traversal), which wraps ESP in UDP and adds complexity and overhead.
- Not a True Security Mechanism: NAT is not a firewall. It provides no deep packet inspection, no protection against compromised internal hosts initiating outbound malicious connections, and no defence against application-layer attacks. Treating NAT as a security boundary is a dangerous misconception.
- Troubleshooting Complexity: The address translation layer adds an additional abstraction that can obscure the source of connectivity problems. Engineers must cross-reference translation tables, ACLs, and interface assignments to diagnose NAT-related issues accurately.
- Impedes Adoption of IPv6: The address-conservation benefit of NAT reduces the perceived urgency of migrating to IPv6, contributing to the slow pace of IPv6 adoption and prolonging dependence on an address space that has already been formally exhausted.
🎯 Conclusion
Network Address Translation remains one of the most consequential technologies in the history of the internet. What began as an emergency response to IPv4 address exhaustion has evolved into a deeply embedded, multi-functional tool that underpins internet access for billions of devices and enables a range of essential network engineering functions — from server publication and port forwarding to ISP migration and overlapping address resolution.
A thorough understanding of NAT means more than memorising configuration commands. It requires understanding the precise semantics of the four address designations — Inside Local, Inside Global, Outside Local, and Outside Global — and being able to read and interpret show ip nat translations output accurately. It means knowing when to use static NAT versus PAT, and understanding the critical role of interface direction assignments and ACL design in making NAT function correctly.
From a professional standpoint, Network Address Translation knowledge is indispensable for troubleshooting, network design, VPN integration, and service migration. Equally important is understanding NAT’s limitations: it is not a security mechanism, it breaks end-to-end addressability, and it adds operational complexity that is ultimately resolved by IPv6 deployment — the technology that makes NAT unnecessary by providing a globally routable address for every device.
Whether you are studying for the CCNA exam, designing an enterprise border network, or troubleshooting a mysterious connectivity failure, the concepts covered in this guide provide the foundation you need to work with Network Address Translation accurately and confidently.
📖 Glossary
NAT
Network Address Translation. The process of modifying IP address fields in packet headers as they pass through a routing device, typically to map private addresses to public ones.
PAT
Port Address Translation, also called NAT Overload. A form of NAT that maps multiple inside local addresses to a single inside global address, differentiated by unique TCP/UDP source port numbers.
Inside Local Address
The IP address assigned to an internal host as seen from within the private network. Typically a private address (e.g., 192.168.1.10).
Inside Global Address
The public, routable IP address that represents an internal host on the internet-facing side of the NAT device. This is the translated source address seen by external hosts.
Outside Global Address
The publicly routable IP address of an external host as known to the internet. In standard NAT deployments, this is also the address used by internal hosts as the destination when initiating external connections.
Outside Local Address
The IP address of an external host as seen from the inside network. Identical to the Outside Global in standard NAT; differs only in Twice NAT deployments where destination addresses are also translated.
Static NAT
A permanent, manually configured one-to-one mapping between a specific inside local address and a specific inside global address. Used for servers that must be consistently reachable from the internet.
Dynamic NAT
A NAT configuration in which inside local addresses are dynamically mapped to inside global addresses drawn from a configured pool. Mappings are created on demand and expire after an idle period.
NAT Pool
An administrator-defined range of public IP addresses configured on a Cisco router for use as Inside Global addresses in dynamic NAT deployments. Defined with the ip nat pool command.
NAT Translation Table
The stateful translation database maintained by the NAT device, mapping inside local address/port pairs to inside global address/port pairs. Viewable with show ip nat translations.
Twice NAT
A NAT configuration in which both the source and destination IP addresses in a packet are translated simultaneously. Used to resolve IP address overlaps between two networks, such as during mergers.
NAT Overload
Cisco's term for PAT. Configured by appending the overload keyword to the ip nat inside source command, enabling multiple inside hosts to share a single inside global address via port differentiation.
ALG
Application Layer Gateway. A software module that allows NAT to correctly process protocols that embed IP addresses inside the application-layer payload, such as FTP (active mode), SIP, and H.323.
NAT Exemption
Configuration that explicitly excludes certain traffic flows (e.g., VPN traffic, management traffic) from being subject to NAT processing. Typically implemented via a deny statement in the NAT ACL or a route-map condition.
NAT-T
NAT Traversal. A mechanism (defined in RFC 3948) that encapsulates IPsec ESP packets inside UDP on port 4500, so that a NAT device sees ordinary UDP traffic it can translate and multiplex with PAT, while the ESP integrity check, which does not cover the outer IP header, is unaffected.
RFC 1918
The IETF standard defining three private IPv4 address ranges, 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16, reserved for use in private networks and not routed on the public internet.
