
Essentials of Network Address Translation Under the Hood (CCNP Notes)

Introduction to NAT

Network Address Translation (NAT) is a technology that allows a router or firewall to modify IP address information in packet headers as traffic passes through it. This enables devices using private IP addresses inside a network to communicate with external networks such as the internet.

The primary reason NAT exists is IPv4 address conservation. Because public IPv4 addresses are limited, most organizations assign private address space to internal devices and translate those addresses to public ones when traffic leaves the network.

NAT is typically implemented at the edge of a network, usually on a router or firewall that connects the internal network to the internet. When an internal host sends traffic externally, the device performing NAT replaces the private source address with a public address. When return traffic arrives, the device uses a translation table to map the traffic back to the correct internal host.

Types of NAT

Static NAT

Static NAT creates a permanent one-to-one mapping between a private IP address and a public IP address. The translation is manually configured and does not change.

This is commonly used for internal servers that must be reachable from external networks. Because the mapping is static, the public address always translates to the same internal host.

Example idea:

Private IP → Public IP
192.168.1.10 → 203.0.113.10

Dynamic NAT

Dynamic NAT also performs one-to-one translations, but the public address is selected from a pool of available public IP addresses.

When an internal device needs to reach an external network, the router assigns it an available public address from the pool. Once the session ends, the address can be reused for another device.

This allows multiple internal devices to use NAT, but it still requires a pool of public IP addresses.

NAT Overloading (PAT)

NAT Overloading, commonly called Port Address Translation (PAT), allows many internal devices to share a single public IP address.

Instead of only translating the IP address, the router can also modify the source port number so it can uniquely identify each connection.

Important detail: PAT does not always translate the source port.
If the original source port is available, the router will keep it the same. The port is only changed if another translation is already using that port on the public address.

Example concept:

192.168.1.10:5000 → 203.0.113.5:5000
192.168.1.11:5000 → 203.0.113.5:30001

PAT is the most common form of NAT used today because it allows thousands of internal devices to access the internet using only a small number of public IP addresses.
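To make the port-preservation rule concrete, here is a small Python model of a PAT table. It is an example added to these notes, not Cisco's implementation. It assumes a single shared public address and, when the original port is already taken, falls back to the next free port at or above 30001 (that starting point is an assumption chosen only to mirror the example above; IOS has its own allocation rules). The port space is tracked per protocol, so a TCP flow and a UDP flow can both keep source port 5000, and the same table answers the reverse lookup a router performs on return traffic.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Simplified model of PAT (NAT overload) added for this note. It is not Cisco's
# implementation. Assumption: when the original source port is already in use on
# the public address, the model takes the next free port at or above
# FALLBACK_START (30001 here, chosen only to mirror the example above).
FALLBACK_START = 30001
MAX_PORT = 65535

Endpoint = Tuple[str, int]  # (ip, port)


@dataclass
class PatTable:
    inside_global: str  # the single public IP shared by all inside hosts
    # (proto, inside local ip, inside local port) -> inside global port
    outbound: Dict[Tuple[str, str, int], int] = field(default_factory=dict)
    # (proto, inside global port) -> inside local (ip, port)
    inbound: Dict[Tuple[str, int], Endpoint] = field(default_factory=dict)

    def translate_outbound(self, proto: str, src: Endpoint) -> Endpoint:
        """Return the Inside Global ip:port an outbound packet leaves with,
        creating a translation entry the first time a flow is seen."""
        key = (proto, src[0], src[1])
        if key in self.outbound:  # existing flow: reuse its entry
            return (self.inside_global, self.outbound[key])
        if (proto, src[1]) not in self.inbound:
            gport = src[1]  # port preservation: original port is still free
        else:
            gport = self._next_free_port(proto)  # collision: pick another port
        self.outbound[key] = gport
        self.inbound[(proto, gport)] = src
        return (self.inside_global, gport)

    def _next_free_port(self, proto: str) -> int:
        for port in range(FALLBACK_START, MAX_PORT + 1):
            if (proto, port) not in self.inbound:
                return port
        raise RuntimeError(f"PAT port space exhausted for {proto}")

    def translate_inbound(self, proto: str, dst: Endpoint) -> Optional[Endpoint]:
        """Map return traffic addressed to inside_global:port back to the
        Inside Local host. None means no entry exists and the router drops it."""
        if dst[0] != self.inside_global:
            return None
        return self.inbound.get((proto, dst[1]))


if __name__ == "__main__":
    table = PatTable("203.0.113.5")
    for host in ("192.168.1.10", "192.168.1.11"):
        print(host, ":5000 ->", table.translate_outbound("tcp", (host, 5000)))
    print("udp 192.168.1.12:5000 ->", table.translate_outbound("udp", ("192.168.1.12", 5000)))
    print("return to :30001 ->", table.translate_inbound("tcp", ("203.0.113.5", 30001)))
```

Running it reproduces the two mappings above: the first host keeps port 5000, the second collides and receives 30001, and a return packet to port 30001 is mapped back to 192.168.1.11:5000. Unsolicited inbound traffic to a port with no entry returns None, which is the behaviour that makes PAT drop it.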

NAT Matching and Translation Behavior

ACLs Define What Gets NATed

In many NAT configurations, access control lists (ACLs) are used to define which traffic should be translated and which should not. The ACL does not block traffic; it simply identifies traffic that is eligible for NAT.

If traffic matches the ACL, the router applies NAT. If it does not match, the traffic passes through without being translated.

Because of this behavior, ACL design is important when configuring NAT policies.

Core NAT Address Terminology

Understanding NAT requires knowing how Cisco describes addresses during translation.

Inside Local (IL)

The actual IP address assigned to a host on the internal private network.

Example:
192.168.1.10

This address is used only inside the private network and is typically taken from RFC 1918 address space.

Inside Global (IG)

The public IP address that represents the inside host to external networks.

Example:
203.0.113.10

When NAT occurs, the router replaces the Inside Local address with the Inside Global address before the packet is sent to the internet.

Outside Global (OG)

The real public IP address of an external host.

Example:
8.8.8.8 (public DNS server)

This is the actual address assigned to the external device on the internet.

Outside Local (OL)

The address of the outside host as it appears to the internal network.

In most NAT scenarios, the Outside Local and Outside Global addresses are the same, but they can differ if additional NAT translations are applied.


Inside vs Outside

Inside Network
The private network managed by your organization.

Outside Network
The external network, usually the public internet.

Routers performing NAT must define which interfaces are inside and which are outside so the router knows where translations should occur.


Local vs Global

Local Address
An address used internally within a network.

Global Address
An address that is visible externally on the public internet.

These terms are combined to describe how NAT translates addresses as packets move between internal and external networks.

ACL Required to Match Traffic

For many NAT configurations, an ACL is required to match the traffic that should be translated. The NAT rule references the ACL, and the router uses it to determine which packets should create NAT translations.
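The two passages above (ACLs define what gets NATed, and the ACL the NAT rule references) describe the same decision, so here is one Python model of it, added for these notes and not taken from IOS. It implements standard-ACL wildcard-mask matching over the source address, first match wins with an implicit deny at the end, and then shows that a non-matching packet is still forwarded, just with its original source address. The ACL and the Inside Global address 203.0.113.5 are constructed for the example.

```python
import ipaddress
from typing import List, Tuple

# Added for this note: a model of how a standard ACL decides NAT eligibility.
# Only source addresses are matched, as a standard ACL does. The translation
# itself is stood in for by a fixed Inside Global address.

AclEntry = Tuple[str, str, str]  # (action, network, wildcard mask)


def wildcard_match(ip: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard-mask comparison: a 0 bit in the mask must match exactly,
    a 1 bit is 'don't care'. 0.0.0.255 therefore matches a whole /24."""
    ip_i = int(ipaddress.IPv4Address(ip))
    net_i = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (ip_i & care) == (net_i & care)


def nat_eligible(src_ip: str, acl: List[AclEntry]) -> bool:
    """First matching entry wins: 'permit' means translate, 'deny' means leave
    the packet untranslated. An unmatched packet hits the implicit deny."""
    for action, network, wildcard in acl:
        if wildcard_match(src_ip, network, wildcard):
            return action == "permit"
    return False


def forward(src_ip: str, acl: List[AclEntry], inside_global: str) -> Tuple[str, bool]:
    """Return (source address the packet leaves with, was_translated).
    The packet is forwarded either way: the NAT ACL never drops it."""
    if nat_eligible(src_ip, acl):
        return inside_global, True
    return src_ip, False


# Constructed ACL for this example, equivalent to:
#   access-list 1 deny   192.168.1.250 0.0.0.0
#   access-list 1 permit 192.168.1.0   0.0.0.255
NAT_ACL: List[AclEntry] = [
    ("deny", "192.168.1.250", "0.0.0.0"),    # one host excluded from NAT
    ("permit", "192.168.1.0", "0.0.0.255"),  # the rest of the LAN is translated
]

if __name__ == "__main__":
    for ip in ("192.168.1.10", "192.168.1.250", "10.0.0.7"):
        print(ip, "->", forward(ip, NAT_ACL, "203.0.113.5"))
```

Entry order is the design point: swapping the deny and permit lines would translate 192.168.1.250 too, because the permit would match first. That is why the notes say ACL design matters for NAT policy, and why a "deny" in a NAT ACL is a no-translate instruction rather than a filter.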

NAT Timeout Values

NAT translations are not permanent for most traffic. The router keeps entries in the NAT table only while they are active.

Different protocols have different default timeout values on Cisco routers:

  • TCP – 24 hours (86400 seconds)
  • UDP – 5 minutes (300 seconds)
  • ICMP – 60 seconds

These timers exist because the protocols behave differently. A TCP connection is long-lived and may stay open for hours, while UDP exchanges and ICMP requests are typically short-lived.

If a session becomes inactive and the timeout expires, the router removes the translation from the NAT table, freeing resources for new connections.
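The aging behaviour described here, as an added Python model for these notes (not router code). It uses the three default timeouts listed above, refreshes an entry's timer on every packet of its flow, and sweeps idle entries out of the table. The clock is a plain number of seconds supplied by the caller, which is an assumption of the model; the flows and times in the demo are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Added for this note: a model of NAT-table aging with the default Cisco
# timeouts quoted above. Real routers refresh entries on every matching packet
# and sweep expired ones periodically; here both are explicit calls.
DEFAULT_TIMEOUTS = {"tcp": 86400, "udp": 300, "icmp": 60}

FlowKey = Tuple[str, str, int]  # (proto, inside local ip, inside local port)


@dataclass
class Entry:
    inside_global_port: int
    last_seen: float  # seconds on whatever clock the caller uses


class AgingNatTable:
    def __init__(self, timeouts: Optional[Dict[str, int]] = None):
        self.timeouts = dict(timeouts or DEFAULT_TIMEOUTS)
        self.entries: Dict[FlowKey, Entry] = {}

    def packet(self, key: FlowKey, global_port: int, now: float) -> None:
        """A packet of this flow was seen: create the entry or refresh its timer."""
        entry = self.entries.get(key)
        if entry is None:
            self.entries[key] = Entry(global_port, now)
        else:
            entry.last_seen = now

    def sweep(self, now: float) -> List[FlowKey]:
        """Remove entries idle longer than their protocol's timeout and
        return the keys that were removed."""
        expired = [
            key for key, entry in self.entries.items()
            if now - entry.last_seen > self.timeouts[key[0]]
        ]
        for key in expired:
            del self.entries[key]
        return expired

    def active(self, key: FlowKey) -> bool:
        return key in self.entries


if __name__ == "__main__":
    t = AgingNatTable()
    t.packet(("tcp", "192.168.1.10", 5000), 5000, now=0)
    t.packet(("udp", "192.168.1.11", 53000), 53000, now=0)  # idle afterwards
    t.packet(("udp", "192.168.1.12", 4500), 4500, now=0)    # refreshed every 200 s
    t.packet(("icmp", "192.168.1.13", 1), 1, now=0)
    for now in range(200, 1001, 200):
        t.packet(("udp", "192.168.1.12", 4500), 4500, now)  # keepalive traffic
        print(now, "expired:", t.sweep(now))
```

In the demo the ICMP entry goes at the first sweep, the idle UDP entry goes at 400 s, the UDP flow that sends a packet every 200 s never expires, and the TCP entry is still present at 1000 s because its timer is measured in hours. A UDP flow that stays silent for longer than 300 s loses its entry, which is why long-lived UDP sessions such as VPN tunnels depend on keepalives to keep the translation alive.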

Verification Commands

When troubleshooting NAT, Cisco routers provide several commands that allow you to view translations, statistics, and active NAT configurations.

Show NAT Translations

This command displays the current NAT translation table, showing how internal addresses are mapped to external addresses.

show ip nat translations

Example output will show entries such as:

Inside Local → Inside Global
192.168.1.10 → 203.0.113.5

For PAT, you will also see port translations included in the output.

This command is useful for verifying that NAT translations are actually being created.
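As an added example for these notes, the following Python parser reads the text layout of `show ip nat translations` and labels each column with the terminology from the section above (Inside Global, Inside Local, Outside Local, Outside Global). The sample output is constructed for this example in the IOS column layout, not captured from a real router; it includes two PAT entries, one of which had its port rewritten, a UDP entry, and a static entry, which shows "---" in the Pro and outside columns until a session exists.

```python
from typing import Dict, List, Optional, Tuple

# Added for this note: a parser for the text layout of `show ip nat translations`.
# SAMPLE_OUTPUT is constructed for this example in the IOS column layout; it is
# not output from a real router.
SAMPLE_OUTPUT = """\
Pro Inside global         Inside local          Outside local         Outside global
tcp 203.0.113.5:5000      192.168.1.10:5000     198.51.100.20:443     198.51.100.20:443
tcp 203.0.113.5:30001     192.168.1.11:5000     198.51.100.20:443     198.51.100.20:443
udp 203.0.113.5:53001     192.168.1.12:53001    8.8.8.8:53            8.8.8.8:53
--- 203.0.113.10          192.168.1.10          ---                   ---
"""

Endpoint = Tuple[Optional[str], Optional[int]]


def split_endpoint(field: str) -> Endpoint:
    """'ip:port' -> (ip, port); bare 'ip' -> (ip, None); '---' -> (None, None)."""
    if field == "---":
        return None, None
    ip, sep, port = field.rpartition(":")
    if not sep:
        return field, None
    return ip, int(port)


def parse_translations(text: str) -> List[Dict]:
    """Turn each data row into a dict keyed by the four NAT address terms."""
    rows = []
    for line in text.splitlines()[1:]:  # first line is the column header
        cols = line.split()
        if len(cols) != 5:
            continue
        proto, ig, il, ol, og = cols
        rows.append({
            "proto": None if proto == "---" else proto,
            "inside_global": split_endpoint(ig),
            "inside_local": split_endpoint(il),
            "outside_local": split_endpoint(ol),
            "outside_global": split_endpoint(og),
        })
    return rows


def port_rewritten(rows: List[Dict]) -> List[Dict]:
    """PAT entries whose source port was changed (Inside Local port != Inside Global port)."""
    return [
        r for r in rows
        if r["inside_local"][1] is not None
        and r["inside_local"][1] != r["inside_global"][1]
    ]


def static_entries(rows: List[Dict]) -> List[Dict]:
    """Rows with no protocol are static mappings without an active session."""
    return [r for r in rows if r["proto"] is None]


if __name__ == "__main__":
    rows = parse_translations(SAMPLE_OUTPUT)
    for r in rows:
        print(r["proto"], r["inside_local"], "->", r["inside_global"], "to", r["outside_global"])
    print("port rewritten by PAT:", [r["inside_local"] for r in port_rewritten(rows)])
    print("static mappings:", [r["inside_global"] for r in static_entries(rows)])
```

The useful checks when troubleshooting are the ones the two helper functions perform: which hosts had their source port changed (the collision case described under PAT), and which static mappings exist even when no traffic is flowing. Pointing the parser at saved output from a real router lets you make those checks without reading the table by eye.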

Show NAT Statistics

This command provides general information about NAT operation, including translation counts and hit statistics.

show ip nat statistics

Useful information in this output includes:

  • Total active translations
  • Number of hits and misses
  • NAT pool usage
  • Interfaces configured for inside and outside NAT

This helps confirm whether NAT is actively being used on the router.

Show Running Configuration

You can also verify NAT configuration directly in the running configuration.

show running-config | section nat

This helps confirm:

  • NAT rules
  • ACLs used for NAT matching
  • Inside and outside interface assignments

Using these commands together makes it easier to confirm that NAT is configured correctly and that translations are being created as expected.

Conclusion

Network Address Translation (NAT) is a fundamental technology used in almost every modern network. While it is often introduced as a simple way to conserve IPv4 addresses, there is more happening under the hood than just replacing one IP address with another.

Understanding the different types of NAT, how ACLs determine which traffic is translated, and how routers track translations with timers and tables makes troubleshooting much easier. Concepts like Inside Local, Inside Global, and PAT behavior become especially important when diagnosing connectivity problems.

From a CCNP perspective, the goal is not just knowing how to configure NAT, but understanding how the router processes and tracks translations internally. Once you understand those mechanics, NAT becomes much easier to reason about when something in the network is not working the way you expect.