Chapter 16 of 27
NAT and IPv4 Internet Edge Fundamentals
Conserve IPv4 addresses and safely connect private networks to the internet using NAT and related edge design concepts.
Why NAT Exists: IPv4 at the Internet Edge
NAT: Canonical Definition
Network Address Translation (NAT) is a method of translating private IP addresses to public IP addresses, and vice versa, as packets traverse a router or firewall.
Why NAT Exists
IPv4 addresses are scarce, private RFC 1918 ranges are not routable on the internet, and NAT lets many private hosts share limited public addresses at the internet edge.
NAT at the Internet Edge
NAT runs on your edge router or firewall between internal VLANs and the ISP. It rewrites source or destination IPs (and often ports) as traffic crosses between inside and outside.
Relationship to Previous Modules
You already built inter-VLAN routing and resilient default gateways. NAT is added on that same router so those VLANs can now reach the public internet.
Inside vs Outside: NAT Terminology and Translation Types
Inside vs Outside Interfaces
Inside interface faces the LAN with private addresses. Outside interface faces the ISP with public addresses. NAT translations occur as packets cross between these sides.
NAT Address Terms
Inside local: private address of an internal host. Inside global: public address representing that host. Outside global: public address of an external host.
Three NAT Types
Static NAT: 1:1 fixed mapping. Dynamic NAT: many-to-many from a pool. PAT (overload): many-to-one using port numbers so many hosts share one public IP.
Key Concept
Static/dynamic NAT change only IP addresses; PAT changes IP addresses and TCP/UDP port numbers to multiplex many sessions over one public IP.
Static NAT and Dynamic NAT: Concepts and Packet Walks
Static NAT Use Case
Static NAT maps one private host, like 192.168.10.50, to one public IP, like 203.0.113.50, so that internet users can reach an internal server.
Static NAT Packet Walk
Incoming packet to 203.0.113.50:80 is translated to 192.168.10.50:80. Replies from 192.168.10.50 are translated back to 203.0.113.50.
Dynamic NAT with a Pool
Dynamic NAT uses a pool of public IPs, such as 203.0.113.100–110. Each internal host that goes out gets temporarily mapped to one address from the pool.
Pool Exhaustion
If all pool addresses are in use, additional internal hosts cannot get translated. Their new connections fail until an existing translation times out.
PAT (Overload): How One Public IP Serves Many Users
PAT Scenario
LAN 192.168.10.0/24, one public IP 203.0.113.10. All internal users must share that single public address to reach the internet.
How PAT Works
PAT changes both source IP and source port. Many internal flows are mapped to the same public IP but with different port numbers.
NAT Table Entry Example
192.168.10.11:50000 becomes 203.0.113.10:30001. Another host 192.168.10.12 might become 203.0.113.10:30002, and so on.
CCNA Exam Angles
Remember: PAT is enabled with the `overload` keyword, uses ports to multiplex flows, and allows thousands of sessions over a single public IP.
Configuring NAT Overload for Internet Access (Cisco IOS)
Now you will configure the most common CCNA NAT scenario: a router providing internet access for internal VLANs using PAT on the outside interface.
Topology (text-based):
- Inside: VLAN 10, 192.168.10.0/24
  - Default gateway: 192.168.10.1 on router subinterface G0/0.10
- Outside: G0/1 connected to the ISP
  - IP: 203.0.113.10/30
  - ISP next-hop: 203.0.113.9
Goal: All 192.168.10.0/24 hosts access the internet using 203.0.113.10 with PAT.
Key configuration steps:
- Mark inside and outside interfaces.
- Define which traffic is allowed to be translated (ACL for inside sources).
- Configure NAT overload using the outside interface.
- Add a default route toward the ISP.
Study the config and comments carefully; this pattern appears often in the exam and labs.
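The following is an added example of the full PAT configuration for the topology above; it is not the course's own lab file. The interface names and addresses come from the topology, while the ACL name NAT-INSIDE is an assumption.

```cisco
! Added example (not the course's own config). Interface names and addresses
! follow the lab topology; the ACL name NAT-INSIDE is an assumption.
!
! Step 1: inside. The VLAN 10 subinterface is the hosts' default gateway and
! is marked as the NAT inside side.
interface GigabitEthernet0/0
 no shutdown
!
interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
!
! Step 2: outside. The ISP-facing link carries the single public address
! that every inside host will share.
interface GigabitEthernet0/1
 ip address 203.0.113.10 255.255.255.252
 ip nat outside
 no shutdown
!
! Step 3: which inside sources may be translated. Keep this ACL tight: a
! "permit any" would also translate traffic from subnets you never meant
! to give internet access.
ip access-list standard NAT-INSIDE
 permit 192.168.10.0 0.0.0.255
!
! Step 4: PAT. Sources matched by the ACL are translated to G0/1's address,
! multiplexed by source port ("overload").
ip nat inside source list NAT-INSIDE interface GigabitEthernet0/1 overload
!
! Step 5: default route. Without it, translated packets are never forwarded
! toward the ISP even though translations are created.
ip route 0.0.0.0 0.0.0.0 203.0.113.9
!
! Verification: generate traffic from a VLAN 10 host, then on the router:
!   show ip nat translations   (expect 192.168.10.x:port mapped to 203.0.113.10:port)
!   show ip nat statistics     (expect the NAT-INSIDE / GigabitEthernet0/1 overload mapping)
```

The `overload` keyword is what turns this from dynamic NAT into PAT; without it, only one inside host at a time could use the single interface address.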
Configuring Static NAT and Dynamic NAT Pools
Static NAT Config Pattern
Mark inside/outside interfaces, then use `ip nat inside source static inside-local inside-global` to create a permanent 1:1 mapping.
Static NAT for Servers
Example: map 192.168.10.50 to 203.0.113.50 so internet clients can reach your internal web server using the public address.
Dynamic NAT Pool Definition
Use `ip nat pool NAME start-ip end-ip netmask MASK` to define a range of public addresses for dynamic NAT.
Binding ACL to Pool
An ACL selects inside local addresses, then `ip nat inside source list ACL pool NAME` links them to the pool for translation.
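As an added example (not the course's own configuration), here are both patterns on one router that already has the inside/outside marking from the PAT lab. The server subnet 192.168.20.0/24, the pool name SERVER-POOL and the ACL names are assumptions.

```cisco
! Added example (not the course's own config). Assumes G0/0.10 is marked
! "ip nat inside" and G0/1 "ip nat outside" as in the PAT lab. The names
! SERVER-POOL and NAT-SERVERS and the 192.168.20.0/24 server VLAN are assumptions.
!
! --- Static NAT: publish the internal web server with a permanent 1:1 mapping ---
! Inbound packets to 203.0.113.50 become 192.168.10.50; replies go back the same way.
ip nat inside source static 192.168.10.50 203.0.113.50
!
! Note: this exposes 192.168.10.50 on every port, not only 80/443. Pair it
! with an inbound ACL or firewall policy on G0/1 that permits only the needed
! ports. That inbound ACL is evaluated before the outside-to-inside translation,
! so it must match the public (inside global) address 203.0.113.50.
!
! --- Dynamic NAT: each server gets its own public IP from a pool, no ports ---
! Use a separate ACL/subnet from the PAT users so the two NAT rules do not overlap.
ip nat pool SERVER-POOL 203.0.113.100 203.0.113.110 netmask 255.255.255.0
!
ip access-list standard NAT-SERVERS
 permit 192.168.20.0 0.0.0.255
!
ip nat inside source list NAT-SERVERS pool SERVER-POOL
!
! Pool exhaustion: the pool holds 11 addresses. A 12th server trying to go out
! gets no translation until an existing entry ages out (ip nat translation
! timeout, default 86400 seconds for dynamic entries) or is cleared:
!   show ip nat statistics        (pool "misses" climb when the pool is full)
!   clear ip nat translation *    (drops all dynamic entries)
```

The static entry appears in `show ip nat translations` permanently, even with no traffic; dynamic pool entries appear only while an inside server has an active translation.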
Verifying NAT: show and debug Commands
show ip nat translations
This command shows active NAT entries: inside local/global and outside local/global. For PAT, you will see IP:port pairs.
show ip nat statistics
Displays total active translations, hits/misses, and information about pools. Helps you spot pool exhaustion or confirm traffic is using NAT.
Checking the Config
Use `show running-config | section nat` to quickly review NAT pools, ACL bindings, and inside/outside interface statements.
Using debug ip nat
`debug ip nat` shows real-time translation events. Great for labs, but be cautious in production because it can be very verbose.
Thought Exercise: Classifying NAT Scenarios
Apply what you have learned by classifying scenarios and mentally designing the right NAT type.
Scenario 1
Your company has one public IP address from the ISP. 200 employees need outbound internet access, but no public-facing servers.
- Question: Which NAT type is appropriate, and why?
- Hint: Think about how many internal hosts need to share a single public IP.
Scenario 2
You host an internal web server that must be reachable from the internet on a fixed IP for DNS and SSL certificates.
- Question: Which NAT type do you use for this server, and what does the mapping look like?
- Hint: Consider a permanent 1:1 relationship.
Scenario 3
Your ISP gives you a /27 block of public IPs. You want each of 20 internal servers to have its own public IP for outbound connections, without port overloading, but you do not care which specific public IP each server gets.
- Question: Which NAT type best fits, and why is it different from static NAT?
Work out your answers in your head or notes before reading the explanations. Then compare:
- Scenario 1: PAT (overload) on the outside interface.
- Scenario 2: Static NAT mapping inside local to inside global.
- Scenario 3: Dynamic NAT using a pool of public addresses.
Quiz 1: NAT Concepts and Types
Check your understanding of NAT fundamentals before we move to troubleshooting.
Which statement best describes Port Address Translation (PAT) as implemented on a Cisco router for internet access?
- A) PAT maps each inside local address to a unique inside global address from a pool without using ports.
- B) PAT maps multiple inside local addresses to a single inside global address by using different TCP/UDP source ports.
- C) PAT maps one inside local address to one inside global address for inbound connections only.
- D) PAT maps outside global addresses to inside local addresses using a static ACL.
Answer: B) PAT maps multiple inside local addresses to a single inside global address by using different TCP/UDP source ports.
PAT (also called NAT overload) allows many internal hosts to share a single public IP by translating both the source IP and the source port. Each flow gets a unique port on the public address. Option A describes dynamic NAT without overload; option C describes static NAT; option D mixes terminology incorrectly.
Quiz 2: Inside/Outside and Verification
Test your understanding of NAT interface roles and verification commands.
A router is configured with `ip nat inside` on G0/0 (192.168.1.1/24) and `ip nat outside` on G0/1 (203.0.113.2/30). Hosts on 192.168.1.0/24 cannot reach the internet. Which command is MOST useful first to confirm whether translations are being created?
- A) show ip nat translations
- B) show ip interface brief
- C) show ip route
- D) show access-lists
Answer: A) show ip nat translations
`show ip nat translations` directly displays whether NAT entries are being created when inside hosts generate traffic. The other commands are useful for general troubleshooting, but this one targets NAT operation specifically.
Common NAT Troubleshooting Patterns and Exam Traps
Inside/Outside Mislabeling
If inside and outside are swapped, no translations appear. Always verify `ip nat inside` is on the LAN side and `ip nat outside` is on the ISP side.
ACL Issues with NAT
The ACL used by NAT must match inside source addresses. A wrong subnet or deny statement can prevent translations from being created.
Default Route and NAT
Translations can be created correctly, but without a valid default route to the ISP the translated packets have nowhere to go. Always verify the 0.0.0.0/0 route.
Exam Checklist
In exam configs, quickly check: inside/outside roles, ACL match, NAT statements, pools, and the default route before drawing conclusions.
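The checklist above as an added troubleshooting walkthrough (not from the course), run against the PAT lab topology: G0/0.10 inside with 192.168.10.0/24, G0/1 outside with 203.0.113.10/30. The ACL name NAT-INSIDE and the mistyped subnet are assumptions chosen to illustrate the ACL trap.

```cisco
! Added troubleshooting walkthrough (not the course's own). Assumes the PAT lab
! topology; the ACL name NAT-INSIDE and the wrong subnet are constructed.
!
! Symptom: VLAN 10 hosts cannot reach the internet and
! "show ip nat translations" shows no entries.
!
! Check 1: interface roles. Both lines must exist, on the correct interfaces
! (inside on the LAN subinterface, outside on the ISP link).
!   show running-config | include ip nat
!
! Check 2: the ACL must match the real inside sources. A typo in the subnet
! is the classic trap: this entry never matches 192.168.10.x, so no
! translation is ever created and nothing appears in the NAT table.
ip access-list standard NAT-INSIDE
 no permit 192.168.1.0 0.0.0.255
 permit 192.168.10.0 0.0.0.255
!
! Check 3: the NAT statement references that ACL and the actual outside
! interface, and carries "overload" if PAT is intended.
!   show running-config | section nat
!
! Check 4: a default route exists and points at the ISP next hop.
!   show ip route | include 0.0.0.0
!
! After a fix, drop stale entries so new traffic is re-evaluated, then watch
! live events only briefly (debug is verbose and CPU-heavy; disable it as
! soon as you have seen a translation).
!   clear ip nat translation *
!   debug ip nat
!   undebug all
```

Each check maps to one item of the exam checklist: interface roles, ACL match, NAT statement, pool (if dynamic NAT is used), and default route. Work through them in that order, because an empty translation table points at the first three, while a populated table with no connectivity points at the route.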
Key NAT Terms and Patterns Review
Flip through these cards to reinforce terminology and core NAT patterns before moving on.
- NAT (Network Address Translation)
  - Network Address Translation (NAT) is a method of translating private IP addresses to public IP addresses, and vice versa, as packets traverse a router or firewall.
- Inside interface vs Outside interface
  - Inside interface faces the internal network (usually using private RFC 1918 addresses). Outside interface faces the external network or ISP (using public addresses).
- Inside local vs Inside global
  - Inside local: private IP of an internal host (for example 192.168.10.10). Inside global: public IP that represents that host on the internet (for example 203.0.113.10).
- Static NAT
  - A 1:1, fixed mapping between a single inside local address and a single inside global address. Often used to publish internal servers to the internet.
- Dynamic NAT
  - Uses a pool of public addresses. Inside local addresses are mapped to available inside global addresses from the pool on demand, without overloading ports.
- PAT (NAT overload)
  - Many-to-one NAT that maps multiple inside local addresses to a single inside global address by using different TCP/UDP source ports. Enabled with the `overload` keyword.
- Command: mark interfaces for NAT
  - `ip nat inside` is applied to LAN-facing interfaces or subinterfaces; `ip nat outside` is applied to ISP-facing interfaces.
- Command: PAT using interface address
  - `ip nat inside source list <acl> interface <outside-if> overload` enables PAT, translating sources matched by the ACL to the outside interface IP with port overloading.
- Verify NAT translations
  - `show ip nat translations` displays current NAT entries, including inside local/global and outside local/global addresses and ports.
- Verify NAT statistics
  - `show ip nat statistics` shows active translations, hits/misses, and pool usage, helping detect issues like pool exhaustion.
Key Terms
- NAT
  - Network Address Translation (NAT) is a method of translating private IP addresses to public IP addresses, and vice versa, as packets traverse a router or firewall.
- NAT pool
  - A configured range of public IP addresses used by dynamic NAT to allocate inside global addresses.
- Static NAT
  - A 1:1, fixed mapping between a single inside local IP address and a single inside global IP address.
- Dynamic NAT
  - A NAT method that uses a pool of public addresses and dynamically maps inside local addresses to available inside global addresses.
- Inside interface
  - A router interface configured with `ip nat inside`, facing the internal network that uses private addresses.
- Outside interface
  - A router interface configured with `ip nat outside`, facing the external network or ISP that uses public addresses.
- Inside local address
  - The private IP address assigned to an internal host, visible only within the local network.
- Inside global address
  - The public IP address that represents an internal host on external networks such as the internet.
- show ip nat statistics
  - Cisco IOS command that displays summary information about NAT operation, including active translations and pool usage.
- show ip nat translations
  - Cisco IOS command that displays the current NAT translation table, including inside and outside addresses and ports.
- PAT (Port Address Translation)
  - A NAT variant that allows multiple internal hosts to share a single public IP by translating both IP addresses and TCP/UDP port numbers; also called NAT overload.