Chapter 18 of 29
Network Address Translation (NAT) and IPv4 Private Addressing
Bridge private IPv4 address spaces to the public internet with NAT, mastering how translations work and where they appear in real exam scenarios.
Private IPv4 Addressing: Why It Exists and How It Works
Why Private IPv4 Exists
IPv4 has about 4.3 billion addresses. As the internet grew, organizations could not get enough public IPv4 addresses for all their devices, so a split between private (internal-only) and public (globally routable) addressing was introduced.
RFC 1918 Ranges
RFC 1918 defines three private ranges: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. These addresses are not routed on the public internet and are meant for internal networks.
Why Enterprises Use Them
Enterprises use private addresses to conserve public IPs, reuse the same ranges in many sites, and avoid renumbering hosts when changing ISPs. In CCNA questions, these ranges hint that NAT is needed.
Other Non-routable Ranges
You may also see 169.254.0.0/16 (link-local/APIPA) and 127.0.0.0/8 (loopback). These are non-routable but are not used as general enterprise addressing like RFC 1918 space.
What NAT Is and Where It Lives in the Network
NAT: The Official Definition
Network Address Translation (NAT) is a method of translating private IP addresses to public IP addresses, and vice versa, as packets traverse a router or firewall.
Where NAT Runs
NAT typically runs on the edge router or firewall between a private LAN and the public internet. On Cisco IOS, interfaces are tagged as `ip nat inside` or `ip nat outside`.
Inside vs Outside Terms
Inside local = the internal private address of a host. Inside global = the public address representing that host to the outside. Outside global = the real address of the internet host. Outside local = the address of that outside host as seen from the inside; at CCNA level it is usually the same as the outside global.
Static NAT, Dynamic NAT, and PAT: Conceptual Differences
Static NAT
Static NAT creates a permanent 1:1 mapping between a private and a public IP, often used for internal servers that must be reachable from the internet.
Dynamic NAT
Dynamic NAT uses a pool of public addresses and assigns them to internal hosts as needed. It is still 1:1, but the specific public IP can change.
PAT (NAT Overload)
Port Address Translation lets many private hosts share one public IP by using different TCP/UDP source ports. This is what most home routers use.
Exam Shortcut
Static = fixed 1:1. Dynamic = pool-based 1:1. PAT = many:1 using ports. If you see `overload` in Cisco configs, you are looking at PAT.
Visualizing NAT Translations: Packet Walkthroughs
Topology Overview
PC1 (192.168.10.10) uses R1 (inside 192.168.10.1, outside 203.0.113.1) to reach a web server 198.51.100.5. R1 is configured for NAT between inside and outside.
Dynamic NAT Packet Flow
PC1 sends to 198.51.100.5. R1 picks a free public IP, e.g., 203.0.113.10, rewrites the source, and forwards. Replies to 203.0.113.10 are translated back to 192.168.10.10.
PAT with Many Hosts
With PAT, many PCs share one public IP. R1 rewrites both address and source port, like 192.168.10.10:12345 → 203.0.113.10:40001 and 192.168.10.11:23456 → 203.0.113.10:40002.
How Return Traffic Works
Return packets arrive at 203.0.113.10 on different ports. R1 uses the NAT table to map each flow back to the correct internal IP and port.
Cisco NAT Building Blocks: Inside/Outside and ACLs
Inside vs Outside Interfaces
Cisco NAT requires you to mark interfaces as `ip nat inside` (toward private LAN) and `ip nat outside` (toward ISP). If you swap them, translations fail.
ACL Role in NAT
An ACL defines which traffic is eligible for NAT. It usually matches inside source IPs only. It does not block traffic; it just selects addresses for translation.
Typical NAT ACL Example
`access-list 1 permit 192.168.10.0 0.0.0.255` selects the 192.168.10.0/24 network for NAT. Standard ACLs use wildcard masks, not subnet masks.
Troubleshooting Tip
If some hosts cannot reach the internet, check that interfaces are correctly labeled inside/outside and that the NAT ACL actually matches their source addresses.
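As an added illustration, not part of the chapter's own material, the following Python model ties the PAT walkthrough to the NAT ACL: it applies Cisco standard-ACL wildcard matching to decide which inside sources are translated, allocates a distinct global source port per inside flow, and uses the resulting table to map return traffic back. The inside global address 203.0.113.10 and the first port 40001 come from the walkthrough; the class, function names and the behaviour for a non-matching source are constructed assumptions.

```python
import ipaddress

# Constructed model of R1 from the chapter: inside hosts on 192.168.10.0/24,
# one inside global address (203.0.113.10) shared via PAT. Simulation only.

def acl_permits(ip, acl_address, wildcard):
    """Standard ACL match: bits that are 0 in the wildcard mask must be equal."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    ip_bits = int(ipaddress.IPv4Address(ip)) & care
    return ip_bits == (int(ipaddress.IPv4Address(acl_address)) & care)

class PatRouter:
    def __init__(self, inside_global, acl_address, wildcard, first_port=40001):
        self.inside_global = inside_global
        self.acl = (acl_address, wildcard)
        self.next_port = first_port
        self.table = {}    # (inside local IP, local port) -> global port
        self.reverse = {}  # global port -> (inside local IP, local port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Inside -> outside: rewrite source IP and port if the ACL selects it."""
        if not acl_permits(src_ip, *self.acl):
            # The ACL only selects traffic for translation; it does not block,
            # so a non-matching packet is forwarded untranslated (assumption).
            return (src_ip, src_port, dst_ip, dst_port)
        key = (src_ip, src_port)
        if key not in self.table:          # new flow: allocate a global port
            self.table[key] = self.next_port
            self.reverse[self.next_port] = key
            self.next_port += 1
        return (self.inside_global, self.table[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Outside -> inside: look up the destination port in the NAT table."""
        if dst_ip != self.inside_global or dst_port not in self.reverse:
            return None                    # no translation entry: packet dropped
        local_ip, local_port = self.reverse[dst_port]
        return (src_ip, src_port, local_ip, local_port)

    def show_translations(self):
        """Rows in the spirit of 'show ip nat translations' (global <- local)."""
        return [f"{self.inside_global}:{g} <- {ip}:{p}"
                for (ip, p), g in self.table.items()]

if __name__ == "__main__":
    r1 = PatRouter("203.0.113.10", "192.168.10.0", "0.0.0.255")
    r1.outbound("192.168.10.10", 12345, "198.51.100.5", 80)
    r1.outbound("192.168.10.11", 23456, "198.51.100.5", 80)
    print("\n".join(r1.show_translations()))
```

A reply to a port with no table entry returns None, which is why unsolicited inbound traffic never reaches an inside host under PAT alone.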
Configuring Static NAT and Dynamic NAT on a Cisco Router
Now you will see the exact IOS commands used to configure static and dynamic NAT in a simple edge scenario.
Configuring PAT (NAT Overload) and Verifying Translations
PAT is the most common form of NAT in CCNA scenarios. Here is how to configure and verify it on Cisco IOS.
Thought Exercise: Identify the Correct NAT Type
Scenario A: Mixed Needs
A company has 4 public-facing web servers and 100 employees who only need outbound access, plus a /29 public block. Decide which NAT type each use case needs.
Scenario A: Suggested Design
Use static NAT for the 4 servers (fixed, reachable IPs). Use PAT on the router for 100 users to share a single public IP. Reserve 4 IPs for servers, 1 for PAT, 1 spare.
Scenario B: Lab Environment
A lab has a /28 public block and many VMs. Inbound access is not important, but each VM can have its own public IP. Choose between dynamic NAT and PAT.
Scenario B: Reasoning
Dynamic NAT is a good fit: it uses a pool of public IPs and gives each VM a 1:1 mapping while traffic is active. PAT would also work but is not necessary here.
Quiz 1: NAT Concepts and Private Addressing
Answer this question to check your understanding of NAT types and private addressing.
Which statement is MOST accurate for a typical enterprise edge using Port Address Translation (PAT) for internet access?
- Each internal host gets a unique public IP from a pool, and source ports are preserved.
- Many internal hosts share a single public IP, and the NAT device uses different source ports to distinguish flows.
- Each internal server has a fixed one-to-one mapping to a public IP, and client PCs cannot use NAT.
- Internal hosts use RFC 1918 addresses that are directly routable on the public internet without translation.
Answer: B) Many internal hosts share a single public IP, and the NAT device uses different source ports to distinguish flows.
PAT (also called NAT overload) allows many internal hosts to share a single public IP by translating both IP address and source port. Option 1 describes dynamic NAT without overload. Option 3 describes static NAT for servers only. Option 4 is incorrect because RFC 1918 addresses are not routable on the public internet and require translation.
Quiz 2: Cisco NAT Configuration and Troubleshooting
This question focuses on IOS commands and common misconfigurations.
You configured PAT on R1 with `ip nat inside source list 10 interface GigabitEthernet0/0 overload`. G0/0 connects to the LAN, and G0/1 connects to the ISP. Inside hosts cannot reach the internet. What is the MOST likely issue?
- The ACL 10 must be a named ACL, not a numbered ACL.
- PAT must use a NAT pool, not an interface, so the command is invalid.
- G0/0 should be configured as `ip nat inside`, and PAT should use the outside interface G0/1 instead.
- You must add `ip nat outside` to all LAN interfaces.
Answer: C) G0/0 should be configured as `ip nat inside`, and PAT should use the outside interface G0/1 instead.
In typical designs, the LAN-facing interface is `ip nat inside` and the ISP-facing interface is `ip nat outside`. PAT should reference the outside interface. The given command uses G0/0 (LAN) as the overload interface, so translations will not work correctly. Numbered ACLs are valid, and PAT does not require a pool.
Key NAT and Addressing Terms Review
Flip through these cards to reinforce core NAT and addressing terminology that frequently appears in CCNA questions.
- Private IPv4 address ranges (RFC 1918)
- 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. These ranges are reserved for internal use and are not routable on the public internet.
- NAT (definition)
- Network Address Translation (NAT) is a method of translating private IP addresses to public IP addresses, and vice versa, as packets traverse a router or firewall.
- Static NAT
- A fixed one-to-one mapping between a private (inside local) address and a public (inside global) address, often used for servers that must be reachable from the internet.
- Dynamic NAT
- Uses a pool of public addresses and maps inside local addresses to available inside global addresses on a first-come, first-served basis. Still one-to-one while active.
- Port Address Translation (PAT)
- Also called NAT overload. Many inside hosts share a single public IP by translating both IP address and source port, allowing thousands of sessions per public IP.
- Inside local vs inside global
- Inside local: private address of an internal host (e.g., 192.168.1.10). Inside global: public address representing that host on the internet (e.g., 203.0.113.10).
- ACL in NAT context
- An Access Control List (ACL) is an ordered set of permit and deny statements that control which packets are allowed or blocked based on criteria such as source, destination, and protocol. In NAT, a standard ACL usually selects inside source addresses to be translated.
- Commands: mark NAT interfaces
- `ip nat inside` on interfaces toward the private LAN; `ip nat outside` on interfaces toward the ISP/public internet.
- Command: PAT using interface address
- `ip nat inside source list <ACL> interface <outside-interface> overload` – enables PAT so many inside hosts share the outside interface IP.
- Verify NAT translations
- `show ip nat translations` displays current mappings; `show ip nat statistics` shows hits, misses, and interface roles.
Key Terms
- ACL
- An Access Control List (ACL) is an ordered set of permit and deny statements that control which packets are allowed or blocked based on criteria such as source, destination, and protocol.
- NAT
- Network Address Translation (NAT) is a method of translating private IP addresses to public IP addresses, and vice versa, as packets traverse a router or firewall.
- Static NAT
- A NAT configuration that creates a permanent one-to-one mapping between a private (inside local) address and a public (inside global) address.
- Dynamic NAT
- A NAT method that uses a pool of public addresses and assigns them to inside local addresses dynamically on a first-come, first-served basis.
- ip nat inside
- Cisco IOS interface command that marks an interface as belonging to the inside (private) NAT domain.
- ip nat outside
- Cisco IOS interface command that marks an interface as belonging to the outside (public) NAT domain.
- Inside local address
- The IP address assigned to a host on the inside network, usually a private RFC 1918 address.
- Private IPv4 address
- An IPv4 address from the RFC 1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) that is intended for internal use and not routable on the public internet.
- Inside global address
- The public IP address that represents one or more inside hosts to the outside world after NAT translation.
- Port Address Translation (PAT)
- A NAT variant, also called NAT overload, that allows many private hosts to share a single public IP by translating both IP address and transport-layer port numbers.