Network Address Translation (NAT) is a critical technology used to translate private IP addresses (defined in RFC 1918) into public routable IPs. Without NAT, the global IPv4 address pool would have run out decades ago. On edge routers, engineers deploy either **Dynamic NAT** or **Port Address Translation (PAT)** to manage outgoing connections.
NAT Address Terminology
- Inside Local: The private IP address assigned to a host on the local network (e.g. 192.168.1.10).
- Inside Global: The public routable IP address used to represent the inside local host to the external internet.
- Outside Global: The public IP address assigned to the external destination host (e.g. web server).
1. Dynamic NAT
Dynamic NAT maps private inside local addresses to public inside global addresses from a defined pool. It establishes a **1-to-1 dynamic mapping**:
- Process: The router receives a packet, grabs an unused public IP from the pool, creates a translation entry, and forwards the packet.
- Limitation: If the pool contains 5 public IPs, only 5 local hosts can access the internet concurrently. If a 6th host tries to connect, its packets are dropped until one of the active sessions times out.
2. Port Address Translation (PAT)
Also known as NAT Overload, PAT maps multiple inside local private addresses to a **single public IP address** by utilizing TCP and UDP source ports:
- How it works: The router modifies both the source IP and the source port number of the outgoing packet. Since a single IP address has 65,536 transport-layer ports available, PAT theoretically allows thousands of local hosts to share one public IP simultaneously.
- Use Case: Standard on home routers (which get one dynamic public IP from the ISP) and enterprise borders.
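As an added illustration (not code from the original article), the following Python models the translation tables behind both mechanisms: a Dynamic NAT pool that drops the next host once every address is taken, and a PAT table that keeps a flow's source port when it is free, allocates another on a collision, and reverses the mapping for return traffic. The addresses, ports and the keep-the-port-if-free allocation rule are assumptions chosen for the example.

```python
# Added example: a toy model of router NAT translation tables.
# Sample addresses and ports below are constructed, not captured.

class DynamicNat:
    """1-to-1 mapping drawn from a pool of public addresses."""
    def __init__(self, pool):
        self.free = list(pool)
        self.table = {}                      # inside local -> inside global

    def translate(self, inside_local):
        if inside_local not in self.table:
            if not self.free:                # pool exhausted: packet is dropped
                return None
            self.table[inside_local] = self.free.pop(0)
        return self.table[inside_local]


class Pat:
    """Many-to-one mapping: one public IP, a distinct source port per flow."""
    def __init__(self, inside_global, first_port=1024):
        self.inside_global = inside_global
        self.next_port = first_port
        self.outbound = {}                   # (local ip, local port) -> global port
        self.inbound = {}                    # global port -> (local ip, local port, dst)

    def translate_out(self, src_ip, src_port, dst_ip, dst_port):
        """Return the (inside global IP, port) the outgoing packet leaves with."""
        key = (src_ip, src_port)
        if key not in self.outbound:
            port = src_port                  # assumption: keep the port when it is free
            if port in self.inbound:         # collision: pick the next unused port
                while self.next_port in self.inbound:
                    self.next_port += 1
                port = self.next_port
            self.outbound[key] = port
            self.inbound[port] = (src_ip, src_port, f"{dst_ip}:{dst_port}")
        return self.inside_global, self.outbound[key]

    def translate_in(self, dst_port):
        """Map a returning packet's destination port back to (inside local IP, port)."""
        entry = self.inbound.get(dst_port)   # None: no entry, the router drops it
        return entry[:2] if entry else None

    def translations(self):
        """Rows laid out like the 'show ip nat translations' output."""
        return [f"tcp {self.inside_global}:{p} {ip}:{lp} {dst} {dst}"
                for p, (ip, lp, dst) in sorted(self.inbound.items())]
```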
3. Configuring PAT (Overload) on Cisco IOS
To configure PAT with a single exit interface IP, follow these steps:
Step 1: Define Interface Boundaries
```
Router(config)# interface GigabitEthernet0/0
Router(config-if)# ip address 192.168.1.1 255.255.255.0
Router(config-if)# ip nat inside
Router(config-if)# exit
Router(config)# interface GigabitEthernet0/1
Router(config-if)# ip address 203.0.113.1 255.255.255.252
Router(config-if)# ip nat outside
Router(config-if)# exit
```
Step 2: Match Inside Private Addresses (Access List)
Router(config)# access-list 1 permit 192.168.1.0 0.0.0.255
Step 3: Bind ACL to Exit Interface with Overload Keyword
Router(config)# ip nat inside source list 1 interface GigabitEthernet0/1 overload
The Overload Keyword
If you omit the keyword `overload` at the end of the `ip nat inside source` command, the router configures standard Dynamic NAT with the single interface address as its only public IP. The first host that connects takes that address, and every other host is blocked from accessing the internet.
4. Verification Commands
Confirm translation status using diagnostic show commands:
- Show Active Translations: `show ip nat translations`

```
Router# show ip nat translations
Pro Inside global      Inside local       Outside local   Outside global
tcp 203.0.113.1:1052   192.168.1.10:1052  8.8.8.8:80      8.8.8.8:80
```
- Show NAT Statistics: `show ip nat statistics` (displays hit count, active translation totals, and pool allocations).