What is NAT? Complete Guide to Network Address Translation with All Types and Configuration Examples

What is NAT (Network Address Translation)?

NAT (Network Address Translation) is a process that modifies IP address information in packet headers while in transit across a routing device. NAT was primarily developed to address IPv4 address exhaustion by allowing multiple devices on a private network to share a single or small pool of public IP addresses for Internet access.

NAT operates on a router or firewall, translating private (RFC 1918) IP addresses used internally to public IP addresses used on the Internet. This translation happens transparently to end devices.

Why Use NAT?

  • IP Address Conservation: Multiple private IPs share few public IPs
  • Security (limited): Hides internal addressing, and unsolicited inbound packets that match no translation entry are dropped. This is a side effect, not a firewall: static NAT and port forwards deliberately open that path, so pair NAT with an inbound ACL or a stateful firewall
  • Flexibility: Change ISP without renumbering internal network
  • Network Merging: Prevents IP address conflicts when merging networks
  • Cost Savings: Reduces need for public IP addresses

Private IP Address Ranges (RFC 1918)

  • 10.0.0.0 to 10.255.255.255 (10.0.0.0/8, the former Class A range)
  • 172.16.0.0 to 172.31.255.255 (172.16.0.0/12, sixteen contiguous former Class B networks)
  • 192.168.0.0 to 192.168.255.255 (192.168.0.0/16, 256 former Class C networks)

These addresses are not routable on the public Internet (ISPs filter them at their borders), so traffic from them must be translated to public IPs before it leaves the network.

NAT Terminology

  • Inside Local: Private IP address of internal device
  • Inside Global: Public IP address representing internal device
  • Outside Local: IP address of external device as seen from inside
  • Outside Global: Public IP address of external device
  • Inside Network: Your internal/private network
  • Outside Network: External/public network (Internet)

Example Scenario:

  • Inside Local: 192.168.1.10 (PC in your network)
  • Inside Global: 203.0.113.5 (Public IP assigned by NAT)
  • Outside Global: 8.8.8.8 (Google DNS server)

Types of NAT

There are four main types of NAT, each serving different use cases:

1. Static NAT

One-to-one mapping between a private IP and a public IP. The mapping is permanent and always uses the same public IP for a specific private IP.

Use Case: Servers that need to be accessible from Internet (web servers, mail servers)

Example: 192.168.1.10 always translates to 203.0.113.10

2. Dynamic NAT

Maps private IP addresses to a pool of public IP addresses on a first-come, first-served basis. The mapping is temporary and changes.

Use Case: When you have fewer public IPs than internal devices, but not all devices access Internet simultaneously

Example: 192.168.1.10 might translate to 203.0.113.10 now, but 203.0.113.11 later

3. PAT (Port Address Translation) / NAT Overload

Maps multiple private IP addresses to a single public IP address using different port numbers. This is the most common type of NAT.

Use Case: Home networks, small businesses with one public IP

Example: Multiple devices (192.168.1.10, 192.168.1.11, 192.168.1.12) all share 203.0.113.5 but use different source ports

4. Policy NAT / Policy-Based NAT

Translation based on specific criteria such as source IP, destination IP, source port, or destination port. Allows granular control.

Use Case: Complex networks requiring different translation rules for different traffic types

1. Static NAT Configuration

Static NAT provides a permanent one-to-one mapping between a private IP address and a public IP address.

Scenario

  • Inside Network: 192.168.1.0/24
  • Web Server Private IP: 192.168.1.10
  • Public IP for Web Server: 203.0.113.10
  • Inside Interface: GigabitEthernet 0/0
  • Outside Interface: GigabitEthernet 0/1

Configuration

configure terminal

! Define inside and outside interfaces
interface GigabitEthernet 0/0
 description *** Inside Interface ***
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 no shutdown
exit

interface GigabitEthernet 0/1
 description *** Outside Interface (ISP) ***
 ip address 203.0.113.1 255.255.255.252
 ip nat outside
 no shutdown
exit

! Create static NAT mapping
ip nat inside source static 192.168.1.10 203.0.113.10

end
write memory
  

How It Works

When external users access 203.0.113.10, the router translates the destination to 192.168.1.10. When the web server (192.168.1.10) sends traffic out, the source IP is translated to 203.0.113.10. Because a one-to-one static entry covers every port, anything listening on the server (management ports included) becomes reachable from the Internet; restrict inbound traffic with an ACL on the outside interface, or forward only the needed ports with static PAT (see Port Forwarding below).

Multiple Static NAT Entries

! Map multiple servers
ip nat inside source static 192.168.1.10 203.0.113.10
ip nat inside source static 192.168.1.11 203.0.113.11
ip nat inside source static 192.168.1.12 203.0.113.12
  

2. Dynamic NAT Configuration

Dynamic NAT uses a pool of public IP addresses and assigns them dynamically to inside devices as needed.

Scenario

  • Inside Network: 192.168.1.0/24
  • Public IP Pool: 203.0.113.10 to 203.0.113.20 (11 addresses)
  • Inside Interface: GigabitEthernet 0/0
  • Outside Interface: GigabitEthernet 0/1

Configuration

configure terminal

! Define inside and outside interfaces
interface GigabitEthernet 0/0
 description *** Inside Interface ***
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 no shutdown
exit

interface GigabitEthernet 0/1
 description *** Outside Interface (ISP) ***
 ip address 203.0.113.1 255.255.255.252
 ip nat outside
 no shutdown
exit

! Create access list to define which internal IPs can use NAT
access-list 1 permit 192.168.1.0 0.0.0.255

! Define NAT pool
ip nat pool PUBLIC_POOL 203.0.113.10 203.0.113.20 netmask 255.255.255.0

! Link access list to NAT pool
ip nat inside source list 1 pool PUBLIC_POOL

end
write memory
  

How It Works

When a device from 192.168.1.0/24 tries to access the Internet, router assigns an available IP from the pool (203.0.113.10-20). If all 11 IPs are in use, the 12th device cannot access Internet until one IP becomes available.

3. PAT (NAT Overload) Configuration

PAT allows thousands of internal devices to share a single public IP address by giving each session a unique source port on that address. The practical ceiling is the port space: a little under 65,536 concurrent sessions per transport protocol per public IP, so a busy network behind one address can exhaust it.

Method 1: PAT Using Single Public IP (Interface Overload)

configure terminal

! Define interfaces
interface GigabitEthernet 0/0
 description *** Inside Interface ***
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 no shutdown
exit

interface GigabitEthernet 0/1
 description *** Outside Interface (ISP) ***
 ip address 203.0.113.5 255.255.255.252
 ip nat outside
 no shutdown
exit

! Define which internal IPs can use NAT
access-list 1 permit 192.168.1.0 0.0.0.255

! Configure PAT using the outside interface IP
ip nat inside source list 1 interface GigabitEthernet 0/1 overload

end
write memory
  

Method 2: PAT Using NAT Pool with Overload

configure terminal

! Define access list
access-list 1 permit 192.168.1.0 0.0.0.255

! Create NAT pool (can be just one IP)
ip nat pool PAT_POOL 203.0.113.10 203.0.113.10 netmask 255.255.255.0

! Configure PAT with overload
ip nat inside source list 1 pool PAT_POOL overload

end
write memory
  

How It Works

Multiple internal devices share the same public IP but use different source ports:

  • 192.168.1.10:50123 → 203.0.113.5:50123
  • 192.168.1.11:50456 → 203.0.113.5:50456
  • 192.168.1.12:51789 → 203.0.113.5:51789

The router maintains a NAT translation table tracking which internal IP:port combination maps to which external port. IOS keeps the original source port when it is not already in use on the public IP (as in the example above) and allocates a different port when two inside hosts pick the same one. Inbound packets are matched against this table; a packet that matches no entry has nowhere to go and is dropped, which is the incidental filtering effect of PAT.
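The following is an added example, not Cisco code or router output from this page: a small simulation of the PAT translation table described above. It assumes one public IP (the 203.0.113.5 used in the page's scenario), that a replacement global port is taken from 1024-65535 when an inside host's source port is already in use, and that tcp and udp keep separate port spaces. It shows the source port being preserved when free, a collision getting a fresh port, a reply being mapped back through the table, and an unsolicited inbound packet (no entry) being dropped.

```python
"""PAT (NAT overload) translation table as a small simulation.

Added example, not from the page. Assumptions: one public IP, replacement
global ports allocated from 1024-65535, separate port spaces per protocol.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

PUBLIC_IP = "203.0.113.5"  # the outside interface address from the page's scenario


@dataclass
class PatTable:
    public_ip: str = PUBLIC_IP
    port_range: range = range(1024, 65536)  # assumed allocation range for replacement ports
    # (proto, global_port) -> (inside_ip, inside_port): consulted for inbound packets
    inbound: Dict[Tuple[str, int], Tuple[str, int]] = field(default_factory=dict)
    # (proto, inside_ip, inside_port) -> global_port: consulted for outbound packets
    outbound: Dict[Tuple[str, str, int], int] = field(default_factory=dict)

    def translate_out(self, proto: str, src_ip: str, src_port: int) -> Tuple[str, int]:
        """Outbound packet from an inside host: the (global IP, global port) it leaves with."""
        key = (proto, src_ip, src_port)
        if key in self.outbound:  # an established flow keeps its entry
            return self.public_ip, self.outbound[key]
        if (proto, src_port) not in self.inbound:
            gport = src_port  # source port preserved: nobody else holds it on the public IP
        else:
            gport = self._free_port(proto)  # collision: allocate a different global port
        self.inbound[(proto, gport)] = (src_ip, src_port)
        self.outbound[key] = gport
        return self.public_ip, gport

    def translate_in(self, proto: str, dst_port: int) -> Optional[Tuple[str, int]]:
        """Inbound packet to the public IP: the inside (ip, port) to deliver to, or None.

        None is the incidental filtering PAT provides: with no translation entry,
        an unsolicited packet cannot be routed to any inside host and is dropped.
        """
        return self.inbound.get((proto, dst_port))

    def _free_port(self, proto: str) -> int:
        for port in self.port_range:
            if (proto, port) not in self.inbound:
                return port
        raise RuntimeError(f"{proto} port space on {self.public_ip} exhausted")


def demo() -> dict:
    """Three inside hosts that all picked source port 50123, then two inbound packets."""
    table = PatTable()
    a = table.translate_out("tcp", "192.168.1.10", 50123)  # port kept: 50123 is free
    b = table.translate_out("tcp", "192.168.1.11", 50123)  # collision: gets 1024
    c = table.translate_out("udp", "192.168.1.12", 50123)  # udp is a separate space: kept
    return {
        "a": a,
        "b": b,
        "c": c,
        "reply_to_a": table.translate_in("tcp", a[1]),  # maps back to ("192.168.1.10", 50123)
        "unsolicited_ssh": table.translate_in("tcp", 22),  # None: dropped
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Port exhaustion is modelled too: constructing PatTable with a tiny port_range and adding more colliding hosts than there are ports raises RuntimeError, which is the simulation's stand-in for a real router failing to create new translations.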

4. Port Forwarding (Static PAT)

Forwards external requests on specific ports to internal servers. Essential for hosting services behind NAT. Every forward opens a path from the whole Internet to that service, so pair it with an ACL on the outside interface, and think twice about exposing SSH at all (key-only authentication and a source restriction are the minimum). Forwarding port 22 or 443 on the outside interface address will typically also capture connections meant for the router itself on that address, because the static entry is matched first.

Scenario

  • Web Server Internal IP: 192.168.1.10
  • SSH Server Internal IP: 192.168.1.11
  • Public IP: 203.0.113.5
  • Forward Port 80 (HTTP) to 192.168.1.10
  • Forward Port 22 (SSH) to 192.168.1.11

Configuration

configure terminal

! Define interfaces
interface GigabitEthernet 0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
exit

interface GigabitEthernet 0/1
 ip address 203.0.113.5 255.255.255.252
 ip nat outside
exit

! Forward HTTP (port 80) to web server
ip nat inside source static tcp 192.168.1.10 80 203.0.113.5 80

! Forward SSH (port 22) to SSH server
ip nat inside source static tcp 192.168.1.11 22 203.0.113.5 22

! Forward HTTPS (port 443) to web server
ip nat inside source static tcp 192.168.1.10 443 203.0.113.5 443

end
write memory
  

Alternative: Forward to Different External Port

! Forward external port 8080 to internal port 80
ip nat inside source static tcp 192.168.1.10 80 203.0.113.5 8080
  

Users would access http://203.0.113.5:8080 which routes to 192.168.1.10:80

Complete NAT Configuration Example

Network Topology

  • Inside Network: 192.168.1.0/24
  • Web Server: 192.168.1.10 (needs static NAT)
  • Internal Users: 192.168.1.100-192.168.1.200 (use PAT)
  • Public IPs: 203.0.113.5 (primary), 203.0.113.10 (web server)

Complete Configuration

configure terminal

! Inside Interface
interface GigabitEthernet 0/0
 description *** LAN Interface ***
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 no shutdown
exit

! Outside Interface
interface GigabitEthernet 0/1
 description *** WAN Interface (ISP) ***
 ip address 203.0.113.5 255.255.255.252
 ip nat outside
 no shutdown
exit

! Static NAT for Web Server (one-to-one: every port on 192.168.1.10 is reachable at 203.0.113.10)
ip nat inside source static 192.168.1.10 203.0.113.10

! Lower-exposure alternative: per-port static PAT for HTTP/HTTPS only.
! Use these INSTEAD of the one-to-one entry above, not in addition to it;
! the one-to-one entry already covers all ports and IOS typically rejects the overlap.
! ip nat inside source static tcp 192.168.1.10 80 203.0.113.10 80
! ip nat inside source static tcp 192.168.1.10 443 203.0.113.10 443

! Access List for internal users 192.168.1.100 to 192.168.1.200.
! A wildcard mask cannot express an arbitrary range in one line (the 'don't care'
! bits must form an aligned block), so the range is split into aligned blocks:
access-list 100 permit ip 192.168.1.100 0.0.0.3 any
access-list 100 permit ip 192.168.1.104 0.0.0.7 any
access-list 100 permit ip 192.168.1.112 0.0.0.15 any
access-list 100 permit ip 192.168.1.128 0.0.0.63 any
access-list 100 permit ip 192.168.1.192 0.0.0.7 any
access-list 100 permit ip host 192.168.1.200 any

! PAT for internal users using primary public IP
ip nat inside source list 100 interface GigabitEthernet 0/1 overload

! Route to Internet
ip route 0.0.0.0 0.0.0.0 203.0.113.6

end
write memory
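Wildcard masks are where NAT access lists most often go wrong: a mask such as 0.0.0.99, which looks like "the next 100 addresses", actually has scattered 'don't care' bits and matches a scattered set of hosts instead of a range. The following is an added example, not part of the page or of any Cisco tool, that evaluates an ACL entry exactly as the router does (bitwise, using only the Python standard library) and splits an inclusive range such as 192.168.1.100-192.168.1.200 into the aligned power-of-two blocks that a wildcard mask can express. The access-list number and the address range are taken from the scenario above; nothing else is assumed.

```python
"""Check what a Cisco wildcard mask actually matches, and build correct entries for a range.

Added example, not from the page. In a wildcard mask a 1 bit means 'do not care',
so a single entry can only describe an aligned block of 2^k addresses.
"""
import ipaddress
from typing import List, Tuple


def _as_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def matches(addr: str, base: str, wildcard: str) -> bool:
    """True if addr is matched by the ACL entry 'base wildcard' (same bitwise test the router applies)."""
    care = ~_as_int(wildcard) & 0xFFFFFFFF
    return (_as_int(addr) & care) == (_as_int(base) & care)


def matched_hosts(base: str, wildcard: str, network: str) -> List[str]:
    """Every address in network that the entry matches (fine for a /24)."""
    return [str(h) for h in ipaddress.IPv4Network(network) if matches(str(h), base, wildcard)]


def range_to_entries(first: str, last: str) -> List[Tuple[str, str]]:
    """Split an inclusive address range into (base, wildcard) pairs.

    Each pair is the largest power-of-two block that starts at the current
    address, is aligned to its own size, and does not run past the range end.
    """
    lo, hi = _as_int(first), _as_int(last)
    entries = []
    while lo <= hi:
        size = 1
        while lo % (size * 2) == 0 and lo + size * 2 - 1 <= hi:
            size *= 2
        entries.append((str(ipaddress.IPv4Address(lo)), str(ipaddress.IPv4Address(size - 1))))
        lo += size
    return entries


def acl_lines(number: int, first: str, last: str) -> List[str]:
    """Render the range as IOS extended access-list source entries."""
    lines = []
    for base, wildcard in range_to_entries(first, last):
        src = f"host {base}" if wildcard == "0.0.0.0" else f"{base} {wildcard}"
        lines.append(f"access-list {number} permit ip {src} any")
    return lines


if __name__ == "__main__":
    # What the tempting single entry "192.168.1.100 0.0.0.99" really covers:
    print(matched_hosts("192.168.1.100", "0.0.0.99", "192.168.1.0/24"))
    # The entries that actually cover .100 through .200:
    print("\n".join(acl_lines(100, "192.168.1.100", "192.168.1.200")))
```

Run the block against any proposed ACL entry before committing it: if matched_hosts returns addresses outside the range you meant, the wildcard is wrong. The same split applies to deny lines used to exclude hosts from translation.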
  

NAT Verification Commands

Show Active NAT Translations

show ip nat translations
  

Displays all current NAT translation entries
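Reading the translation table by eye is fine for a handful of hosts; on a real router the useful check is whether the static entries (the port forwards, which persist whether or not traffic is flowing) still match what the team has documented, and how much of the PAT port space each public IP is using. The following is an added example, not part of the page and not a Cisco tool, that parses the five-column layout of show ip nat translations and audits it. The sample table is constructed to resemble IOS output and is not captured from a real router; the DOCUMENTED_FORWARDS allowlist is an assumption standing in for the team's own records.

```python
"""Audit a 'show ip nat translations' table against the documented port forwards.

Added example, not from the page. Static entries show '---' in both outside
columns; a '---' protocol is a one-to-one static mapping (every port exposed).
"""
from collections import Counter
from typing import Dict, List, NamedTuple, Optional, Set, Tuple

# Constructed sample in the shape of IOS output (not a real capture)
SAMPLE_OUTPUT = """\
Pro Inside global      Inside local         Outside local      Outside global
tcp 203.0.113.5:50123  192.168.1.100:50123  198.51.100.7:443   198.51.100.7:443
tcp 203.0.113.5:1024   192.168.1.101:50123  198.51.100.7:443   198.51.100.7:443
udp 203.0.113.5:50456  192.168.1.101:50456  8.8.8.8:53         8.8.8.8:53
tcp 203.0.113.10:80    192.168.1.10:80      ---                ---
tcp 203.0.113.10:443   192.168.1.10:443     ---                ---
tcp 203.0.113.5:3389   192.168.1.50:3389    ---                ---
--- 203.0.113.10       192.168.1.10         ---                ---
"""

# Assumed allowlist of documented forwards: (proto, global ip, global port)
DOCUMENTED_FORWARDS: Set[Tuple[str, str, int]] = {
    ("tcp", "203.0.113.10", 80),
    ("tcp", "203.0.113.10", 443),
}


class Translation(NamedTuple):
    proto: Optional[str]          # 'tcp', 'udp', 'icmp' or None for a one-to-one static entry
    inside_global: str
    inside_local: str
    outside_local: Optional[str]  # None means '---' (no active outside peer)
    outside_global: Optional[str]


def _dash(value: str) -> Optional[str]:
    return None if value == "---" else value


def parse_translations(text: str) -> List[Translation]:
    """Turn the command output into Translation records, skipping the header line."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] == "Pro":
            continue
        rows.append(Translation(_dash(parts[0]), parts[1], parts[2], _dash(parts[3]), _dash(parts[4])))
    return rows


def split_sock(value: str) -> Tuple[str, Optional[int]]:
    """'203.0.113.5:80' -> ('203.0.113.5', 80); a bare address has port None."""
    ip, _, port = value.partition(":")
    return ip, (int(port) if port else None)


def audit(rows: List[Translation]) -> Dict[str, object]:
    exposed = []            # per-port static entries: (proto, global ip, global port, inside ip, inside port)
    all_ports = []          # one-to-one static entries: (global ip, inside ip)
    per_host = Counter()    # active sessions per inside host
    per_global = Counter()  # global ports in use per public IP (PAT pressure)
    for r in rows:
        g_ip, g_port = split_sock(r.inside_global)
        l_ip, l_port = split_sock(r.inside_local)
        if r.outside_global is None:  # static entry, present whether or not traffic flows
            if r.proto is None:
                all_ports.append((g_ip, l_ip))
            else:
                exposed.append((r.proto, g_ip, g_port, l_ip, l_port))
        else:
            per_host[l_ip] += 1
            per_global[g_ip] += 1
    return {"exposed_ports": exposed, "all_ports_exposed": all_ports,
            "sessions_per_host": dict(per_host), "ports_in_use": dict(per_global)}


def unexpected_exposures(report: Dict[str, object], documented: Set[Tuple[str, str, int]]) -> List[tuple]:
    """Static port forwards present on the router but absent from the documented list."""
    return [e for e in report["exposed_ports"] if (e[0], e[1], e[2]) not in documented]


if __name__ == "__main__":
    report = audit(parse_translations(SAMPLE_OUTPUT))
    print("sessions per host:", report["sessions_per_host"])
    print("ports in use per public IP:", report["ports_in_use"])
    print("one-to-one static (all ports reachable):", report["all_ports_exposed"])
    print("undocumented forwards:", unexpected_exposures(report, DOCUMENTED_FORWARDS))
```

In the constructed sample the audit surfaces an RDP forward to 192.168.1.50 that nobody documented, and reminds you that the one-to-one entry for 192.168.1.10 exposes every port on that host. Feed the real command output into parse_translations (for example from a scheduled SSH collection) and alert on a non-empty unexpected_exposures result.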

Show NAT Statistics

show ip nat statistics
  

Shows NAT statistics including total translations, hits, misses

Show Detailed NAT Information

show ip nat translations verbose
  

Detailed translation table with timestamps

Clear NAT Translations

clear ip nat translation *
  

Clears all dynamic NAT translations (static entries remain)

clear ip nat translation inside 203.0.113.10 192.168.1.10
  

Clears the dynamic translation for one inside host; the inside keyword is followed by the inside global address and then the inside local address. A PAT entry needs the protocol and ports as well (clear ip nat translation tcp inside global-ip global-port local-ip local-port outside local-ip local-port global-ip global-port). A static entry is removed only by deleting it from the configuration.

Debug NAT

debug ip nat
debug ip nat detailed
  

Warning: debug ip nat prints a line for every translated packet; on a busy router it can saturate the console and the CPU. Where possible limit it to an access list (debug ip nat 1) and only enable it for a short window. Stop with:

no debug ip nat
undebug all
  

Advanced NAT Configuration

NAT with Extended Access List

! Translate only HTTP/HTTPS traffic
access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq 80
access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq 443

ip nat inside source list 101 interface GigabitEthernet 0/1 overload
  

NAT Timeout Configuration

! Adjust timeout values (seconds). 86400 for tcp, 300 for udp and 60 for fin/rst
! are the IOS defaults; the generic timeout (dynamic, non-PAT entries) also defaults to 86400
ip nat translation timeout 300
ip nat translation tcp-timeout 86400
ip nat translation udp-timeout 300
ip nat translation finrst-timeout 60
  

NAT with Route Maps (Policy-Based NAT)

! Different NAT for different destinations
access-list 1 permit 192.168.1.0 0.0.0.255

route-map NAT_ISP1 permit 10
 match ip address 1
 match interface GigabitEthernet 0/1

ip nat inside source route-map NAT_ISP1 interface GigabitEthernet 0/1 overload
  

Exclude Addresses from NAT

! Don't NAT traffic to specific destinations
access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any

ip nat inside source list 100 interface GigabitEthernet 0/1 overload
  

Troubleshooting NAT

Common Issues and Solutions

Issue 1: NAT Not Working

Check:

show ip nat statistics
show ip nat translations
show ip interface brief
  

Verify:

  • Interfaces marked as "ip nat inside" and "ip nat outside"
  • Access list permits the source IP
  • NAT pool is configured correctly
  • Routing is configured (default route to ISP)

Issue 2: Some Devices Can't Access Internet

Causes:

  • NAT pool exhausted (Dynamic NAT)
  • Access list doesn't include the device IP

Solution:

! Check available translations
show ip nat statistics

! Expand access list or use PAT
access-list 1 permit 192.168.1.0 0.0.0.255
  

Issue 3: Port Forwarding Not Working

Check:

show ip nat translations | include 192.168.1.10
show access-lists
  

Verify:

  • Static NAT entry is correct
  • Firewall/ACL allows traffic
  • Server is listening on the port
  • Inside interface is marked "ip nat inside"

Issue 4: Old Translations Not Clearing

Solution:

! Clear all dynamic translations
clear ip nat translation *

! Reduce timeout values
ip nat translation timeout 300
  

NAT Best Practices

  • Use PAT for general Internet access: Most efficient use of public IPs
  • Use Static NAT for servers: Ensures consistent external IP
  • Document NAT mappings: Keep records of what translates to what
  • Use descriptive access lists: Use named or numbered ACLs consistently
  • Plan IP addressing: Use proper RFC 1918 private addressing
  • Monitor NAT table: Watch for NAT pool exhaustion
  • Secure NAT device: Apply security hardening to NAT router
  • Use extended ACLs for granular control: Specify protocols and ports
  • Test failover: If using multiple public IPs, test failover scenarios
  • Document port forwards: Maintain list of forwarded ports and services
  • Tune timeouts rather than clearing: clear ip nat translation * drops every active session; adjust the ip nat translation timeouts and let idle entries expire
  • Review static entries regularly: every static NAT or port forward is an inbound exposure, so compare the table against your documented list and remove anything unexplained

NAT Types Comparison

NAT Type        | Mapping                  | Public IPs Required            | Best Use Case
----------------|--------------------------|--------------------------------|-------------------------------------------------
Static NAT      | One-to-one (permanent)   | Equal to inside hosts          | Servers accessible from Internet
Dynamic NAT     | One-to-one (temporary)   | Pool of IPs (fewer than hosts) | Limited public IPs, not all devices simultaneous
PAT (Overload)  | Many-to-one (with ports) | One IP (or small pool)         | Most common, home/small business
Port Forwarding | Port-specific            | One IP                         | Hosting services behind NAT

Quick Reference Command Summary

! Interface Configuration
interface GigabitEthernet 0/0
 ip nat inside
interface GigabitEthernet 0/1
 ip nat outside

! Static NAT
ip nat inside source static 192.168.1.10 203.0.113.10

! Dynamic NAT
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat pool POOL_NAME 203.0.113.10 203.0.113.20 netmask 255.255.255.0
ip nat inside source list 1 pool POOL_NAME

! PAT (Overload)
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 interface GigabitEthernet 0/1 overload

! Port Forwarding
ip nat inside source static tcp 192.168.1.10 80 203.0.113.5 80

! Verification
show ip nat translations
show ip nat statistics
clear ip nat translation *

! Debug
debug ip nat
undebug all
  

Conclusion

NAT is a fundamental technology that enables efficient use of public IP addresses and, as a side effect, drops unsolicited inbound traffic that matches no translation; it hides internal addressing but is not a substitute for a firewall. Understanding the different types of NAT (Static NAT, Dynamic NAT, PAT, and Port Forwarding) allows you to choose the right solution for your specific requirements.

PAT (NAT Overload) is the most commonly used NAT type in modern networks, allowing thousands of internal devices to share a single public IP address. Static NAT and Port Forwarding are essential for hosting services that need to be accessible from the Internet. Dynamic NAT provides a middle ground when you have a limited pool of public IPs.

Proper NAT configuration, combined with thorough testing and monitoring, ensures that your network maintains both Internet connectivity and security. Always document your NAT mappings, especially port forwards, and regularly review NAT translations to identify and resolve potential issues.