Dynamic NAT – Configuration, Address Terminology, and Troubleshooting

1. What Is Dynamic NAT?

Dynamic NAT (Network Address Translation) is the process by which a router automatically assigns a public IP address from a pre-configured pool to an internal private-address host the first time that host initiates outbound traffic. The mapping is temporary — it exists only for the duration of the active session and is released back to the pool when the session ends or times out.

Dynamic NAT provides a many-to-many relationship: many internal hosts can use NAT, but the number of simultaneous sessions is limited by the size of the public IP pool. Once all pool addresses are in use, new connection attempts are dropped until an existing mapping expires.

  Internal Network (192.168.1.0/24)        Internet
  ┌──────────────────────────────┐
  │ PC-A  192.168.1.10           │──→ NAT Router ──→ 203.0.113.3 ──→ 8.8.8.8
  │ PC-B  192.168.1.11           │──→ NAT Router ──→ 203.0.113.7 ──→ 8.8.8.8
  │ PC-C  192.168.1.12  (waiting)│    [Pool full – 10 IPs in use]
  │  ...  192.168.1.x            │
  └──────────────────────────────┘

  Dynamic NAT pool: 203.0.113.1 – 203.0.113.10  (10 addresses)
  Maximum simultaneous internet sessions: 10


2. The Four NAT Address Terms

Understanding the four NAT address terms is critical for the CCNA exam. The terms are defined from the perspective of the NAT router, not the host. Each term combines a location (Inside / Outside) with how the address appears to that side (Local = as seen locally, Global = as seen on the internet).

  Inside Local
    Definition: The real private IP address of the internal host, as assigned in the LAN — the address before NAT translates it
    Example:    192.168.1.10
    Where seen: Inside the network only; this address appears in the IP source field of packets before they reach the NAT router

  Inside Global
    Definition: The public IP address assigned to the internal host by the NAT router — drawn from the NAT pool; what the internet sees as the source of the traffic
    Example:    203.0.113.5
    Where seen: Outside the network; this replaces the Inside Local address in the IP source field after NAT translation

  Outside Local
    Definition: The IP address of the external destination as seen from inside the network. In most configurations without Destination NAT, this equals the Outside Global.
    Example:    8.8.8.8
    Where seen: The destination IP in the internal host's packet — usually the real internet IP of the server being reached

  Outside Global
    Definition: The real, routable IP address of the external destination host — the actual internet address of the server
    Example:    8.8.8.8
    Where seen: The destination IP as seen on the internet; typically the same as Outside Local in standard Dynamic NAT deployments

  ┌── Inside ────────────────────────┐    ┌── Outside ──────────────────────┐
  │                                  │    │                                  │
  │  PC-A                NAT Router  │    │  NAT Router          Google DNS  │
  │  Src: 192.168.1.10 ──→ [NAT] ───→│────│→ Src: 203.0.113.5 ──→ 8.8.8.8   │
  │  (Inside Local)     translates   │    │   (Inside Global)  (Outside      │
  │                                  │    │                     Global/Local) │
  └──────────────────────────────────┘    └──────────────────────────────────┘

  NAT Translation Table entry:
  Inside Local    Inside Global    Outside Local    Outside Global
  192.168.1.10    203.0.113.5      8.8.8.8          8.8.8.8

3. How Dynamic NAT Works — Step by Step

Dynamic NAT translation is triggered by the first outbound packet from an internal host and is maintained for the duration of the session. Here is the complete flow:

  Step 1 — Internal host sends a packet
  PC-A (192.168.1.10) sends to 8.8.8.8:53 (DNS query)
  Packet: Src=192.168.1.10  Dst=8.8.8.8  arrives at NAT router's inside interface

  Step 2 — Router checks the NAT ACL
  ACL 1 permits 192.168.1.0/24 → 192.168.1.10 matches ✓

  Step 3 — Router allocates a pool address
  NAT pool MY_POOL has 203.0.113.1–10
  203.0.113.1 is next available → assigned to 192.168.1.10

  Step 4 — NAT table entry created
  Inside Local: 192.168.1.10
  Inside Global: 203.0.113.1
  Outside Local: 8.8.8.8
  Outside Global: 8.8.8.8

  Step 5 — Packet is translated and forwarded
  Src IP is rewritten: 192.168.1.10 → 203.0.113.1
  Packet forwarded out the outside interface to 8.8.8.8

  Step 6 — Reply arrives
  Reply from 8.8.8.8 arrives with Dst=203.0.113.1
  Router looks up 203.0.113.1 in NAT table → maps to 192.168.1.10
  Dst IP is rewritten: 203.0.113.1 → 192.168.1.10
  Packet delivered to PC-A ✓

  Step 7 — Session ends / timeout expires
  NAT table entry is cleared
  203.0.113.1 is returned to the pool for reuse

Key behaviour: Dynamic NAT is unidirectional by default — translations are only created by traffic flowing from the inside to the outside. An external host cannot initiate a connection to an inside host through dynamic NAT (unlike Static NAT, where the mapping is permanent and bidirectional). This provides an implicit security benefit.

4. Cisco IOS Configuration — Step by Step

Dynamic NAT requires four configuration elements: a NAT pool, an ACL defining eligible inside hosts, a binding between them, and interface role assignments.

Step 1 — Define the NAT Pool

  Router(config)# ip nat pool MY_POOL 203.0.113.1 203.0.113.10 netmask 255.255.255.0

  ! MY_POOL    = name; used in the binding command
  ! 203.0.113.1  = first address in the pool (inclusive)
  ! 203.0.113.10 = last address in the pool (inclusive)
  ! netmask      = subnet mask of the public range
  ! This pool provides 10 public addresses

Alternatively, prefix-length can replace netmask: ip nat pool MY_POOL 203.0.113.1 203.0.113.10 prefix-length 24

Step 2 — Create an ACL Identifying Inside Hosts

  Router(config)# access-list 1 permit 192.168.1.0 0.0.0.255

  ! ACL 1 is a standard numbered ACL
  ! permit = these source addresses are eligible for NAT
  ! 192.168.1.0 0.0.0.255 = the entire 192.168.1.0/24 subnet
  ! The implicit deny at the end of the ACL excludes all other sources

  ! Named ACL alternative (preferred):
  Router(config)# ip access-list standard INSIDE_HOSTS
  Router(config-std-nacl)# 10 permit 192.168.1.0 0.0.0.255
  ! If you use the named ACL, reference it by name in the Step 3 binding:
  !   ip nat inside source list INSIDE_HOSTS pool MY_POOL

Step 3 — Bind the ACL to the NAT Pool

  Router(config)# ip nat inside source list 1 pool MY_POOL

  ! inside source = translate inside-to-outside traffic
  ! list 1        = use ACL 1 to identify eligible inside hosts
  ! pool MY_POOL  = allocate from the MY_POOL address range

Step 4 — Assign Interface Roles

  Router(config)# interface GigabitEthernet0/0
  Router(config-if)# ip nat inside          ! LAN-facing interface
  Router(config-if)# exit

  Router(config)# interface GigabitEthernet0/1
  Router(config-if)# ip nat outside         ! WAN/internet-facing interface
  Router(config-if)# exit

  ! CRITICAL: Both roles MUST be assigned.
  ! If either is missing, NAT will not translate any traffic.
  ! "ip nat inside"  = packets arriving here may need translation (outbound)
  ! "ip nat outside" = translated packets leave through here

Complete Configuration at a Glance

  ! ── NAT pool ──────────────────────────────────────────────────────
  ip nat pool MY_POOL 203.0.113.1 203.0.113.10 netmask 255.255.255.0

  ! ── ACL: identify eligible inside hosts ──────────────────────────
  access-list 1 permit 192.168.1.0 0.0.0.255

  ! ── Bind ACL to pool ─────────────────────────────────────────────
  ip nat inside source list 1 pool MY_POOL

  ! ── Interface roles ──────────────────────────────────────────────
  interface GigabitEthernet0/0
   ip nat inside

  interface GigabitEthernet0/1
   ip nat outside


5. Verifying Dynamic NAT

After configuring Dynamic NAT, confirm that translations are actually being created before relying on the router in production: entries only appear once an inside host sends outbound traffic, so generate a little test traffic from the LAN and then inspect the translation table and statistics.

show ip nat translations

  Router# show ip nat translations

  Pro  Inside global    Inside local     Outside local    Outside global
  ---  203.0.113.1      192.168.1.10     8.8.8.8          8.8.8.8
  ---  203.0.113.2      192.168.1.11     1.1.1.1          1.1.1.1
  tcp  203.0.113.3      192.168.1.12     172.217.3.110    172.217.3.110
       (49301)          (49301)          (443)            (443)

  ! Pro          = protocol (--- = generic, tcp/udp = port-specific)
  ! Inside global  = public IP from the pool (what internet sees)
  ! Inside local   = private IP of the internal host
  ! Outside local/global = destination (same in basic Dynamic NAT)

show ip nat statistics

  Router# show ip nat statistics

  Total active translations: 2 (0 static, 2 dynamic; 2 extended)
  Outside interfaces: GigabitEthernet0/1
  Inside interfaces:  GigabitEthernet0/0
  Hits: 47    Misses: 3
  CEF Translated packets: 47, CEF Punted packets: 0
  Expired translations: 12
  Dynamic mappings:
  -- Inside Source
     access-list 1 pool MY_POOL refcount 2
      pool MY_POOL: netmask 255.255.255.0
             start 203.0.113.1 end 203.0.113.10
             type generic, total addresses 10
             allocated 2, misses 0

  ! "Hits"    = packets matched a NAT translation
  ! "Misses"  = packets that needed NAT but found no free pool address
  ! "allocated 2" = 2 pool IPs currently in use

  show ip nat translations
    What it shows:  All active translation entries with Inside Local, Inside Global, Outside Local, Outside Global, and protocol/port
    When to use it: Confirm translations are being created; identify which pool IPs are assigned to which hosts

  show ip nat translations verbose
    What it shows:  Same as above plus creation timestamp and idle timer for each entry
    When to use it: Diagnose stale entries or verify timeout behaviour

  show ip nat statistics
    What it shows:  Hit/miss counters, interface roles, pool allocation status (total / allocated / misses)
    When to use it: Confirm interface roles are set; check pool exhaustion (misses counter); verify the pool-to-ACL binding

  show running-config | include nat
    What it shows:  All NAT-related configuration lines
    When to use it: Quick check that pool, ACL binding, and interface roles are all present

  clear ip nat translation *
    What it does:   Removes all dynamic NAT entries from the table
    When to use it: Force release of all pool addresses; reset after a config change; use during troubleshooting

  clear ip nat translation inside <global> <local>
    What it does:   Removes the specific entry for one host (the Inside Global address is given first, then the Inside Local)
    When to use it: Release a single pool IP without disrupting all other active sessions
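The two show commands above are what an operator reads when checking pool health, so it helps to see their output handled programmatically. The following Python script is an added example, not code from this page or from Cisco: it parses constructed `show ip nat translations` and `show ip nat statistics` text shaped like the samples above (the line layout is assumed to match those samples), maps each pool address to the inside host holding it, and reports the two conditions a troubleshooter looks for first: a missing `ip nat inside`/`ip nat outside` role and a pool that is exhausted.

```python
import re
import ipaddress
from dataclasses import dataclass

# Constructed sample output, modelled on the examples above (not captured from a real router)
SHOW_TRANSLATIONS = """\
Pro  Inside global    Inside local     Outside local    Outside global
---  203.0.113.1      192.168.1.10     8.8.8.8          8.8.8.8
---  203.0.113.2      192.168.1.11     1.1.1.1          1.1.1.1
tcp  203.0.113.3      192.168.1.12     172.217.3.110    172.217.3.110
     (49301)          (49301)          (443)            (443)
"""

SHOW_STATISTICS = """\
Total active translations: 3 (0 static, 3 dynamic; 1 extended)
Outside interfaces: GigabitEthernet0/1
Inside interfaces:  GigabitEthernet0/0
Hits: 47    Misses: 3
CEF Translated packets: 47, CEF Punted packets: 0
Expired translations: 12
Dynamic mappings:
-- Inside Source
   access-list 1 pool MY_POOL refcount 3
    pool MY_POOL: netmask 255.255.255.0
           start 203.0.113.1 end 203.0.113.10
           type generic, total addresses 10
           allocated 3, misses 0
"""

@dataclass
class Translation:
    proto: str              # '---' for generic entries, 'tcp'/'udp' for extended (port-specific) ones
    inside_global: str
    inside_local: str
    outside_local: str
    outside_global: str
    ports: tuple = ()       # L4 ports in the same column order; extended entries only

def parse_translations(text):
    """Turn 'show ip nat translations' output into Translation records."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] == "Pro":
            continue
        if fields[0].startswith("("):
            # continuation line: the ports belonging to the entry on the previous line
            entries[-1].ports = tuple(int(f.strip("()")) for f in fields)
            continue
        entries.append(Translation(*fields[:5]))
    return entries

def _interfaces(text, role):
    m = re.search(rf"^{role} interfaces:\s*(.*)$", text, re.M)
    names = [n.strip() for n in m.group(1).split(",")] if m else []
    return [n for n in names if n and n.lower() != "not set"]

POOL_RE = re.compile(
    r"pool (?P<name>\S+): netmask (?P<netmask>\S+)\s+start (?P<start>\S+) end (?P<end>\S+)\s+"
    r"type \w+, total addresses (?P<total>\d+)\s+allocated (?P<allocated>\d+), misses (?P<misses>\d+)"
)

def parse_statistics(text):
    """Extract interface roles, the global Hits/Misses counters and per-pool allocation."""
    counters = re.search(r"Hits:\s*(\d+)\s+Misses:\s*(\d+)", text)
    pools = []
    for m in POOL_RE.finditer(text):
        p = m.groupdict()
        p.update({k: int(p[k]) for k in ("total", "allocated", "misses")})
        pools.append(p)
    return {"inside_ifs": _interfaces(text, "Inside"),
            "outside_ifs": _interfaces(text, "Outside"),
            "hits": int(counters.group(1)) if counters else 0,
            "misses": int(counters.group(2)) if counters else 0,
            "pools": pools}

def pool_holders(translations, pool):
    """Map each pool address currently in use to the inside host holding it."""
    lo, hi = ipaddress.ip_address(pool["start"]), ipaddress.ip_address(pool["end"])
    return {t.inside_global: t.inside_local for t in translations
            if lo <= ipaddress.ip_address(t.inside_global) <= hi}

def audit(stats):
    """Findings a troubleshooter wants first: missing interface roles and pool pressure."""
    findings = []
    if not stats["inside_ifs"]:
        findings.append("no interface is marked 'ip nat inside'")
    if not stats["outside_ifs"]:
        findings.append("no interface is marked 'ip nat outside'")
    for p in stats["pools"]:
        free = p["total"] - p["allocated"]
        if free <= 0:
            findings.append(f"pool {p['name']} exhausted: {p['allocated']}/{p['total']} allocated, "
                            f"{p['misses']} failed allocations")
        elif free <= max(1, p["total"] // 5):
            findings.append(f"pool {p['name']} nearly full: {free} of {p['total']} addresses free")
    return findings

if __name__ == "__main__":
    stats = parse_statistics(SHOW_STATISTICS)
    print(pool_holders(parse_translations(SHOW_TRANSLATIONS), stats["pools"][0]))
    print(audit(stats) or ["no problems found"])
```

Feeding the script the real output of the two commands (copied from the router) gives a quick pool-occupancy report; the "nearly full" threshold (a fifth of the pool) is an arbitrary choice for the example.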


6. Pool Exhaustion — What Happens and How to Manage It

Pool exhaustion is the central operational limitation of Dynamic NAT. When every address in the pool is actively mapped to an inside host, any new outbound connection attempt from an un-translated host is silently dropped — the host receives no internet connectivity and no error message.

  Pool: 203.0.113.1 – 203.0.113.10  (10 addresses)

  Current state: all 10 addresses allocated ← pool exhausted
  Host 192.168.1.50 initiates new outbound connection

  Router checks ACL → 192.168.1.50 is permitted ✓
  Router tries to allocate from pool → no free address ✗
  Packet is DROPPED — no translation created
  192.168.1.50 cannot reach the internet

  "Misses" counter in show ip nat statistics increments

Managing Timeouts

Dynamic NAT entries expire after a configurable idle period. Reducing the timeout allows pool addresses to be reclaimed faster when sessions are idle.

  ! Default translation timeout is 86400 seconds (24 hours) — very long
  ! Reduce to reclaim unused pool addresses sooner:

  Router(config)# ip nat translation timeout 3600
  ! Sets general translation timeout to 1 hour

  Router(config)# ip nat translation tcp-timeout 7200
  ! TCP-specific timeout (default: 86400s)

  Router(config)# ip nat translation udp-timeout 300
  ! UDP-specific timeout (default: 300s — much shorter than TCP)

  Router(config)# ip nat translation icmp-timeout 60
  ! ICMP ping timeout (default: 60s)

  ! Force immediate release of all entries:
  Router# clear ip nat translation *

Strategies to Address Pool Exhaustion

  Reduce translation timeout
    How:       ip nat translation timeout <seconds>
    Trade-off: Faster pool address recycling; may interrupt long-lived but idle sessions (e.g., SSH, VPN)

  Expand the pool
    How:       Widen the start/end range in the ip nat pool definition to include the additional public IPs
    Trade-off: Requires purchasing or leasing additional public IP addresses — may not be feasible

  Switch to PAT (overload)
    How:       Add the overload keyword to the binding: ip nat inside source list 1 pool MY_POOL overload
    Trade-off: Dramatically increases concurrent users (thousands per IP) but changes to port-based translation; breaks applications that do not work behind PAT

  Restrict eligible hosts
    How:       Narrow the ACL permit statement to a smaller subnet
    Trade-off: Limits which hosts can use NAT — may exclude legitimate users
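Sections 3 and 6 describe the translation flow, pool exhaustion and idle timeouts in prose. The following Python model is an added example (not code from this page or from Cisco) that replays that flow on a deliberately small three-address pool so the failure mode is visible: four inside hosts compete for the pool, the fourth is dropped, a reply to a pool address is mapped back to its inside host, and after the idle timeout the freed address is reused. The model is simplified by assumption: one entry per inside host, replies matched on the destination pool address only, no Layer 4 awareness, and a source the ACL does not permit is forwarded untranslated.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Translation:
    inside_local: str
    inside_global: str
    outside_local: str
    outside_global: str
    last_seen: float      # time of the last packet that used this entry (drives the idle timeout)

class DynamicNat:
    """Simplified model of a dynamic NAT router: pool + standard ACL + idle timeout (assumed model)."""

    def __init__(self, pool_start, pool_end, acl, timeout=86400):
        lo, hi = int(ipaddress.ip_address(pool_start)), int(ipaddress.ip_address(pool_end))
        self.free = [str(ipaddress.ip_address(i)) for i in range(lo, hi + 1)]   # pool, lowest first
        self.acl = acl                  # list of (network, wildcard) permit entries; implicit deny
        self.timeout = timeout          # seconds, like 'ip nat translation timeout'
        self.table = {}                 # inside_local -> Translation
        self.misses = 0                 # packets that needed a pool address when none was free

    def acl_permits(self, ip):
        a = int(ipaddress.ip_address(ip))
        for network, wildcard in self.acl:
            n, w = int(ipaddress.ip_address(network)), int(ipaddress.ip_address(wildcard))
            if ((a ^ n) & ~w & 0xFFFFFFFF) == 0:   # wildcard 1-bits are "don't care"
                return True
        return False

    def expire(self, now):
        """Step 7: drop entries idle for longer than the timeout and return their IPs to the pool."""
        for local, t in list(self.table.items()):
            if now - t.last_seen >= self.timeout:
                del self.table[local]
                self.free.append(t.inside_global)

    def outbound(self, src, dst, now):
        """Steps 1-5: returns the source address the packet leaves with, or None if it is dropped."""
        self.expire(now)
        if not self.acl_permits(src):
            return src                  # not eligible for NAT: forwarded untranslated
        t = self.table.get(src)
        if t is None:
            if not self.free:           # pool exhausted: no entry is created, packet is dropped
                self.misses += 1
                return None
            t = Translation(src, self.free.pop(0), dst, dst, now)
            self.table[src] = t
        t.last_seen = now
        return t.inside_global

    def inbound(self, dst, now):
        """Step 6: returns the inside host for a reply to a pool address, or None (dropped)."""
        self.expire(now)
        for t in self.table.values():
            if t.inside_global == dst:
                t.last_seen = now
                return t.inside_local
        return None                     # nothing maps this pool IP: an outside host cannot get in

def demo():
    """Three-address pool, four hosts: exhaustion, the reply path and timeout-driven reuse."""
    nat = DynamicNat("203.0.113.1", "203.0.113.3", [("192.168.1.0", "0.0.0.255")], timeout=3600)
    hosts = ["192.168.1.10", "192.168.1.11", "192.168.1.12", "192.168.1.13"]
    events = [(h, nat.outbound(h, "8.8.8.8", now=i)) for i, h in enumerate(hosts)]
    # the fourth host found the pool empty and was dropped; a reply to the first pool IP still maps
    events.append(("reply to 203.0.113.1", nat.inbound("203.0.113.1", now=10)))
    # an hour later every entry has been idle past the timeout, so the fourth host gets 203.0.113.1
    events.append(("192.168.1.13 after timeout", nat.outbound("192.168.1.13", "8.8.8.8", now=3700)))
    # a late reply to a pool address whose entry has expired finds nothing and is dropped
    events.append(("reply to 203.0.113.2 after expiry", nat.inbound("203.0.113.2", now=3701)))
    return events, nat.misses

if __name__ == "__main__":
    for label, result in demo()[0]:
        print(f"{label:36} -> {result}")
    print("misses:", demo()[1])
```

The `misses` counter in the model plays the role the page assigns to the "misses" value in `show ip nat statistics`; lowering `timeout` in `demo()` shows how a shorter idle timeout lets the fourth host obtain an address sooner.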

7. Dynamic NAT vs Static NAT vs PAT — Full Comparison

The three NAT types serve different operational needs. Understanding when to use each is a core CCNA topic.

  Mapping type
    Dynamic NAT: Many-to-many (temporary)
    Static NAT:  One-to-one (permanent)
    PAT:         Many-to-one (port-based, temporary)

  Public IPs required
    Dynamic NAT: Pool of IPs (e.g., 10 addresses)
    Static NAT:  One dedicated public IP per inside host
    PAT:         Single IP shared by all inside hosts

  Mapping duration
    Dynamic NAT: Session lifetime; expires on idle timeout
    Static NAT:  Permanent — survives reboots
    PAT:         Session lifetime; expires on idle timeout

  Inbound connections from the internet
    Dynamic NAT: Not possible — no predictable mapping for outside hosts to initiate to
    Static NAT:  Fully supported — the fixed mapping acts as a permanent "door" into the inside host
    PAT:         Not possible without additional port-forwarding rules

  Max simultaneous sessions
    Dynamic NAT: Limited by pool size (one IP per session)
    Static NAT:  One active session per static mapping
    PAT:         ~65,535 per public IP (limited by port numbers)

  Translation identifier
    Dynamic NAT: IP address only
    Static NAT:  IP address only
    PAT:         IP address + Layer 4 port number

  Configuration key command
    Dynamic NAT: ip nat inside source list <acl> pool <name>
    Static NAT:  ip nat inside source static <local> <global>
    PAT:         ip nat inside source list <acl> interface <int> overload  (or: ip nat inside source list <acl> pool <name> overload)

  Typical use case
    Dynamic NAT: Medium enterprise with a small block of public IPs and apps that need real (unshared) public IPs
    Static NAT:  Public-facing servers (web, mail, CCTV, VPN endpoint) that must be reachable from the internet
    PAT:         Home routers; small/medium office with a single ISP IP; the overwhelming majority of real-world NAT deployments

  Scalability
    Dynamic NAT: Moderate — limited by pool size
    Static NAT:  Low — requires one public IP per host
    PAT:         Very high — thousands of sessions per public IP


8. Security and Operational Considerations

  Inside host anonymity
    External hosts only see the public pool IP — the private inside address is hidden. This provides a basic layer of obscurity but is not a substitute for a proper firewall.

  Asymmetric routing breaks NAT
    NAT maintains state on the specific router that created the translation. If return traffic arrives on a different router (asymmetric routing), that router has no matching NAT entry and the packet is dropped or forwarded untranslated. Ensure all traffic for a given session traverses the same NAT router.

  Applications that embed IP addresses
    Some protocols (FTP active mode, SIP, H.323, PPTP) embed IP addresses inside the application payload. Standard NAT only translates the IP header — not the payload. An ALG (Application Layer Gateway) or a stateful NAT implementation is needed for these applications.

  No inbound connection support
    Dynamic NAT translations are created only by outbound traffic. An external host cannot reach an inside host unless a static NAT entry or port-forward is configured — this is a deliberate security characteristic.

  Pool address conflicts
    Ensure that pool IP addresses are not also used for static NAT entries or assigned to router interfaces — duplicate use causes unpredictable translation behaviour.

  NAT and IPsec interaction
    IPsec ESP (Encapsulating Security Payload) authenticates the IP header, making NAT incompatible with standard IPsec. NAT-Traversal (NAT-T) on UDP port 4500 is required to encapsulate IPsec traffic through a NAT device.

9. Troubleshooting Dynamic NAT

  Symptom:      No translation created — inside host cannot reach the internet
  Likely cause: Interface roles not set; ACL excludes the host; binding command missing; pool and ACL not bound correctly
  Diagnose:     Run show ip nat statistics — check the interfaces listed under "Inside" and "Outside"; verify the ACL with show access-lists 1; check the binding with show running-config | include nat

  Symptom:      Translations appear, then vanish immediately
  Likely cause: Return traffic not arriving back through the NAT router (asymmetric routing); pool address not routed back to the router by the ISP
  Diagnose:     Check routing with show ip route; confirm the ISP routes the pool subnet to this router's WAN IP; trace with traceroute from outside

  Symptom:      Some hosts get internet access; others cannot (pool exhausted)
  Likely cause: All pool addresses are in use
  Diagnose:     show ip nat statistics — compare "allocated" with the total pool addresses and check the "misses" counter; run show ip nat translations to see who is holding pool IPs; consider clear ip nat translation * during a maintenance window, or reduce the timeout

  Symptom:      Translation exists but traffic still fails
  Likely cause: Firewall or ACL blocking traffic; routing issue beyond the NAT router; DNS resolution failing
  Diagnose:     Confirm the ACL on the outside interface is not blocking the pool IPs; test with ping using the pool IP as source; check DNS with nslookup

  Symptom:      NAT working but FTP / SIP / VoIP failing
  Likely cause: Application embeds the private IP in its payload; NAT only translates the IP header
  Diagnose:     Enable the ALG on the router: ip nat service sip udp port 5060; configure FTP passive mode (client-initiated data connections avoid this problem)
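The first symptom above (no translation created) and the "pool address conflicts" consideration in section 8 are both visible in the configuration itself, before any traffic is sent, so a pre-deployment check over the running-config catches them cheaply. The following Python script is an added example (not code from this page or from Cisco): it parses a constructed running-config fragment modelled on the branch-office scenario in section 10, verifies the four required elements from section 4 (pool, ACL, binding, both interface roles), checks that the binding refers to an ACL and pool that exist, and flags pool addresses that are also assigned to an interface or used as the global side of a static entry. It assumes IOS's textual layout, with a single-space indent under `interface` lines.

```python
import re
import ipaddress

# Constructed running-config fragment, based on the branch-office scenario on this page
GOOD_CONFIG = """\
ip nat pool BRANCH_POOL 203.0.113.1 203.0.113.5 netmask 255.255.255.248
ip access-list standard INSIDE_HOSTS
 10 permit 192.168.1.0 0.0.0.255
ip nat inside source list INSIDE_HOSTS pool BRANCH_POOL
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
interface GigabitEthernet0/1
 ip address 203.0.113.6 255.255.255.248
 ip nat outside
"""

# Same fragment with three of the faults discussed above: 'ip nat outside' is missing, the WAN
# interface address sits inside the pool, and a static entry reuses a pool address
BAD_CONFIG = """\
ip nat pool BRANCH_POOL 203.0.113.1 203.0.113.5 netmask 255.255.255.248
ip access-list standard INSIDE_HOSTS
 10 permit 192.168.1.0 0.0.0.255
ip nat inside source list INSIDE_HOSTS pool BRANCH_POOL
ip nat inside source static 192.168.1.100 203.0.113.5
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
interface GigabitEthernet0/1
 ip address 203.0.113.2 255.255.255.248
"""

def parse_config(text):
    """Pull the NAT-relevant lines out of a running-config into one dictionary."""
    cfg = {"pools": {}, "acls": set(), "bindings": [], "static_globals": [],
           "inside": [], "outside": [], "if_addrs": {}}
    iface = None
    for raw in text.splitlines():
        if not raw.startswith(" "):
            iface = None                 # an unindented line ends the interface sub-mode
        s = raw.strip()
        if m := re.match(r"ip nat pool (\S+) (\S+) (\S+) (?:netmask|prefix-length) \S+", s):
            cfg["pools"][m[1]] = (m[2], m[3])
        elif m := re.match(r"(?:access-list (\d+) permit|ip access-list standard (\S+))", s):
            cfg["acls"].add(m[1] or m[2])
        elif m := re.match(r"ip nat inside source list (\S+) pool (\S+)", s):
            cfg["bindings"].append((m[1], m[2]))
        elif m := re.match(r"ip nat inside source static \S+ (\S+)", s):
            cfg["static_globals"].append(m[1])   # the inside-global side of a static entry
        elif m := re.match(r"interface (\S+)", s):
            iface = m[1]
        elif iface and (m := re.match(r"ip address (\S+) \S+", s)):
            cfg["if_addrs"][iface] = m[1]
        elif iface and s == "ip nat inside":
            cfg["inside"].append(iface)
        elif iface and s == "ip nat outside":
            cfg["outside"].append(iface)
    return cfg

def audit_config(cfg):
    """Return findings for the four required elements plus pool address conflicts."""
    findings = []
    if not cfg["pools"]:
        findings.append("no 'ip nat pool' defined")
    if not cfg["bindings"]:
        findings.append("no 'ip nat inside source list <acl> pool <name>' binding")
    for acl, pool in cfg["bindings"]:
        if acl not in cfg["acls"]:
            findings.append(f"binding refers to ACL {acl}, which does not exist")
        if pool not in cfg["pools"]:
            findings.append(f"binding refers to pool {pool}, which does not exist")
    if not cfg["inside"]:
        findings.append("no interface has 'ip nat inside'")
    if not cfg["outside"]:
        findings.append("no interface has 'ip nat outside'")
    users = list(cfg["if_addrs"].items()) + [("static NAT entry", a) for a in cfg["static_globals"]]
    for name, (start, end) in cfg["pools"].items():
        lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
        for owner, addr in users:
            if lo <= ipaddress.ip_address(addr) <= hi:
                findings.append(f"{addr} lies inside pool {name} but is also used by {owner}")
    return findings

if __name__ == "__main__":
    for label, text in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, audit_config(parse_config(text)) or ["no problems found"])
```

Running it against the output of `show running-config` from a real router before traffic is enabled reports the missing role or address overlap that would otherwise only show up as an empty translation table or unpredictable mappings.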

Debug Commands

  ! Enable NAT debug — shows every translation event in real time
  Router# debug ip nat

  ! Sample debug output when translation succeeds:
  NAT: s=192.168.1.10->203.0.113.1, d=8.8.8.8 [12345]
  NAT*: s=8.8.8.8, d=203.0.113.1->192.168.1.10 [12345]

  ! WARNING: Use debug ip nat on low-traffic routers only.
  ! On a busy router, the volume of debug output can cause CPU spikes.
  ! Turn off with: no debug ip nat  (or: undebug all)

  ! Clear all dynamic translations (force pool release):
  Router# clear ip nat translation *

  ! Clear a specific entry (Inside Global address first, then Inside Local):
  Router# clear ip nat translation inside 203.0.113.1 192.168.1.10


10. Complete End-to-End Scenario

A branch office has 50 internal hosts on 192.168.1.0/24. The ISP has provided a block of 5 public IP addresses (203.0.113.1–203.0.113.5). The office needs up to 5 simultaneous internet sessions with real (unshared) public IPs for a legacy application that does not work behind PAT.

  Network diagram:
  192.168.1.0/24 LAN ── Gi0/0 [R1] Gi0/1 ── 203.0.113.0/29 ── Internet

  ! ── Full configuration ──────────────────────────────────────────

  ! Define the public IP pool (5 addresses)
  R1(config)# ip nat pool BRANCH_POOL 203.0.113.1 203.0.113.5 netmask 255.255.255.248

  ! Define eligible inside hosts (all of 192.168.1.0/24)
  R1(config)# ip access-list standard INSIDE_HOSTS
  R1(config-std-nacl)# 10 permit 192.168.1.0 0.0.0.255
  R1(config-std-nacl)# exit

  ! Bind ACL to pool
  R1(config)# ip nat inside source list INSIDE_HOSTS pool BRANCH_POOL

  ! Assign interface roles
  R1(config)# interface GigabitEthernet0/0
  R1(config-if)# ip nat inside
  R1(config-if)# exit

  R1(config)# interface GigabitEthernet0/1
  R1(config-if)# ip nat outside
  R1(config-if)# exit

  ! ── Reduce timeout to reclaim IPs faster (optional) ────────────
  R1(config)# ip nat translation timeout 3600
  R1(config)# ip nat translation tcp-timeout 7200

  ! ── Verify ───────────────────────────────────────────────────────
  R1# show ip nat translations
  R1# show ip nat statistics

Behaviour: The first 5 hosts that initiate outbound traffic each get a dedicated public IP from the pool. Hosts 6–50 cannot reach the internet until one of the 5 translations expires or is cleared. If all 50 hosts need internet simultaneously, the configuration should be changed to PAT (overload).

11. Exam Tips & Key Points

  • Dynamic NAT is many-to-many: many inside hosts share a pool of public IPs, but only one host per pool IP at any given time — unlike PAT, which shares one IP among thousands using port numbers.
  • Know all four NAT address terms: Inside Local (private IP of inside host), Inside Global (pool IP seen on internet), Outside Local (destination as seen from inside), Outside Global (real IP of external host). In standard Dynamic NAT, Outside Local = Outside Global.
  • The four required configuration elements are: NAT pool (ip nat pool), ACL (identifies eligible inside hosts), binding (ip nat inside source list ... pool ...), and interface roles (ip nat inside / ip nat outside). Forgetting either interface role is the most common configuration mistake.
  • When the pool is exhausted, new connections are silently dropped. The show ip nat statistics "misses" counter reveals this condition.
  • Dynamic NAT translations are unidirectional — only inside-to-outside traffic creates a translation. External hosts cannot initiate a connection to a dynamically NATted inside host.
  • The default translation timeout is 24 hours (86400s). Reduce with ip nat translation timeout to reclaim pool addresses faster in high-turnover environments.
  • show ip nat translations shows active mappings. show ip nat statistics shows hit/miss counts and pool allocation status.
  • clear ip nat translation * removes all dynamic entries — use during maintenance or after a config change when stale entries persist.
  • The key difference from Static NAT: Static NAT creates a permanent 1:1 mapping that persists even when no traffic is flowing; Dynamic NAT creates a temporary mapping only when traffic is initiated.

12. Summary Reference Table

  NAT type:               Many-to-many (temporary, pool-based)
  Define pool:            ip nat pool <name> <start> <end> netmask <mask>
  Define eligible hosts:  Standard ACL: access-list 1 permit <network> <wildcard>
  Bind ACL to pool:       ip nat inside source list <acl> pool <name>
  LAN interface:          ip nat inside
  WAN interface:          ip nat outside
  Verify translations:    show ip nat translations
  Verify pool stats:      show ip nat statistics
  Clear all translations: clear ip nat translation *
  Adjust timeout:         ip nat translation timeout <seconds>
  Pool exhausted effect:  New connections silently dropped; "misses" counter increments
  Inbound connections:    Not supported — translations are only created by inside-to-outside traffic

Dynamic NAT Quiz

1. What type of address mapping does Dynamic NAT provide, and what limits the number of simultaneous sessions?

Correct answer is C. Dynamic NAT provides a many-to-many temporary mapping: many inside private IP addresses are eligible for translation, and each is assigned one address from a pool of public IPs for the duration of its session. The critical constraint is the pool size — if the pool contains 10 public IPs, a maximum of 10 inside hosts can have active translations simultaneously. The eleventh host's outbound traffic is dropped until a pool address is freed. This distinguishes Dynamic NAT from PAT (option B, many-to-one using ports) and Static NAT (option A, permanent one-to-one).

2. In Dynamic NAT, what does the term "Inside Local" refer to?

Correct answer is A. The four NAT address terms are defined from the router's perspective. Inside Local is the private RFC 1918 IP of the internal host as assigned in the LAN — the address that appears in the IP source field of packets before they reach the NAT router's inside interface. For example, 192.168.1.10. Inside Global (option B) is the public pool IP that replaces it after translation. The terms "Inside" and "Outside" refer to location relative to the NAT boundary; "Local" and "Global" refer to whether the address is private/internal or public/internet-routable.

3. Which Cisco IOS command defines a Dynamic NAT pool named MY_POOL using addresses 203.0.113.1 to 203.0.113.10?

Correct answer is D. The ip nat pool <name> <start-ip> <end-ip> netmask <mask> command in global configuration mode creates the named pool of public IP addresses that Dynamic NAT will draw from. The pool name (MY_POOL) is then referenced in the binding command (ip nat inside source list 1 pool MY_POOL). Each of the other options performs a different, equally necessary step in the four-part Dynamic NAT configuration: ACL creation, binding, and interface role assignment.

4. What is the role of the ACL in a Dynamic NAT configuration?

Correct answer is B. In Dynamic NAT, a standard ACL acts as a match criterion — it defines the set of inside source IP addresses that the NAT router will translate when they send outbound traffic. When a packet arrives on the inside interface, the router checks the source IP against the ACL. If the source matches a permit entry, NAT allocates a pool address and creates a translation. If the source does not match, the packet is forwarded without translation (or dropped, depending on routing). The ACL is referenced by the binding command: ip nat inside source list <acl> pool <name>.

5. Which interface-level command is applied to the LAN-facing (inside) interface for Dynamic NAT?

Correct answer is A. The command ip nat inside is entered under the LAN-facing interface (e.g., interface GigabitEthernet0/0) and tells the router that this interface connects to the inside (trusted, private) side of the NAT boundary. The corresponding command ip nat outside is applied to the WAN/internet-facing interface. Both roles must be configured — if either is missing, no NAT translations will be created and all inside hosts will lose internet connectivity. The "Inside" and "Outside" designations together define the NAT domain boundary across which translation occurs.

6. A Dynamic NAT pool contains 10 public IPs. All 10 are currently assigned. What happens when an 11th internal host tries to initiate an outbound connection?

Correct answer is C. When the Dynamic NAT pool is exhausted, new outbound connections from unallocated inside hosts are silently dropped. The router cannot create a translation entry without a free pool address, and Cisco IOS does not queue NAT requests — it simply discards the packet. The "misses" counter in show ip nat statistics increments each time this occurs. The 11th host will receive no error message and will experience a connection timeout. Resolution options include: reducing the translation timeout (ip nat translation timeout) to reclaim idle entries; expanding the pool; or switching to PAT (overload) to allow thousands of sessions per pool IP using port-based multiplexing.

7. Which command displays active Dynamic NAT translations showing Inside Local, Inside Global, Outside Local, and Outside Global addresses?

Correct answer is D. show ip nat translations is the primary NAT verification command. Its output displays a table with four columns: Inside Global (pool IP), Inside Local (private LAN IP), Outside Local, and Outside Global (internet destination IP). For TCP/UDP entries, the source and destination port numbers are also shown. Adding the verbose keyword (show ip nat translations verbose) adds the creation time and idle timer for each entry — useful for diagnosing timeout issues. show ip nat statistics complements this by showing pool allocation counts, hit/miss counters, and interface role assignments.

8. What is the fundamental operational difference between Dynamic NAT and Static NAT?

Correct answer is B. The two NAT types differ in both the mapping duration and the ability to support inbound connections. Dynamic NAT creates a temporary mapping only when an inside host initiates outbound traffic — the mapping is drawn from a pool, lasts only as long as the session is active (or the idle timer), and is then returned to the pool. External hosts cannot initiate connections to inside hosts because there is no predictable, persistent mapping. Static NAT creates a permanent one-to-one mapping between a specific inside private IP and a specific public IP. This mapping persists even when no traffic is flowing and allows external hosts to initiate connections to the inside host — making Static NAT the correct choice for internet-facing servers.

9. An engineer notices that the "misses" counter is increasing in show ip nat statistics. What does this indicate, and what is the most scalable long-term solution?

Correct answer is A. The "misses" counter in show ip nat statistics increments every time a packet arrives that should be translated but cannot be — specifically because no free pool address is available. This is the definitive indicator of pool exhaustion. Immediate mitigations include reducing the idle timeout (ip nat translation timeout) to reclaim inactive entries or running clear ip nat translation * to force-release all entries during a maintenance window. The most scalable long-term solution is converting to PAT by adding the overload keyword: ip nat inside source list 1 pool MY_POOL overload — this allows up to ~65,535 simultaneous sessions per pool IP by using unique source port numbers to distinguish flows.

10. After completing the Dynamic NAT configuration and generating traffic from inside hosts, an engineer runs show ip nat translations but the table is empty. What is the most likely cause?

Correct answer is C. An empty NAT translation table despite live traffic is the classic symptom of missing interface role assignments. The router uses the ip nat inside and ip nat outside designations to identify the NAT boundary — without them, it does not know which side is "inside" and which is "outside" and therefore does not translate anything. Verify with show ip nat statistics and look for the "Outside interfaces" and "Inside interfaces" lines — if either shows "not set" or a wrong interface, that is the problem. Also verify the binding command is present with show running-config | include nat. Named ACLs (option D) are fully supported by Dynamic NAT — both numbered and named ACLs work identically.
