PAT (Port Address Translation) – NAT Overload, Packet Flow & Cisco Configuration

1. What Is PAT (NAT Overload)?

PAT (Port Address Translation), also known as NAT Overload, is the most widely deployed form of Network Address Translation. It allows multiple internal devices to share a single public IP address simultaneously by using unique Layer 4 port numbers to track each individual session. PAT is the technology behind virtually every home router and most enterprise internet edge devices — without it, every device on the internet would require its own public IPv4 address, which would have exhausted the IPv4 address space long ago.

  Why PAT exists — IPv4 address conservation:

  IPv4 address space: ~4.3 billion addresses (2³²)
  Global internet-connected devices: ~15 billion (2024)
  → More devices than addresses — impossible without NAT/PAT

  PAT solution: One public IP can serve thousands of private devices
  simultaneously by using port numbers as a "session identifier"

  Home network without PAT (impossible at scale):
  PC1 needs public IP → gets 203.0.113.1
  PC2 needs public IP → gets 203.0.113.2
  Phone needs public IP → gets 203.0.113.3
  ... (requires one public IP per device)

  Home network with PAT (the reality):
  PC1, PC2, Phone, Tablet, TV → ALL share 203.0.113.1
  Each session tracked by a unique port number

Related pages: Static NAT | Dynamic NAT | Private vs Public IP Addresses | IP Addressing | Dynamic NAT & PAT Lab | Troubleshooting NAT/PAT Lab

2. NAT Terminology — Inside Local, Inside Global, Outside

Understanding NAT terminology is critical for reading show ip nat translations output and for CCNA exam questions. The terms are defined from the router's perspective.

  Inside Local
    Definition: The private IP address assigned to an internal host; the address as seen from inside the network
    Example: 192.168.1.10:3000
    Where it appears: Source IP in packets before they leave the inside interface; what the internal device thinks its address is

  Inside Global
    Definition: The public IP address (+ port in PAT) that represents the internal host to the outside world; what the internet sees as the source
    Example: 203.0.113.1:5000
    Where it appears: Source IP in packets after NAT translation; what external servers see as the source address

  Outside Local
    Definition: The IP address of an external destination as seen from inside; usually the same as Outside Global unless Destination NAT is configured
    Example: 142.250.190.46:80
    Where it appears: Destination IP in packets leaving the router (usually unchanged in basic PAT)

  Outside Global
    Definition: The actual IP address of the external destination; the real public IP of the server on the internet
    Example: 142.250.190.46:80
    Where it appears: The destination address as seen from outside; for basic PAT this equals Outside Local

Memory tip: "Inside" = on the LAN side. "Outside" = on the internet side. "Local" = as seen from that side. "Global" = the address visible on the other side. In PAT, only the Inside Local → Inside Global translation is modified; the outside addresses are generally unchanged.

3. How PAT Works — Step-by-Step Packet Flow

  Network topology:
  LAN: 192.168.1.0/24        Router         Internet
  PC1 (192.168.1.10) ──┐                    Google (142.250.190.46)
  PC2 (192.168.1.11) ──┤── Gi0/0 ── Gi0/1 ────────────────────────
  PC3 (192.168.1.12) ──┘  (inside) (outside)
                          192.168.1.1  203.0.113.1 (public IP from ISP)

  ─────────────────────────────────────────────────────────────────
  OUTBOUND — PC1 requests google.com (HTTP on port 80):
  ─────────────────────────────────────────────────────────────────

  Step 1: PC1 sends packet to router (Gi0/0, ip nat inside):
          Src: 192.168.1.10:49200   Dst: 142.250.190.46:80

  Step 2: Router checks ACL — 192.168.1.10 matches "permit 192.168.1.0/24"
          → Translation required

  Step 3: Router creates NAT table entry:
          Inside Local: 192.168.1.10:49200
          Inside Global: 203.0.113.1:1024  (assigns unique port)

  Step 4: Router rewrites the packet header:
          Src: 203.0.113.1:1024    Dst: 142.250.190.46:80
          Forwards out Gi0/1 (ip nat outside) to internet

  ─────────────────────────────────────────────────────────────────
  INBOUND — Google responds:
  ─────────────────────────────────────────────────────────────────

  Step 5: Response arrives at Gi0/1:
          Src: 142.250.190.46:80   Dst: 203.0.113.1:1024

  Step 6: Router looks up 203.0.113.1:1024 in NAT table
          → Matches entry: translate back to 192.168.1.10:49200

  Step 7: Router rewrites destination:
          Src: 142.250.190.46:80   Dst: 192.168.1.10:49200
          Forwards to PC1 on inside interface — PC1 receives response

  ─────────────────────────────────────────────────────────────────
  SIMULTANEOUS — PC2 also requests youtube.com:
  ─────────────────────────────────────────────────────────────────
  PC2: 192.168.1.11:51000 → 208.65.153.238:80
  Router assigns: 203.0.113.1:1025 (different port!)

  NAT table now has TWO entries for the same public IP:
  203.0.113.1:1024 ↔ 192.168.1.10:49200  (PC1's Google session)
  203.0.113.1:1025 ↔ 192.168.1.11:51000  (PC2's YouTube session)

  When responses arrive at 203.0.113.1, the router uses the PORT
  to determine WHICH internal device gets each response.

4. The NAT Translation Table

The NAT translation table is the router's in-memory database of all active PAT sessions. Each entry maps an inside local (private IP + port) to an inside global (public IP + port). The table is bidirectional — used for both translating outbound packets and reverse-translating inbound responses.

  Router# show ip nat translations

  Pro  Inside global          Inside local           Outside local          Outside global
  tcp  203.0.113.1:1024       192.168.1.10:49200     142.250.190.46:80      142.250.190.46:80
  tcp  203.0.113.1:1025       192.168.1.11:51000     208.65.153.238:443     208.65.153.238:443
  tcp  203.0.113.1:1026       192.168.1.12:52100     1.1.1.1:443            1.1.1.1:443
  tcp  203.0.113.1:1027       192.168.1.10:49350     172.217.0.46:443       172.217.0.46:443
  udp  203.0.113.1:5000       192.168.1.10:49201     8.8.8.8:53             8.8.8.8:53
  udp  203.0.113.1:5001       192.168.1.11:51001     8.8.4.4:53             8.8.4.4:53
  icmp 203.0.113.1:512        192.168.1.10:512        8.8.8.8:512            8.8.8.8:512

  Key observations:
  • Same public IP (203.0.113.1) appears in every entry — PAT in action
  • Each entry has a UNIQUE port on the public IP side
  • Multiple entries for the same inside local (192.168.1.10) — one PC,
    multiple simultaneous sessions (Google + Cloudflare DNS + ping)
  • UDP entries (DNS) have shorter timeouts than TCP entries
  • ICMP uses query ID instead of port number (shown as pseudo-port)

Translation Table Entry Lifecycle

  TCP (established)
    Default timeout: 86400 sec (24 hours)
    Entry created: On first SYN packet matching the ACL
    Entry removed: After the TCP FIN/RST exchange, or on timeout expiry

  TCP (half-open)
    Default timeout: 60 sec
    Entry created: On SYN, before the connection is established
    Entry removed: On timeout, or when the connection completes

  UDP
    Default timeout: 300 sec (5 min)
    Entry created: On first UDP packet matching the ACL
    Entry removed: After the inactivity timeout (no stateful teardown)

  ICMP
    Default timeout: 60 sec
    Entry created: On first ICMP echo matching the ACL
    Entry removed: After a short inactivity timeout

  DNS
    Default timeout: 15 sec
    Entry created: On DNS query
    Entry removed: Very short timeout; DNS is a quick request/response

5. PAT Protocol Handling — TCP, UDP, and ICMP

PAT works differently for each Layer 4 protocol because each protocol has a different mechanism for session identification.

  TCP
    Session identifier: Source port (16-bit field in the TCP header)
    PAT behaviour: Maps the inside local source port to an inside global source port; tracks connection state (SYN, established, FIN); entry removed on teardown
    Port range available: Up to 65,535 ports (well-known 0–1023 reserved; PAT typically uses 1024–65535)

  UDP
    Session identifier: Source port (16-bit field in the UDP header)
    PAT behaviour: Same port-based mapping as TCP; no connection state, so the entry expires on the inactivity timer (UDP has no teardown)
    Port range available: Up to 65,535 ports

  ICMP
    Session identifier: Query ID (16-bit identifier in the ICMP Echo header)
    PAT behaviour: Uses the ICMP Query ID as a pseudo-port for mapping. Each ping has a unique Query ID. The router rewrites the Query ID in outgoing ICMP and uses it to demultiplex replies back to the correct host
    Port range available: Up to 65,535 unique query IDs

  FTP (active mode)
    Session identifier: Separate control (port 21) and data (port 20) connections
    PAT behaviour: Requires a NAT Application Layer Gateway (ALG): the FTP control connection carries the data port number in the payload, so the router must inspect and rewrite the payload to fix the embedded port; enabled with ip nat service ftp
    Port range available: Standard ports

  IPsec ESP
    Session identifier: No port number (Layer 3 protocol)
    PAT behaviour: ESP (protocol 50) has no port, so PAT cannot track it by default; requires NAT-T (UDP encapsulation, port 4500), see IPsec Basics
    Port range available: N/A without NAT-T

ICMP and PAT detail: When PC1 pings 8.8.8.8, the ICMP Echo packet has a Query ID (e.g., 512). The router maps this as if it were a port: 192.168.1.10 [ICMP ID 512] → 203.0.113.1 [ICMP ID 512]. The Google server copies the Query ID into its Echo Reply; the router uses it to route the reply back to PC1. This is why ICMP appears in the PAT table even though ICMP has no ports.
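The packet flow of section 3 and the per-protocol handling above, as an added Python model (not IOS code and not from this page): it performs the standard-ACL wildcard check, hands out ports from 1024 upward as in the walkthrough, reuses the ICMP query ID as the pseudo-port, drops inbound packets with no matching entry, ages entries with the page's default timeouts, and reports exhaustion by returning None. The `last_port` parameter is an assumption added so exhaustion can be shown with a tiny port range.

```python
"""Toy model of Cisco-style PAT (NAT overload): ACL check, port allocation,
reverse lookup for replies, ICMP query-ID handling, timeouts and exhaustion.
Added illustration for this page; not IOS code."""
import ipaddress
from dataclasses import dataclass

# Default per-protocol translation timeouts quoted on this page (seconds)
TIMEOUTS = {"tcp": 86400, "udp": 300, "icmp": 60}
FIRST_PORT = 1024  # the page's walkthrough hands out 1024, 1025, ...


def wildcard_match(addr, base, wildcard):
    """Cisco standard-ACL test: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)


@dataclass
class Entry:
    proto: str            # tcp / udp / icmp
    inside_local: tuple   # (private IP, source port or ICMP query ID)
    inside_global: tuple  # (public IP, translated port or query ID)
    outside: tuple        # (destination IP, destination port)
    age: int = 0          # seconds since the entry was last used


class PatRouter:
    def __init__(self, public_ip, acl, last_port=65535):
        self.public_ip = public_ip
        self.acl = acl           # list of (base, wildcard) permit statements
        self.last_port = last_port  # assumption: shrink it to demonstrate exhaustion
        self.table = {}          # (proto, global port) -> Entry, used for replies
        self.sessions = {}       # (proto, local ip, local id, outside) -> global port

    def _allocate(self, proto, wanted):
        # ICMP: keep the query ID as the pseudo-port when it is free (512 -> 512)
        if proto == "icmp" and (proto, wanted) not in self.table:
            return wanted
        for port in range(FIRST_PORT, self.last_port + 1):
            if (proto, port) not in self.table:
                return port
        return None  # port exhaustion for this protocol on this public IP

    def outbound(self, proto, src_ip, src_id, dst_ip, dst_id):
        """Steps 1-4: return the translated (src_ip, src_id), or None if dropped."""
        if not any(wildcard_match(src_ip, b, w) for b, w in self.acl):
            return (src_ip, src_id)  # not selected by the ACL: forwarded untranslated
        key = (proto, src_ip, src_id, (dst_ip, dst_id))
        if key in self.sessions:     # later packets of the same session hit the entry
            entry = self.table[(proto, self.sessions[key])]
            entry.age = 0
            return entry.inside_global
        port = self._allocate(proto, src_id)
        if port is None:
            return None
        entry = Entry(proto, (src_ip, src_id), (self.public_ip, port), (dst_ip, dst_id))
        self.table[(proto, port)] = entry
        self.sessions[key] = port
        return entry.inside_global

    def inbound(self, proto, src_ip, src_id, dst_id):
        """Steps 5-7: reverse-translate a reply to the public IP; None = dropped."""
        entry = self.table.get((proto, dst_id))
        if entry is None or entry.outside != (src_ip, src_id):
            return None  # no matching entry: unsolicited inbound traffic is dropped
        entry.age = 0
        return entry.inside_local

    def tick(self, seconds):
        """Age every entry and expire those past their protocol timeout; returns table size."""
        for gkey, entry in list(self.table.items()):
            entry.age += seconds
            if entry.age >= TIMEOUTS[entry.proto]:
                del self.table[gkey]
                del self.sessions[(entry.proto, *entry.inside_local, entry.outside)]
        return len(self.table)


if __name__ == "__main__":
    r = PatRouter("203.0.113.1", [("192.168.1.0", "0.0.0.255")])
    print(r.outbound("tcp", "192.168.1.10", 49200, "142.250.190.46", 80))  # ('203.0.113.1', 1024)
    print(r.inbound("tcp", "142.250.190.46", 80, 1024))                    # ('192.168.1.10', 49200)
```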

6. Cisco IOS PAT Configuration — Complete Guide

Option A — PAT Using Interface IP (Most Common)

This is the standard home/small office configuration. The router uses whatever public IP the ISP assigned to the outside interface — ideal when you have a single dynamic IP from your ISP.

! ── Step 1: Define which internal IPs are translated ─────────────────────
! Standard ACL: permits the inside network(s) that will use PAT
Router(config)# access-list 1 permit 192.168.1.0 0.0.0.255

! For multiple subnets, add additional ACL statements:
! Router(config)# access-list 1 permit 10.0.0.0 0.0.0.255
! Router(config)# access-list 1 permit 172.16.0.0 0.0.255.255

! ── Step 2: Enable PAT — overload the outside interface IP ───────────────
! "list 1" = use ACL 1 to select inside hosts
! "interface Gi0/1" = use this interface's IP as the public IP
! "overload" = enable PAT (many-to-one) instead of Dynamic NAT (many-to-many)
Router(config)# ip nat inside source list 1 interface GigabitEthernet0/1 overload

! ── Step 3: Mark interfaces as inside or outside ─────────────────────────
! CRITICAL: Must be configured or NAT will not work
Router(config)# interface GigabitEthernet0/0     ! LAN interface
Router(config-if)# ip nat inside                 ! ← packets FROM here get translated
Router(config-if)# exit

Router(config)# interface GigabitEthernet0/1     ! WAN/internet interface
Router(config-if)# ip nat outside                ! ← translated packets leave HERE
Router(config-if)# exit

Option B — PAT Using a Pool of Public IPs

When you have multiple public IPs (e.g., a /29 subnet from your ISP), you can configure a pool. Adding overload to a pool enables PAT across all pool IPs — each pool IP can carry up to ~64,000 sessions.

! Define the pool of public IPs:
Router(config)# ip nat pool PAT_POOL 203.0.113.1 203.0.113.3 netmask 255.255.255.248

! Enable PAT using the pool (overload = enable port translation):
Router(config)# ip nat inside source list 1 pool PAT_POOL overload
! Without "overload": this would be Dynamic NAT (one public IP per session)
! With "overload": PAT — all pool IPs can be shared across thousands of sessions

Complete Working Configuration — 50-Host Office

! Topology:
! LAN subnet: 192.168.1.0/24 (50 PCs + servers)
! Router inside interface Gi0/0: 192.168.1.1/24
! Router outside interface Gi0/1: 203.0.113.1/30 (from ISP)

hostname Edge-Router
!
! ACL: allow all hosts in 192.168.1.0/24 to use PAT
access-list 1 permit 192.168.1.0 0.0.0.255
!
! Enable PAT using the outside interface IP
ip nat inside source list 1 interface GigabitEthernet0/1 overload
!
! Configure interfaces
interface GigabitEthernet0/0
 description LAN-Inside
 ip address 192.168.1.1 255.255.255.0
 ip nat inside            ! ← mark as inside
 no shutdown
!
interface GigabitEthernet0/1
 description WAN-Outside-ISP
 ip address 203.0.113.1 255.255.255.252
 ip nat outside           ! ← mark as outside
 no shutdown
!
! Default route pointing to ISP gateway
ip route 0.0.0.0 0.0.0.0 203.0.113.2

7. Verification Commands — Reading the Output

! ── View active NAT translations ─────────────────────────────────────────
Router# show ip nat translations

Pro  Inside global          Inside local           Outside local          Outside global
tcp  203.0.113.1:1024       192.168.1.10:49200     142.250.190.46:80      142.250.190.46:80
tcp  203.0.113.1:1025       192.168.1.11:51000     208.65.153.238:443     208.65.153.238:443
udp  203.0.113.1:5000       192.168.1.10:53247     8.8.8.8:53             8.8.8.8:53

! ── View all translations including static ───────────────────────────────
Router# show ip nat translations verbose
! Adds: create time, use count, flags for each entry

! ── View NAT statistics ───────────────────────────────────────────────────
Router# show ip nat statistics

Total active translations: 47 (0 static, 47 dynamic; 47 extended)
Peak translations: 312, occurred 00:45:22 ago
Outside interfaces: GigabitEthernet0/1
Inside interfaces: GigabitEthernet0/0
Hits: 28543  Misses: 47
CEF Translated packets: 28543, CEF Punted packets: 0
Expired translations: 1203
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 1 interface GigabitEthernet0/1 refcount 47

! Key fields:
! Hits: packets that matched an existing translation entry (fast path)
! Misses: new sessions requiring a new table entry (first packet)
! Expired translations: how many sessions have timed out and been removed

! ── Clear all dynamic NAT translations (useful for troubleshooting) ───────
Router# clear ip nat translation *
! WARNING: This drops ALL active sessions momentarily

! ── Clear a specific translation ──────────────────────────────────────────
Router# clear ip nat translation inside 192.168.1.10

! ── Real-time NAT debugging (use carefully in production) ────────────────
Router# debug ip nat
! Shows each translation event in real time
! Example output:
! NAT: s=192.168.1.10->203.0.113.1, d=8.8.8.8 [55]
! NAT*: s=8.8.8.8, d=203.0.113.1->192.168.1.10 [55]
! (asterisk = fast-switching path)
Router# undebug all   ! Always disable debugging when done

8. Port Exhaustion — Causes and Fixes

Each public IP address has a theoretical maximum of 65,535 ports, but the usable PAT range is typically ports 1024–65535 (approximately 64,512 per public IP). Under normal conditions this is more than sufficient, but certain scenarios can cause exhaustion.

  Stale TCP entries
    Detail: The default TCP timeout is 24 hours; connections that close without a proper FIN/RST exchange leave stale entries that consume ports for 24 hours
    Solution: Reduce the TCP timeout: ip nat translation tcp-timeout 3600 (1 hour); keep the timeout for connections that have seen a FIN or RST short with ip nat translation finrst-timeout 60

  High-connection applications
    Detail: P2P applications, web scrapers, or malware can open thousands of simultaneous connections per host
    Solution: Identify the source with show ip nat translations; apply rate limiting or an ACL to block offending hosts; consider adding more public IPs to the PAT pool

  Large user base on a single IP
    Detail: More than ~10,000–30,000 concurrent sessions for a single public IP (e.g., a corporate site with one IP for hundreds of users)
    Solution: Add more public IPs to the pool: ip nat pool PAT_POOL 203.0.113.1 203.0.113.4 netmask 255.255.255.0 → 4 IPs × 64K ports = 256K sessions

  Short-lived UDP sessions lingering
    Detail: DNS queries (UDP/53) have a 300-second default timeout; on busy networks many DNS entries build up quickly
    Solution: Reduce the UDP timeout: ip nat translation udp-timeout 30 (30 seconds is plenty for a DNS query/response cycle)
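Both the table above and the troubleshooting section rely on reading show ip nat translations to spot exhaustion and chatty hosts. The following is an added Python example (not from this page or from Cisco) that parses that output offline: the sample text is constructed to match the page's column layout, the `---` entry models a static mapping (excluded from the dynamic count), and the 64,512-port capacity and 90 % warning threshold are the assumptions used.

```python
"""Parse 'show ip nat translations' output and flag port exhaustion and
high-connection inside hosts. Added example for this page; sample data is constructed."""
from collections import Counter

USABLE_PORTS = 65535 - 1024 + 1  # 64,512 per public IP, the figure the page uses

# Constructed sample in the page's column layout; the '---' row is a static mapping
SAMPLE = """\
Pro  Inside global          Inside local           Outside local          Outside global
tcp  203.0.113.1:1024       192.168.1.10:49200     142.250.190.46:80      142.250.190.46:80
tcp  203.0.113.1:1025       192.168.1.11:51000     208.65.153.238:443     208.65.153.238:443
udp  203.0.113.1:5000       192.168.1.10:49201     8.8.8.8:53             8.8.8.8:53
icmp 203.0.113.1:512        192.168.1.10:512       8.8.8.8:512            8.8.8.8:512
---  203.0.113.2            192.168.1.5            ---                    ---
"""


def split_addr(token):
    """'203.0.113.1:1024' -> ('203.0.113.1', 1024); a bare IP or '---' -> (token, None)."""
    ip, sep, port = token.rpartition(":")
    return (ip, int(port)) if sep else (token, None)


def parse_translations(text):
    """Return one dict per table row; header and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] == "Pro":
            continue
        proto, ig, il, ol, og = fields
        entries.append({
            "proto": proto,                       # '---' marks a static, non-PAT mapping
            "inside_global": split_addr(ig),
            "inside_local": split_addr(il),
            "outside_global": split_addr(og),
        })
    return entries


def dynamic(entries):
    return [e for e in entries if e["proto"] != "---"]


def sessions_per_global_ip(entries):
    """Dynamic entries per public IP: the number that counts toward port exhaustion."""
    return Counter(e["inside_global"][0] for e in dynamic(entries))


def busiest_inside_hosts(entries, n=3):
    """Inside local addresses holding the most entries (high-connection hosts)."""
    return Counter(e["inside_local"][0] for e in dynamic(entries)).most_common(n)


def exhaustion_status(sessions, warn_ratio=0.9):
    """{public_ip: count} -> {public_ip: (used, free, warning)}; warn at 90 % by assumption."""
    return {ip: (n, USABLE_PORTS - n, n / USABLE_PORTS >= warn_ratio)
            for ip, n in sessions.items()}


if __name__ == "__main__":
    rows = parse_translations(SAMPLE)
    print(sessions_per_global_ip(rows))                        # Counter({'203.0.113.1': 4})
    print(busiest_inside_hosts(rows))                          # [('192.168.1.10', 3), ('192.168.1.11', 1)]
    print(exhaustion_status({"203.0.113.1": 62000}))           # {'203.0.113.1': (62000, 2512, True)}
```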

Timeout Tuning Commands

! Reduce TCP established timeout (default: 86400 seconds / 24 hours):
Router(config)# ip nat translation tcp-timeout 3600

! Timeout for TCP entries whose connection has seen a FIN or RST (default: 60 seconds):
Router(config)# ip nat translation finrst-timeout 60

! Reduce UDP timeout (default: 300 seconds):
Router(config)# ip nat translation udp-timeout 30

! Reduce ICMP timeout (default: 60 seconds):
Router(config)# ip nat translation icmp-timeout 30

! Reduce DNS timeout (default: 15 seconds — already short):
Router(config)# ip nat translation dns-timeout 15

! Set overall timeout for all protocols (legacy global command):
Router(config)# ip nat translation timeout 3600

! Verify configured timeouts:
Router# show ip nat translations verbose   ! Shows age of each entry
Router# show running-config | include nat translation

9. PAT vs Static NAT vs Dynamic NAT

  Mapping type
    PAT (NAT Overload): Many-to-one (port-based)
    Dynamic NAT: Many-to-many (IP pool)
    Static NAT: One-to-one (permanent)

  Public IPs required
    PAT (NAT Overload): One IP can serve thousands
    Dynamic NAT: One public IP per concurrent session
    Static NAT: One dedicated public IP per internal host

  Port numbers modified
    PAT (NAT Overload): Yes; source port rewritten by the router
    Dynamic NAT: No; only the IP address is translated
    Static NAT: No; only the IP address is translated (bidirectionally)

  Inbound connections
    PAT (NAT Overload): Not supported by default; external hosts cannot initiate connections to internal devices (no port forwarding)
    Dynamic NAT: Not supported; outbound only (session must be initiated from inside)
    Static NAT: Fully supported; external hosts can reach the server using its public IP

  IOS keyword
    PAT (NAT Overload): overload
    Dynamic NAT: (no overload keyword)
    Static NAT: ip nat inside source static

  NAT table entry
    PAT (NAT Overload): Dynamic; created on first packet, expires on timeout
    Dynamic NAT: Dynamic; created when a translation is needed, expires after inactivity
    Static NAT: Static; always present in the table, never expires

  IP conservation
    PAT (NAT Overload): Maximum; ideal for environments with few public IPs
    Dynamic NAT: Low; requires one public IP per user, not practical today
    Static NAT: None; uses one public IP per server

  Typical use case
    PAT (NAT Overload): Home internet, office internet access, outbound-only enterprise internet edge
    Dynamic NAT: Legacy environments requiring transparent NAT without port translation; rarely used today
    Static NAT: Web servers, mail servers, FTP servers, cameras, VPN endpoints needing inbound access

10. Combining PAT and Static NAT

Real enterprise networks typically combine both: PAT for all outbound user traffic, and Static NAT for servers that need to be reachable from the internet.

  Common enterprise edge design:

  Internet ──── Gi0/1 (outside) ──── Router ──── Gi0/0 (inside) ──── LAN
                203.0.113.1                                        192.168.1.0/24

  PAT: All user PCs (192.168.1.10–192.168.1.200) share 203.0.113.1
  Static NAT: Web server (192.168.1.5) mapped permanently to 203.0.113.2
              Mail server (192.168.1.6) mapped permanently to 203.0.113.3

! Static NAT for servers (inbound + outbound):
ip nat inside source static 192.168.1.5 203.0.113.2   ! Web server
ip nat inside source static 192.168.1.6 203.0.113.3   ! Mail server

! PAT for all user workstations (outbound only):
! A wildcard mask cannot express the range .10 through .200 (0.0.0.190 would
! match only even addresses in .0-.63 and .128-.191), so exclude the two
! statically translated servers and permit the rest of the subnet instead
access-list 10 deny 192.168.1.5
access-list 10 deny 192.168.1.6
access-list 10 permit 192.168.1.0 0.0.0.255
ip nat inside source list 10 interface GigabitEthernet0/1 overload

! Interface config (same inside/outside applies to both NAT types):
interface GigabitEthernet0/0
 ip nat inside
interface GigabitEthernet0/1
 ip nat outside

See Static NAT for full static NAT configuration and the Static NAT lab for a hands-on walkthrough.

11. PAT and IPv6 — Why PAT Matters Less in IPv6

PAT exists primarily to conserve scarce IPv4 addresses. In IPv6, the address space is so large (2¹²⁸ ≈ 340 undecillion addresses) that every device on earth can have multiple globally unique IPv6 addresses — address scarcity is not a concern.

  • IPv6 does not require NAT or PAT for address conservation
  • IPv6 devices typically receive a globally routable IPv6 address directly (via SLAAC or DHCPv6)
  • End-to-end connectivity is restored in IPv6 — no NAT barrier breaking applications
  • IPv6 privacy extensions (RFC 4941) generate temporary randomised addresses to replace the privacy function that NAT accidentally provided in IPv4
  • NAT66 (IPv6-to-IPv6 NAT) exists but is considered poor practice in IPv6 design — use firewalls for security instead

Related page: IPv6 Fundamentals

12. Troubleshooting PAT

  Symptom: Internal clients cannot reach the internet at all; no translations appear in show ip nat translations
    Likely cause: Missing ip nat inside / ip nat outside on the interfaces; ACL not matching the traffic; missing default route
    Diagnostic & fix: Run show ip nat statistics; a Misses counter that stays at 0 means no packets are reaching the NAT process at all; verify the interface roles with show ip nat interface; verify the ACL with show access-lists; check the default route with show ip route

  Symptom: Some internal hosts work but others don't
    Likely cause: ACL is too restrictive; it only permits a subset of the inside network, and hosts outside the permitted range are not translated
    Diagnostic & fix: show access-lists 1; verify the permit statement covers all inside hosts; add ACL entries or extend the wildcard mask

  Symptom: Connections work briefly then fail; translations disappear quickly
    Likely cause: Translation timeout set too short, or clear ip nat translation * being run
    Diagnostic & fix: show ip nat statistics; check the rate at which Expired translations grows; increase the timeout values; verify that no automation script is clearing the table

  Symptom: FTP connections fail or show garbage data in active mode
    Likely cause: FTP ALG (Application Layer Gateway) not enabled; FTP embeds port numbers in the payload, which PAT does not rewrite
    Diagnostic & fix: Enable the FTP ALG: ip nat service ftp 21; consider using passive FTP mode, which is easier with NAT

  Symptom: IPsec VPN fails when behind PAT
    Likely cause: ESP (protocol 50) has no port, so PAT cannot track it without NAT-T; PAT breaks ESP's integrity check
    Diagnostic & fix: Enable NAT-T on the VPN device (encapsulates ESP in UDP 4500); ensure UDP 500 and UDP 4500 are allowed; see IPsec Basics and IPsec VPN

  Symptom: Network appears slow; users report sporadic connection failures
    Likely cause: Port exhaustion; the PAT table is full and new sessions are being dropped
    Diagnostic & fix: show ip nat translations | count; if the count is close to 65,000 entries for one IP, port exhaustion is occurring; reduce the timeouts or add more public IPs to the pool

13. PAT Advantages and Limitations

  Advantage: IP conservation
    One public IP can support thousands of simultaneous internal users; fundamental to IPv4 sustainability

  Advantage: Security by obscurity
    Internal private IP addresses are hidden from the internet; external attackers cannot directly address internal hosts; unsolicited inbound connections are dropped (no translation entry = no delivery)

  Advantage: Simplicity
    Requires only one public IP; minimal configuration; standard in virtually all home and small office routers

  Limitation: Breaks end-to-end connectivity
    PAT is stateful and outbound-only by default; devices behind PAT cannot be reached directly from the internet without additional configuration (port forwarding / static NAT)

  Limitation: Application incompatibility
    Applications that embed IP addresses in payloads (FTP active mode, SIP/VoIP, some video conferencing protocols) break with PAT without ALG support; IPsec ESP breaks without NAT-T

  Limitation: Logging/forensics difficulty
    Multiple internal users appear as the same public IP; logs on external servers only show the public IP + port, making it harder to trace activity to a specific internal host without correlating against the NAT table

  Limitation: Port exhaustion
    ~64,000 ports per public IP; normally sufficient, but high-connection applications or large user populations may exhaust the available ports

14. Key Points & Exam Tips

  • PAT = Port Address Translation = NAT Overload. Many internal private IPs share one public IP using unique port numbers per session.
  • Inside Local: Private IP of the internal device (192.168.1.10:49200). Inside Global: Public IP + port representing it externally (203.0.113.1:1024). These are the two sides of every PAT translation entry.
  • The overload keyword in ip nat inside source list 1 interface Gi0/1 overload is what makes this PAT instead of Dynamic NAT. Without overload, only Dynamic NAT (one IP per session) is configured.
  • ACL purpose in PAT: The ACL identifies which inside hosts are eligible for translation — it does not filter traffic for security; it's a match criteria for the NAT rule.
  • Both interfaces must be tagged: ip nat inside on LAN interface, ip nat outside on WAN interface. Missing either breaks all translations.
  • ICMP uses Query ID (not port numbers) as the session identifier for PAT — this is why ping works through PAT.
  • FTP active mode requires the FTP ALG; IPsec ESP requires NAT-T (UDP 4500 encapsulation) to function through PAT.
  • Port exhaustion: each public IP supports ~64,000 concurrent sessions. Fix with ip nat translation tcp-timeout 3600 or add more IPs to pool.
  • Verify with show ip nat translations (active sessions), show ip nat statistics (hit/miss counts, expired entries), and debug ip nat (real-time translation events).
  • PAT cannot support inbound connections without port forwarding (static NAT). Combine PAT (for users) with Static NAT (for servers) in real deployments.

Related pages: Static NAT | Dynamic NAT | Private vs Public IP | IP Addressing | IPsec Basics | IPv6 Fundamentals | Dynamic NAT & PAT Lab | Static NAT Lab | Troubleshooting NAT/PAT

15. Port Address Translation (PAT) Quiz

1. A network engineer forgets to add the overload keyword to the command ip nat inside source list 1 interface Gi0/1. The network has 50 internal hosts but only 1 public IP. What behaviour results, and how does adding overload fix it?

Correct answer is D. The overload keyword is what distinguishes PAT (NAT Overload) from Dynamic NAT. Without it, ip nat inside source list 1 interface Gi0/1 configures Dynamic NAT — the router tries to use the interface's IP as the sole entry in a one-IP pool. Dynamic NAT allocates one public IP per active session — with only one public IP, only one internal host can be translated at any given moment. The remaining 49 hosts have their packets arrive at the NAT process but find no available public IP, so their connections are dropped. With overload added, the router enables port-level tracking: each internal host's session gets a unique source port on the shared public IP. All 50 hosts (and thousands more) can use internet simultaneously as long as their session's port numbers are unique.

2. An administrator runs show ip nat translations and sees the same Inside Global IP (203.0.113.1) appear in 847 different table entries, each with a different port number. Three entries belong to the same Inside Local IP (192.168.1.25). What does this output confirm about PAT operation?

Correct answer is B. This output perfectly illustrates PAT's core mechanism. 847 entries all using the same Inside Global IP (203.0.113.1) but with different port numbers is exactly what PAT is designed to produce — the public IP is "overloaded" with many sessions, differentiated only by port. The same host (192.168.1.25) appearing three times is completely normal: a modern user has many simultaneous connections open. A browser alone may have 20+ TCP connections open simultaneously (main HTML, CSS, JS files, images, AJAX calls). Each connection generates a separate NAT table entry with a unique source port on the outside. PAT is working exactly as designed. Port conflict (option C) would be impossible — the router assigns unique ports specifically to prevent conflicts. Exhaustion (option D) would only be a concern if entries approached 65,000.

3. A user behind PAT runs ping 8.8.8.8 from their PC. The ICMP Echo packet has no port number field. How does the router track this ping session in the PAT table to return the reply to the correct internal host?

Correct answer is C. ICMP Echo (ping) does not use ports — it is a Layer 3 protocol. However, ICMP Echo packets contain a 16-bit Identifier (Query ID) field that the OS sets when creating a ping request (e.g., Query ID = 512). The ICMP Echo Reply copies this same Identifier value back, allowing the original sender to match replies to requests. Cisco's PAT implementation exploits this: it treats the ICMP Query ID exactly like a port number for NAT table purposes. The NAT table entry looks like: icmp 203.0.113.1:512 → 192.168.1.10:512 (using the Query ID as the "port"). When the reply arrives from 8.8.8.8 destined to 203.0.113.1 with Query ID 512, the router looks up the PAT table, finds the match, and forwards the reply to 192.168.1.10. This is confirmed in the show ip nat translations output where ICMP entries appear with "icmp" protocol and a number in the port field (which is actually the Query ID).

4. An administrator configures PAT but internal hosts still cannot reach the internet. show ip nat translations shows no entries. show ip nat statistics shows Hits: 0, Misses: 0. What is the most likely configuration problem?

Correct answer is A. The critical diagnostic clue is Hits: 0, Misses: 0 in show ip nat statistics. Misses represents the count of new NAT translation attempts — packets that matched the ACL and needed a new entry created. If Misses is 0, it means zero packets ever reached the NAT engine for processing. This only happens when the NAT interfaces are not marked correctly. The NAT process only examines packets on interfaces that have ip nat inside or ip nat outside configured — if neither is set, NAT ignores all traffic entirely. Missing overload (option B) would show Misses incrementing but the translation failing to create PAT entries. A wrong ACL number would show Misses incrementing but no translations matching. The interface marking is the most fundamental requirement — NAT cannot function without knowing which interfaces are inside and which are outside.

5. A company has 500 employees all using PAT through a single public IP. The network team notices intermittent internet failures at peak hours. show ip nat translations | count shows 62,000 active entries. What is happening and what are the most effective fixes?

Correct answer is C. 62,000 active translations against a maximum of ~64,512 per public IP means the system is within 2,500 ports of exhaustion. When the remaining ports are consumed, new connection attempts are dropped — hence intermittent failures. The default TCP established timeout is 86,400 seconds (24 hours). A user who closes a browser tab doesn't necessarily send FIN/RST — the NAT entry persists for 24 hours consuming a port slot. Reducing the TCP timeout to 3,600 seconds (1 hour) or even 1,800 seconds (30 minutes) would dramatically reduce the number of stale entries. Command: ip nat translation tcp-timeout 3600. Adding a second public IP to the pool doubles capacity: ip nat pool MY_POOL 203.0.113.1 203.0.113.2 netmask 255.255.255.252. The class of IP address is irrelevant to port capacity — Class A/B/C only affects network size, not port count per IP.

6. A network uses PAT for all internal users. The IT team wants to host a web server (192.168.1.5) that must be accessible from the internet on port 80. Why does PAT alone not support this, and what must be added?

Correct answer is B. This is one of the most important PAT limitations. PAT creates translation entries only when a session is initiated from the inside. The table entry contains both the inside host information AND the outside destination — it is a specific session entry. When an external client sends a SYN to 203.0.113.1:80, the router receives it on the outside interface, looks up the PAT table for an entry matching destination 203.0.113.1:80, finds none (no inside host opened a session to this specific external client), and drops the packet. To fix this, a static NAT mapping is required: ip nat inside source static tcp 192.168.1.5 80 203.0.113.1 80. This creates a permanent table entry: any packet arriving at 203.0.113.1:80 is forwarded to 192.168.1.5:80, regardless of direction. This can coexist with PAT — the static entry takes priority for port 80, while PAT handles all outbound sessions.

7. What is the Inside Local and Inside Global address in the following NAT translation table entry?
tcp 203.0.113.1:2048    10.0.0.50:54231    93.184.216.34:443    93.184.216.34:443

Correct answer is D. Reading the show ip nat translations output in column order: Column 1 (Inside global): 203.0.113.1:2048 — this is the public IP + translated port. Column 2 (Inside local): 10.0.0.50:54231 — this is the internal device's private IP + its original source port. Column 3 (Outside local): 93.184.216.34:443. Column 4 (Outside global): 93.184.216.34:443. The Inside Local is always the private RFC1918 address (10.0.0.50 is in the 10.0.0.0/8 private range). The Inside Global is always the public/routable IP. The public IP 203.0.113.1 is a TEST-NET address used in documentation — in real deployments this would be an actual ISP-assigned public IP. The destination 93.184.216.34 is example.com's actual IP address. The connection is: internal host 10.0.0.50 accessing example.com over HTTPS (port 443), being PAT-translated to public IP 203.0.113.1 with assigned port 2048.

8. A user behind PAT complains that FTP file transfers work in passive mode but fail in active mode. The IT team confirms that basic PAT is configured correctly and other traffic works fine. What causes active FTP to fail through PAT, and what resolves it?

Correct answer is A. Active FTP has a unique NAT problem related to how the protocol works. In active FTP: (1) Client connects to server port 21 (control connection) — this works through PAT normally. (2) Client sends a PORT command containing its private IP address and a random port in the text payload (e.g., "PORT 192,168,1,10,195,212"). (3) FTP server opens a DATA connection from port 20 to the IP and port specified in the PORT command. The problem: the PORT command contains the client's private IP (192.168.1.10) in the payload text. PAT translates the IP header's source address but does not touch the payload — the FTP server receives instructions to connect to 192.168.1.10 which is an unreachable private address from the internet. The FTP ALG (Application Layer Gateway) solution: the router inspects FTP control sessions, detects PORT commands, rewrites the embedded private IP to the public IP, and dynamically creates a PAT entry for the incoming data connection. Enable with: ip nat service ftp 21. Passive FTP works because in passive mode, it's the CLIENT that opens both connections — the outbound-only PAT handles this naturally.
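The PORT-command rewrite an FTP ALG performs, as an added Python model (not Cisco code and not from the original page): it parses the payload, rewrites only private (RFC1918) addresses to the public IP, and returns the PAT pinhole the ALG would install for the server's data connection. The public IP 203.0.113.1 and the allocated port are constructed values.

```python
import ipaddress
import re

PUBLIC_IP = "203.0.113.1"   # router's inside global address (constructed example value)
_PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r?\n?$")


def parse_port_command(line):
    """Return (ip, port) from an active-FTP PORT command, or None if malformed."""
    m = _PORT_RE.match(line)
    if not m:
        return None
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        return None
    ip = ".".join(str(o) for o in octets[:4])
    port = octets[4] * 256 + octets[5]       # FTP encodes the port as two bytes, high then low
    return ip, port


def alg_rewrite(line, next_port):
    """Model of the FTP ALG step: rewrite an embedded private IP to PUBLIC_IP and
    allocate next_port for the inbound data connection.

    Returns (rewritten_line, pinhole); pinhole is the PAT entry to install, or
    None when the payload needs no translation (malformed or already public)."""
    parsed = parse_port_command(line)
    if parsed is None:
        return line, None
    client_ip, client_port = parsed
    if not ipaddress.ip_address(client_ip).is_private:
        return line, None                    # the server can already reach this address
    pub = [int(o) for o in PUBLIC_IP.split(".")]
    new_line = "PORT %d,%d,%d,%d,%d,%d\r\n" % (*pub, next_port // 256, next_port % 256)
    pinhole = {
        "inside_global": (PUBLIC_IP, next_port),   # where the server's port-20 SYN will arrive
        "inside_local": (client_ip, client_port),  # where the router must forward it
    }
    return new_line, pinhole
```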

9. Two branch offices share an MPLS WAN. Branch A has subnet 10.1.0.0/24 and Branch B has 10.2.0.0/24. Both branches use PAT at their internet edge routers to access the internet. An IT manager asks: "Do the branch office users communicating WITH EACH OTHER over the MPLS WAN go through PAT?" Why or why not?

Correct answer is C. PAT's scope is defined by: (1) The ACL — which source addresses to translate. (2) The interface roles — PAT only translates traffic exiting the ip nat outside interface. In a properly designed network, the MPLS WAN interface would be marked ip nat inside (or not marked for NAT at all) and only the internet-facing interface would be ip nat outside. Traffic from Branch A to Branch B travels: Branch A LAN → router → MPLS WAN interface — this interface is not ip nat outside, so PAT is never applied. Additionally, MPLS carriers support RFC1918 private addresses — 10.1.0.0 and 10.2.0.0 are perfectly routable over a private MPLS VPN. NAT is only needed at the internet boundary where private IPs would be invalid. If PAT were accidentally applied to MPLS traffic, it would break communication by translating the source IP and making the return traffic unroutable.

10. A Cisco router running PAT shows this in show ip nat statistics:
Hits: 45,230   Misses: 312
What do these counters specifically indicate about PAT operation?

Correct answer is B. The Hits/Misses counters in show ip nat statistics are packet-level counters that reveal NAT efficiency. A "Hit" occurs when an incoming packet matches an existing NAT table entry — the router looks up the table, finds the match, and translates immediately (fast path). A "Miss" occurs when a packet arrives that does NOT match any existing entry — this is a new session. The router processes it through the slow path: checks the ACL, creates a new NAT table entry, and then translates. After the entry is created, all subsequent packets in that session produce Hits. In this example: 312 new sessions were opened (Misses = 312); those sessions collectively generated 45,230 packets that were translated using existing entries (Hits = 45,230). A healthy ratio shows many more Hits than Misses — meaning most traffic is ongoing sessions rather than new sessions. Very high Misses (relative to Hits) might indicate a scanning attack or many short-lived connections. Zero Misses (as in Question 4's scenario) indicates NAT is not processing any traffic at all — typically because interfaces aren't marked correctly.
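The behaviour described in Questions 6, 7 and 10, as an added Python model (constructed for this page, not Cisco code): a PAT table that counts a Hit when a packet matches an existing entry and a Miss when it does not, drops unsolicited inbound packets unless a static port mapping exists, and prints entries in show ip nat translations column order. The addresses and ports are the page's documentation values; the hypothetical PatRouter class is an assumption.

```python
from dataclasses import dataclass, field


@dataclass
class PatRouter:
    """Toy model of a PAT table with Cisco-style Hit/Miss counters (constructed, not Cisco code)."""
    public_ip: str
    next_port: int = 1024
    table: dict = field(default_factory=dict)   # global port -> (inside_local, outside)
    static: dict = field(default_factory=dict)  # global port -> inside_local (permanent entry)
    hits: int = 0
    misses: int = 0

    def add_static(self, inside_ip, inside_port, public_port):
        # Models: ip nat inside source static tcp <inside_ip> <inside_port> <public_ip> <public_port>
        self.static[public_port] = (inside_ip, inside_port)

    def outbound(self, src, dst):
        """Inside -> outside packet; src/dst are (ip, port). Returns the translated source."""
        for gport, (ilocal, outside) in self.table.items():
            if ilocal == src and outside == dst:
                self.hits += 1                     # fast path: existing entry
                return (self.public_ip, gport)
        self.misses += 1                           # slow path: new session, build an entry
        while self.next_port in self.static:       # never hand out a statically mapped port
            self.next_port += 1
        gport, self.next_port = self.next_port, self.next_port + 1
        self.table[gport] = (src, dst)
        return (self.public_ip, gport)

    def inbound(self, src, dst):
        """Outside -> inside packet. Returns the inside destination, or None if dropped."""
        if dst[0] != self.public_ip:
            return None
        gport = dst[1]
        if gport in self.static:                   # static entry wins for its port
            self.hits += 1
            return self.static[gport]
        entry = self.table.get(gport)
        if entry and entry[1] == src:              # only the peer this session was opened to
            self.hits += 1
            return entry[0]
        self.misses += 1                           # no matching entry: unsolicited inbound, dropped
        return None

    def translations(self):
        """Rows in show ip nat translations order: inside global, inside local, outside local, outside global."""
        return ["tcp %s:%d    %s:%d    %s:%d    %s:%d" % (self.public_ip, g, *il, *out, *out)
                for g, (il, out) in sorted(self.table.items())]
```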
