
NAT/PAT Study Guide: Static, Dynamic, Port Forwarding, and Troubleshooting Essentials

As a seasoned networking administrator with extensive experience in IP address conservation and security implementations, I regularly revisit Network Address Translation (NAT) and Port Address Translation (PAT) to address IPv4 exhaustion and firewalling needs. NAT/PAT enables private networks to access the public internet via address mapping, but misconfigurations can lead to connectivity blackholes. This guide delivers a detailed yet concise reference on static/dynamic NAT, PAT (overload), port forwarding, Cisco IOS configurations, and troubleshooting—perfect for edge routing, DMZ setups, or certification refresh. For new learners, I’ve added simple line diagrams (using ASCII art) to visualize packet flows.

NAT/PAT Fundamentals

NAT (RFC 3022) translates IP addresses between private (RFC 1918: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and public ranges, conserving IPv4 addresses while hiding internal topology. PAT extends NAT by multiplexing multiple private IPs to a single public IP using ports.

  • Key Concepts:
  • Inside Local: Private source/destination in the internal network.
  • Inside Global: Public representation of inside local.
  • Outside Local: Internal view of external address.
  • Outside Global: Actual public source/destination.
  • Direction: Inside-to-outside (outbound) or outside-to-inside (inbound, e.g., servers).
  • Overloads: Dynamic NAT uses a pool; PAT uses ports (TCP/UDP/ICMP).
  • Limitations: Breaks end-to-end connectivity (e.g., IPsec without NAT-T); IPv6 uses NPTv6.

Translations are recorded in the NAT table; an ACL selects which traffic is eligible for translation, so a packet that the ACL does not permit leaves the router untranslated.

Line Diagram: Basic NAT Flow (Outbound Traffic)

[Private Host: 192.168.1.10:1234]  -->  [Router (Inside Local: 192.168.1.10:1234)]
                                      |
                                      | NAT Translation
                                      |
[Internet Server: 8.8.8.8:80]  <--  [Router (Inside Global: 203.0.113.1:5678)]
                                      |
[Internet Server sees: 203.0.113.1:5678]  <--  Reply flows back via NAT table

Explanation: The router rewrites the source IP/port outbound and reverses it inbound, using the NAT table to match sessions.

NAT Types: Static, Dynamic, and PAT

NAT variants suit different scenarios—static for 1:1 mapping, dynamic/PAT for many-to-few.

Type           | Description                              | Use Case                 | Pros                        | Cons
Static NAT     | Fixed 1:1 mapping (bidirectional).       | Servers/DMZ (e.g., web). | Persistent, inbound access. | Wastes public IPs.
Dynamic NAT    | Pool-based 1:1 mapping (temporary).      | Temporary public access. | Efficient for bursts.       | Pool exhaustion; no inbound.
PAT (Overload) | Many:1 using ports (dynamic by default). | Internet access for LAN. | Maximizes one public IP.    | Port conflicts; limited sessions (~65k).
  • Static: ip nat inside source static <local> <global>.
  • Dynamic: Define pool (ip nat pool), ACL (access-list), and map (ip nat inside source list ACL pool POOL).
  • PAT: Add overload to dynamic map for port translation.

Port forwarding is static NAT with TCP/UDP port specification for inbound services.

Line Diagram: Static vs. Dynamic NAT

Static NAT (1:1 Fixed):
[Private Server: 192.168.1.10]  <-->  [Router]  <-->  [Public: 203.0.113.10]
                                       | 
                                       | Always maps 192.168.1.10 to 203.0.113.10

Dynamic NAT (Pool-Based):
[Host A: 192.168.1.20]  -->  [Router]  -->  [Pool: 203.0.113.2 (temp)]
[Host B: 192.168.1.21]  -->  [Router]  -->  [Pool: 203.0.113.3 (temp)]  (if available)
                                       |
                                       | Exhaustion if pool full

Explanation: Static is persistent (good for servers); dynamic assigns temporarily from a pool (risk of depletion during peaks).

Port Forwarding: Inbound Service Access

Port forwarding (static PAT) maps a public IP/port to a private IP/port, enabling external access to internal services (e.g., RDP on 3389).

  • Mechanics: Matches incoming packets on specified port; translates and forwards.
  • Example: Forward public 80 to private 192.168.1.10:8080.
  • Security: Use ACLs to restrict source IPs; combine with CBAC/ZBF for stateful inspection.

In Cisco, extend static NAT: ip nat inside source static tcp <global-IP> <global-port> <local-IP> <local-port>.

Line Diagram: Port Forwarding Flow

[Internet Client: 198.51.100.50:54321]  -->  [Router (Outside: 203.0.113.1:80)]
                                             |
                                             | Port Forward: tcp 80 -> 192.168.1.10:80
                                             |
[Private Server: 192.168.1.10:80]  <--  Reply: [Router]  -->  [Client (NAT reversed)]

Explanation: Inbound hits public IP/port; router translates to private server. Reply uses NAT table for reverse mapping—no state needed for UDP, but TCP handshakes track sessions.
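To make the three mapping styles concrete (the basic flow diagram, the static/dynamic/PAT table, and the port-forwarding section above), here is a small Python model of a router's translation table. It is an added example, not Cisco IOS code or the guide's own material: the class, its method names and the port-allocation rule (keep the inside source port when free, otherwise take the next unused port from 1024 upward) are assumptions that simplify what a real router does, and all addresses are constructed.

```python
"""Model of a NAT/PAT translation table (added example; not Cisco IOS code).

Mirrors the mapping styles from the guide against constructed addresses:
  static 1:1     persistent, bidirectional (ip nat inside source static)
  dynamic NAT    temporary 1:1 lease from a pool; fails when the pool is empty
  PAT (overload) many inside hosts behind one public IP, told apart by port
  port forward   static (public ip, port) -> (private ip, port) for inbound services
Port allocation is a simplification (assumption): keep the inside source port when
it is free, otherwise take the next unused port from 1024 upward.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip, port)


class PoolExhausted(Exception):
    """No free public address (dynamic NAT) or free port (PAT) for a new session."""


@dataclass
class NatRouter:
    public_ip: str                                    # outside interface IP used for overload
    pool: List[str] = field(default_factory=list)     # free dynamic NAT addresses
    static: Dict[str, str] = field(default_factory=dict)               # inside local -> inside global
    forwards: Dict[Endpoint, Endpoint] = field(default_factory=dict)   # (global ip, port) -> (local ip, port)
    dynamic: Dict[str, str] = field(default_factory=dict)              # active temporary 1:1 leases
    pat_table: Dict[Endpoint, Endpoint] = field(default_factory=dict)  # (global ip, port) -> (local ip, port)
    next_port: int = 1024

    def add_static(self, local_ip: str, global_ip: str) -> None:
        self.static[local_ip] = global_ip

    def add_port_forward(self, global_ep: Endpoint, local_ep: Endpoint) -> None:
        self.forwards[global_ep] = local_ep

    def _used_ports(self) -> set:
        # Ports taken by PAT sessions or reserved by port forwards on the public IP.
        return {p for (_, p) in self.pat_table} | {p for (ip, p) in self.forwards if ip == self.public_ip}

    def translate_outbound(self, src: Endpoint, mode: str = "pat") -> Endpoint:
        """Inside -> outside: return the inside-global source the internet will see."""
        ip, port = src
        if ip in self.static:                         # static entry wins, port unchanged
            return (self.static[ip], port)
        if ip in self.dynamic:                        # existing lease is reused
            return (self.dynamic[ip], port)
        if mode == "dynamic":
            if not self.pool:
                raise PoolExhausted(f"no pool address left for {ip}")
            self.dynamic[ip] = self.pool.pop(0)
            return (self.dynamic[ip], port)
        # PAT: reuse the entry for this exact flow, otherwise allocate a port
        for global_ep, local_ep in self.pat_table.items():
            if local_ep == src:
                return global_ep
        used = self._used_ports()
        if port >= 1024 and port not in used:
            gport = port                              # source port preserved
        else:
            while self.next_port in used:
                self.next_port += 1
            if self.next_port > 65535:
                raise PoolExhausted("PAT port space exhausted")
            gport = self.next_port
            self.next_port += 1
        self.pat_table[(self.public_ip, gport)] = src
        return (self.public_ip, gport)

    def translate_inbound(self, dst: Endpoint) -> Optional[Endpoint]:
        """Outside -> inside: reverse lookup; None means no entry, so the packet is dropped."""
        ip, port = dst
        if dst in self.forwards:                      # port forward (static PAT)
            return self.forwards[dst]
        for local_ip, global_ip in self.static.items():    # static 1:1 accepts any port
            if global_ip == ip:
                return (local_ip, port)
        for local_ip, global_ip in self.dynamic.items():   # active lease
            if global_ip == ip:
                return (local_ip, port)
        return self.pat_table.get(dst)                # PAT: only existing sessions


if __name__ == "__main__":
    r = NatRouter(public_ip="203.0.113.1", pool=["203.0.113.2", "203.0.113.3"])
    r.add_static("192.168.1.10", "203.0.113.10")
    r.add_port_forward(("203.0.113.1", 80), ("192.168.1.10", 8080))
    print(r.translate_outbound(("192.168.1.30", 5000)))   # PAT entry on the outside IP
    print(r.translate_inbound(("203.0.113.1", 80)))        # reaches the forwarded server
    print(r.translate_inbound(("203.0.113.1", 9999)))      # None: no session, dropped
```

The inbound path shows why PAT alone gives no unsolicited inbound access: a destination port that no existing session or port forward owns returns None, whereas a static 1:1 entry answers for every port. The model also shows the two exhaustion modes from the table, an empty dynamic pool and a used-up PAT port range, as the same exception.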

Cisco IOS Configurations: Practical Examples

Configurations assume a router with inside (Gig0/0: 192.168.1.1/24) and outside (Gig0/1: 203.0.113.1/29) interfaces. Apply ip nat inside/outside to interfaces.

Static NAT (1:1 for Server)

access-list 1 permit 192.168.1.10  ! Server (not referenced by the static entry; kept for documentation)
ip nat inside source static 192.168.1.10 203.0.113.10  ! Map to public; 203.0.113.10 lies outside the Gig0/1 /29, so the upstream must route it to this router
!
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 ip address 203.0.113.1 255.255.255.248
 ip nat outside
!
ip route 0.0.0.0 0.0.0.0 203.0.113.6  ! Default

Dynamic NAT (Pool for Hosts)

access-list 2 permit 192.168.1.0 0.0.0.255  ! Inside hosts
ip nat pool DYN-POOL 203.0.113.2 203.0.113.5 netmask 255.255.255.248  ! 4 public IPs
ip nat inside source list 2 pool DYN-POOL  ! No overload = 1:1
!
! Apply to interfaces as above

PAT (Overload for LAN)

access-list 3 permit 192.168.1.0 0.0.0.255
ip nat inside source list 3 interface GigabitEthernet0/1 overload  ! Use outside IP
!
! Apply to interfaces as above

Port Forwarding (Static PAT for Web Server)

ip nat inside source static tcp 203.0.113.1 80 192.168.1.10 80  ! HTTP
ip nat inside source static tcp 203.0.113.1 443 192.168.1.10 443  ! HTTPS
! Or single: ip nat inside source static tcp 203.0.113.1 80 192.168.1.10 8080
!
! Restrict with ACL (inbound on outside). Inbound ACLs are evaluated before NAT, so match the global address.
access-list 101 permit tcp any host 203.0.113.1 eq 80
access-list 101 permit tcp any host 203.0.113.1 eq 443
access-list 101 permit tcp any any established  ! Return traffic for outbound TCP sessions; without this the implicit deny drops it
! UDP/ICMP replies (e.g., DNS) still need explicit permits or stateful inspection (CBAC/ZBF)
interface GigabitEthernet0/1
 ip access-group 101 in

Verify with show ip nat translations; clear ip nat translation * removes dynamic entries (static entries persist) so a stale mapping can be rebuilt.

Troubleshooting Essentials

  • Commands:
  • show ip nat translations [verbose]: View active mappings (proto, addresses, ports; verbose adds creation/use timers; default idle timeouts: 24h TCP, 5m UDP, 1m ICMP).
  • debug ip nat: Real-time translations (use terminal monitor; caution in prod).
  • show access-lists: Check ACL hits/misses.
  • show ip route: Ensure return paths (e.g., default route).
  • Common Issues:
  • No Translation: ACL mismatch (access-list permit too restrictive); wrong inside/outside on interfaces.
  • Pool Exhaustion: The dynamic pool or PAT port space runs out and new sessions fail; check show ip nat statistics for hits/misses and pool usage.
  • Port Conflicts: PAT collisions (e.g., same port reused); tune timeouts (ip nat translation tcp-timeout 3600 sets the TCP idle timeout to one hour, down from the 24h default, so idle entries free their ports sooner).
  • Inbound Failure: Missing static/port forward; firewall blocks (CBAC: ip inspect name FW http); asymmetric routing.
  • IPsec through NAT: If VPN traffic must cross NAT (see Limitations above), enable NAT-T with crypto isakmp nat-traversal.
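The verification command above and the troubleshooting list both lean on show ip nat translations, so here is a small Python parser for its output that summarizes what an operator looks for: which entries are static (the "---" outside columns), and how many dynamic PAT sessions each inside host holds, which is where pool and port exhaustion show up first. This is an added example, not part of the guide or of any Cisco tool; the sample output is constructed to match the IOS column layout (Pro, Inside global, Inside local, Outside local, Outside global) rather than captured from a router, and the function names and the threshold value are assumptions.

```python
"""Parse `show ip nat translations` output and summarize per-host PAT usage.

Added example for the troubleshooting section. SAMPLE is constructed to match
the IOS column layout and is not captured from a real device.
"""
from collections import Counter
from typing import Dict, List, NamedTuple, Optional, Tuple

SAMPLE = """\
Pro Inside global         Inside local          Outside local         Outside global
tcp 203.0.113.1:5678     192.168.1.10:1234     8.8.8.8:80            8.8.8.8:80
tcp 203.0.113.1:5679     192.168.1.20:40000    198.51.100.7:443      198.51.100.7:443
udp 203.0.113.1:53021    192.168.1.20:53021    8.8.8.8:53            8.8.8.8:53
icmp 203.0.113.1:1       192.168.1.21:1        8.8.8.8:1             8.8.8.8:1
--- 203.0.113.10         192.168.1.10          ---                   ---
tcp 203.0.113.1:80       192.168.1.10:8080     ---                   ---
"""


class Translation(NamedTuple):
    proto: Optional[str]          # None for a static 1:1 entry ("---" in the Pro column)
    inside_global: str
    inside_local: str
    outside_local: Optional[str]  # None ("---") when no live session is attached
    outside_global: Optional[str]

    @property
    def is_static(self) -> bool:
        # Static 1:1 entries and port forwards show "---" on the outside side.
        return self.outside_local is None


def parse_translations(text: str) -> List[Translation]:
    """Turn the command output into Translation rows, skipping the header and blanks."""
    rows: List[Translation] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] == "Pro":
            continue
        pro, ig, il, ol, og = parts
        rows.append(Translation(None if pro == "---" else pro, ig, il,
                                None if ol == "---" else ol,
                                None if og == "---" else og))
    return rows


def split_ep(addr: str) -> Tuple[str, Optional[int]]:
    """'ip:port' -> (ip, port); a bare address (static entry) -> (ip, None)."""
    ip, sep, port = addr.rpartition(":")
    if sep and ip:
        return ip, int(port)
    return addr, None


def static_entries(rows: List[Translation]) -> List[Tuple[str, str]]:
    """(inside global, inside local) pairs for static NAT and port-forward entries."""
    return [(r.inside_global, r.inside_local) for r in rows if r.is_static]


def sessions_per_host(rows: List[Translation]) -> Dict[str, int]:
    """Dynamic (non-static) entries per inside local IP: each one consumes a PAT port."""
    counts: Counter = Counter()
    for r in rows:
        if not r.is_static:
            counts[split_ep(r.inside_local)[0]] += 1
    return dict(counts)


def hosts_over(rows: List[Translation], threshold: int) -> List[str]:
    """Inside hosts holding more than `threshold` sessions (threshold is an assumed tuning value)."""
    return sorted(h for h, n in sessions_per_host(rows).items() if n > threshold)


if __name__ == "__main__":
    parsed = parse_translations(SAMPLE)
    print("static:", static_entries(parsed))
    print("sessions per host:", sessions_per_host(parsed))
    print("over 1 session:", hosts_over(parsed, 1))
```

Feeding the real command output (pasted from the terminal) to parse_translations works the same way as the constructed sample; a host whose session count keeps climbing while the default TCP timeout is 24h is the usual cause of the port-conflict and exhaustion symptoms listed above.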
