NAT and PAT Configuration
Network Address Translation (NAT) and Port Address Translation (PAT) are critical technologies in CCNP Enterprise infrastructure for managing IP address translation between networks. NAT maps private IP addresses to public IP addresses, allowing organizations to keep internal addressing hidden from external networks while conserving limited public IPv4 addresses. There are three NAT types: Static NAT creates a one-to-one mapping between private and public addresses, useful for servers requiring consistent public IPs. Dynamic NAT maps private addresses to a pool of public addresses on a first-come, first-served basis. Overloading NAT, or PAT, multiplexes multiple private addresses onto a single public address using different port numbers, making it the most efficient choice for most organizations. In CCNP ENCOR, you configure NAT using access control lists (ACLs) to define which traffic requires translation. The process involves designating inside and outside interfaces on routers, where inside local addresses are the private IPs of internal hosts, inside global addresses are the public IPs those hosts are seen as externally, outside local addresses are the addresses of external hosts as seen from the inside network, and outside global addresses are the real addresses of those external hosts. PAT extends NAT by also translating port numbers, enabling thousands of internal users to share a single public IP address. Configuration requires designating NAT inside and outside interfaces, creating ACLs to identify traffic for translation, and establishing NAT rules that tie the matched traffic to a pool or interface. Modern enterprise implementations usually rely on PAT (dynamic NAT with overload) for scalability.
Understanding NAT/PAT is essential for CCNP candidates as it is fundamental to enterprise edge design, allowing organizations to maintain private networks while communicating with public networks. Proper configuration ensures efficient IP address utilization, obscures internal addressing from the outside, and provides seamless connectivity across network boundaries. Note that NAT is not a security control in itself: the translation table only passes inbound traffic that matches an existing or static entry, a static mapping exposes the inside host directly, and translated sessions are not inspected, so a firewall policy is still required. ENCOR objectives emphasize practical configuration skills, troubleshooting translation issues, and understanding when to implement static versus dynamic NAT based on business requirements.
NAT and PAT Configuration Guide for CCNP ENCOR
Understanding NAT and PAT
Network Address Translation (NAT) and Port Address Translation (PAT) are fundamental networking concepts that form the backbone of modern internet connectivity and security architectures. These technologies enable organizations to efficiently manage IP addresses, enhance security, and facilitate seamless communication between different networks.
Why NAT and PAT Are Important
In today's interconnected world, the importance of NAT and PAT cannot be overstated:
- IP Address Conservation: With the exhaustion of IPv4 addresses, NAT allows multiple devices on a private network to share a single public IP address, dramatically extending the usable address space.
- Security Enhancement: NAT hides internal addresses from the outside, and a dynamic translation table only forwards inbound packets that match an existing entry, which frustrates basic reconnaissance. This is a side effect, not a security boundary: static mappings expose inside hosts directly, and NAT does not filter the sessions it translates, so it complements rather than replaces a firewall.
- Network Flexibility: Organizations can change their internal addressing scheme without affecting external connectivity, providing tremendous flexibility in network design.
- Scalability: PAT enables thousands of internal users to access external resources through a single public IP address, making it essential for enterprise and small business operations.
- Cost Efficiency: Reduced need for public IP addresses translates directly into cost savings for organizations.
What is NAT?
Network Address Translation (NAT) is a networking technique that rewrites IP address information in packet headers as packets transit a routing device. In its overloaded form it allows a single IP address to represent an entire group of hosts.
Key Characteristics of NAT:
- Translates IP addresses at the network layer (Layer 3)
- Maintains a translation table to map internal addresses to external addresses
- Can work in multiple modes depending on the deployment scenario
- Introduces some processing overhead due to address translation
- Dynamic NAT and PAT are stateful: the device keeps a per-session translation entry and ages it out after an idle timeout; static NAT entries are permanent and need no session state
What is PAT?
Port Address Translation (PAT), also known as Network Address Port Translation (NAPT) or dynamic NAT overload, is an advanced form of NAT that goes beyond simple address translation by also translating port numbers. This allows multiple internal hosts to share a single external IP address by using unique port numbers to distinguish between different conversations.
Key Characteristics of PAT:
- Translates both IP addresses and port numbers
- Enables many-to-one address mapping
- Uses port numbers (16-bit values) to track individual sessions
- Has at most 65,536 port values per transport protocol per inside global address, so on the order of 64K simultaneous sessions per address in theory (fewer in practice, since low ports are reserved)
- Used from residential gateways up to enterprise internet edges; it is the most common NAT form wherever public addresses are scarce
NAT and PAT Types
Static NAT: Creates a one-to-one permanent mapping between an inside local address and an inside global address. Useful for servers that need consistent external IP addresses.
Dynamic NAT: Creates a temporary many-to-many mapping between inside local addresses and a pool of inside global addresses. When a host initiates communication, it is assigned an address from the pool for the duration of the session.
PAT (Overloaded NAT): Creates a many-to-one mapping where multiple inside local addresses map to a single inside global address, with port numbers differentiating the conversations.
How NAT and PAT Work
NAT Operation Process:
- Packet Generation: An internal host generates a packet destined for an external network with a source IP from the private address space (10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16)
- Address Translation: The NAT device intercepts the packet and checks its translation table
- Table Lookup: If no translation exists, the device creates a new entry mapping the inside local address to an inside global address
- Header Modification: The source IP address in the packet header is replaced with the translated address
- Transmission: The modified packet is forwarded to the external network
- Response Reception: When the external host responds, the packet arrives at the NAT device
- Reverse Translation: Using the translation table, the NAT device converts the destination address back to the inside local address
- Delivery: The packet is delivered to the original internal host
PAT Operation Process:
- Outbound Session Initiation: An internal host initiates communication with an external host, creating a packet with source IP and port
- Translation Table Lookup: The PAT device checks if a translation exists for this host and port combination
- Dynamic Port Assignment: If no translation exists, the device selects an unused port number on the inside global IP address (the shared public address)
- Entry Creation: A translation entry is created mapping inside-local-IP:inside-port to inside-global-IP:translated-port, together with the outside global IP and port of the peer
- Packet Modification: Both the source IP address and source port are modified in the outgoing packet
- Response Handling: Responses arriving at the inside global IP and translated port are matched against the table, translated back and forwarded to the correct internal host; inbound packets with no matching entry are dropped
- Session Timeout: Entries are removed after a configurable idle timeout period
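The two operation processes above can be made concrete with a small simulator of a PAT device's translation table. This is an added example, not Cisco code or anything from the original page: it models outbound translation with port allocation, return-path reverse translation, idle timeout, port exhaustion, and the two behaviours a security reviewer cares about (unsolicited inbound packets that match no entry are dropped, while a static mapping is reachable from any outside host). The addresses, port range and timeout are constructed sample values in the RFC 5737 documentation ranges.

```python
"""Simulated PAT (NAT overload) translation table.

Added example, not Cisco code: it models the outbound / return / idle-timeout
process described above, plus two cases worth seeing in code - an unsolicited
inbound packet that matches no entry is dropped, while a static mapping is
reachable from any outside host.  Addresses are constructed RFC 5737 values.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Socket = Tuple[str, int]          # (ip, port)


@dataclass(frozen=True)
class Packet:
    proto: str                    # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class Entry:
    inside_local: Socket
    inside_global: Socket
    outside_global: Optional[Socket]   # None for static (any peer may connect)
    last_seen: float
    static: bool = False


class PatDevice:
    def __init__(self, inside_global_ip: str,
                 port_range: Tuple[int, int] = (1024, 65535),
                 idle_timeout: float = 300.0):
        self.inside_global_ip = inside_global_ip
        self.port_lo, self.port_hi = port_range
        self.idle_timeout = idle_timeout
        # Return-path index: (proto, inside-global port) -> Entry
        self.table: Dict[Tuple[str, int], Entry] = {}
        # Forward index for dynamic entries, keyed on the full 5-tuple
        self.forward: Dict[Tuple[str, str, int, str, int], int] = {}
        # Forward index for static mappings, keyed on the inside socket
        self.static_forward: Dict[Tuple[str, str, int], int] = {}

    def _free_port(self, proto: str) -> Optional[int]:
        # Simplification: one inside-global port per entry.  Real PAT code can
        # reuse a port for different destinations, but once the range is
        # consumed the exhaustion behaviour is the same: new sessions fail.
        for port in range(self.port_lo, self.port_hi + 1):
            if (proto, port) not in self.table:
                return port
        return None

    def add_static(self, proto: str, inside_ip: str, inside_port: int, global_port: int) -> None:
        """Static PAT ('port forward'): permanent entry with no peer restriction."""
        self.table[(proto, global_port)] = Entry(
            (inside_ip, inside_port), (self.inside_global_ip, global_port), None, 0.0, static=True)
        self.static_forward[(proto, inside_ip, inside_port)] = global_port

    def outbound(self, pkt: Packet, now: float) -> Optional[Packet]:
        """Inside -> outside: rewrite source ip:port, creating an entry if needed."""
        gport = self.static_forward.get((pkt.proto, pkt.src_ip, pkt.src_port))
        if gport is None:
            fkey = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
            gport = self.forward.get(fkey)
            if gport is None:
                gport = self._free_port(pkt.proto)
                if gport is None:
                    return None          # PAT exhaustion: packet dropped
                self.table[(pkt.proto, gport)] = Entry(
                    (pkt.src_ip, pkt.src_port), (self.inside_global_ip, gport),
                    (pkt.dst_ip, pkt.dst_port), now)
                self.forward[fkey] = gport
            self.table[(pkt.proto, gport)].last_seen = now
        return Packet(pkt.proto, self.inside_global_ip, gport, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet, now: float) -> Optional[Packet]:
        """Outside -> inside: reverse-translate the destination, or drop."""
        if pkt.dst_ip != self.inside_global_ip:
            return None
        entry = self.table.get((pkt.proto, pkt.dst_port))
        if entry is None:
            return None                  # unsolicited: no translation, dropped
        if not entry.static:
            if entry.outside_global != (pkt.src_ip, pkt.src_port):
                return None              # port belongs to another conversation
            entry.last_seen = now
        ip, port = entry.inside_local
        return Packet(pkt.proto, pkt.src_ip, pkt.src_port, ip, port)

    def expire(self, now: float) -> int:
        """Drop dynamic entries idle longer than the timeout; return the count."""
        stale = [k for k, e in self.table.items()
                 if not e.static and now - e.last_seen > self.idle_timeout]
        for key in stale:
            del self.table[key]
        self.forward = {fk: gp for fk, gp in self.forward.items()
                        if (fk[0], gp) not in stale}
        return len(stale)

    def active_count(self) -> int:
        return len(self.table)
```

The peer check in `inbound` is a design choice for the simulator: a dynamic entry only accepts return traffic from the outside host and port it was created for, which is what stops a third party from injecting packets at an allocated port. The static mapping deliberately skips that check, which is exactly why a port-forwarded server still needs a firewall rule in front of it.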
NAT Terminology
Understanding NAT terminology is crucial for exam success:
- Inside Local Address: The IP address assigned to a host on the inside network (typically private RFC 1918 address)
- Inside Global Address: The registered IP address representing an inside host to the outside network
- Outside Local Address: The IP address of an outside host as it appears to the inside network
- Outside Global Address: The IP address assigned to an outside host (the real public IP of the external device)
Configuring NAT on Cisco Routers
Static NAT Configuration:
Static NAT is commonly used when an internal server needs a consistent public IP address. The example maps the web server at 192.168.1.50 to the public address 203.0.113.1 (the scenario used later in this guide):
Router(config)# ip nat inside source static 192.168.1.50 203.0.113.1
Router(config)# interface GigabitEthernet0/0
Router(config-if)# ip nat inside
Router(config-if)# exit
Router(config)# interface GigabitEthernet0/1
Router(config-if)# ip nat outside
Dynamic NAT Configuration:
Dynamic NAT is used when you have a pool of public addresses available. The pool must be defined before the translation rule references it; the address range below is a sample:
Router(config)# ip nat pool OUTSIDE 203.0.113.10 203.0.113.20 netmask 255.255.255.0
Router(config)# access-list 1 permit 192.168.1.0 0.0.0.255
Router(config)# ip nat inside source list 1 pool OUTSIDE
Router(config)# interface GigabitEthernet0/0
Router(config-if)# ip nat inside
Router(config-if)# exit
Router(config)# interface GigabitEthernet0/1
Router(config-if)# ip nat outside
PAT Configuration:
PAT is the most commonly deployed NAT type in modern networks. The ACL identifies the inside local addresses to translate, and the overload keyword on the outside interface makes the rule a many-to-one mapping:
Router(config)# access-list 1 permit 192.168.1.0 0.0.0.255
Router(config)# ip nat inside source list 1 interface GigabitEthernet0/1 overload
Router(config)# interface GigabitEthernet0/0
Router(config-if)# ip nat inside
Router(config-if)# exit
Router(config)# interface GigabitEthernet0/1
Router(config-if)# ip nat outside
NAT Troubleshooting Commands
Essential commands for verifying and troubleshooting NAT implementations:
- show ip nat translations: Displays all active NAT translation entries in the translation table
- show ip nat statistics: Shows total and active translations, which interfaces are marked inside and outside, hits and misses, and the dynamic mappings (ACL to pool or interface) in effect
- debug ip nat: Enables detailed debug output for NAT operations (use with caution in production)
- clear ip nat translation *: Clears all dynamic NAT translation entries
- show access-lists: Verifies the access control lists used for NAT source matching
Common NAT and PAT Issues
Issue: PAT Exhaustion
When too many internal hosts attempt to communicate simultaneously, available ports on the external address may be exhausted, preventing new connections.
Solution: Implement multiple external IP addresses in a PAT pool or implement carrier-grade NAT techniques.
Issue: Fragmentation Problems
NAT does not change the size of the IPv4 header, but it interacts badly with fragmentation: only the first fragment of a datagram carries the TCP/UDP header, so a PAT device must reassemble or track fragments to translate the rest (IOS uses virtual fragment reassembly on NAT interfaces for this), and path MTU discovery fails if the ICMP Fragmentation Needed messages are filtered or not translated back to the inside host.
Solution: Keep MTU settings consistent across the path, permit ICMP type 3 code 4 through the edge so path MTU discovery works, and monitor for fragmentation on MTU-sensitive applications.
Issue: Application Layer Issues
Some protocols embed IP addresses in the application layer payload, which NAT cannot translate at Layer 3.
Solution: Implement Application Layer Gateway (ALG) support or Protocol-Specific Handlers like FTP ALG.
Issue: Asymmetric Routing
When return traffic takes a different path than outbound traffic, NAT translation may fail if the return path doesn't pass through the NAT device.
Solution: Ensure symmetric routing paths and verify routing table entries.
Exam Tips: Answering Questions on NAT and PAT Configuration
1. Understand the Question Context
When you encounter a NAT/PAT question, immediately identify whether the scenario involves:
- Securing internal networks with IP address translation
- Connecting multiple internal addresses to the internet through limited public addresses
- Enabling specific internal servers to be accessed from the internet
- Troubleshooting connectivity issues related to address translation
2. Master NAT Terminology
CCNP exams frequently test your understanding of NAT terminology. Create a clear mental model:
- Inside Local = Private IP: What the host actually has internally
- Inside Global = Public IP: What represents the host to the outside world
- Outside Local = How we see them: The external device's address as we see it (usually equals outside global)
- Outside Global = Real address: The actual public IP of the external device
Create a quick reference table in your mind during the exam to prevent mixing up these terms.
3. Identify the NAT Type Required
Look for these indicators in the question:
- "Servers must be accessible from the internet with consistent IP addresses" → Static NAT
- "Multiple internal hosts need external access with multiple public IPs available" → Dynamic NAT
- "Many internal users need internet access but you have only one public IP" → PAT
- "Maximize use of limited public IP addresses" → PAT
4. Check That All Four Configuration Pieces Are Present
IOS does not care about the order in which NAT commands are entered, but a working configuration needs every one of these pieces, so use this checklist when reading a configuration question:
- An ACL (or route map) that matches the addresses to be translated
- The translation pool, or the outside interface when using interface overload
- The NAT rule that ties the ACL to the pool or interface (ip nat inside source ...)
- The inside and outside interface designations
If an answer option is missing one of these, it will not translate, no matter how the remaining commands are ordered.
5. Recognize Common Configuration Patterns
Watch for these telltale signs:
- "overload" keyword → This is PAT/Overloaded NAT
- "pool" definition followed by IP range → Dynamic NAT or PAT with multiple IPs
- "static" keyword → Static NAT with one-to-one mapping
- "interface" instead of pool → PAT using the interface's public IP
6. Understand Inside vs. Outside Interfaces
Never get confused about which interface gets which designation:
- Inside Interface: Connected to the private/internal network (the LAN side)
- Outside Interface: Connected to the public/external network (the WAN or internet side)
In exam questions, look for keywords like "LAN," "private," "internal" to identify the inside interface and "WAN," "public," "external," "internet" for the outside interface.
7. Analyze Troubleshooting Scenarios
If the exam presents a troubleshooting question about NAT/PAT:
- Check if interfaces are correctly marked as inside/outside
- Verify the ACL matches the correct source addresses
- Ensure the NAT rule is applied in the correct direction
- Look for MTU issues or application-layer protocol problems (FTP, VoIP, etc.)
- Check translation table saturation in PAT scenarios
8. Watch Out for Trick Questions
Common trap scenarios:
- Traffic Direction Confusion: Some questions ask about inbound vs. outbound NAT - be clear about which direction is being asked about
- Return Path Issues: A question might show one-way NAT configuration that wouldn't work because return traffic has no path back
- Port Number Confusion: Don't confuse the port number used in PAT translation with the port number in the application layer
- ACL Matching: Questions often include incorrect ACLs - verify the ACL permits the exact addresses being NAT'd
9. Practice with Real-World Scenarios
When studying, consider scenarios like:
- A company with 200 employees needs internet access through one ISP connection with a single public IP
- A web server at 192.168.1.50 needs to be accessible from the internet at the company's public IP 203.0.113.1
- A company is moving offices and needs to change internal IP addressing without affecting external services
10. Verify Your Answer with Logic
After selecting an answer, ask yourself:
- Does this solution actually solve the stated problem?
- Are all necessary configuration steps included?
- Could traffic actually flow both directions with this configuration?
- Would this work in a production environment, or does it have obvious limitations?
11. Know What "Overload" Really Means
The keyword "overload" is crucial for CCNP exams. It indicates that multiple inside addresses will share a single outside address by using different port numbers. This is the signature feature of PAT. Any time you see "overload" in a configuration command, you're dealing with PAT.
12. Understand NAT with Dynamic Routing
In modern networks, NAT often works alongside dynamic routing protocols. Remember:
- NAT translates addresses for data plane traffic
- Routing protocols operate on the actual addresses configured on interfaces
- The inside global address should be advertised to external networks, not the inside local address
- Access lists for NAT use inside local addresses (the actual configured addresses)
13. Remember the Limits and Constraints
When answering exam questions, keep these practical limits in mind:
- PAT Port Limit: At most 65,536 port values per transport protocol per inside global address, and practically fewer because low ports are reserved and closed sessions linger in the table until they time out
- Translation Table Size: Router memory limitations may restrict the number of active translations
- CPU Overhead: High-volume NAT/PAT can impact router CPU utilization
14. Practice Translation Table Reading
Exam questions may show output from "show ip nat translations" and ask you to interpret it. Be able to read entries like:
tcp 203.0.113.1:8080 192.168.1.10:80 198.51.100.5:2341 198.51.100.5:2341
Read the columns left to right as Protocol, Inside global, Inside local, Outside local, Outside global. This entry is a static PAT (port-forwarding) mapping in use: the internal web server at 192.168.1.10:80 is reachable from the outside as 203.0.113.1:8080, and a remote host at 198.51.100.5 using source port 2341 has an active connection to it. Outside local equals outside global because the router is not translating outside addresses. The configured mapping itself appears as a separate line with --- in the outside columns, and a plain static NAT entry shows --- in the protocol column with no ports.
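Reading the table by hand is fine for one entry; for a busy edge router it helps to parse the output and summarize it. The following is an added example, not Cisco code: a parser for the column layout of show ip nat translations that classifies entries as live sessions or configured mappings, reports how many inside hosts share each inside global address (the PAT signature), counts ports in use per protocol (the number to watch for PAT exhaustion), and flags entries where outside local differs from outside global. The sample output is constructed with RFC 5737 addresses to match that layout.

```python
"""Parse 'show ip nat translations' output and summarize it per inside global
address.  Added example, not Cisco code; the sample output below is
constructed from the documented column layout (Pro, Inside global, Inside
local, Outside local, Outside global) with RFC 5737 addresses."""
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

Socket = Tuple[Optional[str], Optional[int]]

# Constructed sample: four PAT sessions, one session through a static PAT
# mapping, the static PAT mapping itself, and a plain static NAT mapping.
SAMPLE = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 203.0.113.1:8080   192.168.1.10:80    198.51.100.5:2341  198.51.100.5:2341
tcp 203.0.113.1:1024   192.168.1.20:51000 198.51.100.9:443   198.51.100.9:443
tcp 203.0.113.1:1025   192.168.1.21:51000 198.51.100.9:443   198.51.100.9:443
udp 203.0.113.1:1026   192.168.1.20:5353  198.51.100.9:53    198.51.100.9:53
tcp 203.0.113.1:1027   192.168.1.22:51000 10.99.0.5:25       198.51.100.20:25
tcp 203.0.113.1:8080   192.168.1.10:80    ---                ---
--- 203.0.113.5        192.168.1.50       ---                ---
"""


def _socket(field: str) -> Socket:
    """'203.0.113.1:8080' -> ('203.0.113.1', 8080); '203.0.113.5' -> (ip, None);
    '---' -> (None, None)."""
    if field == "---":
        return None, None
    ip, sep, port = field.rpartition(":")
    return (ip, int(port)) if sep else (field, None)


def parse_translations(text: str) -> List[dict]:
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] == "Pro":
            continue  # header or blank line
        proto, ig, il, ol, og = parts
        entry = {
            "proto": None if proto == "---" else proto,
            "inside_global": _socket(ig),
            "inside_local": _socket(il),
            "outside_local": _socket(ol),
            "outside_global": _socket(og),
        }
        # No outside peer means a configured (static) mapping, not a live session
        entry["configured"] = entry["outside_global"][0] is None
        entries.append(entry)
    return entries


def summarize(entries: List[dict]) -> Dict[str, dict]:
    """Per inside global IP: distinct inside hosts, live sessions, configured
    mappings, and whether the address is overloaded (PAT: several hosts share it)."""
    acc = defaultdict(lambda: {"hosts": set(), "sessions": 0, "static": 0})
    for e in entries:
        g = acc[e["inside_global"][0]]
        g["hosts"].add(e["inside_local"][0])
        g["static" if e["configured"] else "sessions"] += 1
    return {ip: {"hosts": len(g["hosts"]), "sessions": g["sessions"],
                 "static": g["static"], "pat": len(g["hosts"]) > 1}
            for ip, g in acc.items()}


def ports_in_use(entries: List[dict], inside_global_ip: str, proto: str) -> int:
    """Distinct inside-global ports consumed on one address for one protocol,
    the number to watch when diagnosing PAT exhaustion."""
    return len({e["inside_global"][1] for e in entries
                if e["proto"] == proto and e["inside_global"][0] == inside_global_ip
                and e["inside_global"][1] is not None})


def outside_nat_entries(entries: List[dict]) -> List[dict]:
    """Entries where outside local differs from outside global, i.e. the router
    is also translating the outside host's address (ip nat outside source)."""
    return [e for e in entries
            if e["outside_global"][0] is not None
            and e["outside_local"] != e["outside_global"]]


if __name__ == "__main__":
    parsed = parse_translations(SAMPLE)
    for ip, summary in summarize(parsed).items():
        print(ip, summary)
    print("tcp ports on 203.0.113.1:", ports_in_use(parsed, "203.0.113.1", "tcp"))
```

Run against real output, the summary makes two exam points visible at once: an inside global address with several inside hosts behind it is overloaded (PAT), and a line with --- in the outside columns is a configured mapping rather than a session, so its presence proves the static command took effect even before any client connects.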
15. Time Management During the Exam
NAT/PAT questions can be lengthy with detailed configurations:
- Read the entire question and all answer options before deciding
- If it's a scenario question with multiple parts, identify what's being asked first
- If you're uncertain, eliminate obviously incorrect answers (wrong NAT type, missing interface configuration, etc.)
- Come back to particularly difficult NAT questions if you have time, as they sometimes become clearer with fresh perspective
Key Exam Concepts Summary
Remember these crucial points for exam success:
- NAT works at Layer 3, translating IP addresses; PAT also translates Layer 4 ports
- Static NAT = 1-to-1 mapping; Dynamic NAT = many-to-many; PAT = many-to-1 with port differentiation
- Always designate interfaces as either "inside" or "outside" - there's no middle ground
- ACLs for NAT always use the inside local (private) addresses
- The "overload" keyword is synonymous with PAT
- Static NAT is used for servers; dynamic NAT or PAT for client access
- Return traffic must have a path back through the NAT device
- Some protocols require ALG (Application Layer Gateway) support to work properly with NAT
By mastering these tips and maintaining a solid understanding of NAT/PAT fundamentals, you'll be well-prepared to tackle any NAT or PAT configuration question that appears on your CCNP ENCOR exam.