How private networks reach the Internet without burning public addresses.
Your office has 200 devices but only 1 public IP from your ISP. NAT translates each device's private address
to that single public IP on the way out — and keeps track of who said what so replies get back to the right device.
IPv4 only has about 4.3 billion addresses. The Internet ran out. NAT is the workaround.
The Problem
4.3 billion addresses, 8 billion people
IPv4 uses 32 bits — 2^32 = 4,294,967,296 unique addresses. With billions of internet-connected
devices, the public address pool was exhausted. IANA allocated the last IPv4 blocks to regional
registries in 2011. New public IPs are now rare and expensive.
The Solution — RFC 1918
Private address ranges
RFC 1918 reserves three address blocks for private use — not routable on the public Internet.
Any organization can use them internally without registration. NAT translates between private
and public addresses at the network edge.
Class A Private: 10.0.0.0/8
10.0.0.0 – 10.255.255.255. Over 16 million addresses. Common in large enterprises and cloud VPCs.
Class B Private: 172.16.0.0/12
172.16.0.0 – 172.31.255.255. Over 1 million addresses. Used by Docker, some corporate networks.
Class C Private: 192.168.0.0/16
192.168.0.0 – 192.168.255.255. Over 65,000 addresses. Default in home routers and small offices.
These private addresses are non-routable on the Internet. Routers will drop packets with private source
or destination addresses. NAT is the bridge between the private internal world and the public Internet.
Slide 3 of 10
Static NAT — 1:1 Mapping
One private IP permanently mapped to one public IP. Used for servers that must be reachable from the Internet.
Inside Local 192.168.1.10 (web server) → NAT Router (translates, static mapping) → Inside Global 203.0.113.5 (public IP, always the same) → Outside (Internet)
Use Cases
When you need 1:1
Hosting a public-facing web server, mail server, or any service that external users initiate connections to.
The public IP must be consistent — DNS points to it. The mapping is permanent and bidirectional.
Limitations
Still consumes one public IP per device
Every device with a static NAT entry needs its own dedicated public IP. This does not conserve addresses.
For 200 internal devices, you would need 200 public IPs — the original problem is not solved.
Static NAT is for specific servers, not general outbound Internet access.
Cisco IOS — Static NAT Config
R1(config)# ip nat inside source static 192.168.1.10 203.0.113.5
R1(config)# interface gi0/0
R1(config-if)# ip nat inside
R1(config)# interface gi0/1
R1(config-if)# ip nat outside
Dynamic NAT — Pool-Based
A pool of public IPs shared among internal devices on a first-come, first-served basis.
How It Works
First available public IP from the pool
You define a pool of public IP addresses. When an inside device initiates an outbound connection,
the router assigns the next available public IP from the pool. The mapping exists only for the
duration of the connection. When it ends, the public IP returns to the pool for reuse.
The Problem
Pool exhaustion
If 200 devices try to connect simultaneously and the pool only has 10 IPs, 190 devices fail.
Dynamic NAT still requires one public IP per concurrent session. This is why PAT (NAT overload)
replaced it for most use cases — PAT allows thousands of sessions from a single IP.
Cisco IOS — Dynamic NAT Config
R1(config)# access-list 1 permit 192.168.1.0 0.0.0.255
R1(config)# ip nat pool MYPOOL 203.0.113.10 203.0.113.20 netmask 255.255.255.0
R1(config)# ip nat inside source list 1 pool MYPOOL
Access list 1 selects the 192.168.1.0/24 subnet; the NAT rule maps matching sources to public IPs .10 through .20 in the pool. The ip nat inside / ip nat outside interface assignments from the static example are still required.
Dynamic vs Static: Static NAT is permanent and bidirectional (external hosts can initiate connections).
Dynamic NAT mappings are temporary and usually unidirectional — external hosts cannot initiate connections
to a dynamically assigned address because the mapping may not exist yet.
PAT — NAT Overload
Port Address Translation: many internal devices share one public IP, differentiated by source port numbers.
Inside Local (private)   Inside Local Port   Inside Global (public)   Inside Global Port   Destination
192.168.1.10             51200               203.0.113.1              1024                 93.184.216.34:443
192.168.1.11             51200               203.0.113.1              1025                 93.184.216.34:443
192.168.1.12             52100               203.0.113.1              1026                 8.8.8.8:53
192.168.1.200            49801               203.0.113.1              1027                 1.1.1.1:443
All four inside devices share the same public IP 203.0.113.1.
The router differentiates them by assigning a unique outside port number per session. When a reply arrives, the router looks up
the outside port in its translation table to identify which inside device gets the packet.
R1(config)# ip nat inside source list 1 interface gi0/1 overload
The "overload" keyword enables PAT — many-to-one using the outside interface IP
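The two allocation behaviours from the dynamic NAT and PAT slides, as an added example (not code from the original deck): a pool-based translator that fails when the pool is exhausted, and an overload translator that hands each session its own outside port and drops inbound packets that match no session. The addresses, ports and destinations are the constructed values from the PAT table above; the per-peer check in translate_in is an assumption about how the reply lookup is keyed, not a statement about any specific vendor's implementation.

```python
from dataclasses import dataclass, field

class PoolExhausted(Exception):
    """Dynamic NAT: every public IP in the pool is already in use."""

@dataclass
class DynamicNat:
    """Pool-based NAT: one public IP per active inside host, first come, first served."""
    pool: list                                          # public IPs, e.g. .10 through .20
    active: dict = field(default_factory=dict)          # inside_local -> inside_global

    def translate(self, inside_local):
        if inside_local in self.active:                 # host already holds a pool address
            return self.active[inside_local]
        free = [ip for ip in self.pool if ip not in self.active.values()]
        if not free:                                    # 11th host on a 10-address pool fails
            raise PoolExhausted(inside_local)
        self.active[inside_local] = free[0]
        return free[0]

    def release(self, inside_local):
        """Session ended: the public IP goes back to the pool."""
        self.active.pop(inside_local, None)

@dataclass
class Pat:
    """NAT overload: one public IP, sessions told apart by the outside port."""
    inside_global: str
    next_port: int = 1024
    outbound: dict = field(default_factory=dict)  # (inside_local, local_port, dest) -> global_port
    inbound: dict = field(default_factory=dict)   # global_port -> (inside_local, local_port, dest)

    def translate_out(self, inside_local, local_port, dest):
        """Outbound packet: allocate a unique outside port the first time this session is seen."""
        key = (inside_local, local_port, dest)
        if key not in self.outbound:
            self.outbound[key] = self.next_port
            self.inbound[self.next_port] = key
            self.next_port += 1
        return self.inside_global, self.outbound[key]

    def translate_in(self, src, global_port):
        """Inbound packet to inside_global:global_port. Returns (inside_local, local_port),
        or None when no session matches: the packet is dropped, not forwarded."""
        entry = self.inbound.get(global_port)
        if entry is None or entry[2] != src:            # unknown port, or port owned by another peer
            return None
        return entry[0], entry[1]
```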
Port Forwarding — Inbound NAT
PAT is outbound-only. Port forwarding punches a hole inward for external-initiated connections.
External Client 98.1.2.3 → Public IP:Port 203.0.113.1:80 → NAT Router (rewrites destination) → Inside Server 192.168.1.10:80
How Port Forwarding Works
Destination NAT (DNAT)
The router is configured to forward incoming traffic on a specific public IP and port to an
internal private IP and port. External clients connect to the public address; the router
transparently redirects the connection to the internal server. The server's private IP is never exposed.
Common Use Cases
Services behind PAT
Home gaming consoles (port 3074), Minecraft servers (port 25565), internal web servers (port 80/443),
remote desktop access (port 3389), SSH access to home lab (port 22). Any service that needs
to be reachable from the Internet but lives behind a PAT device.
Cisco IOS — Static Port Forwarding (forward public :80 to internal :80)
R1(config)# ip nat inside source static tcp 192.168.1.10 80 203.0.113.1 80
Inbound TCP to public 203.0.113.1:80 is forwarded to private 192.168.1.10:80
NAT Address Terminology
Four terms that the exam tests precisely. Get these right and translation tables become readable.
Inside Local
The private IP address of an inside host — as configured on the device itself.
192.168.1.10
Inside Global
The public IP address that represents an inside host to the outside world — after NAT translation.
203.0.113.1
Outside Local
The IP address of an outside host as seen from the inside network. Usually the same as outside global unless NAT on the outside is also configured.
8.8.8.8
Outside Global
The actual public IP address assigned to the outside host on the Internet. Typically the same as outside local in simple NAT designs.
8.8.8.8
Memory anchor: "Inside" = your network. "Outside" = the Internet side. "Local" = what the address looks like from your perspective.
"Global" = what the address looks like on the public Internet. The most important pair for the exam:
Inside Local (private IP you configured) and Inside Global (public IP after translation).
show ip nat translations — reading the table
R1# show ip nat translations
Pro Inside global Inside local Outside local Outside global
NAT breaks protocols that embed IP addresses in their payload. These require special handling.
VoIP / SIP
IP in the payload
SIP embeds the caller's IP address in the SIP message body. NAT rewrites the IP header
but not the payload — the embedded address stays private and becomes unreachable.
Solution: ALG (Application Layer Gateway) on the NAT device, or STUN.
IPsec VPN
Integrity check fails
IPsec ESP authenticates the entire packet. When NAT changes the source IP, the integrity
check fails and the VPN drops the connection. Solution: NAT-T (NAT Traversal) encapsulates
ESP packets inside UDP 4500 so NAT can rewrite the outer UDP header without touching ESP.
Online Gaming / P2P
Peer-to-peer connection setup
Multiplayer games need direct peer connections. Behind NAT, peers cannot initiate connections
to each other. Solution: NAT traversal techniques like UDP hole-punching, STUN (Session
Traversal Utilities for NAT), or TURN (relay). Strict NAT causes connectivity issues.
NAT64
IPv6 to IPv4 translation
A transition mechanism that allows IPv6-only clients to communicate with IPv4 servers.
The NAT64 device translates IPv6 packets to IPv4 and maintains a mapping — similar to standard
NAT but bridging address family versions. DNS64 synthesizes AAAA records from A records.
ALG — Application Layer Gateway
Protocol-aware NAT helper
An ALG inspects application payloads and rewrites embedded IP addresses to match what NAT
did at the IP header level. Common ALGs: SIP ALG, FTP ALG. Can sometimes cause issues if
the application already implements its own NAT traversal — disable when needed.
Troubleshooting NAT
The translation table is your primary diagnostic tool — it shows every active mapping.
show ip nat translations — full output
R1# show ip nat translations
Pro Inside global Inside local Outside local Outside global
Last entry is a static NAT (no port — 1:1 mapping for 192.168.1.20)
Common Problems & Root Causes
Symptom: Inside hosts cannot reach Internet
Cause: NAT inside/outside interfaces not assigned, or ACL in the NAT rule does not match the source subnet. Check with show ip nat statistics — look at the misses count.
Symptom: Port forward not working
Cause: Firewall rule blocking inbound traffic before NAT processes it, or the static port forward entry is incorrect. Check both the NAT table and the ACL/firewall rule. Confirm the inside server is actually listening on that port.
Commands — Diagnose flow
show ip nat translations verbose — adds timing and hit counts per entry.
debug ip nat — real-time translation events (use sparingly in production).
clear ip nat translation * — flush the table to force re-translation.
Device reports "No Internet." Check show ip nat translations. If entries appear, NAT is working — the problem is upstream.
If no entries appear for that source IP, the ACL or interface NAT assignment is missing.
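A parser for the show ip nat translations layout, as an added example (not from the original deck), that names each column with the terminology slide's four terms and implements the troubleshooting check above: list the entries for one inside host, where an empty result points at the ACL or the interface assignment. The output is a constructed sample in the IOS column layout, not captured from a real router; the 203.0.113.6 ↔ 192.168.1.20 static entry is a placeholder mapping.

```python
from dataclasses import dataclass

# Constructed sample in the IOS "show ip nat translations" layout (not a real capture).
# Columns: Pro, Inside global, Inside local, Outside local, Outside global.
SAMPLE = """\
R1# show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
tcp 203.0.113.1:1024   192.168.1.10:51200 93.184.216.34:443  93.184.216.34:443
tcp 203.0.113.1:1025   192.168.1.11:51200 93.184.216.34:443  93.184.216.34:443
udp 203.0.113.1:1026   192.168.1.12:52100 8.8.8.8:53         8.8.8.8:53
tcp 203.0.113.1:80     192.168.1.10:80    ---                ---
--- 203.0.113.6        192.168.1.20       ---                ---
"""

@dataclass
class Translation:
    proto: str            # "tcp", "udp", "icmp", or "---" for a 1:1 static entry
    inside_global: str    # public address (and port) that represents the inside host
    inside_local: str     # private address (and port) configured on the inside host
    outside_local: str    # outside host as seen from inside; "---" until a session exists
    outside_global: str   # outside host on the Internet; same as outside_local in simple NAT

    @property
    def static(self) -> bool:
        """Static entries carry no outside host: the mapping exists before any session."""
        return self.outside_global == "---"

    @property
    def port_forward(self) -> bool:
        """A static entry that names a protocol and port is an inbound port forward."""
        return self.static and self.proto != "---"

def parse_translations(text: str) -> list:
    entries = []
    for line in text.splitlines():
        cols = line.split()
        # Skip the prompt, the header and anything that is not a five-column entry.
        if len(cols) != 5 or cols[0] not in ("tcp", "udp", "icmp", "---"):
            continue
        entries.append(Translation(*cols))
    return entries

def host_ip(addr: str) -> str:
    return addr.split(":")[0]

def translations_for(entries: list, inside_local_ip: str) -> list:
    """The slide's check: entries for one inside host. An empty list means the ACL or the
    ip nat inside/outside assignment never matched that host; a non-empty list means NAT works."""
    return [e for e in entries if host_ip(e.inside_local) == inside_local_ip]
```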
Slide 10 of 10 | N10-009 Obj 1.4
200 Devices, One IP — NAT Makes It Work
All 200 devices in your office reach the Internet through a single public IP.
PAT (NAT overload) assigns each outbound session a unique source port, tracks the mapping,
and delivers replies to the correct internal device. For the one server that needs to be reachable from outside,
you added a static NAT entry. For troubleshooting, show ip nat translations
tells you everything: what internal address mapped to what public address, which port, and when.
5 Facts to Carry Out of This Presentation
1. Static NAT = 1:1 permanent mapping. Dynamic NAT = pool of public IPs. PAT = many:1 using port numbers. PAT is what home routers use.
2. RFC 1918 private ranges: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16. Not routable on the public Internet.
3. Inside Local = private IP on the device. Inside Global = public IP after translation. Know both for the translation table output.
4. NAT breaks protocols that embed IPs in their payload: VoIP (SIP), IPsec (use NAT-T / UDP 4500), and some gaming/P2P applications.
5. Troubleshoot with show ip nat translations (active mappings) and show ip nat statistics (hit/miss counters).