NAT Made Simple: How Your Private Network Talks to the Internet

PitsPits
13 min read

When you connect your devices to the internet, each one needs an IP address to communicate. But what happens when there aren’t enough public IP addresses for everyone? This is where Network Address Translation, or NAT, comes in. NAT works behind the scenes to let multiple devices share a single public IP address, making internet communication possible for homes, offices, and even large organizations. In this blog, we’ll break down what NAT is, why it matters, and how it actually works in a way that’s easy to understand.

Private IPv4 Addresses (RFC 1918)

Before we dive deeper into how NAT works, it’s important to understand the type of IP addresses it often deals with. Many networks, especially in homes and offices, use private IPv4 addresses. These addresses are defined in RFC 1918 and are meant to be used only inside private networks. They cannot be used directly on the public internet, which is one of the main reasons NAT exists in the first place.

Private IPv4 addresses are also part of the short-term solutions to IPv4 address exhaustion, along with Classless Inter-Domain Routing (CIDR) and NAT. By using private addresses inside local networks, organizations can reduce the number of public IP addresses they need.

These addresses fall into three specific ranges:

  • 10.0.0.0 to 10.255.255.255

  • 172.16.0.0 to 172.31.255.255

  • 192.168.0.0 to 192.168.255.255

If you’ve ever checked your home Wi-Fi settings and seen something like 192.168.1.5, you’ve already used a private IP address. NAT then takes care of translating that private address into a public one so you can browse websites, watch videos, or send emails without any issues.

Network Address Translation (NAT)

Now that we know about private IPv4 addresses and how they fit into the bigger picture of solving IPv4 exhaustion, let’s talk about NAT. Network Address Translation is the process of changing the source or destination IP address in a packet as it passes through a router or firewall.

In most cases, NAT is used to allow devices with private IP addresses to communicate on the public internet. It works by translating those private addresses into a public one (or several public ones) that can be routed across the internet. When the response comes back, NAT translates the public address back into the correct private address so the right device gets the data.

This translation happens quickly and invisibly, which is why most people using the internet at home have no idea it’s even happening. Without NAT, every device would need its own public IP address, and we would have run out of IPv4 addresses a long time ago.

Static NAT

Static NAT creates a one-to-one mapping between a private IP address and a public IP address. This means a specific internal device will always use the same public IP address when it communicates outside the network.

Because the mapping is fixed, Static NAT is often used for devices that need to be reachable from the internet, such as web servers, mail servers, or security cameras. For example, if your internal web server has the private address 192.168.1.10, your router can map it permanently to a public address like 203.0.113.5. Anyone accessing that public address will always reach the same internal server.

The main advantage of Static NAT is predictability. The public IP never changes for that device. However, it requires a dedicated public IP for each device you want to expose, which makes it less efficient for conserving IP addresses compared to other NAT types.

Inside Local and Inside Global

When talking about NAT, you’ll often hear the terms Inside Local and Inside Global. These describe the addresses before and after translation.

  • Inside Local – This is the private IP address assigned to a device inside your network. It’s the address the device uses within the local network and is not routable on the internet.

  • Inside Global – This is the public IP address that represents the same internal device to the outside world. It’s what people on the internet see when your device communicates with them.

Example:
Let’s say you have a web server inside your network:

  • Inside Local: 192.168.1.10 (private address inside your LAN)

  • Inside Global: 203.0.113.5 (public address that outside users connect to)

When someone on the internet types http://203.0.113.5, the router uses NAT to forward that request to 192.168.1.10 inside your network. The server’s reply goes back through the router, which changes the source address from 192.168.1.10 to 203.0.113.5 before sending it out.

This mapping ensures the correct device gets the traffic, and the outside world never directly sees the private IP address.

Static NAT Configuration on Cisco IOS

Now that we know what Static NAT is and understand Inside Local and Inside Global addresses, let’s see how to configure it on a Cisco router. The goal here is to create a permanent one-to-one mapping between a private IP and a public IP.

Example Scenario:

  • Inside Local: 192.168.1.10 (web server inside the LAN)

  • Inside Global: 203.0.113.5 (public IP assigned by the ISP)

Steps to Configure:

Router> enable
Router# configure terminal
Router(config)# interface g0/0
Router(config-if)# ip address 192.168.1.1 255.255.255.0
Router(config-if)# ip nat inside
Router(config-if)# no shutdown

Router(config)# interface g0/1
Router(config-if)# ip address 203.0.113.1 255.255.255.0
Router(config-if)# ip nat outside
Router(config-if)# no shutdown

Router(config)# ip nat inside source static 192.168.1.10 203.0.113.5
Router(config)# end
Router# write memory

Explanation:

  1. Assign IP addresses to the inside and outside interfaces.

  2. Mark the LAN-facing interface as ip nat inside and the WAN-facing interface as ip nat outside.

  3. Use the ip nat inside source static command to map the inside local address (192.168.1.10) to the inside global address (203.0.113.5).

To Verify:

Router# show ip nat translations

Example Output:

Pro  Inside global      Inside local       Outside local      Outside global
---  203.0.113.5        192.168.1.10       ---                ---

This shows a permanent mapping between the public IP (Inside Global) and the private IP (Inside Local).

What These Columns Mean:

  • Inside Local – The private IP address of the device inside your network (192.168.1.10 in this example).

  • Inside Global – The public IP address that represents the inside device on the internet (203.0.113.5).

  • Outside Local – The IP address of the external device as it appears from inside your network. In some cases, this could be different if the outside device is also behind NAT, but here it’s 198.51.100.20.

  • Outside Global – The real, routable IP address of the external device (198.51.100.20 here because there’s no NAT on the other side).

This table helps confirm that the mapping is working correctly and that NAT is translating between your private network and the outside world as expected.

Clearing NAT Translations:

If you need to remove existing NAT translation entries, you can use the following command:

Router# clear ip nat translations *

This deletes all current NAT table entries. It’s useful when testing configurations or making changes, as it forces the router to create fresh translation entries the next time traffic passes through.

For Static NAT, the mapping itself remains in the configuration even after clearing the translations. The router will recreate the entry automatically once new traffic is generated.

Viewing NAT Statistics:

To check how many translations are active and how NAT is performing, use:

Router# show ip nat statistics

Example Output:

Total active translations: 1 (1 static, 0 dynamic; 0 extended)
Outside interfaces: GigabitEthernet0/1
Inside interfaces: GigabitEthernet0/0
Hits: 25  Misses: 0
Expired translations: 0
Dynamic mappings:

What This Shows:

  • Total active translations – Number of current NAT entries, with a breakdown of static and dynamic ones.

  • Inside interfaces / Outside interfaces – Interfaces that have been marked for NAT traffic flow.

  • Hits – Number of times a packet matched an existing translation.

  • Misses – Packets that required a new translation to be created.

  • Expired translations – Number of translation entries that were removed due to inactivity.

For Static NAT, you’ll see at least one static entry even if there’s no active traffic.

Dynamic NAT

So far, we covered Static NAT, where a fixed one-to-one mapping exists between a private and public IP address. Now, let’s look at Dynamic NAT.

Unlike Static NAT, Dynamic NAT doesn’t assign a permanent public IP to a specific internal device. Instead, it uses a pool of public IP addresses that can be shared among internal devices on a first-come, first-served basis. When a device inside the network needs to access the internet, the router assigns one of the available public IPs from the pool temporarily.

This approach is more flexible and conserves public IP addresses better than Static NAT because the pool of public addresses is shared rather than dedicated. However, it still requires having enough public IP addresses in the pool to accommodate active connections.

An Access Control List (ACL) is used to identify which traffic should be translated. The router checks the source IP address against the ACL, and if it matches (is permitted), the NAT translation applies. If the source IP is denied by the ACL, it won’t be translated. This helps control which devices or traffic get translated through Dynamic NAT.

Creating a NAT Pool and ACL for Dynamic NAT

To set up Dynamic NAT, you need two things:

  1. NAT Pool – This is a group of public IP addresses the router can use to translate private IPs. Instead of assigning one public IP per device, the router picks an available IP from this pool when needed.

  2. Access Control List (ACL) – This defines which private IP addresses or range of addresses are allowed to be translated by NAT.

Example:

Imagine you have:

  • Private network range: 192.168.1.0/24

  • Public IP addresses for NAT: 203.0.113.10 to 203.0.113.20

Steps to create NAT pool and ACL:

Router(config)# ip access-list standard NAT-ACL
Router(config-std-nacl)# permit 192.168.1.0 0.0.0.255
Router(config-std-nacl)# exit

Router(config)# ip nat pool NAT-POOL 203.0.113.10 203.0.113.20 netmask 255.255.255.0

  • The ACL named NAT-ACL permits any IP from 192.168.1.0 to 192.168.1.255 to be translated.

  • The NAT pool named NAT-POOL contains public IPs from 203.0.113.10 to 203.0.113.20.

Once you create these, you’ll link them together in the NAT configuration so the router knows to translate allowed internal IPs using addresses from that pool.

NAT Pool Exhaustion

One challenge with Dynamic NAT is something called NAT pool exhaustion. Since Dynamic NAT relies on a limited pool of public IP addresses, it’s possible to run out of available addresses if too many devices try to access the internet at the same time.

When all the IPs in the NAT pool are in use, any new device or connection that needs translation will be denied until one of the existing translations is freed up. This means some users might not be able to access external resources until there’s an available public IP in the pool.

This limitation makes Dynamic NAT less scalable for larger networks with many devices. To handle this, network administrators often use Port Address Translation (PAT), also known as NAT overload, which allows multiple devices to share a single public IP address by using different ports.

Dynamic NAT Configuration on Cisco IOS

Now that we understand how Dynamic NAT works and the role of NAT pools and ACLs, let’s see how to configure it on a Cisco router.

Example Scenario:

  • Private network: 192.168.1.0/24

  • Public IP pool: 203.0.113.10 to 203.0.113.20

Step 1: Create the ACL to identify inside local addresses

Router(config)# access-list 1 permit 192.168.1.0 0.0.0.255

Step 2: Create the NAT pool with the range of public IPs

Router(config)# ip nat pool MY_POOL 203.0.113.10 203.0.113.20 netmask 255.255.255.0

Step 3: Configure NAT to use the pool for addresses matching the ACL

Router(config)# ip nat inside source list 1 pool MY_POOL

Step 4: Mark the interfaces

Router(config)# interface GigabitEthernet0/0
Router(config-if)# ip nat inside
Router(config-if)# exit

Router(config)# interface GigabitEthernet0/1
Router(config-if)# ip nat outside
Router(config-if)# exit

Step 5: Save the configuration

Router(config)# end
Router# write memory

This setup allows devices in the 192.168.1.0/24 network to get translated using any available IP from the public pool 203.0.113.10 to 203.0.113.20 when they access the internet.

Verifying Dynamic NAT:

To check active NAT translations, use:

Router# show ip nat translations

You’ll see entries like this:

Pro  Inside global      Inside local       Outside local      Outside global
---  203.0.113.10       192.168.1.2        198.51.100.5       198.51.100.5
---  203.0.113.11       192.168.1.3        198.51.100.10      198.51.100.10

This shows which private IPs (Inside Local) are currently translated to which public IPs (Inside Global).

To view NAT statistics, use:

Router# show ip nat statistics

Port Address Translation (PAT)

Also known as NAT overload, PAT allows many devices on a private network to share a single public IP address by tracking connections using different port numbers. This is how most home routers handle internet traffic today.

Unlike Dynamic NAT, which requires one public IP per active connection, PAT lets multiple devices use the same public IP but assign a unique port number to each session. This greatly conserves public IP addresses and allows thousands of devices to access the internet through one IP.

PAT (Port Address Translation) Configuration on Cisco IOS

PAT lets multiple devices share a single public IP by using different port numbers. Here’s how to set it up:

Example Scenario:

  • Private network: 192.168.1.0/24

  • Public IP: 203.0.113.5 (single IP)

Step 1: Create an ACL to identify inside local addresses

Router(config)# access-list 1 permit 192.168.1.0 0.0.0.255

Step 2: Configure PAT to translate addresses matching the ACL using the single public IP

Router(config)# ip nat inside source list 1 interface GigabitEthernet0/1 overload

Step 3: Mark the interfaces

Router(config)# interface GigabitEthernet0/0
Router(config-if)# ip nat inside
Router(config-if)# exit

Router(config)# interface GigabitEthernet0/1
Router(config-if)# ip nat outside
Router(config-if)# exit

Step 4: Save the configuration

Router(config)# end
Router# write memory

This config tells the router to translate all IPs matching ACL 1 using the IP address assigned to the GigabitEthernet0/1 interface. The keyword overload enables port address translation so many devices can share that one IP.

What Does overload Mean in PAT?

The keyword overload in the NAT configuration tells the router to use Port Address Translation (PAT). This allows multiple devices on your private network to share a single public IP address by using different port numbers for each connection.

Without overload, NAT would assign one public IP address per private device, which uses up public IPs quickly. With overload, the router tracks each connection using port numbers, so many devices can access the internet simultaneously with just one public IP.

Think of it like an apartment building using the same street address (the public IP) but different apartment numbers (port numbers) to keep track of each resident (device). This method conserves public IP addresses and is how most home routers handle internet traffic today.

Verifying PAT:

To see active PAT translations, use:

Router# show ip nat translations

Example output might look like this:

Pro  Inside global      Inside local       Outside local      Outside global
tcp  203.0.113.5:1025   192.168.1.10:1025  198.51.100.20:80   198.51.100.20:80
udp  203.0.113.5:4096   192.168.1.12:4096  198.51.100.30:53   198.51.100.30:53

Notice how the Inside global IP is the same (203.0.113.5), but the port numbers differ to distinguish each connection.

To check NAT statistics, use:

Router# show ip nat statistics

NAT Command Summary

Static NAT:

ip nat inside source static [inside-local-ip] [inside-global-ip]
ip nat inside
ip nat outside
show ip nat translations
clear ip nat translations *
show ip nat statistics

Dynamic NAT:

access-list [number] permit [inside-local-subnet] [wildcard-mask]
ip nat pool [pool-name] [start-ip] [end-ip] netmask [netmask]
ip nat inside source list [access-list-number] pool [pool-name]
ip nat inside
ip nat outside
show ip nat translations
show ip nat statistics

PAT (NAT Overload):

access-list [number] permit [inside-local-subnet] [wildcard-mask]
ip nat inside source list [access-list-number] interface [outside-interface] overload
ip nat inside
ip nat outside
show ip nat translations
show ip nat statistics

Wrap Up

NAT is a key technology that helps solve the shortage of IPv4 addresses by allowing private networks to communicate with the public internet. Whether through Static NAT’s fixed mappings, Dynamic NAT’s address pools, or PAT’s port-based translation, NAT keeps the internet running smoothly for millions of devices.

Understanding how NAT works and how to configure it on Cisco devices is essential for anyone managing networks today. If you want to dive deeper, practicing these commands in a lab environment is a great next step.

0
Subscribe to my newsletter

Read articles from Pits directly inside your inbox. Subscribe to the newsletter, and don't miss out.

networkingnetworking for beginnersnatnetwork address translation

Written by

Pits
Pits