Luminis Logo Luminis


How to configure NAT & PAT on Cisco router?

The Internet has a very long history of utilizing mechanisms that may breathe new life into older technologies, stretching it out so that newer technologies may be delayed or obviated altogether. IPv4 addressing, and the well-known depletion associated with it, is one such area that has seen a plethora of mechanisms employed in order to give it more shelf life.

In the early 90s, the IETF gave us Classless Inter-Domain Routing (CIDR), which dramatically slowed the growth of global Internet routing tables and delayed the inevitable IPv4 address depletion. Later came DHCP, another protocol which assisted via the use of short term allocation of addresses which would be given back to the provider's pool after use. In 1996, the IETF was back at it again, creating RFC 1918 private addressing, so that networks could utilize private addresses that didn't come from the global pool. Utilizing private address space gave network operators a much larger pool to use internally than would otherwise have been available if utilizing globally assigned address space — but if they wanted to connect to the global Internet, they needed something to translate those addresses. This is what necessitated the development of Network Address Translation (NAT).

In fact, Network Address Translation (NAT) and Port Address Translation (PAT) later, played a major role in delaying the exhaustion of the IP addresses.

Whenever we are accessing the network of home, office, campus, etc it means that we are accessing these as private network; and the time we are connected to the Internet or ISP means we are accessing the public network.

To access the public network, we need a valid registered unique public IP address. After having the public IP address, we can assign them to the host which want to access the public network or want to be the part of that network. This can be achieved either by directly assigning Public IP to the host or with the help of NAT/PAT.

NAT/PAT having these components:

  • Private network and Public network
  • Private IP address and Public IP address
  • Inside local and Inside Global

Private And Public Network

Private And Public IP Address

Inside Local Inside Global

Types of NAT:

  • Static NAT
  • Dynamic NAT
  • PAT

Working of NAT

Step 1
The host PC11 with the private IP address, wants to access an email server gmail.com in public network domain. So its connection attempt reaches to the router first.

Step 2
The router checks a matching logic against that private IP, and allocates a valid public IP address, e.g.,, from the defined pool of public addresses (allotted by ISP).

Step 3
The router will also make an entry in NAT table for PC11.

Step 4
Now the PC11 has a new public IP and with this new public IP, it can visit the public network and access server gmail.com.

Step 5
When response is received from the gmail.com, routers will check its NAT table and forward the response to the particular host e.g., PC11.

This is the basic way the router handles the NAT.

Selection of the NAT type

There are basically three situations for using the NAT/PAT:

Situation 1
When we need to allocate a fixed public IP address against the private IP address and in this type of mapping, we use 'Static NAT'. For example, we have a web server in our private network and we want to allow the users from the Internet or Public network to access that web server.

Situation 2
When we have a pool of Public IP addresses and the allocation of these addresses to the private IP addresses are not predefined and are not fixed. It works on 'First come, first serve' basis and the same public IP can be allocated to the another host after use. In this case, we use 'Dynamic NAT'.

Situation 3
Each and every public IP address costs you, to overcome this problem we can use PAT. In this case, we can allocate the single public IP address to the number of private IP addresses simultaneously, with the help of separate port no.

Configuration of NAT/PAT

We will use this diagram for our configuration.

topology final

Interface Ethernet0/0 is connected with inside network and having network address,

NAT Inside

Interface Ethernet0/1 is connected with DMZ network and having network address,

NAT Inside Static

Interface Serial4/0 is connected with ISP network and having network address,

NAT Outside

We need to configure default route on Luminis-R, to access anything on the Internet.

Default Route

On ISP configure the static route as given below:

Static Route on ISP

Static NAT

In the DMZ network, have a Webserver hosting a website LuminsIndia.com. The users from the outside network (Internet), can access this server. Public IP address we will use is,
The configuration of 'Static NAT' for this network is:

NAT Inside Static

Static NAT

Featuerd Article Configure EtherChannel

Dynamic NAT

In the inside network, we can have 254 hosts as per the network address We have a pool of 10 public IP addresses (

Access List

Dynamic NAT With Pool


PC11 to gmail.com

 Verification PC11 Dynamic NAT

NAT translation table

Verification NAT Table1 in Dynamic NAT

PC11 to hotmail.com

Verification PC11 2 Dynamic NAT

NAT translation table

Verification NAT Table2 in Dynamic NAT

PC22 to gmail.com

Verification PC22 Dynamic NAT

NAT translation table

Verification NAT Table21 in Dynamic NAT

PC22 to hotmail.com

Verification PC22 1 Dynamic NAT

NAT translation table

Verification NAT Table22 in Dynamic NAT

PC33 to gmail.com

Verification PC33 Dynamic NAT

NAT translation table

Verification NAT Table31 in Dynamic NAT

PC33 to hotmail.com

Verification PC33 1 Dynamic NAT

NAT translation table

Verification NAT Table31 1 in Dynamic NAT

Luminis-Server to gmail.com and hotmail.com

Verification LuminisIndia Static NAT

NAT translation table

Verification NAT Table Static NAT

Gmail-Server to Luminis-Server

Verification gmail Static NAT

Hotmail-Server to Luminis-Server

Verification hotmail Static NAT

Dynamic NAT would allow only n number of hosts to access the Internet, where n is equivalent to the number of public IP addresses in its pool. This type of NAT is not much scalable and the replacement of it is Port Address Translation.

Featuerd Article Route Selection

Port Address Translation (PAT)

When we are connected with Internet, definitely we have a public IP address for that connection. In PAT we can use that same IP while allocating the public IP to the multiple hosts inside the private network.

How can it be possible to assign a single IP to the multiple devices?

PAT differentiates the single IP between the multiple devices with the help of Ports. Total number of ports are 65,536 we can say that a single IP address can be allocated to the number of devices depending upon -- how many ports are available at that time. And theoretically it's possible to allocate more than 64,000 sessions along with a single public IP address.

Clear the translation table entry of NAT, with the following command

clear ip nat translation

Configuration of PAT, with this command.


The word overload is used for PAT.

clear ip nat translation1


PC11 to gmail.com and hotmail.com

Verification PC11 PAT


NAT translation table

Verification NAT Table PAT

PC22 to gmail.com and hotmail.com

Verification PC22 PAT

NAT Translation Table

Verification NAT Table PAT 1

In the NAT translation table, for both the hosts PC11 and PC22 a single IP address used and it is differentiating with the port number.

Last Words

NAT's contribution to the reliability and existence of the Network society as known today has turned out to be extremely valuable. Conservation of IP addresses is the primary benefit of NAT through NAT Overloading. Private networks hide their real identity therefore remain secure without revealing their network topology to the outside world.

Something important to keep in mind is that NAT implementation tries to preserve the original source port all the way through the translation.

Since, NAT worked very well for many, many years, and slowed the address depletion a great deal. But in order to perform that translation, you still needed to acquire at least one globally addressable IP. As such, this only served to slow down depletion but not prevent it - carriers were still required to provide that globally addressable IP from their own address space. With the explosive growth of the Internet of Things, carriers likewise began to run out of address space to allocate.

NAT came to the rescue again. Carriers took notice of the success of NAT in enterprise environments and wanted to do this within their own networks, after all, if it worked for customers it should likewise work for the carriers too. This prompted the IETF to develop Carrier Grade NAT (CGN), also known as Large Scale NAT (LSN). CGN aims to provide a similar solution for carriers by obviating the need for allocating publicly available address space to their customers. By deploying CGN, carriers could over-subscribe their pool of global IPv4 addresses while still providing for seamless connectivity, i.e. no truck-roll.

So while the world is spared from address depletion yet again, the use of CGN technologies opens a new can of worms for carriers. No longer does one globally routable IP represent a single enterprise or customer - due to the huge over-subscription which is afforded through CGN, an IP can service potentially thousands of customers. The caveat here is -- Any successful DoS or DDoS attack would have potential to affect the exponentially large number of users simultaneously.

What do you think of NAT/PAT and now CGN?

Your feedback is very valuable.  Kindly spare a minute to leave your comment here.




This article is written & published by Ms. Meena, Senior Manager - IT, at Luminis Consulting Services Pvt Ltd, India. She can be reached at Email:  and/or Linkedin: https://www.linkedin.com/in/meena1 


Print Email

0 # RE: How to configure NAT & PAT on Cisco router?Tarık 2016-11-20 16:14
Very useful. Thank You.
Reply | Reply with quote | Quote
Add comment
Kindly use 'Add Comment' section, if you feel that your comment stands at its own. In case, you wish to reply to the comment(s) made by other users of the website, you may use the 'Reply' options given underneath each comment.


Prof. Ashok Menon (in Name field)
http://www.yahoo.com (in Website field, if any)
HOD - Mechanical Engineering at ABC Institute of Engineering, Mumbai (in Job Title field)


Luminis Consulting Services promotes a receptive, transparent and civil atmosphere for comments and users. Critical, in-depth and intelligent discussions and debates are encouraged and the best of these are highlighted in various ways, such as Homepage display etc. Everyone is welcome and encouraged to voice their opinion regardless of identity, politics, ideology, religion or agreement with other community members, the author of the post or staff members as long as those opinions are respectful and constructively add to the conversation.

However, this community does not tolerate direct or indirect attacks, name-calling or insults, nor does it tolerate intentional attempts to derail, hijack, troll or bait others into an emotional response. These types of comments will be removed from the community where warranted. To maintain a civil atmosphere, our moderation team may read comments before they are displayed to other users, as we strive to get to all comments as quickly as possible. However, Luminis Consulting Services reserves the right to add, delete, edit or act upon the comments made by any user. Thanks!


Blog Subscription Image





I want to subscribe to following blogs: *

IT & Networking Blog
Process Improvement Blog
Leadership Management Blog
Education Training Blog