Port Address Translation (PAT), also known as NAT overload, is a cornerstone of IP connectivity for CCNA students and essential for conserving IPv4 addresses in real-world deployments. In the CCNA 200-301 exam (IP Services domain), you’ll configure PAT to map multiple private inside local addresses (e.g., 192.168.x.x) to a single public inside global address, enabling an entire LAN to share one ISP-assigned IP.
PAT works by multiplexing transport-layer ports: for every translation the router records the inside local address and port, the inside global address and port, and the outside address and port in its NAT table, so a single global address can in theory carry a separate session on each of its 65,536 TCP and UDP port numbers. In practice the usable pool is smaller: classic Cisco IOS PAT keeps a translated port inside the same range as the original (1–511, 512–1023 and 1024–65535), the platform’s memory and the ip nat translation max-entries setting cap the size of the table, and idle entries are only freed when their timeout expires. Port exhaustion is therefore a real concern on branch routers that carry many short-lived UDP flows such as VoIP signalling or DNS. For CCNP-level depth, note that NAT64 (IPv6-to-IPv4 translation) is a separate mechanism from PAT, although it relies on the same port-multiplexing idea.
We’ll cover two configurations:
- PAT with a public IP pool (scalable for enterprises)
- Single-IP overload (ideal for home/small office)
By the end, you’ll verify translations like a pro, troubleshoot common issues, and even extend PAT to IPv6 environments.
Configuring Port Address Translation for a Pool of Public IP Addresses
To configure Port Address Translation (PAT) with a pool on a Cisco router, first create a NAT pool containing the range of public IPv4 addresses allotted by the Internet Service Provider. Then create a standard access list that identifies the private inside addresses allowed to be translated. The ACL is the control over which hosts are translated: a packet from a source the ACL does not permit is routed without translation, which normally means it is dropped by the ISP.
After creating the pool of global addresses and the access list, bind the two together with the ip nat inside source list command.
Finally, mark which interface is inside and which is outside. The only difference between configuring dynamic NAT and PAT is the keyword “overload” at the end of the ip nat inside source command.
Example Configuration
The example configuration shown in the figure below establishes overload translation for the NAT pool named Global_pool. The pool contains twelve addresses, 203.0.113.3 through 203.0.113.14, matching the commands below; the previous lesson’s figure shows the same pool as 202.128.54.3 to 202.128.54.14. Hosts in the 192.168.10.0/24 and 192.168.11.0/24 networks are to be translated.
The sub-interface S0/0/0.101 is the outside interface, and G0/0 and G0/1 are the inside interfaces. Router R2 is the PAT router. We are using the same topology as the previous lesson, “Dynamic NAT Configuration.”

This method pairs a pool of public addresses with overload, so each address in the pool brings its own port space; it suits medium to large networks that own more than one public address.
Topology Reference: See Figure 1 above.
Step-by-Step PAT Pool Configuration on Cisco Router
Create NAT Pool
R2> enable
R2# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)# ip nat pool Global_pool 203.0.113.3 203.0.113.14 netmask 255.255.255.240
R2(config)#
Define Access Control List (ACL)
R2(config)# access-list 1 permit 192.168.10.0 0.0.0.255
R2(config)# access-list 1 permit 192.168.11.0 0.0.0.255
R2(config)#
Enable PAT Overload with Pool
R2(config)# ip nat inside source list 1 pool Global_pool overload
R2(config)#
Mark Interfaces
R2(config)# interface gigabitEthernet 0/0
R2(config-if)# ip nat inside
R2(config-if)# exit
R2(config)# interface gigabitEthernet 0/1
R2(config-if)# ip nat inside
R2(config-if)# exit
R2(config)# interface serial 0/0/0.101
R2(config-subif)# ip nat outside
R2(config-subif)# exit
R2(config)#
Verify and Reset (Lab Use)
R2# show ip nat translations
Pro  Inside global      Inside local         Outside local      Outside global
icmp 203.0.113.3:48    192.168.11.100:48    201.128.35.2:48    201.128.35.2:48
icmp 203.0.113.3:49    192.168.11.100:49    201.128.35.2:49    201.128.35.2:49
tcp  203.0.113.4:1029  192.168.10.101:1029  201.128.35.2:80    201.128.35.2:80
tcp  203.0.113.5:1030  192.168.10.102:1030  201.128.35.2:80    201.128.35.2:80
R2# clear ip nat translation *
R2#
Hosts in both 192.168.10.0/24 and 192.168.11.0/24 can now reach the internet through the single outside interface S0/0/0.101. Three things must all be in place for a host to be translated: its address must be permitted by access-list 1, the interface it arrives on must carry ip nat inside, and the packet must leave through an interface marked ip nat outside. G0/1, which serves 192.168.11.0/24, therefore needs ip nat inside just as G0/0 does.
PAT Pool vs. Single-IP PAT Comparison
| Feature | PAT Pool (This Method) | Single-IP PAT (Next Section) |
|---|---|---|
| Use Case | Enterprise with several public addresses | SOHO or a single public address |
| Scalability | Twelve global addresses, each with its own port space | One address with roughly 64,000 usable ports per transport protocol |
| Config Keyword | pool Global_pool overload | interface <outside> overload |
| CCNA Exam Tip | Check that the ACL permits the source; a packet that does not match is routed untranslated | Watch for port exhaustion under heavy UDP load |
Common Pitfall: an over-broad NAT ACL (for example permit any, or a wildcard mask that covers more than the inside networks) translates traffic you never intended to send out through the public address, while a typo in a wildcard mask silently leaves a whole subnet untranslated. Verify the entries with show access-lists after configuration and confirm that the hit counters increase only on the lines you expect.
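The check described above, as an added example that is not part of the original page: a small Python script that parses standard access-list lines, converts each address/wildcard pair to a prefix, and reports which intended inside networks the ACL misses and which permit lines reach beyond them. The function names and the sample ACLs are invented for illustration; the wildcard semantics (0 bits must match, 1 bits are ignored) are the standard IOS ones.

```python
"""Check that a standard ACL used as a NAT source list covers exactly the
intended inside networks. Added example; not from the original page."""
import ipaddress
import re
from typing import Dict, List, Tuple

ACL_LINE = re.compile(
    r"^\s*access-list\s+(?P<num>\d+)\s+(?P<action>permit|deny)\s+(?P<rest>.+?)\s*$"
)


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert a Cisco address/wildcard pair to a CIDR prefix.

    Wildcard bits set to 0 must match and bits set to 1 are ignored, so only a
    contiguous run of low-order 1 bits corresponds to a single prefix.
    """
    w = int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1):  # e.g. 0.0.255.0 is legal in IOS but is not one prefix
        raise ValueError(f"non-contiguous wildcard {wildcard} is not a single prefix")
    prefix_len = 32 - w.bit_length()
    base = int(ipaddress.IPv4Address(addr)) & (~w & 0xFFFFFFFF)
    return ipaddress.IPv4Network((base, prefix_len))


def parse_acl(text: str) -> List[Tuple[str, ipaddress.IPv4Network]]:
    """Parse 'access-list N permit|deny <src> [<wildcard>]' lines, in order."""
    entries = []
    for line in text.splitlines():
        m = ACL_LINE.match(line)
        if not m:
            continue  # blank lines, remarks, unrelated config
        parts = m.group("rest").split()
        if parts[0] == "any":
            net = ipaddress.IPv4Network("0.0.0.0/0")
        elif parts[0] == "host":
            net = ipaddress.IPv4Network(f"{parts[1]}/32")
        elif len(parts) == 1:
            net = ipaddress.IPv4Network(f"{parts[0]}/32")  # bare address means host
        else:
            net = wildcard_to_network(parts[0], parts[1])
        entries.append((m.group("action"), net))
    return entries


def check_nat_acl(acl_text: str, intended: List[str]) -> Dict[str, List[str]]:
    """Compare the ACL's permitted sources with the networks PAT should serve.

    'missing'   - intended networks no permit line covers (hosts there are
                  routed untranslated and never reach the internet)
    'overreach' - permit lines that extend beyond every intended network
                  (sources you did not mean to translate)
    'denied'    - deny lines, listed because IOS evaluates entries top down
                  and an early deny shadows a later permit
    """
    wanted = [ipaddress.IPv4Network(n) for n in intended]
    entries = parse_acl(acl_text)
    permits = [net for action, net in entries if action == "permit"]
    denies = [net for action, net in entries if action == "deny"]
    missing = [str(n) for n in wanted if not any(n.subnet_of(p) for p in permits)]
    overreach = [str(p) for p in permits if not any(p.subnet_of(n) for n in wanted)]
    return {"missing": missing, "overreach": overreach, "denied": [str(d) for d in denies]}


if __name__ == "__main__":
    # Constructed sample: the page's ACL, then a too-broad rewrite of it.
    good = "access-list 1 permit 192.168.10.0 0.0.0.255\naccess-list 1 permit 192.168.11.0 0.0.0.255\n"
    broad = "access-list 1 permit 192.168.0.0 0.0.255.255\n"
    nets = ["192.168.10.0/24", "192.168.11.0/24"]
    print(check_nat_acl(good, nets))
    print(check_nat_acl(broad, nets))
```

Run it against the output of show running-config | include access-list before committing a change; an entry listed under overreach deserves a second look before it goes into an ip nat inside source list command.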
Configuring Port Address Translation for a Single Public IPv4 Address
If only one public IPv4 address is available, the overload configuration typically uses the address assigned to the outside interface that connects to the ISP. When packets leave that outside interface, every inside address is translated to that single IPv4 address. The steps to configure Port Address Translation (PAT) with a single IPv4 address are as follows:
Define an ACL to permit the traffic to be translated.
Configure source translation using the interface and overload keywords. The interface keyword defines which interface IP address to use when translating inside addresses. The overload keyword instructs the router to track port numbers with each NAT entry.
Identify which interfaces are inside and which are outside in relation to NAT. The inside interface is any interface that connects to the inside network, and the outside interface is an interface connected to the outside network.
The configuration is similar to dynamic NAT, except that the interface keyword identifies the outside IPv4 address instead of a pool of addresses, so no NAT pool is defined. The configuration below applies PAT with a single IPv4 address on R2 in the same topology. The commands for a single-address PAT configuration are the following:
R2> enable
R2# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)# access-list 1 permit 192.168.10.0 0.0.0.255
R2(config)# access-list 1 permit 192.168.11.0 0.0.0.255
R2(config)# ip nat inside source list 1 interface serial 0/0/0.101 overload
R2(config)# interface gigabitEthernet 0/0
R2(config-if)# ip nat inside
R2(config-if)# exit
R2(config)# interface serial 0/0/0.101
R2(config-subif)# ip nat outside
R2(config-subif)# exit
R2(config)#
Note: This classic ip nat syntax is the same on IOS 15.x and on IOS XE; the commands above apply unchanged on current releases.

Sample Debug Output (enable with debug ip nat; use it only briefly, on a lab router)
*Nov 15 12:55:00: NAT: i: icmp (192.168.10.101, 3789) -> (203.0.113.1, 3789) [0]
*Nov 15 12:55:01: NAT: o: icmp (203.0.113.1, 3789) -> (192.168.10.101, 3789) [1]
Analyzing Port Address Translation (Packet Flow)
When a PC initiates a connection:
- PC1 (192.168.11.100) sends a packet to 201.128.35.2:80 from source port 1025.
- R2 translates the source to 203.0.113.1:1025; the port is kept because no entry is using it yet.
- Laptop0 (192.168.10.101) sends to the same destination, also from source port 1025; R2 translates it to 203.0.113.1:1026 because 1025 is already in the NAT table.
- Return traffic is demultiplexed by looking up the destination port (1025 or 1026) in the NAT table.
PC to Server Process
The figure below illustrates PC1 and Laptop0 sending packets to the web server at the same time. PC1 has the source IPv4 address 192.168.11.100 and uses TCP source port 1025. Laptop0 has the source IPv4 address 192.168.10.101 and has also been assigned source port 1025.
The packet from PC1 reaches R2 first. Using PAT, R2 translates the source IPv4 address to the inside global address 203.0.113.1. Since no other entry in the NAT table is using port 1025, PAT keeps the same port number. The packet is then forwarded to the web server at 201.128.35.2.
PAT is configured to use a single inside global IPv4 address for all translations, so when the packet from Laptop0 arrives at R2, PAT translates Laptop0’s source IPv4 address to the same inside global address, 203.0.113.1.
However, Laptop0’s source port number collides with an existing PAT entry, the translation for PC1. PAT therefore picks the next free port number in the same range until the entry is unique in its table; in this example the source port recorded in the NAT table becomes 1026.
Both hosts share the translated address, the inside global address 203.0.113.1, and both originally used source port 1025; R2 records Laptop0 under port 1026 instead. The difference becomes visible in the packets the server sends back to the clients.
Server-to-PC Process
The server uses the source port of the received packet as the destination port, and the packet’s source address as the destination address, for its return traffic. As far as the server can tell it is communicating with a single host at 203.0.113.1, which is not actually the case.
When R2 receives a return packet on interface Serial 0/0/0.101, it looks up its NAT table for the unique entry matching the packet’s destination address and port, together with the protocol and the outside address and port stored in the extended entry.
Several entries carry the destination IPv4 address 203.0.113.1, but only one has destination port 1025. R2 matches that entry and rewrites the packet’s destination IPv4 address to 192.168.11.100; the destination port needs no change. The packet is then forwarded to PC1.
When a packet with destination port 1026 reaches R2, R2 performs a similar lookup. The destination IPv4 address 203.0.113.1 again matches several entries, but the destination port 1026 identifies the translation uniquely. The destination IPv4 address is rewritten to 192.168.10.101 and the destination port to 1025 before the packet is forwarded to Laptop0.
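The packet flow just described, as an added example that is not part of the original page: a small Python model of a PAT table on one inside global address. It reproduces the behaviour in the text (the original source port is kept when free, otherwise the next free port in the same range is used; return packets are demultiplexed by port) and adds the two failure modes a practitioner cares about, port exhaustion and unsolicited inbound packets. The port ranges follow what Cisco documents for classic IOS PAT (1–511, 512–1023, 1024–65535); the class and method names are invented, and the model also pins the outside peer in each entry, as the extended entries in show ip nat translations do.

```python
"""Toy model of Cisco-style PAT (NAT overload) on one inside global address.
Added example; not code from the original page or from Cisco."""
from itertools import chain
from typing import Dict, Optional, Tuple

# Classic IOS keeps a translated port inside the range of the original port.
DEFAULT_RANGES = ((1, 511), (512, 1023), (1024, 65535))

# Extended entry: proto, inside local, local port, outside address, outside port.
Entry = Tuple[str, str, int, str, int]


class PatTable:
    def __init__(self, inside_global: str, port_ranges=DEFAULT_RANGES):
        self.inside_global = inside_global
        self.port_ranges = port_ranges
        self._by_inside: Dict[Entry, int] = {}             # entry -> inside global port
        self._by_global: Dict[Tuple[str, int], Entry] = {}  # (proto, global port) -> entry
        self.dropped = 0                                     # packets with no usable entry

    def _range_of(self, port: int) -> Tuple[int, int]:
        for lo, hi in self.port_ranges:
            if lo <= port <= hi:
                return lo, hi
        raise ValueError(f"port {port} is outside the configured ranges")

    def _allocate(self, proto: str, preferred: int) -> Optional[int]:
        """Keep the original port if free, else the next free port in its range."""
        lo, hi = self._range_of(preferred)
        for cand in chain(range(preferred, hi + 1), range(lo, preferred)):
            if (proto, cand) not in self._by_global:
                return cand
        return None  # every port in the range is taken: port exhaustion

    def outbound(self, proto: str, src: str, sport: int,
                 dst: str, dport: int) -> Optional[Tuple[str, int]]:
        """Translate an inside-to-outside packet; None means it was dropped."""
        entry: Entry = (proto, src, sport, dst, dport)
        if entry in self._by_inside:  # existing session reuses its entry
            return self.inside_global, self._by_inside[entry]
        gport = self._allocate(proto, sport)
        if gport is None:
            self.dropped += 1
            return None
        self._by_inside[entry] = gport
        self._by_global[(proto, gport)] = entry
        return self.inside_global, gport

    def inbound(self, proto: str, src: str, sport: int,
                dst: str, dport: int) -> Optional[Tuple[str, int]]:
        """Translate an outside-to-inside packet; None means no entry, so dropped."""
        entry = self._by_global.get((proto, dport)) if dst == self.inside_global else None
        # The extended entry also pins the outside peer: a packet from another
        # host or port than the one the session was opened to does not match.
        # That is the whole reason unsolicited inbound traffic is discarded.
        if entry is None or entry[3] != src or entry[4] != sport:
            self.dropped += 1
            return None
        return entry[1], entry[2]

    def size(self) -> int:
        return len(self._by_inside)


if __name__ == "__main__":
    t = PatTable("203.0.113.1")
    print(t.outbound("tcp", "192.168.11.100", 1025, "201.128.35.2", 80))  # PC1 keeps 1025
    print(t.outbound("tcp", "192.168.10.101", 1025, "201.128.35.2", 80))  # Laptop0 gets 1026
    print(t.inbound("tcp", "201.128.35.2", 80, "203.0.113.1", 1026))      # back to Laptop0
    print(t.inbound("tcp", "198.51.100.9", 4444, "203.0.113.1", 1025))    # unsolicited: None
```

The constructor’s port_ranges argument exists so you can shrink the range and watch exhaustion happen after a handful of sessions; on a real router the same effect needs tens of thousands of flows.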
Verifying Port Address Translation
We can use the commands discussed in “Static NAT Configuration and Dynamic NAT Configuration” to verify Port Address Translation (PAT). Below is the output of show ip nat statistics for the pool configuration; it confirms the outside interface, both inside interfaces, and the counts of static and dynamic (extended, port-carrying) translations.
R2# show ip nat statistics
Total translations: 20 (2 static, 18 dynamic, 18 extended)
Outside Interfaces: Serial0/0/0.101
Inside Interfaces: GigabitEthernet0/0, GigabitEthernet0/1
Hits: 32  Misses: 18
Expired translations: 0
Dynamic mappings:
R2#
For the single-address configuration, show ip nat statistics lists an interface-based dynamic mapping (access-list 1 interface Serial0/0/0.101) instead of a pool, confirming that every inside host shares that one address. show running-config | include ip nat shows the PAT commands themselves, and show ip nat translations lists the live entries, which the sample table below summarises.
Sample NAT Translation Table
| Proto | Inside Local | Inside Global | Outside Local | Outside Global | Note |
|---|---|---|---|---|---|
| TCP | 192.168.11.100:1025 | 203.0.113.1:1025 | 201.128.35.2:80 | 201.128.35.2:80 | PC1 web session, port preserved |
| TCP | 192.168.10.101:1025 | 203.0.113.1:1026 | 201.128.35.2:80 | 201.128.35.2:80 | Laptop0 web session, port remapped |
Rule of Thumb: one global address offers roughly 64,000 usable ports (1024–65535) per transport protocol, so on the order of 64,000 concurrent TCP sessions plus 64,000 UDP sessions. The real ceiling is lower: the ip nat translation max-entries setting, platform memory, and the idle timeout that keeps finished sessions in the table all reduce it.
CCNA Mnemonic: “Ports Prevent Portmanteau” — PAT merges multiple sessions into one IP using unique ports.
Sample Output for the Pool Configuration
R2# show ip nat statistics
Total translations: 25 (0 static, 25 dynamic, 25 extended)
Outside Interfaces: Serial0/0/0.101
Inside Interfaces: GigabitEthernet0/0, GigabitEthernet0/1
Hits: 45 Misses: 5
Expired translations: 0
Dynamic mappings:
Inside Source
access-list 1 pool Global_pool refcount 25
pool Global_pool: netmask 255.255.255.240
start 203.0.113.3 end 203.0.113.14
type generic, use count 12
R2#
Troubleshooting PAT Issues
| Symptom | Command to Check | Fix |
|---|---|---|
| No translation entries | show ip nat translations, show ip nat statistics | Confirm the ACL permits the source and that ip nat inside and ip nat outside are on the correct interfaces |
| Misses climbing while the entry count stays flat | show ip nat statistics | Misses count packets that needed a new entry; if entries are not being created, the pool or port space is exhausted or max-entries has been reached |
| Port exhaustion | show ip nat statistics, show ip nat translations | Add addresses to the pool, shorten idle timers with ip nat translation timeout, or raise ip nat translation max-entries within what the platform’s memory allows |
| Asymmetric routing | debug ip nat detailed (lab only) | Ensure return traffic enters the same router through the interface marked ip nat outside |
Pro Tip: In production, avoid debug during peak hours. Use SNMP monitoring or NetFlow instead.
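For the checks in the table above, the following Python script is an added example, not code from the original page: it parses show ip nat translations output (a constructed sample in the same column layout as the output shown earlier) and answers the two questions an operations or security engineer actually asks of that table: which inside host sat behind a given global address and port when an abuse report names it, and which inside host is holding a disproportionate share of the port space, whether through a misbehaving application or a scan. The thresholds and sample addresses are illustrative; real limits are far higher.

```python
"""Parse 'show ip nat translations' output for attribution and exhaustion checks.
Added example; not from the original page. The SAMPLE text is constructed."""
import re
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple, Optional, Tuple


class Translation(NamedTuple):
    proto: str
    inside_global: str
    inside_global_port: int
    inside_local: str
    inside_local_port: int
    outside_global: str
    outside_global_port: int


# Extended (port-carrying) rows: "tcp 203.0.113.1:1025 192.168.11.100:1025 ..."
DYNAMIC = re.compile(
    r"^(?P<proto>tcp|udp|icmp)\s+"
    r"(?P<ig>\d+\.\d+\.\d+\.\d+):(?P<igp>\d+)\s+"
    r"(?P<il>\d+\.\d+\.\d+\.\d+):(?P<ilp>\d+)\s+"
    r"(?P<ol>\S+)\s+"
    r"(?P<og>\d+\.\d+\.\d+\.\d+):(?P<ogp>\d+)\s*$"
)


def parse_translations(text: str) -> List[Translation]:
    """Return the extended entries; the header and static '---' rows are skipped."""
    out = []
    for line in text.splitlines():
        m = DYNAMIC.match(line.strip())
        if m:
            out.append(Translation(m["proto"], m["ig"], int(m["igp"]),
                                   m["il"], int(m["ilp"]), m["og"], int(m["ogp"])))
    return out


def attribute(entries: List[Translation], inside_global: str,
              port: int, proto: str) -> Optional[str]:
    """Which inside host:port was behind inside_global:port for this protocol?"""
    for e in entries:
        if (e.proto, e.inside_global, e.inside_global_port) == (proto, inside_global, port):
            return f"{e.inside_local}:{e.inside_local_port}"
    return None  # no live entry; only NAT logging can answer for past sessions


def port_usage(entries: List[Translation]) -> Dict[Tuple[str, str], int]:
    """Translations per (inside global address, protocol), to compare with the ~64k ceiling."""
    return Counter((e.inside_global, e.proto) for e in entries)


def noisy_hosts(entries: List[Translation], max_sessions: int = 2,
                max_peers: int = 2) -> List[Tuple[str, int, int]]:
    """Inside hosts holding many translations or talking to many distinct outside peers."""
    sessions = Counter(e.inside_local for e in entries)
    peers = defaultdict(set)
    for e in entries:
        peers[e.inside_local].add(e.outside_global)
    return sorted((host, n, len(peers[host])) for host, n in sessions.items()
                  if n > max_sessions or len(peers[host]) > max_peers)


# Constructed sample in the layout of show ip nat translations.
SAMPLE = """\
Pro Inside global      Inside local         Outside local      Outside global
tcp 203.0.113.1:1025   192.168.11.100:1025  201.128.35.2:80    201.128.35.2:80
tcp 203.0.113.1:1026   192.168.10.101:1025  201.128.35.2:80    201.128.35.2:80
udp 203.0.113.1:5000   192.168.10.250:5000  198.51.100.10:53   198.51.100.10:53
udp 203.0.113.1:5001   192.168.10.250:5001  198.51.100.11:53   198.51.100.11:53
udp 203.0.113.1:5002   192.168.10.250:5002  198.51.100.12:53   198.51.100.12:53
udp 203.0.113.1:5003   192.168.10.250:5003  198.51.100.13:53   198.51.100.13:53
--- 203.0.113.2        192.168.10.5         ---                ---
"""

if __name__ == "__main__":
    entries = parse_translations(SAMPLE)
    print(attribute(entries, "203.0.113.1", 1026, "tcp"))
    print(port_usage(entries))
    print(noisy_hosts(entries))
```

Because the table only holds live sessions, attribution of a connection that has already timed out needs NAT logging to syslog with synchronised clocks; the parser above is for the live case and for spotting a host that is eating the port space before the whole site loses connectivity.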
Advantages and Disadvantages of PAT
Advantages
- IPv4 Conservation: one public address supports thousands of inside devices
- Simple Configuration: three to five lines for a basic setup
- CCNA Exam Favorite: regularly appears in IP Services labs
- Hides Internal Addressing: outside hosts see only the inside global address, and unsolicited inbound packets are discarded because no translation entry matches them. This is a side effect, not a security control; a stateful firewall or an ACL on the outside interface is still required.
Disadvantages
- Port Exhaustion Risk: many short-lived UDP flows (gaming, IoT, DNS) can deplete the port space of a single address
- Not Ideal for Servers: inbound access to an inside host requires static NAT or port forwarding
- Troubleshooting Complexity: large NAT tables are slow to read by hand; filter with show ip nat translations | include <address>
- Breaks End-to-End Addressing: IPsec AH fails outright, ESP needs NAT traversal (UDP encapsulation), and protocols that carry addresses in the payload (active FTP, SIP) need an application layer gateway. Outbound connections are also hard to attribute to an inside host afterwards unless translations are logged (ip nat log translations syslog) with accurate timestamps.
Conclusion
Mastering Port Address Translation (PAT) is critical for passing CCNA 200-301 and building real-world networks. Whether you’re configuring a small branch office or scaling an enterprise edge, PAT remains the go-to solution for IPv4 address scarcity.
Practice Tip: Download a free CCNA PAT lab in Packet Tracer or GNS3 and simulate 100+ clients to see port behavior.
For CCNP ENCOR 350-401, explore:
- VRF-aware PAT
- Carrier-Grade NAT (CGN)
- PAT with Zone-Based Policy Firewall (ZBFW)
FAQs
What is Port Address Translation (PAT)?
PAT, NAT overload in Cisco terminology, maps multiple private IPv4 addresses to one public address and tells the sessions apart by TCP/UDP port number. It conserves public addresses, allowing hundreds of internal hosts to reach the internet at once through the router’s NAT table, which records the inside address and port for each session so that inbound responses can be delivered to the right host. It is the usual choice for small offices facing IPv4 scarcity.
How does PAT differ from standard NAT?
Unlike static or dynamic NAT, which use one-to-one address mappings and therefore need as many public addresses as concurrent inside hosts, PAT uses the “overload” keyword to enable many-to-one translation by rewriting the source port whenever two inside hosts would otherwise collide. For example, two sessions that both use port 1025 are kept apart by remapping the second one to the next free port (e.g., 1026), so a pool of public addresses is not required. This makes PAT far more efficient in address-constrained environments.
How do you configure PAT for a single public IP on a Cisco router?
Create an access list (e.g., access-list 1 permit 192.168.10.0 0.0.0.255), then apply: ip nat inside source list 1 interface Serial0/0/0.101 overload. Mark the interfaces: ip nat inside on the internal interface (Gig0/0) and ip nat outside on the external one. This overloads the outside interface’s address (203.0.113.1 in this lesson) for all inside traffic, using ports to multiplex sessions to external servers. Verify with show ip nat translations.
What are the advantages of using PAT in networks?
PAT conserves scarce public IPv4 addresses by supporting up to 65,536 theoretical connections per global address per transport protocol (fewer in practice, because the platform, the max-entries setting and the idle timeout limit the table), simplifies management compared with juggling several public addresses, and enables concurrent internet access for many devices. It is cost-effective for home and SOHO setups, hides internal addressing from outside hosts (although it is not a substitute for a firewall), and combines well with a firewall or outbound ACL for controlled egress.
