Configuring PAT on Cisco Routers (NAT Overload)

What is PAT (Port Address Translation)?

PAT (Port Address Translation), also known as NAT Overload, is the form of Network Address Translation that lets many devices on a private network share a single public IP address. One-to-one NAT rewrites only the IP address, so each inside host needs its own public address; PAT also rewrites the transport-layer source port (and the query identifier for ICMP echo), so sessions are told apart by the combination of protocol, public address and port. A single public address therefore offers on the order of 64,000 ports per transport protocol, enough for hundreds or thousands of devices to reach the internet through it.

PAT works by translating both the source IP address and the source port of outbound packets. When an inside device opens a session, the router records an entry mapping the inside local address and port (what the LAN sees) to the inside global address and port (what the internet sees) together with the destination. IOS keeps the device's original source port when that port is still free on the public address and picks a different one when it collides. Return packets are matched against the table and rewritten back to the inside local address and port. A packet that arrives at the public address with no matching entry is not forwarded inward; the router treats it as traffic to itself. This is why PAT incidentally blocks unsolicited inbound connections, but it is a side effect of the table lookup, not a stateful firewall, and it does nothing to protect services running on the router itself.
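The mechanism described above, as an added example that is not Cisco code: a toy translation table that allocates an inside global port for each outbound session, resolves return traffic back to the inside host, refuses unsolicited packets, expires idle entries, and fails when the port range is exhausted. The port-selection policy (keep the source port when it is free and in range, otherwise the lowest free port) and the per-protocol idle timers are assumptions made for the illustration, not a statement of the exact IOS algorithm; the addresses are documentation ranges.

```python
"""Toy model of a PAT (NAT overload) translation table.

Added example, not Cisco code. Assumptions: one inside-global port is used
by at most one session per protocol; the inside-local source port is kept
when it is free and inside the configured range; idle timers are the
example's own values.
"""
from dataclasses import dataclass
import time


@dataclass
class Translation:
    proto: str
    inside_local: tuple    # (ip, port) as seen on the LAN
    inside_global: tuple   # (ip, port) as seen on the internet
    outside: tuple         # (ip, port) of the remote peer
    last_seen: float


class PatTable:
    def __init__(self, global_ip, port_range=(1024, 65535), timeouts=None):
        self.global_ip = global_ip
        self.port_range = port_range
        # idle timeouts per protocol in seconds (assumed values for the example)
        self.timeouts = timeouts or {"tcp": 3600, "udp": 300}
        self._out = {}   # (proto, inside_local, outside)  -> Translation
        self._in = {}    # (proto, inside_global, outside) -> Translation
        self._used_ports = {"tcp": set(), "udp": set()}

    def _alloc_port(self, proto, wanted):
        """Preserve the inside source port if possible, else take the lowest free one."""
        used = self._used_ports[proto]
        lo, hi = self.port_range
        if lo <= wanted <= hi and wanted not in used:
            return wanted
        for port in range(lo, hi + 1):
            if port not in used:
                return port
        raise RuntimeError("translation table full: no free %s ports on %s"
                           % (proto, self.global_ip))

    def outbound(self, proto, src, dst, now=None):
        """Translate an outbound packet; returns the (ip, port) the internet sees."""
        now = time.time() if now is None else now
        key = (proto, src, dst)
        entry = self._out.get(key)
        if entry is None:
            port = self._alloc_port(proto, src[1])
            entry = Translation(proto, src, (self.global_ip, port), dst, now)
            self._out[key] = entry
            self._in[(proto, entry.inside_global, dst)] = entry
            self._used_ports[proto].add(port)
        entry.last_seen = now
        return entry.inside_global

    def inbound(self, proto, src, dst, now=None):
        """Resolve a packet from the internet; None means no entry matches,
        so the packet is not forwarded to any inside host."""
        now = time.time() if now is None else now
        entry = self._in.get((proto, dst, src))
        if entry is None:
            return None
        entry.last_seen = now
        return entry.inside_local

    def expire(self, now):
        """Remove entries idle longer than their protocol timer; returns how many."""
        removed = 0
        for key, entry in list(self._out.items()):
            if now - entry.last_seen > self.timeouts[entry.proto]:
                del self._out[key]
                del self._in[(entry.proto, entry.inside_global, entry.outside)]
                self._used_ports[entry.proto].discard(entry.inside_global[1])
                removed += 1
        return removed

    def count(self):
        return len(self._out)


def demo():
    """Two LAN hosts that both chose source port 51234 toward the same server."""
    pat = PatTable("203.0.113.1")
    g1 = pat.outbound("tcp", ("192.168.1.10", 51234), ("198.51.100.5", 443), now=0)
    g2 = pat.outbound("tcp", ("192.168.1.11", 51234), ("198.51.100.5", 443), now=0)
    # the server's replies to each global port reach the right inside host
    r1 = pat.inbound("tcp", ("198.51.100.5", 443), g1, now=1)
    r2 = pat.inbound("tcp", ("198.51.100.5", 443), g2, now=1)
    # an unsolicited scan of the public address matches nothing
    stray = pat.inbound("tcp", ("198.51.100.9", 4444), ("203.0.113.1", 22), now=1)
    return g1, g2, r1, r2, stray


if __name__ == "__main__":
    print(demo())
```

The first host keeps port 51234 on the public address; the second collides and is given the lowest free port instead, and each server reply is steered back by the global port alone. Shrinking `port_range` in a test shows the "table full" failure that the troubleshooting section below deals with by shortening the timers.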

PAT Configuration Methods

There are two primary methods to configure PAT on Cisco routers:

  • Interface-based PAT - Uses the IP address of the outside interface
  • Pool-based PAT - Uses a pool of public IP addresses

Method 1: Interface-based PAT Configuration

This is the most common method, especially in small office/home office environments where you have only one public IP address assigned by your ISP.

Router(config)# access-list 1 permit 192.168.1.0 0.0.0.255
Router(config)# ip nat inside source list 1 interface GigabitEthernet0/0 overload
Router(config)# interface GigabitEthernet0/1
Router(config-if)# ip nat inside
Router(config-if)# interface GigabitEthernet0/0
Router(config-if)# ip nat outside

Let's break down each command:

  • access-list 1 permit 192.168.1.0 0.0.0.255 - A standard ACL that defines which source addresses are translated; packets from sources the list does not permit leave the router untranslated (and are then dropped upstream because RFC 1918 addresses are not routable). Keep the list to the networks you intend to translate rather than using permit any
  • ip nat inside source list 1 interface GigabitEthernet0/0 overload - Enables PAT using the outside interface IP address
  • ip nat inside - Designates the internal interface
  • ip nat outside - Designates the external interface

The overload keyword is what enables PAT functionality, allowing multiple internal addresses to share the same public IP address. Without it the same command configures dynamic one-to-one NAT with the interface address, so only one inside host at a time could be translated.

Method 2: Pool-based PAT Configuration

This method is used when you have multiple public IP addresses available from your ISP.

Router(config)# access-list 1 permit 192.168.1.0 0.0.0.255
Router(config)# ip nat pool INTERNET_POOL 203.0.113.10 203.0.113.20 netmask 255.255.255.0
Router(config)# ip nat inside source list 1 pool INTERNET_POOL overload
Router(config)# interface GigabitEthernet0/1
Router(config-if)# ip nat inside
Router(config-if)# interface GigabitEthernet0/0
Router(config-if)# ip nat outside

In this configuration:

  • ip nat pool INTERNET_POOL 203.0.113.10 203.0.113.20 netmask 255.255.255.0 - Creates a pool of public IP addresses; the netmask is the mask of the public subnet the addresses belong to, and the ISP must deliver traffic for those addresses to this router
  • ip nat inside source list 1 pool INTERNET_POOL overload - Uses the pool with PAT overload; IOS draws ports from one pool address until that address runs out before moving to the next, so with a small number of hosts you will see only the first pool address in use

Verifying PAT Configuration

After configuring PAT, use these commands to verify and troubleshoot your configuration:

Show NAT Translations

Router# show ip nat translations

This command lists the active translations. With PAT you see one extended entry per session, carrying the protocol and port alongside the addresses. Sample output (illustrative values in documentation address ranges):

Pro Inside global        Inside local         Outside local        Outside global
tcp 203.0.113.1:51234    192.168.1.10:51234   198.51.100.5:443     198.51.100.5:443
tcp 203.0.113.1:1024     192.168.1.11:51234   198.51.100.7:443     198.51.100.7:443
udp 203.0.113.1:53412    192.168.1.10:53412   8.8.8.8:53           8.8.8.8:53

Inside local is the address and port on the LAN, inside global is what the internet sees, and outside local/global are the remote peer (identical unless you also translate destination addresses). In the second row 192.168.1.11 happened to use source port 51234 as well, so the router assigned it a different global port, while the first host kept its original port.
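
When the table is large, the useful question is which inside host owns the entries. Below is an added example, not a Cisco tool, that parses the five-column output of show ip nat translations (pasted from a terminal or collected over SSH) and counts dynamic entries per inside host and per protocol; the sample text it runs on is constructed for the example and includes a static port mapping, which shows "---" in the outside columns and is excluded from the per-host counts because static entries never expire.

```python
"""Summarise `show ip nat translations` output per inside host.

Added example, not Cisco tooling. Assumes the standard five-column layout
(Pro, Inside global, Inside local, Outside local, Outside global) with
"---" for columns that do not apply. SAMPLE is constructed for the example.
"""
import re
from collections import Counter

SAMPLE = """\
Pro Inside global        Inside local         Outside local        Outside global
tcp 203.0.113.1:51234    192.168.1.10:51234   198.51.100.5:443     198.51.100.5:443
tcp 203.0.113.1:1024     192.168.1.11:51234   198.51.100.7:443     198.51.100.7:443
udp 203.0.113.1:53412    192.168.1.10:53412   8.8.8.8:53           8.8.8.8:53
udp 203.0.113.1:1025     192.168.1.23:1025    198.51.100.20:53     198.51.100.20:53
udp 203.0.113.1:1026     192.168.1.23:1026    198.51.100.21:53     198.51.100.21:53
udp 203.0.113.1:1027     192.168.1.23:1027    198.51.100.22:53     198.51.100.22:53
tcp 203.0.113.1:80       192.168.1.10:80      ---                  ---
"""

ENTRY = re.compile(r"^(?P<proto>\S+)\s+(?P<ig>\S+)\s+(?P<il>\S+)\s+(?P<ol>\S+)\s+(?P<og>\S+)$")


def split_endpoint(field):
    """'1.2.3.4:443' -> ('1.2.3.4', 443); '---' -> (None, None); bare IP -> (ip, None)."""
    if field == "---":
        return None, None
    ip, sep, port = field.rpartition(":")
    if not sep:
        return field, None
    return ip, int(port)


def parse_translations(text):
    """Return one dict per translation line; the header and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Pro "):
            continue
        match = ENTRY.match(line)
        if not match:
            continue
        ig, il, ol, og = (split_endpoint(match[k]) for k in ("ig", "il", "ol", "og"))
        entries.append({
            "proto": None if match["proto"] == "---" else match["proto"],
            "inside_global": ig,
            "inside_local": il,
            "outside_local": ol,
            "outside_global": og,
            # no remote peer recorded means a static mapping, not a session
            "static": ol == (None, None),
        })
    return entries


def summarize(entries):
    """Count dynamic entries per inside-local address and per protocol."""
    per_host = Counter()
    per_proto = Counter()
    for entry in entries:
        if entry["static"]:
            continue
        per_host[entry["inside_local"][0]] += 1
        per_proto[entry["proto"]] += 1
    return per_host, per_proto


def top_talkers(entries, threshold):
    """Inside hosts holding more than `threshold` dynamic entries, busiest first."""
    per_host, _ = summarize(entries)
    return [(ip, n) for ip, n in per_host.most_common() if n > threshold]


if __name__ == "__main__":
    parsed = parse_translations(SAMPLE)
    hosts, protos = summarize(parsed)
    print(hosts, protos, top_talkers(parsed, 2))
```

On real output the threshold is whatever is abnormal for your network; one host with thousands of UDP entries to many destinations points at a misbehaving or compromised device rather than a capacity problem.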

Show NAT Statistics

Router# show ip nat statistics

This displays the number of active translations (split into static, dynamic and extended entries), which interfaces are marked inside and outside, the hit and miss counters (a miss is a packet that needed a new entry created) and the number of expired translations. A steadily rising expired count confirms the idle timers are reclaiming entries; an active count that climbs and never falls points at timers that are too long for the traffic.

Clear NAT Translations

To clear NAT translation entries (useful for troubleshooting, for example after changing the access list or the timers):

Router# clear ip nat translation *

The asterisk removes every dynamic entry at once, which interrupts all sessions passing through the router. On a production router, clear only the entry at fault (the command also accepts a specific inside global and inside local address pair) or let it time out.

PAT Configuration Example

Here's a complete example configuration for a typical small office setup:

! Configure interfaces
interface GigabitEthernet0/0
 ip address dhcp
 ip nat outside
 no shutdown

interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 no shutdown

! Configure DHCP for internal clients
ip dhcp pool LAN
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 dns-server 8.8.8.8 8.8.4.4

! Configure PAT
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 interface GigabitEthernet0/0 overload

! Configure default route
ip route 0.0.0.0 0.0.0.0 dhcp

Two things this minimal configuration does not do. It does not protect the router itself: once the outside interface is up, any management service the router runs (SSH, Telnet, HTTP, SNMP) is reachable from the internet on the public address, so disable what you do not use and apply an inbound access list to GigabitEthernet0/0 with ip access-group. It also does not filter the inside hosts; the NAT access list decides only what is translated, not what is allowed. Unsolicited inbound packets to the public address are dropped only because no translation matches them, not as a security feature.

Common PAT Issues and Troubleshooting

NAT Table Full

If new sessions fail because the translation table is full (or the limit set with ip nat translation max-entries has been reached), check the timeout values before adding addresses. A dynamic entry is removed only after it has been idle for longer than its timer; by default TCP entries live 24 hours and UDP entries 5 minutes, so a busy network accumulates a large number of dead TCP sessions. Shortening the TCP timer is usually the fix:

Router(config)# ip nat translation timeout 300
Router(config)# ip nat translation tcp-timeout 3600
Router(config)# ip nat translation udp-timeout 300

timeout applies to non-extended (non-PAT) dynamic entries; tcp-timeout and udp-timeout apply to PAT entries of the respective protocol, and the UDP value above is already the IOS default. Before tuning, look at show ip nat translations to see which inside hosts hold the most entries: one host with thousands of entries is more likely a misbehaving or compromised device than a capacity problem, and shorter timers will only mask it.

Applications Not Working

Two cases are common. Sessions that must be initiated from the internet (a web server behind the router) fail because PAT creates entries only for outbound traffic; these need a static port mapping so that inbound packets to a chosen port on the public address are sent to a fixed inside host:

Router(config)# ip nat inside source static tcp 192.168.1.10 80 interface GigabitEthernet0/0 80

The other case is protocols that carry IP addresses or port numbers inside the payload (FTP, SIP and similar); these work only as far as the router's application-layer gateway support for that protocol goes. A static mapping exposes the inside host to every source on the internet, so pair it with an inbound access list on the outside interface. Remember the order of operations: for traffic arriving on the outside interface the inbound ACL is evaluated before NAT, so it must permit the inside global (public) address and port, not 192.168.1.10.

Debugging PAT

Enable NAT debugging to watch translations being created and matched:

Router# debug ip nat
Router# debug ip nat detailed

Debugging logs a line for every translated packet and can overload the CPU of a busy router. Restrict it to the traffic of interest with an access list (debug ip nat 1 detailed reports only packets matching access list 1), and turn it off as soon as you have what you need with undebug all (or no debug all).

PAT vs. Other NAT Types

Understanding when to use PAT versus other NAT types:

  • Static NAT - Permanent one-to-one mapping, used for servers that must be reachable from outside at a fixed public address; inbound traffic is forwarded regardless of any existing session, so it needs an inbound ACL
  • Dynamic NAT - One-to-one mapping from a pool; entries are created on demand and expire, and once the pool is exhausted new inside hosts cannot connect until an entry times out
  • PAT (NAT Overload) - Many-to-one (or many-to-few with a pool) mapping using ports; the most efficient use of public IP addresses

PAT is the most commonly used form of NAT in enterprise and home environments because it maximizes the use of limited public IP addresses while providing internet access to multiple internal devices.