Overview
Network Address Translation (NAT) is a foundational IOS/IOS-XE feature that rewrites IP addresses (and, for PAT, transport-layer ports) as packets cross a translation boundary, most commonly to map private (RFC 1918) addresses to publicly routable ones. This run book covers the NAT variants most commonly deployed in production: Static NAT, Dynamic NAT with pool, PAT (overload), Policy NAT via route-map, Static NAT with port translation, and NAT Virtual Interface (NVI).
All examples use infrarunbook naming conventions, RFC 1918 addressing, and documentation-range public IPs (203.0.113.x) as required by the InfraRunBook style guide.
NAT Address Terminology
- Inside Local — The actual private IP of the internal host (e.g. 10.10.10.5). This is the address the host believes it has.
- Inside Global — The public IP used to represent that inside host on the outside network (e.g. 203.0.113.10). The NAT table maps Inside Local to Inside Global.
- Outside Local — The IP address of an external host as seen from inside the network. For standard outbound NAT this is identical to Outside Global.
- Outside Global — The actual public IP address of the external destination host.
The NAT translation table maps Inside Local to Inside Global. For standard outbound (inside source) NAT, Outside Local equals Outside Global because the destination address is never rewritten. The two differ only when the router also translates outside addresses with ip nat outside source, which is how overlapping address spaces and double NAT are handled.
Interface Roles: inside and outside
Every traditional NAT configuration requires at least one interface marked ip nat inside and one marked ip nat outside. Translation only occurs when a packet crosses this inside-to-outside (or outside-to-inside) boundary.
! rtr-infrarunbook-01 — interface NAT role assignment
interface GigabitEthernet0/0
description LAN-infrarunbook — inside
ip address 10.10.10.1 255.255.255.0
ip nat inside
no shutdown
interface GigabitEthernet0/1
description WAN-ISP-uplink — outside
ip address 203.0.113.1 255.255.255.252
ip nat outside
no shutdown
If ip nat inside or ip nat outside is missing on either interface, no translations occur and show ip nat translations stays empty even when the ACLs and NAT statements are correct. Check show ip nat statistics first: its Inside interfaces and Outside interfaces lines list exactly which interfaces carry a NAT role.
Static NAT
Static NAT creates a permanent one-to-one mapping between an Inside Local and an Inside Global address. It is bidirectional: external hosts can initiate connections to the Inside Global IP and the router forwards them to the Inside Local host. Use static NAT for servers that must be reachable inbound (web servers, mail servers, VoIP gateways). Because a 1:1 static exposes every port of the internal host, not only the service you intend to publish, pair it with an inbound ACL on the outside interface that permits only the published ports. Write that ACL against the Inside Global address: an inbound interface ACL is evaluated before NAT rewrites the destination, so it sees the public address, not 10.10.10.50.
Configuration
! Permanently map internal server 10.10.10.50 to public IP 203.0.113.10
ip nat inside source static 10.10.10.50 203.0.113.10
Verification
rtr-infrarunbook-01# show ip nat translations
Pro Inside global Inside local Outside local Outside global
--- 203.0.113.10 10.10.10.50 --- ---
rtr-infrarunbook-01# show ip nat statistics
Total active translations: 1 (1 static, 0 dynamic; 0 extended)
Outside interfaces: GigabitEthernet0/1
Inside interfaces: GigabitEthernet0/0
Static NAT with Port Translation (Port Forwarding)
Port forwarding maps a specific TCP or UDP port on a public IP to an internal host and port. This allows a single public IP to front-end multiple internal servers differentiated by port number.
! Forward TCP 443 on 203.0.113.10 to internal HTTPS server 10.10.10.51
ip nat inside source static tcp 10.10.10.51 443 203.0.113.10 443
! Forward TCP 8080 on the same public IP to an internal app server on port 80
ip nat inside source static tcp 10.10.10.52 80 203.0.113.10 8080
! Forward UDP 53 to internal DNS server
ip nat inside source static udp 10.10.10.53 53 203.0.113.10 53
rtr-infrarunbook-01# show ip nat translations
Pro Inside global Inside local Outside local Outside global
tcp 203.0.113.10:443 10.10.10.51:443 --- ---
tcp 203.0.113.10:8080 10.10.10.52:80 --- ---
udp 203.0.113.10:53 10.10.10.53:53 --- ---
The Inside Global IP used in port-forwarding entries must be reachable: either the outside interface's own address (use the interface keyword, e.g. ip nat inside source static tcp 10.10.10.51 443 interface GigabitEthernet0/1 443) or an address that is configured on the router or routed to it by the upstream. IOS-XE does not create the public IP for you. Keep full 1:1 statics and port-level statics on different Inside Global addresses: a 1:1 static claims every port of its address, and IOS rejects a later port-level static for the same address as already mapped. Port-level statics and PAT overload, by contrast, share an address cleanly, which is the usual branch design.
Dynamic NAT with Pool
Dynamic NAT allocates a full public IP from a pre-defined pool on a first-come first-served basis. Each inside host that initiates a session gets an exclusive public IP for the life of that translation. No port sharing occurs. Suitable when you have a block of public addresses and need true per-host isolation (e.g. SIP ALG environments).
Step 1 — Define the public IP pool
ip nat pool infrarunbook-nat-pool 203.0.113.20 203.0.113.30 netmask 255.255.255.0
Step 2 — Create an ACL matching inside source addresses
ip access-list standard ACL-NAT-INSIDE
remark Match all hosts on the 10.10.10.0/24 LAN
permit 10.10.10.0 0.0.0.255
Step 3 — Bind the ACL to the pool
ip nat inside source list ACL-NAT-INSIDE pool infrarunbook-nat-pool
Verification
rtr-infrarunbook-01# show ip nat translations
Pro Inside global Inside local Outside local Outside global
--- 203.0.113.20 10.10.10.10 --- ---
--- 203.0.113.21 10.10.10.11 --- ---
rtr-infrarunbook-01# show ip nat statistics | begin Dynamic mappings
Dynamic mappings:
-- Inside Source
[Id: 1] access-list ACL-NAT-INSIDE pool infrarunbook-nat-pool refcount 2
 pool infrarunbook-nat-pool: netmask 255.255.255.0
        start 203.0.113.20 end 203.0.113.30
        type generic, total addresses 11, allocated 2 (18%), misses 0
Pool utilisation is reported per pool in the Dynamic mappings section of show ip nat statistics. When the pool is exhausted and a new session arrives, the pool's misses counter (and the global Misses counter) increments and the new session's packets are dropped until an existing translation times out. Monitor the Misses counter of show ip nat statistics in production to detect pool exhaustion before it causes outages.
PAT — Port Address Translation (NAT Overload)
PAT multiplexes many inside hosts behind a single public IP by tracking the translated address together with a per-session port number, so every PAT entry is an extended (5-tuple) translation. This is by far the most common NAT type deployed in enterprise and branch networks. Capacity is bounded by the 16-bit port space: at most about 64K simultaneous entries per Inside Global address per transport protocol, and fewer in practice because IOS preserves the original source port when it is free and otherwise allocates from the same range (1 to 511, 512 to 1023, or 1024 and above). Size the number of overloaded addresses accordingly, and watch for a single host generating UDP or ICMP floods that consume the port space for everyone else.
Option A — Overload the outside interface IP (most common)
ip access-list standard ACL-PAT-INSIDE
remark All RFC1918 LAN hosts
permit 10.10.10.0 0.0.0.255
permit 172.16.0.0 0.0.255.255
ip nat inside source list ACL-PAT-INSIDE interface GigabitEthernet0/1 overload
Option B — Overload a named pool
ip nat pool infrarunbook-pat-pool 203.0.113.2 203.0.113.2 netmask 255.255.255.252
ip access-list standard ACL-PAT-INSIDE
permit 10.10.10.0 0.0.0.255
ip nat inside source list ACL-PAT-INSIDE pool infrarunbook-pat-pool overload
Verification
rtr-infrarunbook-01# show ip nat translations
Pro Inside global Inside local Outside local Outside global
tcp 203.0.113.1:1024 10.10.10.10:54321 203.0.113.200:80 203.0.113.200:80
tcp 203.0.113.1:1025 10.10.10.11:60001 203.0.113.200:443 203.0.113.200:443
udp 203.0.113.1:500 10.10.10.12:500 203.0.113.100:500 203.0.113.100:500
rtr-infrarunbook-01# show ip nat statistics
Total active translations: 3 (0 static, 3 dynamic; 3 extended)
Peak translations: 312, occurred 00:14:22 ago
Outside interfaces: GigabitEthernet0/1
Inside interfaces: GigabitEthernet0/0
Hits: 14829 Misses: 0
Expired translations: 204
Policy NAT (Route-Map Based NAT)
Policy NAT translates based on both source and destination address, not just source alone. Use it when the same inside host must present different public IPs depending on the external destination — typical in multi-ISP or multi-homed edge designs.
Scenario
- Traffic from 10.10.10.0/24 destined for 203.0.113.100 → translate source to 203.0.113.10
- Traffic from 10.10.10.0/24 destined for 203.0.113.200 → translate source to 203.0.113.11
Configuration
! Extended ACLs matching source + destination pairs
ip access-list extended ACL-POLICY-NAT-1
permit ip 10.10.10.0 0.0.0.255 host 203.0.113.100
ip access-list extended ACL-POLICY-NAT-2
permit ip 10.10.10.0 0.0.0.255 host 203.0.113.200
! Route-maps referencing each ACL
route-map RM-POLICY-NAT-1 permit 10
match ip address ACL-POLICY-NAT-1
route-map RM-POLICY-NAT-2 permit 10
match ip address ACL-POLICY-NAT-2
! Loopback0 hosts the first public IP. It only supplies the address for the
! interface keyword below and needs no ip nat inside/outside role of its own
interface Loopback0
ip address 203.0.113.10 255.255.255.255
! Pool for the second public IP, defined before the statement that references it
ip nat pool infrarunbook-policy-pool-2 203.0.113.11 203.0.113.11 netmask 255.255.255.0
! NAT statements bound to route-maps. Each rule has a single global address, so
! overload is required; without it only one inside host at a time is translated
ip nat inside source route-map RM-POLICY-NAT-1 interface Loopback0 overload
ip nat inside source route-map RM-POLICY-NAT-2 pool infrarunbook-policy-pool-2 overload
Policy NAT requires extended ACLs (matching both source and destination). A standard ACL in the route-map is accepted syntactically but matches on source only, so both route-maps match the same traffic and the destination-based selection never happens. Route-map NAT creates extended (per-flow) entries, so expect one row per session in show ip nat translations rather than one row per host.
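The following is an added example, not code from this run book or from IOS. It models the decision order the run book describes for rtr-infrarunbook-01 (static entries first, then route-map policy rules, then the PAT overload list) together with the four-address terminology from the start of the page, so you can trace why a flow ends up with a given Inside Global address and port and why unsolicited inbound traffic is admitted only through a static entry. The outside host 203.0.113.150 is constructed for the demonstration, and port selection is a simplification of IOS behaviour: keep the source port if it is free on the Inside Global address, else take the next free port from 1024 up.

```python
"""Illustrative model of the NAT decision order this run book describes.

Added example, not IOS code. Rules and addresses are those of
rtr-infrarunbook-01; 203.0.113.150 is a constructed outside host.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

EPHEMERAL_START = 1024   # simplification of IOS's range-preserving port allocation


@dataclass(frozen=True)
class Flow:
    """A flow as it arrives on the inside interface, before translation."""
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Entry:
    """One translation-table row, in show ip nat translations column order."""
    proto: str
    inside_global: str
    inside_global_port: int
    inside_local: str
    inside_local_port: int
    outside_global: str
    outside_global_port: int


class NatTable:
    def __init__(self, static, policy, pat_nets, pat_global):
        self.static = dict(static)          # inside local -> inside global (1:1)
        self.policy = [(ip_network(s), ip_address(d), g) for s, d, g in policy]
        self.pat_nets = [ip_network(n) for n in pat_nets]
        self.pat_global = pat_global
        self.entries = []                   # Entry objects, oldest first
        self.in_use = set()                 # (proto, global ip, global port) held by PAT

    def _pick_global(self, flow):
        """Evaluation order: static, then route-map rules, then the PAT list."""
        if flow.src_ip in self.static:
            return self.static[flow.src_ip]
        src, dst = ip_address(flow.src_ip), ip_address(flow.dst_ip)
        for src_net, dst_host, glob in self.policy:
            if src in src_net and dst == dst_host:
                return glob
        if any(src in net for net in self.pat_nets):
            return self.pat_global
        return None                         # no rule matched: forwarded untranslated

    def _pat_port(self, proto, glob, wanted):
        if (proto, glob, wanted) not in self.in_use:
            return wanted                   # port preservation
        for port in range(EPHEMERAL_START, 65536):
            if (proto, glob, port) not in self.in_use:
                return port
        raise RuntimeError(f"port space exhausted on {glob}/{proto}")

    def translate_outbound(self, flow):
        """Inside -> outside. Returns the (possibly new) Entry, or None if no rule matches."""
        for e in self.entries:              # existing session: reuse its entry
            if (e.proto, e.inside_local, e.inside_local_port, e.outside_global, e.outside_global_port) == (
                    flow.proto, flow.src_ip, flow.src_port, flow.dst_ip, flow.dst_port):
                return e
        glob = self._pick_global(flow)
        if glob is None:
            return None
        if flow.src_ip in self.static:
            port = flow.src_port            # a 1:1 static never rewrites ports
        else:
            port = self._pat_port(flow.proto, glob, flow.src_port)
            self.in_use.add((flow.proto, glob, port))
        entry = Entry(flow.proto, glob, port, flow.src_ip, flow.src_port, flow.dst_ip, flow.dst_port)
        self.entries.append(entry)
        return entry

    def translate_inbound(self, proto, src_ip, src_port, dst_global, dst_port):
        """Outside -> inside. Returns (inside local, port), or None meaning the packet is dropped."""
        for e in self.entries:              # extended entries match the full 5-tuple
            if (e.proto, e.inside_global, e.inside_global_port, e.outside_global, e.outside_global_port) == (
                    proto, dst_global, dst_port, src_ip, src_port):
                return e.inside_local, e.inside_local_port
        for local, glob in self.static.items():   # only a static admits unsolicited inbound traffic
            if glob == dst_global:
                return local, dst_port
        return None

    def show(self):
        """Rows in the layout of show ip nat translations (outside local == outside global here)."""
        return [f"{e.proto} {e.inside_global}:{e.inside_global_port} {e.inside_local}:{e.inside_local_port} "
                f"{e.outside_global}:{e.outside_global_port} {e.outside_global}:{e.outside_global_port}"
                for e in self.entries]


def build_demo_table():
    """The static, policy-NAT and PAT rules of rtr-infrarunbook-01 from this run book."""
    return NatTable(static={"10.10.10.50": "203.0.113.10"},
                    policy=[("10.10.10.0/24", "203.0.113.100", "203.0.113.10"),
                            ("10.10.10.0/24", "203.0.113.200", "203.0.113.11")],
                    pat_nets=["10.10.10.0/24", "172.16.0.0/16"], pat_global="203.0.113.1")


if __name__ == "__main__":
    t = build_demo_table()
    t.translate_outbound(Flow("tcp", "10.10.10.10", 54321, "203.0.113.150", 80))
    t.translate_outbound(Flow("tcp", "10.10.10.11", 54321, "203.0.113.150", 80))   # port collision -> 1024
    t.translate_outbound(Flow("tcp", "10.10.10.10", 40000, "203.0.113.100", 443))  # route-map rule 1
    t.translate_outbound(Flow("tcp", "10.10.10.50", 40000, "203.0.113.200", 443))  # static beats rule 2
    print("\n".join(t.show()))
```

Two things worth noticing when you run it: the second host that also uses source port 54321 gets 1024 on the shared address, which is the collision case behind the 1024/1025 rows in the PAT verification output above, and 10.10.10.50 keeps 203.0.113.10 even though route-map rule 2 would have sent it to 203.0.113.11, which is the static-first precedence the FAQ describes.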
NAT Virtual Interface (NVI)
NVI removes the strict inside/outside interface designation. Instead, ip nat enable is applied to every interface that should participate, and the translation direction is decided per packet from the routing decision rather than from a fixed interface role. NVI is useful in VPN, MPLS and VRF topologies where an interface's directional role is ambiguous or changes, and it is the supported way to translate between two interfaces that would both be inside in the traditional model.
! Enable NVI on all relevant interfaces
interface GigabitEthernet0/0
ip nat enable
interface GigabitEthernet0/1
ip nat enable
! Standard PAT using NVI syntax
ip access-list standard ACL-NVI-INSIDE
permit 10.10.10.0 0.0.0.255
ip nat source list ACL-NVI-INSIDE interface GigabitEthernet0/1 overload
NVI (ip nat enable) and traditional NAT (ip nat inside/ip nat outside) cannot be combined on the same interface, and mixing the two models on one router is not supported: convert fully to NVI or fully to traditional NAT. NVI entries do not appear in the traditional show commands; verify with show ip nat nvi translations and show ip nat nvi statistics.
Clearing NAT Translations
! Clear all dynamic NAT translations (does NOT clear static entries)
clear ip nat translation *
! Clear one simple (non-extended) entry. Argument order is inside global-ip local-ip
clear ip nat translation inside 203.0.113.20 10.10.10.10
! Clear one PAT (extended) entry: protocol, inside global-ip global-port local-ip local-port,
! then the outside local-ip local-port global-ip global-port of that flow
clear ip nat translation tcp inside 203.0.113.1 1024 10.10.10.10 54321 outside 203.0.113.200 80 203.0.113.200 80
! Clear the entry for an outside host pair (outside local-ip global-ip; identical unless outside source NAT is used)
clear ip nat translation outside 203.0.113.100 203.0.113.100
! Force-clear entries that are still in use (needed before a static statement with active child entries can be removed)
clear ip nat translation forced
Static NAT entries are not cleared by clear ip nat translation *; they persist until the ip nat inside source static configuration statement is removed. Active sessions using a static entry drop immediately when the statement is removed, so schedule such changes in a maintenance window.
NAT Translation Timeout Tuning
! View configured (non-default) timeout values; defaults are not listed in the running config.
! Per-entry time remaining is shown by show ip nat translations verbose
show running-config | include ip nat translation
! Tune per-protocol timeouts (all values in seconds). IOS does not accept a trailing
! comment on a command line, so the notes below sit on their own ! lines
! Dynamic one-to-one entries (default 86400 = 24 h)
ip nat translation timeout 86400
! Established TCP PAT entries (default 86400; here 1 h)
ip nat translation tcp-timeout 3600
! UDP PAT entries (default 300 = 5 min)
ip nat translation udp-timeout 300
! ICMP entries (default 60)
ip nat translation icmp-timeout 60
! DNS entries, fast-aging (default 60)
ip nat translation dns-timeout 30
! TCP entries after a FIN or RST has been seen (default 60)
ip nat translation finrst-timeout 60
! TCP entries that never completed the handshake, i.e. half-open (default 60)
ip nat translation syn-timeout 60
! Cap total NAT table entries (DoS/flood protection)
ip nat translation max-entries 50000
! Per-host cap applied to every inside host. The host keyword (host <ip> <n>) takes a
! single address, not a wildcard; use list <acl> to cap the addresses an ACL matches
ip nat translation max-entries all-host 200
Troubleshooting NAT
Debug commands
! Basic NAT debug, shows translation events
debug ip nat
! Detailed, shows packet contents and table lookups
debug ip nat detailed
! Limit debug scope to one host (critical on production routers). debug ip nat takes
! an access list, not an address, so match the host with a standard ACL first
access-list 99 permit host 10.10.10.10
debug ip nat 99 detailed
! Always disable debugging when finished (undebug all and no debug all are equivalent)
undebug all
Common issues and root causes
- No translation occurring — Verify ip nat inside and ip nat outside are applied to the correct interfaces (show ip nat statistics lists them). Confirm the ACL matches the actual traffic (show access-lists shows per-line hit counts). Check the Misses counter in show ip nat statistics.
- Translation exists but traffic still drops — Check routing. The upstream must route the Inside Global address to this router's outside interface (a pool or secondary address is not advertised automatically), and return traffic must arrive on the router that holds the translation.
- Asymmetric routing — If outbound traffic exits one router and return traffic enters another, the second router has no translation entry and drops or misroutes the reply. Centralise NAT on a single exit point or use Stateful NAT (SNAT) in redundant designs.
- Pool exhausted — show ip nat statistics shows the pool's allocated count equal to its total addresses and a rising misses count. Add IPs to the pool or convert to PAT overload.
- FTP active mode broken — NAT rewrites IP headers but not the address embedded in the FTP PORT payload unless the FTP ALG is active. The ALG is on by default; if it has been disabled, re-enable it with ip nat service ftp, or switch clients to passive mode (PASV).
- SIP/H.323 calls dropping — These protocols carry IP addresses in the payload. Enable the relevant ALG: ip nat service sip tcp port 5060 or ip nat service h323. ALGs parse untrusted payloads in the router's forwarding path, so enable only the ones you need.
Essential show commands
show ip nat translations
show ip nat translations verbose
show ip nat translations total
show ip nat statistics
show ip nat nvi translations
show running-config | include nat
show access-lists ACL-PAT-INSIDE
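The checks the troubleshooting list describes can be run mechanically over the output of the show commands above. The following is an added example, not part of the run book or of IOS: it parses show ip nat statistics and show ip nat translations text and flags the two conditions a security operator cares about most, a pool that is exhausted (allocation at 100%, misses climbing) and a single inside host consuming the table or sweeping destination ports, which is what a compromised host or a scanner looks like in the translation table. The sample output is constructed from the verification blocks in this run book; the inside host 10.10.10.77, the outside host 203.0.113.150 and the alert thresholds are assumptions to tune locally.

```python
"""Audit show ip nat statistics / show ip nat translations output for pool
exhaustion and per-host floods or scans.

Added example, not part of the run book or of IOS. Only the Hits/Misses line,
the per-pool usage line and five-column translation rows are parsed; other
lines of real output are ignored.
"""
import re
from collections import Counter, defaultdict

HITS_MISSES = re.compile(r"Hits:\s*(\d+)\s+Misses:\s*(\d+)")
POOL_HEADER = re.compile(r"pool (\S+): netmask")
POOL_USAGE = re.compile(r"total addresses (\d+), allocated (\d+) \((\d+)%\), misses (\d+)")


def parse_stats(text):
    """Global hit/miss counters plus per-pool usage from show ip nat statistics."""
    stats = {"hits": None, "misses": None, "pools": {}}
    current = None
    for line in text.splitlines():
        if m := HITS_MISSES.search(line):
            stats["hits"], stats["misses"] = int(m.group(1)), int(m.group(2))
        if m := POOL_HEADER.search(line):
            current = m.group(1)
        if (m := POOL_USAGE.search(line)) and current:
            stats["pools"][current] = {"total": int(m.group(1)), "allocated": int(m.group(2)),
                                       "pct": int(m.group(3)), "misses": int(m.group(4))}
    return stats


def _addr(field):
    """'203.0.113.1:1024' -> ('203.0.113.1', 1024); '203.0.113.10' or '---' -> (field, None)."""
    if ":" in field:
        ip, port = field.rsplit(":", 1)
        return ip, int(port)
    return field, None


def parse_translations(text):
    """Rows of show ip nat translations as dicts; the header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] == "Pro":
            continue
        proto, ig, il, ol, og = parts
        rows.append({"proto": proto, "inside_global": _addr(ig), "inside_local": _addr(il),
                     "outside_local": _addr(ol), "outside_global": _addr(og)})
    return rows


def audit(stats, rows, pool_alarm_pct=90, per_host_limit=200, scan_targets=100):
    """Return human-readable findings; an empty list means nothing to act on."""
    findings = []
    for name, p in stats["pools"].items():
        if p["pct"] >= pool_alarm_pct or p["misses"] > 0:
            findings.append(f"pool {name}: {p['allocated']}/{p['total']} allocated ({p['pct']}%), "
                            f"misses {p['misses']}: add addresses or move to overload")
    per_host = Counter(r["inside_local"][0] for r in rows)
    targets = defaultdict(set)          # inside host -> distinct outside ip:port pairs it talks to
    for r in rows:
        ip, port = r["outside_global"]
        if port is not None:            # non-extended rows carry no outside address
            targets[r["inside_local"][0]].add((ip, port))
    for host, n in per_host.items():
        if n > per_host_limit:
            findings.append(f"host {host}: {n} active translations exceeds {per_host_limit}")
        if len(targets[host]) >= scan_targets:
            findings.append(f"host {host}: {len(targets[host])} distinct destination ip:port pairs, "
                            "possible scan from a compromised host")
    return findings


# Constructed sample output, modelled on the verification blocks in this run book
SAMPLE_STATS = """\
Total active translations: 254 (1 static, 253 dynamic; 253 extended)
Peak translations: 312, occurred 00:14:22 ago
Outside interfaces:
  GigabitEthernet0/1
Inside interfaces:
  GigabitEthernet0/0
Hits: 14829  Misses: 37
Expired translations: 204
Dynamic mappings:
-- Inside Source
[Id: 1] access-list ACL-NAT-INSIDE pool infrarunbook-nat-pool refcount 11
 pool infrarunbook-nat-pool: netmask 255.255.255.0
        start 203.0.113.20 end 203.0.113.30
        type generic, total addresses 11, allocated 11 (100%), misses 37
"""

SAMPLE_TRANSLATIONS = "\n".join(
    ["Pro Inside global      Inside local       Outside local      Outside global",
     "--- 203.0.113.10       10.10.10.50        ---                ---",
     "tcp 203.0.113.1:1024   10.10.10.10:54321  203.0.113.200:80   203.0.113.200:80",
     "tcp 203.0.113.1:1025   10.10.10.11:60001  203.0.113.200:443  203.0.113.200:443",
     "udp 203.0.113.1:500    10.10.10.12:500    203.0.113.100:500  203.0.113.100:500"]
    # one constructed inside host sweeping ports 1-250 on a single outside address
    + [f"tcp 203.0.113.1:{1100 + i} 10.10.10.77:{40000 + i} 203.0.113.150:{i} 203.0.113.150:{i}"
       for i in range(1, 251)])

if __name__ == "__main__":
    for finding in audit(parse_stats(SAMPLE_STATS), parse_translations(SAMPLE_TRANSLATIONS)):
        print(finding)
```

Feed it the captured output of both commands (for example from a scheduled EEM applet or an SSH collector) and alert on a non-empty result; the per-host count is the same quantity that ip nat translation max-entries all-host enforces on the router, so the audit threshold should sit below the configured cap to give warning before the router starts refusing translations.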
Complete Reference Configuration
! ===== rtr-infrarunbook-01 — Full NAT/PAT Reference =====
! ── Interface roles ──────────────────────────────────────
interface GigabitEthernet0/0
description LAN-infrarunbook — inside
ip address 10.10.10.1 255.255.255.0
ip nat inside
no shutdown
interface GigabitEthernet0/1
description WAN-ISP-uplink — outside
ip address 203.0.113.1 255.255.255.252
ip nat outside
no shutdown
! ── Static NAT — internal web server ─────────────────────
ip nat inside source static 10.10.10.50 203.0.113.10
! ── Port forwarding — internal HTTPS server ──────────────
! Uses the outside interface address so it does not collide with the 1:1 static above
ip nat inside source static tcp 10.10.10.51 443 interface GigabitEthernet0/1 443
! ── PAT overload — all LAN users ─────────────────────────
ip access-list standard ACL-PAT-INSIDE
remark All RFC1918 hosts on infrarunbook LAN
permit 10.10.10.0 0.0.0.255
permit 172.16.0.0 0.0.255.255
ip nat inside source list ACL-PAT-INSIDE interface GigabitEthernet0/1 overload
! ── Timeout tuning ───────────────────────────────────────
ip nat translation udp-timeout 300
ip nat translation tcp-timeout 3600
ip nat translation icmp-timeout 60
ip nat translation dns-timeout 30
ip nat translation max-entries 50000
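Most of the failure modes this run book calls out (an interface without ip nat inside or ip nat outside, ip nat enable mixed with the traditional roles, a pool referenced but never defined, a single address used without overload, a route-map that matches a standard ACL, and no max-entries cap) are visible in the running configuration before the change is deployed. The following linter is an added example, not part of the run book or of IOS. It reads running-config text with the one-space indentation IOS uses under interface and route-map stanzas. GOOD is an abbreviated form of the reference configuration above; BAD is a constructed configuration that contains every mistake the linter knows, and the finding codes are assumptions of this example.

```python
"""Lint an IOS NAT configuration for the mistakes this run book calls out.

Added example, not part of the run book or of IOS. GOOD abbreviates the
reference configuration above; BAD is constructed to trigger every check.
"""
import re

DYNAMIC = re.compile(r"ip nat (?:inside )?source (list|route-map) (\S+) (pool|interface) (\S+)(?: (overload))?")


def parse_nat_config(text):
    """Pull the NAT-relevant pieces out of IOS running-config text."""
    cfg = {"inside": [], "outside": [], "enable": [], "pools": {}, "statements": [],
           "acls": {}, "route_maps": {}, "max_entries": False}
    iface = rmap = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):                    # top-level command: ends any stanza
            iface = rmap = None
            if m := re.match(r"interface (\S+)", line):
                iface = m.group(1)
            elif m := re.match(r"ip access-list (standard|extended) (\S+)", line):
                cfg["acls"][m.group(2)] = m.group(1)
            elif m := re.match(r"route-map (\S+)", line):
                rmap = m.group(1)
                cfg["route_maps"].setdefault(rmap, [])
            elif m := re.match(r"ip nat pool (\S+) (\S+) (\S+)", line):
                cfg["pools"][m.group(1)] = (m.group(2), m.group(3))   # (start, end)
            elif line.startswith(("ip nat inside source ", "ip nat source ")):
                cfg["statements"].append(line)
            elif line.startswith("ip nat translation max-entries"):
                cfg["max_entries"] = True
            continue
        sub = line.strip()                              # indented line of the current stanza
        if iface:
            role = {"ip nat inside": "inside", "ip nat outside": "outside", "ip nat enable": "enable"}.get(sub)
            if role:
                cfg[role].append(iface)
        elif rmap and (m := re.match(r"match ip address (\S+)", sub)):
            cfg["route_maps"][rmap].append(m.group(1))
    return cfg


def lint_nat_config(text):
    """Return (code, message) findings; an empty list means the checks passed."""
    cfg = parse_nat_config(text)
    findings = []
    if cfg["enable"] and (cfg["inside"] or cfg["outside"]):
        findings.append(("MIXED-NVI", f"ip nat enable on {cfg['enable']} mixed with inside/outside roles"))
    if any(s.startswith("ip nat inside source ") for s in cfg["statements"]):
        if not cfg["inside"]:
            findings.append(("NO-INSIDE", "traditional NAT statements but no interface has ip nat inside"))
        if not cfg["outside"]:
            findings.append(("NO-OUTSIDE", "traditional NAT statements but no interface has ip nat outside"))
    for stmt in cfg["statements"]:
        m = DYNAMIC.match(stmt)
        if not m:
            continue                                    # static entries need none of these checks
        kind, name, target, tname, overload = m.groups()
        if kind == "route-map":
            for acl in cfg["route_maps"].get(name, []):
                if cfg["acls"].get(acl) == "standard":
                    findings.append(("STD-ACL-IN-ROUTE-MAP", f"{name} matches standard ACL {acl}: destination is never matched"))
        if target == "pool":
            if tname not in cfg["pools"]:
                findings.append(("MISSING-POOL", f"{stmt!r} references undefined pool {tname}"))
                continue
            single = cfg["pools"][tname][0] == cfg["pools"][tname][1]
        else:
            single = True                               # an interface supplies exactly one address
        if single and not overload:
            findings.append(("NO-OVERLOAD", f"{name} -> {tname}: one address without overload serves one host at a time"))
    if not cfg["max_entries"]:
        findings.append(("NO-MAX-ENTRIES", "no ip nat translation max-entries cap against table exhaustion"))
    return findings


GOOD = """\
interface GigabitEthernet0/0
 ip nat inside
!
interface GigabitEthernet0/1
 ip nat outside
!
ip nat inside source static 10.10.10.50 203.0.113.10
ip access-list standard ACL-PAT-INSIDE
 permit 10.10.10.0 0.0.0.255
ip nat inside source list ACL-PAT-INSIDE interface GigabitEthernet0/1 overload
ip nat translation max-entries 50000
"""

BAD = """\
interface GigabitEthernet0/0
 ip nat inside
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
 ip nat enable
!
ip access-list standard ACL-POLICY-NAT-1
 permit 10.10.10.0 0.0.0.255
route-map RM-POLICY-NAT-1 permit 10
 match ip address ACL-POLICY-NAT-1
ip nat pool infrarunbook-policy-pool-2 203.0.113.11 203.0.113.11 netmask 255.255.255.0
ip nat inside source route-map RM-POLICY-NAT-1 interface Loopback0
ip nat inside source list ACL-PAT-INSIDE pool infrarunbook-policy-pool-2
ip nat inside source list ACL-PAT-INSIDE pool infrarunbook-pat-pool overload
"""

if __name__ == "__main__":
    for code, msg in lint_nat_config(BAD):
        print(f"{code:22} {msg}")
```

Run it against show running-config output as a pre-change gate; the parser deliberately ignores everything it does not recognise, so unrelated configuration does not produce noise, and a clean result on GOOD shows the reference configuration above passes every check.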
Frequently Asked Questions
1. What is the difference between Dynamic NAT and PAT?
Dynamic NAT assigns one full public IP per inside host from a pool — no port sharing occurs. The pool must be as large as the number of simultaneous users, making it expensive for large deployments. PAT (overload) uses a single public IP and differentiates each session by a unique port number, supporting tens of thousands of concurrent hosts behind one address. PAT is the standard choice for almost all enterprise and branch deployments.
2. Can I use Static NAT and PAT on the same router simultaneously?
Yes. Static NAT entries take precedence over dynamic and PAT entries. A server mapped with ip nat inside source static always uses its dedicated public IP, regardless of any PAT or dynamic NAT configuration. All other hosts without a static entry use the PAT pool or interface overload. The router evaluates static entries first when building the translation table.
3. How do I check if a NAT pool is exhausted?
Run show ip nat statistics: in its Dynamic mappings section the pool's allocated count equals its total addresses, and the pool's misses counter, like the global Misses counter, increments each time a new translation cannot be created because the pool is full. Rising misses during production hours indicate that the pool needs more addresses or should be converted to PAT overload.
4. Why does NAT break active-mode FTP?
In active FTP, the client sends its private IP and a port number inside the FTP PORT command payload. NAT rewrites the IP header source address but does not inspect or rewrite embedded application-layer IP addresses by default. The external FTP server tries to connect back to the private IP it received in the PORT command, which is unreachable from outside. Enable the FTP Application Layer Gateway with ip nat service ftp (enabled by default on most IOS versions) to make NAT rewrite the embedded IP in PORT commands, or configure clients to use passive (PASV) mode instead.
5. What is Policy NAT and when should I use it?
Policy NAT (route-map based NAT) translates based on both source and destination address, not just source alone. Use it when a single inside host must present different public IPs depending on which external destination it communicates with. This is common in multi-ISP designs where different upstream providers require traffic to originate from specific public IPs, or in NAT-based traffic engineering scenarios. Policy NAT requires extended ACLs — standard ACLs only match source address and cannot be used for destination-aware translation.
6. How do I remove a static NAT entry without disrupting other sessions?
Remove the static statement: no ip nat inside source static <inside-local> <inside-global>. If the entry has active child translations (extended entries created by sessions through it), IOS refuses the removal with a "static entry in use" error; clear those entries first with clear ip nat translation forced (or the specific entries), then remove the statement. Other hosts' translations are unaffected, but every session through the removed static drops immediately, so schedule static NAT changes in a maintenance window for services with persistent connections.
7. Can I apply NAT between two inside interfaces?
Not with traditional NAT: translation requires traffic to cross an inside-to-outside boundary. For inside-to-inside translation use NVI (ip nat enable on both interfaces), which does not enforce directional roles. Alternatively, a NAT-on-a-stick design routes inter-VLAN traffic through a loopback acting as the outside interface, but this is operationally complex. NVI is the cleaner solution for environments where traffic direction is ambiguous.
8. What does ip nat translation max-entries do?
It caps the total number of simultaneous NAT translation table entries, protecting the router from memory exhaustion during connection floods or DoS attacks. Without this limit, a host generating thousands of short-lived UDP/ICMP sessions can fill the translation table and cause NAT failures for all other hosts. Per-host limits (max-entries all-host, or max-entries host for a single address) are even more targeted: they restrict how many sessions a single inside host can generate simultaneously, useful for limiting scan or flood behaviour from a compromised host.
9. Does NAT break IPsec VPN tunnels?
Not all of it, and not for the reason often given. AH fails under any NAT because it authenticates the outer IP header, which NAT rewrites. ESP does not cover the outer header, so a 1:1 static NAT passes ESP unchanged; what breaks is PAT, because ESP (IP protocol 50) carries no port numbers for the router to multiplex on, and IKEv1 main mode with pre-shared keys, which looks the key up by the peer's source address. NAT Traversal (NAT-T) solves this: IKE detects the NAT with its NAT-detection payloads and moves to UDP port 4500, encapsulating ESP in UDP so PAT has ports to track. NAT-T has been on by default since IOS 12.2(13)T and is on in every current IOS-XE release; crypto ipsec nat-transparency udp-encapsulation is the default, and its no form disables it. Permit UDP 500 and UDP 4500 through any ACL applied to the outside interface (and IP protocol 50 for peers that are not behind NAT).
10. How do I verify which interface triggered a NAT translation?
show ip nat translations verbose does not record the ingress interface. It adds, per entry, the creation and last-use times, the time left before the entry expires, flags such as extended or static, and a Map-Id. The Map-Id identifies the NAT statement that created the entry and corresponds to the [Id: n] numbers listed under Dynamic mappings in show ip nat statistics, so a Map-Id together with the Inside local address tells you which rule and which LAN segment produced a translation. In VRF-aware designs show ip nat translations vrf <vrf-name> narrows the listing to one VRF. To see which interface a specific packet actually entered and left on, scope debug ip nat to one host with an access list.
11. What is the NAT order of operations on IOS-XE?
For outbound traffic (inside to outside): routing occurs first, then NAT translates the source address before the packet leaves the outside interface. For inbound traffic (outside to inside): NAT translates the destination address first, then routing determines the exit interface. This order matters when combining NAT with Policy-Based Routing (PBR) or ACLs applied to interfaces — a route-map used for PBR on an inside interface is evaluated before NAT rewrites the address, so PBR must match the original inside address, not the translated global address.
12. Can NAT be scoped to a specific VRF?
Yes. Use ip nat inside source list <acl> pool <pool> vrf <vrf-name> overload to scope PAT to a specific VRF; the same vrf keyword applies to static and interface-overload statements. Translations are tagged with their VRF, so overlapping RFC 1918 address spaces in different VRFs do not conflict. This is essential in VRF-Lite designs where multiple tenants share one router with the same private address ranges. Verify with show ip nat translations vrf <vrf-name>.
