How to configure Port Address Translation (PAT) on Cisco routers
Port Address Translation (PAT) is an extension to the well-known Network Address Translation (NAT) protocol that allows multiple devices on a local area network (LAN) to access Internet resources using a single public IP address. NAT is defined in RFC 1631, and the main purpose of using it was to slow the depletion of the public IP address space. A practical use of PAT is, for example, when an ISP allocates a public IP address to an organization that has many devices needing Internet access. PAT uses the private IP address ranges defined in RFC 1918 for all inside devices and also uses port numbers to identify each connection. When an internal host wants to communicate with the outside, it sends a datagram with its private source address and a random port. The NAT router then rewrites the source address and port using its public IP address and sends the datagram to the requested resource. The response comes back to this same public address and port combination (called a socket) and can be translated back again.
To clear up some confusion about how packets are translated, we need to define some NAT terminology.
- Inside local (IL) – this is the source host's inside address before translation, which is typically a private address defined by RFC 1918.
- Outside local (OL) – this is the address by which the source host is known on the Internet. This is usually the address of the router interface connected to the ISP, the actual Internet address.
- Inside global (IG) – this is the source host address used after translation to get onto the Internet. This is also the actual Internet address.
- Outside global (OG) – this is the address of the outside destination host and, again, the real Internet address.
Port Address Translation (PAT) configuration
PAT is the form of NAT most commonly in use nowadays. For the purpose of configuring PAT we’ll assume we have received a /30 network from our ISP, which has 2 usable addresses, e.g. 184.108.40.206/30, and I’ll use 220.127.116.11 as the Inside global address. For our inside network we’ll use a private class C network, e.g. 192.168.25.0/24. We first need to define our inside and outside interfaces. In my example scenario I’ll use a Cisco 3725 IOS router and define FastEthernet 0/1 as my inside interface and FastEthernet 0/0 as my outside interface.
Next we’ll designate the internal interface with the ip nat inside command and assign an IP address from the internal range (192.168.25.1).
GW(config)# interface FastEthernet0/1
GW(config-if)# ip address 192.168.25.1 255.255.255.0
GW(config-if)# ip nat inside
The next step is to designate the outside interface using the command ip nat outside and assign the public IP address we have received from the ISP (18.104.22.168).
GW(config)# interface FastEthernet0/0
GW(config-if)# ip address 22.214.171.124 255.255.255.252
GW(config-if)# ip nat outside
When any internal device connects to devices outside the network, it will appear to have the same source address as the external interface of the router, 126.96.36.199 in my case. We now need to create an access control list (ACL) that specifies which internal hosts will be translated. You can use standard or extended access lists depending on your requirements.
GW(config)# access-list 110 permit ip 192.168.25.0 0.0.0.255 any
This extended ACL will allow all hosts in the 192.168.25.0/24 subnet to be translated to external IP 188.8.131.52. This ACL is then applied to the NAT command. If you want to exclude some inside local addresses from being translated, you can place a deny ACL statement before the permit statement like this:
GW(config)# access-list 110 deny ip 192.168.25.50 0.0.0.0 any
In the above example the IP address 192.168.25.50 will not be rewritten; instead, it will appear unchanged on the outside. Next we need to configure the actual translation action using the following line:
GW(config)# ip nat inside source list 110 interface FastEthernet0/0 overload
This line tells the router to translate the source addresses of any internal devices that match access-list number 110. The router will translate the source addresses of all of these devices to the address that is configured on the interface FastEthernet0/0, which is the outside interface. The overload keyword tells the router that many internal devices can use the same global address simultaneously. After running the above commands the PAT configuration is finished and we can proceed to NAT verification.
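The following model is an added example, not code from the original article or from Cisco. It walks through the two steps described above: the first-match ACL decision (including why the deny line must come before the permit) and the overload port mapping when two inside hosts use the same source port. The public address 203.0.113.2 is a constructed documentation address, and the "next free port" allocation is a simplification of what a real router does.

```python
import ipaddress

PUBLIC_IP = "203.0.113.2"   # constructed documentation address, not from the article
ACL_DENY_FIRST = [("deny", "192.168.25.50", "0.0.0.0"),
                  ("permit", "192.168.25.0", "0.0.0.255")]
ACL_PERMIT_FIRST = list(reversed(ACL_DENY_FIRST))   # deny added after the permit

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 1 bit means 'ignore this bit when comparing'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

class PatRouter:
    def __init__(self, public_ip, acl):
        self.public_ip = public_ip
        self.acl = acl      # ordered list of (action, base, wildcard)
        self.out = {}       # (proto, inside ip, inside port) -> global port
        self.back = {}      # (proto, global port) -> (inside ip, inside port)

    def acl_permits(self, src_ip):
        for action, base, wildcard in self.acl:   # first matching line wins
            if wildcard_match(src_ip, base, wildcard):
                return action == "permit"
        return False                              # implicit deny ends every ACL

    def outbound(self, proto, src_ip, src_port):
        """Return the (source ip, source port) the outside host will see."""
        if not self.acl_permits(src_ip):
            return (src_ip, src_port)             # not translated, leaves unchanged
        key = (proto, src_ip, src_port)
        if key not in self.out:
            port = src_port                       # keep the original port if free
            while (proto, port) in self.back:     # taken by another inside host
                port = port + 1 if port < 65535 else 1024
            self.out[key] = port
            self.back[(proto, port)] = (src_ip, src_port)
        return (self.public_ip, self.out[key])

    def inbound(self, proto, dst_port):
        """Map a reply back to the inside socket; None if no entry exists."""
        return self.back.get((proto, dst_port))
```

With ACL_PERMIT_FIRST the host 192.168.25.50 matches the permit line first and is translated anyway, which is the ordering mistake the paragraph above warns about.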
Port Address Translation (PAT) verification
The simplest way to check that the PAT translation works properly is to run the ping command from your inside local host to an outside global host. You can view the NAT translation table by using the following command:
GW# show ip nat translation
Pro Inside global         Inside local         Outside local      Outside global
udp 184.108.40.206:2562   192.168.25.10:2562   220.127.116.11:53  18.104.22.168:53
tcp 22.214.171.124:21457  192.168.25.22:21457  126.96.36.199:22   188.8.131.52:22
tcp 184.108.40.206:7563   192.168.25.10:7563   220.127.116.11:80  18.104.22.168:80
The first column specifies the protocol of the port that identifies the address, and the following four columns are explained in the NAT terminology section above. If the overload option is not used in your NAT configuration, the first column will be blank. As we can see from the output, the first translation directed to 22.214.171.124 is a DNS request from internal host 192.168.25.10, the second one is an SSH request to the 126.96.36.199 external host, and the last entry is an HTTP request to a web server with IP address 188.8.131.52.
You can also gather some statistics about the NAT translations by running the following command:
GW# show ip nat statistics
Total translations: 3 (0 static, 3 dynamic; 3 extended)
Outside interfaces: FastEthernet0/0
Inside interfaces : FastEthernet0/1
Hits: 192 Misses : 2
Expired translations: 3
Dynamic mappings:
-- Inside Source
[Id: 2] access-list 110 interface Fastethernet0/0 refcount 2
The Total translations line indicates the number of translations active in the system; it is incremented each time a translation is created and decremented each time a translation is cleared or times out. The Hits line specifies the number of times the software does a translation table lookup and finds an entry, and the Misses line specifies the number of times the software does a translation table lookup, fails to find an entry, and must try to create one. The Expired translations line is the cumulative count of translations that have expired since the router was booted.
Troubleshooting Port Address Translation (PAT)
Entries in the NAT translation table are created dynamically and are removed from the translation table after some time (default timeout is 24h). If the translation table grows big (thousands of NAT entries), this could cause the router to perform poorly because it tries to keep up with all connections. In such a case we can clear the entries from the NAT table and free up the resources by running the following command:
GW# clear ip nat translation *
Using * clears the whole NAT translation table. If you want to clear a specific entry, you must specify either the global address for a device that is inside, or a local address for a device that is outside, like this:
GW# clear ip nat translation inside 184.108.40.206
GW# clear ip nat translation outside 192.168.25.10
If you need to troubleshoot NAT misconfigurations, Cisco offers a useful debug facility for NAT. The basic form of the command is debug ip nat, which is used to verify the operation of the NAT feature by displaying information about each packet that the router translates.
GW# debug ip nat
*May 22 13:44:28.243: NAT: s=192.168.25.10->220.127.116.11, d=18.104.22.168
*May 22 13:44:28.247: NAT*: s=22.214.171.124, d=126.96.36.199->192.168.25.10
*May 22 13:44:28.251: NAT*: s=192.168.25.10->188.8.131.52, d=184.108.40.206
*May 22 13:44:28.255: NAT*: s=220.127.116.11, d=18.104.22.168->192.168.25.10
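Before clearing the whole table, it helps to see which inside hosts hold the entries. The parser below is an added example, not part of the original article: it reads pasted show ip nat translation output and counts entries per inside local address. The sample text uses constructed documentation addresses, and the function names are hypothetical.

```python
from collections import Counter

# Constructed sample output (documentation addresses, not from a real router).
SAMPLE = """\
GW# show ip nat translation
Pro Inside global      Inside local         Outside local      Outside global
udp 203.0.113.2:2562   192.168.25.10:2562   198.51.100.53:53   198.51.100.53:53
tcp 203.0.113.2:21457  192.168.25.22:21457  198.51.100.7:22    198.51.100.7:22
tcp 203.0.113.2:7563   192.168.25.10:7563   198.51.100.80:80   198.51.100.80:80
--- 203.0.113.9        192.168.25.5         ---                ---
"""

PROTOS = {"tcp", "udp", "icmp", "---"}   # IOS prints "---" for entries without ports

def split_sock(field):
    """'192.168.25.10:2562' -> ('192.168.25.10', 2562); no port -> (value, None)."""
    ip, sep, port = field.partition(":")
    return (ip, int(port)) if sep else (ip, None)

def parse_translations(text):
    """Return one dict per translation row, skipping prompt and header lines."""
    entries = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 5 or f[0] not in PROTOS:
            continue   # the prompt line also has 5 tokens, so check the protocol too
        entries.append({
            "proto": f[0],
            "inside_global": split_sock(f[1]),
            "inside_local": split_sock(f[2]),
            "outside_local": split_sock(f[3]),
            "outside_global": split_sock(f[4]),
        })
    return entries

def entries_per_inside_host(entries):
    """Count translation entries held by each inside local address."""
    return Counter(e["inside_local"][0] for e in entries)

def heavy_hosts(entries, threshold):
    """Inside local addresses holding at least `threshold` entries."""
    counts = entries_per_inside_host(entries)
    return sorted(ip for ip, n in counts.items() if n >= threshold)
```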
In this output we have run ping from the 192.168.25.10 IP address to the 22.214.171.124 external IP address. The first field after the timestamp NAT indicates that the packet is being translated by NAT. An asterisk (*) indicates that the translation is occurring in the fast path. The first packet in a conversation always goes through the slow path (that is, it is process switched). The remaining packets go through the fast path if a cache entry exists. s=192.168.25.10->126.96.36.199 is the source address of the packet and how it is being translated. d=188.8.131.52 is the destination address of the packet.  is the IP identification number of the packet which might be useful in the debugging process to correlate with other packet traces from protocol analyzers.
It’s not recommended to run the debug ip nat command on production routers because if the network traffic is heavy it could crash the router or make it unresponsive.
In this article we explained the basic usage of PAT on Cisco routers. Generally, NAT can be quite confusing because people usually think it can be used as a firewall, which is not true. With the increasing deployment of IPv6 networks worldwide, NAT usage should decrease substantially.