
CCNA NAT Types: Static NAT, Dynamic NAT, PAT & Inside/Outside

Network Address Translation (NAT) is how almost every private network connects to the internet. The CCNA 200-301 exam tests static NAT, dynamic NAT, and PAT (Port Address Translation), the inside/outside/local/global address terminology, and the configuration commands. Understanding the terminology precisely is as important as knowing the commands — exam questions routinely test 'inside global' vs 'inside local' to trip up unprepared candidates.


NAT terminology: inside local, inside global, outside local, outside global

NAT introduces four address terms that describe addresses from two perspectives (inside vs outside) and two locations (local = before translation, global = after translation).

  • Inside local: the actual IP address of an inside host as configured on its interface, typically a private RFC 1918 address (e.g., 192.168.1.10).
  • Inside global: the translated address of an inside host as seen from the outside, typically a public IP address assigned by the ISP (e.g., 203.0.113.5).
  • Outside global: the actual IP address of an outside host (e.g., 8.8.8.8 for Google DNS).
  • Outside local: the translated address of an outside host as seen from the inside. In most implementations, this equals the outside global address since outside addresses are usually not translated.

On the CCNA exam: inside local = private IP of the LAN host. Inside global = public IP that the world sees. Know which address appears in the NAT translation table on each side.

Static NAT

Static NAT creates a permanent one-to-one mapping between an inside local address and an inside global address. One private IP always maps to the same public IP. This is used for servers that must be reachable from the internet with a consistent public address — web servers, mail servers, FTP servers.

Configuration: `ip nat inside source static <inside-local> <inside-global>`. Mark the LAN interface as `ip nat inside` and the WAN interface as `ip nat outside`. The mapping persists regardless of traffic — the inside global IP is always reserved for that one host.

Static NAT requires one public IP per mapped host. If you have 10 servers that need to be reachable from the internet, you need 10 static NAT entries and 10 public IPs.

Dynamic NAT

Dynamic NAT maps inside local addresses to inside global addresses from a pool of public IPs. When an inside host initiates a connection, the router assigns the next available IP from the pool. When the session ends, the public IP is returned to the pool.

Configuration: define the inside hosts with an access list, define the pool of public IPs with `ip nat pool`, and connect them with `ip nat inside source list <acl> pool <pool-name>`.

Dynamic NAT limitation: if all pool IPs are in use and a new host tries to connect, translation fails — the host cannot reach the internet. Dynamic NAT without overload still provides a one-to-one mapping, just dynamic instead of static.

PAT (Port Address Translation / NAT Overload)

PAT is what most people mean when they say 'NAT.' PAT maps multiple inside local addresses to a single inside global address by using port numbers to distinguish sessions. Each translation entry includes source IP, destination IP, source port (translated to a unique port), and destination port.

PAT is configured by adding `overload` to the NAT statement: `ip nat inside source list <acl> interface <outside-interface> overload` or `ip nat inside source list <acl> pool <pool-name> overload`. The `overload` keyword enables port-level multiplexing.

A single public IP can support tens of thousands of simultaneous translations because each session gets a unique source port. This is how a home router shares one ISP-assigned IP among all family devices.

`show ip nat translations` shows active NAT entries. `show ip nat statistics` shows totals and misses. `debug ip nat` shows real-time translation activity — useful for troubleshooting but verbose.
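The dynamic NAT pool exhaustion and PAT port multiplexing described above, modelled as a toy translation table. This is an added example, not Cisco IOS code or part of the original page; the `NatTable` class, its method names, the host addresses and the port-selection rule (keep the source port if it is free, otherwise take the next free port from 1024) are assumptions made for illustration.

```python
from itertools import chain

class NatTable:
    """Toy inside-source translation table (constructed model, not IOS code)."""
    def __init__(self, pool, overload=False):
        self.pool = list(pool)    # inside global addresses
        self.overload = overload  # True = PAT, False = dynamic NAT (1:1)
        self.out = {}             # inside local -> inside global
        self.back = {}            # inside global -> inside local
        self.misses = 0           # packets with no usable translation

    def translate_out(self, ip, port):
        """Inside -> outside. Returns (inside_global_ip, port) or None."""
        key = (ip, port) if self.overload else ip
        if key not in self.out:
            mapped = self._allocate(port)
            if mapped is None:    # pool exhausted: translation fails
                self.misses += 1
                return None
            self.out[key], self.back[mapped] = mapped, key
        g = self.out[key]
        return g if self.overload else (g, port)

    def _allocate(self, port):
        if not self.overload:     # dynamic NAT: a whole address per host
            free = [a for a in self.pool if a not in self.back]
            return free[0] if free else None
        # PAT: keep the source port if unused (assumed rule), else next free
        for addr in self.pool:
            for p in chain([port], range(1024, 65536)):
                if (addr, p) not in self.back:
                    return (addr, p)
        return None

    def translate_in(self, ip, port):
        """Outside -> inside. None means no matching entry, so drop."""
        local = self.back.get((ip, port) if self.overload else ip)
        if local is None:
            self.misses += 1
            return None
        return local if self.overload else (local, port)

def demo():
    hosts = ["192.168.1.10", "192.168.1.11", "192.168.1.12"]  # constructed
    dyn = NatTable(["203.0.113.5", "203.0.113.6"])
    pat = NatTable(["203.0.113.5"], overload=True)
    return ([dyn.translate_out(h, 40000) for h in hosts],
            [pat.translate_out(h, 40000) for h in hosts])
```

With a two-address pool the third host gets no translation under dynamic NAT, while the single PAT address serves all three hosts on distinct ports.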

NAT type comparison

| Type | Mapping | Public IPs needed | Use case |
|---|---|---|---|
| Static NAT | One-to-one (permanent) | One per inside host | Internet-facing servers |
| Dynamic NAT | One-to-one (from pool) | Pool must be large enough for concurrent users | Outbound when 1:1 mapping needed |
| PAT (NAT Overload) | Many-to-one (with ports) | One (or small pool) | Internet access for LAN users |

Key exam facts — CCNA

  • Inside local = private IP of LAN host. Inside global = public IP after translation
  • Static NAT: permanent 1:1 mapping. Dynamic NAT: 1:1 from a pool. PAT: many:1 using ports
  • PAT requires `overload` keyword: `ip nat inside source list <acl> interface <int> overload`
  • `ip nat inside` on LAN interface; `ip nat outside` on WAN interface
  • `show ip nat translations` verifies active NAT entries
  • If dynamic NAT pool exhausted, new translations fail — host cannot access internet

Common exam traps

Inside local and inside global are the same when NAT is not configured

Inside local is always the private IP on the LAN side. Inside global is always the translated public IP. When there is no NAT, these concepts don't apply — they're NAT-specific terminology.

Dynamic NAT and PAT are the same thing

Dynamic NAT assigns a pool IP one-to-one per session (no port multiplexing). PAT (dynamic NAT with overload) maps many private IPs to one public IP using unique source ports. PAT is far more scalable and is what home routers use.

The `ip nat inside` command goes on the outside/WAN interface

`ip nat inside` goes on the LAN-facing interface (where private addresses are). `ip nat outside` goes on the WAN-facing interface (where public addresses are). Swapping these will break NAT.

Practice questions — NAT Types

These questions are representative of what you will see on CCNA exams. The correct answer and explanation are shown immediately below each question.

Q1. A company web server at 192.168.1.100 must be reachable from the internet at 203.0.113.50 permanently. Which NAT type is appropriate?

A. Dynamic NAT
B. PAT with overload
C. Static NAT
D. Dynamic NAT with pool

Explanation: Static NAT creates a permanent one-to-one mapping between a private (inside local) address and a public (inside global) address. This is the correct choice for servers that must be consistently reachable from the internet at a specific IP.

Q2. 100 LAN hosts share a single public IP address to access the internet. Which NAT feature makes this possible?

A. Static NAT
B. Dynamic NAT without overload
C. PAT (NAT overload)
D. Inside global translation

Explanation: PAT (Port Address Translation), configured with the `overload` keyword, allows many inside hosts to share a single public IP by using unique source port numbers to distinguish each session.

Q3. Which address is the inside local address in a NAT translation?

A. The public IP address assigned by the ISP
B. The translated port number
C. The private IP address of the LAN host
D. The outside server's IP address

Explanation: Inside local is the IP address of the inside host as configured on its interface — typically a private RFC 1918 address. Inside global is the public IP address that the host appears to use after NAT translation.

Q4. Which command enables PAT on a Cisco router using the IP address of the outside interface?

A. `ip nat inside source static 192.168.1.0 255.255.255.0`
B. `ip nat inside source list 1 interface GigabitEthernet0/1 overload`
C. `ip nat outside source list 1 pool PUBLIC overload`
D. `ip nat inside source pool PUBLIC overload`

Explanation: `ip nat inside source list <acl> interface <outside-interface> overload` enables PAT. The ACL defines inside hosts, the `interface` keyword uses the outside interface's IP as the inside global address, and `overload` enables port multiplexing.

Q5. A network engineer types `show ip nat translations` and sees no entries. A user reports they cannot reach the internet. What is a likely cause?

A. PAT is working correctly — entries only appear during active sessions
B. The `ip nat inside` and `ip nat outside` commands may be reversed or missing
C. The NAT pool has too many entries
D. Static NAT is overriding dynamic NAT

Explanation: If no NAT translations appear even when users are trying to connect, the NAT configuration likely has errors — most commonly, `ip nat inside` and `ip nat outside` applied to the wrong interfaces, or the ACL not matching the inside hosts.

Frequently asked questions — NAT Types

What is the difference between inside local and inside global?

Inside local is the IP address of an inside (LAN) host as seen from the inside network — typically a private RFC 1918 address like 192.168.1.10. Inside global is the public IP address that the same host appears to have after NAT translation — what the internet sees. NAT changes the inside local to the inside global in outgoing packets.

How does PAT allow multiple hosts to share one IP address?

PAT (Port Address Translation) uses unique TCP/UDP source port numbers to distinguish sessions from different hosts. Host A's HTTP request gets source port 12345; Host B's gets 12346. The router tracks these in the NAT translation table. Return traffic uses the port number to identify which host gets the packet.

When should I use static NAT vs PAT?

Use static NAT for servers that must be consistently reachable from the internet (web servers, mail servers) — the public IP is permanently mapped to the private IP. Use PAT for outbound internet access from LAN hosts — many private IPs share one public IP, which is cost-effective and doesn't require one public IP per user.

What happens when the dynamic NAT pool is exhausted?

When all public IPs in the dynamic NAT pool are allocated to active sessions, new translation requests fail. Hosts attempting to reach the internet at that moment get no response. PAT (overload) avoids this problem by allowing thousands of sessions per public IP via port multiplexing.

What is the difference between `ip nat inside source` and `ip nat outside source`?

`ip nat inside source` is the most common — it translates the source IP of packets originating from inside hosts going to the outside (outbound NAT). `ip nat outside source` translates the source IP of packets coming from outside — used in specific scenarios like Policy NAT or when outside addresses need to be translated. For most internet access scenarios, only `ip nat inside source` is used.
