
NAT and PAT Explained for CCNA and Network+

Your home router gives your laptop a private IP address like 192.168.1.50, but when you browse the internet, websites see a completely different address. That translation is NAT. Without it, the internet would have run out of IP addresses long before IPv6 was ready. NAT allows thousands of devices with private addresses to share a small pool of public addresses. CCNA and Network+ both test NAT concepts and the specific types of translation. The distinction between static NAT, dynamic NAT, and PAT (which Cisco calls NAT overload) appears in almost every topology question that involves internet access.


NAT concepts and address terminology

NAT works by maintaining a translation table on a router or firewall. When a private-address device sends a packet to the internet, NAT replaces the private source IP with a public IP before forwarding the packet. When the response comes back, NAT replaces the public destination IP with the original private IP and delivers it to the correct internal device.

NAT uses four address terms that the exam tests precisely:

  • Inside local: the private IP address of an internal device as seen from inside the network (e.g., 192.168.1.10).
  • Inside global: the public IP address that represents that internal device to the outside world.
  • Outside global: the actual public IP of the remote server on the internet.
  • Outside local: how the remote server's IP appears to the inside network, which in most configurations is the same as the outside global.

The terms inside and outside refer to the network perspective. Inside = your organization's network. Outside = the internet or any external network.

Static NAT, dynamic NAT, and PAT

Static NAT creates a permanent one-to-one mapping between one private IP and one public IP. Every packet from 192.168.1.10 always appears as the same public IP on the internet. Inbound connections work too because the mapping is permanent. Static NAT is used for servers that need to be reachable from the internet: web servers, mail servers, and VPN endpoints.

Dynamic NAT maps private IPs to public IPs from a pool on demand. When a device initiates an outbound connection, NAT assigns the next available public IP from the pool for the duration of the connection. When the connection closes, the public IP goes back to the pool. Dynamic NAT still requires one public IP per simultaneous session, so it does not scale well. If the pool is exhausted, new connections fail.

PAT (Port Address Translation), called NAT overload by Cisco, allows many private IPs to share a single public IP by distinguishing sessions using port numbers. When multiple devices connect to the internet simultaneously, PAT adds unique source port numbers to each session so it knows which response belongs to which internal device. PAT is what your home router uses. One public IP supports thousands of simultaneous connections.
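The port-based table described above, as an added Python example (not part of the original article, and not router code). It shows what PAT has to do when two inside hosts pick the same source port, and why a packet with no table entry has nowhere to go. The `Pat` class, the sequential port allocation and all addresses are constructed assumptions.

```python
from dataclasses import dataclass, field

PUBLIC_IP = "198.51.100.1"  # inside global address (constructed, documentation range)


@dataclass
class Pat:
    """Toy PAT table. Assumption: keyed on protocol and port only; real
    implementations also track the remote endpoint and age entries out."""
    public_ip: str
    next_port: int = 1024  # assumption: replacement ports are handed out sequentially
    out: dict = field(default_factory=dict)   # (proto, inside IP, inside port) -> public port
    back: dict = field(default_factory=dict)  # (proto, public port) -> (inside IP, inside port)

    def outbound(self, proto, src_ip, src_port):
        """Translate inside local -> inside global for a packet leaving the network."""
        key = (proto, src_ip, src_port)
        if key not in self.out:
            port = src_port  # keep the host's own source port when it is free
            while (proto, port) in self.back:  # collision: pick another public port
                if self.next_port > 65535:
                    raise RuntimeError("no free ports on " + self.public_ip)
                port, self.next_port = self.next_port, self.next_port + 1
            self.out[key] = port
            self.back[(proto, port)] = (src_ip, src_port)
        return self.public_ip, self.out[key]

    def inbound(self, proto, dst_port):
        """Translate a packet arriving at the public IP; None means no entry, so drop."""
        return self.back.get((proto, dst_port))


def demo():
    pat = Pat(PUBLIC_IP)
    a = pat.outbound("tcp", "192.168.1.10", 50000)
    b = pat.outbound("tcp", "192.168.1.11", 50000)  # second host, same source port
    return {
        "a": a, "b": b,
        "reply_to_a": pat.inbound("tcp", a[1]),
        "reply_to_b": pat.inbound("tcp", b[1]),
        "unsolicited": pat.inbound("tcp", 3389),  # nothing inside opened this port
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Both hosts appear as 198.51.100.1 on the outside; only the public port tells their replies apart.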

How to choose the correct answer

Static NAT: one-to-one, permanent. For servers that need inbound internet access.

Dynamic NAT: pool of public IPs, one-to-one per session, but not permanent. Cannot support inbound connections.

PAT / NAT overload: many-to-one using port numbers. The standard for home and enterprise outbound internet access.

Address terminology: inside local = private IP as seen internally. Inside global = public IP as seen externally. The exam often presents these terms in questions about which address appears in packet headers at specific points in the path.

NAT breaks end-to-end connectivity, which is why protocols that embed IP addresses in their payload (like FTP active mode) may have compatibility issues with NAT without Application Layer Gateways.

NAT types comparison

| Type | Mapping | Public IPs needed | Supports inbound? | Use case |
|---|---|---|---|---|
| Static NAT | One-to-one (permanent) | One per internal IP | Yes | Web servers, mail servers |
| Dynamic NAT | One-to-one (on demand) | One per session | No | Limited, scalability issues |
| PAT (NAT Overload) | Many-to-one (port-based) | One for all | No (without special config) | Home routers, enterprise outbound |

Key exam facts — CCNA / Network+

  • Static NAT: permanent one-to-one. Used for servers needing inbound connections.
  • Dynamic NAT: pool-based, one-to-one per session. Pool exhaustion = connection failure.
  • PAT: many-to-one using unique port numbers. Scales for thousands of concurrent sessions.
  • Inside local: private IP of internal device. Inside global: public IP representing internal device.
  • NAT overload is Cisco's term for PAT. Both mean the same configuration.

Common exam traps

Trap: NAT improves network security by hiding internal IP addresses.

Reality: NAT obscures internal IP addresses as a side effect of address translation, not as a security design. It should not be relied upon as a security control. A firewall with proper ACLs provides actual security. NAT's purpose is address conservation, not security.

Trap: Dynamic NAT and PAT work the same way.

Reality: Dynamic NAT assigns one public IP per session from a pool, requiring as many public IPs as simultaneous sessions. PAT uses one public IP for all sessions by tracking them with unique port numbers. PAT is far more scalable and is the standard implementation.

Trap: Devices behind NAT cannot receive inbound connections.

Reality: Static NAT and PAT with port forwarding both support inbound connections. Static NAT has a permanent mapping that allows inbound. PAT port forwarding creates a static mapping for a specific port to a specific internal host. Without these configurations, inbound connections cannot be established.

Practice questions — NAT & PAT

These questions are representative of what you will see on the CCNA and Network+ exams. The correct answer and explanation are shown immediately below each question.

Q1. A host at 192.168.1.10 accesses a web server at 203.0.113.5 through a router running PAT with a single public IP of 198.51.100.1. What is the 'inside global' address of the host?

A. 192.168.1.10
B. 203.0.113.5
C. 198.51.100.1
D. 192.168.1.1 (the router's inside interface)

Explanation: Inside global is the public IP that represents the internal host to the outside world. In PAT, all internal hosts share the single public IP (198.51.100.1) — they are differentiated by port numbers. Inside local is 192.168.1.10 (the private IP). Outside global is 203.0.113.5 (the web server's IP).

Q2. A company needs to host a web server that must be reachable from the internet on TCP port 80. The web server has private IP 10.0.0.50. Which NAT type should be used?

A. Dynamic NAT with a pool of public IPs
B. PAT (NAT overload) for all traffic
C. Static NAT with a one-to-one mapping of a public IP to 10.0.0.50
D. No NAT is needed for inbound connections

Explanation: Static NAT creates a permanent one-to-one mapping between a public IP and the web server's private IP. This allows inbound internet connections on port 80 to be translated to the web server. Dynamic NAT and PAT create temporary or port-based mappings that only work for outbound sessions — they cannot support unsolicited inbound connections without additional port forwarding configuration.

Q3. An engineer configures PAT on a router with the command 'ip nat inside source list 1 interface GigabitEthernet0/0 overload'. What does 'overload' mean?

A. The router will drop packets when the translation table is full
B. Multiple inside hosts share a single public IP using unique port numbers (PAT)
C. The NAT translation table is backed up to prevent overwriting
D. Only one inside host at a time can use the outside interface

Explanation: 'Overload' in Cisco's NAT configuration means PAT (Port Address Translation). It allows multiple inside hosts to share the single IP address of GigabitEthernet0/0 by using unique source port numbers to track each session. Without 'overload', the command would create dynamic NAT with a one-to-one mapping.

Q4. What is the purpose of the 'ip helper-address' command on a Cisco router interface?

A. It specifies the IP address of the router's own interface for DHCP purposes
B. It forwards DHCP broadcast packets as unicast to a DHCP server on another subnet
C. It enables static NAT translation for the specified IP address
D. It configures a secondary IP address on the router interface

Explanation: DHCP Discover messages are broadcasts. Routers don't forward broadcasts between subnets. The 'ip helper-address' command configured on the router's inside interface causes the router to intercept DHCP broadcasts from clients and forward them as unicast to the specified DHCP server address. This allows a single DHCP server to serve multiple subnets.

Q5. Which NAT type supports inbound connections from the internet to an internal server without additional port forwarding configuration?

A. Dynamic NAT
B. PAT (NAT overload)
C. Static NAT
D. No NAT type supports inbound connections

Explanation: Static NAT creates a permanent, bidirectional one-to-one mapping between a public IP and a private IP. Inbound connections to the public IP are translated to the private IP automatically because the mapping is always present. Dynamic NAT and PAT create temporary/outbound-only translations that expire when the session ends, making them unable to accept unsolicited inbound connections.

Frequently asked questions — NAT & PAT

What is the difference between static NAT, dynamic NAT, and PAT?

Static NAT: one public IP permanently mapped to one private IP. Supports both inbound and outbound connections. Used for servers. Dynamic NAT: a pool of public IPs mapped on demand to private IPs (one-to-one per session). Outbound only, pool can be exhausted. PAT (NAT overload): one public IP shared by all inside hosts, distinguished by unique source port numbers. Highly scalable, outbound only by default. PAT is what home routers and most enterprises use.

What is the difference between inside local and inside global addresses in NAT?

Inside local is the private IP address of an internal device as it is known within the organization's network (e.g., 192.168.1.10). Inside global is the public IP address that represents that device to the outside internet (e.g., 203.0.113.5 or the PAT interface IP). The NAT router translates between these two addresses. Outside global is the actual public IP of the external destination server.

Does NAT provide security?

NAT provides obscurity as a side effect — internal IP addresses are hidden from the internet. However, NAT should not be relied upon as a security control. It does not filter malicious traffic, prevent exploits, or protect against attacks. A firewall with proper ACLs is required for actual security. NAT's purpose is IPv4 address conservation, not security.

How is NAT tested on CCNA and Network+?

CCNA tests all three NAT types (static, dynamic, PAT), NAT terminology (inside local, inside global, outside local, outside global), configuration syntax, and DHCP relay (ip helper-address). Network+ focuses more on the concepts of NAT and PAT, when each type is appropriate, and the impact of NAT on end-to-end connectivity (breaking protocols like FTP active mode and IPsec without NAT-T).

Why does PAT not work well with some applications?

PAT tracks sessions using source port numbers. Some protocols embed IP addresses in their application payload (FTP active mode embeds the data connection IP/port in the command channel). When NAT translates the outer IP header but not the embedded address in the payload, the application breaks. Application Layer Gateways (ALGs) inspect and fix these embedded addresses. IPsec also has NAT compatibility issues because it encrypts headers that NAT needs to modify, solved by NAT Traversal (NAT-T).
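The FTP active-mode case described above, as an added Python example (not part of the original article, and not any vendor's ALG). It parses the address embedded in a `PORT` command and rewrites it to the inside global address. The function names, the `allocate` callback and the sample command are constructed assumptions.

```python
import re

# FTP active mode: "PORT h1,h2,h3,h4,p1,p2" where port = p1 * 256 + p2
PORT_RE = re.compile(r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n$")


def parse_port(line):
    """Return (ip, port) embedded in a PORT command, or None if it is not one."""
    m = PORT_RE.match(line)
    if not m:
        return None
    n = [int(x) for x in m.groups()]
    if any(v > 255 for v in n):
        return None
    return ".".join(str(v) for v in n[:4]), n[4] * 256 + n[5]


def format_port(ip, port):
    return "PORT {},{},{}\r\n".format(ip.replace(".", ","), port >> 8, port & 0xFF)


def alg_rewrite(line, packet_src_ip, public_ip, allocate):
    """Rewrite the embedded inside local address to the inside global one.

    allocate(ip, port) is a hypothetical callback that reserves a public port
    and returns it. Returns (line_to_forward, mapping_or_None).
    """
    parsed = parse_port(line)
    if parsed is None or parsed[0] != packet_src_ip:
        # Not a PORT command, or it names a host other than the sender:
        # forward untouched and open no inbound mapping.
        return line, None
    ip, port = parsed
    public_port = allocate(ip, port)
    # The new text can differ in length, so a real ALG also has to adjust
    # TCP sequence numbers; that part is outside this sketch.
    return format_port(public_ip, public_port), (public_port, ip, port)


def demo():
    cmd = "PORT 192,168,1,10,195,80\r\n"  # constructed: client 192.168.1.10, port 50000
    return alg_rewrite(cmd, "192.168.1.10", "198.51.100.1", lambda ip, port: 1024)
```

Without the rewrite, the server is told to connect back to 192.168.1.10, a private address it cannot reach, even though the outer IP header was translated correctly.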
