NAT Overloading or Port Address Translation (PAT) is a modified form of dynamic NAT where the number of inside local addresses is greater than the number of inside global addresses. Mostly, there is just a single inside global IP address providing Internet access to all inside hosts. NAT Overloading is the only flavor of NAT that actually conserves IP addresses and it is also the most popular form of NAT as well.

Figure 10-4 Port Address Translation (PAT)


PAT allows overloading or the mapping of more than on inside local address to the same inside global address. But this also means that return packets would all have the same destination address as they reach the NAT router. How would the router know which inside local address each return packet belongs to? In order to deal with this scenario, the NAT entries in the translation table are extended entries; the entries not only track the relevant IP addresses, but also the protocol types and ports. By translating both the IP address and the port number of a packet, up to 65535 inside local addresses could theoretically be mapped to a single inisde global address (based on the 16-bit port number).

But keep in mind that a single NAT entry uses approximately 160 bytes of router memory, so 65535 entries would take more than 10 MB of memory and also large amounts of CPU power. In practical PAT configurations, nowhere near this number of addresses are mapped, but it is definitely a theoretical limit.

Here is a sample configuration for NAT overloading or PAT according to Figure 10-4.

R1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#ip nat pool MyPool ?
netmask        Specify the network mask
prefix-length  Specify the prefix length

R1(config)#ip nat pool MyPool netmask
R1(config)#access-list 1 permit
R1(config)#ip nat inside source list 1 pool MyPool overload

R1(config)#interface FastEthernet0/0
R1(config-if)#ip address
R1(config-if)#ip nat inside
R1(config-if)#interface FastEthernet0/1
R1(config-if)#ip address
R1(config-if)#ip nat outside

The above configuration may appear very similar to the configuration for dynamic NAT, however there are important differences. First, the pool of IP addresses has been shrunk to a single IP address assigned to the outside interface of router R1.

Second, access list 1 matches the entire class C network which means any inside local address from this network will be translated. If you want a specific host from this network not to be translated, you have to explicitly specify by adding a deny statement to the access list. Let’s assume we want to deny translation to a single host while allowing all other hosts:

R1(config)#access-list 1 deny host
R1(config)#access-list 1 permit 

Also there is an addition of overload keyword with the ip nat inside source list 1 pool MyPool command.

Key Concept – NAT Overload is a special form of dynamic NAT that allows many-to-one mapping of local addresses to a smaller number global addresses from a pool of global addresses. The pool of global addresses may even consist of a single address. NAT Overload is also called Port Address Translation (PAT).  These are a favorite type of scenario question on the CCNA exam.

Let’s start our usual verification by issuing the show ip nat translations command:

R1#show ip nat translations


There are no static mappings and hence the blank output above. Let’s generate some traffic from inside hosts to the server and issue the show ip nat translations command again:

R1#show ip nat translations
Pro  Inside global  Inside local   Outside local     Outside global

As you can see in the output above, all inside local addresses are translated into the same inside global address, which is the essence of NAT overload or PAT. You may have noticed that the router has preserved the source port numbers as inside local addresses were translated to inside global addresses. This is the usual behavior but when the router creates a new translation entry such that the source port number is already in use, the port number also gets translated to a different number. The occurrence of two inside hosts choosing the same source port number is not very common, but it still may happen especially when the number of connections from inside to outside is significant.

Let’s also issue the show ip nat statistics command:

R1#show ip nat statistics
Total active translations: 3 (0 static, 3 dynamic; 3 extended)
Outside interfaces:
Inside interfaces:
Hits: 135  Misses: 15
CEF Translated packets: 150, CEF Punted packets: 0
Expired translations: 12
Dynamic mappings:
— Inside Source
[Id: 2] access-list 1 pool MyPool refcount 3
pool MyPool: netmask
start end
type generic, total addresses 1, allocated 1 (100%), misses 0
Queued Packets: 0 

You should keep two things in mind. First, NAT overload is useful in any situation when the number of inside hosts is larger than public addresses you have. In many situations you only have a single public IP address that is assigned to the outside interface of your Internet facing router. In this case your pool would consist of a single IP address as the configuration above shows. However, you may have more than one public IP addresses available, one of which may be assigned to the Internet facing interface of your router. In such case, your NAT pool may consist of more than one IP addresses still using NAT overload to accommodate a larger number of inside hosts wanting to connect to the Internet. In short, you may have a single overloaded public address or you may have more than one overloaded public addresses.

NAT Overload or PAT is the most prevalent NAT configuration for the obvious reason that it is the flavor of NAT that actually preserves global IP addresses, the primary reason for NAT usage.