Port Address Translation (PAT)
September 9, 2025 - Reading time: 4 minutes

In the previous lessons, we focused on Static NAT for inbound connections, including restricting traffic to specific services. For this lesson, we move to outbound internet access for inside users, using Port Address Translation (PAT), also known as NAT Overload.

PAT is a form of Dynamic NAT that allows multiple internal devices to share a single public IP address. It achieves this by assigning a unique port number to each connection. When a user inside the network wants to access the internet, the router changes the source IP address of the packet from the private internal address to the public external address and assigns a unique port number. This clever mechanism allows hundreds or even thousands of devices to share one public IP address, making it the most common form of NAT used in home and business networks.

We’ll also simulate real-world firewall behavior by applying ACLs to both the inside and outside interfaces:

  • Outbound ACL: Controls what internet services inside users can access.

  • Inbound ACL: Blocks unsolicited inbound connections from the internet while allowing return traffic from inside-initiated sessions.

Scenario

  • Users: 192.168.1.10–192.168.1.50 should access the internet using the router’s public IP 200.1.1.1.

  • Router:

    • Inside (LAN) interface: FastEthernet0/0 — 192.168.1.1/24

    • Outside (WAN) interface: FastEthernet0/1 — 200.1.1.1/24

Network Topology

[LAN]192.168.1.0/24 --- Fa0/0 [R1] Fa0/1 --- [ISP]200.1.1.0/24

Step 1 – Interface & NAT Role Setup

R1(config)# interface FastEthernet0/0
R1(config-if)# ip address 192.168.1.1 255.255.255.0
R1(config-if)# ip nat inside
R1(config-if)# exit

R1(config)# interface FastEthernet0/1
R1(config-if)# ip address 200.1.1.1 255.255.255.0
R1(config-if)# ip nat outside
R1(config-if)# exit

Marks the LAN-facing interface as ip nat inside and the WAN-facing interface as ip nat outside.

Step 2 – Define Inside Addresses for Translation

R1(config)# access-list 1 permit 192.168.1.0 0.0.0.255

Matches all devices in the 192.168.1.0/24 subnet so they can be translated.

Step 3 – Configure PAT Using the Interface’s Public IP

R1(config)# ip nat inside source list 1 interface FastEthernet0/1 overload

Enables overloading, allowing all matched inside devices to share the router’s own public IP (200.1.1.1) for outbound connections.

Step 4 – Apply Outbound Filtering (Inside Interface)

R1(config)# access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq 80
R1(config)# access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq 443
R1(config)# interface FastEthernet0/0
R1(config-if)# ip access-group 101 out

Allows inside users to access websites over HTTP and HTTPS while blocking all other outbound traffic.

Step 5 – Apply Inbound Protection (Outside Interface)

R1(config)# access-list 102 permit tcp any any established
R1(config)# access-list 102 deny ip any any
R1(config)# interface FastEthernet0/1
R1(config-if)# ip access-group 102 in

Allows return traffic for sessions initiated by inside hosts but blocks unsolicited inbound connection attempts from the internet.

Verification

1. Check NAT Translations
After a client (e.g., 192.168.1.10) accesses the internet:

R1# show ip nat translations
Pro  Inside global      Inside local       Outside local      Outside global
icmp 200.1.1.1:10008    192.168.1.10:1     8.8.8.8:1           8.8.8.8:1

Shows PAT translating 192.168.1.10 to 200.1.1.1 with a unique source port.

2. Check NAT Statistics

R1# show ip nat statistics
Total active translations: 1 (0 static, 1 dynamic; 1 extended)
Outside interfaces:
  FastEthernet0/1
Inside interfaces:
  FastEthernet0/0
Hits: 1  Misses: 0
Dynamic mappings:
-- Inside Source access list 1 interface FastEthernet0/1 refcount 1

Confirms PAT is active and tracking translations.

Common Mistakes

Mistake Symptom Solution
Forgetting the overload keyword Only one device can access the internet Include overload in the command
Incorrect ACL for NAT pool Some devices can’t go online Verify ACL matches the correct subnet
Outbound ACL too restrictive Users can’t access needed services Adjust ACL to allow required ports
Missing inbound ACL Unwanted traffic enters LAN Apply inbound ACL on outside interface

NAT Role Table

Inside Subnet Public IP Translation Type Purpose
192.168.1.0/24 200.1.1.1 PAT (overload) Internet access for all LAN users

User Challenge

You’re the lone network administrator at BrightSide Graphics, a small but fast-moving design studio. Last week, management proudly announced they’d signed up for the “super-affordable” business internet plan from their new ISP.

There’s a catch. The ISP will only give you one public IP address, and it’s assigned dynamically to your router’s outside interface via DHCP. They also have a habit of changing it without warning, sometimes in the middle of the night.

The CEO made the policy clear in a staff meeting:

“Our network needs to automatically adapt if our internet provider changes the main address for our connection. This way, our business stays online 24/7 without requiring someone to manually fix it.”

Meanwhile, the part-time IT security consultant had their own warning:

“Only traffic we ask for should come in. If someone out there tries to reach us without us talking to them first, they shouldn’t even get a reply.”

The marketing team is standing behind you now, eager to upload their latest project to the cloud. They’re impatient, the CEO is watching the clock, and the ISP could change your address at any moment. It’s up to you to make sure the office gets online — and stays online — while keeping unwanted visitors out.

The lab is available for download from this link.

Network Topology:

[ISP] 200.1.1.0/24 --- Fa0/0 [R1] Fa0/1 --- [LAN] 192.168.1.0/24
Fa0/0 (outside): Dynamic IP via DHCP from ISP
Fa0/1 (inside): 192.168.1.1

The answer key will be available next week—until then, happy networking!

Port Address Translation (PAT) | PocketCLI

Search

Categories

LATEST POSTS

Download


>