NAT/PAT Configuration Lab Step by Step

Hands-on NAT lab: configure static NAT, dynamic NAT, and PAT overload on Cisco routers. Full configs, verification, and common mistakes.

Sarah Chen
Network Engineer

NAT (Network Address Translation) is one of those CCNA topics where the concept is straightforward but Cisco's terminology makes it confusing. Inside local, inside global, outside local, outside global — it's a lot of jargon for a simple idea.

This lab walks through all three types of NAT with real configurations so you can see exactly how each one works.

To generate this lab instantly:

Build a NAT lab with 1 router as the NAT device, an inside network
(192.168.1.0/24) with 3 PCs, and an outside network (203.0.113.0/24)
simulating the internet with 1 server.

The Lab Topology

  • R1 — the NAT router, sits between inside and outside networks
  • Gi0/0 (inside) — 192.168.1.1/24, connects to the LAN switch
  • Gi0/1 (outside) — 203.0.113.1/24, connects to the "internet"
  • 3 PCs on the inside network (192.168.1.10, .11, .12)
  • 1 Server on the outside network (203.0.113.100)

Quick Terminology Guide

Before configuring anything, here's what Cisco's NAT terms actually mean:

  • Inside local — the private IP of an internal host (192.168.1.10)
  • Inside global — the public IP representing that host to the outside (203.0.113.10)
  • Outside local — how an external host appears to your inside network (usually the same as outside global)
  • Outside global — the real IP of the external host (203.0.113.100)

In most scenarios, you only care about inside local → inside global translation. That's what NAT does.

Exercise 1: Static NAT

Static NAT maps one private IP to one public IP permanently. Use this for servers that need to be reachable from outside.

Scenario: Map the internal web server (192.168.1.10) to public IP 203.0.113.10.

R1(config)# interface GigabitEthernet0/0
R1(config-if)# ip nat inside
R1(config-if)# exit
!
R1(config)# interface GigabitEthernet0/1
R1(config-if)# ip nat outside
R1(config-if)# exit
!
R1(config)# ip nat inside source static 192.168.1.10 203.0.113.10

Breaking it down:

  • ip nat inside / ip nat outside — marks which interfaces are internal and external
  • ip nat inside source static — creates a permanent one-to-one mapping

Verify:

R1# show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- 203.0.113.10       192.168.1.10       ---                ---

The translation exists even before any traffic flows. That's what "static" means — it's always there.

Exercise 2: Dynamic NAT

Dynamic NAT maps inside hosts to a pool of public IPs on a first-come, first-served basis.

Scenario: Allow inside hosts to use public IPs from pool 203.0.113.20 - 203.0.113.25.

R1(config)# ip nat pool PUBLIC-POOL 203.0.113.20 203.0.113.25 netmask 255.255.255.0
R1(config)# access-list 1 permit 192.168.1.0 0.0.0.255
R1(config)# ip nat inside source list 1 pool PUBLIC-POOL

Breaking it down:

  • ip nat pool — defines a range of public IPs to use
  • access-list 1 — defines which inside hosts can be translated (the entire 192.168.1.0/24 subnet)
  • ip nat inside source list 1 pool PUBLIC-POOL — ties the ACL to the pool

Verify after generating some traffic:

R1# show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- 203.0.113.20       192.168.1.10       ---                ---
--- 203.0.113.21       192.168.1.11       ---                ---

Each inside host gets a unique public IP from the pool. If all 6 pool addresses are in use, the next host can't get translated — the connection fails.

Check statistics:

R1# show ip nat statistics
Total active translations: 2 (1 static, 1 dynamic; 0 extended)
Outside interfaces:
  GigabitEthernet0/1
Inside interfaces:
  GigabitEthernet0/0
Hits: 15  Misses: 0

Exercise 3: PAT (Port Address Translation)

PAT is what most networks actually use. It maps all inside hosts to a single public IP, using port numbers to track which host is which. Cisco calls this "overload."

Scenario: All inside hosts share R1's outside interface IP for internet access.

R1(config)# access-list 2 permit 192.168.1.0 0.0.0.255
R1(config)# ip nat inside source list 2 interface GigabitEthernet0/1 overload

That's it. Two lines. The overload keyword is what makes it PAT instead of dynamic NAT.

Verify after traffic flows:

R1# show ip nat translations
Pro Inside global         Inside local        Outside local       Outside global
tcp 203.0.113.1:1024      192.168.1.10:45678  203.0.113.100:80    203.0.113.100:80
tcp 203.0.113.1:1025      192.168.1.11:52341  203.0.113.100:80    203.0.113.100:80
tcp 203.0.113.1:1026      192.168.1.12:39872  203.0.113.100:443   203.0.113.100:443

Notice: all three inside hosts share the same inside global IP (203.0.113.1) but with different port numbers. That's how the router tracks which response goes to which host.
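
The port-based tracking described above, as an added example that is not part of the original lab or Cisco's implementation: a small Python model of a PAT table using the lab's addresses. The `PatTable` class, the sequential allocation from port 1024 (mirroring the sample output), the full-tuple lookup key and the host 203.0.113.50 are assumptions of this model.

```python
from itertools import count

GLOBAL_IP = "203.0.113.1"  # R1 Gi0/1, the shared inside global address


class PatTable:
    """Simplified PAT (overload) table; not Cisco's actual data structure."""

    def __init__(self, first_port=1024):
        # Sequential ports from 1024 mirror the sample output (model assumption).
        self._ports = count(first_port)
        self.out = {}   # (inside ip, inside port, remote ip, remote port) -> global port
        self.back = {}  # (global port, remote ip, remote port) -> (inside ip, inside port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate an inside -> outside packet, creating an entry on first use."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.out:
            gport = next(self._ports)
            self.out[key] = gport
            self.back[(gport, dst_ip, dst_port)] = (src_ip, src_port)
        return (GLOBAL_IP, self.out[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate an outside -> inside packet; None means no entry, so no delivery."""
        if dst_ip != GLOBAL_IP:
            return None
        inside = self.back.get((dst_port, src_ip, src_port))
        if inside is None:
            return None
        return (src_ip, src_port, inside[0], inside[1])


def demo():
    pat = PatTable()
    # The three flows from the sample "show ip nat translations" output.
    flows = [("192.168.1.10", 45678, "203.0.113.100", 80),
             ("192.168.1.11", 52341, "203.0.113.100", 80),
             ("192.168.1.12", 39872, "203.0.113.100", 443)]
    translated = [pat.outbound(*f) for f in flows]
    # Server reply to global port 1025 is delivered to 192.168.1.11.
    reply = pat.inbound("203.0.113.100", 80, GLOBAL_IP, 1025)
    # Constructed host with no matching entry: nothing to translate to.
    unsolicited = pat.inbound("203.0.113.50", 80, GLOBAL_IP, 1025)
    return translated, reply, unsolicited
```
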

NAT Order of Operations

This catches people on the exam. NAT happens at a specific point in the packet processing pipeline:

For traffic going inside → outside:

  1. Routing decision
  2. NAT translation (inside local to inside global)
  3. ACL check on outbound interface

For traffic going outside → inside:

  1. ACL check on inbound interface
  2. NAT translation (inside global to inside local)
  3. Routing decision

This matters when you combine NAT with ACLs. If you're filtering on the outside interface, you need to match against the translated (global) address, not the original inside address.
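
Why the ACL must be written against the global address, as an added example that is not part of the original lab: a Python model of both processing orders using the Exercise 1 static mapping. The function names, the tuple-based ACL format and TCP port 80 for the web server are assumptions made for illustration.

```python
import ipaddress

# Exercise 1 mapping: inside global -> inside local
STATIC_NAT = {"203.0.113.10": "192.168.1.10"}

# Two candidate ACLs for Gi0/1 (outside): (action, address, wildcard, tcp port).
# Port 80 for the web server is an assumption; the lab does not name a port.
ACL_LOCAL = [("permit", "192.168.1.10", "0.0.0.0", 80)]   # written against inside local
ACL_GLOBAL = [("permit", "203.0.113.10", "0.0.0.0", 80)]  # written against inside global


def ip_int(addr):
    return int(ipaddress.IPv4Address(addr))


def acl_permits(acl, addr, port):
    """First match wins; wildcard bits set to 1 are ignored; implicit deny at the end."""
    for action, net, wildcard, acl_port in acl:
        care = ~ip_int(wildcard) & 0xFFFFFFFF
        if (ip_int(addr) & care) == (ip_int(net) & care) and acl_port == port:
            return action == "permit"
    return False


def outside_to_inside(acl, dst_ip, dst_port):
    """Inbound order from the list above: ACL check, then NAT, then routing."""
    if not acl_permits(acl, dst_ip, dst_port):   # 1. ACL sees the global address
        return "dropped by ACL"
    local = STATIC_NAT.get(dst_ip)               # 2. inside global -> inside local
    if local is None:
        return "no translation entry"
    return f"forwarded to {local}:{dst_port}"    # 3. routed toward the LAN


def inside_to_outside(acl, src_ip, dst_port):
    """Outbound order: routing, then NAT, then ACL on the outbound interface."""
    to_global = {v: k for k, v in STATIC_NAT.items()}
    src = to_global.get(src_ip, src_ip)          # 2. inside local -> inside global
    if not acl_permits(acl, src, dst_port):      # 3. ACL sees the translated source
        return "dropped by ACL"
    return f"sent with source {src}"
```

With `ACL_LOCAL`, every packet falls through to the implicit deny in both directions, because the outside interface never sees 192.168.1.10 in a header.
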

Common NAT Mistakes

1. Forgetting ip nat inside or ip nat outside

Without marking the interfaces, NAT won't translate anything. No error message — it just silently does nothing.

! Verify with:
R1# show ip nat statistics
! Check that inside and outside interfaces are listed

2. ACL doesn't match inside hosts

The ACL in ip nat inside source list must match the inside local addresses. A common mistake:

! Wrong — this matches the public IPs, not the private ones
access-list 1 permit 203.0.113.0 0.0.0.255
 
! Correct — matches the inside hosts
access-list 1 permit 192.168.1.0 0.0.0.255

3. Forgetting overload for PAT

Without overload, you get dynamic NAT — one public IP per inside host. If your pool has 1 IP and 50 hosts, only 1 host can translate at a time.

4. NAT pool subnet mismatch

The pool addresses must be in the same subnet as the outside interface, or you need routing to handle them. If R1's outside interface is 203.0.113.1/24 and your pool is 10.0.0.0/24, the outside network won't know how to route responses back.

Clearing and Debugging

Useful commands for troubleshooting:

! Clear all dynamic translations (static ones remain)
R1# clear ip nat translation *
 
! Watch translations happen in real time
R1# debug ip nat
! Then generate traffic and watch the output
! Remember to turn off debug when done:
R1# no debug ip nat

What's Next

NAT often works alongside other CCNA topics:

  • ACLs — filtering traffic before or after NAT translation. See the ACL configuration lab.
  • DHCP — assigning inside addresses dynamically while NAT handles the translation
  • Default routes — NAT routers typically have a default route pointing to the internet

For more CCNA hands-on practice, check out the OSPF lab guide or explore all CCNA labs.


Ready to practice? Get started with NetPilot — describe your NAT scenario and get a working lab in under 2 minutes.
