Adjacent Node
Networking, explained. No BS.
NAT
What It Is
Network Address Translation changes IP addresses, and sometimes transport ports, as packets cross a boundary. NAT is used for Internet edge PAT, static publishing, overlapping networks, cloud egress, partner connectivity, and legacy address workarounds. NAT is not a security boundary by itself, but it often sits next to firewall policy and can make troubleshooting much harder.
NAT Address Terms
| Term | Meaning | Example |
|---|---|---|
| Inside local | Real address of an inside host before translation | 10.10.20.25 |
| Inside global | Translated address representing inside host externally | 198.51.100.25 |
| Outside global | Real address of an outside host | 203.0.113.10 |
| Outside local | Translated address representing outside host internally | 10.255.10.10 |
Modern note: The inside/outside local/global terms are Cisco-heavy but still useful. Always draw NAT from the perspective of the translating device.
Common NAT Types
| Type | What It Does | Common Use |
|---|---|---|
| Static NAT | One inside address maps to one translated address | Publish a host or preserve fixed mapping |
| Dynamic NAT | Inside addresses map to a pool | Less common now |
| PAT / NAPT | Many addresses share one or more addresses using ports | Internet egress |
| Static PAT | One port maps to another address and port | Publish a specific service |
| Twice NAT | Source and destination are translated | Overlapping networks or partner VPN |
| NAT exemption | Do not translate matching traffic | VPN protected traffic |
| NAT64 | IPv6 clients reach IPv4 services | IPv6 transition |
| CGNAT | Provider-scale customer NAT | ISP and mobile networks |
Watch out: NAT order of operations is platform-specific. On firewalls, routers, and cloud gateways, policy may see pre-NAT or post-NAT addresses depending on direction and feature.
Design Notes
| Design Choice | Guidance |
|---|---|
| Internet egress | PAT is normal, log translations if you need attribution |
| Inbound publishing | Prefer reverse proxy, load balancer, or firewall policy where appropriate |
| Site-to-site VPN | Exempt VPN traffic from Internet NAT unless doing deliberate NAT over VPN |
| Overlap handling | Use twice NAT carefully and document both real and translated ranges |
| Cloud NAT | Know provider reserved addresses, SNAT port limits, and logging options |
| IPv6 | Avoid NAT66 as a default design |
| Troubleshooting | Always identify original source, translated source, original destination, and translated destination |
Modern note: NAT hides address structure, not intent. Treat NAT and firewall policy as separate decisions.
Cisco IOS/IOS-XE Examples
NAT boundary:
interface GigabitEthernet0/0
description Inside LAN
ip address 10.10.20.1 255.255.255.0
ip nat inside
!
interface GigabitEthernet0/1
description Internet edge
ip address 198.51.100.2 255.255.255.252
ip nat outsidePAT to interface:
ip access-list standard NAT-INSIDE
permit 10.10.20.0 0.0.0.255
!
ip nat inside source list NAT-INSIDE interface GigabitEthernet0/1 overloadStatic service translation:
ip nat inside source static tcp 10.10.20.50 443 198.51.100.50 443VPN NAT exemption pattern:
ip access-list extended NAT-EXEMPT
deny ip 10.10.20.0 0.0.0.255 10.30.0.0 0.0.255.255
permit ip 10.10.20.0 0.0.0.255 any
!
ip nat inside source list NAT-EXEMPT interface GigabitEthernet0/1 overloadNotes:
- For IOS NAT ACLs,
permitmeans eligible for NAT, anddenymeans do not NAT. - Static PAT publishes a service. It does not replace firewall filtering.
- Use remarks and diagrams for any overlap or twice NAT design.
Troubleshooting
| Symptom | Check | Likely Cause |
|---|---|---|
| Inside host cannot reach Internet | NAT ACL, route, outside interface, translations | No NAT match or no default route |
| VPN traffic goes to Internet | NAT exemption | Protected traffic is being PATed |
| Inbound service fails | Static NAT/PAT, firewall, route back | Missing translation or policy |
| Works for some users only | Translation table, port exhaustion, pool size | PAT exhaustion |
| Partner traffic hits wrong host | Twice NAT rules and order | Overlap mapping error |
| App embeds IP in payload | ALG, protocol behavior, TLS | NAT cannot fix application payload |
| Logs show public IP only | Translation logging | Missing user attribution |
Commands
show ip nat translations
show ip nat translations verbose
show ip nat statistics
clear ip nat translation *
show access-lists NAT-INSIDE
show ip routeExpected clues:
- Matching traffic creates translations.
- Inside local maps to the intended inside global.
- Return traffic matches an existing translation.
- NAT ACL counters increment only for traffic meant to be translated.
- Routes send traffic through the NAT device in both directions.
Watch Out
- Do not troubleshoot NAT without a packet walk.
- Do not assume NAT equals firewall policy.
- Do not use NAT to avoid fixing bad address planning unless the tradeoff is explicit.
- Do not forget DNS when publishing services through NAT.
- Do not ignore PAT port exhaustion on busy egress gateways.
- Do not translate traffic before IPsec unless that is the intended design.