NAT Overload (PAT)
1. Introduction
NAT Overload, also known as Port Address Translation (PAT), is a technique used by Cisco routers to allow multiple devices on a private network to share a single public IP address when accessing the internet.
Why does this matter?
Public IPv4 addresses are limited, and private IP addresses cannot be routed over the internet. In modern networks, the number of devices needing internet access continues to grow, creating pressure on limited public IP resources.
This is where basic Dynamic NAT quickly runs into a problem.
A Common Scenario
Imagine four devices (PC1 to PC4) on a private network want to access the internet. You’ve configured Dynamic NAT with a pool of only three public IP addresses.
What happens?
- PC1 to PC3: Their traffic is successfully translated and allowed online.
- PC4: Its request is denied because the public IP pool is exhausted.
This highlights a major limitation of Dynamic NAT:
Each session requires one public IP address.
Once the pool is used up, no new sessions can be established.
Dynamic NAT does not scale well in environments with many simultaneous users. That’s why NAT Overload (PAT) is the preferred solution in most Cisco deployments.
2. PAT (Port Address Translation)
To solve this limitation, Cisco introduced PAT, also known as NAT Overload.
What Makes PAT Different?
Instead of assigning one public IP per device, PAT allows many internal devices to share a single public IP address.
How Does It Work?
PAT translates not only the source IP address but also the source port number. This combination (Source IP + Source Port) forms a unique identifier for each session.
As a result, the router can track multiple connections, even if they all appear to come from the same public IP.
PAT in Action
Let’s walk through a simple example.
Example: PC1 Translation
- PC1 sends a packet with Source IP 192.168.1.10 and Source Port 20001.
- The router translates this packet to Source IP 37.5.55.103 and Source Port 40001.
- The destination server sees the request as coming from 37.5.55.103:40001.
The router stores this translation in its NAT table.
When the server replies, the router consults the table and forwards the packet back to PC1.
Multiple Devices Using PAT
Now let’s see what happens when multiple devices send traffic at the same time:
PC2 Sends Traffic
- PC2 also uses source port 20001.
- When the traffic reaches the router, PAT assigns a different global port, in this case 40002.
The PAT table now holds 2 entries. Even though both PC1 and PC2 are translated to the same public IP address, PAT distinguishes each device by the different global port used in the translation.
PC3 Sends Traffic
- PC3 also sends traffic to the web server with source port 20001.
- The router translates the Source IP to 37.5.55.103 and the Source Port to 40003.
As you can see, the router keeps track of all three devices, which share one single public IP with different global ports.
In Summary
PAT solves the scalability issue of Dynamic NAT by allowing multiple internal devices to:
- Share one public IP
- Use different Source Port translations for session tracking
This makes PAT a powerful solution for environments where many users need internet access with limited public IP resources.
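As an added example (not code from the course), the translation table from the walkthrough modelled in Python: outbound packets get a global port, server replies are mapped back to the right host, and a deliberately tiny port range shows what exhaustion looks like. The PC2 and PC3 addresses (192.168.1.11 and .12), the starting global port 40001 and the three-port range are assumptions for illustration.

```python
# Added example, not from the course page: a small model of a PAT table
# using the addresses and ports from the walkthrough above.
# Assumptions: PC2/PC3 are 192.168.1.11/.12, global ports start at 40001 and
# only three are available (real IOS uses much larger port ranges, and its
# "extended" entries also key on the destination address and port).
from dataclasses import dataclass, field

PUBLIC_IP = "37.5.55.103"   # the router's only public (inside global) address


@dataclass
class PatTable:
    public_ip: str = PUBLIC_IP
    first_port: int = 40001
    last_port: int = 40003                        # tiny range so exhaustion is reachable
    outbound: dict = field(default_factory=dict)  # (inside_ip, inside_port) -> global_port
    inbound: dict = field(default_factory=dict)   # global_port -> (inside_ip, inside_port)

    def translate_out(self, src_ip, src_port):
        """Outbound packet: return the (global_ip, global_port) the server sees,
        or None when no global port is free (PAT's equivalent of pool exhaustion)."""
        key = (src_ip, src_port)
        if key in self.outbound:                  # existing session reuses its entry
            return self.public_ip, self.outbound[key]
        for port in range(self.first_port, self.last_port + 1):
            if port not in self.inbound:          # first unused global port wins
                self.outbound[key] = port
                self.inbound[port] = key
                return self.public_ip, port
        return None

    def translate_in(self, dst_port):
        """Reply to public_ip:dst_port: return the (inside_ip, inside_port) to
        forward to, or None if no session owns that port (the reply is dropped)."""
        return self.inbound.get(dst_port)


def demo():
    """PC1..PC3 all use source port 20001, exactly as in the walkthrough."""
    table = PatTable()
    seen_by_server = [table.translate_out(f"192.168.1.{h}", 20001) for h in (10, 11, 12)]
    reply_to_pc2 = table.translate_in(40002)          # server answers 37.5.55.103:40002
    pc4 = table.translate_out("192.168.1.13", 20001)  # fourth host: no global port left
    stray = table.translate_in(40009)                 # unsolicited inbound: no entry
    return seen_by_server, reply_to_pc2, pc4, stray, len(table.outbound)


if __name__ == "__main__":
    print(demo())
```

The last two results show why PAT is also a filter: a reply for a port no session owns has nowhere to go and is dropped, and a host that cannot get a global port is refused just like PC4 was under Dynamic NAT.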
3. PAT Configuration
Now that you understand how PAT works, let’s look at the network topology and how to configure it on a Cisco router.
Quick Recap
In the previous example, we had this setup:
- An internal network: 192.168.1.0/24
- Three devices (PC1, PC2, PC3) trying to access the Internet
- A Cisco router with:
- Inside interface G0/0: 192.168.1.254
- Outside interface G0/1: 37.5.55.103 (our only public IP)
Our goal is to let all three internal hosts access the internet through this single public IP using PAT.
Step 1 – Define Inside and Outside Interfaces
We need to specify which interface is connected to the internal network and which one to the outside:
R1(config)# interface GigabitEthernet0/0
R1(config-if)# ip address 192.168.1.254 255.255.255.0
R1(config-if)# ip nat inside
R1(config)# interface GigabitEthernet0/1
R1(config-if)# ip address 37.5.55.103 255.255.255.0
R1(config-if)# ip nat outside
Step 2 – Create an Access List for Internal Devices
This access list defines which internal devices are allowed to use NAT.
R1(config)# ip access-list standard LOCAL_HOSTS
R1(config-std-nacl)# permit 192.168.1.0 0.0.0.255
Step 3 – Enable PAT Using the Overload Keyword
Now, we bind the access list to the outside interface and enable PAT. The overload keyword tells the router to use port numbers for multiple translations over the same IP.
R1(config)# ip nat inside source list LOCAL_HOSTS interface GigabitEthernet0/1 overload
Summary Diagram
You now have PAT configured using these 3 steps.
All internal hosts can access the internet via a single public IP.
4. Verifying PAT
Once PAT is configured, it’s important to verify that it’s working.
Show Active NAT Translations
Use the following command to view real-time PAT translations:
R1# show ip nat translations
In the output of this command:
- Inside local shows the original private IPs and source ports from your internal hosts.
- Inside global shows the translated public IP (37.5.55.103) with unique port numbers assigned by PAT.
- All three internal devices share the same public IP but use different ports, ensuring unique socket identifiers.
Show NAT Statistics
To monitor overall NAT usage and check for performance issues, use:
R1# show ip nat statistics
Total active translations: 3 (0 static, 3 dynamic; 3 extended)
Outside interfaces:
  GigabitEthernet0/1
Inside interfaces:
  GigabitEthernet0/0
Hits: 135  Misses: 0
CEF Translated packets: 135, CEF Punted packets: 0
Reserved port setting: disabled, provisioned: no
Expired translations: 2
Dynamic mappings:
-- Inside Source
[Id: 1] access-list LOCAL_HOSTS interface GigabitEthernet0/1 refcount 3
nat-limit statistics:
 max entry: max allowed 0, used 0, missed 0
Key Metrics to Watch
- Hits: Number of packets successfully translated
- Misses: Packets dropped due to port exhaustion or misconfiguration
- Dynamic mappings: Confirm that the correct access list and interface are in use
- refcount: Number of current sessions using the mapping
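As an added example (not from the course), a small Python parser that pulls the metrics just listed out of show ip nat statistics text and checks the dynamic mapping against the ACL and outside interface configured in Step 3. The sample text is the page's own output, re-typed here as constructed input.

```python
# Added example, not from the course page: extract the "Key Metrics to Watch"
# from show ip nat statistics text and sanity-check the dynamic mapping.
import re

# Constructed input: the statistics output shown above, re-typed for parsing.
SAMPLE_OUTPUT = """\
Total active translations: 3 (0 static, 3 dynamic; 3 extended)
Outside interfaces:
  GigabitEthernet0/1
Inside interfaces:
  GigabitEthernet0/0
Hits: 135  Misses: 0
CEF Translated packets: 135, CEF Punted packets: 0
Expired translations: 2
Dynamic mappings:
-- Inside Source
[Id: 1] access-list LOCAL_HOSTS interface GigabitEthernet0/1 refcount 3
"""


def parse_nat_statistics(text):
    """Return the counters and the dynamic mapping as a dict (None if absent)."""
    def number(pattern):
        m = re.search(pattern, text)
        return int(m.group(1)) if m else None

    mapping = re.search(r"access-list (\S+) interface (\S+) refcount (\d+)", text)
    return {
        "active": number(r"Total active translations: (\d+)"),
        "dynamic": number(r"(\d+) dynamic"),
        "hits": number(r"Hits: (\d+)"),
        "misses": number(r"Misses: (\d+)"),
        "expired": number(r"Expired translations: (\d+)"),
        "acl": mapping.group(1) if mapping else None,
        "interface": mapping.group(2) if mapping else None,
        "refcount": int(mapping.group(3)) if mapping else None,
    }


def check_pat(stats, acl="LOCAL_HOSTS", outside="GigabitEthernet0/1"):
    """Return findings against the Step 3 configuration; an empty list means OK."""
    findings = []
    if stats["acl"] != acl or stats["interface"] != outside:
        findings.append("dynamic mapping is not bound to the expected ACL/interface")
    if stats["dynamic"] != stats["refcount"]:   # in this topology the two should agree
        findings.append("refcount differs from the dynamic translation count")
    if not stats["hits"]:
        findings.append("no packets translated yet")
    return findings
```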