Network Address Translation

Terminology and Features

Network Address Translation (NAT) is designed for IPv4 address simplification and conservation. NAT
enables private IP internetworks that use nonregistered IP version 4 (IPv4) addresses to connect to the
Internet. Usually, NAT connects two networks and translates the private (inside) addresses in the internal
network into public addresses before packets are forwarded to another network. As part of this functionality,
you can optionally configure NAT to advertise only one address for the entire network to other external
internetworks. Advertising only one address effectively hides the internal network from the world, thus
providing a layer of additional security.

NAT is defined in RFC 1631. Details are available at http://www.faqs.org/rfcs/rfc1631.html. For purposes of
this paper, we will be referring strictly to the IPv4 address space.

In NAT terminology, the “inside network” is the set of networks that are subject to translation. The “outside
network” refers to all other addresses. Usually these are valid addresses located on the Internet.

Cisco defines the following list of NAT terms:

 Inside local address: An IP address that is assigned to a host on the inside network.
 Inside global address: A legitimate IP address that is assigned by the network interface card
(NIC) or service provider that represents one or more inside local IP addresses to the outside
world.
 Outside local address: The IP address of an outside host as it appears to the inside network.
Not necessarily legitimate, the outside local address is allocated from a routable address space
on the inside.
 Outside global address: The IP address that is assigned to a host on the outside network by
the host owner. The outside global address is allocated from a globally routable address or
network space.
NAT offers these benefits:

 Eliminates the need to readdress all hosts that require external access, saving time and money.
 Conserves addresses through application port-level multiplexing. With NAT, internal hosts can
share a single registered IP address for all external communications, thus conserving IP
addresses.
 Protects network security, because private networks do not advertise their addresses or internal
topology.
One of the main features of NAT is static Port Address Translation (PAT), which is also referred to as
“overload” in Cisco IOS terminology. PAT allows you to translate multiple internal addresses into a single
external address, essentially allowing the internal addresses to share one external address.

 PAT uses unique source port numbers on the inside global IP address to distinguish between
translations. Because the port number is encoded in 16 bits, the total number of internal
addresses that NAT can translate into one external address is, theoretically, as many as 65,536.

1 Network Address Translation: Terms and Features © 2010 Cisco Systems, Inc.
 NOTE: Although the maximum number of ports is theoretically 65,536, some ports are
reserved. Thus, the actual number of ports will be somewhat less in practical applications.
 PAT attempts to preserve the original source port. If the source port is already allocated, PAT
attempts to find the first available port number. It starts from the beginning of the appropriate port
group, 0 to 511, 512 to 1023, or 1024 to 65535. If PAT does not find an available port from the
appropriate port group and if more than one external IP address is configured, PAT moves to the
next address and tries to allocate the original source port again. PAT continues trying to allocate
the original source port until it runs out of available ports and external IP addresses.
NAT has many forms and can work in the following ways:

 Static NAT: Maps an unregistered IP address to a registered IP address (one to one). Static
NAT is particularly useful when a device must be accessible from outside of the network.
 Dynamic NAT: Maps an unregistered IP address to a registered IP address from a pool of
registered IP addresses.
 NAT overloading: Maps multiple unregistered IP addresses to a single registered IP address
(many to one) by using different ports. Overloading is also known as PAT and is a form of
dynamic NAT, but you can also configure static PAT.

Using Cisco IOS CLI Command Syntax for NAT/PAT

To display active translation information, use the command show ip nat translations in EXEC mode.

The following table describes the show ip nat translations fields.

Field Description
Pro Protocol of the port that identifies the address
Inside global The legitimate IP address that represents one or more inside local
IP addresses to the outside world
Inside local The IP address that is assigned to a host on the inside network
Outside local IP address of an outside host as it appears to the inside network
Outside global The IP address that is assigned to a host on the outside network by
its owner
Create How long ago the entry was created (in hours:minutes:seconds)
Use How long ago the entry was last used (in hours:minutes:seconds)
Flags The flag is an indication of the type of translation and can be one of
the following:
 extended: Extended translation
 static: Static translation
 destination: Rotary translation
 outside: Outside translation
 timing out: Translation will no longer be used, due to a TCP
finish (FIN) or reset (RST) flag

In a simple network environment, it is useful to monitor NAT statistics with the show ip nat statistics
command. However, in a more complex NAT environment with several translations taking place, this show
command may not prove as useful due to the quantity of information that may be output.

2 Network Address Translation: Terms and Features © 2010 Cisco Systems, Inc.
The following table describes the information that each show ip nat statistics field presents.

Field Description
Total The number of translations that are active in the system. This
translations number is incremented each time a translation is created and is
decremented each time a translation is cleared or times out.
Outside The interfaces that are marked as outside with the ip nat outside
interfaces command.
Inside The interfaces that are marked as inside with the ip nat inside
interfaces command.
Hits The number of times that the software looks up an entry in the
translations table and finds an entry.
Misses The number of times that the software looks up a translations
table, fails to find an entry, and must try to create one.
Expired The cumulative count of translations that has expired since the
translations router was booted.
Dynamic The information that follows is about dynamic mappings.
mappings
Inside source The information that follows is about an inside source translation.
access-list The ACL number that is being used for the translation.
pool The name of the pool.
refcount The number of translations that are using this pool.
netmask The IPv4 network mask that is used in the pool.
start The starting IPv4 address in the pool range.
end The ending IPv4 address in the pool range.
type The type of pool. Possible types are generic or rotary.
total addresses The number of addresses in the pool that are available for
translation.
allocated The number of addresses that are being used.
misses The number of failed allocations from the pool.

3 Network Address Translation: Terms and Features © 2010 Cisco Systems, Inc.
On occasion, there is a need to clear the translation table. The following table lists clear ip nat translation
commands that you can use to clear the entries before they time out.

Command
clear ip nat translation *
clear ip nat translation
inside global-ip local-ip
[outside local-ip global-ip]
clear ip nat translation
outside local-ip global-ip
clear ip nat translation
protocol inside global-ip
global-port local-ip local-
port [outside local-ip
local-port global-ip global-
port]
Description
Clears all dynamic address translation
entries from the NAT translation table.
Clears a simple dynamic translation entry
that contains an inside translation or both
an inside and outside translation.
Clears a simple dynamic translation entry
containing an outside translation.
Clears an extended dynamic translation
entry (PAT entry).

This brief paper is intended to establish a basic foundation relating to NAT/PAT on Cisco IOS routers. For
more detailed information and command-line interface (CLI) commands, please refer to Cisco IOS
configuration guides and command references on Cisco.com.

4 Network Address Translation: Terms and Features © 2010 Cisco Systems, Inc.