NAT & PAT Explained — Inside Local, Inside Global, and Overload (CCNA Tutorial)
Free CCNA-level NAT and PAT tutorial for US networking learners. Static vs dynamic vs PAT/overload, the four inside/outside local/global terms decoded, the config, and the show commands that prove it works.
NAT is not a hard topic. The concept — a router rewriting IP addresses as packets cross it — takes about thirty seconds to understand. What trips people up is the vocabulary: inside local, inside global, outside local, outside global. Four terms that sound interchangeable and aren’t.
So this tutorial does two things: makes the concept click, then nails down the four terms so the exam questions become free points. This is the CCNA-scoped version — for carrier-grade NAT, NAT64, and the deeper edge cases, see the full NAT & PAT library topic.
The one-line idea
The public internet ran out of IPv4 addresses years ago. NAT is the workaround that kept it running.
Organizations use private IP ranges (RFC 1918) internally — addresses the public internet refuses to route:
| Range | Typical use |
|---|---|
| 10.0.0.0/8 | Large enterprise |
| 172.16.0.0/12 | Mid-size networks |
| 192.168.0.0/16 | Home + small business |
When a private host wants to reach the internet, the NAT router on the edge rewrites the source IP from private to a public address it owns. The reply comes back to that public address; the router checks its translation table and rewrites the destination back to the private IP before forwarding it inside. (If /8 and /12 still look like magic, read Subnetting in your head first — NAT is much easier once CIDR is automatic.)
That’s the whole mechanism. Everything else is detail.
The three flavors
| Flavor | Mapping | When you use it |
|---|---|---|
| Static NAT | Fixed 1:1 — one private IP always maps to one public IP | An inside server that must be reachable from the internet |
| Dynamic NAT | A pool of public IPs handed out 1:1, returned when idle | Rare today — you’d need a stack of spare public IPs |
| PAT (overload) | Many private hosts share one public IP, told apart by source port | The default. Every home router, every branch office |
PAT is what you’ll deploy 99% of the time. The exam tests all three, but knowing which one fits a scenario is the skill that matters.
The four terms — the part everyone gets wrong
Two axes. Learn them once and every NAT question becomes mechanical.
- Inside = a host on our network.
- Outside = a host on someone else’s network.
- Local = the address as seen from the inside.
- Global = the address as seen from the outside (the routable internet).
Cross the two axes and you get four combinations:
| Term | Plain English | Example |
|---|---|---|
| Inside Local | Our host’s private IP, before translation | 10.0.0.5 |
| Inside Global | Our host’s public IP, after translation | 203.0.113.7 |
| Outside Global | The remote host’s real public IP | 8.8.8.8 |
| Outside Local | The remote host as seen from inside (usually = Outside Global) | 8.8.8.8 |
The exam loves this question: “10.0.0.5 becomes 203.0.113.7 while talking to 8.8.8.8. What is the Inside Global address?” Answer: 203.0.113.7.
The mnemonic that makes it automatic:
Inside = our hosts. Local = before translation. Global = after translation.
So “Inside Local” = our host before translation = the private IP. “Inside Global” = our host after translation = the public IP. Draw the arrow 10.0.0.5 → 203.0.113.7 and label the left side Local, the right side Global. You’ll never miss it again.
PAT — what your home router actually does
Right now, every device in your house is sharing one public IP. PAT (Port Address Translation, or NAT Overload) makes that work by adding the source port to the translation:
Inside → Inside Global (shared) → Outside
10.0.0.5 : 50000 → 203.0.113.7 : 50000 → 8.8.8.8 : 443
10.0.0.6 : 51000 → 203.0.113.7 : 51000 → 8.8.8.8 : 443
10.0.0.7 : 52000 → 203.0.113.7 : 52000 → 8.8.8.8 : 443
All three conversations leave from the same public IP — the router tells them apart by source port. When two hosts happen to pick the same source port, the router rewrites one of them to keep the pair unique.
One CCNA gotcha worth banking: ICMP has no ports. So when you ping from behind PAT, the router can’t overload on a port — it rewrites the ICMP Query ID instead. Same idea, different field.
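The table-building behavior described above, as an added example (not from the original tutorial and not Cisco IOS code). It is a simplified model that assumes one shared inside global address and one unique translated id per protocol; the class and method names are hypothetical.

```python
# Added illustration of a PAT (overload) table; a simplified model, not Cisco IOS code.
class PatTable:
    def __init__(self, inside_global):
        self.inside_global = inside_global
        self.by_local = {}   # (proto, inside local IP, id) -> translated id
        self.by_global = {}  # (proto, translated id) -> (inside local IP, id)

    def outbound(self, proto, src_ip, src_id):
        """Translate an inside-local source. src_id is the TCP/UDP source
        port, or the ICMP Query ID when proto is "icmp"."""
        key = (proto, src_ip, src_id)
        if key not in self.by_local:
            gid = src_id  # keep the host's own port when it is free
            for _ in range(65536):
                if (proto, gid) not in self.by_global:
                    break
                gid = gid + 1 if gid < 65535 else 1024  # collision: try the next id
            else:
                raise RuntimeError("no free id left on " + self.inside_global)
            self.by_local[key] = gid
            self.by_global[(proto, gid)] = (src_ip, src_id)
        return self.inside_global, self.by_local[key]

    def inbound(self, proto, dst_id):
        """Untranslate a reply addressed to the inside global IP.
        Returns (inside local IP, id), or None when no entry matches."""
        return self.by_global.get((proto, dst_id))


def demo():
    pat = PatTable("203.0.113.7")
    flows = [("tcp", "10.0.0.5", 50000),   # first host keeps its port
             ("tcp", "10.0.0.6", 50000),   # same port: must be rewritten
             ("icmp", "10.0.0.5", 1),      # ping: Query ID takes the port's place
             ("icmp", "10.0.0.6", 1)]
    return [pat.outbound(*f) for f in flows], pat

if __name__ == "__main__":
    translated, pat = demo()
    for row in translated:
        print(row)
    print(pat.inbound("tcp", 50001))
```

The second TCP flow and the second ping each come out with a rewritten id, and the reply lookup maps the rewritten port back to the original host and port.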
The config — the two patterns to memorize
PAT / overload (the everyday config)
! 1. Tag the interfaces
R1(config)# interface Gig0/0
R1(config-if)# ip nat inside
R1(config)# interface Gig0/1
R1(config-if)# ip nat outside
! 2. Pick which inside sources may be translated (an ACL)
R1(config)# ip access-list standard NAT-INSIDE
R1(config-std-nacl)# permit 10.0.0.0 0.0.0.255
! 3. Enable PAT, overloading the outside interface
R1(config)# ip nat inside source list NAT-INSIDE interface Gig0/1 overload
The overload keyword is what makes it PAT instead of plain 1:1 NAT. The ACL decides which inside sources get translated — point it at the wrong subnet and nothing matches (a top-3 mistake).
Static NAT (for an inside server)
! Inside server 10.0.0.50 is reachable from the internet as 203.0.113.50
R1(config)# ip nat inside source static 10.0.0.50 203.0.113.50
This 1:1 mapping is permanent — it sits in the translation table even when no traffic is flowing.
Verify it — the commands that prove NAT works
R1# show ip nat translations
R1# show ip nat statistics
show ip nat translations is the daily driver. Healthy PAT output looks like this:
Pro Inside global Inside local Outside local Outside global
tcp 203.0.113.7:50000 10.0.0.5:50000 8.8.8.8:443 8.8.8.8:443
tcp 203.0.113.7:51000 10.0.0.6:51000 8.8.8.8:443 8.8.8.8:443
--- 203.0.113.50 10.0.0.50 --- ---
The first two rows are PAT (note the protocol and ports). The last row — protocol ---, no ports — is a static NAT entry: it never times out. That --- is how you spot a static mapping at a glance.
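An added example (not part of the original tutorial) that reads the output above and separates the standing static mappings from the PAT entries. It treats a row whose protocol is --- as static, as the text does; the function names are hypothetical.

```python
# Added example: parse `show ip nat translations` text and pick out static entries.
from collections import defaultdict

# The output shown above on this page, embedded so the example runs offline.
SAMPLE = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 203.0.113.7:50000  10.0.0.5:50000     8.8.8.8:443        8.8.8.8:443
tcp 203.0.113.7:51000  10.0.0.6:51000     8.8.8.8:443        8.8.8.8:443
--- 203.0.113.50       10.0.0.50          ---                ---
"""

def split_addr(field):
    """'203.0.113.7:50000' -> ('203.0.113.7', 50000); '---' -> (None, None)."""
    if field == "---":
        return None, None
    ip, _, port = field.partition(":")
    return ip, int(port) if port else None

def parse_translations(text):
    entries = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) != 5:  # skips the header (9 words) and blank lines
            continue
        entries.append({
            "proto": cols[0],
            "inside_global": split_addr(cols[1]),
            "inside_local": split_addr(cols[2]),
            "outside_global": split_addr(cols[4]),
            "static": cols[0] == "---",  # the page's tell: protocol ---, no ports
        })
    return entries

def static_mappings(entries):
    """(inside global IP, inside local IP) pairs that never time out."""
    return [(e["inside_global"][0], e["inside_local"][0]) for e in entries if e["static"]]

def pat_sharing(entries):
    """Inside global IP -> sorted inside local hosts currently overloaded onto it."""
    shared = defaultdict(set)
    for e in entries:
        if not e["static"]:
            shared[e["inside_global"][0]].add(e["inside_local"][0])
    return {ip: sorted(hosts) for ip, hosts in shared.items()}
```

The list returned by static_mappings is the set of inside hosts with a permanent mapping, which is the list to check against the firewall rules.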
When NAT “isn’t working” — the 6-step check
Nine times out of ten in a CCNA lab, it’s one of these:
- Interfaces tagged? show ip nat statistics — does it list the correct inside and outside interfaces? You need both.
- ACL matching? show access-lists — is the hit counter rising? Zero hits means the ACL’s source range is wrong.
- Translations appearing? show ip nat translations — empty table means the ACL didn’t match or an interface isn’t tagged.
- overload present? Without it you get 1:1 dynamic NAT, which exhausts fast.
- Public IP routable back? For static NAT, the upstream must actually route that public address to you.
- Right subnet in the ACL? The ACL must permit your inside-local (private) sources — not the public side.
Common mistakes (memorize these)
- Forgetting an interface tag. No ip nat inside and ip nat outside → nothing translates.
- ACL pointed the wrong way. It must list the private inside sources, not the public addresses.
- Dropping overload. Without it, dynamic NAT runs out after the pool size.
- Static NAT to an IP you don’t own. Replies never arrive — usually use the router’s own outside-interface IP.
- Assuming NAT is security. NAT is address translation, not access control. Always pair it with a real firewall.
Try it yourself
Reading about translation tables is one thing — watching one build is another. Two free, no-login tools:
- NAT / PAT simulator — send packets from inside hosts to the internet, watch R1 rewrite the source IP and port, see the translation table fill in, then watch the reply get untranslated. Flip between PAT, static, and dynamic, and break it on purpose (missing ip nat inside, wrong ACL) to see exactly where traffic dies.
- NAT / PAT “fix the lab” — a partially-configured Packet Tracer file where NAT is broken on purpose. Diagnose it and finish the config.
Do the simulator first to build the mental picture, then the lab to build the muscle memory.
Where NAT goes next (beyond CCNA)
Once the CCNA version is solid, the real-world extensions are: CGNAT (your ISP doing a second layer of NAT, the 100.64.x.x addresses), NAT-T (UDP 4500, how IPsec VPNs survive PAT), and NAT64 (bridging IPv6-only clients to IPv4-only servers). They all live in the full NAT & PAT topic — and they all matter less as IPv6 rolls out, since IPv6 removes the address shortage that NAT exists to patch.
What’s next
- NAT & PAT — full library topic — the complete reference with worked scenarios, debug workflow, and the simulator built in.
- Cisco ACLs explained — because NAT leans on an ACL to choose its sources.
- DHCP and Subnetting — the two topics that make NAT labs feel effortless.
The four terms are the whole battle. Get inside local vs inside global to reflex and the rest of NAT is just two config patterns and a show command. We drill exactly this kind of “make it automatic” repetition — on real gear, with feedback — in the 1:1 CCNA program. First session is free.