PAT – Port Address Translation configuration Cisco IOS
Port Address Translation (PAT) can be a valuable tool.
If you’re running low on public IP addresses but need to provide internet access for multiple devices on your private network, Port Address Translation (PAT) is a valuable tool. PAT, also known as overload, is a form of Network Address Translation (NAT) that allows many internal IP addresses to be mapped to a single public IP address.
With PAT, each outgoing connection from an internal host is translated to the router’s public IP address, with a unique port number assigned. This port number multiplexing allows multiple concurrent connections to be established through the single public IP. PAT is particularly useful for small office/home office environments, and whenever you simply don’t have enough public IPs for a one-to-one NAT mapping.
Configuring PAT on a Cisco router running IOS is a straightforward process involving a few key steps:
- Designating the inside and outside interfaces for NAT
- Defining the internal address space to be translated
- Enabling PAT/overload on the outside interface
In this guide, we’ll walk through each configuration step in detail, including optional tweaks like customizing the port range and blocking specific ports. By the end, you’ll have PAT up and running, sharing your single public IP address across multiple internal hosts and connections.
Whether you’re a network administrator looking to conserve public IPs or a home user wanting to share your internet connection, mastering PAT on Cisco IOS routers is an essential skill. Let’s get started!
To configure an interface for NAT overload (PAT – Port Address Translation) on a Cisco IOS router, follow these steps:
- Identify the inside and outside interfaces for NAT:
interface GigabitEthernet0/0
 ip nat outside
interface GigabitEthernet0/1
 ip nat inside
This marks the GigabitEthernet0/0 interface as the outside public interface and GigabitEthernet0/1 as the inside private interface.
- Create an access list to define the inside private networks:
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
This ACL selects which traffic NAT translates: packets sourced from the 192.168.0.0/24 network.
- Configure NAT overload on the outside interface:
ip nat inside source list 100 interface GigabitEthernet0/0 overload
This enables dynamic NAT overload, allowing multiple inside hosts to share the single public IP address on the outside interface GigabitEthernet0/0. The overload keyword enables PAT.
- Optionally, configure the port range for overload:
ip nat settings interface-overload port range 4501 65535
This sets the port range NAT can use for overload translations to 4501-65535. This reserves ports below 4501 for other applications like IPsec.
- Optionally, block a specific port from overload:
ip nat settings interface-overload block port tcp 5099
This blocks TCP port 5099 from being used for overload translations, allowing unrestricted access on that port.
By following these steps, you can enable NAT overload on a Cisco router interface. PAT allows multiple inside hosts to share a single public IP address while translating ports for concurrent connections.