Lesson 4 of 5

NAT PAT Configuration and Troubleshooting

Introduction

Network Address Translation (NAT) and Port Address Translation (PAT) are foundational technologies that every network engineer must understand. They allow private IPv4 addresses to communicate with external networks by translating them into public addresses at the router boundary. As organizations continue to manage mixed IPv4 and IPv6 environments, NAT has evolved well beyond simple one-to-one address mapping. Modern networks leverage PAT (also called NAT overload) to let many internal hosts share a single public IP, and advanced transition mechanisms like NAT64 and MAP-T bridge the gap between IPv4 and IPv6 domains entirely.

In this lesson, you will learn how to configure NAT with PAT overload using route maps and pools on Cisco routers, enable NAT64 on interfaces for IPv6 transition, and understand how MAP-T provides IPv4 connectivity across an IPv6-only infrastructure. By the end, you will be able to apply these configurations in a lab environment and troubleshoot common translation issues.

Key Concepts

Before diving into configuration, it is important to understand the core terminology and how each NAT variant differs.

NAT (Network Address Translation) replaces the source or destination IP address in a packet header as it crosses a router. This lets devices using private RFC 1918 addresses reach the public internet.

PAT (Port Address Translation), also known as NAT overload, extends NAT by also tracking TCP and UDP port numbers. Multiple internal hosts can share a single public IP address because each session is uniquely identified by its port number.

NAT64 is a stateful or stateless translation mechanism that converts IPv6 packets to IPv4 and vice versa. It allows IPv6-only hosts to communicate with IPv4 resources without requiring dual-stack on every device.

MAP-T (Mapping of Address and Port using Translation) combines MAP rules with stateless NAT64 to provide IPv4 connectivity over an IPv6-only network. It uses algorithmic address and port mapping rather than maintaining per-session state.

Feature          | NAT/PAT (Overload)                              | NAT64                               | MAP-T
Primary Use Case | Share public IPv4 addresses among private hosts | Bridge IPv6 hosts to IPv4 resources | IPv4 over IPv6-only infrastructure
Translation Type | IPv4 to IPv4                                    | IPv6 to IPv4 (and reverse)          | IPv4 to IPv6 via stateless NAT64 + NAT44
Statefulness     | Stateful (tracks sessions)                      | Can be stateful or stateless        | Stateless (algorithmic mapping)
Address Sharing  | Yes, via port multiplexing                      | Depends on deployment               | Yes, via Port Set Identifier (PSID)

A route map in the context of NAT lets you selectively choose which traffic gets translated. Instead of translating everything from an inside interface, a route map matches specific flows, giving you granular control over which sessions use which NAT pool.

How It Works

NAT with PAT Overload

When a router is configured for NAT overload, it maintains a translation table that maps each internal source address and port to the external pool address and a unique external port. The command structure ties together a route map for traffic matching, a named pool of public addresses, and the overload keyword to enable port-based multiplexing.

The packet flow works as follows:

  1. An inside host sends a packet with its private source IP and a source port.
  2. The router matches the packet against the route map criteria.
  3. If the packet matches, the router selects an address from the configured NAT pool.
  4. The router replaces the private source IP with the pool address and assigns a unique port number, recording the mapping in the translation table.
  5. When the return packet arrives, the router uses the translation table to reverse the mapping and forward the packet back to the original inside host.

NAT64 on Cisco IOS XE

NAT64 operates at the interface level. You enable it on both the LAN-facing (inside) interface and the WAN-facing (egress) interface. The router then translates between IPv6 and IPv4 headers for traffic crossing those boundaries. The LAN interface must have a valid IPv6 address assigned for NAT64 to function. On the egress side, NAT64 handles the conversion back to native IPv4 for reaching external destinations.

MAP-T Packet Flow

MAP-T is designed for service provider environments where the core network runs IPv6 only, but subscribers still need IPv4 internet access. The architecture involves two key devices:

  • MAP CE (Customer Edge): The customer premises device that performs IPv4-to-IPv6 translation and port mapping. It connects IPv4 users with private addresses to the IPv6 network.
  • MAP BR (Border Relay): The service provider edge device that connects the MAP domain to the native IPv4 network.

The step-by-step packet flow in a MAP-T deployment uses these specific addresses from the reference topology:

  • Inside host: 192.168.10.10
  • CPE (CE) public IPv4: 112.96.5.9
  • CPE (CE) IPv6: 2001:db8:100::1
  • CPE (CE) LAN IPv6: 2001:db8:100:aaaa::1
  • ISP BR IPv4: 112.96.5.9
  • ISP BR IPv6: 2001:db8:c04e::1
  • Destination site: 72.13.4.185

Step 1 -- The inside host at 192.168.10.10 opens a connection to a remote IPv4 site at 72.13.4.185 on port 443. The original packet has a source of 192.168.10.10:41001 and a destination of 72.13.4.185:443.

Step 2 -- The CPE (CE) performs NAPT44, translating the private source address to the shared public IPv4 address 112.96.5.9. It then removes the IPv4 header and synthesizes an IPv6 header. The CE embeds the IPv4 address and port information directly into the IPv6 address using hexadecimal encoding. The IPv4 address 112.96.5.9 becomes 7060:0509 in hex, and TCP port 41001 becomes a029. The resulting IPv6 packet has a source of 2001:db8:100::7060:0509:a029 and a destination of 2001:db8:c04e::480d:04b9 (where 480d:04b9 encodes the destination 72.13.4.185:443).

Step 3 -- The BR receives the IPv6 packet, checks that it matches its known MAP rules, reverses the algorithm to synthesize an IPv4 header, and forwards the packet onto the IPv4 internet with a source of 112.96.5.9:41001 and a destination of 72.13.4.185:443.

The operating mode for MAP-T endpoints is dual stack with shared IPv4 addressing, meaning multiple subscribers share the same public IPv4 address, differentiated by their assigned port sets.
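The address and port encoding from steps 2 and 3, as an added Python example that is not part of the lesson: the CE embeds the public IPv4 address and port into the IPv6 address, and the BR checks the packet against its MAP rule before reversing the encoding. The prefix lengths /80 and /96 are assumptions chosen to fit the lesson's simplified layout (prefix, then IPv4 in hex, then port); the full RFC 7599 MAP address format differs.

```python
import ipaddress

# Lesson topology values: the CE's MAP IPv6 prefix and the BR's Default Mapping
# Rule (DMR) prefix. The /80 and /96 lengths are assumptions chosen so that
# 48 bits (IPv4 + port) and 32 bits (IPv4 only) remain for the embedded fields.
CE_RULE = ipaddress.ip_network("2001:db8:100::/80")
DMR_RULE = ipaddress.ip_network("2001:db8:c04e::/96")


def ipv4_to_hextets(ipv4: str) -> str:
    """112.96.5.9 -> '7060:0509': the 32-bit address written as two hex groups."""
    n = int(ipaddress.IPv4Address(ipv4))
    return f"{n >> 16:04x}:{n & 0xFFFF:04x}"


def ce_encode_source(public_ipv4: str, port: int) -> str:
    """Step 2 at the CE: public IPv4 (after NAPT44) and port -> IPv6 source."""
    v4 = int(ipaddress.IPv4Address(public_ipv4))
    return str(ipaddress.IPv6Address(int(CE_RULE.network_address) | (v4 << 16) | port))


def ce_encode_destination(dst_ipv4: str) -> str:
    """Step 2: a destination outside the MAP domain -> DMR-prefixed IPv6 address."""
    v4 = int(ipaddress.IPv4Address(dst_ipv4))
    return str(ipaddress.IPv6Address(int(DMR_RULE.network_address) | v4))


def br_decode_source(ipv6_src: str) -> tuple:
    """Step 3 at the BR: check the packet against the known MAP rule, then
    recover (public IPv4, port) from the low 48 bits of the source address."""
    src = ipaddress.IPv6Address(ipv6_src)
    if src not in CE_RULE:
        raise ValueError(f"{src} matches no configured MAP rule; packet dropped")
    low = int(src) & ((1 << 48) - 1)
    return str(ipaddress.IPv4Address(low >> 16)), low & 0xFFFF


def br_decode_destination(ipv6_dst: str) -> str:
    """Step 3: recover the IPv4 destination from the low 32 bits of the DMR address."""
    dst = ipaddress.IPv6Address(ipv6_dst)
    if dst not in DMR_RULE:
        raise ValueError(f"{dst} is not inside the DMR prefix; packet dropped")
    return str(ipaddress.IPv4Address(int(dst) & 0xFFFFFFFF))


def map_t_flow(public_ipv4: str, port: int, dst_ipv4: str) -> dict:
    """Steps 2 and 3 end to end: what leaves the CE and what the BR forwards."""
    v6_src, v6_dst = ce_encode_source(public_ipv4, port), ce_encode_destination(dst_ipv4)
    ipv4_src, src_port = br_decode_source(v6_src)
    return {"ipv6": (v6_src, v6_dst), "ipv4": (ipv4_src, src_port, br_decode_destination(v6_dst))}
```

The hex groups the lesson quotes (7060:0509, a029, 480d:04b9) fall out of ipv4_to_hextets and the port formatting; the ValueError paths are what a BR does with a packet whose source does not fit any of its rules.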

Configuration Example

NAT with PAT Overload Using a Route Map

The following global configuration command enables inside source translation, using a route map named rm1 to select traffic and a pool named p3 for address allocation. The overload keyword enables PAT so multiple hosts share pool addresses:

ip nat inside source route-map rm1 pool p3 overload

This single command ties together three components:

  • route-map rm1: Defines which traffic should be translated. You would configure rm1 with match statements (such as matching an access list) to select the desired flows.
  • pool p3: A named pool of public IP addresses available for translation. The pool is defined separately with the ip nat pool command specifying a range of addresses and a netmask.
  • overload: Enables PAT, allowing the router to assign unique port numbers so that many inside hosts can share the same pool address simultaneously.
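The translation table that the five-step packet flow above builds, with the route-map check and the overload port allocation the command ties together, as an added Python simulation (not code from the lesson or from Cisco IOS). The ACL assumed behind rm1 and the single address in pool p3 are constructed values.

```python
import ipaddress

# Constructed stand-ins for the lesson's names: the ACL that route-map rm1 is
# assumed to match, and the single public address that "ip nat pool p3" holds.
RM1_PERMIT = [ipaddress.ip_network("192.168.10.0/24")]
POOL_P3 = ["203.0.113.10"]


class PatOverload:
    """Translation table built by 'ip nat inside source route-map rm1 pool p3 overload'."""

    def __init__(self, pool, first_dynamic_port=1024):
        self.pool = pool
        self.next_port = first_dynamic_port
        self.outbound = {}  # (inside_ip, inside_port) -> (pool_ip, external_port)
        self.inbound = {}   # (pool_ip, external_port) -> (inside_ip, inside_port)

    def route_map_matches(self, src_ip):
        """Step 2: only flows permitted by the ACL behind rm1 are translated."""
        return any(ipaddress.ip_address(src_ip) in net for net in RM1_PERMIT)

    def _allocate_port(self, pool_ip, wanted):
        """Step 4: keep the original source port when it is still free on the pool
        address (as PAT implementations try to do); otherwise pick the next free one."""
        if (pool_ip, wanted) not in self.inbound:
            return wanted
        port = self.next_port
        while (pool_ip, port) in self.inbound:
            port += 1
        self.next_port = port + 1
        return port

    def translate_outbound(self, src_ip, src_port):
        """Steps 2-4: return (pool_ip, external_port), or None when rm1 does not
        match and the packet is forwarded untranslated."""
        if not self.route_map_matches(src_ip):
            return None
        key = (src_ip, src_port)
        if key not in self.outbound:
            pool_ip = self.pool[0]  # step 3: select the pool address
            ext = (pool_ip, self._allocate_port(pool_ip, src_port))
            self.outbound[key] = ext
            self.inbound[ext] = key
        return self.outbound[key]

    def translate_inbound(self, dst_ip, dst_port):
        """Step 5: reverse the mapping for a return packet. None means there is no
        entry, so an unsolicited packet from outside has no inside host and is dropped."""
        return self.inbound.get((dst_ip, dst_port))
```

Two inside hosts using the same source port end up on the same pool address with different external ports, which is the multiplexing the overload keyword provides.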

NAT64 Interface Configuration

To enable NAT64, you configure it on both the LAN and egress interfaces. The LAN interface must carry a valid IPv4 address, and NAT64 is enabled as a feature on the interface:

interface Vlan1
 ip address 10.10.0.1 255.255.255.0
 nat64 enable
interface GigabitEthernet0/0/1
 nat64 enable

  • interface Vlan1: The LAN-facing interface where internal hosts connect. It is assigned the IPv4 address 10.10.0.1/24.
  • nat64 enable: Activates NAT64 processing on this interface. Traffic arriving on this interface will be evaluated for IPv6-to-IPv4 translation.
  • interface GigabitEthernet0/0/1: The egress (WAN-facing) interface. Enabling NAT64 here ensures that translated packets are processed in both directions.

Important: The LAN interface needs a valid IPv6 address for NAT64 to function properly. Make sure IPv6 is enabled and an address is assigned on the interface in addition to the IPv4 configuration shown above.

MAP-T Configuration Steps

Configuring MAP-T on IOS XE follows a structured sequence. The reference material outlines these steps in order:

  1. Create MAP-E domain instance -- Define a MAP domain to group all the translation rules.
  2. Define MAP Rules -- Configure the Basic Mapping Rule (BMR) that the service provider distributes. This rule defines how IPv4 addresses and ports map into IPv6 addresses.
  3. Specify BR address -- Identify the Border Relay IPv6 address so the CE knows where to send translated packets.
  4. Configure DMR (Default Mapping Rule) -- Set the source IP for encapsulation, which determines the IPv6 prefix used for destinations outside the MAP domain.
  5. Define traffic matching -- Specify which traffic should be subject to MAP-T translation.
  6. Define NAT mapping -- Create the NAT mapping that ties the MAP domain rules to the actual translation behavior.
  7. Enable NAT64 on LAN interface -- Activate NAT64 on the inside-facing interface with a valid IPv6 address.
  8. Enable NAT64 on egress interface -- Activate NAT64 on the outbound interface to complete the translation path.

Real-World Application

When to Use NAT/PAT Overload

PAT overload is the most commonly deployed form of NAT in enterprise networks. It is the standard approach when an organization has a limited number of public IPv4 addresses but many internal hosts. Branch offices, small businesses, and home networks all rely on PAT to provide internet access. Using route maps with NAT gives administrators the ability to apply different translation policies to different traffic flows, which is valuable when certain traffic should use specific public addresses or bypass NAT entirely.

When to Deploy NAT64 and MAP-T

NAT64 is deployed when organizations or service providers are migrating toward IPv6-only infrastructure but still need to reach IPv4 resources on the internet. Rather than maintaining a full dual-stack environment end-to-end, NAT64 lets the internal network run pure IPv6 while the translation boundary handles IPv4 communication.

MAP-T is particularly relevant in service provider environments where the access and core network have transitioned to IPv6 only. Subscribers still using IPv4 applications connect through a MAP CE device at the customer premises, which translates their IPv4 traffic into IPv6 for transport across the provider network. At the provider edge, the MAP BR reverses the translation to reach native IPv4 destinations. Because MAP-T is stateless and algorithmic, it scales efficiently -- the BR does not need to maintain per-session translation tables for every subscriber.

Best Practice: When deploying MAP-T, ensure that the Basic Mapping Rule is consistently configured on both the CE and BR. Mismatched rules will cause translation failures because the BR cannot reverse the algorithm if its rule set differs from what the CE used to encode the addresses.

Design Considerations

  • PAT overload can introduce challenges with applications that embed IP addresses in the payload (such as certain VoIP protocols), since only the header is translated.
  • NAT64 requires careful DNS handling (often paired with DNS64) so that IPv6 clients can resolve IPv4-only destinations.
  • MAP-T uses port set restrictions based on the PSID (Port Set Identifier), which means each subscriber gets a defined range of ports rather than the full 65,535. Plan capacity accordingly.

Summary

  • NAT with PAT overload uses route maps and pools to translate private IPv4 addresses to shared public addresses, with port numbers differentiating sessions.
  • NAT64 is enabled per-interface on Cisco IOS XE and translates between IPv6 and IPv4 at the network boundary, requiring a valid IPv6 address on the LAN interface.
  • MAP-T provides IPv4 connectivity over IPv6-only networks using stateless translation at the Customer Edge (CE) and Border Relay (BR), encoding IPv4 addresses and ports directly into IPv6 addresses using hexadecimal representation.
  • The MAP-T architecture uses a dual-stack endpoint operating mode with shared public IPv4 addressing, where the Basic Mapping Rule governs how addresses and ports are distributed.
  • Understanding these translation technologies is essential as networks transition from IPv4 to IPv6, ensuring connectivity is maintained throughout the migration.

Next, continue building your NAT and IPv6 transition skills by exploring stateful NAT64 configurations, DNS64 integration, and troubleshooting translation tables with show and debug commands in your lab environment.