ip nat inside source list
Configures dynamic Network Address Translation (NAT) and Port Address Translation (PAT). By tying an Access Control List (ACL) to a public interface or IP pool, this command allows an entire subnet of private internal users to masquerade behind a single public IP address using randomized Layer 4 port numbers to track sessions.
Quick Reference
Router(config)#(PAT / Overload)show ip nat translationsSyntax Breakdown
Unlike static NAT, this command operates like a conditional logic gate: "If a packet's source IP is permitted by [acl], change its source IP to match the public IP assigned to [exit-int], and keep track of the session."
- list [acl]: References a Standard Access List (e.g., 1). This tells the router who is allowed to be translated.
- interface [exit-int]: Usually the router's WAN port connected to the ISP (e.g., GigabitEthernet0/0). This tells the router what public IP to stamp onto the packets.
- overload: The most critical keyword. It activates PAT. It tells the router to assign a unique Layer 4 source port (like :54321) to every outbound connection so it can untangle the return traffic and send it back to the correct internal PC.
CLI Deployment Scenarios
Scenario 1: Standard Enterprise Internet Access
You need to provide internet access to your entire internal 10.0.0.0/8 network. You will map them to your single public interface (g0/1).
Scenario 2: The Dynamic NAT Pool Alternative
If your enterprise owns a block of public IPs (e.g., 203.0.113.10 to 203.0.113.20), you can spread the translation load across all of them by replacing the interface keyword with a pool.
CCNA Exam Gotchas
The Missing 'Overload' Disaster
If you type ip nat inside source list 1 interface g0/1 and forget the overload keyword, you have configured Dynamic NAT, not PAT. Dynamic NAT maps one private IP to one public IP until all public IPs are exhausted. Because you only have one public IP on that interface, the very first internal PC to open a web browser will claim the IP, and every other device in the entire company will be completely blocked from the internet.
Applying the ACL to the Interface by Mistake
The ACL used for NAT (e.g., access-list 1) is strictly meant to be referenced by the global NAT command. A common junior engineer mistake is entering the interface configuration mode and accidentally applying it as a traffic filter using ip access-group 1 in. This will cause erratic traffic dropping. Let NAT use the ACL logically in the background.