IPv4 Addressing - NAT (Network Address Translation)

What is NAT?

NAT (Network Address Translation) is a method used by routers to translate private IP addresses to a public IP address (and vice versa) for internet communication.

Why is NAT used?

NAT helps conserve public IP addresses and adds a layer of security by hiding internal network structures.

What are the types of NAT?

Common types include Static NAT, Dynamic NAT, and PAT (Port Address Translation, also called NAT Overload).

What is Static NAT?

Maps one private IP address to one public IP address. Used when a device needs to be consistently reachable from the internet.

What is Dynamic NAT?

Maps a private IP to any available public IP from a pool. The mapping changes over time.

Does NAT provide security?

Yes, to some extent. It hides internal IP addresses from external networks, reducing direct attack surfaces.

Is NAT used in IPv6?

Generally no. IPv6 has a vast address space, eliminating the need for NAT.

Where is NAT configured?

NAT is typically configured on routers or firewalls at the network edge.

Is NAT Windows specific?

No, NAT is not Windows specific. It is supported on various platforms including routers, firewalls, and operating systems like Windows, Linux, and BSD.

Is NAT Linux specific?

No, NAT is not Linux specific. However, Linux systems commonly implement NAT using tools like iptables or nftables.

Which Transport Protocol is used by NAT?

NAT is transport protocol-agnostic. It works at the IP level and supports TCP, UDP, ICMP, and other IP-based protocols.

Which Port is used by NAT?

NAT does not use a specific port. It translates IP addresses and may modify port numbers (especially in PAT), but it itself does not operate on a particular port.

Is NAT using client-server model?

No, NAT is not a communication protocol and does not follow the client-server model. It is a network function that facilitates communication between clients and servers.

What is the difference between NAT and PAT?

NAT translates IP addresses, while PAT translates both IP addresses and port numbers to allow multiple devices to share a single public IP.

Can NAT cause problems for some applications?

Yes, NAT can interfere with protocols that embed IP information in the payload, such as FTP or SIP, unless NAT traversal techniques are used.

What is NAT traversal?

Techniques that enable protocols to work through NAT devices, such as STUN, TURN, and ICE, allowing peer-to-peer connections.

What is a NAT table?

A NAT table keeps track of active mappings between private and public IP addresses and ports.

What is NAT Overload?

Another term for PAT, where many private IPs share a single public IP by differentiating connections with port numbers.

Can NAT affect VPN connections?

Yes, NAT can complicate VPN setup and operation due to IP translation and may require special configuration like NAT Traversal.

Does NAT change the MAC address?

No, NAT operates at the network layer and does not modify MAC addresses.

Is NAT stateful or stateless?

NAT is stateful, tracking active sessions to maintain accurate IP and port mappings.

What happens if NAT runs out of available public IP addresses?

New outgoing connections cannot be established until existing mappings expire or more public IPs become available.

Can NAT be used with IPv4 and IPv6 simultaneously?

Yes, NAT64 allows IPv6-only devices to communicate with IPv4 networks using translation techniques.

What is Hairpin NAT?

A NAT feature that allows internal devices to communicate with other internal devices using the public IP address.

Does NAT improve network performance?

Not directly; NAT primarily manages IP address translation but may introduce slight latency.

Can NAT be used in data centers?

Yes, NAT is often used to manage IP addressing and secure internal networks in data centers.

What is Port Forwarding in relation to NAT?

Port forwarding redirects incoming traffic on a specific port to an internal device’s IP and port.

Does NAT support multicast traffic?

NAT generally does not support multicast traffic well because it’s designed for unicast IP translation.

What is the impact of NAT on end-to-end connectivity?

NAT breaks true end-to-end connectivity by modifying IP addresses, which can affect peer-to-peer applications.

Can NAT be bypassed?

Certain tunneling protocols or VPNs can bypass NAT restrictions by encapsulating traffic.

What role does NAT play in IPv4 exhaustion?

NAT helps mitigate IPv4 exhaustion by allowing multiple private devices to share fewer public IPs.

What is a NAT gateway?

A NAT gateway is a network device or service that performs NAT functions for a network segment.

Is NAT compatible with cloud environments?

Yes, cloud providers often use NAT gateways or instances to manage network address translation in virtual networks.


Version & RFC Details

| NAT Type | RFC Version | Year | Core Idea / Contribution |
|---|---|---|---|
| Basic NAT | RFC 2663 | 1999 | Introduced NAT terminology and basic concepts; defined Basic NAT and NAPT (Port Translation). |
| Basic NAT | RFC 3022 | 2001 | Detailed Traditional NAT operation; clarified address translation and port multiplexing. |
| NAPT (PAT) | RFC 2663 | 1999 | Introduced NAT terminology and basic concepts; defined Basic NAT and NAPT (Port Translation). |
| NAPT (PAT) | RFC 3022 | 2001 | Detailed Traditional NAT operation; clarified address translation and port multiplexing. |
| NAT Behavioral Requirements (UDP) | RFC 4787 | 2007 | Standardized NAT behavior for UDP to improve application compatibility. |
| NAT Behavioral Requirements (TCP) | RFC 5382 | 2008 | Defined NAT behavior for TCP, including connection tracking and port preservation. |
| NAT Behavioral Requirements (ICMP) | RFC 5508 | 2009 | Extended NAT behavior guidelines to ICMP traffic. |
| NAT64 | RFC 6146 | 2011 | Enables IPv6-only clients to communicate with IPv4 servers. |
| Carrier-Grade NAT (CGN) | RFC 6888 | 2013 | Requirements for large-scale NATs used by ISPs to conserve IPv4 addresses. |
| NAT Behavioral Updates | RFC 7857 | 2016 | Unified and updated NAT behavioral requirements across protocols. |

Verify that a private host (PC1) can reach a public host (PC2) through a NAT-enabled router (R1).

Topology

[PC1 / LAN Host] — Fa0/0 — [R1 Router] — Fa0/1 — [PC2 / Internet Simulation]

  • PC1 → 192.168.1.10/24

  • Router R1 LAN (Fa0/0) → 192.168.1.1/24 → NAT inside

  • Router R1 WAN (Fa0/1) → 10.0.0.2/24 → NAT outside

  • PC2 → 10.0.0.1/24

Note

  • The router performs NAT between the inside (LAN) and outside (WAN) networks.

  • PC1 has only a private IP, but NAT enables it to communicate with PC2.

  • The default gateway for PC1 must always point to the router (192.168.1.1).

PC1 (VM1) — LAN Host Setup

  • Step-1 : Assign IP address and bring up the interface

    ip addr add 192.168.1.10/24 dev eth0
    ip link set eth0 up
    ip route add default via 192.168.1.1
    

    Note

    • Default route ensures traffic destined outside 192.168.1.0/24 goes through R1.

PC2 (VM2) — Internet Simulation Host

  • Step-1 : Assign IP address and bring up the interface

    sudo ip addr add 10.0.0.1/24 dev enp0s8
    sudo ip link set enp0s8 up
    

    Note

    • PC2 acts as an “internet host”; 10.0.0.1 stands in for a public IP in this lab.

    • No special configuration is needed on PC2; it just replies to ICMP packets.

Router (R1) — NAT Configuration

  • Step-1 : Configure LAN interface as inside

    R1#configure terminal
    R1(config)#interface FastEthernet0/0
    R1(config-if)#ip address 192.168.1.1 255.255.255.0
    R1(config-if)#ip nat inside
    R1(config-if)#no shutdown
    R1(config-if)#exit
    

    Note

    • ip nat inside must be applied on the private (LAN) interface.

  • Step-2 : Configure WAN interface as outside

    R1(config)#interface FastEthernet1/0
    R1(config-if)#ip address 10.0.0.2 255.255.255.0
    R1(config-if)#ip nat outside
    R1(config-if)#no shutdown
    R1(config-if)#exit
    

    Note

    • ip nat outside must be applied on the public (WAN) interface.

  • Step-3 : Configure Access Control List (ACL) for NAT

    R1(config)#access-list 1 permit 192.168.1.0 0.0.0.255
    

    Note

    • This ACL specifies which private IP range should be translated.

  • Step-4 : Configure NAT Overload (PAT)

    R1(config)#ip nat inside source list 1 interface FastEthernet1/0 overload
    R1(config)#end
    

    Note

    • Overload (PAT) allows many inside hosts to share one public IP (10.0.0.2).

    • Translation is done using unique port numbers.

  • Step-5 : Verify router interface status

    R1#show ip interface brief
    

    Expected Output:

    Interface              IP-Address      OK? Method Status   Protocol
    FastEthernet0/0        192.168.1.1     YES manual up       up
    FastEthernet1/0        10.0.0.2        YES manual up       up
    

    Note

    • Both interfaces must show up/up (Status and Protocol) for NAT to work.

PC1 — NAT Test

  • Step-1 : Ping PC2 through NAT

    ping 10.0.0.1
    

    Expected Output:

    64 bytes from 10.0.0.1: icmp_seq=1 ttl=63 time=12 ms
    64 bytes from 10.0.0.1: icmp_seq=2 ttl=63 time=15 ms
    

    Note

    • Successful ping confirms NAT is working.

    • TTL decreases by 1 when packets pass through R1.

  • Step-2 : Verify NAT Table on Router

    R1#show ip nat translations
    

    Example Output:

    Pro Inside global      Inside local       Outside local      Outside global
    icmp 10.0.0.2:2907     192.168.1.10:2907  10.0.0.1:2907      10.0.0.1:2907
    

    Note

    • Inside local = private IP (192.168.1.10).

    • Inside global = public IP assigned by NAT (10.0.0.2).

    • This confirms NAT translation is successful.

Wireshark Verification

  • Capture on LAN side (Fa0/0):

    • Source: 192.168.1.10

    • Destination: 10.0.0.1

    • This is traffic before NAT.

  • Capture on WAN side (Fa0/1):

    • Source: 10.0.0.2

    • Destination: 10.0.0.1

    • This is traffic after NAT.

Note

  • Wireshark captures prove how NAT modifies source IP when leaving the router.

ip nat inside

  • Applied on LAN-facing interface (private network).

  • Tells the router: “Packets arriving here are private and must be translated when leaving.”

ip nat outside

  • Applied on WAN-facing interface (public/ISP side).

  • Tells the router: “Packets leaving here are going to the public side.”

Why both are needed

  • NAT translation happens only between inside and outside interfaces.

  • Without interface labels:

    • Router would not know which traffic to translate.

    • ip nat inside source list … overload would fail.

Note

  • Always double-check that the correct interfaces are marked as inside and outside.

  • Wrong configuration will cause NAT to fail even if ACL and overload are set correctly.

Test Case 2: NAT Overload / PAT (Port Address Translation)

Verify that multiple LAN hosts can share a single public IP (assigned dynamically via DHCP) using port translation.

Topology

[PC1 192.168.1.10] — sw1(eth0) — Fa0/0 — [R1 Router] — Fa0/1 — [DHCP WAN / ISP] — [Internet Server 10.0.0.1]

[PC2 192.168.1.20] — sw1(eth1) — Fa0/0 — [R1 Router]

Note

  • The WAN interface (Fa0/1) gets its IP dynamically from a DHCP server.

  • NAT overload (PAT) allows multiple LAN hosts to share that single public IP.

  • Translation is based on unique source port numbers.

Router (R1) — PAT Configuration

  • Step-1 : Configure the outside interface (WAN) to get IP via DHCP

    R1(config)#interface FastEthernet1/0
    R1(config-if)#ip address dhcp
    R1(config-if)#ip nat outside
    R1(config-if)#no shutdown
    R1(config-if)#exit
    
  • Step-2 : Configure the inside interface (LAN)

    R1(config)#interface FastEthernet0/0
    R1(config-if)#ip address 192.168.1.1 255.255.255.0
    R1(config-if)#ip nat inside
    R1(config-if)#no shutdown
    R1(config-if)#exit
    
  • Step-3 : Configure ACL for private subnet

    R1(config)#access-list 1 permit 192.168.1.0 0.0.0.255
    
  • Step-4 : Enable NAT Overload (PAT)

    R1(config)#ip nat inside source list 1 interface FastEthernet1/0 overload
    R1(config)#end
    
  • Step-5 : Verify WAN IP

    R1#show ip interface brief
    

PC1 — LAN Host Setup

ip addr add 192.168.1.10/24 dev enp0s8
ip route add default via 192.168.1.1

PC2 — LAN Host Setup

ip addr add 192.168.1.20/24 dev enp0s8
ip route add default via 192.168.1.1

NAT / PAT Test

  • Step-1 : From PC1 and PC2, ping or reach an external host (e.g., 8.8.8.8).

  • Step-2 : Verify NAT translations on the router.

Example Output:

Pro Inside global      Inside local       Outside local      Outside global
icmp 192.168.122.85:3193 192.168.1.10:3193 8.8.8.8:3193      8.8.8.8:3193
icmp 192.168.122.85:1147 192.168.1.20:1147 8.8.8.8:1147      8.8.8.8:1147

Wireshark Verification

  • Step-1 : Capture on PC1

    • Source IP: 192.168.1.10

    • Destination: 8.8.8.8

    • Shows private IP before NAT.

  • Step-2 : Capture on PC2

    • Source IP: 192.168.1.20

    • Destination: 8.8.8.8

    • Shows private IP before NAT.

  • Step-3 : Capture on Router (Fa0/1 - WAN side)

    • Source IP: Router’s DHCP WAN IP (192.168.122.85)

    • Destination: 8.8.8.8

    • Both PC1 & PC2 traffic merged into same public IP, differentiated by ports.

Note

  • PC1 & PC2 both use the same global IP but different ports → proves PAT.

  • Router capture confirms NAT translation.
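
The PAT check above can be automated. The following is an added example, not part of the original lab: it parses text in the `show ip nat translations` column layout, reports which inside-global IPs are shared by several inside hosts, flags ambiguous mappings, and maps a public IP:port back to the inside host. The function names and the third sample row (192.168.122.90 / 192.168.1.30) are assumptions made for the illustration.

```python
from collections import defaultdict
from typing import NamedTuple, Optional, Tuple

Endpoint = Optional[Tuple[str, Optional[int]]]

# Constructed sample in the layout of `show ip nat translations`:
# the two PAT rows from this test case plus one constructed address-only row.
SAMPLE = """\
Pro Inside global      Inside local       Outside local      Outside global
icmp 192.168.122.85:3193 192.168.1.10:3193 8.8.8.8:3193      8.8.8.8:3193
icmp 192.168.122.85:1147 192.168.1.20:1147 8.8.8.8:1147      8.8.8.8:1147
--- 192.168.122.90       192.168.1.30       ---                ---
"""


class Entry(NamedTuple):
    proto: Optional[str]        # None for an address-only ("---") row
    inside_global: Endpoint     # (ip, port); port is None when no port is shown
    inside_local: Endpoint
    outside_local: Endpoint     # None when the column holds "---"
    outside_global: Endpoint


def _endpoint(field: str) -> Endpoint:
    """Turn 'a.b.c.d:port', 'a.b.c.d' or '---' into an endpoint tuple."""
    if field == "---":
        return None
    ip, _, port = field.partition(":")
    return (ip, int(port) if port else None)


def parse_translations(text: str) -> list:
    """Parse data rows; the header and blank lines do not have 5 columns."""
    entries = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) != 5:
            continue
        proto = None if cols[0] == "---" else cols[0]
        entries.append(Entry(proto, *map(_endpoint, cols[1:])))
    return entries


def pat_report(entries):
    """Return (overloaded, collisions).

    overloaded: inside-global IP -> sorted inside-local IPs sharing it (PAT).
    collisions: (proto, inside global, outside global) keys that map to more
                than one inside-local endpoint, i.e. ambiguous return traffic.
    """
    hosts = defaultdict(set)
    keys = defaultdict(set)
    for e in entries:
        if e.proto is None:      # address-only mapping, no per-session ports
            continue
        hosts[e.inside_global[0]].add(e.inside_local[0])
        keys[(e.proto, e.inside_global, e.outside_global)].add(e.inside_local)
    overloaded = {ip: sorted(h) for ip, h in hosts.items() if len(h) > 1}
    collisions = {k: sorted(v) for k, v in keys.items() if len(v) > 1}
    return overloaded, collisions


def attribute(entries, proto: str, global_ip: str, global_port: int):
    """Inside endpoint(s) behind a public ip:port seen in a WAN-side capture."""
    return sorted({e.inside_local for e in entries
                   if e.proto == proto
                   and e.inside_global == (global_ip, global_port)})


if __name__ == "__main__":
    table = parse_translations(SAMPLE)
    shared, clashes = pat_report(table)
    print("shared public IPs:", shared)
    print("ambiguous mappings:", clashes)
    print("192.168.122.85:1147 is", attribute(table, "icmp", "192.168.122.85", 1147))
```

Because translation entries expire, attribution like this only works against a table snapshot or log taken while the session was active.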

Test Case 3: Static NAT (One-to-One Mapping)

Verify that a specific private host is permanently mapped to a public IP (static translation).

Topology

[VM1 192.168.1.10] — sw1(eth0) — Fa0/0 — [R1 Router] — Fa0/1 — [DHCP WAN / ISP 192.168.122.85] — sw2 — [VM2 192.168.122.20]

Note

  • Static NAT creates a permanent one-to-one mapping between private and public IP.

  • In this case → 192.168.1.10 ↔ 192.168.122.85.

  • Works both inbound & outbound.

Router (R1) — Static NAT Configuration

  • Step-1 : Configure inside (LAN) interface

    R1(config)#interface FastEthernet0/0
    R1(config-if)#ip address 192.168.1.1 255.255.255.0
    R1(config-if)#ip nat inside
    R1(config-if)#no shutdown
    R1(config-if)#exit
    
  • Step-2 : Configure outside (WAN) interface (DHCP)

    R1(config)#interface FastEthernet1/0
    R1(config-if)#ip address dhcp
    R1(config-if)#ip nat outside
    R1(config-if)#no shutdown
    R1(config-if)#exit
    
  • Step-3 : Apply Static NAT mapping

    R1(config)#ip nat inside source static 192.168.1.10 192.168.122.85
    R1(config)#end
    
  • Step-4 : Verify NAT table

    R1#show ip nat translations
    

    Example Output:

    Pro Inside global      Inside local       Outside local      Outside global
    --- 192.168.122.85     192.168.1.10       ---                ---
    

VM1 — Inside Host Setup

sudo ip addr add 192.168.1.10/24 dev enp0s8
sudo ip link set enp0s8 up
sudo ip route add default via 192.168.1.1

VM2 — Outside Host Setup

sudo ip addr add 192.168.122.20/24 dev enp0s8
sudo ip link set enp0s8 up
sudo ip route add default via 192.168.122.1

Static NAT Test

  • Step-1 : From outside VM2, ping the public IP of R1 (192.168.122.85)

    ping 192.168.122.85
    
  • Step-2 : Verify NAT translations on router

    Example Output:

    Pro Inside global      Inside local       Outside local      Outside global
    icmp 192.168.122.85:1139 192.168.1.10:1139 192.168.122.20:1139 192.168.122.20:1139
    --- 192.168.122.85       192.168.1.10       ---                ---
    

Note

  • Inside local = private IP (192.168.1.10).

  • Inside global = mapped public IP (192.168.122.85).

  • Router correctly forwards inbound & outbound traffic.

Wireshark Verification

  • Step-1 : Capture on VM1 (LAN side)

    • Destination IP: 192.168.1.10

    • Shows translated packet delivered to private host.

  • Step-2 : Capture on VM2 (outside host)

    • Destination IP: 192.168.122.85

    • Shows packet sent to public IP.

  • Step-3 : Capture on Router (Fa0/1 - WAN side)

    • Destination IP: 192.168.122.85 (public) → translated to 192.168.1.10 (private).

    • Reply source: 192.168.122.85.

Note

  • Outside host (VM2) talks to public IP 192.168.122.85.

  • Router translates → delivers traffic to VM1 (192.168.1.10).

  • Reply goes back via same static mapping.

  • Confirms static one-to-one NAT works.

Test Case 4: Dynamic NAT (Pool of Public IPs)

Verify that multiple private hosts are dynamically mapped to a pool of public IPs.

Topology

[PC1 192.168.1.10] — sw1(eth0) — Fa0/0 — [R1 Router] — Fa0/1 — [192.168.122.0/24 WAN] — [WAN Host 192.168.122.1]

Note

  • Dynamic NAT maps private IPs to addresses drawn from a pool of available public IPs.

  • Unlike PAT, no port translation is done.

  • Each inside host gets a unique IP from the pool.

Router (R1) — Dynamic NAT Configuration

  • Step-1 : Configure inside (LAN) interface

    R1(config)#interface FastEthernet0/0
    R1(config-if)#ip address 192.168.1.1 255.255.255.0
    R1(config-if)#ip nat inside
    R1(config-if)#no shutdown
    R1(config-if)#exit
    
  • Step-2 : Configure outside (WAN) interface

    R1(config)#interface FastEthernet0/1
    R1(config-if)#ip address 192.168.122.2 255.255.255.0
    R1(config-if)#ip nat outside
    R1(config-if)#no shutdown
    R1(config-if)#exit
    
  • Step-3 : Define access list for inside subnet

    R1(config)#access-list 10 permit 192.168.1.0 0.0.0.255
    
  • Step-4 : Create NAT pool with two public IPs

    R1(config)#ip nat pool MYPOOL 192.168.122.100 192.168.122.101 netmask 255.255.255.0
    
  • Step-5 : Bind access list to pool

    R1(config)#ip nat inside source list 10 pool MYPOOL
    R1(config)#end
    
  • Step-6 : Verify NAT pool usage

    R1#show ip nat translations
    

    Example Output:

    Pro Inside global      Inside local       Outside local      Outside global
    icmp 192.168.122.100:4898 192.168.1.10:4898 192.168.122.1:4898 192.168.122.1:4898
    --- 192.168.122.100       192.168.1.10       ---                ---
    icmp 192.168.122.101:1125 192.168.1.20:1125 192.168.122.1:1125 192.168.122.1:1125
    --- 192.168.122.101       192.168.1.20       ---                ---
    

PC1 — Inside Host Setup

sudo ip addr add 192.168.1.10/24 dev eth0
sudo ip link set eth0 up
sudo ip route add default via 192.168.1.1

PC2 — Inside Host Setup

sudo ip addr add 192.168.1.20/24 dev eth0
sudo ip link set eth0 up
sudo ip route add default via 192.168.1.1

WAN Host Setup

sudo ip addr add 192.168.122.1/24 dev eth0
sudo ip link set eth0 up

Dynamic NAT Test

  • Step-1 : From PC1, ping WAN Host (192.168.122.1)

    ping 192.168.122.1
    
  • Step-2 : From PC2, ping WAN Host (192.168.122.1)

    ping 192.168.122.1
    
  • Step-3 : Verify NAT translations on router

    Pro Inside global      Inside local       Outside local      Outside global
    icmp 192.168.122.100:4898 192.168.1.10:4898 192.168.122.1:4898 192.168.122.1:4898
    --- 192.168.122.100       192.168.1.10       ---                ---
    icmp 192.168.122.101:1125 192.168.1.20:1125 192.168.122.1:1125 192.168.122.1:1125
    --- 192.168.122.101       192.168.1.20       ---                ---
    

Note

  • PC1 is mapped to 192.168.122.100.

  • PC2 is mapped to 192.168.122.101.

  • Pool allocation is automatic.

Wireshark Verification

Note

  • Inside captures show private IPs going out.

  • Outside captures show translated public IPs from pool.

  • Confirms that Dynamic NAT pool works correctly.

Test Case 5: Protocol-Aware NAT (TCP & UDP)

Verify that NAT correctly translates TCP and UDP traffic, not just ICMP.

Topology

[PC1 192.168.1.10] — sw1(eth0) — Fa0/0 — [R1 Router] — Fa0/1 — [WAN Host 10.0.0.1]

Note

  • NAT must handle protocol-specific translations for TCP and UDP.

  • WAN Host runs a web server (TCP) and DNS server (UDP) for testing.

WAN Host Setup

sudo apt-get update
sudo apt-get install -y apache2 bind9
sudo ip addr add 10.0.0.1/24 dev eth0
sudo ip link set eth0 up

PC1 — Inside Host Setup

sudo ip addr add 192.168.1.10/24 dev eth0
sudo ip link set eth0 up
sudo ip route add default via 192.168.1.1

Router (R1) — PAT Configuration

  • Step-1 : Configure inside interface

    R1(config)#interface FastEthernet0/0
    R1(config-if)#ip address 192.168.1.1 255.255.255.0
    R1(config-if)#ip nat inside
    R1(config-if)#no shutdown
    R1(config-if)#exit
    
  • Step-2 : Configure outside interface

    R1(config)#interface FastEthernet0/1
    R1(config-if)#ip address 10.0.0.2 255.255.255.0
    R1(config-if)#ip nat outside
    R1(config-if)#no shutdown
    R1(config-if)#exit
    
  • Step-3 : Define ACL for inside subnet

    R1(config)#access-list 1 permit 192.168.1.0 0.0.0.255
    
  • Step-4 : Enable NAT overload (PAT)

    R1(config)#ip nat inside source list 1 interface FastEthernet0/1 overload
    R1(config)#end
    

Protocol-Aware NAT Test

  • TCP Test — Web Request

    curl http://10.0.0.1
    

    Example NAT Translation on Router:

    Pro Inside global      Inside local       Outside local      Outside global
    tcp 10.0.0.2:35036     192.168.1.10:35036 10.0.0.1:80        10.0.0.1:80
    
  • UDP Test — DNS Query

    dig @10.0.0.1 google.com
    

    Example NAT Translation on Router:

    Pro Inside global      Inside local       Outside local      Outside global
    tcp 10.0.0.2:35036     192.168.1.10:35036 10.0.0.1:80        10.0.0.1:80
    udp 10.0.0.2:37934     192.168.1.10:37934 10.0.0.1:53        10.0.0.1:53
    

Wireshark Verification

  • TCP Traffic (HTTP)

    • Inside Interface (Fa0/0)

      • Source IP: 192.168.1.10

      • Destination IP: 10.0.0.1

      • Protocol: TCP, Destination Port 80

    • Outside Interface (Fa0/1)

      • Source IP: 10.0.0.2

      • Destination IP: 10.0.0.1

      • Source Port: NAT-assigned unique port

  • UDP Traffic (DNS)

    • Inside Interface (Fa0/0)

      • Source IP: 192.168.1.10

      • Destination IP: 10.0.0.1

      • Source Port: client-assigned

      • Destination Port: 53

    • Outside Interface (Fa0/1)

      • Source IP: 10.0.0.2

      • Destination IP: 10.0.0.1

      • Source Port: NAT-assigned unique port

Note

  • Inside captures show original private IPs.

  • Outside captures show translated public IPs with unique ports.

  • Confirms NAT handles TCP & UDP correctly, proving protocol-aware translation.

Test Case 6: NAT Timeout / Session Expiry

Verify that NAT table entries expire after inactivity.

Topology

[PC1 192.168.1.10] — sw1(eth0) — Fa0/0 — [R1 Router] — Fa0/1 — [WAN Host 10.0.0.1]

Note

  • NAT entries have timeouts to prevent stale sessions.

  • Default timeouts: ICMP ~30 sec, TCP ~24 hrs, UDP ~1 min.

  • We adjust ICMP timeout to 10 sec for testing purposes.

PC1 — Inside Host Setup

sudo ip addr add 192.168.1.10/24 dev eth0
sudo ip link set eth0 up
sudo ip route add default via 192.168.1.1

Router (R1) — PAT Configuration with Timeout

  • Step-1 : Configure inside interface

    R1(config)#interface FastEthernet0/0
    R1(config-if)#ip address 192.168.1.1 255.255.255.0
    R1(config-if)#ip nat inside
    R1(config-if)#no shutdown
    R1(config-if)#exit
    
  • Step-2 : Configure outside interface

    R1(config)#interface FastEthernet0/1
    R1(config-if)#ip address 10.0.0.2 255.255.255.0
    R1(config-if)#ip nat outside
    R1(config-if)#no shutdown
    R1(config-if)#exit
    
  • Step-3 : Define ACL for inside subnet

    R1(config)#access-list 1 permit 192.168.1.0 0.0.0.255
    
  • Step-4 : Enable NAT overload (PAT) and adjust timeouts

    R1(config)#ip nat inside source list 1 interface FastEthernet0/1 overload
    R1(config)#ip nat translation timeout 60
    R1(config)#ip nat translation icmp-timeout 10
    R1(config)#end
    

Note

  • ip nat translation timeout 60 → sets global timeout to 60 sec.

  • ip nat translation icmp-timeout 10 → sets ICMP timeout to 10 sec for faster testing.

NAT Timeout Test

  • Step-1 : Create a NAT entry

    # On R1: clear any existing translations
    R1# clear ip nat translation *
    # On PC1: generate ICMP traffic through the router
    ping -c 3 10.0.0.1
    

    Example NAT Translation:

    Pro Inside global      Inside local       Outside local      Outside global
    icmp 10.0.0.2:3196     192.168.1.10:3196  10.0.0.1:3196      10.0.0.1:3196
    

    Note

    • NAT entry appears for the ICMP session.

  • Step-2 : Verify session expiration

    # Wait 15 seconds (longer than ICMP timeout)
    R1# show ip nat translations
    

    Expected Result: NAT entry has disappeared.

Wireshark Verification

  • ICMP Traffic (Ping)

    • Inside Interface (Fa0/0)

      • Source IP: 192.168.1.10

      • Destination IP: 10.0.0.1

      • Protocol: ICMP, Type=8 Echo Request

    • Outside Interface (Fa0/1)

      • Source IP: 10.0.0.2

      • Destination IP: 10.0.0.1

      • Protocol: ICMP, Type=8 Echo Request

Note

  • Inside captures show private IP traffic before translation.

  • Outside captures show translated public IPs.

  • NAT table automatically removes idle entries, confirming session expiry works.
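
The stateful behaviour tested here can be seen in a small model. This is an added example, not router code and not Cisco IOS's algorithm: a simplified PAT table with port preservation, per-protocol idle timeouts, pool exhaustion, and state-based handling of inbound packets. The class name `PatTable`, the two-port pool and the inside ports are assumptions; the 10-second ICMP and 60-second default timeouts mirror the values configured in this test case.

```python
class PatTable:
    """Simplified PAT state table: one public IP, a port pool, idle timeouts."""

    def __init__(self, public_ip, ports, timeouts, default_timeout):
        self.public_ip = public_ip
        self.ports = ports                    # e.g. range(3000, 3002)
        self.timeouts = timeouts              # proto -> idle seconds
        self.default_timeout = default_timeout
        self.out = {}    # (proto, inside ip, inside port) -> global port
        self.back = {}   # (proto, global port) -> [(inside ip, inside port), last_seen]

    def expire(self, now):
        """Drop entries idle for at least their protocol's timeout."""
        for (proto, port), (inside, seen) in list(self.back.items()):
            if now - seen >= self.timeouts.get(proto, self.default_timeout):
                del self.back[(proto, port)]
                del self.out[(proto, *inside)]

    def outbound(self, proto, in_ip, in_port, now):
        """Translate an inside packet; None means the session is dropped."""
        self.expire(now)
        flow = (proto, in_ip, in_port)
        port = self.out.get(flow)
        if port is None:
            # Prefer the inside port (port preservation), else first free port.
            candidates = [in_port, *self.ports]
            port = next((p for p in candidates
                         if p in self.ports and (proto, p) not in self.back), None)
            if port is None:
                return None                   # pool exhausted
            self.out[flow] = port
        self.back[(proto, port)] = [(in_ip, in_port), now]   # refresh idle timer
        return (self.public_ip, port)

    def inbound(self, proto, port, now):
        """Translate a reply; None means no state exists, so it is not forwarded."""
        self.expire(now)
        entry = self.back.get((proto, port))
        if entry is None:
            return None
        entry[1] = now
        return entry[0]


def demo():
    """Walk through preservation, collision, exhaustion, refresh and expiry."""
    nat = PatTable("10.0.0.2", range(3000, 3002), {"icmp": 10}, 60)
    return [
        nat.outbound("icmp", "192.168.1.10", 3000, now=0),   # port preserved
        nat.outbound("icmp", "192.168.1.20", 3000, now=1),   # clash -> next port
        nat.outbound("icmp", "192.168.1.30", 5000, now=2),   # pool full -> dropped
        nat.inbound("icmp", 3001, now=5),                    # reply refreshes timer
        nat.inbound("icmp", 3000, now=12),                   # idle 12 s -> expired
        nat.outbound("icmp", "192.168.1.30", 5000, now=12),  # freed port reused
        nat.inbound("icmp", 3001, now=30),                   # idle 25 s -> expired
    ]


if __name__ == "__main__":
    for step in demo():
        print(step)
```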

NAT - Use Cases

| S.no | Use Case | Description |
|---|---|---|
| 1 | IP Address Conservation | Allows multiple devices on a private network to share a single public IP address. |
| 2 | Private Network Isolation | Hides internal IP addresses from external networks, adding a layer of security. |
| 3 | Home and Small Office Networking | Enables internet access for all devices in a home or small office using one public IP. |
| 4 | Enterprise Network Management | Simplifies IP address management by using private IPs internally and NAT at the gateway. |
| 5 | Carrier-Grade NAT (CGN) | Allows ISPs to serve many customers with limited public IPv4 addresses. |
| 6 | IPv6 Transition (NAT64) | Enables IPv6-only clients to communicate with IPv4 servers during the transition to IPv6. |
| 7 | Load Balancing | Distributes incoming traffic to multiple internal servers using NAT with port forwarding. |
| 8 | VPN and Remote Access | Supports secure remote access by translating between internal and external IPs. |

NAT - Basic Features

| S.no | Features | Description |
|---|---|---|
| 1 | IP Address Translation | Translates private IP addresses to public IP addresses and vice versa. |
| 2 | Port Address Translation (PAT) | Allows multiple devices to share a single public IP using different port numbers. |
| 3 | Conserves IPv4 Addresses | Reduces the need for public IPv4 addresses by enabling address reuse. |
| 4 | Enhances Network Security | Hides internal network structure from external networks, adding a layer of security. |
| 5 | Supports Multiple NAT Types | Includes Static NAT, Dynamic NAT, PAT, NAT64, and Carrier-Grade NAT. |
| 6 | Protocol-Aware Behavior | Can be configured to handle TCP, UDP, and ICMP traffic differently. |
| 7 | Enables Internet Access for Private Networks | Allows devices with private IPs to access the internet. |

IP Address Translation - Test Cases

| # | Test Case | Description | Expected Result |
|---|---|---|---|
| 1 | Static NAT Mapping | Map one private IP to one public IP | Traffic is translated correctly |
| 2 | Dynamic NAT Pool | Use a pool of public IPs for translation | Private IPs are mapped dynamically |
| 3 | PAT Configuration | Map multiple private IPs to one public IP using ports | All sessions are uniquely translated |
| 4 | NAT Overload | Exceed available public IPs in dynamic NAT | New sessions are dropped |
| 5 | NAT Entry Timeout | Wait for NAT session timeout | Entry is removed from NAT table |
| 6 | NAT Table Verification | Check NAT table after traffic | Correct mappings are listed |
| 7 | NAT with TCP | Translate TCP traffic | TCP sessions are translated correctly |
| 8 | NAT with UDP | Translate UDP traffic | UDP sessions are translated correctly |
| 9 | NAT with ICMP | Translate ICMP traffic | ICMP identifiers are translated |
| 10 | NAT with FTP | Translate active FTP session | Control and data channels are translated |
| 11 | NAT with Passive FTP | Translate passive FTP session | Translation works for both channels |
| 12 | NAT with SIP | Translate SIP traffic | SIP headers are translated |
| 13 | NAT with DNS | Translate DNS queries | DNS traffic is translated correctly |
| 14 | NAT with HTTP | Translate HTTP traffic | HTTP sessions are translated |
| 15 | NAT with HTTPS | Translate HTTPS traffic | Encrypted traffic is translated |
| 16 | NAT with VPN | Translate VPN traffic | VPN tunnels are established |
| 17 | NAT with IPsec | Translate IPsec traffic | NAT-T is used if required |
| 18 | NAT with GRE | Translate GRE traffic | GRE sessions are translated |
| 19 | NAT with Multicast | Send multicast traffic | Multicast is not translated |
| 20 | NAT with Broadcast | Send broadcast traffic | Broadcast is not translated |
| 21 | NAT with Fragmented Packets | Send fragmented IP packets | All fragments are translated |
| 22 | NAT with Large Packets | Send jumbo frames | Frames are translated correctly |
| 23 | NAT with Port Range | Use port range in PAT | Ports are allocated from range |
| 24 | NAT with Port Exhaustion | Exhaust available ports | New sessions are dropped |
| 25 | NAT with Static Port Mapping | Map specific port to internal host | Port is translated as configured |
| 26 | NAT with Overlapping Subnets | Use overlapping private IPs | NAT resolves conflict |
| 27 | NAT with Dual Stack | Translate IPv4 in dual-stack network | IPv4 traffic is translated |
| 28 | NAT with IPv6 | Attempt to translate IPv6 | NAT not applied (NAT66 not supported) |
| 29 | NAT with Hairpinning | Internal host accesses another via public IP | Traffic is looped back correctly |
| 30 | NAT with Loopback | Access own public IP from inside | Traffic is translated and routed |
| 31 | NAT with ACL | Apply ACL to NAT traffic | Only permitted traffic is translated |
| 32 | NAT with QoS | Apply QoS to NAT traffic | QoS markings are preserved |
| 33 | NAT with Logging | Enable NAT logging | Translations are logged |
| 34 | NAT with SNMP | Monitor NAT stats via SNMP | NAT counters are visible |
| 35 | NAT with Failover | Failover to backup NAT device | Sessions are re-established |
| 36 | NAT with Load Balancing | Distribute traffic across NAT pool | Load is balanced |
| 37 | NAT with Redundant Links | Use redundant WAN links | NAT works across links |
| 38 | NAT with VRF | Use NAT in VRF context | NAT operates per VRF |
| 39 | NAT with Static Route | Use static route for NAT traffic | Traffic is routed and translated |
| 40 | NAT with Dynamic Routing | Use OSPF/BGP for NAT traffic | Routing and NAT coexist |
| 41 | NAT with DNS Rewrite | Rewrite DNS responses | Internal IPs are hidden |
| 42 | NAT with Application Layer Gateway | Use ALG for SIP/FTP | Application headers are translated |
| 43 | NAT with NAT64 | Translate IPv6 to IPv4 | IPv6 clients access IPv4 servers |
| 44 | NAT with NAT46 | Translate IPv4 to IPv6 | IPv4 clients access IPv6 servers |
| 45 | NAT with Static NAT and PAT | Combine static NAT and PAT | Both mappings work correctly |
| 46 | NAT with Interface Overload | Use interface IP for PAT | All sessions use interface IP |
| 47 | NAT with Multiple Interfaces | Use NAT on multiple interfaces | NAT works per interface |
| 48 | NAT with Asymmetric Routing | Use different paths for in/out | NAT handles return traffic |
| 49 | NAT with Connection Tracking | Track NAT sessions | Sessions are correctly tracked |
| 50 | NAT with High Availability | Use NAT in HA setup | Sessions persist across failover |

Port Address Translation (PAT) - Test Cases

| # | Test Case | Description | Expected Result |
|---|---|---|---|
| 1 | Basic PAT Functionality | Translate multiple private IPs to one public IP using ports | All sessions are uniquely translated |
| 2 | PAT with TCP Traffic | Send TCP traffic from multiple hosts | Each session uses a unique port |
| 3 | PAT with UDP Traffic | Send UDP traffic from multiple hosts | Each session uses a unique port |
| 4 | PAT with ICMP Traffic | Send ICMP traffic | PAT assigns unique identifiers |
| 5 | PAT Port Range Allocation | Configure specific port range | PAT uses ports within the range |
| 6 | PAT Port Exhaustion | Exhaust available ports | New sessions are dropped |
| 7 | PAT with Static NAT | Combine PAT with static NAT | Both mappings work correctly |
| 8 | PAT with Dynamic NAT | Combine PAT with dynamic NAT | PAT handles overflow sessions |
| 9 | PAT with DNS | Translate DNS queries | PAT assigns unique ports |
| 10 | PAT with HTTP | Translate HTTP sessions | Each session is uniquely translated |
| 11 | PAT with HTTPS | Translate HTTPS sessions | Secure sessions are translated |
| 12 | PAT with FTP | Translate FTP sessions | Control and data ports are handled |
| 13 | PAT with SIP | Translate SIP sessions | SIP headers are translated |
| 14 | PAT with GRE | Send GRE traffic | PAT does not apply (no ports) |
| 15 | PAT with VPN | Translate VPN traffic | VPN tunnels are established |
| 16 | PAT with IPsec | Translate IPsec traffic | NAT-T is used if required |
| 17 | PAT with Fragmented Packets | Send fragmented packets | All fragments are translated |
| 18 | PAT with Large Packets | Send jumbo frames | Frames are translated correctly |
| 19 | PAT with Port Reuse | Reuse port after timeout | Port is reassigned safely |
| 20 | PAT with Port Timeout | Wait for session timeout | Port is released |
| 21 | PAT Table Verification | Check PAT table | Correct mappings are listed |
| 22 | PAT with Logging Enabled | Enable logging | PAT translations are logged |
| 23 | PAT with Logging Disabled | Disable logging | No logs generated |
| 24 | PAT with SNMP Monitoring | Monitor via SNMP | PAT stats are visible |
| 25 | PAT with CLI Monitoring | Use CLI to check PAT status | PAT entries are shown |
| 26 | PAT with ACL | Apply ACL to PAT traffic | Only permitted traffic is translated |
| 27 | PAT with QoS | Apply QoS policy | QoS markings are preserved |
| 28 | PAT with Load Balancing | Use PAT with multiple public IPs | Load is distributed |
| 29 | PAT with Redundant Links | Use PAT across redundant links | PAT works on both links |
| 30 | PAT with Interface Overload | Use interface IP for PAT | All sessions use interface IP |
| 31 | PAT with Multiple Interfaces | Use PAT on multiple interfaces | PAT works per interface |
| 32 | PAT with Hairpinning | Internal host accesses another via public IP | Traffic is looped back correctly |
| 33 | PAT with Loopback | Access own public IP from inside | Traffic is translated and routed |
| 34 | PAT with NAT Pool | Use PAT with NAT pool | PAT selects available IP and port |
| 35 | PAT with Overlapping Subnets | Use overlapping private IPs | PAT resolves conflict |
| 36 | PAT with Dual Stack | Use PAT in dual-stack network | IPv4 traffic is translated |
| 37 | PAT with IPv6 | Attempt to use PAT with IPv6 | Not supported (NAT66 not standard) |
| 38 | PAT with Static Port Mapping | Map specific port to internal host | Port is translated as configured |
| 39 | PAT with Port Forwarding | Forward specific port to internal host | Traffic is routed correctly |
| 40 | PAT with Application Layer Gateway | Use ALG for SIP/FTP | Application headers are translated |
| 41 | PAT with DNS Rewrite | Rewrite DNS responses | Internal IPs are hidden |
| 42 | PAT with High Load | Simulate high traffic volume | PAT handles sessions efficiently |
| 43 | PAT with Failover | Failover to backup PAT device | Sessions are re-established |
| 44 | PAT with NAT64 | Translate IPv6 to IPv4 | PAT applies to IPv4 side |
| 45 | PAT with NAT46 | Translate IPv4 to IPv6 | PAT applies to IPv4 side |
| 46 | PAT with Connection Tracking | Track PAT sessions | Sessions are correctly tracked |
| 47 | PAT with Asymmetric Routing | Use different paths for in/out | PAT handles return traffic |
| 48 | PAT with VRF | Use PAT in VRF context | PAT operates per VRF |
| 49 | PAT with Static Route | Use static route for PAT traffic | Traffic is routed and translated |
| 50 | PAT with Dynamic Routing | Use OSPF/BGP for PAT traffic | Routing and PAT coexist |

Conserves IPv4 Addresses - Test Cases

| # | Test Case | Description | Expected Result |
|---|---|---|---|
| 1 | Single Public IP for Multiple Hosts | Use one public IP for many private hosts | All hosts access internet via same public IP |
| 2 | PAT with 100 Clients | 100 clients share one public IP | All sessions are translated using unique ports |
| 3 | Dynamic NAT Pool with Limited IPs | Use a pool of 2 public IPs for 50 clients | Clients are mapped dynamically |
| 4 | Static NAT for Critical Hosts | Assign static NAT to servers | Only critical hosts consume public IPs |
| 5 | PAT with Port Reuse | Reuse ports after timeout | Public IP is reused efficiently |
| 6 | NAT with DHCP | Assign private IPs via DHCP | Public IPs are conserved |
| 7 | NAT with Private Subnet | Use 10.0.0.0/8 for internal network | No public IPs used internally |
| 8 | NAT with Overlapping Subnets | Handle overlapping private IPs | NAT resolves conflicts without extra public IPs |
| 9 | NAT with VPN Clients | VPN clients use private IPs | Only VPN gateway uses public IP |
| 10 | NAT with Guest Network | Guest users share public IP via PAT | Public IP usage is minimized |
| 11 | NAT with IoT Devices | IoT devices use private IPs | No public IPs assigned to devices |
| 12 | NAT with Mobile Devices | Mobile clients use PAT | Public IPs are conserved |
| 13 | NAT with Static IP Reservation | Reserve static private IPs | Public IPs are not wasted |
| 14 | NAT with Port Forwarding | Forward specific ports to internal hosts | No need for multiple public IPs |
| 15 | NAT with Load Balancer | Load balancer uses one public IP | Backend servers use private IPs |
| 16 | NAT with DMZ | DMZ hosts use static NAT | Only exposed services use public IPs |
| 17 | NAT with ACL | Restrict NAT access via ACL | Reduces unnecessary public IP usage |
| 18 | NAT with QoS | Prioritize traffic without more IPs | Efficient use of limited public IPs |
| 19 | NAT with DNS Rewrite | Rewrite DNS to internal IPs | Avoids exposing public IPs |
| 20 | NAT with Hairpinning | Internal access via public IP | No extra public IPs needed |
| 21 | NAT with Redundant Links | Use same public IP across links | IPs are reused efficiently |
| 22 | NAT with Failover | Failover device uses same IP | No additional IPs required |
| 23 | NAT with VRF | Use NAT per VRF | Public IPs are shared across VRFs |
| 24 | NAT with IPv6 Transition | Use NAT64 for IPv6 clients | Conserves IPv4 addresses |
| 25 | NAT with NAT46 | IPv4 clients access IPv6 servers | No extra IPv4 addresses needed |
| 26 | NAT with DNS Proxy | Proxy DNS queries internally | Reduces public IP exposure |
| 27 | NAT with Application Gateway | Gateway uses one IP for many apps | Public IPs are conserved |
| 28 | NAT with Cloud Services | Cloud VMs use private IPs | NAT gateway uses one public IP |
| 29 | NAT with Container Networks | Containers use private IPs | Host NATs traffic using one IP |
| 30 | NAT with Kubernetes | Pods use private IPs | Node IP is used for external access |
| 31 | NAT with Static Routing | Route private IPs via NAT | No need for public IPs |
| 32 | NAT with Dynamic Routing | Use OSPF/BGP internally | Public IPs not exposed |
| 33 | NAT with SNMP Monitoring | Monitor NAT usage | Confirms IP conservation |
| 34 | NAT with Logging | Log NAT translations | Shows efficient IP usage |
| 35 | NAT with Port Exhaustion | Simulate port exhaustion | Confirms limits of IP reuse |
| 36 | NAT with High Load | Simulate 1000 clients | Public IPs are reused efficiently |
| 37 | NAT with Low Bandwidth | Low usage clients share IP | No need for dedicated IPs |
| 38 | NAT with Static Mapping Limits | Limit static NAT entries | Forces use of PAT |
| 39 | NAT with ACL Logging | Log denied NAT attempts | Helps optimize IP usage |
| 40 | NAT with DNS Load Balancing | Use DNS to distribute traffic | One IP serves multiple services |
| 41 | NAT with IPv4 Exhaustion | Simulate no public IPs left | PAT still allows access |
| 42 | NAT with ISP NAT | Use carrier-grade NAT | ISP conserves public IPs |
| 43 | NAT with Home Router | Home devices use private IPs | One public IP for entire home |
| 44 | NAT with Enterprise Gateway | Enterprise users share IPs | Public IPs are conserved |
| 45 | NAT with Cloud NAT Gateway | Cloud NAT handles all egress | One IP per region or zone |
| 46 | NAT with Static IP Leak Prevention | Prevent static IP misuse | Ensures IPs are not wasted |
| 47 | NAT with Port Mapping Limits | Limit port mappings per host | Prevents IP exhaustion |
| 48 | NAT with Session Tracking | Track active sessions | Confirms efficient IP reuse |
| 49 | NAT with Idle Timeout | Remove idle sessions | Frees up ports and IPs |
| 50 | NAT with Connection Limits | Limit connections per IP | Prevents overuse of public IPs |

Enhances Network Security - Test Cases

| # | Test Case | Description | Expected Result |
|---|---|---|---|
| 1 | Hide Internal IPs | Verify internal IPs are not visible externally | External hosts see only public IP |
| 2 | Block Inbound Unsolicited Traffic | Send unsolicited traffic to NAT IP | Traffic is dropped |
| 3 | Allow Established Sessions | Allow return traffic for established sessions | Return traffic is allowed |
| 4 | Prevent Direct Access to Internal Hosts | Try accessing internal IP from outside | Access is denied |
| 5 | NAT with Port Forwarding | Allow specific inbound ports | Only allowed ports are accessible |
| 6 | NAT with ACL | Apply ACL to restrict NAT traffic | Only permitted traffic is allowed |
| 7 | NAT with Logging | Enable logging of NAT translations | Logs show source/destination mappings |
| 8 | NAT with DoS Protection | Simulate DoS attack | NAT drops excessive connections |
| 9 | NAT with IP Spoofing | Send spoofed IP packets | NAT drops invalid packets |
| 10 | NAT with SYN Flood | Simulate SYN flood | NAT limits half-open connections |
| 11 | NAT with Session Timeout | Idle sessions are removed | Reduces attack surface |
| 12 | NAT with Port Randomization | Use random source ports | Makes tracking harder for attackers |
| 13 | NAT with Static Mapping | Limit static NAT to known hosts | Reduces exposure |
| 14 | NAT with PAT | Share one IP among many users | Minimizes public IP exposure |
| 15 | NAT with VPN | Securely tunnel traffic through NAT | Traffic is encrypted |
| 16 | NAT with IPsec | Use NAT-T for IPsec | Secure tunnels are maintained |
| 17 | NAT with DNS Rewrite | Rewrite DNS responses | Prevents IP leakage |
| 18 | NAT with Application Gateway | Inspect and secure application traffic | Prevents protocol abuse |
| 19 | NAT with IDS/IPS | Integrate with intrusion detection | Malicious traffic is blocked |
| 20 | NAT with Firewall | Combine NAT with firewall | Enhances perimeter security |
| 21 | NAT with DMZ | Isolate public-facing services | Internal network is protected |
| 22 | NAT with VLAN Segmentation | Segment internal network | Limits lateral movement |
| 23 | NAT with Logging Alerts | Generate alerts on suspicious activity | Admins are notified |
| 24 | NAT with SNMP Monitoring | Monitor NAT activity | Detect anomalies in real time |
| 25 | NAT with Rate Limiting | Limit connections per IP | Prevents abuse |
| 26 | NAT with Port Filtering | Block unused ports | Reduces attack surface |
| 27 | NAT with Geo-IP Filtering | Block traffic from specific regions | Enhances security posture |
| 28 | NAT with MAC Binding | Bind NAT to MAC addresses | Prevents spoofing |
| 29 | NAT with Static ARP | Use static ARP entries | Prevents ARP spoofing |
| 30 | NAT with DHCP Snooping | Validate DHCP messages | Prevents rogue DHCP servers |
| 31 | NAT with IP Blacklisting | Block known malicious IPs | Enhances threat prevention |
| 32 | NAT with Connection Limits | Limit concurrent sessions | Prevents resource exhaustion |
| 33 | NAT with Session Tracking | Track active sessions | Detect unusual patterns |
| 34 | NAT with High Availability | Failover without exposing internal IPs | Maintains security during failover |
| 35 | NAT with Redundant Links | Secure traffic across multiple links | No exposure of internal IPs |
| 36 | NAT with DNS Proxy | Proxy DNS queries | Prevents DNS-based attacks |
| 37 | NAT with DNSSEC | Secure DNS responses | Prevents spoofing |
| 38 | NAT with IPv6 Disabled | Disable IPv6 if not used | Prevents bypassing NAT |
| 39 | NAT with IPv6 Tunneling | Secure IPv6 over IPv4 NAT | Maintains encryption |
| 40 | NAT with Logging Retention | Retain logs for audit | Supports forensic analysis |
| 41 | NAT with Time-Based Rules | Allow NAT only during business hours | Reduces risk during off-hours |
| 42 | NAT with User Authentication | Authenticate users before NAT | Prevents unauthorized access |
| 43 | NAT with Device Fingerprinting | Identify devices behind NAT | Detect rogue devices |
| 44 | NAT with Anomaly Detection | Detect unusual NAT behavior | Alerts on suspicious activity |
| 45 | NAT with Cloud Integration | Secure cloud-bound traffic | Prevents data leakage |
| 46 | NAT with Container Isolation | Isolate containers using NAT | Prevents cross-container attacks |
| 47 | NAT with Zero Trust Architecture | Enforce least privilege | NAT supports micro-segmentation |
| 48 | NAT with Endpoint Protection | Combine with endpoint security | Enhances overall defense |
| 49 | NAT with Threat Intelligence | Block traffic from known threats | Uses real-time threat feeds |
| 50 | NAT with Compliance Logging | Log for compliance (e.g., GDPR) | Ensures auditability and traceability |

Supports Multiple NAT Types - Test Cases

| # | Test Case | Description | Expected Result |
|---|---|---|---|
| 1 | Static NAT Mapping | Map one private IP to one public IP | Traffic is translated 1:1 |
| 2 | Dynamic NAT Pool | Use a pool of public IPs for translation | Private IPs are mapped dynamically |
| 3 | PAT with Single Public IP | Map multiple private IPs to one public IP using ports | All sessions are uniquely translated |
| 4 | PAT with Port Range | Use specific port range for PAT | Ports are allocated from the range |
| 5 | NAT64 Translation | Translate IPv6 to IPv4 | IPv6 clients access IPv4 servers |
| 6 | NAT46 Translation | Translate IPv4 to IPv6 | IPv4 clients access IPv6 servers |
| 7 | Static NAT with Port Forwarding | Forward specific port to internal host | Port is translated as configured |
| 8 | Dynamic NAT with ACL | Apply ACL to dynamic NAT | Only permitted traffic is translated |
| 9 | PAT with TCP | Translate TCP traffic using PAT | Each session uses a unique port |
| 10 | PAT with UDP | Translate UDP traffic using PAT | Each session uses a unique port |
| 11 | PAT with ICMP | Translate ICMP traffic using PAT | ICMP identifiers are translated |
| 12 | Static NAT with DNS | Use static NAT with DNS | DNS resolves to public IP |
| 13 | NAT64 with DNS64 | Use DNS64 with NAT64 | IPv6 clients resolve IPv4 addresses |
| 14 | NAT with FTP | Translate FTP control and data channels | Both channels are translated |
| 15 | NAT with SIP | Translate SIP headers and media ports | SIP sessions are translated |
| 16 | NAT with GRE | Translate GRE traffic | GRE sessions are translated |
| 17 | NAT with IPsec | Use NAT-T for IPsec | IPsec tunnels are established |
| 18 | NAT with VPN | Translate VPN traffic | VPN tunnels are maintained |
| 19 | NAT with Hairpinning | Internal host accesses another via public IP | Traffic is looped back correctly |
| 20 | NAT with Loopback | Access own public IP from inside | Traffic is translated and routed |
| 21 | NAT with Overlapping Subnets | Handle overlapping private IPs | NAT resolves conflicts |
| 22 | NAT with Dual Stack | Use NAT in dual-stack network | IPv4 traffic is translated |
| 23 | NAT with IPv6 Only | Attempt NAT on IPv6-only traffic | NAT not applied (unless NAT64) |
| 24 | NAT with Static Mapping Limits | Limit static NAT entries | Forces use of dynamic NAT or PAT |
| 25 | NAT with Port Exhaustion | Exhaust available ports in PAT | New sessions are dropped |
| 26 | NAT with NAT Pool Exhaustion | Exhaust public IP pool in dynamic NAT | New sessions are dropped |
| 27 | NAT with Interface Overload | Use interface IP for PAT | All sessions use interface IP |
| 28 | NAT with Multiple Interfaces | Use NAT on multiple interfaces | NAT works per interface |
| 29 | NAT with Redundant Links | Use NAT across redundant links | NAT works on both links |
| 30 | NAT with Failover | Failover to backup NAT device | Sessions are re-established |
| 31 | NAT with Load Balancing | Distribute traffic across NAT pool | Load is balanced |
| 32 | NAT with VRF | Use NAT in VRF context | NAT operates per VRF |
| 33 | NAT with Static Route | Use static route for NAT traffic | Traffic is routed and translated |
| 34 | NAT with Dynamic Routing | Use OSPF/BGP for NAT traffic | Routing and NAT coexist |
| 35 | NAT with ACL Logging | Log NAT traffic based on ACL | Logs show permitted/denied translations |
| 36 | NAT with SNMP Monitoring | Monitor NAT stats via SNMP | NAT counters are visible |
| 37 | NAT with CLI Monitoring | Use CLI to check NAT status | NAT entries are shown |
| 38 | NAT with Logging Enabled | Enable NAT logging | Translations are logged |
| 39 | NAT with Logging Disabled | Disable logging | No logs generated |
| 40 | NAT with DNS Rewrite | Rewrite DNS responses | Internal IPs are hidden |
| 41 | NAT with Application Gateway | Use ALG for SIP/FTP | Application headers are translated |
| 42 | NAT with High Load | Simulate high traffic volume | NAT handles sessions efficiently |
| 43 | NAT with Low Bandwidth | Low usage clients share IP | No need for dedicated IPs |
| 44 | NAT with Static IP Reservation | Reserve static private IPs | Public IPs are not wasted |
| 45 | NAT with Port Mapping Limits | Limit port mappings per host | Prevents IP exhaustion |
| 46 | NAT with Connection Tracking | Track NAT sessions | Sessions are correctly tracked |
| 47 | NAT with Session Timeout | Idle sessions are removed | Frees up ports and IPs |
| 48 | NAT with Connection Limits | Limit connections per IP | Prevents overuse of public IPs |
| 49 | NAT with DNSSEC | Secure DNS responses | Prevents spoofing in NAT64 |
| 50 | NAT with Compliance Logging | Log for compliance (e.g., GDPR) | Ensures auditability and traceability |

Protocol-Aware Behavior - Test Cases

| # | Test Case | Description | Expected Result |
|---|---|---|---|
| 1 | FTP Active Mode | Translate FTP control and data channels | Both channels are translated correctly |
| 2 | FTP Passive Mode | Translate passive FTP session | NAT handles dynamic port negotiation |
| 3 | SIP with NAT | Translate SIP signaling and media | SIP headers and RTP ports are translated |
| 4 | H.323 with NAT | Translate H.323 protocol | NAT handles embedded IPs and ports |
| 5 | PPTP with NAT | Translate PPTP control and GRE data | NAT supports GRE and control channel |
| 6 | IPsec with NAT-T | Translate IPsec traffic | NAT-T encapsulation is used |
| 7 | DNS with NAT | Translate DNS queries and responses | NAT handles DNS traffic normally |
| 8 | TFTP with NAT | Translate TFTP sessions | NAT handles dynamic UDP ports |
| 9 | RTSP with NAT | Translate RTSP control and media | NAT handles embedded IPs in RTSP |
| 10 | SNMP with NAT | Translate SNMP traffic | NAT handles UDP ports correctly |
| 11 | LDAP with NAT | Translate LDAP queries | NAT handles TCP/UDP ports |
| 12 | SMTP with NAT | Translate SMTP traffic | NAT handles TCP port 25 correctly |
| 13 | POP3 with NAT | Translate POP3 traffic | NAT handles TCP port 110 |
| 14 | IMAP with NAT | Translate IMAP traffic | NAT handles TCP port 143 |
| 15 | HTTP with NAT | Translate HTTP traffic | NAT handles TCP port 80 |
| 16 | HTTPS with NAT | Translate HTTPS traffic | NAT handles TCP port 443 |
| 17 | SSH with NAT | Translate SSH sessions | NAT handles TCP port 22 |
| 18 | Telnet with NAT | Translate Telnet sessions | NAT handles TCP port 23 |
| 19 | RDP with NAT | Translate RDP sessions | NAT handles TCP port 3389 |
| 20 | SMB with NAT | Translate SMB traffic | NAT handles TCP ports 445/139 |
| 21 | NFS with NAT | Translate NFS traffic | NAT handles dynamic ports via portmapper |
| 22 | DHCP with NAT | Handle DHCP relay | NAT does not interfere with DHCP |
| 23 | ICMP with NAT | Translate ICMP echo requests/replies | NAT tracks ICMP identifiers |
| 24 | GRE with NAT | Translate GRE tunnels | NAT handles GRE protocol (47) |
| 25 | L2TP with NAT | Translate L2TP sessions | NAT handles UDP port 1701 |
| 26 | ALG for FTP | Enable FTP ALG | FTP sessions are translated correctly |
| 27 | ALG for SIP | Enable SIP ALG | SIP headers and ports are rewritten |
| 28 | ALG for H.323 | Enable H.323 ALG | H.323 sessions are translated |
| 29 | ALG for RTSP | Enable RTSP ALG | RTSP control and media are handled |
| 30 | ALG Disabled | Disable ALG for FTP | FTP fails due to incorrect port translation |
| 31 | NAT with Embedded IPs | Translate protocols with embedded IPs | NAT rewrites payload IPs |
| 32 | NAT with Encrypted Protocols | Translate HTTPS traffic | NAT does not inspect encrypted payloads |
| 33 | NAT with Custom Protocol | Use custom protocol with embedded IP | NAT does not translate payload |
| 34 | NAT with DNSSEC | Translate DNSSEC traffic | NAT handles UDP/TCP 53 without inspection |
| 35 | NAT with SIP over TLS | Translate SIP over TLS | NAT cannot inspect encrypted SIP |
| 36 | NAT with RTP | Translate RTP media streams | NAT rewrites IP/port in SDP |
| 37 | NAT with RTCP | Translate RTCP control packets | NAT handles RTP/RTCP pair correctly |
| 38 | NAT with WebRTC | Translate WebRTC traffic | NAT handles STUN/TURN/ICE negotiation |
| 39 | NAT with STUN | Translate STUN messages | NAT allows STUN discovery |
| 40 | NAT with TURN | Translate TURN relay traffic | NAT allows relay via TURN server |
| 41 | NAT with ICE | Handle ICE negotiation | NAT supports candidate exchange |
| 42 | NAT with SIP Reinvite | Handle SIP reinvite with new media IP | NAT updates translation |
| 43 | NAT with SIP Registration | Handle SIP REGISTER messages | NAT rewrites contact IP |
| 44 | NAT with FTP File Transfer | Transfer file via FTP | NAT handles data channel correctly |
| 45 | NAT with TFTP File Transfer | Transfer file via TFTP | NAT handles dynamic UDP ports |
| 46 | NAT with SNMP Traps | Receive SNMP traps | NAT allows inbound UDP 162 |
| 47 | NAT with Syslog | Send syslog messages | NAT handles UDP 514 |
| 48 | NAT with NTP | Send NTP requests | NAT handles UDP 123 |
| 49 | NAT with BGP | Translate BGP sessions | NAT handles TCP 179 |
| 50 | NAT with Custom ALG | Implement custom ALG for proprietary protocol | NAT rewrites embedded IPs and ports |

Enables Internet Access for Private Networks - Test Cases

| # | Test Case | Description | Expected Result |
|---|---|---|---|
| 1 | Basic Internet Access | Private host accesses public website | NAT translates IP and allows access |
| 2 | Multiple Hosts Access Internet | Multiple private hosts browse internet | NAT handles all translations |
| 3 | PAT with Single Public IP | Multiple hosts share one public IP | All sessions are uniquely translated |
| 4 | Dynamic NAT Pool | Use pool of public IPs for internet access | Hosts are dynamically assigned IPs |
| 5 | Static NAT for Server | Internal server accesses internet | Static mapping allows access |
| 6 | DNS Resolution | Private host resolves domain name | DNS query and response are translated |
| 7 | HTTP Access | Access HTTP website from private host | NAT translates TCP port 80 traffic |
| 8 | HTTPS Access | Access HTTPS website from private host | NAT translates TCP port 443 traffic |
| 9 | FTP Access | Access FTP server from private host | NAT handles control and data channels |
| 10 | Email Access | Send/receive email via SMTP/IMAP | NAT translates email protocol ports |
| 11 | Streaming Access | Stream video from public service | NAT handles continuous media flow |
| 12 | Gaming Access | Connect to online game server | NAT translates game-specific ports |
| 13 | VPN Access | Establish VPN tunnel from private host | NAT-T encapsulation used if needed |
| 14 | IPsec Tunnel | Create IPsec tunnel from private host | NAT-T allows tunnel establishment |
| 15 | NAT with DHCP | Assign private IP via DHCP | NAT translates traffic for DHCP clients |
| 16 | NAT with Static IP | Use static private IP | NAT translates traffic normally |
| 17 | NAT with IPv4 | Access internet using IPv4 | NAT translates IPv4 traffic |
| 18 | NAT with IPv6 | Access IPv6 internet via NAT64 | IPv6 translated to IPv4 |
| 19 | NAT with DNS Proxy | Use DNS proxy for resolution | NAT handles DNS traffic |
| 20 | NAT with Web Proxy | Use web proxy for browsing | NAT translates proxy traffic |
| 21 | NAT with ACL | Restrict internet access via ACL | Only allowed traffic is translated |
| 22 | NAT with QoS | Apply QoS to internet-bound traffic | QoS markings are preserved |
| 23 | NAT with Logging | Log internet access via NAT | Logs show translated sessions |
| 24 | NAT with SNMP Monitoring | Monitor NAT usage via SNMP | Internet access stats are visible |
| 25 | NAT with CLI Monitoring | Use CLI to check NAT status | Internet-bound sessions are listed |
| 26 | NAT with Port Forwarding | Allow inbound traffic to internal host | Specific ports are forwarded |
| 27 | NAT with Hairpinning | Internal host accesses public IP of peer | Traffic is looped back correctly |
| 28 | NAT with Loopback | Access own public IP from inside | Traffic is translated and routed |
| 29 | NAT with Redundant Links | Use multiple WAN links | Internet access works across links |
| 30 | NAT with Failover | Failover to backup NAT device | Internet access resumes automatically |
| 31 | NAT with Load Balancing | Distribute internet traffic | Load is balanced across public IPs |
| 32 | NAT with VRF | Internet access per VRF | NAT operates per routing instance |
| 33 | NAT with Static Route | Route internet traffic via NAT | Traffic is routed and translated |
| 34 | NAT with Dynamic Routing | Use OSPF/BGP for internet traffic | Routing and NAT coexist |
| 35 | NAT with DNSSEC | Access DNSSEC-enabled domains | NAT handles secure DNS traffic |
| 36 | NAT with WebRTC | Use WebRTC for video calls | NAT handles STUN/TURN/ICE protocols |
| 37 | NAT with STUN | Discover public IP via STUN | NAT allows STUN messages |
| 38 | NAT with TURN | Relay media via TURN server | NAT allows relay traffic |
| 39 | NAT with ICE | Negotiate media path via ICE | NAT supports candidate exchange |
| 40 | NAT with Cloud Services | Access cloud APIs from private host | NAT translates traffic to cloud endpoints |
| 41 | NAT with Container Networks | Containers access internet | Host NATs container traffic |
| 42 | NAT with Kubernetes | Pods access internet via node IP | NAT translates pod traffic |
| 43 | NAT with IoT Devices | IoT devices access cloud services | NAT translates traffic securely |
| 44 | NAT with Mobile Devices | Mobile clients access internet | NAT handles dynamic sessions |
| 45 | NAT with Guest Network | Guest users browse internet | NAT isolates and translates traffic |
| 46 | NAT with Endpoint Protection | Secure internet access | NAT works with endpoint security tools |
| 47 | NAT with Threat Intelligence | Block malicious destinations | NAT enforces security policies |
| 48 | NAT with Compliance Logging | Log internet access for audit | Logs meet compliance standards |
| 49 | NAT with Time-Based Rules | Allow internet access during specific hours | NAT enforces schedule |
| 50 | NAT with User Authentication | Authenticate users before access | NAT translates traffic post-authentication |
