What if you have 100 internal hosts that need Internet access, but only 10 public IP addresses? Static NAT would require 100 public IPs—one for each host. This is where Dynamic NAT provides an elegant solution.
Dynamic NAT maintains a pool of public IP addresses that are allocated to internal hosts on demand. When an internal host initiates an outbound connection, it receives a public IP from the pool for the duration of that session. When the connection ends, the public IP returns to the pool for use by other hosts.
This approach provides significant address conservation while maintaining the important property that each active internal host maps to a complete public IP (not just a port, as in PAT). This page explores Dynamic NAT in comprehensive depth: its configuration, operation, advantages, limitations, and appropriate use cases.
By the end of this page, you will understand how Dynamic NAT allocates addresses from a pool, the differences between Dynamic NAT and Static NAT, pool configuration and sizing, the translation lifecycle, oversubscription scenarios, and when Dynamic NAT is the appropriate choice versus PAT.
Dynamic NAT creates temporary, one-to-one mappings between internal host addresses and addresses from a configured pool of public IPs. Unlike Static NAT's permanent mappings, Dynamic NAT entries are created when traffic flows and expire after a timeout period.
Key Characteristics:
Pool-based allocation: Administrators define a range of public IPs (the "NAT pool") available for translation
First-come, first-served: Pool addresses are assigned dynamically as internal hosts request outbound access
Temporary mappings: Translations exist only while active and for a timeout period afterward, then the address returns to the pool
One-to-one while active: Each internal host receives a complete public IP during its session, not shared with others
No guaranteed address: The same internal host may receive different public IPs on different sessions
The Fundamental Trade-off:
Dynamic NAT occupies the middle ground—more address conservation than Static NAT, but less than PAT. Each internal host still gets a complete IP (not just ports), which matters for protocols that don't work well behind PAT.
Don't confuse 'Dynamic NAT' (pool-based allocation) with 'dynamic entries' in a NAT table. Even PAT creates dynamic entries. The term 'Dynamic NAT' specifically refers to allocating complete IP addresses from a pool without port translation. The key distinction is that Dynamic NAT maps entire addresses, while PAT maps address+port combinations.
Understanding Dynamic NAT's operation requires tracing the lifecycle of a translation from creation through expiration.
Phase 1: Pool Definition
The administrator configures:
NAT Pool Configuration:
┌────────────────────────────────────────────┐
│ Pool Name: INTERNET_POOL │
│ Addresses: 203.0.113.10 - 203.0.113.19 │
│ Available: 10 public IPs │
│ Timeout: 300 seconds (idle) │
└────────────────────────────────────────────┘
Phase 2: Translation Request
When internal host 192.168.1.50 initiates a connection to 198.51.100.10:
Dynamic NAT Translation Lifecycle
=================================

Step 1: Initial State (pool fully available)
--------------------------------------------
Pool Status: 10/10 available
[203.0.113.10] [203.0.113.11] [203.0.113.12] [203.0.113.13] [203.0.113.14]
[203.0.113.15] [203.0.113.16] [203.0.113.17] [203.0.113.18] [203.0.113.19]

Active NAT Table: (empty)

Step 2: Host A (192.168.1.50) initiates connection
--------------------------------------------------
Pool Status: 9/10 available
[ALLOCATED]    [203.0.113.11] [203.0.113.12] [203.0.113.13] [203.0.113.14]
[203.0.113.15] [203.0.113.16] [203.0.113.17] [203.0.113.18] [203.0.113.19]

Active NAT Table:
| Inside Local | Inside Global | Type | Timeout | State |
|---|---|---|---|---|
| 192.168.1.50 | 203.0.113.10 | DYNAMIC | 300s | ACTIVE |

Step 3: Hosts B and C connect
-----------------------------
Pool Status: 7/10 available

Active NAT Table:
| Inside Local | Inside Global | Type | Timeout | State |
|---|---|---|---|---|
| 192.168.1.50 | 203.0.113.10 | DYNAMIC | 300s | ACTIVE |
| 192.168.1.60 | 203.0.113.11 | DYNAMIC | 300s | ACTIVE |
| 192.168.1.70 | 203.0.113.12 | DYNAMIC | 300s | ACTIVE |

Step 4: Host A finishes, timeout expires
----------------------------------------
Pool Status: 8/10 available (203.0.113.10 returned to pool)

Active NAT Table:
| Inside Local | Inside Global | Type | Timeout | State |
|---|---|---|---|---|
| 192.168.1.60 | 203.0.113.11 | DYNAMIC | 150s | ACTIVE |
| 192.168.1.70 | 203.0.113.12 | DYNAMIC | 275s | ACTIVE |

Phase 3: Translation Active Period
While the translation exists:
Outbound packets from 192.168.1.50 leave with source address 203.0.113.10, and packets arriving for 203.0.113.10 are rewritten to 192.168.1.50 whatever port they are addressed to (a simple, non-extended entry maps the whole address, not an address+port pair)
Each translated packet in either direction resets the idle timer
No other inside host can be assigned 203.0.113.10
Phase 4: Translation Expiration
When no traffic flows for the timeout period:
The entry is removed from the translation table and 203.0.113.10 returns to the pool
Packets still arriving for 203.0.113.10 match no entry and are dropped
The next outbound packet from 192.168.1.50 creates a fresh entry from whichever address is free at that moment, not necessarily 203.0.113.10
Unlike Static NAT, Dynamic NAT does not let external hosts reach an internal host that has no active translation. There is no permanent mapping: a pool address is allocated only when the internal host initiates outbound traffic, so an inbound packet for an unallocated pool address has no destination mapping and is dropped. The caveat practitioners should keep in mind is the other half of that statement: while a simple entry is active (and for the idle timeout after the host's last packet), the whole public address maps to that host, so any outside party can reach it on any port for that window. The translation table is session state, not a security control; a stateful firewall policy on the outside interface is still required.
Dynamic NAT's value comes from oversubscription—having more internal hosts than public addresses, betting that not all hosts need translations simultaneously. Proper pool sizing is critical for avoiding exhaustion.
The Oversubscription Calculation:
Oversubscription Ratio = Internal Hosts / Pool Size
Example: 100 internal hosts / 10 pool addresses = 10:1 oversubscription
Factors Affecting Required Pool Size:
| Factor | Impact on Pool Size | Consideration |
|---|---|---|
| Concurrent Usage | Higher = More addresses needed | What % of hosts are active simultaneously? |
| Session Duration | Longer = More addresses needed | Do connections persist for hours or seconds? |
| Timeout Configuration | Longer = More addresses held | Balance between reuse and premature expiration |
| Peak vs Average | Size for peaks, not averages | Consider 9 AM login storms, business hours |
| Growth Projections | Plan for 2-3x current scale | Address exhaustion impacts users immediately |
What Happens When the Pool Exhausts?
When all pool addresses are in use and a new internal host requests translation, the packet is dropped and the pool's miss counter increments. The host has no outside connectivity until some other host's entry idles out and frees an address, unless PAT fallback is configured (covered below). Because exhaustion is silent to the user apart from failed connections, it is usually first reported as "the Internet is down for some people".
Monitoring Pool Utilization:
Proactive monitoring prevents exhaustion surprises:
```text
# Cisco IOS pool monitoring
Router# show ip nat statistics
Total active translations: 247 (5 static, 242 dynamic; 150 extended)
Peak translations: 312, occurred 14:23:05 ago
Outside interfaces:
  GigabitEthernet0/1
Inside interfaces:
  GigabitEthernet0/0
...
 Pool INTERNET_POOL: total addresses 10, allocated 8, misses 3
                                                      ^^^^^^^^
                                          pool exhaustion events
# "misses" counts outbound packets that found no free pool address and
# were dropped. A rising counter means the pool is undersized (or entries
# are held too long by the idle timeout).
```

```shell
# Linux: conntrack holds the NAT table. -C counts all tracked flows, not pool
# addresses; -S shows per-CPU counters, where insert_failed and drop mean
# lost flows.
conntrack -C
conntrack -S
# cpu=0 found=0 invalid=0 insert=0 insert_failed=0 drop=0 ...

# Pool utilization is the number of distinct translated source addresses held
# by source-NAT entries. In "conntrack -L" output each line carries the
# original tuple and then the reply tuple, whose dst= is the translated
# address, so the last dst= on the line is the pool address in use.
POOL_SIZE=10
THRESHOLD=8   # alert at 80%
CURRENT=$(conntrack -L --src-nat 2>/dev/null \
          | sed -n 's/.*dst=\([0-9.]*\).*/\1/p' \
          | sort -u | wc -l)
if [ "$CURRENT" -ge "$THRESHOLD" ]; then
  echo "NAT pool at $(( CURRENT * 100 / POOL_SIZE ))% - approaching exhaustion"
fi
```

Rules of thumb for office networks with typical browsing patterns, expressed as pool addresses per internal host. Remember that in pure Dynamic NAT every simultaneously active host needs its own address, so the ratio is a bet on how many hosts are active at once:
Aggressive: 1 pool address per 10 hosts
Moderate: 1 pool address per 5-8 hosts
Conservative: 1 pool address per 3-5 hosts
For servers or heavy users (video conferencing, streaming), consider 1:2 or 1:3 ratios. Always monitor actual usage before right-sizing.
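The monitoring logic above, as an added worked example written for this page (not Cisco, netfilter or project code): it parses the pool line from "show ip nat statistics" and, for Linux, counts the distinct translated addresses in "conntrack -L" output, then applies the 80% and miss-counter checks. Both input samples are constructed in the shape of the real output; the pool names, addresses and counters are assumptions.

```python
"""Pool-utilization check over NAT state (added example, not vendor code).

Two sources are parsed: the pool line of 'show ip nat statistics' on Cisco
IOS, and 'conntrack -L --src-nat' output on Linux, where the pool really is
the set of distinct translated source addresses held by SNAT entries.
"""
import re

# Constructed sample in the shape of the IOS output (not captured from a device).
IOS_STATS = """\
Total active translations: 247 (5 static, 242 dynamic; 150 extended)
Peak translations: 312, occurred 14:23:05 ago
Outside interfaces:
  GigabitEthernet0/1
Inside interfaces:
  GigabitEthernet0/0
 pool INTERNET_POOL: total addresses 10, allocated 8, misses 3
 pool GUEST_POOL: total addresses 4, allocated 1, misses 0
"""

# Constructed sample in the shape of 'conntrack -L' output. Each line carries the
# original tuple (src= dst=) and then the reply tuple (src= dst=); for a
# source-NATed flow the reply tuple's dst= is the translated (pool) address.
# The last line is an un-translated flow and must not be counted.
CONNTRACK_LIST = """\
tcp      6 431999 ESTABLISHED src=192.168.1.50 dst=198.51.100.10 sport=40000 dport=80 src=198.51.100.10 dst=203.0.113.10 sport=80 dport=40000 [ASSURED] mark=0 use=1
tcp      6 299 ESTABLISHED src=192.168.1.60 dst=198.51.100.20 sport=51000 dport=443 src=198.51.100.20 dst=203.0.113.11 sport=443 dport=51000 [ASSURED] mark=0 use=1
udp     17 29 src=192.168.1.60 dst=198.51.100.53 sport=5353 dport=53 src=198.51.100.53 dst=203.0.113.11 sport=53 dport=5353 mark=0 use=1
tcp      6 100 TIME_WAIT src=192.168.1.70 dst=198.51.100.30 sport=40500 dport=22 src=198.51.100.30 dst=203.0.113.12 sport=22 dport=40500 [ASSURED] mark=0 use=1
tcp      6 120 ESTABLISHED src=192.168.1.1 dst=192.168.1.200 sport=22 dport=41000 src=192.168.1.200 dst=192.168.1.1 sport=41000 dport=22 [ASSURED] mark=0 use=1
"""

POOL_LINE = re.compile(
    r"pool (?P<name>\S+): total addresses (?P<total>\d+), allocated (?P<allocated>\d+)"
    r"(?: \(\d+%\))?, misses (?P<misses>\d+)", re.IGNORECASE)
TUPLE = re.compile(r"src=(\S+) dst=(\S+)")


def parse_ios_pools(text):
    """Return {pool name: {'total', 'allocated', 'misses'}} from show ip nat statistics."""
    pools = {}
    for m in POOL_LINE.finditer(text):
        pools[m["name"]] = {k: int(m[k]) for k in ("total", "allocated", "misses")}
    return pools


def snat_addresses_in_use(conntrack_text, pool):
    """Distinct pool addresses currently held by source-NAT entries in conntrack."""
    in_use = set()
    for line in conntrack_text.splitlines():
        tuples = TUPLE.findall(line)
        if len(tuples) < 2:
            continue
        orig_src, reply_dst = tuples[0][0], tuples[1][1]
        # reply_dst == orig_src means the flow was not source-translated
        if reply_dst != orig_src and reply_dst in pool:
            in_use.add(reply_dst)
    return in_use


def assess(total, allocated, misses, warn_pct=80):
    """Return (utilization %, list of alert strings) for one pool."""
    pct = round(100 * allocated / total)
    alerts = []
    if misses:
        alerts.append(f"{misses} misses: outbound flows refused because no pool address was free")
    if pct >= warn_pct:
        alerts.append(f"{pct}% of pool addresses allocated (threshold {warn_pct}%)")
    return pct, alerts


if __name__ == "__main__":
    for name, stats in parse_ios_pools(IOS_STATS).items():
        pct, alerts = assess(**stats)
        print(f"{name}: {stats['allocated']}/{stats['total']} ({pct}%)", *alerts, sep="\n  ")
    linux_pool = {f"203.0.113.{i}" for i in range(10, 20)}
    used = snat_addresses_in_use(CONNTRACK_LIST, linux_pool)
    pct, alerts = assess(len(linux_pool), len(used), 0)
    print(f"linux: {len(used)}/{len(linux_pool)} ({pct}%)", *alerts, sep="\n  ")
```

The Linux check deliberately ignores the flow count: two hosts holding one long-lived connection each occupy two pool addresses, while one host with a thousand flows occupies one, which is why comparing "conntrack -C" against the pool size says nothing about exhaustion.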
Configuring Dynamic NAT requires defining the pool, specifying which internal hosts can use it, and associating the two.
```text
! Cisco IOS Dynamic NAT Configuration
! ===================================

! Step 1: Define the NAT pool
! Syntax: ip nat pool <name> <start-ip> <end-ip> netmask <mask>
ip nat pool INTERNET_POOL 203.0.113.10 203.0.113.19 netmask 255.255.255.0

! Alternative: use prefix-length instead of netmask
! ip nat pool INTERNET_POOL 203.0.113.10 203.0.113.19 prefix-length 24

! Step 2: Define which internal hosts may be translated (standard ACL)
! The ACL only selects candidate source addresses; it is not a security
! filter. A permissive entry such as "permit any" lets any inside source,
! spoofed or not, consume pool addresses.
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 10 permit 192.168.2.0 0.0.0.255

! Step 3: Associate the ACL with the pool
! Syntax: ip nat inside source list <acl> pool <pool-name>
ip nat inside source list 10 pool INTERNET_POOL

! Step 4: Identify inside and outside interfaces
interface GigabitEthernet0/0
 description LAN Interface
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 description Internet Interface
 ip address 203.0.113.1 255.255.255.0
 ip nat outside
!
! The pool (203.0.113.10-19) lies inside the outside interface's /24, so the
! router answers ARP for the pool addresses itself. A pool taken from a
! separate block must instead be routed to this router by the upstream device.

! Verification Commands:
! show ip nat pool name INTERNET_POOL
! Pool INTERNET_POOL:
!   start 203.0.113.10 end 203.0.113.19, total addresses 10
!   misses 0
!
! show ip nat translations
! Pro Inside global      Inside local       Outside local      Outside global
! --- 203.0.113.10       192.168.1.50       ---                ---
! --- 203.0.113.11       192.168.1.60       ---                ---
```

Understanding when to use Dynamic NAT versus Static NAT requires understanding their fundamental differences and appropriate use cases.
| Characteristic | Static NAT | Dynamic NAT |
|---|---|---|
| Mapping Duration | Permanent (until removal) | Temporary (timeout-based) |
| Configuration | Each mapping explicitly defined | Pool defined, mappings automatic |
| Inbound Connections | Always allowed (mapping exists) | Only while translation active |
| Address Consistency | Same IP every time | Different IP possible each session |
| Address Conservation | None (1:1 always) | Good (pool shared) |
| Primary Use | Servers needing inbound access | Clients that each need a whole address while active |
| Pool Exhaustion Risk | None (no pool) | Yes, if pool undersized |
In most modern networks, Dynamic NAT (pure pool) is rarely used alone. The typical choice is:
• Servers: Static NAT (permanent mapping)
• Clients: PAT (port-based sharing of one IP)
Dynamic NAT fits a narrow use case: when you have adequate pool addresses AND need each client to have a distinct IP (not just port). This scenario is uncommon, making Dynamic NAT the least frequently deployed NAT type in practice.
A configuration you will meet in production is a pool with the overload keyword, usually described, as this section's title does, as Dynamic NAT with PAT fallback. On Cisco IOS that description is inexact. Once overload is present, every entry is an extended (address+port) entry: the router allocates ports on the first pool address and moves to the next address only when that one's port range is exhausted, so no host receives a dedicated address. What you actually get is PAT with several addresses to spread across, which does deliver the safety net: a new connection is never refused for lack of a pool address.
How it works:
A genuine one-to-one-first policy, where hosts receive whole pool addresses while any are free and PAT is used only once the pool is empty, has to be supported explicitly by the platform. Cisco ASA does this with 'nat (inside,outside) dynamic POOL interface', which falls back to PAT on the outside interface address when the pool is empty. The IOS overload keyword does not behave that way, and a 'pool ... overload' statement never falls back to the interface address.
Cisco IOS Configuration:

```text
! Pool with the overload keyword (PAT spread across a pool)
! ========================================================

! Define the pool
ip nat pool DYNAMIC_POOL 203.0.113.10 203.0.113.14 netmask 255.255.255.0

! Define internal hosts
access-list 10 permit 192.168.1.0 0.0.0.255

! Associate with the OVERLOAD keyword
ip nat inside source list 10 pool DYNAMIC_POOL overload

! Behaviour on IOS:
! -----------------
! All entries are extended (address+port). Ports are allocated on
! 203.0.113.10 first; 203.0.113.11 is used only when .10 runs out of
! ports, and so on. No host gets a dedicated address, and translation
! never fails for lack of a pool address.

! For comparison: the usual client configuration is PAT on the outside
! interface address with no pool at all (use this OR the pool statement
! above for ACL 10, not both)
interface GigabitEthernet0/1
 ip address 203.0.113.1 255.255.255.0
 ip nat outside
!
ip nat inside source list 10 interface GigabitEthernet0/1 overload

! View translations (all extended once overload is configured):
! show ip nat translations
! Pro Inside global        Inside local        Outside local      Outside global
! tcp 203.0.113.10:1024    192.168.1.50:50000  198.51.100.1:80    198.51.100.1:80
! tcp 203.0.113.10:1025    192.168.1.80:5000   198.51.100.1:80    198.51.100.1:80
```

Unless you have a specific requirement for pure Dynamic NAT (each host MUST have its own IP), configure with 'overload'. Connections then never fail because the pool ran dry. The cost is that hosts share addresses and every entry carries a port, so the one-whole-address-per-host property this page has been describing is gone; hosts that depend on it need Static NAT instead.
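The lifecycle traced in Phases 2 to 4 above (allocation on the first outbound packet, refresh on traffic, return to the pool after the idle timeout, drop of inbound packets that match no entry), the pool-exhaustion case, and the one-to-one-first, PAT-on-exhaustion policy just discussed, as one added runnable model written for this page. It is not Cisco code and does not reproduce the IOS overload behaviour; it assumes lowest-free-address allocation and that fallback PAT entries share the last pool address, and the hosts, addresses and timestamps in the walkthrough are constructed.

```python
"""Model of a Dynamic NAT pool: on-demand one-to-one allocation, idle timeout,
exhaustion, and an optional PAT fallback (added example, not vendor code)."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional


@dataclass
class Translation:
    inside_local: str
    inside_global: str
    port: Optional[int]   # None: simple one-to-one entry; int: extended (PAT) entry
    last_seen: float      # time of the last translated packet, either direction


class DynamicNatPool:
    """Assumed policy: lowest free pool address first; with overload=True a host
    that finds the pool empty shares the LAST pool address via a unique port."""

    def __init__(self, start, end, idle_timeout=300, overload=False, first_pat_port=1024):
        lo, hi = int(IPv4Address(start)), int(IPv4Address(end))
        self.pool = [str(IPv4Address(a)) for a in range(lo, hi + 1)]
        self.idle_timeout = idle_timeout
        self.overload = overload
        self.next_port = first_pat_port
        self.active = {}      # inside_local -> Translation
        self.misses = 0       # outbound packets dropped for lack of a pool address

    def _expire(self, now):
        for local, t in list(self.active.items()):
            if now - t.last_seen >= self.idle_timeout:
                del self.active[local]        # address goes back to the pool

    def free_addresses(self, now):
        self._expire(now)
        held = {t.inside_global for t in self.active.values() if t.port is None}
        return [a for a in self.pool if a not in held]

    def outbound(self, inside_local, now):
        """Packet from an inside host: reuse its entry or create one."""
        free = self.free_addresses(now)
        t = self.active.get(inside_local)
        if t is not None:
            t.last_seen = now
            return t
        if free:
            t = Translation(inside_local, free[0], None, now)
        elif self.overload:
            t = Translation(inside_local, self.pool[-1], self.next_port, now)
            self.next_port += 1
        else:
            self.misses += 1
            return None                       # pool exhausted: packet dropped
        self.active[inside_local] = t
        return t

    def inbound(self, inside_global, now, dport=None):
        """Packet from outside to a pool address: deliverable only while an entry
        exists. A simple entry accepts any port; a PAT entry only its own port."""
        self._expire(now)
        candidates = [t for t in self.active.values() if t.inside_global == inside_global]
        for t in sorted(candidates, key=lambda t: t.port is None):   # exact port first
            if t.port is None or t.port == dport:
                t.last_seen = now
                return t.inside_local
        return None                           # no mapping: dropped


def walkthrough():
    """Replays the page's lifecycle: three hosts, host A idles out, stale inbound dropped."""
    nat = DynamicNatPool("203.0.113.10", "203.0.113.19", idle_timeout=300)
    a = nat.outbound("192.168.1.50", now=0)
    nat.outbound("192.168.1.60", now=10)
    nat.outbound("192.168.1.70", now=25)
    avail_before = len(nat.free_addresses(now=25))          # 7
    reply = nat.inbound("203.0.113.10", now=50)              # reaches host A on any port
    unsolicited = nat.inbound("203.0.113.15", now=50)        # no entry: dropped
    nat.outbound("192.168.1.60", now=200)                    # B and C keep talking
    nat.outbound("192.168.1.70", now=250)
    avail_after = len(nat.free_addresses(now=350))           # A idle since 50: expired
    stale = nat.inbound("203.0.113.10", now=350)             # A's address is free again
    return a.inside_global, avail_before, reply, unsolicited, avail_after, stale


def exhaustion(overload):
    """Two-address pool, third host: drop (miss) or PAT on the last address."""
    nat = DynamicNatPool("203.0.113.10", "203.0.113.11", overload=overload)
    nat.outbound("10.0.0.1", 0)
    nat.outbound("10.0.0.2", 0)
    return nat.outbound("10.0.0.3", 0), nat.misses


if __name__ == "__main__":
    print(walkthrough())
    print(exhaustion(overload=False))
    print(exhaustion(overload=True))
```

In the overload case the third host's extended entry shares 203.0.113.11 with the second host's simple entry, and inbound delivery is disambiguated by port: a packet to port 1024 reaches 10.0.0.3, any other port reaches 10.0.0.2. That is exactly the window the section on inbound connections warns about, and it is why pure Dynamic NAT needs a firewall policy in front of it.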
Dynamic NAT occupies a niche position between Static NAT and PAT. Understanding its appropriate applications prevents both underutilization and misapplication.
Why Dynamic NAT is Uncommon:
In practice, most organizations face this decision:
The "unique IPs required" scenario is uncommon because:
This is why you'll encounter PAT (covered next) far more frequently than pure Dynamic NAT.
While Dynamic NAT is a testable exam topic, in production environments PAT dominates client NAT scenarios by a large margin. Many networks never deploy pure Dynamic NAT. Understanding it matters for complete NAT knowledge, but PAT proficiency is more practically relevant.
We've thoroughly examined Dynamic NAT, the pool-based address translation mechanism that provides address conservation while maintaining one-to-one IP mappings per session.
What's Next:
While Dynamic NAT conserves addresses compared to Static NAT, it still requires multiple public IPs. The ultimate address conservation technology is Port Address Translation (PAT), also called NAT Overload. PAT allows thousands of internal hosts to share a single public IP by differentiating connections based on port numbers. This is by far the most common NAT type in production networks, and we'll explore it comprehensively in the next page.
You now understand Dynamic NAT's pool-based operation, configuration, sizing considerations, and appropriate use cases. You can evaluate when Dynamic NAT is appropriate versus Static NAT or PAT, and configure it with PAT fallback for production resilience.