Skip to content

Dynamic NAT

    Dynamic NAT

    This article is a part of a series on Network Address Translation (NAT). Use the navigation boxes to view the rest of the articles.


    Network Address Translation

    According to the definitions outlined in the NAT Terminology article, a Dynamic NAT implies a translation of just the IP address, where the post-translation attributes are selected by the router.

    In a Dynamic NAT, a multitude of hosts with private IP addresses can share an equal or fewer amount of public IP addresses.

    It may seem very similar to a Dynamic PAT, but the major difference is this is a NAT – the port number is not changing, only the IP address. Which means a single public IP address cannot be shared among multiple internal Hosts at the same time (as occurs with a Dynamic PAT).

    It is best explained with an illustration.

    Dynamic NAT Illustration

    Dynamic NAT - Four hosts sharing three IPs

    In the image we have a Router with an Inside network ( with four hosts (.71, .72, .73, .74). The Router is configured with a Dynamic NAT which states the hosts on the Inside network can share three public IP addresses:,, and

    Host A ( initiates a connection to, and the Router assigns Host A the public IP

    Host B ( initiates a connection to, and the Router assigns Host B the public IP

    Host C ( initiates a connection to, and the Router assigns Host C the public IP

    At this point, all the shared IP addresses have been used. Because of this, when Host D ( attempts to initiate a connection to, the packet is dropped because there are no available public IP addresses the router can use to translate Host D’s private IP address.

    While Host A/B/C have active connections through the Dynamic NAT, communication to those hosts are Bidirectional. Which means any host on the Internet can send packets to, .2, and .3 to reach Host A/B/C, respectively. We will expand on this in a moment.

    When Host A is finished with its connection, the IP address it was assigned ( becomes available again for the next internal host to use:

    Dynamic NAT - IP Address becomes available

    Here, we see Host D can now initiate a connection through the Dynamic NAT and receives the next available IP address.

    In all cases, since this is a Dynamic NAT, only the IP address changed – the source port picked by the internal host remains the source port in the packet after translation.

    Additionally, a Dynamic NAT has the potential to conserve IP addresses if configured as above where multiple internal hosts are sharing fewer Public IP addresses. However, you’ll see in a moment that Dynamic NAT is not always configured in that fashion.


    Benefits and Use Cases for Dynamic NAT

    The main use case for a Dynamic NAT is that while the translation is active it has the benefit of being bidirectional, just like a Static NAT.

    For example, in the images above, Host B ( has an active connection and was assigned the public IP address So long as the connection is active in the Router’s translation able, any host on the Internet can send packets to and they will reach Host B.

    In a way, a Dynamic NAT assigns a temporary “dedicated IP” to each internal host (so long as IP addresses are available). Or, said another way, a Dynamic NAT creates a temporary Static NAT.

    There are two primary use cases for Dynamic NAT. The first is to allow for protocols which create a secondary, dynamic connection back to the client. The second is if you need a Bidirectional mapping of Private IPs to Public IPs, but don’t particularly care about the explicit mapping between the two.

    File Transfer Protocol and Dynamic NAT

    The initial intent of a Dynamic NAT was to allow for protocols which create a second, dynamic connection back to the client. The main example of which is the File Transfer Protocol, or FTP.

    FTP clients initiate outbound connections to FTP servers over destination port TCP/21. This connection serves as what FTP considers the control channel.

    Over the control channel, a FTP client makes a request for a file and provides a random port number to the Server. The FTP Server then initiates a second connection back to the client from source port TCP/20, to the destination port provided by the client in the control channel. It is over this second connection that the file is actually transferred – this second connection is what FTP considers the data channel.

    The issue is the data channel is a connection initiated from an external host on the Internet, destined to a host behind the Router. In a Dynamic PAT, which only allows connections initiated from the internal hosts, the data channel connection would be dropped.

    But with a Dynamic NAT, the inbound data channel connection would be able to pass through the translation and the clients on the Inside server would be able to successfully use FTP to access files on the Internet.

    The above describes the classic implementation of FTP known as Active FTP. There is a more modern implantation of FTP known as Passive FTP which does not require FTP clients to sit behind a Dynamic NAT, and instead allows them to sit behind the much more ubiquitous Dynamic PAT.


    Dynamic Bidirectional Mappings

    Beyond the case of dynamic protocols described above, one other usage for a Dynamic NAT is if you have an equal number of Public IP addresses as you do Private hosts, and don’t particularly care which host get which public IP address, so long as each host gets one.

    An example of such a case would be if the Router above could be configured to Dynamic NAT the entire network into the entire network. All 256 IP addresses in the Private range would receive an associated IP address on the Public range.

    This would be the same effect of creating 256 individual Static NAT entries, except since the Dynamic NAT is Dynamic, there wouldn’t be an explicit mapping of a Private IP to a Public IP. The Router would be choosing which Private addresses map to which Public addresses.

    If a particular deployment doesn’t necessarily care for a permanent, explicit mapping of private to public IP addresses, then Dynamic NAT could be used as a type of short cut to configuring 256 individual Static NAT entries.

    When configured in this manner, a Dynamic NAT does not actually conserve any IP addresses, since it would be necessary to have a public IP address for each private host.

    Disadvantages of Dynamic NAT

    Despite the potential use cases outlined above, in the grand scheme of things, a Dynamic NAT is the least common type of translation deployed. This is due to the mapping created by a Dynamic NAT being temporary by nature, and therefore inconsistent.

    In the first illustration above, Host A/B/C received the IP addresses,, respectively. A moment later, in the second illustration, Host A’s connection terminated, and Host D received the IP address If a moment after that, Host A attempted to communicate, there would be no available IP addresses and Host A’s packet would be dropped:

    Dynamic NAT - IP Address no longer available

    From Host A’s perspective, there was connectivity one moment, and no connectivity the next. This creates a generally poor experience for the user. And some of the most difficult for the network administrator to troubleshoot, as the connectivity issue is intermittent.


    Of course, running out of available addresses and losing connectivity would only occur when there are less public IP addresses available in your translation pool than you have internal hosts – as is the case above with four internal hosts sharing three public IP addresses.

    If you had a similar number of internal hosts and external IP addresses, as discussed in our second use-case example, you wouldn’t run into the inconsistent connectivity problem. However, you would still run into the issue of inconsistent IP addresses.

    For example, if there were no Host D in our illustration and there were just Hosts A/B/C sharing the IP addresses,, Host A may get for the first connection, for the next, and for the third. At any given time, Host A would have connectivity, but there is no telling which public IP address Host A would receive at any given time.

    Strictly speaking, this isn’t intrinsically a bad thing if you are using a Dynamic NAT for the specific case described above where you don’t necessarily need an explicit mapping.

    But non-deterministic configurations can lead to unexpected and unintended results. So as a general rule in the Network Engineering field, deterministic designs are more favorable than non-deterministic designs.

    Hence, if you have the public IP addresses available to give each of your private hosts a unique address, it is generally looked at as more favorable to configure multiple Static NAT translations instead of a single Dynamic NAT.


    It should be noted that often when discussing address translation people will use the term Dynamic NAT when they actually mean Dynamic PAT. For the reasons mentioned above, Dynamic NAT is rarely used in production. If a single IP address is shared among many internal users, and if the port number changes, than it is indeed a Dynamic PAT.


    Series Navigation

    Dynamic PAT >>Policy NAT and Twice NAT >>

    5 7 votes
    Article Rating
    Notify of

    Newest Most Voted
    Inline Feedbacks
    View all comments

    In this article, u r talking about active type of FTP which ofcourse would be possible in dynamic nat case but if it is a passive connection then dynamic pat should work i guess.

    Sorry i just read the yellow post and u have mentioned it there ..i guess i skiped that part by mistake

    This is a very well written article. Mentioning and recommending the deterministic design patterns as you noted in latter part of your article is a good foundation block for building security. I have a specific question regarding . Is there ever a use case to dynamically NAT an interface to a single ip address. E.G. Nat(inside,outside) dynamic . Is there a difference between that and this – Nat(inside,outside) static
    I would appreciate your insight

    Hi Ed,

    I have a single public IP – which is already NATted to (Proxy) using a Manual NAT as follows:

    ASA#config t
    object-group network Proxy-Out-Int
    network-object host

    object-group network Public-Int
    network-object host

    nat (inside,outside) source static Proxy-Out-Int Public-Int

    Now I have additional two proxies to deploy to leverage on the existing public IP (

    Can I create additional two STATIC NAT to achieve this, and will still get the new proxies to work, as shown below ?

    ASA#config t
    object-group network Proxy-Out-Int2
    network-object host

    ASA#config t
    object-group network Proxy-Out-Int3
    network-object host

    nat (inside,outside) source static Proxy-Out-Int2 Public-Int
    nat (inside,outside) source static Proxy-Out-Int3 Public-Int

    OR should I just remove the existing MANUAL (STATIC) NAT and put in an entire new config for MANUAL (DYNAMIC) NAT ?, see below

    ASA#config t
    object-group network Proxy-Out-Int

    object-group network Public-Int
    network-object host

    nat (inside,outside) source dynamic Proxy-Out-Int Public-Int

    I would appreciate your help on this, thanks.

    Thanks, nice post

    If a single IP address is shared among many internal users, and if the port number changes, than it is indeed a Dynamic PAT.

    Typo: then

    Excellent articles; thanks.

    Great article, Ed! Thank you so much.

    Hi Ed,

    Thanks for the great articles. I continuously come back to these.

    In the dynamic NAT diagrams, the port is listed in the translation table. Is traffic from the outside that hits the NAT device with a destination address matching a post-translation address that is currently in the translation table untranslated and forwarded, or does this only happen if the destination port also matches the post-translation port?

    If so, is it true to say that strictly speaking dynamic NAT does not translate the port, but it does consider it?