About This Tool

🌐 NAT Subnet Planner – Design and Document Your Network Address Translation Policies

Network Address Translation (NAT) is the cornerstone technology that allows organisations to connect private IPv4 networks to the public internet using a small pool of public IP addresses. This planner covers all three major NAT modes — Static NAT, Dynamic NAT, and PAT/Overload — and generates ready-to-paste Cisco IOS configuration snippets, structured JSON output, and full NAT translation tables.

Understanding the Three NAT Types

Static NAT (One-to-One)

Static NAT creates a permanent, bidirectional mapping between one private (inside local) IP address and one public (inside global) IP address. Because the mapping is fixed, inbound sessions initiated from the internet can reach the internal host — making Static NAT ideal for servers that must be publicly accessible, such as web servers, mail relays, and VPN concentrators.

Key formula: You need at least as many public IPs as usable private hosts. For a /24 inside subnet (254 usable hosts), you need 254 public IPs in your pool. If the public pool is smaller, the tool flags a pool exhaustion warning and shows how many hosts remain unserviced.

Dynamic NAT (Pool-Based)

Dynamic NAT maps private hosts to the next available IP from a finite public pool on demand. When all pool IPs are in use, additional translation attempts are dropped until a slot frees up. This mode works well when concurrent internet usage is predictable and lower than the total host count.

The oversubscription ratio (inside hosts ÷ public IPs) indicates demand pressure. A ratio of 5:1 means five private hosts compete for each public IP. Dynamic NAT tolerates moderate oversubscription if not all hosts are active simultaneously, but ratios above 10:1 risk frequent translation failures.

PAT / NAT Overload (Many-to-One)

Port Address Translation (PAT), also called NAT Overload, multiplexes thousands of private hosts behind a single public IP address by tagging each session with a unique source port number. The NAT device maintains a translation table mapping each insideLocalIP:port to publicIP:assignedPort.

Maximum simultaneous sessions equal the number of ports in the configured range. The standard ephemeral range 1024–65535 provides 64,512 ports per public IP — enough for most enterprise networks. The planner estimates sessions-per-host so you can verify your PAT pool can handle peak load.

RFC-1918 Private Address Ranges

RFC-1918 reserves three IPv4 blocks for private use that must never appear as source addresses on the public internet:

Range     CIDR             Hosts
Class A   10.0.0.0/8       16,777,214
Class B   172.16.0.0/12    1,048,574
Class C   192.168.0.0/16   65,534

The planner warns you if you enter a non-RFC-1918 range as your inside network (unusual but valid for certain carrier-grade scenarios) or use a private range as your outside pool (which would indicate a double-NAT topology rather than direct internet access).

Key Metrics Explained

The planner generates five summary metrics at a glance:

  • Inside Hosts: usable host count in the inside subnet, 2^(32 − prefix) − 2 (network and broadcast addresses are excluded).
  • Public IPs: usable IPs in the outside pool, calculated the same way for CIDR input or counted directly for a single IP.
  • Oversubscription Ratio: insideHosts / publicIPs. Colour-coded green (≤1:1), amber (1:1–10:1), or red (>10:1).
  • PAT Max Sessions: portEnd − portStart + 1; the total port capacity of the PAT translation table.
  • Sessions per Host: patSessions / insideHosts; estimated port budget available per device.
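
The metrics and warnings described above, worked through as an added Python example (not MonoCalc's own code). The names plan_nat, usable and is_rfc1918, the NAT type labels, and the clamp to 0 for /31 and /32 prefixes are assumptions; the inputs are the sample ranges used on this page.

```python
import ipaddress

# RFC-1918 blocks listed on the page. ipaddress.is_private is deliberately not
# used: it also covers documentation ranges such as 203.0.113.0/24.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(net):
    return any(net.subnet_of(block) for block in RFC1918)

def usable(spec):
    """Return (network, usable address count) for a CIDR or single-IP string."""
    net = ipaddress.ip_network(spec, strict=False)
    if "/" not in spec:
        return net, 1                       # a single IP is counted directly
    # 2^(32 - prefix) - 2; clamped at 0 for /31 and /32 (assumption)
    return net, max(2 ** (32 - net.prefixlen) - 2, 0)

def plan_nat(nat_type, inside, outside, port_start=1024, port_end=65535):
    """nat_type is 'static', 'dynamic' or 'pat' (hypothetical labels)."""
    inside_net, hosts = usable(inside)
    outside_net, public_ips = usable(outside)
    warnings = []
    if not is_rfc1918(inside_net):
        warnings.append("inside network is not RFC-1918")
    if is_rfc1918(outside_net):
        warnings.append("outside pool is private: double-NAT topology")
    ratio = hosts / public_ips if public_ips else float("inf")
    result = {"inside_hosts": hosts, "public_ips": public_ips,
              "ratio": ratio, "warnings": warnings}
    if nat_type == "static" and public_ips < hosts:
        warnings.append(f"pool exhaustion: {hosts - public_ips} hosts unserviced")
    elif nat_type == "dynamic" and ratio > 10:
        warnings.append("ratio above 10:1 risks frequent translation failures")
    elif nat_type == "pat":
        sessions = port_end - port_start + 1      # ports in the PAT range
        result["pat_max_sessions"] = sessions
        result["sessions_per_host"] = sessions / hosts if hosts else 0
    return result

if __name__ == "__main__":
    # Constructed inputs taken from the page's own examples.
    for kind in ("static", "dynamic", "pat"):
        print(kind, plan_nat(kind, "192.168.1.0/24", "203.0.113.0/28"))
```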

Cisco IOS Configuration Output

Switch to the Cisco IOS output tab to generate a ready-to-paste configuration block for Cisco routers and ASA firewalls. The snippet includes interface NAT direction statements (ip nat inside / ip nat outside), extended ACL definitions, pool declarations, and source translation commands — tailored to your selected NAT type. Customise the interface names, pool name, and ACL name using the optional label fields before calculating.

Typical Workflow

  1. Select the NAT type appropriate to your design (PAT for internet access, Static for servers).
  2. Enter the inside subnet in CIDR notation (e.g., 192.168.1.0/24).
  3. Enter the public IP or CIDR pool allocated by your ISP (e.g., 203.0.113.0/28).
  4. Optionally fill in interface labels, pool name, and ACL name for config generation.
  5. Click Calculate to view the summary, translation table, and config snippet.
  6. Copy the Cisco IOS snippet directly into your change-management ticket or router terminal.

Frequently Asked Questions

Is the NAT Subnet Planner free?

Yes, NAT Subnet Planner is totally free :)

Can I use the NAT Subnet Planner offline?

Yes, you can install the webapp as a PWA.

Is it safe to use NAT Subnet Planner?

Yes, any data related to NAT Subnet Planner is stored only in your browser (if storage is required). You can simply clear your browser cache to clear all the stored data. We do not store any data on the server.

How does the NAT Subnet Planner work?

Enter your inside (private) subnet in CIDR notation and your outside (public) IP pool, then choose a NAT type. The tool computes usable host counts, oversubscription ratios, and generates a full NAT translation table or Cisco IOS config snippet depending on the selected mode.

What is the difference between Static NAT, Dynamic NAT, and PAT?

Static NAT permanently maps each private IP to a dedicated public IP (one-to-one). Dynamic NAT assigns a public IP from a pool on demand (first-come, first-served). PAT (Port Address Translation, also called NAT Overload) multiplexes all private hosts behind a single public IP using unique source port numbers.

What does oversubscription ratio mean?

The oversubscription ratio (insideHosts / publicIPs) shows how many private hosts compete for each public IP. A ratio of 10:1 means 10 private hosts share one public IP. That is fine for Dynamic NAT as long as the hosts are not all active at once; having them all use the same IP simultaneously is only possible with PAT, where ports distinguish sessions.

How many concurrent sessions can PAT support?

PAT capacity equals the number of ports in the configured range (default 1024–65535 = 64,512 ports per public IP). Each active session consumes one port, so maximum simultaneous sessions equals the port range size. The planner also estimates sessions per host based on your inside subnet size.

Why does my Static NAT show an error when the public pool is too small?

Static NAT requires a one-to-one mapping: you need at least as many usable public IPs as there are usable private hosts. If your public pool has fewer IPs than your inside subnet has hosts, the tool flags a pool exhaustion error and shows how many hosts are left unserviced.

What are RFC-1918 private address ranges?

RFC-1918 defines three private IPv4 ranges that should not be routed on the public internet: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. These are the typical 'inside local' addresses in NAT configurations. The planner warns you if you use a non-RFC-1918 range as your inside network or a private range as your outside pool.