
NAT Configuration

NAT (Network Address Translation) rewrites the private source address of packets leaving your network to a public address, and reverses the change on the replies. It lets many internal devices reach the internet through a limited pool of public IPs.

You need NAT when:

  • Your internal network uses private IPs (192.168.x.x, 10.x.x.x, 172.16-31.x.x) but needs internet access
  • You have more internal devices than available public IPs
  • You want to hide your internal addressing from the outside world (NAT obscures addresses, but it is not a firewall: inbound traffic still needs explicit filtering)
  • Your ISP only gives you one or a few public IPs

Understanding “inside” vs “outside” is critical for NAT configuration:

Private Network (Inside)        NAT Router               Internet (Outside)
┌─────────────────────┐        ┌─────────────┐          ┌──────────────────┐
│                     │        │             │          │                  │
│ PC: 192.168.10.10   ├────────┤ G0/0/0      │          │ Web Server       │
│ (Inside Local)      │ INSIDE │ (NAT)       │ OUTSIDE  │ 1.1.1.1          │
│                     │        │      S0/1/0 ├──────────┤ (Outside Global) │
│                     │        │ Translates  │          │                  │
└─────────────────────┘        │ to          │          └──────────────────┘
                               │ 203.0.113.5 │
                               │ (Inside     │
                               │  Global)    │
                               └─────────────┘

Inside = your private network (where devices live)
Outside = the internet or ISP network (where you're going)

  • Inside Local: Private IP address (e.g., 192.168.10.10)
  • Inside Global: Public IP address seen by the outside (e.g., 203.0.113.5)
  • Outside Local: IP address of external host as seen from inside (usually same as Outside Global)
  • Outside Global: Public IP address of external host (e.g., 8.8.8.8)

Static NAT

When to use: when you have a server (web, email, FTP) that external users must reach. The server needs a fixed public IP that never changes.

Maps one private IP to one public IP permanently.

Create static mapping:

Router(config)# ip nat inside source static 192.168.10.100 203.0.113.10

Parameters:

  • 192.168.10.100 - Replace with the private IP address of your internal server.
  • 203.0.113.10 - Replace with the public IP address assigned by your ISP.

Configure interfaces:

Router(config)# interface GigabitEthernet0/0/0
Router(config-if)# ip nat inside
Router(config-if)# exit
Router(config)# interface Serial0/1/0
Router(config-if)# ip nat outside

Parameters:

  • GigabitEthernet0/0/0 - Replace with your inside interface name (the one facing your internal network).
  • Serial0/1/0 - Replace with your outside interface name (the one facing your ISP/internet).

Full example:

! Map internal web server to public IP
Router(config)# ip nat inside source static 192.168.10.100 203.0.113.10
! Inside interface (LAN)
Router(config)# interface GigabitEthernet0/0/0
Router(config-if)# ip address 192.168.10.1 255.255.255.0
Router(config-if)# ip nat inside
Router(config-if)# exit
! Outside interface (Internet)
Router(config)# interface Serial0/1/0
Router(config-if)# ip address 203.0.113.1 255.255.255.252
Router(config-if)# ip nat outside

Parameters:

  • 192.168.10.0/24 - Replace with your internal network range.
  • 203.0.113.0/30 - Replace with your ISP-provided public IP block.
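The static entry above exposes every TCP and UDP port of 192.168.10.100 to the internet. As an added example (not part of the original page), the following narrows that to TCP 80 and 443: port-level static entries translate only those two ports, and an inbound ACL on the outside interface refuses anything else aimed at the published address. Because inbound packets are filtered before they are translated, the ACL has to name the inside global address 203.0.113.10, not the server's private address. The ACL name OUTSIDE-IN and the choice of ports are assumptions for the example.

```cisco
! Added example: publish only TCP 80 and 443 of the web server.
! Port-level static entries translate just those ports; 'extendable' lets
! several port mappings share the same inside global address.
ip nat inside source static tcp 192.168.10.100 80 203.0.113.10 80 extendable
ip nat inside source static tcp 192.168.10.100 443 203.0.113.10 443 extendable
!
! Inbound filter for the outside interface. Packets arriving from the internet
! are checked here BEFORE NAT runs, so the ACL must match the public
! (inside global) address 203.0.113.10, not 192.168.10.100.
ip access-list extended OUTSIDE-IN
 remark -- published web server: web ports only (assumed policy)
 permit tcp any host 203.0.113.10 eq 80
 permit tcp any host 203.0.113.10 eq 443
 deny   ip any host 203.0.113.10
 remark -- everything else (e.g. return traffic for PAT users) is left to the rest of your policy
 permit ip any any
!
interface GigabitEthernet0/0/0
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
!
interface Serial0/1/0
 ip address 203.0.113.1 255.255.255.252
 ip nat outside
 ip access-group OUTSIDE-IN in
```

After this, show ip nat translations lists the two mappings as tcp entries with 203.0.113.10:80 and 203.0.113.10:443 as the inside global address and --- in the outside columns. Add the log keyword to the deny line if you want refused attempts against the published address to show up in syslog.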

Dynamic NAT

When to use: when your ISP gives you several public IPs and you want to share them among internal users. Each active host borrows one address from the pool; once the pool is exhausted, no further hosts can be translated until an address is freed (by timeout or by clearing the entry).

Multiple private IPs share a pool of public IPs on a first-come, first-served basis.

Step 1: Create ACL to identify inside addresses

Router(config)# access-list 1 permit 192.168.10.0 0.0.0.255

Why an ACL? The ACL tells the router which inside source addresses are eligible for translation, so you control exactly which devices get NAT. For example, you might translate only user PCs and leave servers out. Two things to keep in mind: a deny (or no match) in this ACL means "do not translate", not "drop", so the packet is still forwarded with its private source address; and avoid ending the list with permit any, which would translate traffic you never intended to.

Parameters:

  • 1 - ACL number. Can be any standard ACL number (1-99 or 1300-1999).
  • 192.168.10.0 0.0.0.255 - Replace with your internal network and wildcard mask.

Step 2: Create NAT pool

Router(config)# ip nat pool PUBLIC-POOL 203.0.113.10 203.0.113.20 netmask 255.255.255.224

Parameters:

  • PUBLIC-POOL - Pool name. Replace with any descriptive name.
  • 203.0.113.10 - First public IP in the pool. Replace with your ISP-provided IP.
  • 203.0.113.20 - Last public IP in the pool. Replace with your ISP-provided IP.
  • 255.255.255.224 - Netmask of the subnet the pool addresses belong to. Both the first and the last pool address must fall inside it: 203.0.113.10-20 lies in 203.0.113.0/27. A /28 (255.255.255.240) would end at .15 and leave .16-.20 outside the subnet.

Step 3: Bind ACL to pool

Router(config)# ip nat inside source list 1 pool PUBLIC-POOL

This links the ACL (which IPs to translate) with the pool (what to translate them to).

Step 4: Configure interfaces

Router(config)# interface GigabitEthernet0/0/0
Router(config-if)# ip nat inside
Router(config-if)# exit
Router(config)# interface Serial0/1/0
Router(config-if)# ip nat outside

Full example:

! Define which inside addresses can be translated
Router(config)# access-list 1 permit 192.168.10.0 0.0.0.255
! Create pool of public IPs
Router(config)# ip nat pool PUBLIC-POOL 203.0.113.10 203.0.113.20 netmask 255.255.255.224
! Bind ACL to pool
Router(config)# ip nat inside source list 1 pool PUBLIC-POOL
! Inside interface
Router(config)# interface GigabitEthernet0/0/0
Router(config-if)# ip nat inside
Router(config-if)# exit
! Outside interface
Router(config)# interface Serial0/1/0
Router(config-if)# ip nat outside

Note: In this example, the pool contains 11 public IPs, meaning only 11 internal devices can be online simultaneously. Once all public IPs are in use, additional devices must wait for one to become available.
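As an added example that is not on the original page: the same dynamic NAT setup with an ACL that leaves the statically mapped server out of the dynamic pool, and a shorter idle timeout so that pool addresses held by idle or departed hosts are returned sooner. The 900-second value is an assumption (the IOS default is 86400 seconds). A deny in a NAT ACL only means "do not translate"; it does not block the packet.

```cisco
! Added example: dynamic NAT that leaves the published server alone and frees
! idle pool addresses sooner.
!
! In a NAT ACL, 'deny' means "do not translate" - the packet is still routed.
! The server already has a static mapping, so keep it out of the dynamic pool.
access-list 1 remark -- dynamic NAT candidates: user LAN minus the published server
access-list 1 deny   host 192.168.10.100
access-list 1 permit 192.168.10.0 0.0.0.255
! Deliberately no 'permit any' at the end: never translate addresses you did not list.
!
! Both pool ends lie in 203.0.113.0/27, so the netmask is /27 (255.255.255.224).
ip nat pool PUBLIC-POOL 203.0.113.10 203.0.113.20 netmask 255.255.255.224
ip nat inside source list 1 pool PUBLIC-POOL
!
! A dynamic (non-port) entry stays in the table for 86400 s (24 h) by default,
! pinning a pool address to a host that may be long gone. 900 s is an assumed value.
ip nat translation timeout 900
!
interface GigabitEthernet0/0/0
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
!
interface Serial0/1/0
 ip address 203.0.113.1 255.255.255.252
 ip nat outside
```

With this in place, the pool line in show ip nat statistics shows how many of the 11 addresses are allocated at any moment, and show ip nat translations verbose shows how long each dynamic entry has left before the timeout returns its address to the pool.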

PAT (NAT Overload)

When to use: this is the MOST COMMON type of NAT. Use it when your ISP gives you only ONE public IP but you have many internal devices. Perfect for home/small office.

Many private IPs share one public IP using different port numbers. The router tracks connections by port number, allowing thousands of devices to share one IP.

Using interface IP address:

Router(config)# access-list 1 permit 192.168.10.0 0.0.0.255
Router(config)# ip nat inside source list 1 interface Serial0/1/0 overload
Router(config)# interface GigabitEthernet0/0/0
Router(config-if)# ip nat inside
Router(config-if)# exit
Router(config)# interface Serial0/1/0
Router(config-if)# ip nat outside

Why an ACL here? Same reason as with dynamic NAT: the ACL selects which inside addresses may be translated. Devices outside the ACL are simply not translated; their packets still leave with a private source address and are normally dropped upstream. So the ACL decides who gets working internet access through this router, but it is not an access-control mechanism by itself.

Parameters:

  • Serial0/1/0 - Replace with your outside interface name. The router will use this interface’s IP address for NAT.

Using a specific public IP:

If you want to specify the exact public IP instead of using the interface’s IP:

Router(config)# access-list 1 permit 192.168.10.0 0.0.0.255
Router(config)# ip nat pool PAT-POOL 203.0.113.5 203.0.113.5 netmask 255.255.255.255
Router(config)# ip nat inside source list 1 pool PAT-POOL overload

Parameters:

  • PAT-POOL - Pool name. Replace with any name.
  • 203.0.113.5 - Public IP address. Replace with your ISP-provided public IP (same IP for start and end creates a single-IP pool).
  • 255.255.255.255 - Netmask for a single IP address.
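Every PAT translation consumes a port on the shared address and a row in the translation table, so a single scanning or infected host can exhaust both for everyone behind the router. As an added example (not from the original page), this is the interface-overload configuration above with the NAT rate-limiting and timeout commands a practitioner would add. The numeric limits are assumptions to size for your platform and user count, and max-entries requires an IOS release that supports NAT rate limiting.

```cisco
! Added example: PAT on the outside interface address, plus limits that stop
! one host from exhausting ports and translation-table entries for everyone.
access-list 1 remark -- only the user LAN is translated
access-list 1 permit 192.168.10.0 0.0.0.255
ip nat inside source list 1 interface Serial0/1/0 overload
!
! NAT rate limiting (platform/IOS dependent). Values are assumptions:
! size the global cap to your platform and the per-host cap to normal usage.
ip nat translation max-entries 5000
ip nat translation max-entries all-host 200
!
! Idle timers. Defaults are 24 h for TCP and 5 min for UDP; shorter values
! return ports from abandoned or scanned-out flows sooner.
ip nat translation tcp-timeout 3600
ip nat translation udp-timeout 120
!
interface GigabitEthernet0/0/0
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
!
interface Serial0/1/0
 ip address 203.0.113.1 255.255.255.252
 ip nat outside
```

A host that hits its per-host cap simply gets no new translations until some of its entries expire, which is usually the first visible symptom of a port scanner or malware on the LAN; show ip nat translations | include <its address> shows what it has open.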

PAT with a Pool

When to use: when you have multiple public IPs and LOTS of users. The router runs PAT across several public IPs, so it can hold more simultaneous connections than a single IP allows (a single address offers at most about 64,000 ports per transport protocol).

Multiple public IPs with port translation - scales better than single IP PAT.

Router(config)# access-list 1 permit 192.168.10.0 0.0.0.255
Router(config)# ip nat pool PAT-POOL 203.0.113.10 203.0.113.20 netmask 255.255.255.224
Router(config)# ip nat inside source list 1 pool PAT-POOL overload
Router(config)# interface GigabitEthernet0/0/0
Router(config-if)# ip nat inside
Router(config-if)# exit
Router(config)# interface Serial0/1/0
Router(config-if)# ip nat outside

Note: This combines the benefits of Dynamic NAT (multiple public IPs) with PAT (port translation). If one public IP’s ports are exhausted, the router moves to the next IP in the pool.

Multiple Inside Interfaces

When to use: when your router connects to multiple internal networks (different VLANs or physical LANs) that all need internet access.

Mark every interface facing an internal network as "inside", and make sure the NAT ACL permits each of those subnets. An interface without ip nat inside is never translated, even if its subnet is listed in the ACL:

Router(config)# interface GigabitEthernet0/0/0
Router(config-if)# ip nat inside
Router(config-if)# exit
Router(config)# interface GigabitEthernet0/0/1
Router(config-if)# ip nat inside
Router(config-if)# exit
Router(config)# interface Serial0/1/0
Router(config-if)# ip nat outside

Parameters:

  • GigabitEthernet0/0/0, GigabitEthernet0/0/1 - Replace with your actual inside interface names.
  • Serial0/1/0 - Replace with your outside interface name.

Clearing Translations

Remove active NAT entries (useful for testing).

Clear all dynamic translations:

Router# clear ip nat translation *

Clear specific translation:

Router# clear ip nat translation inside 203.0.113.5 192.168.10.10

Note the argument order: after the inside keyword IOS expects the global (public) address first, then the local (private) address.

⚠️ Static NAT entries are not removed by clear commands - they persist until the corresponding ip nat inside source static line is removed from the configuration.

Verification

Router# show ip nat translations
Router# show ip nat translations verbose
Router# show ip nat statistics
Router# show running-config | include nat
Router# show access-lists

Typical output:

Router# show ip nat translations
Pro  Inside global        Inside local         Outside local        Outside global
tcp  203.0.113.5:1024     192.168.10.10:1024   8.8.8.8:80           8.8.8.8:80
tcp  203.0.113.5:1025     192.168.10.11:1025   1.1.1.1:443          1.1.1.1:443
---  203.0.113.10         192.168.10.100       ---                  ---

The first two rows are PAT (port-extended) entries tied to a session. The last row is the static mapping: it exists regardless of traffic, so it has no protocol and no outside addresses.

Statistics:

Router# show ip nat statistics
Total active translations: 3 (1 static, 2 dynamic; 2 extended)
Outside interfaces:
  Serial0/1/0
Inside interfaces:
  GigabitEthernet0/0/0
Hits: 1247  Misses: 15

Hits are packets that matched an existing translation; misses are packets that arrived without one and caused the router to try to create an entry.

Troubleshooting

No translations happening?

  • Verify the ACL permits the host's source address (show access-lists shows per-line match counts)
  • Confirm every inside interface has ip nat inside and the outside interface has ip nat outside (show ip nat statistics lists both)
  • Check whether the pool is exhausted: the pool line in show ip nat statistics shows total and allocated addresses and the pool's own misses counter
  • Make sure a static mapping's public address is not also part of a dynamic pool

Clear statistics before testing:

Router# clear ip nat statistics
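An added troubleshooting walk-through (not part of the original page) for the case where a host, here the example PC 192.168.10.10, gets no translation. The commands are standard IOS exec commands; run debug ip nat only briefly on a production router, since it logs every translated packet.

```cisco
! Added example: isolate why 192.168.10.10 is not being translated.
! 1. Reset counters, have the host generate traffic, then look at the summary.
clear ip nat statistics
show ip nat statistics
!    - 'Inside interfaces' must list the interface the host sits behind.
!    - A pool line with every address allocated means the pool is exhausted.
!
! 2. Does the NAT ACL actually match the host's source address?
show access-lists 1
!    No match count on the permit line means the ACL never sees the host.
!
! 3. Is there already an entry for the host, and when does it expire?
show ip nat translations | include 192.168.10.10
show ip nat translations verbose
!
! 4. Watch translations being created (or not) while the host sends traffic.
!    'terminal monitor' shows the output on a vty session; turn debugging off
!    as soon as you have what you need.
terminal monitor
debug ip nat
undebug all
```

Work the steps in order: most "no translation" cases are an interface missing its ip nat inside role (step 1) or an ACL that does not cover the host (step 2), and those are visible without any debugging.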