My Account|View Cart|Wishlist|Checkout|About Us|Contact Us

Main Menu

Static NAT, Dynamic NAT, NAT Overload, PAT & Configurations

 

We will begin by implementing Static NAT.

Static NAT is used to do a one-to-one mapping between an inside address and an outside address. Static NAT also allows connections from an outside host to an inside host. Usually, static NAT is used for servers inside your network. For example, you may have a web server with the inside IP address 192.168.0.10 and you want it to be accessible when a remote host makes a request to 209.165.200.10. For  this to work, you must do a static NAT mapping between those to IPs. In this example, we will use the FastEthernet 0/1 as the inside NAT interface, the interface connecting to our network, and the Serial 0/0/0 interface as the outside NAT interface, the one connecting to our service provider.

Router(config)#ip nat inside source static 192.168.0.10 209.165.200.10
Router(config)#interface FastEthernet 0/1
Router(config-if)#ip nat inside
Router(config-if)#interface Serial 0/0/0
Router(config-if)#ip nat outside

Static NAT provides a permanent mapping between the internal and the public IP address. In our example the private IP address 192.168.0.10 will always correspond to the public IP address 209.165.200.10.

Dynamic NAT is used when you have a “pool” of public IP addresses that you want to assign to your internal hosts dynamically. Don’t use dynamic NAT for servers or other devices that need to be accessible from the Internet.

In this example, we will define our internal network as 192.168.0.0/24. We also have the pool of public IP addresses from 209.165.200.226 to 209.165.200.240 and our assigned netmask is 255.255.255.224. When you configure dynamic NAT, you have to define an ACL to permit only those addresses that are allowed to be translated.

Router(config)#ip nat pool NAT-POOL 209.165.200.226 209.165.200.240 netmask 255.255.255.224
Router(config)#access-list 1 permit 192.168.0.0 0.255.255.255
Router(config)#ip nat inside source list 1 pool NAT-POOL
Router(config)#interface FastEthernet 0/1
Router(config-if)#ip nat inside
Router(config-if)#interface Serial 0/0/0
Router(config-if)#ip nat outside

We used the same interface configuration as from our static NAT example. This configuration allows addresses in the 192.168.0.0/24 to be translated to a public IP address in the 209.165.200.226 – 209.165.200.240 range. When an inside host makes a request to an outside host, the router dynamically assigns an available IP address from the pool for the translation of the private IP address. If there’s no public IP address available, the router rejects new connections until you clear the NAT mappings. However, you have as many public IP addresses as hosts in your network, you won’t encounter this problem.

NAT Overload, sometimes also called PAT, is probably the most used type of NAT. You can configure NAT overload in two ways, depending on how many public IP address you have available.

The first case, and one of the most often seen cases, is that you have only one public IP address allocated by your ISP. In this case, you map all your inside hosts to the available IP address. The configuration is almost the same as for dynamic NAT, but this time you specify the outside interface instead of a NAT pool.

Router(config)#access list 1 permit 192.168.0.0 0.255.255.255
Router(config)#ip nat inside source list 1 interface serial 0/0/0 overload
Router(config)#interface FastEthernet 0/1
Router(config-if)#ip nat inside
Router(config-if)#interface Serial 0/0/0
Router(config-if)#ip nat outside

In this case, the router automatically determines what public IP address to use for the mappings by checking what IP is assigned to the Serial 0/0/0 interface. All the inside addresses are translated to the only public IP address available on your router. Routers are able to recognize the traffic flows by using port numbers, specified by the overload keyword.

The second case is that your ISP gave you more than one public IP addresses, but not enough for a dynamic or static mapping. The configuration is the same as for dynamic NAT, but this time we will add overload for the router to know to use traffic flow identification using port numbers, instead of mapping a private to a public IP address dynamically.

Router(config)#ip nat pool NAT-POOL 209.165.200.226 209.165.200.240 netmask 255.255.255.224
Router(config)#access-list 1 permit 192.168.0.0 0.255.255.255
Router(config)#ip nat inside source list 1 pool NAT-POOL overload
Router(config)#interface FastEthernet 0/1
Router(config-if)#ip nat inside
Router(config-if)#interface Serial 0/0/0
Router(config-if)#ip nat outside

If you feel sometimes works wrong in your configuration, you can always check the NAT translations and statistics with help of the show commands.
Router#show ip nat statistics

 

Total translations: 2 (0 static, 2 dynamic; 0 extended)
Outside interfaces: Serial0
Inside interfaces: Ethernet1
Hits: 135  Misses: 5
Expired translations: 2
Dynamic mappings:
-- Inside Source
access-list 1 pool net-208 refcount 2
pool net-208: netmask 255.255.255.240
start 172.16.233.208 end 172.16.233.221
type generic, total addresses 14, allocated 2 (14%), misses 0

Router#show ip nat translations
Pro Inside global        Inside local       Outside local      Outside global
udp 172.16.233.209:1220  192.168.1.95:1220  172.16.2.132:53   172.16.2.132:53
tcp 172.16.233.209:11012 192.168.1.89:11012 172.16.1.220:23   172.16.1.220:23
tcp 172.16.233.209:1067  192.168.1.95:1067  172.16.1.161:23   172.16.1.161:23

If you have to clear the NAT translation table, you can do it with clear ip nat translation.
Router#clear ip nat translation *
Router#show ip nat translations

Router#
When you begin to troubleshoot, first use the available show commands. If the show commands are not enough, you still have the debug. Careful when you use debug, because debug commands are using a lot of resource and you may end up disconnected from the router and being unable to reconnect.

Router# debug ip nat  
NAT: s=192.168.1.95->172.31.233.209, d=172.31.2.132 [6825]
NAT: s=172.31.2.132, d=172.31.233.209->192.168.1.95 [21852] 
NAT: s=192.168.1.95->172.31.233.209, d=172.31.1.161 [6826] 
NAT*: s=172.31.1.161, d=172.31.233.209->192.168.1.95 [23311] 
NAT*: s=192.168.1.95->172.31.233.209, d=172.31.1.161 [6827] 
NAT*: s=192.168.1.95->172.31.233.209, d=172.31.1.161 [6828] 
NAT*: s=172.31.1.161, d=172.31.233.209->192.168.1.95 [23313] 
NAT*: s=172.31.1.161, d=172.31.233.209->192.168.1.95 [23325]

An asterisk (*) next to NAT indicates that the translations occurs in the fast-switched path. The first packet of a connection is always process-switched, which is slower. The next packets go through the fast-switched path.

s=192.168.1.95->172.31.233.209 indicates that the source (s=) IP address 192.168.1.95 is translated to 172.31.233.209.
d=172.31.2.132 refers to the destination address.

[6825] is the IP identification number, which is useful for debugging and it enables correlation with other protocol analyzers.

This concludes our lesson. The information found here and in the other two articles is everything you need to know for passing the Cisco CCNA exam. You can also use this information for implementing NAT in real-life, in your home network, or at your job.

connect on facebook