CCNP ROUTE 2.0: Network Address Translation (NAT)

NAT Overview

NAT (Network Address Translation) is a technique used to connect multiple private IP addresses to the internet using a limited number of public IP addresses. Private IP address ranges are not routable over the internet, so NAT must be performed to translate the private IP address into a public IP address. There are 3 NAT types:

Static NAT – Maps 1 private IP address to 1 public IP address (one to one). It is primarily used to allow external devices on the internet to connect to internal devices, such as web servers, RAS and mail servers.

Dynamic NAT – Maps a pool of private IP addresses to a pool of public addresses

PAT – Maps multiple private IP addresses to a single public IP address (many to one); this allows multiple devices to share a single IP address when connecting to the internet. PAT ensures each session is unique by modifying the port numbers when performing the translations. Incoming packets are matched against the NAT translation table. PAT is also referred to as overloading and is the most common use of NAT for internet access.


NAT includes four types of addresses:

Inside local address – IP address (private) assigned to a device on the internal network
Inside global address – IP address (public) of an internal device once translated, as it appears to the external network
Outside local address – IP address of an external device as it appears on the internal network
Outside global address – IP address assigned to a device on an external network

Inside "local" and "global" addresses refer to devices within your internal network. Outside "local" and "global" refer to devices on the internet accessing your internal server using the inside global address, which is subsequently translated to the private IP address. The interfaces leading to the internal network must be configured with the command "ip nat inside" and the WAN interface with "ip nat outside".

Configuring Static NAT

Configure the internal interface with an IP address and the "ip nat inside" command

R2 (config)# interface fastethernet 0/0
R2 (config-if)# description "INTERNAL INTERFACE"
R2 (config-if)# ip address 192.168.0.1 255.255.255.0
R2 (config-if)# ip nat inside
R2 (config-if)# exit

Configure the WAN interface with an IP address and the "ip nat outside" command

R2 (config)# interface fastethernet 1/0
R2 (config-if)# description "WAN INTERFACE"
R2 (config-if)# ip address 1.1.1.1 255.255.255.0
R2 (config-if)# ip nat outside
R2 (config-if)# exit

Configure a static one-to-one NAT, mapping the private IP address (inside local) of a device on the internal network, 192.168.0.10, to a public IP address (inside global).

R2 (config)# ip nat inside source static 192.168.0.10 1.1.1.10

To verify the static NAT is working as expected, use the "show ip nat translations" command. The screenshot below shows that the host on the internet, 2.2.2.1, accessed the inside global address 1.1.1.10, which was successfully translated to the inside local (private) IP address 192.168.0.10.


Configuring Dynamic NAT

Use the same internal interface and WAN interface as in the Static NAT example.

Configure an ACL defining the subnet(s) of inside local addresses, and a NAT pool of inside global addresses

R2 (config)# access-list 1 permit 192.168.0.0 0.0.0.255
R2 (config)# ip nat pool NAT_POOL 1.1.1.100 1.1.1.200 netmask 255.255.255.0

Define the pool mapping

R2 (config)# ip nat inside source list 1 pool NAT_POOL

Establish communication from inside to outside and then use the "show ip nat translations" command. This shows the mapping: in the screenshot below the inside local IP address 192.168.0.10 was assigned the inside global IP address 1.1.1.100, which is the first IP address in NAT_POOL.


Configuring PAT

Use the same internal interface and WAN interface as in the Static NAT and Dynamic NAT examples.

Configure an ACL defining the subnet(s) of inside local addresses

R2 (config)# access-list 1 permit 192.168.0.0 0.0.0.255

Configure NAT referencing the previously configured ACL as source list "1", and translate all inside local IP addresses to the address of the outside interface

R2 (config)# ip nat inside source list 1 interface fastethernet 1/0 overload

Verify that all traffic is being translated to the WAN interface IP address using the "show ip nat translations" command.
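The PAT behaviour described above (one public address shared by many inside hosts, port rewriting to keep sessions unique, inbound packets only forwarded when they match a translation-table entry) as an added Python model. This is not code from the original post or from Cisco IOS; the inside subnet, the WAN address 1.1.1.1 and the port allocation policy are assumptions chosen to mirror the sample configuration.

```python
# Added example (not from the original post): a minimal model of the PAT
# (overload) translation table built by
# "ip nat inside source list 1 interface fastethernet 1/0 overload".
# All addresses, ports and the ACL are constructed sample values.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

INSIDE_SUBNET = ip_network("192.168.0.0/24")  # access-list 1 permit 192.168.0.0 0.0.0.255
INSIDE_GLOBAL = "1.1.1.1"                      # address of the WAN (ip nat outside) interface


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class PatTable:
    def __init__(self, inside_global: str = INSIDE_GLOBAL, first_port: int = 1024):
        self.inside_global = inside_global
        self.next_port = first_port
        self.outbound = {}  # (proto, inside local, sport, outside, dport) -> global port
        self.inbound = {}   # (proto, global port, outside, dport) -> (inside local, sport)

    def translate_out(self, f: Flow) -> Optional[Flow]:
        """Inside -> outside: rewrite the source address, and the port if needed."""
        if ip_address(f.src) not in INSIDE_SUBNET:
            return None  # ACL 1 does not match: packet is forwarded untranslated
        key = (f.proto, f.src, f.sport, f.dst, f.dport)
        if key not in self.outbound:
            # Keep the original source port unless another inside host already
            # holds it for the same peer; then allocate the next free port (assumed policy).
            port = f.sport
            while (f.proto, port, f.dst, f.dport) in self.inbound:
                port = self.next_port
                self.next_port += 1
            self.outbound[key] = port
            self.inbound[(f.proto, port, f.dst, f.dport)] = (f.src, f.sport)
        return Flow(f.proto, self.inside_global, self.outbound[key], f.dst, f.dport)

    def translate_in(self, f: Flow) -> Optional[Flow]:
        """Outside -> inside: only packets matching an existing entry get through."""
        entry = self.inbound.get((f.proto, f.dport, f.src, f.sport))
        if entry is None:
            return None  # unsolicited inbound packet: no translation, dropped
        local, lport = entry
        return Flow(f.proto, f.src, f.sport, local, lport)
```

Two inside hosts using the same source port to the same server receive different inside global ports, which is exactly what keeps their rows distinct in "show ip nat translations".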


NAT Virtual Interface

NAT Virtual Interface (NVI) removes the requirement to define an interface as inside or outside. The order of operations on an NVI is different from classic NAT. In classic NAT, traffic is first routed and then translated when going from an inside interface to an outside interface, and the reverse (translated, then routed) from outside to inside. NVI performs routing twice, before and after translation. This additional routing after translation means packets can flow from an inside network to another inside network (in classic NAT terms), which previously would have failed. The new command, configured on both the inside and outside interfaces, is "ip nat enable". NVI can still be used with Static NAT, Dynamic NAT and PAT.

Configure the internal and WAN interfaces with an IP address and the "ip nat enable" command

R2 (config)# interface fastethernet 0/0
R2 (config-if)# ip nat enable
R2 (config-if)# interface fastethernet 1/0
R2 (config-if)# ip nat enable
R2 (config-if)# exit

Use the same ACL configured in the PAT example, defining the local subnet(s) of inside local addresses

R2 (config)# access-list 1 permit 192.168.0.0 0.0.0.255

Configure PAT, translating the inside local addresses matched by ACL 1 to the address of the WAN interface (the command below overloads the interface address; the keyword "inside" is no longer used).

R2 (config)# ip nat source list 1 interface fastethernet 1/0 overload

** Notice the keyword "inside" is not used in the configuration above, unlike the previous PAT configuration.

To view the NVI translations you must use a new command, "show ip nat nvi translations".


** Unfortunately my GNS3 IOS image (7200 router, v15.2(4)) evidently does not support NVI, so the screenshot above is from my actual physical Cisco 1811 router (IOS v12.4(24)T1), hence the different IP addresses.

As NVI no longer uses the terms "inside" and "outside", these have been replaced with "source" and "destination". You will notice in the screenshot the columns Source global, Source local, Destin local and Destin global; what they refer to should be obvious.

