We will begin by implementing Static NAT.
Static NAT is used to do a one-to-one mapping between an inside address and an outside address. Static NAT also allows connections from an outside host to an inside host. Usually, static NAT is used for servers inside your network. For example, you may have a web server with the inside IP address 192.168.0.10 and you want it to be accessible when a remote host makes a request to 209.165.200.10. For this to work, you must do a static NAT mapping between those to IPs. In this example, we will use the FastEthernet 0/1 as the inside NAT interface, the interface connecting to our network, and the Serial 0/0/0 interface as the outside NAT interface, the one connecting to our service provider.
Router(config)#ip nat inside source static 192.168.0.10 209.165.200.10
Router(config)#interface FastEthernet 0/1
Router(config-if)#ip nat inside
Router(config-if)#interface Serial 0/0/0
Router(config-if)#ip nat outside
Static NAT provides a permanent mapping between the internal and the public IP address. In our example the private IP address 192.168.0.10 will always correspond to the public IP address 209.165.200.10.
Dynamic NAT is used when you have a “pool” of public IP addresses that you want to assign to your internal hosts dynamically. Don’t use dynamic NAT for servers or other devices that need to be accessible from the Internet.
In this example, we will define our internal network as 192.168.0.0/24. We also have the pool of public IP addresses from 209.165.200.226 to 209.165.200.240 and our assigned netmask is 255.255.255.224. When you configure dynamic NAT, you have to define an ACL to permit only those addresses that are allowed to be translated.
Router(config)#ip nat pool NAT-POOL 209.165.200.226 209.165.200.240 netmask 255.255.255.224
Router(config)#access-list 1 permit 192.168.0.0 0.255.255.255
Router(config)#ip nat inside source list 1 pool NAT-POOL
Router(config)#interface FastEthernet 0/1
Router(config-if)#ip nat inside
Router(config-if)#interface Serial 0/0/0
Router(config-if)#ip nat outside
We used the same interface configuration as from our static NAT example. This configuration allows addresses in the 192.168.0.0/24 to be translated to a public IP address in the 209.165.200.226 – 209.165.200.240 range. When an inside host makes a request to an outside host, the router dynamically assigns an available IP address from the pool for the translation of the private IP address. If there’s no public IP address available, the router rejects new connections until you clear the NAT mappings. However, you have as many public IP addresses as hosts in your network, you won’t encounter this problem.
NAT Overload, sometimes also called PAT, is probably the most used type of NAT. You can configure NAT overload in two ways, depending on how many public IP address you have available.
The first case, and one of the most often seen cases, is that you have only one public IP address allocated by your ISP. In this case, you map all your inside hosts to the available IP address. The configuration is almost the same as for dynamic NAT, but this time you specify the outside interface instead of a NAT pool.
Router(config)#access list 1 permit 192.168.0.0 0.255.255.255
Router(config)#ip nat inside source list 1 interface serial 0/0/0 overload
Router(config)#interface FastEthernet 0/1
Router(config-if)#ip nat inside
Router(config-if)#interface Serial 0/0/0
Router(config-if)#ip nat outside
In this case, the router automatically determines what public IP address to use for the mappings by checking what IP is assigned to the Serial 0/0/0 interface. All the inside addresses are translated to the only public IP address available on your router. Routers are able to recognize the traffic flows by using port numbers, specified by the overload keyword.
The second case is that your ISP gave you more than one public IP addresses, but not enough for a dynamic or static mapping. The configuration is the same as for dynamic NAT, but this time we will add overload for the router to know to use traffic flow identification using port numbers, instead of mapping a private to a public IP address dynamically.
Router(config)#ip nat pool NAT-POOL 209.165.200.226 209.165.200.240 netmask 255.255.255.224
Router(config)#access-list 1 permit 192.168.0.0 0.255.255.255
Router(config)#ip nat inside source list 1 pool NAT-POOL overload
Router(config)#interface FastEthernet 0/1
Router(config-if)#ip nat inside
Router(config-if)#interface Serial 0/0/0
Router(config-if)#ip nat outside
If you feel sometimes works wrong in your configuration, you can always check the NAT translations and statistics with help of the show commands.
Router#show ip nat statistics
Total translations: 2 (0 static, 2 dynamic; 0 extended)
Outside interfaces: Serial0
Inside interfaces: Ethernet1
Hits: 135 Misses: 5
Expired translations: 2
Dynamic mappings:
— Inside Source
access-list 1 pool net-208 refcount 2
pool net-208: netmask 255.255.255.240
start 172.16.233.208 end 172.16.233.221
type generic, total addresses 14, allocated 2 (14%), misses 0
Router#show ip nat translations
Pro Inside global Inside local Outside local Outside global
udp 172.16.233.209:1220 192.168.1.95:1220 172.16.2.132:53 172.16.2.132:53
tcp 172.16.233.209:11012 192.168.1.89:11012 172.16.1.220:23 172.16.1.220:23
tcp 172.16.233.209:1067 192.168.1.95:1067 172.16.1.161:23 172.16.1.161:23
If you have to clear the NAT translation table, you can do it with clear ip nat translation.
Router#clear ip nat translation *
Router#show ip nat translations
Router#
When you begin to troubleshoot, first use the available show commands. If the show commands are not enough, you still have the debug. Careful when you use debug, because debug commands are using a lot of resource and you may end up disconnected from the router and being unable to reconnect.
Router# debug ip nat
NAT: s=192.168.1.95->172.31.233.209, d=172.31.2.132[6825]NAT: s=172.31.2.132, d=172.31.233.209->192.168.1.95 [21852]NAT: s=192.168.1.95->172.31.233.209, d=172.31.1.161 [6826]NAT*: s=172.31.1.161, d=172.31.233.209->192.168.1.95 [23311]NAT*: s=192.168.1.95->172.31.233.209, d=172.31.1.161 [6827]NAT*: s=192.168.1.95->172.31.233.209, d=172.31.1.161 [6828]NAT*: s=172.31.1.161, d=172.31.233.209->192.168.1.95 [23313]NAT*: s=172.31.1.161, d=172.31.233.209->192.168.1.95 [23325]An asterisk (*) next to NAT indicates that the translations occurs in the fast-switched path. The first packet of a connection is always process-switched, which is slower. The next packets go through the fast-switched path.
s=192.168.1.95->172.31.233.209 indicates that the source (s=) IP address 192.168.1.95 is translated to 172.31.233.209.
[6825] is the IP identification number, which is useful for debugging and it enables correlation with other protocol analyzers.
d=172.31.2.132 refers to the destination address.This concludes our lesson. The information found here and in the other two articles is everything you need to know for passing the Cisco CCNA exam. You can also use this information for implementing NAT in real-life, in your home network, or at your job.