Friday, 06 November 2009

Cisco Network Address Translation Lab

Network Address Translation Lab

Static NAT Configuration



Network Setup for NAT

- Static NAT requires the fewest configuration steps of all the NAT implementations.
Each interface must be identified as either an inside or an outside interface with the ip nat
{inside | outside} interface subcommand, and a static mapping must be configured between each
pair of inside local and inside global addresses. Only packets arriving on an interface marked as
a NAT inside or outside interface are subject to translation.

- Static NAT configuration on NAT:

NAT#conf t
Enter configuration commands, one per line. End with CNTL/Z.
NAT(config)#int e0/0
NAT(config-if)#ip nat inside
NAT(config-if)#int e0/1
NAT(config-if)#ip nat outside
NAT(config-if)#exit
NAT(config)#ip nat inside source static 172.16.1.2 200.1.1.2
NAT(config)#ip nat inside source static 172.16.1.3 200.1.1.3
NAT(config)#^Z
NAT#
NAT#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
--- 200.1.1.2 172.16.1.2 --- ---
--- 200.1.1.3 172.16.1.3 --- ---
NAT#
NAT#sh ip nat statistics
Total active translations: 2 (2 static, 0 dynamic; 0 extended)
Outside interfaces:
Ethernet0/1
Inside interfaces:
Ethernet0/0
Hits: 0 Misses: 0
Expired translations: 0
Dynamic mappings:
NAT#

- Below are the IP NAT debugging messages generated when PC1 (172.16.1.2) telnets to ServerA
(200.1.1.200). The debug ip nat privileged command displays every packet that is translated
by the NAT operation.

NAT#debug ip nat
IP NAT debugging is on
NAT#
00:10:10: NAT: s=172.16.1.2->200.1.1.2, d=200.1.1.200 [0]
00:10:10: NAT: s=200.1.1.200, d=200.1.1.2->172.16.1.2 [0]
00:10:10: NAT*: s=172.16.1.2->200.1.1.2, d=200.1.1.200 [1]
00:10:10: NAT*: s=172.16.1.2->200.1.1.2, d=200.1.1.200 [2]
00:10:10: NAT*: s=172.16.1.2->200.1.1.2, d=200.1.1.200 [3]
00:10:10: NAT*: s=200.1.1.200, d=200.1.1.2->172.16.1.2 [1]
00:10:10: NAT*: s=200.1.1.200, d=200.1.1.2->172.16.1.2 [2]
00:10:10: NAT*: s=200.1.1.200, d=200.1.1.2->172.16.1.2 [3]
NAT#

- Below is the output of the netstat command on ServerA.

C:\>netstat -a

Active Connections

Proto Local Address Foreign Address State
TCP ServerA:telnet 200.1.1.2:1050 ESTABLISHE

- The static mappings are created with the ip nat inside source static {inside-local-addr}
{inside-global-addr} global configuration command. The inside keyword tells NAT to translate
the IP addresses in packets sourced from the inside network and destined to the outside network.
The source keyword tells NAT to translate the source IP address of those packets. The static
keyword indicates a static entry, which is not removed from the NAT table by a timeout
or by the clear ip nat translation * privileged command.

- The show ip nat translations EXEC command displays the active NAT mappings.

- The show ip nat statistics EXEC command displays the counters for translated packets and
NAT table entries, as well as some basic configuration information.

- The ip nat inside source static {tcp | udp} {inside-local-addr} {local-port-num}
{inside-global-addr | interface {inside-global-intf type num}} {global-port-num} global
configuration command is used when outside users need to reach an inside resource,
e.g. an FTP server. This command can seem difficult to understand at first glance.
It works because inside source also translates the destination IP address (and port) of
packets that travel from the outside to the inside network. This is also known as port forwarding.

- inside source translates the source IP addresses of packets traversing from inside to outside,
and the destination IP addresses of packets traversing from outside to inside.

- inside destination translates the destination IP addresses of packets traversing from inside to outside, and the source IP addresses of packets traversing from outside to inside.

- outside source translates the source IP addresses of packets traversing from outside to inside, and the destination IP addresses of packets traversing from inside to outside. It is mostly used when translating overlapping addresses.
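The two directions of inside source translation described above, applied to the lab's two static mappings and then replayed against the debug ip nat lines shown earlier. This is an added Python model written for this page, not Cisco code or the original post's material; the debug-line pattern and the sample lines are constructed from the output above.

```python
import re
from dataclasses import dataclass

# Static mappings from the lab: ip nat inside source static <inside-local> <inside-global>
STATIC_INSIDE_SOURCE = {"172.16.1.2": "200.1.1.2", "172.16.1.3": "200.1.1.3"}

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

def translate(pkt, direction, mappings):
    """Apply 'ip nat inside source' semantics to one packet.
    in2out: rewrite the SOURCE (inside local -> inside global).
    out2in: rewrite the DESTINATION (inside global -> inside local).
    Returns (packet, hit); hit is False when no mapping applied."""
    if direction == "in2out":
        new_src = mappings.get(pkt.src)
        return (Packet(new_src, pkt.dst), True) if new_src else (pkt, False)
    global_to_local = {g: l for l, g in mappings.items()}
    new_dst = global_to_local.get(pkt.dst)
    return (Packet(pkt.src, new_dst), True) if new_dst else (pkt, False)

# Shape of a 'debug ip nat' line (as seen above): s=<before>[-><after>], d=<before>[-><after>] [id]
DEBUG_RE = re.compile(r"NAT\*?: s=(\S+?)(?:->(\S+?))?, d=(\S+?)(?:->(\S+?))? \[\d+\]")

def check_debug_line(line, mappings):
    """Replay a 'debug ip nat' line through translate() and report whether the
    router's rewrite agrees with the configured static table (None: not a NAT line)."""
    m = DEBUG_RE.search(line)
    if m is None:
        return None
    s_before, s_after, d_before, d_after = m.groups()
    if s_after:   # the source was rewritten, so this was an inside-to-outside packet
        out, hit = translate(Packet(s_before, d_before), "in2out", mappings)
        return hit and out.src == s_after
    out, hit = translate(Packet(s_before, d_before), "out2in", mappings)
    return hit and out.dst == d_after

# Constructed sample: the first two debug lines from the lab plus one that disagrees with the config
SAMPLE_DEBUG = [
    "00:10:10: NAT: s=172.16.1.2->200.1.1.2, d=200.1.1.200 [0]",
    "00:10:10: NAT: s=200.1.1.200, d=200.1.1.2->172.16.1.2 [0]",
    "00:10:11: NAT: s=172.16.1.2->200.1.1.9, d=200.1.1.200 [4]",   # not in the static table
]
```

Running check_debug_line over a captured debug log is a cheap way to confirm that every translation the router performed was one an administrator actually configured.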


Dynamic NAT Configuration

- An access list is created to include all the hosts on the inside network that are allowed to use
NAT to communicate with outside network. The ip nat pool {pool-name} {start-ip} {end-ip}
{netmask netmask | prefix-length prefix-length} global configuration command defines the
pool of inside global addresses that can be dynamically allocated for dynamic NAT operation.

- Dynamic NAT configuration on NAT:




- The access list indicates whether the NAT router should translate the source IP address of a packet.
Only packets with source or destination addresses that are permitted (matched) by the access
list are translated. Packets with source or destination addresses that are not matched by
the access list are not translated and are forwarded normally.

- With the ip nat inside source list 1 pool pool01 command configured, packets that traverse
from inside to outside with a source IP address matched by ACL 1 (172.16.1.2, 172.16.1.3)
are translated to an inside global address from the NAT pool pool01 (200.1.1.1, 200.1.1.2).

- The entries in the NAT table will be removed after a period of inactivity (timeout). The clear ip
nat translation * privileged command can be used to forcefully remove all dynamic NAT
entries in the NAT table. The NAT table is stored in memory and is cleared upon router reboot.
Note: Static NAT entries can only be removed with the no form of the static NAT commands in
the global configuration mode.

PAT Configuration

- PAT configuration on NAT:



Alternative configuration:
NAT(config)#ip nat pool pool02 200.1.1.254 200.1.1.254 netmask 255.255.255.252
NAT(config)#ip nat inside source list 1 pool pool02 overload
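The dynamic NAT and PAT behaviour described in the two sections above (ACL match, pool allocation, timeout, clear ip nat translation *, and the overload keyword) as an added Python model written for this page; it is not Cisco code or the original post's material. The ACL is modelled as a list of permitted prefixes, and the starting PAT port (1024) and the 86400-second timeout are assumptions of the model.

```python
from ipaddress import ip_address, ip_network

class NatTable:
    """Model of dynamic NAT: the ACL decides which sources are translated, the pool
    supplies inside global addresses, and with 'overload' (PAT) every flow shares
    one global address but is given its own source port."""

    def __init__(self, acl_permit, pool_start, pool_end, overload=False, timeout=86400):
        self.acl = [ip_network(n) for n in acl_permit]          # permit statements of the ACL
        lo, hi = int(ip_address(pool_start)), int(ip_address(pool_end))
        self.pool = [str(ip_address(i)) for i in range(lo, hi + 1)]
        self.overload, self.timeout = overload, timeout          # timeout in seconds (assumed)
        self.entries = {}   # key -> (inside_global, global_port, last_used)
        self.next_port = 1024                                    # assumed first PAT port

    def permitted(self, src):
        return any(ip_address(src) in net for net in self.acl)

    def translate(self, src, sport, now):
        """Translate one inside->outside packet. Returns (inside_global, global_port),
        or None when the ACL does not match (forwarded untranslated) or the pool is
        exhausted (no address left to allocate)."""
        if not self.permitted(src):
            return None
        key = (src, sport) if self.overload else src   # PAT keys per flow, NAT per host
        if key in self.entries:
            g, gp, _ = self.entries[key]
            self.entries[key] = (g, gp, now)                     # refresh the idle timer
            return g, gp if self.overload else sport
        if self.overload:
            g, gp = self.pool[0], self.next_port
            self.next_port += 1
        else:
            in_use = {e[0] for e in self.entries.values()}
            free = [a for a in self.pool if a not in in_use]
            if not free:
                return None
            g, gp = free[0], None                                # ports untouched without overload
        self.entries[key] = (g, gp, now)
        return g, gp if self.overload else sport

    def expire(self, now):
        """Age out entries idle for longer than the timeout (the router's own housekeeping)."""
        self.entries = {k: v for k, v in self.entries.items() if now - v[2] < self.timeout}

    def clear(self):
        """'clear ip nat translation *': remove every dynamic entry at once."""
        self.entries.clear()
```

With pool01 holding only two addresses, a third permitted host gets no translation until an entry times out or is cleared, which is exactly the situation the overload keyword on pool02 avoids.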