NAT- Network Address Translation


Emad Al-Atoum

Configuring Network Address Translation

There are three main types of NAT that can be configured on a Cisco router. Here’s what they are and how to configure them.

The example configurations will use the following topology:

A. Static NAT

When we configure static NAT, we translate our private IP addresses to a set of public IP addresses on a 1-to-1 basis. This means we need the same number of public IP addresses as private IP addresses that we wish to translate. In this example we will map the inside local address 192.168.1.1 to the inside global address 194.72.164.226.

First we configure the interfaces, marking each one as inside or outside according to our NAT needs. Fa0/0 is the inside (192.168.1.254) and Fa0/1 is the outside (194.72.164.225):

router#conf t
router(config)#int fa0/0
router(config-if)#ip nat inside
router(config-if)#int fa0/1
router(config-if)#ip nat outside

Then we configure the static mappings:

router(config)#ip nat inside source static 192.168.1.1 194.72.164.226

B. Dynamic NAT

Dynamic NAT is similar to static NAT, but it allows a pool of outside IP addresses to be used dynamically. This is good because you don’t have to statically map an inside IP address to an outside IP address, but it is bad because you can only use the number of outside IP addresses that you have been allocated. Once the outside IP addresses are all in use, any additional incoming packets will not be translated. Configuring dynamic NAT is slightly more complicated. Like static NAT, we configure the interfaces first:

router#conf t
router(config)#int fa0/0
router(config-if)#ip nat inside
router(config-if)#int fa0/1
router(config-if)#ip nat outside

Then we configure the pool of outside IP addresses we want to use (we have 14 in our example). This is fairly straightforward: we give the pool a name and assign the IP addresses to the pool, as well as the network mask:

router(config)#ip nat pool myPool 194.72.164.225 194.72.164.239 netmask 255.255.255.240

Then we configure the access list to define which addresses we want to translate:

router(config)#access-list 1 permit 192.168.1.0 0.0.0.255

Finally, we configure NAT, specifying our source list and the pool we want to use dynamically:

router(config)#ip nat inside source list 1 pool myPool

Terms:

Inside Local - The IP address of a host on the inside network (usually a private IP address).

Inside Global - The IP address of the host on the inside network as seen from the outside network (usually a public IP address).

Outside Local - The IP address of the host on the outside network (usually a public IP address).

Outside Global - The IP address of the host on the outside network as seen from the inside network (rarely used).


C. Port Address Translation (NAT Overload)

Port address translation (PAT) is probably the most common type of NAT used. PAT is how most ‘home grade’ routers handle the translation of private IP addresses to the public IP addresses used on the internet. PAT translates many inside local IP addresses to a single inside global IP address (194.72.164.225) by altering the source port of the outbound TCP/UDP segments.

The router keeps a reference to the translations it has made and changes them back to what they were before translation on return from the internet.

Again we configure the interfaces:

router#conf t
router(config)#int fa0/0
router(config-if)#ip nat inside
router(config-if)#int fa0/1
router(config-if)#ip nat outside

Then we configure the access list to define which addresses we want to translate:

router(config)#access-list 1 permit 192.168.1.0 0.0.0.255

Finally, we configure NAT, specifying our source list and the interface on which to overload (PAT):

router(config)#ip nat inside source list 1 interface fa0/1 overload

To see the translations in the table simply issue the following command:

router#show ip nat translations
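
The table that PAT maintains, as described in section C, can be modelled in a few lines of Python. This is an added example, not part of the original document and not Cisco's code; it uses the page's addresses and access list, while the `PatTable` class, the port-selection rule and the sample flows are assumptions made for illustration.

```python
import ipaddress

INSIDE_GLOBAL = "194.72.164.225"                    # fa0/1 address from the page
ACL_NET, ACL_WILDCARD = "192.168.1.0", "0.0.0.255"  # access-list 1 from the page

def acl_permits(src):
    """Wildcard match: bits set in the wildcard are ignored, the rest must be equal."""
    care = ~int(ipaddress.IPv4Address(ACL_WILDCARD)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(src)) & care) == (int(ipaddress.IPv4Address(ACL_NET)) & care)

class PatTable:
    """Simplified model of a PAT table (assumption: not the router's real port logic)."""
    def __init__(self):
        self.out = {}    # (proto, inside local ip, inside local port) -> global port
        self.back = {}   # (proto, global port) -> (inside local ip, inside local port)

    def outbound(self, proto, src_ip, src_port):
        """Translate an inside packet's source; None means the ACL did not match."""
        if not acl_permits(src_ip):
            return None
        key = (proto, src_ip, src_port)
        if key not in self.out:
            port = src_port                      # keep the original port when it is free
            while (proto, port) in self.back:    # otherwise move to the next unused port
                port = port + 1 if port < 65535 else 1024
            self.out[key] = port
            self.back[(proto, port)] = (src_ip, src_port)
        return (INSIDE_GLOBAL, self.out[key])

    def inbound(self, proto, dst_ip, dst_port):
        """Reverse the translation for a returning packet; None if no entry exists."""
        if dst_ip != INSIDE_GLOBAL:
            return None
        return self.back.get((proto, dst_port))

def demo():
    t = PatTable()
    a = t.outbound("tcp", "192.168.1.1", 50000)   # constructed sample flows
    b = t.outbound("tcp", "192.168.1.2", 50000)   # same source port, different host
    c = t.outbound("tcp", "10.0.0.5", 50000)      # not matched by access-list 1
    return a, b, c, t.inbound("tcp", *b), t.inbound("tcp", INSIDE_GLOBAL, 4444)

if __name__ == "__main__":
    print(demo())
```

The last value returned by `demo()` is the case worth noting when reviewing a PAT edge: a packet arriving on a port with no table entry has nothing to be translated back to.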