Network Address Translation (NAT) maps one network address space to another by modify the source and/or destination IP addresses of IP packets as they are forwarded by a router. There are a number of possible use-cases for NAT, but by far the most common is to allow hosts using private IP addresses to send traffic over the Internet. Importantly, NAT can allow multiple hosts to route traffic through a single public-facing IP address. Because of this, it has become a primary method of conserving the global IPv4 address space.
Note
There are several types of NAT, but only source NAT is required by the CCNA Exam Topics (topic 4.1), so that’s all we’ll be covering here for now.
Inside/Outside, Local/Global
When dealing with NAT, there can be up to four addresses to keep track of for any given connection. These are the Cisco-specific terms for each:
- Inside Local: The IP address of the inside host, from the perspective of the local network
- The IP address actually configured on the inside host, usually a private address
- Inside Global: The IP address of the inside host, from the perspective of outside hosts
- The IP address of the inside host after translation, usually a public address
- Outside Local: The IP address of the outside host, from the perspective of the local network
- Outside Global: The IP address of the outside host, from the perspective of the outside network
- This address may or may not be translated
Note
Regarding Inside/Outside Global: Since we are usually only configuring devices on one side of a connection that uses NAT (i.e. we’re only configuring the devices in the local network) we usually only ever see the Outside Global address. With the exception of destination NAT, the Outside Global and Outside Local fields in
show
commands will pretty much always show the same values.
Source NAT
In Source NAT, only the source IP address of packets is translated to the public IP before it is forwarded to the destination.
Static NAT
Static NAT is a type of source NAT. Static NAT is statically configuring private IP addresses to public IP addresses one-to-one.
- An inside local IP address is mapped to an inside global IP address
- Inside Local: The IP address of the inside host, from the perspective of the local network
- The IP address actually configured on the insider host, usually a private address
- Inside Global: The IP address of the inside host, from the perspective of outside hosts
- The IP address of the inside host after NAT, usually a public address
- Inside Local: The IP address of the inside host, from the perspective of the local network
- There’s also outside local and outside global. Not sure where else to put them, so they’ll live here for now.
- Outside Local: The IP address of the outside host, from the perspective of the local network
- Outside Global: The IP address of the outside host, from the perspective of the outside network
Info
Static NAT allows devices with private IP addresses to communicate over the Internet, but since it requires one-to-one IP address mapping (one unique global address for every private address), it does nothing to preserve IPv4 addresses.
Static NAT Configuration
These configurations are needed on a router that borders the external network. It must have at least one internal and one external interface.
(config-if)#ip nat [inside | outside]
- Configure an interface as
inside
oroutside
. Static NAT requires at least one of each. - The inside interface will be connected to devices on the local network, the outside will be connected to an outside network (likely to the Internet).
- Configure an interface as
(config)#ip nat inside source static inside-local-ip inside-global-ip
- Configure a one-to-one mapping for a local address to a global address. Global addresses must be unique.
- You’ll need to run this command for every individual address you want to map.
Dynamic NAT
As you might imagine, one of the main differences between Static NAT and Dynamic NAT is that the latter can automatically assign translations for local IPs to global IPs, where you would have had to manually configure each translation separately in Static NAT. These mappings are made dynamically (as needed), meaning that multiple hosts within a network can use the same public IP to route their traffic, although not all at the same time.
An ACL is used to identify which traffic should be translated.
- If the source IP is permitted, the source IP will be translated.
- If the source IP is denied, the source IP will not be translated and the packet will NOT be dropped.
A NAT pool is used to define the available inside global addresses (public addresses).
Info
Although they are dynamically assigned, the mappings are still one-to-one i.e. although different hosts can use the same address, they can’t use it at the same time. If there aren’t enough inside global IP addresses available it is called ‘NAT pool exhaustion’. If this happens, any additional hosts that need to send traffic with a public IP will need to wait for an inside global address to become available.
Dynamic NAT entries time out automatically if not used, or they can be cleared manually.
NAT Pool Exhaustion
A router will only have a certain number of inside global addresses in its NAT pool that it can use for translations. This limits the number of outgoing transmissions it can make at one time.
Example
Say, for example, a network has 11 hosts with unique inside local IP addresses. It has 10 inside global addresses in its NAT pool to use for translations. Over time, ten of these hosts start transmitting data outside the network, and are each dynamically assigned one of the inside global addresses. Then the 11th host tries to send traffic outside the network. What happens? The router has no inside global addresses to translate to, so it’s forced to drop the packet(s)!
Dynamic NAT Configuration
First you need to define at ‘inside’ and ‘outside’ interfaces (at least one of each)
(config-if)#ip nat [inside | outside]
- Configure an interface as
inside
oroutside
. Dynamic NAT requires at least one of each. - This is the same as with Static NAT
- Configure an interface as
You’ll also need to configure an ACL to permit traffic to be translated. See Configuration for more info on ACLs.
(config)#access-list acl-number permit ip-address wildcard-mask
- Anything addresses not permitted will be denied by default.
Next, define the NAT pool of inside global IP addresses:
(config)#ip nat pool pool-name low-ip high-ip prefix-length length
- You can define a netmask (e.g.
255.255.255.0
instead ofprefix-length 24
)
- You can define a netmask (e.g.
Finally, actually configure the dynamic NAT:
(config)#ip nat inside source list acl-number pool pool-name
- Naturally, use the ACL and Pool you defined in the previous steps.
Port Address Translation (PAT)
AKA NAT Overload
PAT translates both the IP address and the port number if necessary. By using a unique port number for each communication flow, a single public IP address can be used by many different internal hosts.
- As port numbers are 16 bits, there are over 65,000 available port numbers (65,535)
- The router keeps track of which inside local address is using which inside global address and port.
PAT allows many hosts to share a single public IP address making it very useful for conserving the IPv4 address space. Because of this PAT is widely used around the world.
PAT Configuration
There are two ways to configure PAT: Pool and Interface
Pool Configuration
Like with static & dynamic NAT, you’ll need to define an ‘inside’ and ‘outside’ interface on the router:
(config-if)#ip nat [inside | outside]
And like with dynamic NAT, you’ll need an ACL to tell the router which IPs to translate and which to ignore.
(config)#access-list acl-number permit ip-address wildcard-mask
- Check the ACL page if you need a refresher on their configuration. The above is the simplest way to configure one, but you can get more complex.
Make a NAT pool. Unlike with static/dynamic NAT, you shouldn’t need very many public IPs with PAT. Not in any normal network, at least.
(config)#ip nat pool pool-name low-ip high-ip prefix-length length
- In many networks, you can probably get away with a single IP in the pool, but you can specify more if it’s a large network, or if you want to leave room for scalability.
Finally, configure the NAT:
(config)#ip nat inside source list acl pool pool-name overload
overload
designates PAT instead of dynamic NAT
Interface Configuration
This is nearly the same as Pool configuration, except we don’t specify a NAT pool for public IPs; we’ll tell the router to use the public IP configured on its outside interface for translations. This limits us to a single public IP per configured interface, but in most cases that will be enough.
You’ll still need ‘inside’ & ‘outside’ interfaces and an ACL:
(config-if)#ip nat [inside | outside]
(config)#access-list acl-number permit ip-address wildcard-mask
The NAT configuration will look like this:
(config)#ip nat inside source list acl interface interface-id overload
As you can see, this way is a little easier to configure and achieves largely the same results.
Verify NAT Configurations
Use these commands to view/check a device’s current NAT configurations.
show ip nat translations
- Show a list of all address translations the router is currently making. This may be a long list if you’re using static NAT.
show ip nat statistics
- Shows some information about the number and types of translations being made.
Configuration
Cisco IOS
clear ip nat translation *
- Removes all dynamic NAT translations from the translation table
-
(config-if)#ip nat [inside | outside]
- Configure an interface as
inside
oroutside
. Static & Dynamic NAT require at least one of each. - The inside interface will be connected to devices on the local network, the outside will be connected to an outside network (likely to the Internet).
- Configure an interface as