There are three kinds of Network Address Translation protocols:
• Dynamic NAT: private addresses are dynamically linked to public addresses on a one-to-one basis. So the number of concurrent private IPs cannot exceed that of public IPs.
• Static NAT: private addresses are statically linked to public addresses on a one-to-one basis. So the number of private IPs cannot exceed that of public IPs.
• Public Address Translation or PAT: allows many private addresses to share one or a few public addresses by using a distinct port for each.
Dynamic NAT example:
! define "office" pool: first and last PUBLIC IPs plus netmask
R1(config)# ip nat pool office 165.65.65.2 165.65.65.63 netmask 255.255.255.192
! define ACL 1 with PRIVATE network allowed through
R1(config)# access-list 1 permit 192.168.0.0 0.0.0.255
! link the PRIVATE IPs in ACL 1 with the PUBLIC IPs in "office" pool
R1(config)# ip nat inside source list 1 pool office
! PRIVATE IPs are to use this interface
R1(config)# int fa 0/1
R1(config-if)# ip nat inside
R1(config-if)# exit
! PUBLIC IPs are to use this interface
R1(config)# int se 0/1
R1(config-if)# ip nat outside
R1(config-if)# exit
! create static route for PUBLIC IPs to public interface
R1(config)# ip route 165.65.65.0 255.255.255.192 se 0/1
PAT example 1 (same as Dynamic NAT except for "overload" in the "ip nat inside source" command):
! define "office" pool: first and last PUBLIC IPs plus netmask
R1(config)# ip nat pool office 165.65.65.2 165.65.65.63 netmask 255.255.255.192
! define ACL 1 with PRIVATE network allowed through
R1(config)# access-list 1 permit 192.168.0.0 0.0.0.255
! link the PRIVATE IPs in ACL 1 with the PUBLIC IPs in "office" pool
R1(config)# ip nat inside source list 1 pool office overload
! PRIVATE IPs are to use this interface
R1(config)# int fa 0/1
R1(config-if)# ip nat inside
R1(config-if)# exit
! PUBLIC IPs are to use this interface
R1(config)# int se 0/1
R1(config-if)# ip nat outside
R1(config-if)# exit
! create static route for PUBLIC IPs to public interface
R1(config)# ip route 165.65.65.0 255.255.255.192 se 0/1
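The capacity difference between the Dynamic NAT and PAT configurations above, as an added Python example that is not part of the original page: it parses the pool, ACL and rule lines and reports whether a one-to-one pool can run out of public addresses. The config strings are constructed from this page's addressing, and audit_nat and its finding keys are hypothetical names.

```python
import ipaddress
import re

# Constructed sample input: the addressing from the examples on this page,
# written as running-config lines (no router prompt).
DYNAMIC = """\
ip nat pool office 165.65.65.2 165.65.65.63 netmask 255.255.255.192
access-list 1 permit 192.168.0.0 0.0.0.255
ip nat inside source list 1 pool office
"""
# Same configuration with the one-word change that turns it into PAT.
PAT = DYNAMIC.replace("pool office\n", "pool office overload\n")

POOL = re.compile(r"^ip nat pool (\S+) (\S+) (\S+) netmask \S+$", re.M)
ACL = re.compile(r"^access-list (\d+) permit (\S+) (\S+)$", re.M)
RULE = re.compile(r"^ip nat inside source list (\d+) pool (\S+)( overload)?$", re.M)


def audit_nat(config):
    """Return one finding per 'ip nat inside source list' rule (hypothetical helper)."""
    pool_size = {}
    for name, first, last in POOL.findall(config):
        lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
        pool_size[name] = int(hi) - int(lo) + 1
    acl_addrs = {}
    for num, _net, wildcard in ACL.findall(config):
        # Each 1-bit in a wildcard mask is a "don't care" bit, so a permit
        # line matches 2**(number of 1-bits) addresses. Assumption: permit
        # lines of one ACL do not overlap, so their counts can be summed.
        bits = bin(int(ipaddress.IPv4Address(wildcard))).count("1")
        acl_addrs[num] = acl_addrs.get(num, 0) + 2 ** bits
    findings = []
    for num, pool, overload in RULE.findall(config):
        public, private = pool_size.get(pool, 0), acl_addrs.get(num, 0)
        findings.append({
            "acl": num, "pool": pool,
            "public": public, "private": private,
            "overload": bool(overload),
            # One-to-one mapping runs dry once every pool address is in use.
            "can_exhaust": not overload and private > public,
        })
    return findings


if __name__ == "__main__":
    for label, cfg in (("dynamic NAT", DYNAMIC), ("PAT", PAT)):
        for finding in audit_nat(cfg):
            print(label, finding)
```

With the page's addressing, the dynamic rule has 62 public addresses for an ACL that matches 256 private addresses, so the 63rd concurrent inside host finds the pool empty; the overload rule is not flagged.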
PAT example 2:
! define "office" pool: first and last PUBLIC IPs plus netmask
! (the interface-overload rule below does not reference this pool)
R1(config)# ip nat pool office 165.65.65.2 165.65.65.63 netmask 255.255.255.192
! define ACL 1 with PRIVATE network allowed through
R1(config)# access-list 1 permit 192.168.0.0 0.0.0.255
! PRIVATE IPs in ACL 1 are to use the address of interface serial 0/1
R1(config)# ip nat inside source list 1 int se 0/1 overload
! PRIVATE IPs are to use this interface
R1(config)# int fa 0/1
R1(config-if)# ip nat inside
R1(config-if)# exit
! PUBLIC IPs are to use this interface
R1(config)# int se 0/1
R1(config-if)# ip nat outside
R1(config-if)# exit
! create static route for PUBLIC IPs to public interface
R1(config)# ip route 165.65.65.0 255.255.255.192 se 0/1
Static NAT example:
! statically map PRIVATE to PUBLIC address
R1(config)# ip nat inside source static 172.16.1.2 80.54.54.2
R1(config)# ip nat inside source static 172.16.1.3 80.54.54.3
R1(config)# ip nat inside source static 172.16.1.4 80.54.54.4
! PRIVATE IPs are to use this interface
R1(config)# int fa 0/1
R1(config-if)# ip nat inside
R1(config-if)# exit
! PUBLIC IPs are to use this interface
R1(config)# int se 0/1
R1(config-if)# ip nat outside
R1(config-if)# exit
! create static route for PUBLIC IPs to public interface
R1(config)# ip route 80.54.54.0 255.255.255.224 se 0/1
To check NAT configuration we can use:
R1# show access-list
R1# show ip nat translations
R1# show ip nat statistics
To delete some Static NAT translations:
R1# clear ip nat translation inside 80.54.54.2 172.16.1.2
R1# clear ip nat translation inside 80.54.54.3 172.16.1.3
To clear all translations:
R1# clear ip nat translation *
To debug NAT: