Your Ultimate NAT Configuration Guide for Cisco IOS – Pt. 2

Internet Protocol Version 4 (IPv4) uses a 32-bit address space, which allows for a limit of 4,294,967,296 addresses. However, the initial design of IPv4 did not factor in the rapid growth of the internet. Because of the scarcity of IPv4 addresses, many organizations implemented NAT to map multiple private IPv4 addresses to a single public IPv4 address.

It is time to dive into more detail on how NAT can be implemented. Part 1 of this series provided an overview of Network Address Translation (NAT), its benefits, and the available types. In Part 2, we will provide an overview of the three types of NAT and how to configure each one.  

Depending on whether only IP addresses are translated or IP addresses and port numbers, as well as the translation mechanism used, there are three types of NAT that you can implement: Static NAT, Dynamic NAT, and Port Address Translation (PAT).

Not the configuration guide you're looking for? View some of our others:

• Configuration Guide: Routing Between VLANs
• A Quick Guide to EIGRP Configuration with Stub Routing
• Configuration Guide: STP Extension in Cisco NX-OS

Static NAT Overview

Static NAT is a one-to-one mapping between an inside local address and an inside global address, without any port numbers being translated. In other words, each private IP address used on the internal devices will get translated into a public IP address when they need to send packets to the internet. Once the static mappings are defined, they stay inside the NAT table until they are manually removed because there is no timeout period for them.

In addition, besides configuring static mappings for IP addresses, it is also possible with Static NAT to translate TCP and UDP ports. This process is called port forwarding, and allows original ports, identifying the services and applications, to be translated into different ports. An example would be a web server using TCP port 80 locally inside the network to be accessed from the internet on TCP port 8080.

Best Use Case for Static NAT

Static NAT is best suited when a device must always be accessible from an external network such as the internet. As you can see from the image above, the most common use case is when a company has a web server locally hosted that should always be reachable from the internet.

However, remember that Static NAT requires a unique public IP address for each device that should get internet access. That’s why it is not the best translation choice for endpoints (users) but only for servers.

Explore your options here at PivIT. Click below to learn more about the router solutions we can bring to your network, whether it be the hardware itself, maintenance, or the field services you need to get online.

Static NAT Configuration Example

Let’s use the image above as a use case to configure Static NAT. The commands are as follows:

First, you need to create the static mapping for the IP address of the web server and then enable NAT on both interfaces, Fa0/1, and Fa0/2, where NAT is used. To verify the Static NAT configuration, you can use the “show ip nat translation” command:

Dynamic NAT Overview

Like Static NAT, Dynamic NAT works similarly. However, there are a few key differences between them. First, instead of defining a permanent mapping for a single IP address that needs to be translated, Dynamic NAT maps multiple private to multiple public addresses or, in other words, it performs a many-to-many translation.

As part of PivIT's EXTEND, we offer a secure, isolated, and remote environment to pre-configure your network, compute, and storage hardware prior to deployment to your locations around the world using our out-of-band (OOB) management platform. Find out more about how our Remote Staging Environment works.

How Dynamic NAT Differentiates From Static NAT

A pool of global IPv4 addresses is created. When devices need to access an outside network such as the internet, they are assigned an IP address from the pool available at the moment of translation. During translations, the IP addresses are assigned in a first-come-first-served manner.

Another difference with Static NAT is that an access list must be implemented with Dynamic NAT. The purpose of the Access Control List (ACL) is to define which IP addresses are permitted for NAT translation.

Best Use Case for Dynamic NAT

Keep in mind that with Dynamic NAT, the number of public IP addresses is the same as the number of devices that need to go to the internet, so the pool size should be sufficient to satisfy the translation requirements. Therefore, Dynamic NAT is not an appropriate choice for translating endpoints (users).

It is best suited for situations where two companies merge and have an IP address overlap. This way, instead of complete readdressing of the whole network, Dynamic NAT can translate the IP addresses of the packets when sent from one network to another.

Dynamic NAT Configuration Example

Let’s use the image above as a use case to configure Dynamic NAT. The goal is for the private IP addresses of the two computers inside the network to be translated into public IP addresses so they can access the internet. The commands are as follows:

The configuration consists of an ACL for permitting a set of IP addresses to be translated, a pool containing the IP addresses into which translations will occur, and the command “merging” these two commands. The last few commands enable NAT on the desired interfaces.

You need to use the same “show ip nat translation” command as in the previous example to verify the Dynamic NAT configuration.

PAT Overview

PAT is the most commonly implemented type of NAT and works differently than Static and Dynamic NAT. The unique feature of PAT is the support for translating many inside local addresses into one inside global IP address or performing a many-to-one translation.

In other words, many inside network devices that use private IPv4 addresses can access the internet simply by sharing a single public IPv4 address. This process is possible because not just the IP addresses are translated but also the source ports.

By default, the same port number is used during the NAT translation unless it is already occupied, so the next available one is assigned for the NAT session. Keep in mind that the key part of PAT is the translation of the ports. Since each internal device uses the same public IP address, the ports differentiate between the translations (NAT sessions) inside the NAT table.

PAT is also known as NAT overloading. The reason for that term is that one global IPv4 address gets overloaded until all available ports are exhausted. Theoretically, you can translate as many as 65535 IP addresses into one. However, this number is lower because not all ports can be used as source ports by the network devices.

As a result of this translation approach, PAT is very efficient and can accommodate many outbound connections to the internet by using just a single public IPv4 address.

Best Use Case for PAT

PAT is the most suitable form of NAT for providing internet access in networks with more than one endpoint. Such situations would be an enterprise network, where the number of employees is in the hundreds if not in the thousands, or a home network where you need internet access for several computers, smartphones, or tablets, or internet cafes and similar places.

Because just a single public IPv4 address is enough when using PAT, this solution is also the cheapest. However, if one IP address is not enough for the total number of devices in the network, you will need a second one.

PAT Configuration Example

Let’s use the image above as a use case to configure PAT. The goal is to provide access to the internet for each device in the network by using just a single public IPv4 address. Usually, this is the IP address on the exit interface, either statically configured or dynamically assigned by DHCP.

As shown in the commands above, the configuration requires an ACL that defines which IP addresses are allowed to get translated into the IP address used on the interface FastEthernet0/2. Besides this, NAT should be enabled in the appropriate direction on the router interfaces.

Because PAT performs dynamic translations, the NAT table contains translation details only when traffic passes through the NAT-enabled interfaces, which can be checked using the “show ip nat translation” command.

Now that you are familiar with the three types of NAT, the benefits they bring to the table, and how to configure them, you can easily implement one or another NAT type in your network based on your requirements and provide internet access to internal users.

Are you currently stuck with 90-120+ day lead times? Click below to cut your lead times down to a fraction of what they are, and get pricing in as little as 24 hours!