Friday, May 18, 2012

Network Address Translation (NAT)

Network address translation (NAT) rewrites the addresses of a set of private hosts into another address or set of addresses, normally publicly routable ones. This comes in handy when there aren't enough public IPv4 addresses to support a large network, or when switching internet service providers without renumbering the inside hosts. NAT hides the inside addressing from the outside, but it is not a firewall; the translation table it keeps is also what ties an outside-visible address and port back to the inside host. Cisco IOS supports three types of NAT: static, dynamic and overload (PAT).

Static- one-to-one mapping of a private address to a public address, configured by hand
Dynamic- many-to-many mapping of private addresses to a pool of public addresses, one pool address per active inside host
PAT (overload)- many-to-one mapping of a group of private addresses to a single public address, with port numbers telling the hosts apart

NAT terms describe an address by where the host sits (inside or outside the NAT boundary) and from whose point of view it is seen (local, as seen from the inside network, or global, as seen from the outside):

Inside local- the inside host's address as seen from the inside network, i.e. the private address before translation
Inside global- the inside host's address as seen from the outside, i.e. the translated (public) address
Outside local- the outside host's address as seen from the inside network (identical to its global address unless outside destination translation is configured)
Outside global- the outside host's real address as seen from the outside
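To make the difference between the three modes concrete, here is a toy model of the allocation logic each one uses: which inside-global address, and which port, an inside host is given. This is an added example, not code from the original post or from Cisco IOS. The class and method names, the access-list stand-in, the 1024-65535 fallback port range and the "first address in the pool" choice for PAT are assumptions made for illustration; real IOS tracks far more per entry and also ages entries out.

```python
"""Toy model of Cisco's three inside-source NAT modes: static, dynamic and PAT.

Added example, not code from the original post or from Cisco. It models only
the allocation logic (which inside-global address and port an inside host gets);
the class and method names, the 1024-65535 fallback port range and the
"first address in the pool" choice for PAT are assumptions made for illustration.
"""
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

Endpoint = Tuple[str, int]  # (address, TCP/UDP port or ICMP identifier)


class NatRouter:
    def __init__(self, mode: str, pool: List[str], permitted: str = "10.1.1.0/24") -> None:
        if mode not in ("static", "dynamic", "pat"):
            raise ValueError("mode must be 'static', 'dynamic' or 'pat'")
        if mode != "static" and not pool:
            raise ValueError("dynamic NAT and PAT need an address pool")
        self.mode = mode
        self.permitted = ipaddress.ip_network(permitted)   # stands in for access-list 10
        self.pool = list(pool)                              # ip nat pool Ant <start> <end>
        self.free_pool = list(pool)                         # pool addresses not yet allocated
        self.static: Dict[str, str] = {}                    # ip nat inside source static
        self.one_to_one: Dict[str, str] = {}                # dynamic: inside local -> inside global
        self.ports_in_use: Dict[str, Set[int]] = {a: set() for a in pool}  # PAT, per global address
        self.pat: Dict[Endpoint, Endpoint] = {}             # PAT: inside local endpoint -> inside global endpoint
        self.misses = 0                                     # packets that could not be translated

    @staticmethod
    def expand(start: str, end: str) -> List[str]:
        """Expand 'ip nat pool' start/end addresses into the list of pool addresses."""
        first, last = int(ipaddress.ip_address(start)), int(ipaddress.ip_address(end))
        return [str(ipaddress.ip_address(i)) for i in range(first, last + 1)]

    def add_static(self, inside_local: str, inside_global: str) -> None:
        self.static[inside_local] = inside_global

    def translate(self, inside_local: str, port: int) -> Optional[Endpoint]:
        """Return the inside-global endpoint for an inside-local endpoint, or None if none can be made."""
        if inside_local in self.static:                      # static entries always apply
            return (self.static[inside_local], port)
        if self.mode == "static" or ipaddress.ip_address(inside_local) not in self.permitted:
            self.misses += 1                                 # not in the access-list: no translation
            return None
        if self.mode == "dynamic":                           # one pool address per inside host
            if inside_local not in self.one_to_one:
                if not self.free_pool:                       # pool exhausted: extra hosts get nothing
                    self.misses += 1
                    return None
                self.one_to_one[inside_local] = self.free_pool.pop(0)
            return (self.one_to_one[inside_local], port)
        # PAT/overload: every host shares the pool's first address; the port keeps them apart.
        key = (inside_local, port)
        if key not in self.pat:
            global_ip = self.pool[0]
            used = self.ports_in_use[global_ip]
            chosen = port if port not in used else next((p for p in range(1024, 65536) if p not in used), None)
            if chosen is None:                               # all ports on this address are taken
                self.misses += 1
                return None
            used.add(chosen)
            self.pat[key] = (global_ip, chosen)
        return self.pat[key]


def demo_static() -> Tuple[Optional[Endpoint], Optional[Endpoint]]:
    """Static: only the host with an explicit mapping is translated."""
    r = NatRouter("static", [])
    r.add_static("10.1.1.2", "172.16.1.1")
    return (r.translate("10.1.1.2", 8), r.translate("10.1.1.3", 8))


def demo_dynamic() -> Tuple[Optional[Endpoint], Optional[Endpoint], Optional[Endpoint]]:
    """Dynamic with a two-address pool: the third host cannot be translated."""
    r = NatRouter("dynamic", NatRouter.expand("172.16.1.1", "172.16.1.2"))
    return (r.translate("10.1.1.2", 7), r.translate("10.1.1.3", 7), r.translate("10.1.1.4", 7))


def demo_pat() -> Tuple[Optional[Endpoint], Optional[Endpoint], Optional[Endpoint]]:
    """PAT with a single address: ports are kept when free, rewritten when they collide."""
    r = NatRouter("pat", ["172.16.1.1"])
    return (r.translate("10.1.1.2", 15), r.translate("10.1.1.3", 20), r.translate("10.1.1.4", 15))


if __name__ == "__main__":
    print("static :", demo_static())
    print("dynamic:", demo_dynamic())
    print("pat    :", demo_pat())
```

The dynamic demo is the case to watch in production: with a pool smaller than the number of active inside hosts, the extra hosts simply get no translation until an earlier entry ages out. The PAT demo shows why a single address is enough in practice, and also why the port column in the translation table is what identifies the inside host.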




Router(config)#ip nat inside source static 10.1.1.2 172.16.1.1
Router(config)#int fastEthernet 0/0
Router(config-if)#ip nat outside
Router(config-if)#int fastEthernet 0/1
Router(config-if)#ip nat inside




Verifying NAT translations with show ip nat translations

Inside global = 172.16.1.1, the address after translation (in this lab a 172.16.x.x address stands in for the public one)
Inside local = 10.1.1.2, the private address before translation



Router#show ip nat translations 
Pro  Inside global     Inside local       Outside local      Outside global
icmp 172.16.1.1:8      10.1.1.2:8         192.168.10.2:8     192.168.10.2:8
icmp 172.16.1.1:9      10.1.1.2:9         192.168.10.2:9     192.168.10.2:9


If I wanted the entire 10.1.1.0 network translated into the 172.16.1.0 network, dynamic NAT is the way to go. Dynamic NAT translates addresses one-to-one out of a pool: each inside host is allocated one pool address for as long as its translation lives, so a pool smaller than the number of active hosts leaves the extra hosts untranslated. An access list is used in dynamic NAT to specify the range of hosts that need translation.

Router(config)#access-list 10 permit 10.1.1.0 0.0.0.255
Router(config)#ip nat pool Ant 172.16.1.1 172.16.1.254 netmask 255.255.255.0

Router(config)#ip nat inside source list 10 pool Ant
Router(config)#int fastethernet 0/0
Router(config-if)#ip nat inside
Router(config-if)#int fastethernet 0/1
Router(config-if)#ip nat outside


Below I can see that each client in the 10.1.1.0 network was translated to a different NAT address in the 172.16.1.0 network.


Router#show ip nat translations
Pro  Inside global     Inside local       Outside local      Outside global
icmp 172.16.1.1:7      10.1.1.2:7         192.168.10.2:7     192.168.10.2:7
icmp 172.16.1.2:7      10.1.1.3:7         192.168.10.2:7



If I had more private IP addresses that needed translating than I had public addresses, I would use NAT overload, or PAT. PAT is set up very similarly to dynamic NAT, with one extra keyword, overload, on the ip nat inside source command. Note that the pool below shrinks to a single address (172.16.1.1 to 172.16.1.1) and is still enough.


Router(config)#access-list 10 permit 10.1.1.0 0.0.0.255
Router(config)#ip nat pool Ant 172.16.1.1 172.16.1.1 netmask 255.255.255.0

Router(config)#ip nat inside source list 10 pool Ant overload
Router(config)#int fastethernet 0/0
Router(config-if)#ip nat inside
Router(config-if)#int fastethernet 0/1
Router(config-if)#ip nat outside



Below I can see that both clients are using 172.16.1.1 but on different port numbers (for ICMP the port column holds the ICMP identifier). The outside local and outside global columns are identical because no outside translation is configured.


Router#show ip nat translations 
Pro  Inside global     Inside local       Outside local      Outside global
icmp 172.16.1.1:15     10.1.1.2:15        192.168.10.2:15    192.168.10.2:15
icmp 172.16.1.1:20     10.1.1.3:20        192.168.10.2:20    192.168.10.2:20
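The three translation tables above (static, dynamic and PAT) differ only in how inside-global addresses are shared, which is something a script can check, and in an incident the same table is what answers "which inside host was behind 172.16.1.1:20". Here is an added example, not code from the original post, that parses the output of show ip nat translations and does both. The sample tables are copied from the post's own output above (the truncated second dynamic row is kept as it appears and padded on parsing); the idle static row written as "--- 172.16.1.1 10.1.1.2 --- ---" is constructed here in the format IOS uses for a static entry with no active session. The function names are this example's own.

```python
"""Parse 'show ip nat translations' output and answer two questions about it:
is the router doing one-to-one NAT or overload (PAT), and which inside host
was behind a given inside-global address and port.

Added example, not code from the original post. The three sample tables are
copied from the post's own output; the idle static row '--- 172.16.1.1 10.1.1.2
--- ---' is constructed in the format IOS uses for a static entry with no
active session. Function names are this example's own.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Set, Tuple

Endpoint = Tuple[str, Optional[int]]  # (address, port or ICMP identifier; None when absent)


class Translation(NamedTuple):
    proto: str
    inside_global: Endpoint
    inside_local: Endpoint
    outside_local: Optional[Endpoint]
    outside_global: Optional[Endpoint]


SAMPLE_STATIC = """\
Pro  Inside global     Inside local       Outside local      Outside global
icmp 172.16.1.1:8      10.1.1.2:8         192.168.10.2:8     192.168.10.2:8
icmp 172.16.1.1:9      10.1.1.2:9         192.168.10.2:9     192.168.10.2:9
---  172.16.1.1        10.1.1.2           ---                ---
"""

SAMPLE_DYNAMIC = """\
Pro  Inside global     Inside local       Outside local      Outside global
icmp 172.16.1.1:7      10.1.1.2:7         192.168.10.2:7     192.168.10.2:7
icmp 172.16.1.2:7      10.1.1.3:7         192.168.10.2:7
"""

SAMPLE_PAT = """\
Pro  Inside global     Inside local       Outside local      Outside global
icmp 172.16.1.1:15     10.1.1.2:15        192.168.10.2:15    192.168.10.2:15
icmp 172.16.1.1:20     10.1.1.3:20        192.168.10.2:20    192.168.10.2:20
"""


def _endpoint(token: str) -> Optional[Endpoint]:
    """'172.16.1.1:15' -> ('172.16.1.1', 15); '172.16.1.1' -> ('172.16.1.1', None); '---' -> None."""
    if token == "---":
        return None
    host, sep, port = token.rpartition(":")
    return (host, int(port)) if sep else (token, None)


def parse_translations(text: str) -> List[Translation]:
    """Turn the five columns of 'show ip nat translations' into Translation rows."""
    rows: List[Translation] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] == "Pro":
            continue                                   # blank line or column header
        fields += ["---"] * (5 - len(fields))          # pad a truncated row
        proto, ig, il, ol, og = fields[:5]
        rows.append(Translation(proto, _endpoint(ig), _endpoint(il), _endpoint(ol), _endpoint(og)))
    return rows


def locals_per_global(rows: List[Translation]) -> Dict[str, Set[str]]:
    """Which inside-local addresses sit behind each inside-global address."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for r in rows:
        seen[r.inside_global[0]].add(r.inside_local[0])
    return dict(seen)


def classify(rows: List[Translation]) -> str:
    """'overload' when one global address fronts several inside hosts, otherwise 'one-to-one'."""
    return "overload" if any(len(v) > 1 for v in locals_per_global(rows).values()) else "one-to-one"


def who_was(rows: List[Translation], global_ip: str, port: int) -> Optional[str]:
    """Incident-response lookup: the inside host that was using global_ip:port, if still in the table."""
    for r in rows:
        if r.inside_global == (global_ip, port):
            return r.inside_local[0]
    return None


if __name__ == "__main__":
    for name, text in (("static", SAMPLE_STATIC), ("dynamic", SAMPLE_DYNAMIC), ("pat", SAMPLE_PAT)):
        rows = parse_translations(text)
        print(f"{name}: {classify(rows)} {locals_per_global(rows)}")
    print("behind 172.16.1.1:20 ->", who_was(parse_translations(SAMPLE_PAT), "172.16.1.1", 20))
```

The static and dynamic tables cannot be told apart from the shared-address test alone, since both are one-to-one; the idle "---" row is the tell for a static entry. The lookup only works while the entry is still in the table, and entries expire, so for incident response the translations need to be logged to syslog as they are created rather than read back from a later snapshot.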


Router#show ip nat statistics 
Total translations: 0 (0 static, 0 dynamic, 0 extended)
Outside Interfaces: FastEthernet0/1
Inside Interfaces: FastEthernet0/0.10
Hits: 15  Misses: 38
Expired translations: 9
Dynamic mappings:
-- Inside Source
access-list 10 pool Ant refCount 0
 pool Ant: netmask 255.255.255.0
       start 172.16.1.1 end 172.16.1.1
       type generic, total addresses 1 , allocated 0 (0%), misses 0

By the time the statistics were taken the ICMP translations had already timed out, which is why Total translations is 0 while Expired translations is 9. Hits counts packets that matched an existing translation entry and Misses counts packets that needed a new entry created, so a high miss count on a busy router is normal; it is translations that fail to be created (the pool exhausted, or the host not matched by the access list) that show up as traffic silently going untranslated.