Mastering NAT: From Basics to Advanced Configurations
This article explains the fundamentals of IP addressing, the role of NAT, static and dynamic NAT, NAPT, Easy IP, NAT Server, and NAT ALG, and provides step‑by‑step lab exercises with configuration commands and packet‑capture verification for network engineers.
Introduction to NAT
IP addresses are divided into public addresses, allocated globally by IANA for Internet connectivity, and private addresses, which can be freely assigned within internal networks. The rapid growth of Internet users led to the exhaustion of IPv4 public addresses on 25 Nov 2019, prompting the use of Network Address Translation (NAT) to extend IPv4 address availability.
NAT converts private addresses to public ones, allowing internal hosts to access the Internet using a limited pool of public addresses. However, NAT is a transitional solution; the long‑term fix is the adoption of IPv6, which offers an effectively unlimited address space.
NAT Technology
Three private address ranges are reserved for internal use, while the remaining address space is managed as public addresses by IANA.
Typical NAT deployment splits the network into a private side (using private address space such as 10.0.0.0/24) and a public side (using public addresses). A NAT device—usually a router or firewall—performs address conversion at the network boundary.
Basic NAT
Basic NAT operates at the IP layer and includes two modes:
Static NAT: a one‑to‑one mapping between a public IP and a private IP, maintained in a static translation table.
Dynamic NAT: a many‑to‑one mapping where a pool of public IPs is allocated to private hosts as needed, recorded in a dynamic translation table.
Dynamic NAT Example
Host A (10.0.0.1) sends a packet to Server (61.144.249.229) via router RT. The source address is 10.0.0.1, destination 61.144.249.229.
RT receives the packet, looks up its routing table, and because the egress interface has NAT enabled, it selects the first available public address (219.134.180.11) from the pool and replaces the source address.
RT adds a translation entry mapping 10.0.0.1 to 219.134.180.11 and forwards the packet to the server.
The server replies to 219.134.180.11; RT translates the destination back to 10.0.0.1 and delivers the packet to Host A.
If another host B also accesses the server, RT assigns a different public address (e.g., 219.134.180.12) and creates a corresponding mapping.
NAPT (Network Address Port Translation)
NAPT extends NAT by translating not only the IP address but also the transport‑layer port number, greatly improving public IP utilization. A typical NAPT example mirrors the dynamic NAT flow but also maps source ports (e.g., 10.0.0.1:1024 → 219.134.180.11:2001).
Easy IP
Easy IP, also known as interface‑based address translation, works like NAPT but uses the actual public interface IP as the translated source address, making it suitable for dial‑up connections where the public IP is assigned dynamically.
NAT Server
NAT Server provides static mapping of internal services to public addresses, enabling external users to reach internal servers (e.g., mapping 10.0.0.1:8080 to 219.134.180.11:80 for web access).
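The NAPT flow and the NAT Server mapping described above can be modelled as a small translation table. This is an added example, not code from the original article or from any router vendor. The class and method names, Host B's address 10.0.0.2, the outside address 198.51.100.7, in-order port allocation from 2001, and matching replies against the remote peer are assumptions made for illustration.

```python
from itertools import count

class NaptGateway:
    """Toy NAPT device with one public address (constructed for illustration)."""

    def __init__(self, public_ip, first_port=2001):
        self.public_ip = public_ip
        self._next_port = count(first_port)  # assumption: ports handed out in order
        self.sessions = {}  # (proto, public_port) -> (priv_ip, priv_port, peer_ip, peer_port)
        self.by_flow = {}   # (proto, priv_ip, priv_port, peer_ip, peer_port) -> public_port
        self.servers = {}   # NAT Server: (proto, public_port) -> (priv_ip, priv_port)

    def add_server(self, public_port, priv_ip, priv_port, proto="tcp"):
        """Static mapping that lets outside hosts open connections inward."""
        self.servers[(proto, public_port)] = (priv_ip, priv_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port, proto="tcp"):
        """Translate a packet leaving the private side; returns (src_ip, src_port)."""
        flow = (proto, src_ip, src_port, dst_ip, dst_port)
        if flow not in self.by_flow:
            port = next(self._next_port)
            while (proto, port) in self.servers:  # skip ports published by NAT Server
                port = next(self._next_port)
            self.by_flow[flow] = port
            self.sessions[(proto, port)] = (src_ip, src_port, dst_ip, dst_port)
        return self.public_ip, self.by_flow[flow]

    def inbound(self, src_ip, src_port, dst_port, proto="tcp"):
        """Translate a packet arriving on the public side; None means dropped."""
        session = self.sessions.get((proto, dst_port))
        if session and session[2:] == (src_ip, src_port):
            return session[:2]                      # reply to a known flow
        return self.servers.get((proto, dst_port))  # static mapping, else None


def demo():
    rt = NaptGateway("219.134.180.11")
    rt.add_server(80, "10.0.0.1", 8080)  # NAT Server mapping from the text
    return {
        "host_a": rt.outbound("10.0.0.1", 1024, "61.144.249.229", 80),
        "host_b": rt.outbound("10.0.0.2", 1024, "61.144.249.229", 80),
        "reply": rt.inbound("61.144.249.229", 80, 2001),      # server answers Host A
        "other_peer": rt.inbound("198.51.100.7", 80, 2001),   # wrong remote endpoint
        "unsolicited": rt.inbound("198.51.100.7", 40000, 3000),  # no mapping at all
        "web": rt.inbound("198.51.100.7", 40000, 80),         # allowed by NAT Server
    }

if __name__ == "__main__":
    print(demo())
```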
NAT ALG (Application Layer Gateway)
ALG inspects application‑layer protocols (FTP, DNS, SIP, H.323) and rewrites embedded IP/port information during NAT translation. An FTP active‑mode example shows how ALG creates additional mappings for the data channel.
NAT Lab Exercises
Basic NAT Lab
Topology: PC ↔ RT ↔ ISP.
Configure interfaces according to the IP address table.
On RT, configure static NAT with nat static global <global‑address> inside <host‑address>.
Verify connectivity from the PC and capture packets on RT’s internal and external interfaces to observe NAT translation.
NAPT Lab
Topology similar to the basic lab but with multiple VLANs and a pool of four public addresses (202.0.0.3‑202.0.0.6).
Configure ACLs to define private IP ranges for VLAN 10 and VLAN 20.
Define address groups for the public address pool and bind them to outbound NAT.
Validate connectivity from PCs in both VLANs and capture packets to confirm port translation.
Common NAT Commands
display nat static – view static NAT entries.
display nat address-group – view address‑group configuration.
display nat outbound – view outbound NAT mappings.
display nat session all – list active NAT sessions.
nat alg all enable – enable NAT ALG.
Open Source Linux
Focused on sharing Linux/Unix content, covering fundamentals, system development, network programming, automation/operations, cloud computing, and related professional knowledge.
