Mastering NAT: From Basics to Advanced Configurations
This article explains the fundamentals of Network Address Translation (NAT), including IPv4 address exhaustion, private IP ranges, NAT principles, roles, classifications such as static NAT, dynamic NAT, NAPT, Easy IP, NAT Server, and provides detailed configuration examples and a typical network experiment to illustrate practical deployment.
NAT Overview
IPv4 addresses managed by IANA were exhausted in 2011, making it necessary to translate private IP addresses to public ones for Internet connectivity. Private address ranges reserved in the A, B, and C classes are:
A: 10.0.0.0 – 10.255.255.255
B: 172.16.0.0 – 172.31.255.255
C: 192.168.0.0 – 192.168.255.255
Enterprises obtain a public IP from the ISP for their outbound interface; internal devices use private IPs, and NAT converts internal packets to the public IP for external communication.
NAT Technical Principles
NAT modifies IP addresses in packet headers and is widely deployed on network edge devices such as routers or firewalls. Typical scenarios involve private networks (e.g., campus or home) using private addresses, with outbound traffic having its source address translated to a public address, and inbound traffic having its destination address translated back to the private address.
Ports are used by the transport layer (TCP/UDP) to differentiate services; port numbers range from 0 to 65535, with well‑known ports below 256 (e.g., FTP 21, HTTP 80, SMTP 25, HTTPS 443).
NAT Role
Convert private IP to public IP
Hide internal network
Mitigate IPv4 address exhaustion
Solve return‑path routing for public devices
NAT Classification
Static NAT
Each private address maps to a fixed public address (one‑to‑one). Both inbound and outbound traffic are translated, enabling bidirectional communication. Suitable when multiple public IPs are available and the number of internal hosts is small.
# 1. Configure static NAT in the interface view
[Huawei-GigabitEthernet0/0/0] nat static global {global-address} inside {host-address}
# 2. Configure static NAT in the system view
[Huawei] nat static global {global-address} inside {host-address}
# then enable it on the interface
[Huawei-GigabitEthernet0/0/0] nat static enable
Dynamic NAT
Dynamic NAT introduces an address pool of public IPs. When an internal host initiates traffic, an unused address from the pool is temporarily assigned and marked “In Use”. After the session ends, the address is released back to the pool.
# Create the address pool
[Huawei] nat address-group 1 122.1.0.1 122.1.0.10
# Create an ACL so that only the matching traffic is translated
[Huawei] acl number 2000
[Huawei-acl-basic-2000] rule permit source 192.168.0.0 0.0.0.255
# In the interface view, configure outbound NAT with the address pool (no-pat means ports are not translated)
[Huawei-GigabitEthernet0/0/0] nat outbound 2000 address-group 1 no-pat
# View the NAT sessions
display nat session all
NAPT
NAPT (Network Address and Port Translation) extends dynamic NAT by also translating transport‑layer ports, achieving a 1:n mapping between public and private addresses and improving public IP utilization.
# Same as the dynamic NAT configuration, just omit the no-pat keyword
[R1-GigabitEthernet0/0/1] nat outbound 2000 address-group 1
Easy IP
Easy IP works like NAPT but does not use an address pool; the interface’s own IP serves as the public address for translation. It is suitable for scenarios without a fixed public IP, such as DHCP or PPPoE connections.
# Use the current interface address as the public address for source IP and port mapping
[R1-GigabitEthernet0/0/1] nat outbound 2000
NAT Server
NAT Server defines a one‑to‑one mapping between a specific public address:port and a private address:port, allowing internal servers to be accessed from the Internet.
# Enter the interface
[R1] interface GigabitEthernet0/0/1
# Configure the interface IP
[R1-GigabitEthernet0/0/1] ip address 122.1.2.1 255.255.255.0
# Configure the NAT Server mapping (TCP example)
[R1-GigabitEthernet0/0/1] nat server protocol tcp global 122.10.10.1 80 inside 192.168.1.1 8080
Typical Network Configuration Experiment
The following topology demonstrates a complete NAT deployment in an enterprise network.
Core Switch Configuration
# Core switch VLAN and interface configuration
interface Vlanif10
ip address 192.168.10.254 255.255.255.0
interface Vlanif20
ip address 192.168.20.254 255.255.255.0
interface Vlanif30
ip address 10.0.0.2 255.255.255.252
interface MEth0/0/1
interface GigabitEthernet0/0/1
port link-type access
port default vlan 30
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 10 20
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 10 20
# Default route to router
ip route-static 0.0.0.0 0.0.0.0 10.0.0.1
Outbound Router Configuration
# Interface with public IP and NAT outbound
interface GigabitEthernet0/0/0
ip address 122.12.1.1 255.255.255.252
nat outbound 2000
interface GigabitEthernet0/0/1
ip address 10.0.0.1 255.255.255.252
# Routing
ip route-static 0.0.0.0 0.0.0.0 122.12.1.2
ip route-static 192.168.10.0 255.255.255.0 10.0.0.2
ip route-static 192.168.20.0 255.255.255.0 10.0.0.2
# ACL for NAT
acl number 2000
rule 5 permit
Intermediate Router Configuration
# No extra NAT configuration needed
interface GigabitEthernet0/0/0
ip address 122.12.1.2 255.255.255.252
interface GigabitEthernet0/0/1
ip address 23.12.1.2 255.255.255.252
Internet (Baidu) Router Configuration
# Interface and default route
interface GigabitEthernet0/0/1
ip address 23.12.1.1 255.255.255.252
ip route-static 0.0.0.0 0.0.0.0 23.12.1.2
In practice, an enterprise typically has only one or a few public IP addresses; NAT (often NAPT or Easy IP) translates private addresses to public ones, and NAT Server is used to expose internal services with specific port mappings.
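As an added illustration (not part of the original article or any vendor code), the following Python model reproduces the translation behaviour described in the classification section: an ACL deciding which sources are translated, a pool used one-to-one (no-pat) or shared through port translation (NAPT; a one-address pool is Easy IP), and a NAT Server mapping that is the only way an unsolicited inbound packet reaches a private host. The class name, the pool addresses and the ports are constructed from the article's own examples.

```python
import ipaddress
from itertools import count


class NatGateway:
    """Toy model of a Huawei-style NAT edge: outbound ACL + address pool + NAT Server."""

    def __init__(self, acl, pool, pat=True, servers=None):
        self.acl = [ipaddress.ip_network(n) for n in acl]  # sources allowed to be translated
        self.free = list(pool)             # unused public addresses (Easy IP: just the interface IP)
        self.pat = pat                     # False models the "no-pat" keyword (1:1, ports untouched)
        self.servers = dict(servers or {})  # NAT Server: (public_ip, port) -> (private_ip, port)
        self.sessions = {}                 # (private_ip, port) -> (public_ip, port)
        self.reverse = {}                  # (public_ip, port) -> (private_ip, port)
        self.host_addr = {}                # no-pat: private_ip -> public address it currently holds
        self.next_port = count(1024)       # PAT: next free translated port (constructed start value)

    def outbound(self, src_ip, src_port):
        """Translate an outbound packet; returns the new (ip, port), or None if it is dropped."""
        if not any(ipaddress.ip_address(src_ip) in net for net in self.acl):
            return (src_ip, src_port)      # ACL miss: forwarded untranslated, as on the router
        key = (src_ip, src_port)
        if key in self.sessions:
            return self.sessions[key]      # an existing session keeps its mapping
        if self.pat:
            mapped = (self.free[0], next(self.next_port))  # many hosts share one public IP
        else:
            if src_ip not in self.host_addr:
                if not self.free:
                    return None            # pool exhausted: a new host cannot get out
                self.host_addr[src_ip] = self.free.pop(0)
            mapped = (self.host_addr[src_ip], src_port)
        self.sessions[key] = mapped
        self.reverse[mapped] = key
        return mapped

    def inbound(self, dst_ip, dst_port):
        """Translate a packet arriving from the Internet; None means no mapping, so it is dropped."""
        key = (dst_ip, dst_port)
        return self.reverse.get(key) or self.servers.get(key)

    def release(self, src_ip, src_port):
        """Session ended: remove the dynamic mapping and, for no-pat, return the address to the pool."""
        mapped = self.sessions.pop((src_ip, src_port), None)
        if mapped:
            self.reverse.pop(mapped, None)
        if not self.pat and src_ip not in {k[0] for k in self.sessions}:
            addr = self.host_addr.pop(src_ip, None)
            if addr:
                self.free.append(addr)
```

Passing acl=["0.0.0.0/0"] models the experiment's `rule 5 permit`, which translates every source that reaches the router rather than only the 192.168.10.0/24 and 192.168.20.0/24 VLANs.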
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.
Raymond Ops
Linux ops automation, cloud-native, Kubernetes, SRE, DevOps, Python, Golang and related tech discussions.