Mastering NAT: From Basics to Advanced Configurations and Real-World Examples
This article explains the depletion of IPv4 addresses, introduces private IP ranges, details NAT principles, types (static, dynamic, NAPT, Easy IP, NAT Server), and provides comprehensive configuration examples and lab topologies for implementing NAT on Huawei devices.
NAT Overview
The IANA pool of IPv4 addresses was exhausted in 2011, so organizations use private IP addresses internally and translate them to public IPs for Internet access. The private ranges are:
Class A: 10.0.0.0 – 10.255.255.255
Class B: 172.16.0.0 – 172.31.255.255
Class C: 192.168.0.0 – 192.168.255.255
Enterprises obtain a public IP from the ISP, use private IP ranges internally, and NAT converts internal packets to the public IP.
NAT Technical Principles
NAT translates IP addresses in packets and is typically deployed on routers or firewalls at the network edge.
Typical scenario: private networks use private addresses; outbound traffic is translated to a public address, and inbound traffic is translated back to the private address.
Ports: TCP and UDP use port numbers 0‑65535; well‑known ports (e.g., 21 for FTP, 80 for HTTP, 443 for HTTPS) are below 1024, while ephemeral (temporary) source ports are usually 1024‑5000.
NAT functions
Convert private IP to public IP
Hide internal network
Mitigate IPv4 address exhaustion
Provide a return path: public devices reply to the public address, and the NAT device translates the reply back to the internal host
NAT Types
Static NAT
One‑to‑one mapping between a private address and a fixed public address, supporting bidirectional communication.
Suitable when several public addresses are available and there are only a few internal hosts.
Configuration example:
# 1. Configure static NAT in interface view
[Huawei-GigabitEthernet0/0/0] nat static global {global-address} inside {host-address}
# 2. Configure static NAT in system view
[Huawei] nat static global {global-address} inside {host-address}
# Enable it on the interface
[Huawei-GigabitEthernet0/0/0] nat static enable
Dynamic NAT
Uses a pool of public addresses; when an internal host accesses the Internet, an unused address from the pool is temporarily assigned and marked “In Use”. When the host stops communicating, the address is released back to the pool.
Configuration example:
# Create the address pool
[Huawei] nat address-group group-index start-address end-address
# Create an ACL to match the traffic to be translated
[Huawei] acl number acl-number
[Huawei-acl-basic-number] rule permit source source-address source-wildcard
# Apply outbound NAT with the address pool (no-pat disables port translation)
[Huawei-GigabitEthernet0/0/0] nat outbound acl-number address-group group-index [no-pat]
# Show NAT sessions
display nat session all
NAPT
Network Address and Port Translation converts both IP address and port, achieving 1:n mapping and better public address utilization.
Configuration example:
# Enable outbound NAT with port translation (i.e., without the no-pat keyword)
[R1-GigabitEthernet0/0/1] nat outbound 2000 address-group 1
Example of port communication when accessing Baidu:
Host selects a source port in 1024‑65535, e.g., 55508.
Destination is www.baidu.com, port 80 (HTTP) or 443 (HTTPS).
Outbound translation: 192.168.1.1:55508 → 111.21.8.5:62105 → www.baidu.com:443.
Router records the translation for return traffic.
Easy IP
Similar to NAPT but uses the interface’s own address as the public address, without an address pool.
Applicable when the ISP provides a dynamic public address via DHCP or PPPoE.
NAT Server
Maps a specific public address and port to a private address and port, enabling internal servers to be reachable from the Internet.
Configuration example:
# Enter interface
[R1] interface GigabitEthernet0/0/1
# Set IP address
[R1-GigabitEthernet0/0/1] ip address 122.1.2.1 24
# Map a public TCP port to an internal address and port
[R1-GigabitEthernet0/0/1] nat server protocol tcp global 202.10.10.1 80 inside 192.168.1.1 8080
Used when a fixed public address is available and multiple ports need to be exposed.
Typical Network Lab Configuration
Topology diagram (image not reproduced here).
Core switch configuration (VLANs, IPs, trunk/access ports):
# Core switch VLAN and gateway configuration
interface Vlanif10
ip address 192.168.10.254 255.255.255.0
interface Vlanif20
ip address 192.168.20.254 255.255.255.0
interface Vlanif30
ip address 10.0.0.2 255.255.255.252
# Default route toward the outbound router
ip route-static 0.0.0.0 0.0.0.0 10.0.0.1
Outbound router configuration with NAT:
# Interface and NAT
interface GigabitEthernet0/0/0
ip address 122.12.1.1 255.255.255.252
nat outbound 2000
interface GigabitEthernet0/0/1
ip address 10.0.0.1 255.255.255.252
# Static routes and ACL
ip route-static 0.0.0.0 0.0.0.0 122.12.1.2
ip route-static 192.168.10.0 255.255.255.0 10.0.0.2
ip route-static 192.168.20.0 255.255.255.0 10.0.0.2
acl number 2000
rule 5 permit
Intermediate router and Internet (Baidu) configurations are omitted for brevity.
In practice, enterprises with only a few public IPs rely on NAT (NAPT or Easy IP) to let internal hosts reach the Internet, and use NAT Server to expose internal services.
MaGe Linux Operations