Mastering NAT: From Static to Dynamic, PAT, NAPT, and NAT Server Configurations
This article explains how Network Address Translation (NAT) works, covering static and dynamic NAT, PAT/NAPT port multiplexing, EasyIP, and NAT Server setups, with configuration commands and practical examples to help network engineers implement secure and efficient IP address translation.
Network Address Translation (NAT) converts private IP addresses to public ones, enabling broadband sharing, security, and IP conservation while introducing latency and configuration complexity.
NAT Functions
Provides bandwidth sharing, security against external attacks, and hides internal computers.
Advantages: saves public IPs, resolves address overlap, enhances flexibility and security.
Disadvantages: increased latency, complex configuration, incompatibility with some applications (e.g., VPN).
Static NAT
Implements a one‑to‑one mapping between private and public addresses. Each private address requires a dedicated public address, so it does not conserve IPs, but it hides the internal network.
When internal hosts send packets outward, the source IP is replaced with the corresponding public IP; inbound responses have the destination IP swapped back to the private address.
Configuration methods:
Global mode:
nat static global 12.0.0.1 inside 192.168.10.10
Enable on interface:
int g0/0/1
nat static enable
Interface declaration:
int g0/0/1
nat static global 12.0.0.1 inside 192.168.10.10
View configuration:
dis nat static
Dynamic NAT
Maps multiple private IPs to multiple public IPs using an address pool for one‑to‑one translation.
Configuration steps:
Set IPs on external and internal interfaces.
Define a valid address pool:
nat address-group 1 212.0.0.100 212.0.0.200
Create an ACL:
acl 2000
rule permit source 192.168.20.0 0.0.0.255
rule permit source 11.0.0.0 0.0.0.255
Apply outbound NAT on the external interface:
int g0/0/1
nat outbound 2000 address-group 1 no-pat
Verify:
dis nat outbound
PAT (Port Address Translation)
PAT (also called NAPT) maps one public IP to many private IPs by translating source ports, conserving public IPs.
PAT Functions
Changes packet IP address and port.
Significantly saves public IP addresses.
PAT Types
Dynamic PAT: includes NAPT and EasyIP.
Static PAT: includes NAT Server.
NAPT
Multiple private addresses share a fixed public IP (e.g., 200.1.1.10). Configuration is similar to Dynamic NAT.
Set interface IPs.
Define address pool:
nat address-group 1 200.1.1.10 200.1.1.10
Create ACL:
acl 2000
rule permit source 192.168.30.0 0.0.0.255
Apply outbound NAT:
int g0/0/1
nat outbound 2000 address-group 1
EasyIP
Maps multiple private addresses to the public address of the external interface.
Set interface IPs.
Define IP pool.
Create ACL:
acl 3000
rule permit ip source 192.168.30.0 0.0.0.255
NAT Server
Enables client access to private servers or server‑to‑client communication.
int g0/0/1
nat server protocol tcp global 9.9.9.9 www inside 192.168.10.100 www
nat server protocol tcp global current-interface 8080 inside 10.1.1.1 www
nat server protocol tcp global current-interface 2121 inside 10.1.1.2 ftp
Summary
NAT translates internal addresses and ports to legal public ones for communication.
Static NAT provides one‑to‑one private‑public mapping.
PAT converts multiple private source IPs to a single public IP using different ports.
NAT Server allows client‑to‑private‑server or server‑to‑client access.
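Each nat server line in the NAT Server section opens an inbound path from the outside to an internal host, so these mappings are worth inventorying during a configuration review. The Python script below is an added example, not part of the original article or of any vendor tooling; it parses only the command form shown on this page, and the function names and the shortlist of cleartext services are assumptions.

```python
import re

# Service keywords used by the commands on this page and their well-known ports.
SERVICE_PORTS = {"www": 80, "ftp": 21}
# Inside ports treated as unencrypted services (assumed shortlist for this example).
CLEARTEXT = {21: "ftp", 23: "telnet", 80: "http"}

NAT_SERVER = re.compile(
    r"^\s*nat server protocol (?P<proto>tcp|udp) global (?P<gaddr>\S+) (?P<gport>\S+)"
    r" inside (?P<iaddr>\S+) (?P<iport>\S+)\s*$"
)

def to_port(token):
    """Resolve a numeric port or a service keyword; unknown keywords raise KeyError."""
    return int(token) if token.isdigit() else SERVICE_PORTS[token]

def audit_nat_server(config_text):
    """Return one record per nat server line, with review findings."""
    records, interface = [], None
    for line in config_text.splitlines():
        stripped = line.strip()
        if stripped.startswith(("int ", "interface ")):
            interface = stripped.split(None, 1)[1]  # mappings below belong to it
            continue
        m = NAT_SERVER.match(line)
        if not m:
            continue
        gport, iport = to_port(m["gport"]), to_port(m["iport"])
        findings = []
        if iport in CLEARTEXT:
            findings.append(f"cleartext {CLEARTEXT[iport]} published to outside")
        if gport != iport:
            findings.append(f"outside port {gport} differs from inside port {iport}")
        records.append({"interface": interface, "proto": m["proto"],
                        "outside": (m["gaddr"], gport),
                        "inside": (m["iaddr"], iport), "findings": findings})
    return records

# The three mappings from the NAT Server section, embedded as sample input.
SAMPLE = """int g0/0/1
 nat server protocol tcp global 9.9.9.9 www inside 192.168.10.100 www
 nat server protocol tcp global current-interface 8080 inside 10.1.1.1 www
 nat server protocol tcp global current-interface 2121 inside 10.1.1.2 ftp
"""

if __name__ == "__main__":
    for rec in audit_nat_server(SAMPLE):
        print(rec["outside"], "->", rec["inside"], rec["findings"] or "ok")
```

Run against a saved device configuration, the output gives a list of published services to compare with what is actually meant to be reachable from outside.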
MaGe Linux Operations
