Understanding NAT: Types, Principles, and Practical Configuration Examples

This article explains why IPv4 exhaustion led to NAT, outlines private IP ranges, describes NAT's core functions and types—including static, dynamic, NAPT, Easy IP, and NAT Server—and provides detailed configuration commands and a lab topology for implementing NAT in enterprise networks.

Open Source Linux

NAT Overview

IPv4 addresses managed by IANA were exhausted in 2011, leading to the need for translating private IP addresses to public ones for Internet access.

Reserved private address ranges (RFC 1918): Class A 10.0.0.0‑10.255.255.255, Class B 172.16.0.0‑172.31.255.255, Class C 192.168.0.0‑192.168.255.255.

In enterprise networks, a public IP is obtained from the ISP and applied to the outbound device; internal hosts use private address ranges, and NAT converts internal packets to the public address.

NAT Technical Principles

NAT (Network Address Translation) modifies IP addresses in packet headers and is typically deployed on routers or firewalls at network edges.

Typical scenario: private networks use private addresses; outbound NAT translates source addresses to a public address; inbound traffic has destination addresses translated back to private addresses.

Ports: TCP/UDP use 0‑65535; ports <256 are well‑known; common ports include 21 (FTP), 80 (HTTP), 25 (SMTP), 443 (HTTPS).

NAT Functions

Convert private IP to public IP.

Hide internal network.

Mitigate IPv4 address exhaustion.

Resolve return‑path routing: public devices reply to the translated public address, so they need no route back to the private network.

NAT Types

Static NAT

One‑to‑one mapping between a private address and a fixed public address, supporting bidirectional communication.

Suitable when multiple public addresses are available and few internal hosts require one‑to‑one translation.

# 1. Configure static NAT in interface view
[Huawei-GigabitEthernet0/0/0] nat static global {global-address} inside {host-address}
# 2. Or configure the mapping in system view
[Huawei] nat static global {global-address} inside {host-address}
# then enable static NAT on the interface
[Huawei-GigabitEthernet0/0/0] nat static enable

Dynamic NAT

Uses an address pool to allocate public addresses to internal hosts on demand, avoiding waste of one‑to‑one static mappings.

When a host finishes its session, the address is returned to the pool.

# Create address pool
[Huawei] nat address-group group-index start-address end-address
# Create ACL to select traffic for NAT
[Huawei] acl number
[Huawei-acl-basic-number] rule permit source source-address source-wildcard
# Configure outbound NAT with address pool
[Huawei-GigabitEthernet0/0/0] nat outbound acl-number address-group group-index [no-pat]
# View NAT sessions
[Huawei] display nat session all

NAPT

Network Address and Port Translation extends dynamic NAT by also translating transport‑layer ports, achieving a 1:n mapping and better public address utilization.

# Configure NAPT (omit no‑pat)
[R1-GigabitEthernet0/0/1] nat outbound 2000 address-group 1

Example of port communication when accessing a web site.

Host selects a source port (e.g., 55508).

Destination is www.baidu.com:80/443.

Outbound translation: 192.168.1.1:55508 → 111.21.8.5:62105 → www.baidu.com:443.

The device records the translation for return traffic.

Easy IP

Functions like NAPT but uses the interface’s own address as the public address, without an explicit address pool.

Useful for connections that obtain a dynamic public address via DHCP or PPPoE.

# Use the current interface address for source IP and port mapping
[R1-GigabitEthernet0/0/1] nat outbound 2000

NAT Server

Provides a one‑to‑one mapping of a specific public address and port to a private address and port, enabling internal servers to be reachable from the Internet.

# Enter interface
[R1] interface GigabitEthernet0/0/1
# Assign IP address
[R1-GigabitEthernet0/0/1] ip address 122.1.2.1 24
# Map public TCP port 80 to port 8080 on the internal server
[R1-GigabitEthernet0/0/1] nat server protocol tcp global 202.10.10.1 80 inside 192.168.1.1 8080

This is typically used when a fixed public IP is available and services need to be published.
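
The NAPT port example and the NAT Server mapping described above, modelled as one translation table. This is an added example, not code from the article or from Huawei; the class and method names, the stand-in web server address 203.0.113.10, the use of a single public address for both mappings, and the rule that a reply is accepted only from the recorded peer are assumptions of this sketch.

```python
from dataclasses import dataclass, field

@dataclass
class NatDevice:
    public_ip: str
    next_port: int = 62105                         # constructed start, matches the article's example
    sessions: dict = field(default_factory=dict)   # (proto, public_port) -> (inside, remote)
    by_inside: dict = field(default_factory=dict)  # (proto, inside, remote) -> public_port
    servers: dict = field(default_factory=dict)    # (proto, public_port) -> inside

    def nat_server(self, proto, global_port, inside_ip, inside_port):
        """Static published mapping, as 'nat server protocol ... global ... inside ...' creates."""
        self.servers[(proto, global_port)] = (inside_ip, inside_port)

    def outbound(self, proto, inside, remote):
        """Translate an inside (ip, port) source; the first packet creates the session."""
        key = (proto, inside, remote)
        if key not in self.by_inside:
            port = self.next_port
            while (proto, port) in self.sessions or (proto, port) in self.servers:
                port += 1                          # never reuse a port that is already mapped
            if port > 65535:
                raise RuntimeError("public port range exhausted")
            self.sessions[(proto, port)] = (inside, remote)
            self.by_inside[key] = port
            self.next_port = port + 1
        return (self.public_ip, self.by_inside[key])

    def inbound(self, proto, remote, public_port):
        """Return the inside (ip, port) the packet is delivered to, or None if dropped."""
        if (proto, public_port) in self.servers:   # published service: reachable by any remote
            return self.servers[(proto, public_port)]
        session = self.sessions.get((proto, public_port))
        if session and session[1] == remote:       # reply from the recorded peer only
            return session[0]
        return None                                # unsolicited packet: no mapping, dropped

def demo():
    nat = NatDevice("111.21.8.5")
    nat.nat_server("tcp", 80, "192.168.1.1", 8080)
    web = ("203.0.113.10", 443)                    # constructed stand-in for the web server
    src = nat.outbound("tcp", ("192.168.1.1", 55508), web)
    reply = nat.inbound("tcp", web, src[1])
    stray = nat.inbound("tcp", ("198.51.100.7", 4444), src[1])
    published = nat.inbound("tcp", ("198.51.100.7", 4444), 80)
    return src, reply, stray, published
```

The dynamic session admits only return traffic from the peer that the inside host contacted, while the NAT Server entry is a standing inbound path, so it is the part of the table that belongs in an exposure review.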

Typical Network Configuration Lab

Topology includes a core switch, access switches, and an outbound router performing NAT.

# Core switch VLAN and gateway configuration
interface Vlanif10
 ip address 192.168.10.254 255.255.255.0
interface Vlanif20
 ip address 192.168.20.254 255.255.255.0
interface Vlanif30
 ip address 10.0.0.2 255.255.255.252
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 30
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 10 20
# Default route to router
ip route-static 0.0.0.0 0.0.0.0 10.0.0.1
# Outbound router NAT and routing
interface GigabitEthernet0/0/0
 ip address 122.12.1.1 255.255.255.252
 nat outbound 2000
interface GigabitEthernet0/0/1
 ip address 10.0.0.1 255.255.255.252
# Static routes
ip route-static 0.0.0.0 0.0.0.0 122.12.1.2
ip route-static 192.168.10.0 255.255.255.0 10.0.0.2
ip route-static 192.168.20.0 255.255.255.0 10.0.0.2
# ACL for NAT
acl number 2000
 rule 5 permit
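
A review check for the lab configuration above, as an added example that is not part of the original article or any Huawei tool: it reports every `nat outbound` ACL whose permit rule has no source restriction (as `rule 5 permit` does) and lists each port published with `nat server`. The sample text is constructed by combining the lab's router section with the article's NAT Server line; the `audit` function name and the finding wording are assumptions.

```python
import re

# Constructed sample: router section of the lab plus the article's NAT Server line.
CONFIG = """\
interface GigabitEthernet0/0/0
 ip address 122.12.1.1 255.255.255.252
 nat outbound 2000
 nat server protocol tcp global 202.10.10.1 80 inside 192.168.1.1 8080
interface GigabitEthernet0/0/1
 ip address 10.0.0.1 255.255.255.252
acl number 2000
 rule 5 permit
"""

def audit(config):
    """Return (findings, published) for a VRP-style configuration text."""
    acls, nat_refs, published = {}, [], []
    section = [""]
    for line in config.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue                                # skip blank lines and comments
        if not line.startswith(" "):                # a top-level line opens a new section
            section = line.split()
            continue
        words = line.split()
        if section[:2] == ["acl", "number"] and words[0] == "rule":
            acls.setdefault(section[2], []).append(words)
        elif section[0] == "interface" and words[:2] == ["nat", "outbound"]:
            nat_refs.append((section[1], words[2]))
        elif section[0] == "interface" and words[:2] == ["nat", "server"]:
            m = re.search(r"protocol (\S+) global (\S+) (\S+) inside (\S+) (\S+)", line)
            if m:
                published.append(m.groups())
    findings = []
    for iface, acl in nat_refs:
        if acl not in acls:
            findings.append(f"{iface}: nat outbound references undefined ACL {acl}")
            continue
        for rule in acls[acl]:
            if "permit" in rule and ("source" not in rule or "any" in rule):
                findings.append(f"{iface}: ACL {acl} rule {rule[1]} permits any source")
    return findings, published
```

Replacing the blanket rule with one permit per internal subnet, for example `rule 5 permit source 192.168.10.0 0.0.0.255`, clears the finding and keeps the router from translating sources outside the lab's VLANs.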

In practice, enterprises usually have one or a few public IPs; NAT (NAPT or Easy IP) translates internal private addresses, and NAT Server maps internal servers to specific public ports.
