Configure and verify inside source NAT using static and pools - CSU359 - Shoolini University

Configure and verify inside source NAT using static and pools

0. Inside Source NAT

Inside Source NAT is a technique where the source IP address of packets originating from inside a private network is translated to a public IP address before the packet reaches the external (public) network. This allows internal devices with private IP addresses to communicate with external networks, such as the internet, using a public IP address.

If you did not understand the above paragraph, don't worry. We will break it down into simpler terms below.

0.1 Key Concepts of Inside Source NAT

0.2 Types of Inside Source NAT

There are two primary types of Inside Source NAT:

0.3 Inside Source NAT Configuration

To configure Inside Source NAT, the router or firewall must be configured to translate the private inside local address to a public inside global address.

For Static NAT:

Router(config)# ip nat inside source static {inside-local} {inside-global}

For Dynamic NAT (using a pool):

Router(config)# ip nat pool {pool-name} {start-ip} {end-ip} netmask {netmask}
Router(config)# access-list {access-list-number} permit {inside-local-subnet}
Router(config)# ip nat inside source list {access-list-number} pool {pool-name}

Example: Configure a NAT pool for dynamic NAT:

Router(config)# ip nat pool PUBLIC_POOL 203.0.113.10 203.0.113.20 netmask 255.255.255.0
Router(config)# access-list 1 permit 192.168.1.0 0.0.0.255
Router(config)# ip nat inside source list 1 pool PUBLIC_POOL

0.4 Verifying Inside Source NAT

Once Inside Source NAT is configured, you can verify it using the following command:

Router# show ip nat translations

This command will display the NAT translations, showing how inside local IPs are mapped to inside global IPs.

0.5 Inside Source NAT Use Cases

Inside Source NAT is widely used in scenarios where internal devices with private IPs need to access external networks. For instance, in a corporate network, employees' computers with private IP addresses can access the internet by having their internal IPs translated into the organization's public IP range.

1. Static NAT

Static NAT provides a fixed, one-to-one mapping between a private IP address and a public IP address. This method is suitable when you need a specific device, such as a web server, to be reachable from the outside network using the same public IP address.

1.1 Key Concepts of Static NAT

1.2 Static NAT Configuration

To configure Static NAT, you create a direct mapping between the inside local (private) IP and the inside global (public) IP. This mapping remains constant and does not change unless manually reconfigured.

Use the following command syntax to configure Static NAT:

Router(config)# ip nat inside source static {inside-local} {inside-global}

Example: Map internal IP 192.168.1.10 to public IP 203.0.113.10.

Router(config)# ip nat inside source static 192.168.1.10 203.0.113.10

1.3 Verifying Static NAT

Once Static NAT is configured, you can verify that the translation has been established and is functioning properly by using the following command:

Router# show ip nat translations

This command will display the static NAT mappings, showing the relationship between the inside local and inside global addresses.

1.4 Static NAT Use Case

Static NAT is commonly used in scenarios where a specific device, such as a web server, must always be accessible using a particular public IP. For example, a business may map its web server’s internal IP address to a fixed public IP so that users can consistently access the website.

2. NAT Pools

NAT Pools allow dynamic translation of multiple inside local (private) IP addresses to a pool of inside global (public) IP addresses. This is more flexible than Static NAT, as multiple devices inside the network can share a pool of public IPs for outbound communication.

2.1 Key Concepts of NAT Pools

2.2 NAT Pool Configuration

To configure a NAT Pool, define a range of public IP addresses and associate it with an access list that defines which internal devices (inside local addresses) are eligible for translation. The router will dynamically assign IPs from this pool as internal devices send traffic to the external network.

Use the following commands to configure a NAT Pool:

Router(config)# ip nat pool {pool-name} {start-ip} {end-ip} netmask {netmask}
Router(config)# access-list {access-list-number} permit {inside-local-subnet}
Router(config)# ip nat inside source list {access-list-number} pool {pool-name}

Example: Create a NAT pool with public IP addresses from 203.0.113.10 to 203.0.113.20 and apply it to devices in the 192.168.1.0/24 subnet:

Router(config)# ip nat pool PUBLIC_POOL 203.0.113.10 203.0.113.20 netmask 255.255.255.0
Router(config)# access-list 1 permit 192.168.1.0 0.0.0.255
Router(config)# ip nat inside source list 1 pool PUBLIC_POOL

2.3 Verifying NAT Pools

To verify that the NAT Pool is functioning correctly and that public IP addresses are being dynamically assigned from the pool, use the following command:

Router# show ip nat translations

This command displays all current NAT translations, showing the inside local addresses (private IPs) and the inside global addresses (public IPs) assigned from the pool.

To check the utilization of the NAT pool and see how many addresses have been used, you can use:

Router# show ip nat statistics

This command shows pool utilization, the number of translations, and translation hits and misses.

2.4 NAT Pools Use Case

NAT Pools are ideal for networks where multiple internal devices need to communicate with the internet but do not require a fixed public IP. For example, a company with many employees could use NAT Pools to dynamically assign public IPs to users when they access the internet.

3. NAT (Network Address Translation)

Network Address Translation (NAT) is a method used to modify IP address information in packet headers while they are in transit. It is primarily used to translate private IP addresses, which are not routable on the internet, into public IP addresses. NAT facilitates the communication between internal private networks and external public networks, like the internet.

3.1 Types of NAT

There are several types of NAT, each serving a different purpose depending on the network's needs:

3.2 Source NAT

Source NAT (SNAT) is a specific type of NAT where the source IP address in the packet header is translated from a private IP to a public IP as the packet leaves the internal network and heads to the external network.

This is commonly used to allow devices in a private network to communicate with external networks, like the internet, by using the public IP address of the NAT-enabled router or firewall.

3.2.1 How Source NAT Works

When a packet is sent from a device in the internal network, the device’s private IP (inside local) is replaced with a public IP (inside global) at the NAT router or firewall. The return packet is then routed back to the correct internal device based on this translation.

3.2.2 Configuration of Source NAT

There are two primary methods to configure Source NAT:

3.3 Source NAT Configuration

To configure Source NAT using dynamic NAT Pools:

Router(config)# ip nat pool {pool-name} {start-ip} {end-ip} netmask {netmask}
Router(config)# access-list {access-list-number} permit {inside-local-subnet}
Router(config)# ip nat inside source list {access-list-number} pool {pool-name}

Example: Set up a pool with addresses 203.0.113.10 to 203.0.113.20 and apply it to the 192.168.1.0/24 internal network:

Router(config)# ip nat pool PUBLIC_POOL 203.0.113.10 203.0.113.20 netmask 255.255.255.0
Router(config)# access-list 1 permit 192.168.1.0 0.0.0.255
Router(config)# ip nat inside source list 1 pool PUBLIC_POOL

3.4 Verifying Source NAT

After configuring Source NAT, verify it using:

Router# show ip nat translations

This command will show the mappings between inside local and inside global addresses.

4. Configure and Verify Inside Source NAT Using Static and Pools

Network Address Translation (NAT) is essential for translating private, internal IP addresses to public, external IP addresses, and vice versa. "Inside source NAT" focuses on translating the source address of packets originating from inside a network to a globally routable address. The two main methods of configuring inside source NAT are Static NAT and NAT Pools. We will explore both methods below.

4.1 Static NAT

Static NAT is a one-to-one mapping between an internal (private) IP address and a public IP address. It is ideal for devices that need to be accessible from the outside world with the same IP, like web servers.

4.1.1 How Static NAT Works

Static NAT provides a fixed mapping. For each inside local IP (private), there is an inside global IP (public). This mapping never changes.

4.1.2 Static NAT Configuration

To configure Static NAT, use the following command:

Router(config)# ip nat inside source static {inside-local} {inside-global}

Example: Map internal IP 192.168.1.10 to public IP 203.0.113.10.

Router(config)# ip nat inside source static 192.168.1.10 203.0.113.10

4.1.3 Verifying Static NAT

To verify the Static NAT configuration, use the following command:

Router# show ip nat translations

This command will display the static mapping and any active translations.

4.2 NAT Pools

NAT Pools allow you to dynamically map a range of inside local addresses to a pool of inside global addresses. This is useful when there are multiple internal devices needing translation to a pool of public addresses.

4.2.1 How NAT Pools Work

Unlike static NAT, where each inside device is assigned a fixed public IP, NAT Pools provide a dynamic translation, assigning available public IPs from a defined pool. When an internal device initiates communication with the outside, the router selects an available public IP from the pool. If every address in the pool is already in use, new connections cannot be translated until an address is released; such failed allocations are counted as misses in the output of show ip nat statistics.

4.2.2 NAT Pool Configuration

To configure a NAT Pool, use the following commands:

Router(config)# ip nat pool {pool-name} {start-ip} {end-ip} netmask {netmask}
Router(config)# access-list {access-list-number} permit {inside-local-subnet}
Router(config)# ip nat inside source list {access-list-number} pool {pool-name}

Example: Define a pool with IPs ranging from 203.0.113.10 to 203.0.113.20 and associate it with an access list:

Router(config)# ip nat pool PUBLIC_POOL 203.0.113.10 203.0.113.20 netmask 255.255.255.0
Router(config)# access-list 1 permit 192.168.1.0 0.0.0.255
Router(config)# ip nat inside source list 1 pool PUBLIC_POOL

4.2.3 Verifying NAT Pools

To verify the NAT Pool configuration, use the following commands:

Router# show ip nat translations

This command displays active translations, showing the mappings between inside local and inside global addresses.

Router# show ip nat statistics

This command shows pool utilization, translation hits, and misses.
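The two show commands above are only useful if you compare their output against what you configured. The following Python script is an added example, not part of the course notes: it parses constructed text laid out like show ip nat translations and the pool section of show ip nat statistics, then checks every entry against an assumed policy (static map 192.168.1.10 to 203.0.113.10, pool 203.0.113.11 to 203.0.113.20, access list permitting 192.168.1.0/24). The pool is assumed to start at .11 so that it does not overlap the static address. An inside host that was translated although the access list should not match it, or a global address outside the pool, is reported as a finding, since either means the running policy differs from the intended one.

```python
import ipaddress
import re

# Constructed sample output laid out like "show ip nat translations"
# (columns: Pro, Inside global, Inside local, Outside local, Outside global).
# Not captured from a real device. The last row is a host outside the
# permitted 192.168.1.0/24 subnet, so the audit has something to flag.
SAMPLE_TRANSLATIONS = """\
Pro Inside global      Inside local       Outside local      Outside global
--- 203.0.113.10       192.168.1.10       ---                ---
tcp 203.0.113.11:1025  192.168.1.20:1025  198.51.100.5:80    198.51.100.5:80
udp 203.0.113.12:53001 192.168.1.30:53001 198.51.100.53:53   198.51.100.53:53
tcp 203.0.113.13:1030  192.168.2.7:1030   198.51.100.5:443   198.51.100.5:443
"""

# Constructed excerpt laid out like the pool section of "show ip nat statistics".
SAMPLE_STATISTICS = """\
Total active translations: 4 (1 static, 3 dynamic; 3 extended)
Hits: 1523  Misses: 4
 pool PUBLIC_POOL: netmask 255.255.255.0
        start 203.0.113.11 end 203.0.113.20
        type generic, total addresses 10, allocated 3 (30%), misses 0
"""

# Assumed intended policy (the page's values, with the pool starting at .11
# so the static address .10 is never handed out dynamically).
STATIC_MAP = {"192.168.1.10": "203.0.113.10"}
POOL_START = ipaddress.ip_address("203.0.113.11")
POOL_END = ipaddress.ip_address("203.0.113.20")
INSIDE_SUBNET = ipaddress.ip_network("192.168.1.0/24")


def strip_port(field):
    """'203.0.113.11:1025' -> '203.0.113.11'; '---' is returned unchanged (IPv4 only)."""
    return field.split(":")[0]


def parse_translations(text):
    """Turn the table into a list of dicts, skipping the header and any short lines."""
    entries = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) != 5:
            continue
        proto, ig, il, ol, og = parts
        entries.append({"proto": proto, "inside_global": strip_port(ig),
                        "inside_local": strip_port(il), "outside_local": strip_port(ol),
                        "outside_global": strip_port(og)})
    return entries


def audit_translations(entries, static_map, pool_start, pool_end, inside_subnet):
    """Return findings: every translation the intended policy does not explain."""
    findings = []
    for e in entries:
        il, ig = e["inside_local"], e["inside_global"]
        if e["proto"] == "---":
            # Static entries carry no protocol or ports; they must match the static table.
            if static_map.get(il) != ig:
                findings.append(f"unexpected static mapping {il} -> {ig}")
            continue
        if not (pool_start <= ipaddress.ip_address(ig) <= pool_end):
            findings.append(f"{il} translated to {ig}, which is outside the pool")
        if ipaddress.ip_address(il) not in inside_subnet:
            findings.append(f"{il} was translated but is not in permitted subnet {inside_subnet}")
    return findings


def pool_utilization(stats_text):
    """Return (total, allocated, percent) from the pool line of show ip nat statistics."""
    m = re.search(r"total addresses (\d+), allocated (\d+) \((\d+)%\)", stats_text)
    if not m:
        raise ValueError("pool utilization line not found")
    return tuple(int(x) for x in m.groups())


if __name__ == "__main__":
    for finding in audit_translations(parse_translations(SAMPLE_TRANSLATIONS),
                                      STATIC_MAP, POOL_START, POOL_END, INSIDE_SUBNET):
        print("FINDING:", finding)
    total, used, pct = pool_utilization(SAMPLE_STATISTICS)
    print(f"pool: {used}/{total} addresses allocated ({pct}%)")
```

Run against the constructed sample, the script reports the 192.168.2.7 entry and a pool at 30% utilization. On a real device you would feed it the captured command output instead of the embedded strings; the column layout is the only thing it relies on.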

4.3 Inside/Outside NAT Interface Configuration

NAT requires defining which interfaces are inside and outside. The inside interface is connected to the internal network, and the outside interface is connected to the external (public) network. Until both roles are assigned, the translation rules above are never applied to any traffic.

Router(config)# interface {inside-interface-name}
Router(config-if)# ip nat inside
Router(config-if)# exit
Router(config)# interface {outside-interface-name}
Router(config-if)# ip nat outside

Example: Configure the inside interface as GigabitEthernet 0/0 and the outside interface as Serial 0/1:

Router(config)# interface gigabitEthernet 0/0
Router(config-if)# ip nat inside
Router(config-if)# exit
Router(config)# interface serial 0/1
Router(config-if)# ip nat outside
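Sections 4.1 to 4.3 together describe one procedure: mark the interfaces, add the static mapping, then define the access list, the pool and the dynamic rule. The following Python script is an added example, not part of the course notes, that generates that whole configuration in running-config form (no prompts) from a few parameters and refuses combinations that IOS will accept but that behave badly: a pool whose range crosses its own netmask, an access list that would permit every source, or a static inside global address that also sits in the dynamic pool. All values are assumed; they follow the page's examples except that the pool starts at 203.0.113.11 so the static address .10 stays out of it. The wildcard mask for the access list is derived from the subnet prefix rather than typed by hand.

```python
import ipaddress


def wildcard_mask(network):
    """IOS standard access-lists take a wildcard (inverse) mask, e.g. /24 -> 0.0.0.255."""
    return str(network.hostmask)


def build_inside_source_nat(inside_if, outside_if, inside_subnet, acl_number,
                            pool_name, pool_start, pool_end, pool_netmask, static_maps):
    """Return IOS configuration lines for inside-source NAT with a static mapping
    and a dynamic pool, after checking the parameters for mistakes IOS does not catch."""
    subnet = ipaddress.ip_network(inside_subnet)
    start, end = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)

    # Standard numbered ACLs live in 1-99 (or the expanded range 1300-1999).
    if not (1 <= acl_number <= 99 or 1300 <= acl_number <= 1999):
        raise ValueError("standard numbered ACL must be 1-99 or 1300-1999")
    if end < start:
        raise ValueError("pool end address precedes start address")
    pool_net = ipaddress.ip_network(f"{pool_start}/{pool_netmask}", strict=False)
    if end not in pool_net:
        raise ValueError("pool range crosses the boundary of its netmask")
    if subnet.prefixlen == 0:
        raise ValueError("access list would permit every source; translate only the intended subnet")
    pool_addrs = range(int(start), int(end) + 1)
    for local, public in static_maps.items():
        if int(ipaddress.ip_address(public)) in pool_addrs:
            raise ValueError(f"static address {public} overlaps the dynamic pool")

    lines = [
        f"interface {inside_if}", " ip nat inside",
        f"interface {outside_if}", " ip nat outside",
    ]
    for local, public in static_maps.items():
        lines.append(f"ip nat inside source static {local} {public}")
    lines += [
        f"access-list {acl_number} permit {subnet.network_address} {wildcard_mask(subnet)}",
        f"ip nat pool {pool_name} {start} {end} netmask {pool_netmask}",
        f"ip nat inside source list {acl_number} pool {pool_name}",
    ]
    return lines


# Assumed values: the page's examples, with the pool starting at .11 so that the
# static address 203.0.113.10 is not also handed out dynamically.
PAGE_EXAMPLE = dict(inside_if="GigabitEthernet0/0", outside_if="Serial0/1",
                    inside_subnet="192.168.1.0/24", acl_number=1,
                    pool_name="PUBLIC_POOL", pool_start="203.0.113.11",
                    pool_end="203.0.113.20", pool_netmask="255.255.255.0",
                    static_maps={"192.168.1.10": "203.0.113.10"})

if __name__ == "__main__":
    print("\n".join(build_inside_source_nat(**PAGE_EXAMPLE)))
```

The output is the same set of commands shown in sections 4.1.2, 4.2.2 and 4.3, ready to paste into configuration mode. Keeping the static address out of the pool matters because a pool address that is simultaneously a static inside global leaves two hosts contending for one public address.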

4.4 Troubleshooting NAT

Common commands for troubleshooting NAT: