Wednesday, November 26, 2025

NAT in Cisco IOS — The Core Concepts



1. WHY NAT EXISTS

NAT (Network Address Translation) mainly solves two problems:

  1. IPv4 address exhaustion

    • Private networks can use 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16

    • Only a few public IPs are needed for thousands of hosts

  2. Hides internal addressing

    • Adds a layer of basic security

    • Remote hosts don’t know internal IPs

PAT (Port Address Translation) is the most common form of NAT.


2. THE FOUR MOST IMPORTANT TERMS (the CCNA loves these)

These terms describe NAT from the router’s perspective:

Inside Local

Private, internal IP.
Example: 10.1.1.10

Inside Global

The public IP that represents the inside host.
Example: 198.51.100.10

Outside Local

The router’s view of the remote host’s address (often the same as the outside global).

Outside Global

The true public address of the remote server.
Example: 93.184.216.34

For CCNA:
Inside = your LAN
Outside = the internet


3. THE THREE TYPES OF NAT YOU MUST KNOW

A) Static NAT (1:1 Mapping)

Permanent mapping.
Used for servers you want reachable from the internet.

ip nat inside source static 10.1.1.50 198.51.100.50

Maps:
10.1.1.50 ↔ 198.51.100.50

Characteristics:

  • Always in NAT table

  • Inbound initiated connections allowed

  • No port changes

  • Not stateful


B) Dynamic NAT (Pool-Based, No Port Overload)

ip nat pool CAMPUS 198.51.100.100 198.51.100.150 netmask 255.255.255.0
ip nat inside source list 10 pool CAMPUS

ACL defines who can be translated:

access-list 10 permit 10.1.0.0 0.0.255.255

Characteristics:

  • Uses a pool of public IPs

  • One inside host consumes one global IP per session

  • No port overload

  • Runs out fast

  • Almost never used today

  • Rare but still tested on CCNA


C) PAT — NAT Overload (MOST IMPORTANT)

The home-router NAT everyone knows.

ip nat inside source list 10 interface g0/1 overload

Characteristics:

  • Many internal hosts share ONE public IP

  • Router rewrites:

    • Source IP

    • Source Port

  • Most scalable

  • 99% of real networks

  • #1 NAT topic on CCNA


4. HOW NAT WORKS

Outbound packet (LAN → Internet):

  1. Host creates packet:
     src 10.1.1.10:55000 dst 93.184.216.34:443

  2. Router checks NAT rules

  3. PAT rewrites:
     src 198.51.100.10:40021 dst 93.184.216.34:443

  4. Packet sent out WAN


Inbound packet (Internet reply → LAN):

Server replies:

src 93.184.216.34:443 dst 198.51.100.10:40021

Router reverses PAT:

dst 10.1.1.10:55000

Packet delivered to host.

Destination port IS ALWAYS the client’s ephemeral port.
Never the server port.

(This exact rule later became the heart of the ACL/NAT direction lessons.)


5. NAT TABLES (Original Examples)

Static NAT Entry

Pro  Inside local     Inside global
---  --------------   ----------------
---  10.1.1.50        198.51.100.50

PAT Entry

tcp 10.1.1.10:55000 198.51.100.10:40021
tcp 10.1.1.11:55001 198.51.100.10:40022
udp 10.1.1.20:60000 198.51.100.10:51010

PAT uses:

  • Unique port numbers

  • Same global IP shared among MANY inside hosts
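The outbound/inbound walk-through in section 4 and the table in section 5, modelled as a small NAT table. This is an added example, not code from the post or from Cisco IOS; it uses the post's addresses and ports, and the port-allocation policy (hand out 40021, 40022, ... in order) and the reverse lookup keyed only on protocol and global port are simplifying assumptions (real IOS matches the full flow).

```python
# Added example (not from the post): a minimal model of a Cisco IOS-style NAT table
# holding static 1:1 entries plus PAT overload entries on one inside global address.
# Assumptions: ports are allocated sequentially from 40021; reverse lookup uses only
# (protocol, global port), a simplification of the real 5-tuple match.

class NatTable:
    def __init__(self, global_ip, first_port=40021):
        self.global_ip = global_ip       # the 'overload' interface address
        self.next_port = first_port      # next free inside global port (assumption)
        self.static = {}                 # inside local  -> inside global
        self.pat = {}                    # (proto, inside local, port) -> global port
        self.reverse = {}                # (proto, global port) -> (inside local, port)

    def add_static(self, inside_local, inside_global):
        """Equivalent of 'ip nat inside source static A B': permanent, no port change."""
        self.static[inside_local] = inside_global

    def translate_outbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Packet leaving the 'ip nat outside' interface: rewrite the source."""
        if src_ip in self.static:                      # static NAT: address only
            return (self.static[src_ip], src_port, dst_ip, dst_port)
        key = (proto, src_ip, src_port)
        if key not in self.pat:                        # PAT: new flow, new global port
            self.pat[key] = self.next_port
            self.reverse[(proto, self.next_port)] = (src_ip, src_port)
            self.next_port += 1
        return (self.global_ip, self.pat[key], dst_ip, dst_port)

    def translate_inbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Packet arriving on the outside interface: rewrite the destination or drop."""
        for inside_local, inside_global in self.static.items():
            if dst_ip == inside_global:                # static: inbound-initiated is fine
                return (src_ip, src_port, inside_local, dst_port)
        entry = self.reverse.get((proto, dst_port))
        if dst_ip == self.global_ip and entry:         # PAT: only replies to known flows
            return (src_ip, src_port, entry[0], entry[1])
        return None  # no translation exists: the packet is dropped

    def entries(self):
        """Rows in the style of 'show ip nat translations' used in section 5."""
        rows = [f"--- {il} {ig}" for il, ig in self.static.items()]
        for (proto, ip, port), gport in self.pat.items():
            rows.append(f"{proto} {ip}:{port} {self.global_ip}:{gport}")
        return rows
```

Inbound packets to the PAT address are dropped only because no table entry exists for them, which is why the post describes NAT's address hiding as basic rather than as a firewall.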


6. INTERFACE ROLES (the original commands)

We configured this the first time:

Inside interfaces

interface g0/0
 ip nat inside

Outside interfaces

interface g0/1
 ip nat outside

This is REQUIRED or NAT will not function.


7. Putting It All Together — The Original End-of-Lesson Summary

You memorized this line:

“NAT rewrites addresses. PAT rewrites addresses AND ports.”

And:

“Inbound ACL sees POST-NAT traffic. Outbound ACL sees PRE-NAT traffic.”

These two rules later became the basis of all your Directional ACL + NAT scenarios.
