This topic covers how to configure static NAT using the CLI.
Static NAT Scenario
In this topic, you will learn how to configure and verify static NAT. It includes a Packet Tracer activity to test your skills and knowledge. Static NAT is a one-to-one mapping between an inside address and an outside address. Static NAT allows external devices to initiate connections to internal devices using the statically assigned public address. For instance, an internal web server may be mapped to a specific inside global address so that it is accessible from outside networks.
The figure shows an inside network containing a web server with a private IPv4 address. Router R2 is configured with static NAT to allow devices on the outside network (internet) to access the web server. The client on the outside network accesses the web server using a public IPv4 address. Static NAT translates the public IPv4 address to the private IPv4 address.
Configure Static NAT
There are two basic tasks when configuring static NAT translations:
Step 1. The first task is to create a mapping between the inside local address and the inside global address. For example, the 192.168.10.254 inside local address and the 184.108.40.206 inside global address in the figure are configured as a static NAT translation.
R2(config)# ip nat inside source static 192.168.10.254 220.127.116.11
Step 2. After the mapping is configured, the interfaces participating in the translation are configured as inside or outside relative to NAT. In the example, the R2 Serial 0/1/0 interface is an inside interface and Serial 0/1/1 is an outside interface.
R2(config)# interface serial 0/1/0
R2(config-if)# ip address 192.168.1.2 255.255.255.252
R2(config-if)# ip nat inside
R2(config-if)# exit
R2(config)# interface serial 0/1/1
R2(config-if)# ip address 18.104.22.168 255.255.255.252
R2(config-if)# ip nat outside
With this configuration in place, packets arriving on the inside interface of R2 (Serial 0/1/0) from the configured inside local IPv4 address (192.168.10.254) are translated and then forwarded towards the outside network. Packets arriving on the outside interface of R2 (Serial 0/1/1) that are addressed to the configured inside global IPv4 address (22.214.171.124) are translated to the inside local address (192.168.10.254) and then forwarded to the inside network.
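The two tasks above can be checked offline against a saved configuration. The following Python sketch is an added example, not part of the original course material: it confirms that a static mapping exists, that both an inside and an outside interface are marked, and lists every inside host that the static entries leave reachable from outside. The sample configuration is constructed, with 203.0.113.x documentation addresses standing in for the public side, and the function name and finding labels are hypothetical.

```python
import re

# Constructed sample config. 192.168.10.254 and the interface names come from the
# page; 203.0.113.x are documentation addresses standing in for the public side.
# "ip nat outside" is deliberately missing from Serial0/1/1.
SAMPLE_CONFIG = """\
interface Serial0/1/0
 ip address 192.168.1.2 255.255.255.252
 ip nat inside
!
interface Serial0/1/1
 ip address 203.0.113.1 255.255.255.252
!
ip nat inside source static 192.168.10.254 203.0.113.5
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
STATIC_RE = re.compile(rf"^ip nat inside source static {IP} {IP}$")


def audit_static_nat(config):
    """Check both configuration tasks and list hosts exposed by static NAT."""
    mappings, findings = [], []
    roles = {"inside": [], "outside": []}
    current_if = None
    for raw in config.splitlines():
        line = raw.strip()
        if raw.startswith("interface "):
            current_if = line.split(None, 1)[1]
        elif raw and not raw[0].isspace():
            current_if = None  # a top-level line ends interface sub-mode
        if current_if and line in ("ip nat inside", "ip nat outside"):
            roles[line.split()[-1]].append(current_if)
        match = STATIC_RE.match(line)
        if match and current_if is None:
            mappings.append((match.group(1), match.group(2)))
    if not mappings:
        findings.append(("no-static-mapping", None))
    for role in ("inside", "outside"):
        if mappings and not roles[role]:
            findings.append((f"no-{role}-interface", None))
    for local, global_ in mappings:
        # A static entry is permanent, so this host accepts outside-initiated traffic.
        findings.append(("exposed-host", f"{local} reachable as {global_}"))
    return {"mappings": mappings, "roles": roles, "findings": findings}


if __name__ == "__main__":
    for finding in audit_static_nat(SAMPLE_CONFIG)["findings"]:
        print(finding)
```

Each `exposed-host` finding is a host that should appear in the server inventory and be covered by whatever filtering is applied on the outside interface.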
Analyze Static NAT
Using the previous configuration, the figure illustrates the static NAT translation process between the client and the web server. Usually static translations are used when clients on the outside network (internet) need to reach servers on the inside (internal) network.
1. The client wants to open a connection to the web server. The client sends a packet to the web server using the public IPv4 destination address of 126.96.36.199. This is the inside global address of the web server.
2. The first packet that R2 receives from the client on its NAT outside interface causes R2 to check its NAT table. The destination IPv4 address of 188.8.131.52 is located in the NAT table and is translated to 192.168.10.254.
3. R2 replaces the inside global address of 184.108.40.206 with the inside local address of 192.168.10.254. R2 then forwards the packet towards the web server.
4. The web server receives the packet and responds to the client using the inside local address, 192.168.10.254, as the source address of the response packet.
5. (a) R2 receives the packet from the web server on its NAT inside interface with source address of the inside local address of the web server, 192.168.10.254.
   (b) R2 checks the NAT table for a translation for the inside local address. The address is found in the NAT table. R2 translates the source address 192.168.10.254 to the inside global address of 220.127.116.11 and forwards the packet toward the client.
6. (Not shown) The client receives the packet and continues the conversation. The NAT router performs Steps 2 to 5b for each packet.
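The address replacement in the steps above is a rewrite of the IPv4 header, and the header checksum has to be recomputed after it. The following Python model is an added example, not part of the original course material: it performs the destination rewrite for a packet arriving on the outside interface and the source rewrite for the reply arriving on the inside interface. It assumes constructed addresses 203.0.113.5 (inside global) and 198.51.100.7 (client), and it models only the IPv4 header; TTL handling and the TCP/UDP checksum, which also covers the addresses, are left out.

```python
import socket
import struct

# Static NAT table. 192.168.10.254 is the page's inside local address;
# 203.0.113.5 (inside global) and 198.51.100.7 (client) are constructed values.
STATIC_NAT = {"203.0.113.5": "192.168.10.254"}   # inside global -> inside local
REVERSE = {local: glob for glob, local in STATIC_NAT.items()}


def checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 for a header that is already valid."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_header(src: str, dst: str, payload_len: int = 20) -> bytes:
    """Minimal 20-byte IPv4 header (protocol 6 = TCP) with a valid checksum."""
    raw = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, 6, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return raw[:10] + struct.pack("!H", checksum(raw)) + raw[12:]


def addresses(header: bytes) -> tuple:
    """Return (source, destination) as dotted-quad strings."""
    return socket.inet_ntoa(header[12:16]), socket.inet_ntoa(header[16:20])


def translate(header: bytes, arrived_on: str) -> bytes:
    """Rewrite dst for packets from outside, src for packets from inside."""
    src, dst = addresses(header)
    if arrived_on == "outside" and dst in STATIC_NAT:
        dst = STATIC_NAT[dst]          # Steps 2-3: inside global -> inside local
    elif arrived_on == "inside" and src in REVERSE:
        src = REVERSE[src]             # Step 5b: inside local -> inside global
    else:
        return header                  # no table entry: unchanged in this model
    new = header[:10] + b"\x00\x00" + socket.inet_aton(src) + socket.inet_aton(dst)
    return new[:10] + struct.pack("!H", checksum(new)) + new[12:]


if __name__ == "__main__":
    request = build_header("198.51.100.7", "203.0.113.5")
    print(addresses(request), "->", addresses(translate(request, "outside")))
    reply = build_header("192.168.10.254", "198.51.100.7")
    print(addresses(reply), "->", addresses(translate(reply, "inside")))
```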
Verify Static NAT
To verify NAT operation, issue the show ip nat translations command. This command shows active NAT translations. Because the example is a static NAT configuration, the translation is always present in the NAT table regardless of any active communications.
R2# show ip nat translations
Pro  Inside global      Inside local       Outside local      Outside global
---  18.104.22.168      192.168.10.254     ---                ---
Total number of translations: 1
If the command is issued during an active session, the output also indicates the address of the outside device as shown in the following example.
R2# show ip nat translations
Pro  Inside global      Inside local       Outside local      Outside global
tcp  22.214.171.124     192.168.10.254     126.96.36.199      188.8.131.52
---  184.108.40.206     192.168.10.254     ---                ---
Total number of translations: 2
Another useful command is show ip nat statistics, which displays information about the total number of active translations, NAT configuration parameters, the number of addresses in the pool, and the number of addresses that have been allocated.
To verify that the NAT translation is working, it is best to clear statistics from any past translations using the clear ip nat statistics command before testing.
R2# show ip nat statistics
Total active translations: 1 (1 static, 0 dynamic; 0 extended)
Outside interfaces:
  Serial0/1/1
Inside interfaces:
  Serial0/1/0
Hits: 0  Misses: 0
(output omitted)
After the client establishes a session with the web server, the show ip nat statistics command displays an increase to four hits on the inside (Serial0/1/0) interface. This verifies that the static NAT translation is taking place on R2.
R2# show ip nat statistics
Total active translations: 1 (1 static, 0 dynamic; 0 extended)
Outside interfaces:
  Serial0/1/1
Inside interfaces:
  Serial0/1/0
Hits: 4  Misses: 1
(output omitted)
Packet Tracer – Configure Static NAT
In IPv4 configured networks, clients and servers use private addressing. Before packets with private addressing can cross the internet, they need to be translated to public addressing. Servers that are accessed from outside the organization are usually assigned both a public and a private static IPv4 address. In this activity, you will configure static NAT so that outside devices can access an inside server at its public address.
In this Packet Tracer activity, you will:
- Test Access without NAT
- Configure Static NAT
- Test Access with NAT