Part 21 – How to Use NAT

Introduction

Welcome to Part 21 of the Network Fundamentals study notes! If you haven’t already, we recommend watching the video first.

We use private IP addresses inside our networks, but the internet uses public addresses. NAT — Network Address Translation — is the technology that bridges the two. Without it, your private devices couldn’t reach the internet at all.

What NAT Does

Every IP packet has a source address and a destination address in its header. NAT is the technology that intercepts a packet and rewrites one of those IP addresses with a different one. The packet continues on its way with the new address.

The most common use is translating between private and public IP address spaces. When a private device sends traffic to the internet, the router rewrites the private source IP with a public one. Devices on the internet send responses back to that public IP, and the router translates the destination address back to the private one before delivering the packet. NAT can also rewrite port numbers in TCP/UDP headers — when this happens it’s specifically called PAT (Port Address Translation), though in practice the term NAT is used as an umbrella for both.

Source NAT vs Destination NAT

Source NAT rewrites the source IP address — this is the common type used for internet access. Destination NAT rewrites the destination IP, and is used in more complex scenarios such as when two merged organisations are using overlapping IP ranges. In this video, we focus on source NAT for internet access.

NAT Terminology

Cisco uses specific terms to describe each address in a NAT translation. These can be confusing at first:

  • Inside local – the real IP of a host inside your network (typically a private address)
  • Inside global – what that host’s IP looks like after NAT has been applied (typically a public address)
  • Outside local – the destination IP as seen from inside your network
  • Outside global – the real IP of the destination device on the outside

For a standard internet access scenario, the outside local and outside global are usually the same — destination NAT isn’t involved. The key pair to remember is inside local (private) and inside global (public).

On the router, you also define which interfaces face the inside of your network and which face the outside, using ip nat inside and ip nat outside under each interface.

Static NAT (One-to-One)

A static NAT permanently maps one private IP to one public IP. The mapping never changes. This is used when you have a server that needs to be accessible from the internet — for example, a web server in your DMZ.

ip nat inside source static <inside-local-ip> <inside-global-ip>

Static NAT is bidirectional — traffic can be initiated from either the inside (your server reaching out) or the outside (internet users accessing your server). The downside is that you need one public IP address per static NAT rule, which is expensive when public IPs are scarce.

Dynamic NAT

Dynamic NAT uses a pool of public IP addresses and assigns one to each inside host as needed. When a host no longer needs internet access, its public IP goes back to the pool for another host to use.

Configuration requires three components:

  1. An ACL to identify which traffic should be translated (the “interesting traffic”)
  2. A NAT pool defining the range of public IP addresses available
  3. A NAT rule tying them together

ip nat pool PUBLIC-POOL 203.0.113.100 203.0.113.110 netmask 255.255.255.0

ip access-list extended WORKSTATIONS
 permit ip 192.168.0.0 0.0.0.255 any

ip nat inside source list WORKSTATIONS pool PUBLIC-POOL

Note that while an ACL is also used in packet filtering, here its purpose is purely to identify traffic — the permit/deny actions don’t block anything, they just flag which packets should have NAT applied.

Port Forwarding (PAT)

Port forwarding lets you expose a specific service port on an inside server, without translating the entire IP address. For example, you might want to allow HTTP traffic to your web server, but nothing else:

ip nat inside source static tcp <server-local-ip> 80 <public-ip> 80

This creates a translation that only works for TCP port 80. Any other port — say, port 443 — would be blocked because there’s no matching NAT rule for it. You can also translate to a different port number (e.g. external port 80 → internal port 8080) if needed.

Port Overloading (Many-to-One NAT)

Port overloading — also called masquerading or many-to-one NAT — is probably the most widely used form of NAT. This is what most home routers do. It allows many private devices to share a single public IP address by using different port numbers to track each connection.

When a device sends a packet, the router rewrites both the source IP (to the public IP) and the source port (to a unique port from its pool). With around 64,000 TCP ports and 64,000 UDP ports available per IP address, a large number of devices can share one public IP simultaneously.

ip nat pool SINGLE-IP 203.0.113.100 203.0.113.100 netmask 255.255.255.0
ip nat inside source list WORKSTATIONS pool SINGLE-IP overload

The key difference from static NAT is that port overloading is unidirectional — connections must be initiated from the inside. The router builds its port-to-IP mapping table dynamically as connections are made. Someone on the internet can’t initiate a connection to a workstation using port overloading, because there’s no pre-existing translation entry for inbound traffic to find.

Verification

  • show ip nat translations – lists all active translation entries, showing inside local and inside global addresses and ports
  • show ip nat statistics – shows which interfaces are inside/outside, pool usage, and hit/miss counters. A hit means the router found an existing translation for a packet. A miss means it had to create a new translation — this is normal and not an error.
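Port overloading as described above, together with the hit/miss counters reported by show ip nat statistics, modelled as an added example that is not from the notes or from Cisco IOS: outbound packets get the shared public IP plus a unique port, replies are mapped back by that port, and inbound packets with no matching entry are dropped. All addresses and port numbers are constructed sample values.

```python
# Added example (not from the notes): a minimal model of port overloading (PAT).
from collections import namedtuple
from dataclasses import dataclass, field

# Header fields NAT/PAT cares about; constructed sample addresses throughout.
Packet = namedtuple("Packet", "proto src_ip src_port dst_ip dst_port")
PUBLIC_IP = "203.0.113.100"  # the single inside global address being shared

@dataclass
class PatRouter:
    public_ip: str
    next_port: int = 1024                         # next free port in the translation pool
    table: dict = field(default_factory=dict)     # (proto, inside local ip, port) -> global port
    reverse: dict = field(default_factory=dict)   # (proto, global port) -> (inside local ip, port)
    hits: int = 0                                 # packet matched an existing translation
    misses: int = 0                               # a new translation had to be created (normal)

    def outbound(self, pkt):
        """Inside -> outside: rewrite source IP and source port, creating an entry on a miss."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        if key in self.table:
            self.hits += 1
        else:
            self.misses += 1
            self.table[key] = self.next_port
            self.reverse[(pkt.proto, self.next_port)] = (pkt.src_ip, pkt.src_port)
            self.next_port += 1
        return pkt._replace(src_ip=self.public_ip, src_port=self.table[key])

    def inbound(self, pkt):
        """Outside -> inside: only traffic matching an existing entry is translated back."""
        entry = self.reverse.get((pkt.proto, pkt.dst_port))
        if pkt.dst_ip != self.public_ip or entry is None:
            return None                           # no entry: unsolicited inbound traffic is dropped
        self.hits += 1
        return pkt._replace(dst_ip=entry[0], dst_port=entry[1])

def demo():
    r = PatRouter(PUBLIC_IP)
    p1 = Packet("tcp", "192.168.0.10", 50000, "198.51.100.5", 443)
    p2 = Packet("tcp", "192.168.0.11", 50000, "198.51.100.5", 443)  # same local port, other host
    a = r.outbound(p1)
    b = r.outbound(p2)
    r.outbound(p1)                                # next packet of the same flow: a hit
    reply = r.inbound(Packet("tcp", "198.51.100.5", 443, PUBLIC_IP, a.src_port))
    unsolicited = r.inbound(Packet("tcp", "198.51.100.9", 12345, PUBLIC_IP, 2000))
    return a, b, reply, unsolicited, r
```

Two hosts using the same local source port still get distinct global ports, which is what lets one public address carry both flows.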

Resources

Test your knowledge with the Introduction to Networking quizzes.