Cisco CCNA ICND2 640-816

NAT: Understanding the Three Styles of NAT

by Jeremy Cioara

00:00:01 - Oh, it is a rainy day out here in Phoenix, Arizona. I know that may
00:00:06 - not sound like that big of a deal, but it is for us. We, we get
00:00:10 - rain so rarely. The last I actually heard on the news. The
00:00:14 - last time we got rain was eight months ago, and it was just a drizzle, so
00:00:18 - whenever it rains here, you know, all the children run out and look at the sky
00:00:21 - and they, oh, water from the sky, you know, and where it's
00:00:25 - it's amazing, and I love the rain. Rain is a novelty here and
00:00:29 - but I don't know how I could live in, in a place where there's
00:00:32 - a lot of rain, because every time, I'm looking out the window right
00:00:35 - now, cloudy skies, I just, I, I've got my cup of hot cocoa right here.
00:00:41 - I just wanna,
00:00:42 - I don't know, curl up and talk about NAT. That's, that's what
00:00:46 - we're gonna do. We're gonna look at Network Address Translation,
00:00:50 - because this is a big
00:00:53 - function of just about every network that's in existence today.
00:00:58 - Network Address Translation allows you to translate your corporate
00:01:01 - private addresses into the public addresses that work on
00:01:04 - the internet. At least that's the most common use. So we're gonna
00:01:06 - look, in this introductory video, at the three major forms of
00:01:10 - NAT, Dynamic NAT, NAT Overload and Static NAT. Once we wrap
00:01:15 - up here, in the next video, we'll talk about how to set them
00:01:18 - all up.
00:01:19 - Now NAT was a topic that we discussed in the ICND one series,
00:01:23 - but the primary use that we talked about in there, was just
00:01:27 - overloading an external IP address, so multiple internal
00:01:31 - clients can access the internet, and while that is the most
00:01:34 - common use of NAT, there's many more things you can use it
00:01:38 - for. The first one is Dynamic NAT. Now this is a typical picture
00:01:44 - of using Dynamic NAT to translate inside addresses to outside
00:01:48 - addresses as you access the internet. Now it sounds just like
00:01:51 - what I described, but you'll notice that it is a one to one
00:01:54 - translation. As these clients go out from the internal network,
00:01:59 - they are assigned a public address, and it will stay there for
00:02:02 - as long as that session remains. So if it's a TCP session,
00:02:06 - there's a certain time out. Once it ends, that public address goes
00:02:09 - back into the pool. Now, likewise with Dynamic NAT, you can have
00:02:13 - it translate the other way. I can go from outside to inside, and
00:02:16 - it can rotate around. Now you might be thinking, well where would that
00:02:20 - be used. I'll tell you the most common place where you see Dynamic
00:02:24 - NAT used, is to solve problems with addressing.
00:02:29 - The problem that I'm mainly talking about, is overlapping addresses.
00:02:32 - Let's say, you've got, I'll try and squeeze it in over here. Oh, hang on,
00:02:40 - let me do a quick little shindig. Let's say you've got an organization
00:02:45 - over here that has a router, and organization A acquires organization
00:02:51 - B, over here on the right hand side. Now
00:02:55 - they did not plan in, in their acquisition system, that they
00:03:01 - would have overlapping addresses, and maybe the A organization
00:03:04 - decided to use the ten range, all ten addresses over here, and
00:03:08 - the B organization also used ten addresses. Well you can't have that,
00:03:12 - because that's gonna be duplication. What you can do with
00:03:15 - Dynamic NAT, is set up a pool, meaning, when organization, organization
00:03:20 - A accesses organization B, it will look as though they're
00:03:25 - coming from, we'll say, 172.16. something,
00:03:29 - and when organization B accesses organization A, it
00:03:34 - will look like they're coming from 172.17. something.
00:03:36 - That's one form of Dynamic NAT that's able
00:03:40 - to handle
00:03:42 - dynamic translations for overlapping networks. So, while
00:03:47 - both of these people are using ten networks, as they access
00:03:51 - each other, they'll become different addresses, so the devices
00:03:54 - will think, oh, well there's no problem. Now
00:03:58 - I know this may just seem illogical, because if I were an organization
00:04:02 - B and maybe I pinged an address,
00:04:06 - that also existed in organization A, well
00:04:10 - how does the router know which
00:04:14 - you're talking about, since we have overlapping addresses.
00:04:18 - Well, Dynamic NAT, when you're using it in this system, does not
00:04:22 - work with
00:04:25 - IP addresses. Let me explain. If you have to have overlapping
00:04:30 - addresses, which some organizations do for a time, it requires
00:04:34 - the use of a DNS server, and let's say organization B, you know, we're
00:04:39 - IT people, we usually think in terms of addresses, but
00:04:42 - normal people think in terms of names, DNS names, and let's
00:04:46 - say organization B accesses a server in organization A, that
00:04:50 - is, we'll, we'll call it, CORPSRV,
00:04:56 - and CORPSRV is the one that is mapped to that
00:04:58 - Well, as soon as the request goes out
00:05:02 - for CORPSRV, that will be passed to a DNS server
00:05:06 - through the router. Now as the DNS server replies, the router
00:05:10 - realizes, whoa, that's an address over here on the other side,
00:05:14 - meaning, that's something from organization A they're trying
00:05:17 - to access. So as the DNS reply comes back, the router will
00:05:22 - rewrite the address to be 172.17. something,
00:05:25 - and dynamically map. How, how are you even understanding
00:05:29 - any of this scribble I have on here? It will dynamically map it to something
00:05:33 - over there in organization A. So the point, let me draw it simpler down
00:05:37 - here, is you can have DNS here returning responses to names
00:05:42 - as it comes through the router. The router will hide what
00:05:45 - real address it is in organization A, and make it 172.17 or
00:05:49 - 16. something, or whatever organization A
00:05:52 - was using, so that when this pc gets it, it goes, oh, well I'll send it
00:05:56 - that to my default gateway. It's the gateway NAT, Dynamic
00:06:00 - NAT translates it over to the real address
00:06:04 - of the corporate server in organization A.
00:06:08 - So you can see Dynamic NAT. What it does, is just do one
00:06:11 - to one address translations. In its simplest form, I can define
00:06:15 - a pool of addresses on one side, and a pool on the other side,
00:06:18 - and that pool goes to that pool and vice versa, but you can also
00:06:22 - use it for some pretty complex stuff like,
00:06:25 - overlapping addresses, and that is the most common use of dynamic
00:06:30 - NAT. Now with that being said, Dynamic NAT is the least common
00:06:35 - form used.
00:06:37 - The most common form of NAT that's used, is called NAT Overload,
00:06:40 - and this is where multiple devices share a single address. Now
00:06:45 - this is the form of NAT that allowed us to overcome the IP
00:06:48 - address shortage on the internet, by using that sharing system.
00:06:52 - Here's the way it works. We will have a router that's connected
00:06:55 - to the internet, and we'll say our corporate network behind here
00:06:58 - is using 192.168.1 addresses,
00:07:01 - so we'll say,
00:07:06 - exists on this network. Now as these clients
00:07:10 - will say, we've got 50 and 51. As these clients go
00:07:14 - out and access the internet, they will share the same public
00:07:18 - address, and the response will come back to that public address
00:07:21 - and forward it to these internal clients. Now this is possible, because
00:07:26 - NAT Overload uses port numbers. That's why you see my
00:07:31 - little note on the bottom. This form of NAT is commonly called
00:07:34 - PAT or Port Address Translation. Now, the rumor goes, that
00:07:39 - Microsoft actually came up with that term, but NAT Overload
00:07:43 - is the technically accurate term to describe this. So the way
00:07:47 - it works is, when you open a web browser or any, I'll say any
00:07:52 - network application on your pc, we'll just say a web browser,
00:07:55 - and go to,
00:08:01 - the operating system dynamically generates a source port
00:08:05 - number. We'll say 1536, in this case. Now that source port
00:08:10 - number is, when traffic comes back to that client, it will
00:08:14 - be sent to that port number, so it knows to put it in the right
00:08:17 - Internet Explorer window. I mean, think about this, look at
00:08:19 - your computer right now. You probably have this video open, along
00:08:23 - with many other applications. For example, if you're using a Windows
00:08:27 - Vista, in my opinion the ultimate waste of time operating system,
00:08:32 - and, and I say that not as a slam against Vista, but there's so many
00:08:35 - gadgets in there that just waste time, and you, you look at your
00:08:39 - little gadget bar on the right hand side, and it's got news
00:08:42 - headlines that are constantly being streamed in, stock quotes.
00:08:46 - You've got pictures from the internet, all kinds of stuff that's
00:08:49 - just constantly coming in. Well, Vista, or whatever operating system
00:08:53 - you're using, has to have a way to separate all that, so it knows
00:08:57 - oh, this data coming in on my network card goes to the stock
00:09:01 - quote portion. This one goes to the web browser window. This
00:09:03 - one is streaming radio that you're, you're listening to on the internet,
00:09:07 - hopefully not while I'm talking, but, well, take, take an example. If you're
00:09:11 - using a streaming subscription to CBT Nuggets, right now, my voice,
00:09:15 - the words that are coming out of my mouth, are streaming to
00:09:18 - you into a specific port number on your pc, and that's how it
00:09:23 - knows what application to send it to, which is playing it out the
00:09:26 - speakers. Wow. That's deep. So anyway, you open a web browser and
00:09:32 - that operating system generates just port number 1536.
00:09:35 - It could be any port number
00:09:38 - that's out of the, well, what's considered the well known port
00:09:41 - number range. It's gonna go to the destination of,
00:09:46 - on port destination port 80, and that's
00:09:50 - how this Cisco web server knows you're needing to be sent to
00:09:54 - the web server application. You're not sending email or anything
00:09:57 - like that. You're looking for a web page. Well, as it goes through
00:10:01 - the router, as this arrow in the middle happens, the NAT Overload process
00:10:06 - sees that request and says, okay, you came in on
00:10:10 - so, I will
00:10:13 - send you out on
00:10:17 - as the source port number, and that's when Cisco
00:10:21 - replies back. It will be replying to the destination port 1536
00:10:24 - and that public IP address, and when your router gets it,
00:10:28 - looks at this table. This is known as a NAT translation
00:10:31 - table. We'll see it when we look at the configuration, and it looks
00:10:35 - at this table and goes, oh, 1536, right, that's mapped
00:10:38 - over here to,
00:10:41 - and poof, you get the web page back. Now that could be happening
00:10:46 - at exactly the same time as this pc. Let's just say, for sake
00:10:52 - of argument, that this pc, at exactly the same time, the
00:10:56 - exact, we'll say, second, open a web browser window, and its operating
00:11:01 - system generated 6751, and that, at, at the same
00:11:06 - time, you know, Cisco's a popular place to go. They went
00:11:09 - to as well, at exactly the same time. Well that's
00:11:11 - okay, because they both have different source port numbers, so
00:11:15 - even though two identical requests, saying Cisco, send me your home
00:11:20 - page, is coming into the Cisco web server at the same time, it
00:11:23 - sees them as different, because they're coming from different
00:11:27 - source port numbers, and when it sends information back, the
00:11:31 - router has no problem handling that, because it says, oh, well you're
00:11:34 - coming to one port number and you're going to another. So I,
00:11:37 - I have in my table what host to send you to.
00:11:41 - Now let's talk about an exception. You might know, that there are
00:11:46 - 0-65,535
00:11:51 - different port numbers that are available for TCP and UDP.
00:11:55 - Now, as applications are running on a busy network, I mean, you might
00:11:58 - have a computer that has 50 different network applications
00:12:01 - open at a time, using up 50 different port numbers. Now you
00:12:05 - might think, as you start pondering, things that could happen.
00:12:08 - What if two devices happen to generate the same source port number
00:12:15 - at the same time? What then? I mean, what, how would it handle that?
00:12:20 - And when both of those requests came to the router, and
00:12:24 - they were both using, we'll say source port 6751.
00:12:28 - The router's prepared for that, because that's actually a
00:12:32 - very common
00:12:34 - circumstance, because with a busy network and lots of applications,
00:12:38 - you can get into thousands of port numbers in a new set of
00:12:40 - time, so the chance is multiple computers will use the same one. The router
00:12:44 - has no problem handling that. Whichever one gets there first,
00:12:48 - and there will be a first, you know, because the router can only
00:12:50 - receive one packet at a time, so one will be one millisecond
00:12:53 - behind the other. Whichever one gets there first, will get the
00:12:57 - 6751 and go out as that. Now once the other
00:13:01 - one, we'll say
00:13:04 - comes in with the source of 6751. As that
00:13:08 - comes in, the router looks and goes, oh, sorry man, 6751 is
00:13:13 - in use. I'll just give you the next free port, so what we'll map
00:13:18 -
00:13:22 - to, we'll say 6751
00:13:26 - 6752.
00:13:28 - It seems too simple, right? That, but that's all it does, it
00:13:31 - just takes the next available port number, and now, when the, the
00:13:34 - communication comes back to 6752, it looks and
00:13:38 - says, oh, well I'll translate that port. Now you
00:13:42 - see why we call it PAT, port address translation. I'll translate
00:13:46 - that port back to the original that was sent from the client
00:13:49 - 6751.
00:13:51 - Finally, the last form of NAT is known as Static NAT. This
00:13:57 - form is typically used for hosting servers inside of your network.
00:14:01 - For example, we have private addresses here, 192.168.50 and 51,
00:14:05 - and so on. Those private addresses,
00:14:08 - since they are private, are not accessible from the internet.
00:14:12 - That's the whole definition of private, is that it is unroutable
00:14:15 - by internet routers, so we have to use Static NAT to map public
00:14:21 - IP addresses here to private ones, so when somebody wants to
00:14:24 - access, maybe we have an internal web server. Maybe that's this
00:14:27 - guy running out our company. We can forward that request
00:14:31 - into the internal web server, and allow people to access it.
00:14:34 - That's known as a Static NAT mapping. So here's the idea.
00:14:39 - Static NAT is usually combined with NAT Overload. NAT Overload
00:14:44 - to provide outbound access so normal people can just surf the
00:14:47 - net and whatever else they need internet access for, and Static
00:14:51 - NAT for the internal. So what I did was show you the NAT
00:14:54 - table right here, and you can see this top IP address is still doing
00:14:58 - some form of NAT Overload. You can see source port number is
00:15:01 - going through and being translated, and the bottom one has a
00:15:04 - little Static entry here saying, I have statically mapped
00:15:08 - to
00:15:12 -
00:15:14 - Now, the Static NAT translations are usually done two ways. I should
00:15:19 - say, always done two ways, meaning, if I statically NAT
00:15:23 - to this public address, every
00:15:26 - time that server goes out and accesses the internet, the internet
00:15:30 - will see it as this public address. It doesn't get thrown in
00:15:34 - the NAT overload pool like the rest of these devices out here,
00:15:38 - and any time someone on the internet accesses that public
00:15:40 - address, it will be forwarded down here
00:15:44 - to this pc. It's two ways, inbound and outbound.
00:15:49 - Now keep in mind, whenever we do Static NATs, or I should say
00:15:53 - any form of NAT, we do not have to have those IP addresses
00:15:58 - assigned to this interface of the router. It seems kind of strange,
00:16:03 - but this, this interface, you know, we'll, we'll call it, this is
00:16:06 - just say it's FastEthernet 0,
00:16:09 - it might be assigned the address. Now
00:16:12 - I can say I might want to use that address for NAT Overload,
00:16:15 - and so everybody pretends they are the router as they go out,
00:16:18 - but
00:16:22 - is not assigned anywhere. It's not the address on this, this
00:16:25 - interface right here, yet we haven't assigned it to a loopback interface
00:16:29 - or some mystery interface. It's just part of the NAT process.
00:16:34 - So when somebody accesses, our ISP knows
00:16:39 - to route that packet to our router, who, whenever they see that,
00:16:43 - looks at it and says, oh, I have a NAT mapping for you. You may not
00:16:46 - be assigned to my interface, but I have a NAT mapping saying
00:16:49 - that you should become 1.51. Now,
00:16:52 - Static NAT, as I'll show you as we get into the configuration,
00:16:56 - can get far more granular than doing a full one to one IP
00:17:01 - address translation, meaning, right here, I said that I had a
00:17:04 - web server at, and I
00:17:08 - mapped this full address to that pc,
00:17:12 - but maybe, let's expand our diagram here, maybe in my
00:17:16 - company, I also happen to have an email server which is
00:17:20 - that, that I would
00:17:24 - like to allow access to as well, so I can receive emails from
00:17:28 - the outside world. Well, unfortunately, you know, the, the company
00:17:33 - that I'm with, my ISP, only gave me two public addresses. Now
00:17:37 - what do I do?
00:17:38 - Well, Static NAT can be combined with port numbers. So what
00:17:43 - I can do, is I can say on
00:17:47 - TCP port 80.
00:17:50 - We'll forward packets into the web server on port 80, but
00:17:56 - if I receive a request on
00:17:59 - port 25,
00:18:04 - I will forward that to
00:18:08 - on TCP port 25. So we can actually split
00:18:13 - a public address among multiple internal servers, and you can
00:18:16 - actually chop this thing up with as, as many servers as you like
00:18:20 - as long as you have port numbers. Now, for example, if I had another
00:18:24 - web server inside of here, maybe I had two web servers. I mean, port
00:18:27 - 80 is already used up, so I can't somehow magically translate
00:18:33 - some second port 80 into that, because we've used that port
00:18:36 - on that public address, but this feature is really cool, because
00:18:40 - it lets you use every public address to the max, meaning, instead
00:18:44 - of assigning a full IP address to a web server when it only
00:18:47 - needs port 80, we can chop it up and do as many servers as we want,
00:18:51 - as long as we have unique port numbers,
00:18:54 - and those are the three forms of NAT that we will be configuring
00:18:58 - in the upcoming video on configuring NAT. That will also be
00:19:02 - one big difference between ICND 1 and ICND 2. See, back in ICND 1
00:19:06 - we used the SDM, Security Device Manager,
00:19:10 - the graphic interface to set up NAT. In this, the CCNA and
00:19:15 - ICND 2, we will be using the command line, which is
00:19:19 - far more powerful than what the graphic interface can do. So
00:19:24 - we saw dynamic NAT, and what Dynamic NAT is used for, is
00:19:27 - to convert one pool of addresses to another, so I can say all
00:19:32 - of these private addresses translate over to these public addresses,
00:19:36 - or I can use that for overlapping addresses, so I can overcome
00:19:41 - that issue in an organization. We saw NAT Overload, which
00:19:46 - is allowing you to overload one public address for many internal
00:19:50 - private addresses, and finally we saw Static NAT, which is used
00:19:54 - to allow you to host internal servers. I hope this has been informative
00:19:58 - for you, and I'd like to thank you for viewing.
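As an added illustration (not part of the video and not Cisco IOS code), here is a small Python model of the NAT Overload translation table the video walks through: it keeps a client's own source port when it is free, hands out the next free port on a collision (the 6751 to 6752 case), reverses the lookup for replies, returns the port to the pool when a session ends, and adds the per-port Static NAT entries (TCP 80 to the web server, TCP 25 to the mail server) on the same public address. The class and method names are invented, and the public address 203.0.113.10, the web/mail server addresses and the port numbers not in the transcript are constructed sample values.

```python
# Added example: a minimal model of NAT Overload (PAT) plus static
# port forwarding, as described in the video. Not Cisco IOS code;
# names are invented and addresses are constructed sample values.

class PatRouter:
    def __init__(self, public_ip):
        self.public_ip = public_ip
        # NAT translation table: public port -> (inside IP, inside port)
        self.table = {}
        # Static NAT entries: public port -> (inside IP, inside port)
        self.statics = {}

    def add_static(self, public_port, inside_ip, inside_port):
        """Static NAT on a single port, e.g. public :80 -> web server :80."""
        self.statics[public_port] = (inside_ip, inside_port)

    def _in_use(self, port):
        return port in self.table or port in self.statics

    def outbound(self, inside_ip, inside_port):
        """Translate an inside -> internet packet; returns (public IP, public port).

        The router keeps the client's own source port when it is free. If another
        host already holds that port (or a static entry reserves it), the client
        gets the next free port, as in the 6751 -> 6752 case in the video.
        """
        # An existing session keeps its mapping for as long as it lasts.
        for public_port, inside in self.table.items():
            if inside == (inside_ip, inside_port):
                return self.public_ip, public_port
        public_port = inside_port
        while self._in_use(public_port):
            public_port += 1
            if public_port > 65535:
                raise RuntimeError("no free public ports left")
        self.table[public_port] = (inside_ip, inside_port)
        return self.public_ip, public_port

    def inbound(self, public_port):
        """Reverse lookup for a packet arriving at the public address.

        Returns (inside IP, inside port), or None when there is neither a
        dynamic entry nor a static mapping, in which case the packet is dropped.
        """
        if public_port in self.table:
            return self.table[public_port]
        return self.statics.get(public_port)

    def end_session(self, public_port):
        """Session timed out or closed: the public port goes back into the pool."""
        self.table.pop(public_port, None)


def demo():
    """Walk through the transcript's scenario; returns the results as a dict."""
    r = PatRouter("203.0.113.10")            # constructed public address
    r.add_static(80, "192.168.1.50", 80)     # web server behind the shared address
    r.add_static(25, "192.168.1.60", 25)     # mail server on the same public address
    out = {
        "first": r.outbound("192.168.1.51", 6751),   # arrives first, keeps 6751
        "second": r.outbound("192.168.1.52", 6751),  # collision, gets 6752
        "reply_to_6752": r.inbound(6752),            # translated back to .52:6751
        "web_request": r.inbound(80),                # static entry -> web server
        "mail_request": r.inbound(25),               # static entry -> mail server
        "unsolicited": r.inbound(9999),              # no mapping -> dropped
    }
    r.end_session(6751)                              # first session times out
    out["after_timeout"] = r.outbound("192.168.1.53", 6751)  # 6751 is free again
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```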

Jeremy Cioara

CBT Nuggets Trainer

Cisco CCNA, CCDA, CCNA Security, CCNA Voice, CCNP, CCSP, CCVP, CCDP, CCIE R&S; Amazon Web Services CSA; Microsoft MCP, MCSE, Novell CNA, CNE; CompTIA A+, Network+, iNet+

Area Of Expertise:
Cisco network administration and development. Author or coauthor of numerous books, including: CCNA Voice 640-461 Official Cert Guide; CCNA Voice Official Exam Certification Guide (640-460 IIUC); CCENT Exam Prep (Exam 640-822); CCNA Exam Cram (Exam 640-802) 3rd Edition; and CCNA Voice 640-461 Official Cert Guide.
