Cisco CCNA ICND2 640-816

NAT: Command-line NAT Configuration

by Jeremy Cioara

00:00:00 - Now that we understand the concepts, we turn our attention to
00:00:03 - the NAT command line configuration. In ICND1, we configured
00:00:09 - NAT through the SDM, the GUI, and that was as simple as next
00:00:13 - next finish, and we were essentially done. Now we're gonna
00:00:17 - do it from the command line where we have complete control
00:00:20 - over exactly how NAT is going to operate. Of course, with
00:00:23 - control comes complexity, so we'll start off with the most common
00:00:27 - form of NAT, which is configuring NAT overload. Once we're done with
00:00:31 - that, we should have clients in our network that are able to access
00:00:34 - the Internet. From there we'll be able to configure static NAT,
00:00:38 - which will be used to host some internal servers on our
00:00:41 - network from the outside world. Last but not least, we have
00:00:46 - configuring dynamic NAT with overload. This is something you would
00:00:50 - do in a larger network to allow multiple internal clients to
00:00:54 - translate out to the Internet to a pool of addresses that can
00:00:58 - be overloaded themselves. Meaning, once you tap all the port numbers
00:01:02 - that are available on one IP address, it can move over to a
00:01:05 - second one.
00:01:07 - As we do our configuration, most of our focus will be on router
00:01:11 - one, because that's where all the action's happening, and this is
00:01:14 - the router that's doing NAT. Now I want to go in and just test a
00:01:17 - few things and do some proofs to make sure that our Internet
00:01:21 - routing is working okay, and our, our normal routing is working
00:01:24 - okay. I'm gonna go to router one, and what I'm going to do, is on router
00:01:28 - one I'm gonna ping the ISP, to make sure I'm getting there and make
00:01:31 - sure I'm getting out to the Internet. So on router one I'll just
00:01:34 - do a show ip interface brief. There's my public IP address. I'm gonna
00:01:37 - ping 171.97, which is my ISP, and sure
00:01:46 - enough, it's working. Now I'm getting some pretty slow response times
00:01:49 - because I have a massive file upload going on in the background.
00:01:52 - So we're not really concerned about performance right now, I just want
00:01:54 - to make sure I'm connected. Now let me ping my, my favorite IP address
00:01:58 - in all the world., that is a public
00:02:01 - DNS server out on the Internet, and I can verify my routing table,
00:02:05 - I have a default route, it is going to my ISP. Obviously that
00:02:10 - default route is working right now, because I'm able to get to that
00:02:13 - DNS server. By the way, here's a tip of the day for you. If you ever want your
00:02:17 - router to use a, a name server, you can type in ip name-server
00:02:20 -, and then I'll type in ip
00:02:24 - domain-lookup, which turns on name lookup, and then you can
00:02:28 - actually ping things like See that?
00:02:32 - Says translating, it went to the DNS server and there's
00:02:35 - Google's IP address. If you don't give it a DNS server, it won't be
00:02:38 - able to resolve those names to IP addresses. So, you'll always
00:02:42 - have to ping by IP address. So that's pretty cool. All right, so we've got,
00:02:46 - we know we're connected to the Internet, we know that our router
00:02:49 - one can even get to Google, for crying out loud. So let's now
00:02:53 - do some other tests. I want to make sure that router one can get
00:02:56 - to router two, and, and specifically, I'm going to be working on this host
00:03:00 - down here. I have a connection to him in the CISCO lab, so he
00:03:05 - is going to be our Internet host. So let's, let's make sure
00:03:08 - that we can ping that host. I'm gonna go to,
00:03:11 - and what that's gonna do is come
00:03:14 - into router one on fast ethernet zero, flip back around on a router
00:03:18 - on a stick out fast ethernet 0.10 into the switch
00:03:22 - and hit this host. So let's even go one step further, I'll do traceroute
00:03:27 - one and seven, or,
00:03:30 - that was the IP address, right? All right. Good, and it, sure
00:03:36 - enough, there we go. It went through router two and then hit
00:03:40 - that host 10.50. So I'm at, I am able to ping that host. Now I happen
00:03:44 - to have a remote desktop connection to that host right here.
00:03:48 - Let me bring it in the picture.
00:03:51 - Actually, I may just kinda shrink things down. Get my QuickTime player
00:03:55 - out of there, and I'm going to do an ipconfig,
00:03:57 - and there, yup, this is the host 10.50. I'm gonna make sure
00:04:00 - that I can ping It's
00:04:04 - good, and let's, let's even do a traceroute to,
00:04:08 - which is my Internet router, router one,
00:04:14 - and just verify ah, gotta love it.
00:04:16 - I'm gonna do traceroute -d. Windows always tries to look
00:04:21 - up names, which makes it hang there forever. So, in what I
00:04:25 - mean by names, it's trying to figure out what domain name 1.1
00:04:28 - really has, which it has none, so it hangs there for a long time. So
00:04:31 - -d ignores that, and you can see it went through router
00:04:35 - two, 10.1,
00:04:37 - and then reached router one. So I am getting to router one, so
00:04:42 - let's go ahead and do a trace. Let's, let's see if this host can
00:04:46 - get to our same DNS server, hang on,
00:04:51 - -d. All right. It went through 10.1, went to 1.1 and I'm
00:04:58 - dying. Asterisk, asterisk, asterisk, it's just gonna keep on asterisking,
00:05:04 - meaning, as soon as it got to 1.1, it died. Now if I
00:05:09 - were to actually pull out a packet sniffer right now, I would
00:05:12 - see these packets coming from this host, they'd, they'd be coming up through
00:05:17 - router two, going out, back up through router one, and they'd be actually
00:05:22 - getting sent out to the ISP, but remember, it's going
00:05:26 - out without NAT right now. The ISP is getting a private address, and it's
00:05:30 - saying you are denied; you are not allowed to come into the
00:05:34 - Internet, because all ISP's block private addresses. So what
00:05:38 - I have to do is I have to NAT my private address to a public
00:05:42 - address, so that it is able to go through and look as though
00:05:46 - it's coming from 171.98. Now that goes
00:05:50 - back to all the NAT concepts we talked about in the previous video.
00:05:54 - So we can see our, our request is getting nowhere, so I'm just gonna cancel
00:05:58 - that guy and shoot back up over here. Let's go to router
00:06:01 - one and implement NAT. You can see my steps to configure NAT
00:06:06 - overload. That will be the first one that we implement.
00:06:10 - A flyby review. NAT overload is the one that allows many
00:06:14 - internal hosts to share the same public IP addresses by using
00:06:18 - port numbers to distinguish between all of them, and we'll
00:06:20 - see that happen before our very eyes, with, with our client
00:06:24 - in VLAN 10 down here. So here's our steps. Number one,
00:06:28 - label the interfaces. We need to identify which interfaces represent
00:06:32 - the inside network and which one represents the outside. Second,
00:06:36 - we need to tell router one what is the valid internal
00:06:40 - IP addresses to be translated. We do that by using an access
00:06:45 - list, and this is why this video is after we talked about access
00:06:48 - lists, I'll show you that in a moment. Finally we turn on NAT overload.
00:06:52 - So here's what I'm gonna do. I'm gonna go step by step. Number one, label
00:06:56 - the interfaces. On router one, this is actually the easiest step. I'm gonna look at
00:07:00 - my interfaces. I see Ethernet 0/0 and 0/1. 0/0
00:07:05 - connects to the inside of my network, so I need to go under
00:07:08 - that interface, and type in the command, ip nat inside. That
00:07:13 - tells the router, that is my inside interface. I'll go under
00:07:16 - interface ethernet 0/1, which connects the outside of the
00:07:19 - network, and you probably are thinking what I'm thinking, ip nat
00:07:23 - outside.
00:07:25 - That connects to the outside of the network. That's it. That's
00:07:29 - step one, we've labeled the interfaces. Second step, identify internal
00:07:34 - IP addresses to be translated. Meaning, I need to tell my router
00:07:38 - one which IP addresses should be translated, and even what IP address shouldn't
00:07:43 - be translated. Maybe I don't want Internet access for these
00:07:46 - guys. Well, I could prevent them with an access list from getting
00:07:49 - out there, or I could just deny them from getting NATed out
00:07:53 - to the Internet. I do this by using an access list,
00:07:58 - and I'm going to use a named access list. It is much easier
00:08:04 - for me to identify. I'm gonna type in ip access-list,
00:08:09 - and it says, what kind of access list? Well, I would like a standard
00:08:12 - remember, a standard access list only allows you to permit or
00:08:16 - deny based on source addresses. Now, we've been thinking about
00:08:20 - access lists up till now as permitting or denying access, like
00:08:25 - you are denied from going through this router completely, but
00:08:28 - in this case, we're gonna set up this access list to permit
00:08:31 - or deny people to be NATed. So, here's what we'll do. We'll
00:08:36 - go ahead and say, access-list standard, and we'll name it, you can
00:08:39 - see word, what name would you like? The word will be
00:08:44 - NAT_ADDRESSES.
00:08:48 - I always type my names in all capitals so I can identify them when running config
00:08:51 - pretty easily. Now underneath here I'm gonna do my permit and deny
00:08:55 - statements. I'm gonna say, permit, you know what, just, just for this example,
00:08:59 - I'm gonna permit everybody to be NATed.
00:09:03 - Know what? Except, just for fun of it, I'm, just like I had my arrow
00:09:09 - pointed over here, I'm going to deny these people from being NATed.
00:09:14 - So, I'm gonna put my deny first. I'm gonna say, instead of permit, deny
00:09:21 -,
00:09:26 - that's my wild card mask, so the first thing I'm doing
00:09:30 - I'm denying these guys from being included in the NAT addresses,
00:09:33 - or addresses to be NATed. Now, I'm gonna go in and do a permit after
00:09:38 - that,
00:09:43 - is my wild card mask, which says,
00:09:46 - match everything that starts with 192.168, and
00:09:50 - I don't care what comes after that. Now because this is an
00:09:53 - ordered access list, I'll do a show access-list. It's going
00:09:57 - to deny these people first, if they come in, but if you are not
00:10:01 - this essentially says, if you are not,
00:10:04 - but you are anything that starts with
00:10:07 - 192.168, then you are permitted.
00:10:11 - That's my second step. I have now created an access list, which
00:10:15 - identifies internal IP addresses to be translated. Now the
00:10:19 - last step, enabling NAT overload. I can enable NAT overload
00:10:26 - by using the NAT command, and this is the biggest command that
00:10:30 - we have with NAT, and trust me, it, it will look confusing at first
00:10:34 - but I'll explain it in English. I'm gonna say, in global config
00:10:38 - ip nat, essentially I want a NAT. The router's gonna ask me, well, how do you want
00:10:42 - a NAT? I wanna NAT from the inside of my network
00:10:46 - outside, and I'm gonna say, based on the source address translation,
00:10:51 - the source addresses that I'm going to translate are gonna
00:10:54 - be in access list, you can see access list, describing local
00:10:58 - addresses right here, in access list, and it says, well, what's the name
00:11:02 - of the access list? That name is NAT_ADDRESSES. Oops. Gonna paste the whole thing, there we go
00:11:09 - NAT_ADDRESSES. That's the list that identifies, and it says, well
00:11:13 - okay, do you wanna send that to a pool of global or public IP addresses,
00:11:18 - or do you just want to specify what interface those are going to be
00:11:21 - going out, and use the interface IP address. Well, in this example,
00:11:25 - for simplicity, I'm gonna use the interface. I'm gonna say, go ahead and send
00:11:28 - them out interface, and let's look back at our diagram, ethernet 0/1
00:11:32 - is our public interface. So I'll say, interface ethernet 0/1,
00:11:36 - and I'm going to follow that up by saying, please
00:11:41 - overload. Meaning, please allow multiple internal hosts to share
00:11:46 - this one IP address. So let me hit the upper arrow on that command, go back
00:11:50 - to the beginning. I'm gonna read it to you in plain English.
00:11:54 - ip nat says, I would like to NAT, and the router says, well
00:11:57 - how would you like to NAT? I would like to NAT from the inside
00:12:00 - of my network to the outside, the source addresses that I would
00:12:03 - like to NAT are identified in the access list NAT_ADDRESSES.
00:12:08 - Anything that's permitted by that access list, is going to
00:12:11 - be permitted to be NATed, and I would like to NAT them out
00:12:15 - interface ethernet 0/1, and please overload that address, if you, you
00:12:19 - can see, it's cut off here at the end, please overload that address, because if I
00:12:23 - don't include overload, only one host will be able to get out,
00:12:26 - and then it will say, okay, you've used up the address on interface
00:12:30 - ethernet 0/1, nobody else can use it, so use overload.
00:12:34 - Now I know, it's a very long line of syntax, but unfortunately
00:12:38 - that's the command you have to type in, and we'll, we'll keep seeing that
00:12:41 - as we look at the different forms of NAT. So at this point, our
00:12:45 - host should be able to get out.
00:12:50 - Ready to test it? I'm gonna hit that up arrow, let's do a traceroute, goes the router, goes the
00:12:56 - public IP address. Oh, ho, ho, ho. Look at that! Look at that!
00:12:58 - It's getting out. We have a, we have it going to router
00:13:03 - two, it goes to router one, it then goes to the next hop IP
00:13:08 - address, 68.110.171, I, I think I killed
00:13:12 - it. There we go, it's, it's still going. It's, it's trying to get to
00:13:15 - It's ho, it's going around the whole Internet right now, trying to
00:13:19 - get to our DNS server, and finally it gets there. The ultimate
00:13:23 - test, of course, is to open up a web browser,
00:13:29 - on our client, oh, look at that! Beauty! Shrink it down right here, and verify
00:13:34 - that our little client right here can go to the best site in all
00:13:39 - the Internet. It's the CISCO blog. No,
00:13:43 - and I know my Internet connection is bogged down right
00:13:49 - now, but there, in the flesh, is CBT Nuggets.
00:13:54 - Now check this out. I'm going to take this another step and
00:13:58 - start verifying. Now on router one, we now have NAT translations
00:14:01 - going through, watch this. I do show ip nat
00:14:07 - translations. Oh my word, look at that. Look at this, look, okay,
00:14:13 - okay, okay, look at this. You have inside local, right? Inside local identifies
00:14:18 - the address inside of your network, and if you were to diagram
00:14:21 - this, the inside local addresses represents these guys. I'll put
00:14:25 - IL, IL. Anything that is inside, and a local, it's a
00:14:30 - private IP address inside my, my network. Inside global,
00:14:34 - and I always say, inside means whose control is it under? It's under
00:14:37 - my control, global versus local, that's
00:14:41 - public or, global is public, versus private. Look at what's happening
00:14:45 - here. My client, you see 10.50 is being translated
00:14:51 - to a That
00:14:54 - is, the public IP address on router one. It's being translated
00:14:59 - to that, and notice, it's using that source port number to
00:15:03 - translate it through. Now notice it's, it's going, this, it's, it's going
00:15:07 - from the inside private to the, the inside global, that's
00:15:10 - the public address, then outside local and outside global, these
00:15:13 - will always be the same if we're, if we're doing this kind of NAT
00:15:16 - translation. You can see that it's going to this IP address,
00:15:19 - that IP address, this IP address, all these different IP
00:15:22 - addresses on port 80. That's the destination for it, that's
00:15:25 - our web surfing port.
00:15:27 - Initially, when I opened my web browser, it went to ah, to Firefox
00:15:31 - the, the little Firefox homepage, and, where did we go? We're right
00:15:35 - here, and it went to this page right here. Now this page is comprised
00:15:39 - of a, a graphic, a little Firefox guy here, a Google search field, we got
00:15:44 - some customization options down here, images, maps, blah, blah, blah, blah, blah.
00:15:48 - So when you're seeing these translations,
00:15:52 - we went to one website but we were probably redirected and got
00:15:55 - information from many different websites. That's why we see all
00:15:58 - these translations, even though we only went to
00:16:03 - and So all these are the different websites,
00:16:08 - and as time pass, as time passes, you'll see that they are timing
00:16:11 - out, they're slowly fading because the connections are being severed.
00:16:14 - You also notice I have an ICMP message, that's my ping
00:16:18 - that I did it, to When I, when
00:16:22 - I tested that, when I did my traceroute, to get to that server
00:16:26 - it was using ICMP, the ICMP protocol to do that. Isn't that amazing?
00:16:30 - I, I don't know, NAT always blows my mind, this NAT overload concept. I could,
00:16:34 - I could go in there and, it, I'm trying to think what else
00:16:38 - can I do?
00:16:40 - That's it. I, I can, that's NAT. It's, it's working, so all of these different
00:16:45 - clients on my network are able to get through except this one.
00:16:48 - This is what I wanted to emphasize. 192.168.3.whatever
00:16:51 - will not be allowed to get through, and
00:16:55 - the reason why is because the access list denies them. To, to
00:16:59 - simulate that, I'm gonna go over to router three, let's do a show ip interface brief,
00:17:03 - my little alias here, and I'm gonna type in, on router three, well, first off I'll do ping
00:17:08 -
00:17:10 - Sure enough, router three can get there, and you might be thinking, well I
00:17:14 - thought router three was denied. Well, it is, if it's coming from
00:17:18 - an IP address on this LAN, but router three came from
00:17:22 - Matter of fact, let's check it. Jump back to router one, show ip
00:17:28 - nat translations,
00:17:31 - and, right there, notice was using ICMP
00:17:36 - to ping that DNS server. So that was allowed to get
00:17:40 - through. Let's try this. I'm gonna go back to router three and do a ping
00:17:45 -, but I'm gonna follow that up with a source
00:17:49 - interface of, oh what
00:17:51 - interface was that? Ethernet 0/0. That's the one that connects to
00:17:55 - the LAN, ethernet 0/0.
00:17:59 - Now you can see, we're dying because it's pinging from a
00:18:02 - source address, it's coming from a source of 3.1,
00:18:05 - and if I were to jump over to my router one, and do a show, let's do
00:18:11 - a show access-list.
00:18:13 - You can see my NAT, my NAT addresses, 10, sequence
00:18:17 - 10, denied, and I've
00:18:21 - had five matches. Hmm. Five pings that came from router
00:18:25 - three. The permit, everything else that started with 0, 0,
00:18:28 - had twenty three matches. Those are being permitted to
00:18:31 - be NATed. Now I want to make sure we catch something here before
00:18:34 - I move on to the other forms of NAT. When I created that access
00:18:38 - list to identify the internal addresses to be translated, that's
00:18:42 - exactly what it's doing, permitting or denying them to be translated.
00:18:46 - Router three is coming out here, it's going tuk-a-tuk-a-tuk-a-tuk-a-tuk-a all the
00:18:48 - the way through the network,
00:18:51 - when I pinged from this source of 3.1, and router
00:18:54 - one's getting it, and it says, you are denied
00:18:58 - from being NATed, not denied from being routed. So router one
00:19:04 - is sending those packets out from router three. When I did this little,
00:19:09 - I did it again, my, my screen jumped. I don't know how I do that. Anyhow, let me see if I can fix this here.
00:19:15 - When I went into router three,
00:19:20 - and I did this ping right here from a source of 3.1,
00:19:25 - 3.1 was allowed through,
00:19:29 - it was just denied from NATing. So if I were to go to my ISP,
00:19:33 - if I had some kind of packet sniffer at my ISP, I would see packets
00:19:37 - coming in from It was not denied
00:19:40 - from routing, it was denied from being NATed, so I wanted
00:19:42 - to make sure I specify and emphasize that that's what that
00:19:45 - access list really does. All right, so that is NAT overload. Now
00:19:50 - let's talk about static NAT.
00:19:53 - Static NAT is what allows me to create mappings to
00:19:57 - let internal hosts be accessible from the outside.
00:20:02 - What I mean by that is, right now we have a NAT barrier, which
00:20:06 - is a form of security on my network. Meaning, nobody can get
00:20:10 - into my network without first being invited from an internal
00:20:13 - host. Meaning if this, this smiley guy down here didn't go out
00:20:17 - to the Internet and say, CNN, I would like your web page,
00:20:20 - CNN would never be able to come back in and say, here's a, here's
00:20:23 - a web page. So NAT, in essence, is an impenetrable form of security,
00:20:29 - because the outside cannot access the inside. Now I wanna make
00:20:34 - sure I emphasize that NAT security is not the only kind of
00:20:38 - security that you can have. The, it needs to be combined
00:20:41 - with many things, it's not perfect security is what I'm trying to say.
00:20:44 - So, what I can do is, let's say that this smiley host down here
00:20:48 - is a web server, and I want to allow people to access that
00:20:52 - web server from the Internet.
00:20:55 - Well, I need to create a static NAT mapping that maps this
00:21:00 - host to a public IP address in order for people to be able
00:21:05 - to access him. Now, first things first, you need to make sure
00:21:08 - that you get public IP addresses from your ISP. As of right
00:21:12 - now I have 1,
00:21:15 - assigned to that interface, but if I wanted to be
00:21:18 - able to have servers on the inside of my network, I would typically,
00:21:22 - or normally, I'll show you a way around this, but I would normally want to
00:21:25 - go to my ISP and say, ISP, I would like to get more IP
00:21:28 - addresses, and they will say, we will charge you this much a month,
00:21:31 - and you say, okay, and they will say, okay, you can have a,
00:21:35 - 68.110.171, one seven one, .99,
00:21:40 - and .100. You know these different IP addresses
00:21:43 - that you can use for your internal network. So let's say, just
00:21:47 - for ease of this example, and I'll show you some cool ways around
00:21:49 - this, let's say they, they gave us 99, right, and I want
00:21:54 - 99 to map to my internal web server. That's gonna
00:21:57 - to require a static NAT mapping. The way that I do it,
00:22:01 - is I move to global config mode on my NAT router, and
00:22:05 - I say, ip nat. That says, I want a NAT, I want a NAT from the inside
00:22:10 - of my network. Now, I know you might be thinking, I thought that
00:22:13 - would be outside, I thought you were NATing from the outside
00:22:16 - to the inside. Well, you are in a way, and you could do it by typing
00:22:20 - ip nat outside, and then say, this address to this address,
00:22:24 - but really, when you start working with NAT, it's best just to use
00:22:28 - one direction. When I say, ip nat inside, that says I'm gonna NAT
00:22:32 - from the inside of my network out, which is true, but anytime
00:22:36 - you do that, you're actually creating two-way NAT mappings.
00:22:39 - So it will NAT from the inside to the outside, but it will also
00:22:42 - NAT from the outside to the inside. So you might wonder, well, why would
00:22:46 - I use NAT outside?
00:22:48 - Good question. I never do. As long as you, you learn one direction
00:22:53 - and get comfortable with that, you never have to use the other.
00:22:56 - You could also start with NAT outside, say, I, you know, I wanna
00:23:00 - use NAT outside, and use NAT outside for anything, and never
00:23:02 - use NAT inside. I just always like using inside, because it
00:23:05 - makes more sense to me. So, I'm saying, I want a NAT from the inside,
00:23:09 - and it says, well, what, what do you want to translate? I wanna translate
00:23:12 - the source address, when somebody comes in, and I'm gonna make this
00:23:15 - a static NAT mapping, notice it says local to global.
00:23:19 - Let me stop right there. If I would have said, ip nat outside,
00:23:25 - all it would do is say, well, you wanna map global to local, so you would just
00:23:29 - type the outside address first, and then the inside address second.
00:23:33 - Typing ip nat inside, will let you type the inside address, or local address
00:23:36 - first, and the outside address second. That's really the only difference
00:23:39 - between the two. It's just what direction are you looking from,
00:23:42 - what, what direction do you prefer, but functionally, they're the same.
00:23:47 - So, this is going to be a static mapping,
00:23:50 - and I'm going to map the inside local IP address
00:23:57 - That's my little guy
00:24:01 - down here, smiling guy.
00:24:03 - He's my web server. I wanna NAT him to the outside IP
00:24:08 - address,
00:24:12 - that's the new IP address that my ISP
00:24:15 - gave me, and or sold me, and allowed me to use on the Internet
00:24:19 - as long as I'm using them. That point, I hit Enter. I've now created
00:24:24 - a static NAT mapping. Now this is where I want to explain
00:24:27 - what I mean by two-way. Any time this inside host decides
00:24:33 - I would like to access the Internet, 10.50. He will
00:24:36 - go out, and go to router one and go out and be seen on the Internet
00:24:39 - as this address,
00:24:45 - Likewise, anytime anyone on the Internet accesses that address
00:24:51 - 71.99, router one will get that and translate it
00:24:55 - back to the inside host. That's what I mean by two-way mapping,
00:24:59 - it goes in, and it comes out. So, let me do a show ip nat translation,
00:25:05 - and you can see, all my translations have timed out. This is a
00:25:09 - static. It says, any time somebody accesses that, it will become
00:25:13 - that, and any time this one accesses the Internet, it will
00:25:16 - become that, and be sent out as that. Now you can see this doesn't have
00:25:20 - any IP addresses, because as of right now, nobody is accessing
00:25:24 - that, nobody is, is
00:25:27 - accessing this IP address right here, and so when somebody
00:25:31 - does, if somebody does access my "website", their IP address
00:25:35 - will show up here, because they will be NATed to my inside address
00:25:38 - right here. That is known as simple static NAT mapping.
00:25:44 - Now I mentioned I was going to show you a way to kind of overcome
00:25:47 - this, like, you know, we only, let's say you're with a company
00:25:50 - and they only have one IP address from an ISP, and either the
00:25:54 - ISP will not give you any more IP addresses, because
00:25:57 - some of them work that way, or the company does not want to
00:26:00 - buy any more IP addresses, because it can get kind of expensive.
00:26:04 - What we can do, is we can use the IP address that we have
00:26:10 - on our public interface right here, the
00:26:13 - and use it as somewhat of a static
00:26:18 - NAT mapping. Let me show you how this works. We're, right now,
00:26:22 - using this for NAT overload, and let me first go in;
00:26:27 - I'm going to remove this static NAT mapping, no, put a no at the beginning. So
00:26:31 - that one's gone. Go back, verify, show ip nat translations,
00:26:35 - we've got nothing. All right, we've removed our static NAT mapping, and
00:26:38 - we only have one IP address, and I would like to use that IP address
00:26:42 - to still allow access to the web server. Well, as of right now that IP
00:26:46 - address is being used for NAT overload, so as hosts surf the net
00:26:49 - they're going to be seen as that IP address. So I can't statically
00:26:54 - map that whole IP address to the web server. This is what
00:26:57 - we know as static port mappings. Watch this. You may have seen
00:27:02 - it when I was doing the command before. I'll type in ip nat inside
00:27:06 - source static. This is same thing as before, same command,
00:27:09 - but I'm gonna hit the question mark. Now when I did the last example, right
00:27:14 - here, I typed in the private IP address.
00:27:18 - Now I'm gonna do something a little bit different. I'm gonna type a protocol.
00:27:22 - I'm gonna statically map TCP
00:27:26 - to the inside local, the private IP address,,
00:27:30 - and I'm gonna map port 80
00:27:35 - to the outside global. It says what is the global IP address,
00:27:39 - 68.110.171., or wait a sec,
00:27:45 - I'm not gonna do that. I only have my interface, the IP address on my interface,
00:27:49 - right?, so instead of mapping it to a different
00:27:53 - global IP address, I'm gonna map it to the IP address on the interface,
00:27:57 - and I'll say, interface ethernet, was it 0/0? 0/1.
00:28:05 - 0/1, question mark, port 80. You see what's happening
00:28:10 - here? What I'm doing is, any time my outside interface, 0/1,
00:28:16 - my Internet facing interface, gets a request on
00:28:20 - port 80. Now what's TCP port 80? Web services, right?
00:28:24 - That's http. It will translate that request to the inside IP address,
00:28:29 - on its port 80.
00:28:35 - That's pretty hot, because now, when I go back here, I'll do show
00:28:38 - ip nat translations. I can see that this translation is happening
00:28:42 - oh, it looks like we had some other, our little host went out and accessed
00:28:46 - a time server, but
00:28:50 - we're not gonna talk about that. This is my static NAT mapping, I've got http, nobody's
00:28:55 - using it as of right now, but the host can still, let's, let's ah, let's bring
00:28:59 - my ah, host back to the stage. Our host can still, let's go
00:29:05 - to ah,,
00:29:09 - only the coolest blog on the Internet, and, you know, we're accessing
00:29:14 - the CISCO blog, minimize that guy and, wait a sec, minimize this
00:29:17 - whole thing, come back here and do a show ip nat translations, we're
00:29:20 - still accessing the Internet, we're still overloading, but
00:29:24 - we're now borrowing one port from that public IP address, and giving
00:29:27 - it to that host. Now this gives us a lot of flexibility guys, look at this.
00:29:31 - I just assigned port 80 on that IP address. If anybody
00:29:35 - from the Internet accesses that on port 80, it'll forward
00:29:38 - into my client, but I could totally split that address
00:29:41 - apart to access all kinds of things, like let's say, let's say
00:29:44 - this is an email server, email, and that I have inside of
00:29:48 - my company. That email service uses TCP port 25, known
00:29:52 - as SMTP, simple mail transfer protocol. I could assign
00:29:56 - port 25 of that public IP address to a totally different
00:30:01 - internal host. I could split apart an IP address for however
00:30:05 - many services I really wanted to use. It's very powerful, because
00:30:09 - with simple static NAT, you dedicate a full public IP to a
00:30:12 - full private IP, and you may only use one or two ports
00:30:15 - off of that. Well, why not use each public IP address to the
00:30:19 - max? That's what that port static NAT mapping is all about.
00:30:23 - So you can, you can split it up in many different ways. So we've
00:30:26 - talked about NAT overload, we talked about static NAT. There
00:30:31 - is one more concept I want to show you, and this is for
00:30:34 - larger companies.
00:30:36 - It is dynamic NAT with overload. Now, as of right now, I'm gonna
00:30:40 - do a, a show run, and I'm gonna include lines that have ip nat in them,
00:30:45 - because I just want to filter it down, and there's, there's my ah, my
00:30:51 - command that I typed in to NAT the private IP addresses
00:30:54 - in that access list, to the interface and overload it. That's
00:30:58 - NAT overload, but I'm gonna remove that, and
00:31:03 - do a copy, global config, put no paste and paste that in there.
00:31:08 - So this, "dynamic mappings are in use, do you want to kill them all?" It means, there's some
00:31:13 - people using that right now, are you sure you want to do that? Yep, sorry, Internet
00:31:16 - has gone down. So we now have a clean slate, and I want to show you
00:31:20 - how you can configure dynamic NAT meaning, poh, multiple
00:31:24 - public IP addresses using NAT overload. What I can do is I
00:31:29 - can approach this a little different. Instead of using the
00:31:33 - public IP address on the interface, I can create an ip nat pool.
00:31:36 - You can see I can type ip nat pool, says what would you like
00:31:41 - to name it? I'll say PUBLIC_ADDRESSES,
00:31:47 - do a space question mark, it says, what start IP address would you
00:31:50 - like to put in that pool, and I'll say, well let's say we purchased
00:31:53 - IP addresses from our ISP, the
00:31:57 - and one hundred, I'll put,
00:32:02 - and the
00:32:04 - end IP address will be
00:32:08 - Those are our public IP addresses that we've
00:32:11 - gotten. To a question mark it says, what, you can either type in
00:32:14 - the net mask, meaning the decimal subnet mask, or the prefix length.
00:32:20 - What it means by prefix length is, what bit notation /24/32,
00:32:24 - that kind of thing. I'll just put, you know it's only looking for
00:32:26 - the number, so 24, which means, let's say, class C subnet
00:32:30 - mask, or this is a preference, you can also use the net
00:32:33 - mask option and type in the decimal subnet mask, okay.
00:32:37 - So what I've done is I've created a NAT pool
00:32:41 - of two addresses. Now I can use that same command that I
00:32:47 - used before,
00:32:48 - and I'll type it in again, ip nat inside source, to, to turn on NAT overload
00:32:53 - right? I'm gonna do a source list, the access list was
00:32:58 - NAT_ADDRESSES.
00:33:02 - Right, that was the access list we created, I wanna NAT from that access
00:33:05 - list. Now before, we were going specifically out in interface,
00:33:09 - using whatever public IP address we had on that interface.
00:33:12 - The advantage of that is it's very simple, and you only need one
00:33:15 - public IP address. The disadvantage, well there's not a real disadvantage,
00:33:19 - but the problem is, is if you have a very large company, it will
00:33:24 - eventually run out of ports. Meaning, as you get hundreds and thousands
00:33:27 - of hosts on the inside of your network, surfing the Internet,
00:33:30 - this will run out of ports that it can use on that public
00:33:33 - IP address, and it'll start killing NAT sessions and
00:33:36 - people will kind of lose their connection to the Internet from time
00:33:39 - to time. So what we can do is give a pool of two public addresses
00:33:43 - that we created, so I can say, go ahead and use that pool when one
00:33:47 - of them is full, meaning there's enough people using that, switch
00:33:50 - over the next one. So if I wanted to do that, I would just say,
00:33:54 - I wanna, I want to NAT, I'll read this in English, ip nat, I want to
00:33:57 - NAT from the inside of my network, that is identified as the
00:34:02 - source IP addresses in access list NAT_ADDRESSES. Now I wanna NAT
00:34:06 - them to the pool of addresses that I just created, the name
00:34:10 - of the pool
00:34:14 - is PUBLIC_ADDRESSES, ip nat pool PUBLIC_ADDRESSES, and
00:34:18 - then, I would like to overload that pool. If you forget the
00:34:21 - overload keyword, what's gonna happen is it's going to allow
00:34:24 - two people, meaning the two public addresses that you have, to access
00:34:28 - the Internet, and then it'll say, sorry, we're out of public IP addresses.
00:34:31 - That is known as dynamic NAT with overload. You're dynamically
00:34:36 - going from a group of addresses to a group of other addresses,
00:34:39 - a group of private to a group of public, and we're overloading it so
00:34:42 - when one of those public addresses gets full, it will fail over
00:34:45 - to the second one. That is NAT in all its flavors.
00:34:50 - Still to this day, I think NAT is one of the most fun
00:34:54 - configurations that you can do on a Cisco router. I, I don't
00:34:57 - know why, I just, I just think it's, it's such a neat concept. So let's
00:35:02 - wrap things up. We saw configuring NAT overload, that was the
00:35:05 - first thing that we did, labelling our inside and outside interfaces,
00:35:08 - creating a private IP address access list, or what addresses
00:35:12 - we would like to translate, and then combining all that in
00:35:15 - the ip nat command to enable overload. We then configured
00:35:19 - static NAT to allow outside access to our internal IP addresses,
00:35:23 - and then finally, we saw a dynamic NAT, which is going from
00:35:26 - private IP addresses to a pool of public IP addresses,
00:35:31 - and we combine that with overload, so that when one of them
00:35:34 - ran out of port numbers, the other one could take over. I hope
00:35:38 - this has been informative for you, and I'd like to thank you for viewing.

Jeremy Cioara, CBT Nuggets Trainer

Cisco CCNA, CCDA, CCNA Security, CCNA Voice, CCNP, CCSP, CCVP, CCDP, CCIE R&S; Amazon Web Services CSA; Microsoft MCP, MCSE; Novell CNA, CNE; CompTIA A+, Network+, iNet+

Area of expertise: Cisco network administration and development. Author or coauthor of numerous books, including: CCNA Voice 640-461 Official Cert Guide; CCNA Voice Official Exam Certification Guide (640-460 IIUC); CCENT Exam Prep (Exam 640-822); and CCNA Exam Cram (Exam 640-802) 3rd Edition.

© 2014 CBT Nuggets. All rights reserved.