Network Address Translation (NAT) is a mechanism that maps a local address on the inside interface of a router to a global address on the outside interface. For outgoing packets, the router translates the source local address to a global address. Conversely, the router forwards incoming packets addressed to a global address to the corresponding local address. This is the usual way to enable hosts on a LAN to communicate with the internet. On Cisco devices there are several methods to configure NAT. This article explains one of them: configuring static NAT on a Cisco IOS router.
How to Configure Static NAT in Cisco IOS Router
Static NAT is a manual mapping between a local and a global address, defined by the network administrator. Configuring static NAT on a Cisco IOS router takes two steps, explained here using an example scenario with the topology below:
1. Define the inside and outside interface
Defining the inside and outside interfaces correctly is the key to making the NAT mapping work. Go to interface configuration mode and use the command ip nat inside to mark the interface as an inside interface. In the same way, use the command ip nat outside to mark the interface as an outside interface.
For the above scenario, f0/0 on R1 is made the inside interface and f0/1 the outside interface as shown below (assuming the IP address of each interface and the default route to the internet have already been configured):
R1(config)#interface f0/0
R1(config-if)#ip nat inside
R1(config-if)#exit
R1(config)#interface f0/1
R1(config-if)#ip nat outside
R1(config-if)#exit
2. Configure the static NAT mapping
The command to configure a static NAT mapping is ip nat inside source static [local address] [global address]. The command can be repeated as many times as required, but note that on a Cisco IOS router one local address can only be mapped to one global address and vice versa. Additionally, the global address must be in the range of the subnet on the outside interface. In practice, the global address is usually provided by the internet service provider.
For the above scenario, the command to map Server1's IP address to one of the available global IP addresses is:
R1(config)#ip nat inside source static 10.2.2.3 172.26.10.91
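The two rules from step 2 (one local address per global address and vice versa, and the global address inside the outside interface's subnet) can be checked against a saved configuration before it is applied. The following is an added example, not part of the original article: the function name, the /24 mask on the outside subnet and the lines in BAD_CONFIG are assumptions constructed for illustration.

```python
import ipaddress
import re

# Matches only the address-only form used in this article:
#   ip nat inside source static <local> <global>
STATIC_RE = re.compile(
    r"^\s*ip nat inside source static (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)\s*$")

def check_static_nat(config_text, outside_subnet):
    """Return a list of rule violations among the static NAT lines of a config."""
    subnet = ipaddress.ip_network(outside_subnet)
    by_local, by_global, problems = {}, {}, []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        match = STATIC_RE.match(line)
        if not match:
            continue  # not an address-only static NAT line
        local, glob = (ipaddress.ip_address(a) for a in match.groups())
        if local in by_local:
            problems.append(f"line {lineno}: local {local} is already mapped to {by_local[local]}")
        if glob in by_global:
            problems.append(f"line {lineno}: global {glob} is already mapped to {by_global[glob]}")
        if glob not in subnet:
            problems.append(f"line {lineno}: global {glob} is outside {subnet}")
        # Remember the first mapping seen for each address.
        by_local.setdefault(local, glob)
        by_global.setdefault(glob, local)
    return problems

# The mapping from this article, with an assumed /24 on the outside interface.
ARTICLE_CONFIG = "ip nat inside source static 10.2.2.3 172.26.10.91\n"
OUTSIDE_SUBNET = "172.26.10.0/24"  # assumption: the article does not give the mask

# Constructed lines that break each rule in turn.
BAD_CONFIG = """\
ip nat inside source static 10.2.2.3 172.26.10.91
ip nat inside source static 10.2.2.3 172.26.10.92
ip nat inside source static 10.2.2.4 172.26.10.91
ip nat inside source static 10.2.2.5 192.0.2.10
"""

if __name__ == "__main__":
    for problem in check_static_nat(BAD_CONFIG, OUTSIDE_SUBNET):
        print(problem)
```

Port-based static entries (with tcp or udp and port numbers) are deliberately skipped by the pattern, since the article only covers the address-only form.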
Verifying the NAT sessions
To see whether static NAT works as expected, ping from Server1 to address 188.8.131.52 on the internet. Before static NAT is applied, a ping from Server1 to 184.108.40.206 will not work, because R1 forwards the packet with the source address 10.2.2.3, which is not known on the internet in this case.
Server> ping 220.127.116.11
18.104.22.168 icmp_seq=1 timeout
After NAT is applied, the source address 10.2.2.3 is replaced by 172.26.10.91, an address that is known on the internet in this case. Therefore, the ping from Server1 succeeds.
Server> ping 22.214.171.124
84 bytes from 126.96.36.199 icmp_seq=1 ttl=252 time=28.002 ms
Use the command show ip nat translations on the router to see the NAT sessions. See this example output for the above scenario:
R1#sh ip nat trans
Pro  Inside global       Inside local     Outside local        Outside global
icmp 172.26.10.91:38398  10.2.2.3:38398   188.8.131.52:38398   184.108.40.206:38398
---  172.26.10.91        10.2.2.3         ---                  ---
The output above shows the active sessions between the local address and the global address on the inside and outside interfaces, complete with protocol and port information. The inside global and outside global columns show the IP addresses and ports that result from translation, while the inside local and outside local columns show the addresses and ports before translation. From the output above we can see that the static NAT mapping between the local address 10.2.2.3 and the global address 172.26.10.91 on the inside interface is working.
One cool thing about static NAT is that it also works for incoming packets, which means Server1 is reachable from the internet at its global address. To confirm this, ping Server1's global address from the internet.
Internet>ping 172.26.10.91
84 bytes from 172.26.10.91 icmp_seq=1 ttl=252 time=28.004 ms
On R1, run the command show ip nat translations again to see the session:
R1#sh ip nat trans
Pro  Inside global       Inside local     Outside local         Outside global
icmp 172.26.10.91:38910  10.2.2.3:38910   220.127.116.11:38910  18.104.22.168:38910
---  172.26.10.91        10.2.2.3         ---                   ---
And that’s how you configure static NAT in Cisco IOS Router.