How to configure Dynamic NAT on Cisco IOS Router

This topic is to discuss the following lesson:

Hi Rene,

Thanks for the article.
I believe the interface on NAT Router connected to switch should be fa0/0. I see the diagram says fa1/0 wherein the command say fa0/0 —> ip nat inside.

Correct me if I am wrong.

Hi Jeeva Jose,

Thanks, you are right, I just fixed it in the diagram.

Rene

Hello All,

Can we use the interface IP of the router in dynamic NAT?

Yes you can, no problem at all.

Hello Rene,
Thanks for the article.
I just want to know about F0/0 on the NAT router, what do we call it?

Thanks in advance.
Wisam

Hi Wisam,

You are welcome. In this example, that would be the NAT “inside” interface.

Rene

Great Article Rene. I may be wrong but this statement seems a little off:

Inside global is the IP address on the outside interface of your router performing NAT.

Seems like from the data output the “inside global” address is how the outside world sees the “inside local” address or the address the “inside local” address is translated to.

Please let me know if I am looking at that wrong.

Just a follow-up to my above question. It seems like your above statement I referenced (seen below) would be appropriate for the static NAT example, but the dynamic NAT seems to put a slightly different spin on it.

“Inside global is the IP address on the outside interface of your router performing NAT.”

Anyway, it seems in general (static or dynamic) from the data output the “inside global” address is how the outside world sees the “inside local” address, or stated another way, it seems the “inside global” addresses are what the “inside local” addresses are translated to.

Hope I’m not overthinking this. Thank you for your time.

Hi Roland,

Good question. You are right, when I’m talking about “Inside global is the IP address on the outside interface of your router performing NAT” then I’m referring to static NAT or PAT where we translate to this IP address.

When you use a dynamic pool, it would be “inside global is the IP address from the pool that you translate the inside local address to” :)

Rene

Hello Rene, my question is when you created your NAT pool, why did you use “prefix-length 24” vice a mask or wildcard? Is prefix-length 24 the same as a /24? And second, is it correct that your NAT pool consists of only 11 IPs?

And thanks for your service.

1 Like

Hi Flynn,

The following two commands have the same result:

ip nat pool POOL 10.0.0.10 10.0.0.20 netmask 255.255.255.0
ip nat pool POOL 10.0.0.10 10.0.0.20 prefix-length 24

The only reason to use one versus the other is that either you already know the prefix length and you don’t want to bother converting it to a subnet mask, or you want to type a lot faster (with auto-complete, prefix-length is faster to type in than the full netmask :) )

So, yes, for any prefix-length XY, this is the same thing as /XY.

You are correct that the NAT pool consists of 11 IPs.

2 Likes

Hi Rene,

Can you please explain what the difference is between outside local and outside global IP addresses, along with an example? Thanks in advance.

Just above the configuration file tabs, there’s a paragraph saying “Well this is way outside the scope of the CCNA exam but with NAT”. I wondered where I was. Am I reading CCNP stuff?

Hello Sumit

This is a very good question because the terms used with NAT can become very confusing. Let’s say you are the Inside Host and you are connecting to a web server which is the Outside Host like so:

You can see that the packet leaving the inside host and travelling towards the NAT router has:

  • Source Address: Inside Local - a private address such as 10.10.10.5
  • Destination address: Outside Local - the public IP address of the outside host such as 205.10.10.47

A packet going from the NAT router to the Inside host has the following addresses:

  • Source address: Outside Local - the public IP address of the outside host such as 205.10.10.47
  • Destination Address: Inside Local - a private address such as 10.10.10.5

Notice that the word “LOCAL” is used for all of the above-mentioned addresses.

On the outside network, packets going from the NAT router to the Outside Host have the following addresses:

  • Source Address: Inside Global - the translated public address such as 147.52.3.17
  • Destination address: Outside Global - the public IP address of the outside host such as 205.10.10.47

Packets travelling in the opposite direction have:

  • Source address: Outside Global - the public IP address of the outside host such as 205.10.10.47
  • Destination Address: Inside Global - the translated public address such as 147.52.3.17

Notice here that the word Global is used for ALL of these addresses.

So whenever you see the word Local, you are referring to addresses as they exist BEHIND the NAT router while the word Global refers to addresses as they exist BEYOND the NAT router.

Whenever you see the word Inside, you are referring to the IP address of the Inside host and Outside refers to the address of the outside host.

Finally, you will notice that the Inside Global and the Outside Global addresses are almost always the same as translation does not occur on the address of the outside host.

I hope this has been helpful!

Laz

4 Likes
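To tie Rene’s answer about the 11-address pool and Laz’s four address terms together, here is an added example (not code from the lesson or the thread) that models a dynamic NAT router in Python. It uses the pool from Rene’s commands (10.0.0.10 to 10.0.0.20) and the 10.10.10.5 / 205.10.10.47 hosts from Laz’s post; any additional inside hosts and the class and function names are constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of "ip nat inside source list ... pool POOL" behaviour.
# It is an illustration, not Cisco IOS code.


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


class DynamicNat:
    """Dynamic NAT: inside local addresses borrow inside global addresses from a pool."""

    def __init__(self, pool_start, pool_end):
        first = int(ipaddress.ip_address(pool_start))
        last = int(ipaddress.ip_address(pool_end))
        # Every address from pool_start to pool_end inclusive (10.0.0.10-20 gives 11).
        self.free = [str(ipaddress.ip_address(i)) for i in range(first, last + 1)]
        self.table = {}  # inside local -> inside global

    def pool_size(self):
        return len(self.free) + len(self.table)

    def inside_to_outside(self, pkt):
        """Packet arriving on the 'ip nat inside' interface: translate the source."""
        if pkt.src not in self.table:
            if not self.free:
                return None  # pool exhausted: no translation, packet is dropped
            self.table[pkt.src] = self.free.pop(0)
        return Packet(self.table[pkt.src], pkt.dst)

    def outside_to_inside(self, pkt):
        """Return traffic: only an existing entry is used; outside hosts cannot create one."""
        for local, glob in self.table.items():
            if glob == pkt.dst:
                return Packet(pkt.src, local)
        return None


def address_terms(nat, inside_local, outside_host):
    """Name the four addresses for one inside-initiated flow, as in Laz's explanation."""
    translated = nat.inside_to_outside(Packet(inside_local, outside_host))
    if translated is None:
        return None
    return {"inside local": inside_local, "inside global": translated.src,
            "outside local": outside_host, "outside global": translated.dst}
```

Note that outside local and outside global come out identical, which is exactly the point Laz makes: without destination translation, only the inside host’s address changes.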

Hello Maodo

Don’t worry, you are reading up on CCNA material. Rene is referring to the fact that the Outside Local and the Outside Global addresses are the same. These however can be configured so that they are different. That is, the destination IP address can also be translated by NAT. It is this configuration alone that is outside of the CCNA curriculum. Not to worry, the rest is definitely covered within the CCNA curriculum.

I hope this has been helpful!

Laz

1 Like

Hello Lazaros,

Thanks for the explanation… Can you please explain the use of the keywords extendable and reversible in NAT with an example?

1 Like

Thanks for your explanation, Lazaros.

My question was not so technical. A CCNP lesson talking about CCNA scope; I thought it was a copy/paste error. Now I understand that one lesson can belong to CCNA and also be re-used, without any change, in CCNP or CCIE courses. I found below the three (CCNA, CCNP, CCIE) links having the same NAT lesson (the lesson that was originally written for CCNA).

…/ccna-routing-switching-icnd1-100-105/how-to-configure-dynamic-nat-on-cisco-ios-router/
…/ccnp-route/how-to-configure-dynamic-nat-on-cisco-ios-router/
…/ccie-routing-switching/how-to-configure-dynamic-nat-on-cisco-ios-router/

1 Like

Hello Sumit

There are two types of translation entries: simple and extended. A simple translation entry maps one IP address to another. The keyword extendable, which indicates an extended translation entry, means that the translation entry will map an IP address and port pair to another. The extended translation includes the port. An example of such a configuration is the following:

ip nat inside source static tcp 192.168.1.4 25 199.198.5.1 25 extendable
ip nat inside source static tcp 192.168.1.3 21 199.198.5.1 21 extendable
ip nat inside source static tcp 192.168.1.3 20 199.198.5.1 20 extendable
ip nat inside source static tcp 192.168.1.2 80 199.198.5.1 8080 extendable

Note in the final example that the inside and outside ports do not necessarily have to be the same.

The reversible keyword according to Cisco “enables outside-to-inside initiated sessions to use route maps for destination-based NAT.” This essentially means that a NAT translation entry will be created as soon as the router detects traffic flow from outside to inside using the specific NAT translation. Without this keyword, a NAT entry would only be created when the traffic is sourced from the inside network.

An example would be the following command:

Router(config)# ip nat inside source route-map MAP-A pool POOL-A reversible

This enables outside-to-inside initiated sessions to use route maps for destination-based NAT. Note that the reversible keyword is used in conjunction with route maps only.

I hope this has been helpful!

Laz

2 Likes

Hi laz,

Thanks for the explanation. This means we can use the extendable keyword only when we are mapping a port to an IP address? Reversible means we can use an inside-to-outside route map for the outside-to-inside case? Can you please explain this with an example with full configuration?

Also, can you please let me know the use of both keywords in the same line of a NAT statement?

Thanks in advance.

Regards
Sumit

1 Like