How to configure Dynamic NAT on Cisco IOS Router

Hi Roland,

Good question. You are right, when I’m talking about “Inside global is the IP address on the outside interface of your router performing NAT” then I’m referring to static NAT or PAT where we translate to this IP address.

When you use dynamic pool, it would be “inside global is the IP address from the pool that you translate the inside local address” to :slight_smile:

Rene

Hello Rene, my question is when you created your nat pool, why did you use “prefix-length 24” vice a mask or wild card? Is prefix-length 24 the same as a /24? And second, is it correct that your nat pool consists of only 11 IPs?

And thanks for your service.

Hi Flynn,
The following two commands have the same result:
ip nat pool POOL 10.0.0.10 10.0.0.20 netmask 255.255.255.0
ip nat pool POOL 10.0.0.10 10.0.0.20 prefix-length 24

The only reason to use one vs another would be is that either you already know the prefix length and you don’t want to bother converting it to a subnet mask, or you want to type a lot faster (with auto-complete, using prefix-length is faster to type in than the full netmask :slight_smile: )

So, yes, for any prefix-length XY, this is the same thing as /XY

You are correct that the nat pool consists of 11 IPs.

Hi Rene,

Can you please explain the difference between outside local and outside global IP addresses, along with an example. Thanks in advance.

Just above the configuration file tabs, there’s a paragraph saying "Well this is way outside the scope of the CCNA exam but with NAT". I wondered where I was. Am I reading CCNP stuff?

Hello Sumit

This is a very good question because the terms used with NAT can become very confusing. Let’s say you are the Inside Host and you are connecting to a web server which is the Outside Host like so:

You can see that the packet leaving the inside host and travelling towards the NAT router has:

  • Source Address: Inside Local - a private address such as 10.10.10.5
  • Destination address: Outside Local - the public IP address of the outside host such as 205.10.10.47

A packet going from the NAT router to the Inside host has the following addresses:

  • Source address: Outside Local - the public IP address of the outside host such as 205.10.10.47
  • Destination Address: Inside Local - a private address such as 10.10.10.5

Notice that the word “LOCAL” is used for all of the above mentioned addresses.

On the outside network, packets going from the NAT router to the Outside Host have the following addresses:

  • Source Address: Inside Global - the translated public address such as 147.52.3.17
  • Destination address: Outside Global - the public IP address of the outside host such as 205.10.10.47

Packets travelling in the opposite direction have:

  • Source address: Outside Global - the public IP address of the outside host such as 205.10.10.47
  • Destination Address: Inside Global - the translated public address such as 147.52.3.17

Notice here that the word Global is used for ALL of these addresses.

So whenever you see the word Local, you are referring to addresses as they exist BEHIND the NAT router while the word Global refers to addresses as they exist BEYOND the NAT router.

Whenever you see the word Inside, you are referring to the IP address of the Inside host and Outside refers to the address of the outside host.

Finally, you will notice that the Inside Global and the Outside Global addresses are almost always the same as translation does not occur on the address of the outside host.

I hope this has been helpful!

Laz

Hello Maodo

Don’t worry, you are reading up on CCNA material. Rene is referring to the fact that the Outside Local and the Outside Global addresses are the same. These however can be configured so that they are different. That is, the destination IP address can also be translated by NAT. It is this configuration alone that is outside of the CCNA curriculum. Not to worry, the rest is definitely covered within the CCNA curriculum.

I hope this has been helpful!

Laz

Hello Lazaros,

Thanks for the explanation… Can you please explain the use of the keywords extendable and reversible in natting, with an example.

Thanks for your explanation, Lazaros.

My question was not so technical. A CCNP lesson talking about CCNA scope; I thought it was a copy/paste error. Now I understand that one lesson can belong to CCNA and also be re-used, without any change, in CCNP or CCIE courses. I found below the three (CCNA, CCNP, CCIE) links having the same NAT lesson (the lesson that was originally written for CCNA).

…/ccna-routing-switching-icnd1-100-105/how-to-configure-dynamic-nat-on-cisco-ios-router/
…/ccnp-route/how-to-configure-dynamic-nat-on-cisco-ios-router/
…/ccie-routing-switching/how-to-configure-dynamic-nat-on-cisco-ios-router/


Hello Sumit

There are two types of translation entries: simple and extended. A simple translation entry maps one IP address to another. The keyword extendable, which indicates an extended translation entry, means that the translation entry will map an IP address and port pair to another. The extended translation includes the port. An example of such a configuration is the following:

ip nat inside source static tcp 192.168.1.4 25 199.198.5.1 25 extendable
ip nat inside source static tcp 192.168.1.3 21 199.198.5.1 21 extendable
ip nat inside source static tcp 192.168.1.3 20 199.198.5.1 20 extendable
ip nat inside source static tcp 192.168.1.2 80 199.198.5.1 8080 extendable

Note in the final example that the inside and outside ports do not necessarily have to be the same.

The reversible keyword according to Cisco “enables outside-to-inside initiated sessions to use route maps for destination-based NAT.” This essentially means that a NAT translation entry will be created as soon as the router detects traffic flow from outside to inside using the specific NAT translation. Without this keyword, a NAT entry would only be created when the traffic is sourced from the inside network.

An example would be the following command:
Router(config)# ip nat inside source route-map MAP-A pool POOL-A reversible

This enables outside-to-inside initiated sessions to use route maps for destination-based NAT. Note the reversible keyword is used in conjunction with route maps only.

I hope this has been helpful!

Laz

Hi laz,

Thanks for the explanation. This means we can use the extendable keyword only when we are mapping a port to an IP address? Reversible means we can use an inside to outside route map for the outside to inside case? Can you please explain this with an example with full configuration.

Also can you please let me know the use of both keywords in the same line of natting statement.

Thanks in advance.

Regards
Sumit

Hello Sumit

    “This means we can use extendable keyword only when we are mapping port to an IP address…??”

If you are mapping only the IP address (without specifying ports), you would use a command such as this:

ip nat inside source static 192.168.1.4 199.198.5.1

However, if you want to map multiple ports of the same IP address pair, you would have to specify the transport layer protocol (tcp/udp) and the ports being mapped. In the example I gave above, you can see that multiple instances of the same IP address are used, however it is the ports that are changing. (Also, if you don’t put in the extendable keyword, IOS will put it in for you in the config).

Reversible means that you can apply a route map on outside to inside translation, yes, without the need for the creation of an initial inside to outside translation first.

Because the extendable keyword is used only when referring to specific IP addresses and ports and the reversible keyword is only used with route maps, you wouldn’t be able to employ both in the same statement and have it function correctly. Each is used in a different sort of NAT application.

Do you have any examples where you’ve seen both used in the same statement? If so, please share it and we can further discuss it.

I hope this has been helpful!

Laz

What difference does the prefix length really make? I mean you’ve selected 11 possible host addresses, so I struggle to see the relevance of it.

Hello Chris

This is a very valid question. In a command such as the following, the prefix-length parameter is essentially a sanity check.

NAT(config)#ip nat pool MYPOOL 192.168.23.10 192.168.23.20 prefix-length 24

You could have easily used the prefix length of 23 or 25 and it would work correctly with the above IP addresses. However, it is always best practice to confirm that you use the real prefix length of the actual subnet in question.

I hope this has been helpful!

Laz


Hi Lazaros

Can you please tell me how can we use prefix-length of 23 or 25 instead of 24…

Regards
Sumant

Hello Sumant

When you implement a NAT translation such as the one in the lesson:

NAT(config)#ip nat pool MYPOOL 192.168.23.10 192.168.23.20 prefix-length 24

it is always best practice to use the prefix length that has been given to you by the ISP (in the case of an enterprise edge configuration) or the actual subnet mask that you want the translated external IP to have. The reason for this is that the prefix will actually apply the corresponding subnet mask to the translated IP address, so the router will know which destination IP addresses are in the subnet and which are not (and should subsequently be sent to the default gateway of the subnet).

So to clarify my point, whether you use 23 or 25, the range of the pool will still be in that prefix range; however, the actual subnet mask of the specific translated IP address will be different. For this reason, it is important to use the appropriate prefix based on the subnet to be used for the specific translated address.

I hope this has been helpful!

Laz
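As an added illustration (not code from the lesson or from the thread's participants) of the two points made above about the pool command: that netmask and prefix-length are interchangeable, that the prefix is a sanity check on the START..END range, and that an 11-address pool is exhausted by the twelfth inside host when no overload is configured. The parser and the DynamicNatPool class are a constructed model of the router's behaviour, not IOS code.

```python
import ipaddress
from typing import Dict, List, Optional

def parse_nat_pool(command: str) -> Dict[str, object]:
    """Parse 'ip nat pool NAME START END netmask MASK' or '... prefix-length N'.

    The prefix is applied the way the reply above describes it: as a check that
    the whole START..END range lies inside one subnet of that length.
    """
    parts = command.split()
    if parts[:3] != ["ip", "nat", "pool"] or len(parts) != 8:
        raise ValueError("expected: ip nat pool NAME START END (netmask MASK | prefix-length N)")
    name, start, end, kind, value = parts[3], parts[4], parts[5], parts[6], parts[7]
    if kind == "netmask":
        prefix = ipaddress.IPv4Network(f"0.0.0.0/{value}").prefixlen  # dotted mask -> length
    elif kind == "prefix-length":
        prefix = int(value)
    else:
        raise ValueError(f"unknown mask keyword: {kind}")
    start_ip, end_ip = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    if end_ip < start_ip:
        raise ValueError("pool end address precedes start address")
    subnet = ipaddress.IPv4Network(f"{start_ip}/{prefix}", strict=False)
    if end_ip not in subnet:
        raise ValueError(f"{end_ip} is not in {subnet}: pool spans more than one /{prefix}")
    addresses = [ipaddress.IPv4Address(i) for i in range(int(start_ip), int(end_ip) + 1)]
    return {"name": name, "prefix": prefix, "subnet": subnet, "addresses": addresses}

class DynamicNatPool:
    """Hands out inside-global addresses from the pool, one per inside-local host (no overload)."""
    def __init__(self, pool: Dict[str, object]) -> None:
        self.free: List[ipaddress.IPv4Address] = list(pool["addresses"])
        self.table: Dict[str, ipaddress.IPv4Address] = {}  # inside local -> inside global

    def translate(self, inside_local: str) -> Optional[ipaddress.IPv4Address]:
        """Return the inside-global address for a host, or None when the pool is exhausted."""
        if inside_local in self.table:
            return self.table[inside_local]
        if not self.free:
            return None  # no free pool address: this host cannot be translated until one is released
        inside_global = self.free.pop(0)
        self.table[inside_local] = inside_global
        return inside_global

    def release(self, inside_local: str) -> None:
        """Remove a translation, as the router does when the entry times out."""
        inside_global = self.table.pop(inside_local, None)
        if inside_global is not None:
            self.free.append(inside_global)
```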

Hi Rene,

As you mentioned it’s possible to create an entry in our NAT router that whenever one of the hosts sends a ping to an IP address (let’s say 5.5.5.5) that it will be forwarded to Web1.
Based on your diagram would you be able to provide an example of how this can be done? Thanks.

Hello Kenneth

The following lesson describes this configuration using the ip nat outside source command.

I hope this has been helpful!

Laz

Hello Laz,

Under what condition will the ‘outside local’ IP address not be equal to the ‘outside global’ address?
Can you please explain such a scenario?

Thanks,
Sachin

Hello Sachin

Although it is somewhat rare to have such a configuration where the outside local address is not equal to the outside global address, it is useful in some situations. For example, take a look at the following diagram.
[diagram: inside host 10.10.10.1, NAT router, outside host 171.16.68.1]
The internal device with an IP address of 10.10.10.1 can reach the external device with an IP address of 171.16.68.1 by using a destination address of 10.10.10.5. This can be done by creating the appropriate NAT translation in the NAT router. This allows the inside host to reach the outside host using an IP address on its own subnet. As far as it is concerned, the destination host is on the same LAN and subnet.

In this situation, for a communication from the inside host to the outside host, the inside global address is 10.10.10.5 while the outside global address is 171.16.68.1.

I hope this has been helpful!

Laz
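As an added example (constructed for this thread, not code from the lesson or from any participant) that applies the Local/Global and Inside/Outside definitions given earlier in the thread, and also models the outside-local case just discussed: a tiny NAT table with the four address terms, rewriting a packet in each direction. The second table entry assumes that no inside-source translation applies to 10.10.10.1, so its inside local and inside global addresses are the same.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Translation:
    """One NAT table entry, named with the four terms used in the thread."""
    inside_local: str    # real address of the inside host (as seen behind the NAT router)
    inside_global: str   # inside host as seen beyond the NAT router
    outside_local: str   # outside host as seen behind the NAT router
    outside_global: str  # real address of the outside host (as seen beyond the NAT router)

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

def inside_to_outside(pkt: Packet, table: List[Translation]) -> Optional[Packet]:
    """Rewrite a packet crossing from inside to outside: Local terms become Global terms."""
    for t in table:
        if pkt.src == t.inside_local and pkt.dst == t.outside_local:
            return Packet(src=t.inside_global, dst=t.outside_global)
    return None  # no entry matched; a real router would fall through to its other NAT rules

def outside_to_inside(pkt: Packet, table: List[Translation]) -> Optional[Packet]:
    """Rewrite a reply crossing from outside to inside: Global terms become Local terms."""
    for t in table:
        if pkt.src == t.outside_global and pkt.dst == t.inside_global:
            return Packet(src=t.outside_local, dst=t.inside_local)
    return None

def show_row(t: Translation) -> str:
    """One row in the column order used by 'show ip nat translations':
    Inside global, Inside local, Outside local, Outside global."""
    return f"{t.inside_global:<18}{t.inside_local:<18}{t.outside_local:<18}{t.outside_global}"

# Constructed entries. Entry 1 is the usual inside-source case from the explanation above:
# only the inside host is translated, so outside local == outside global.
# Entry 2 is the outside-source case: the inside host reaches the outside host by sending
# to 10.10.10.5 (outside local), which the router rewrites to 171.16.68.1 (outside global).
NAT_TABLE = [
    Translation("10.10.10.5", "147.52.3.17", "205.10.10.47", "205.10.10.47"),
    Translation("10.10.10.1", "10.10.10.1", "10.10.10.5", "171.16.68.1"),
]

if __name__ == "__main__":
    for entry in NAT_TABLE:
        print(show_row(entry))
    print(inside_to_outside(Packet("10.10.10.1", "10.10.10.5"), NAT_TABLE))
```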