How to configure Dynamic NAT on Cisco IOS Router

Hello Sumit[quote=“sshar057, post:20, topic:893”]
This means we can use extendable keyword only when we are mapping port to an IP address…??

If you are mapping only the IP address (without specifying ports), you would use a command such as this:

ip nat inside source static tcp

However, if you want to map multiple ports of the same IP address pair, you would have to specify the transport layer protocol (tcp/udp) and the ports being mapped. In the example I gave above, you can see that multiple instances of the same IP address are used, however it is the ports that are changing. (Also, if you don’t put in the extendable keyword, IOS will put it in for you in the config).

Reversible means that you can apply a route map on outside to inside translation, yes, without the need for the creation of an initial inside to outside translation first.

Because the extendable keyword is used only when referring to specific IP addresses and ports and the reversible keyword is only used with route maps, you wouldn’t be able to employ both in the same statement and have it function correctly. Each is used in a different sort of NAT application.

Do you have any examples where you’ve seen both used in the same statement? If so, please share it and we can further discuss it.

I hope this has been helpful!


What difference does the prefix length really make? I mean you’ve selected 11 possible host addresses, so I struggle to see the relevance of it.

Hello Chris

This is a very valid question. Essentially, in a command such as the following, the prefix-length parameter is essentially a sanity check.

NAT(config)#ip nat pool MYPOOL prefix-length 24

You could have easily used the prefix length of 23 or 25 and it would work correctly with the above IP addresses. However, it is always best practice to confirm that you use the real prefix length of the actual subnet in question.

I hope this has been helpful!


1 Like

Hi Lazaros

Can you please tell me how can we use prefix-length of 23 or 25 instead of 24…


Hello Sumant

When you implement a NAT translation such as the one in the lesson:

NAT(config)#ip nat pool MYPOOL prefix-length 24

it is always best practice to use the prefix length that has been given to you by the ISP (in the case of an enterprise edge configuration) or the actual subnet mask that you want the translated external IP to have. The reason for this is that the prefix will actually apply the corresponding subnet mask to the translated IP address, so the router will know which destination IP addresses are in the subnet and which are not (and should subsequently be sent to the default gateway of the subnet).

So to clarify my point, whether you use 23 or 25, the range of the pool will still be in that prefix range, however, the actual subnet mask of the specific translated IP address will be different. For this reason, it is important to us the appropriate prefix based on the subnet to be used for the specific translated address.

I hope this has been helpful!


Hi Rene,

As you mentioned it’s possible to create an entry in our NAT router that whenever one of the hosts sends a ping to an IP address (let’s say that it will be forwarded to Web1.
Based on your diagram would you be able to provide an example of how this can be done? Thanks.

Hello Kenneth

The following lesson describes this configuration using the ip nat outside source command.

I hope this has been helpful!


Hello Laz,

Under what condition ‘outside local’ ip address will not be equal to ‘outside global’ address ?
Can you please explain such scenario ?


Hello Sachin

Although it is somewhat rare to have such a configuration where the outside local address is not equal to the outside global address, it is useful in some situations. For example, take a look at the following diagram.
The internal device with an IP address of can reach the external device with an IP address of by using a destination address of This can be done by creating the appropriate NAT translation in the NAT router. This allows the inside host to reach the outside host using an IP address on its own subnet. As far as it is concerned, the destination host is on the same LAN and subnet.

In this situation, for a communication from the inside host to the outside host, the inside global address is while the outside global address is

I hope this has been helpful!