Configuring Static and Dynamic NAT Simultaneously

Document ID: 13778

Introduction
In some situations, you may find it necessary to configure both static and dynamic Network Address Translation (NAT) commands on a Cisco router. This document explains how you can do this, and gives a sample scenario.

Prerequisites
Requirements
Knowledge of basic NAT concepts and operations is helpful:

• How NAT Works
• NAT Order of Operation

For additional information, please see the Related Information section of this document.

Components Used
The information in this document is based on these software and hardware versions:

• Cisco 3600 Series routers
• Cisco IOS® Software Release 12.3(3)

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions
For more information on document conventions, refer to the Cisco Technical Tips Conventions.

Configuring NAT
With dynamic NAT, translations do not exist in the NAT table until the router receives traffic that requires translation. Dynamic translations have a timeout period after which they are purged from the translation table.

With static NAT, translations exist in the NAT translation table as soon as you configure static NAT command(s), and they remain in the translation table until you delete the static NAT command(s).

The following network diagram is an example:

These commands are configured on the NAT router shown above:

NAT Router
version 12.3
ip nat pool test 172.16.131.2 172.16.131.10 netmask 255.255.255.0
!--- Refer to ip nat pool for more details on the command.
ip nat inside source list 7 pool test
!--- Refer to ip nat inside source for more details on the command.
ip nat inside source static 10.10.10.1 172.16.131.1
interface e 0
 ip address 10.10.10.254 255.255.255.0
 ip nat inside
interface s 0
 ip address 172.16.130.2 255.255.255.0
 ip nat outside
ip route 192.168.10.0 255.255.255.0 172.16.130.1
access-list 7 permit 10.10.10.0 0.0.0.255

The configuration on the InsideA device is:

InsideA Router
version 12.3
interface Ethernet1/0
 ip address 10.10.10.1 255.255.255.0
 half-duplex
!
ip route 0.0.0.0 0.0.0.0 10.10.10.254

The configuration on the OutsideA device is:

OutsideA Router
version 12.3
hostname outsideA
!
!
!
interface Serial1/0
 ip address 172.16.130.1 255.255.255.0
 serial restart-delay 0
 clockrate 64000
!
interface FastEthernet2/0
 ip address 192.168.10.1 255.255.255.0
 speed auto
 half-duplex
ip route 172.16.0.0 255.255.0.0 172.16.130.2

Using the show ip nat translations command, you can see the contents of the translation table:

NATrouter#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- 172.16.131.1       10.10.10.1         ---                ---

Notice that only the static translation is listed in the translation table. This entry translates the inside global address back to the inside local address, which means that devices on the outside cloud can send packets to the global address 172.16.131.1 and reach the device on the inside cloud, which has the local address 10.10.10.1. The same is shown below:

outsideA#ping 172.16.131.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.131.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/32/32 ms

NATrouter#debug ip nat
18:12:06: NAT*: s=172.16.130.1, d=172.16.131.1->10.10.10.1 [1005]
18:12:06: NAT: s=10.10.10.1->172.16.131.1, d=172.16.130.1 [1005]
18:12:06: NAT*: s=172.16.130.1, d=172.16.131.1->10.10.10.1 [1006]
18:12:06: NAT*: s=10.10.10.1->172.16.131.1, d=172.16.130.1 [1006]
18:12:06: NAT*: s=172.16.130.1, d=172.16.131.1->10.10.10.1 [1007]
18:12:06: NAT*: s=10.10.10.1->172.16.131.1, d=172.16.130.1 [1007]
18:12:06: NAT*: s=172.16.130.1, d=172.16.131.1->10.10.10.1 [1008]
18:12:06: NAT*: s=10.10.10.1->172.16.131.1, d=172.16.130.1 [1008]
18:12:06: NAT*: s=172.16.130.1, d=172.16.131.1->10.10.10.1 [1009]
18:12:06: NAT*: s=10.10.10.1->172.16.131.1, d=172.16.130.1 [1009]

No other translations are generated or entered into the translation table until the router receives a packet on its inside interface with a source address permitted by access control list (ACL) 7. However, since there are not any dynamic translations entered yet, outside devices cannot reach any of the inside devices (other than 10.10.10.1), not even if they send packets to a global address (172.16.131.2 through 172.16.131.10). When the router receives a packet destined for one of these global addresses, it checks the translation table for an existing translation. If there is none, it tries to route the packet. This NAT behavior is discussed further in Sample Configuration Using the ip nat outside source list Command and Sample Configuration Using the ip nat outside source static Command.

In the above topology, if communication between inside and outside network devices is only originated by the inside devices, dynamic translation works fine. But what if an email server is added on the inside network that needs to receive packets originated by the outside? Now you have to configure a static NAT entry so that email servers on the outside can originate communication with the email server on the inside. If in the example above the email server is the device with the local address of 10.10.10.1, you already have a static translation. However, in cases where you do not have many global addresses to spare and you need to statically configure a single device for NAT, you can use a configuration such as the one below:

NAT Router
ip nat inside source list 7 interface serial 0 overload
ip nat inside source static tcp 10.10.10.1 25 172.16.130.2 25
!--- Refer to ip nat inside source for more details on the command.
interface e 0
 ip address 10.10.10.254 255.255.255.0
 ip nat inside
!--- For more details on the ip nat inside|outside command,
!--- please refer to ip nat inside.
interface s 0
 ip address 172.16.130.2 255.255.255.0
 ip nat outside
access-list 7 permit 10.10.10.0 0.0.0.255
ip route 0.0.0.0 0.0.0.0 172.16.130.1

In the above example, NAT is configured to overload on Serial 0's IP address. This means that more than one inside local address can be dynamically translated to the same global address, in this case, the address assigned to Serial 0. In addition, NAT is statically configured so that packets sourced from local address 10.10.10.1 with TCP port 25 (SMTP) are translated to Serial 0's IP address, TCP port 25. Since this is a static NAT entry, email servers on the outside can originate SMTP (TCP port 25) packets to the global address of 172.16.130.2.

Note: Although it is possible to use the same global address for both the dynamic and static NAT, whenever possible it is better to use different global addresses.

The NAT translation table has the following entry:

NATRouter#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
tcp 172.16.130.2:25    10.10.10.1:25      ---                ---

The debug ip nat output shows the NAT translation when the outsideA device accesses InsideA:

04:21:16: NAT: s=192.168.10.1, d=172.16.130.2->10.10.10.1 [9919]
04:21:16: NAT: s=10.10.10.1->172.16.130.2, d=192.168.10.1 [0]
04:21:16: NAT*: s=192.168.10.1, d=172.16.130.2->10.10.10.1 [9922]
04:21:16: NAT*: s=192.168.10.1, d=172.16.130.2->10.10.10.1 [9923]
04:21:16: NAT*: s=10.10.10.1->172.16.130.2, d=192.168.10.1 [1]
04:21:16: NAT*: s=10.10.10.1->172.16.130.2, d=192.168.10.1 [2]
04:21:16: NAT*: s=10.10.10.1->172.16.130.2, d=192.168.10.1 [3]
04:21:16: NAT*: s=192.168.10.1, d=172.16.130.2->10.10.10.1 [9927]
04:21:16: NAT*: s=10.10.10.1->172.16.130.2, d=192.168.10.1 [4]
04:21:16: NAT: s=10.10.10.1->172.16.130.2, d=192.168.10.1 [5]
04:21:16: NAT*: s=192.168.10.1, d=172.16.130.2->10.10.10.1 [9931]
04:21:17: NAT*: s=192.168.10.1, d=172.16.130.2->10.10.10.1 [9934]
04:21:17: NAT: s=192.168.10.1, d=172.16.130.2->10.10.10.1 [9935]
04:21:17: NAT*: s=10.10.10.1->172.16.130.2, d=192.168.10.1 [6]

In summary, dynamic NAT requires packets to be switched through the NAT router in order to generate NAT translations in the translation table. If you use the ip nat inside command, these packets must originate from the inside. If you use the ip nat outside command, these packets must originate on the outside. Static NAT does not require packets to be switched through the router, and translations are statically entered into the translation table.

Related Information

• Configuring Network Address Translation: Getting Started
• How NAT Works
• NAT Frequently Asked Questions
• How to Change the Dynamic NAT Configuration
• NAT Technical Support Page
• Technical Support - Cisco Systems

© 2009 - 2010 Cisco Systems, Inc. All rights reserved.
Updated: Jan 24, 2006
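To make the translation-table behavior described in this document concrete, here is a small Python model of both NAT Router configurations shown above. It is an added illustration, not Cisco IOS code. It replays the ping and SMTP exchanges from the debug ip nat output against a simulated table and shows the point a defender cares about: a static entry is reachable from the outside as soon as it is configured, a pool address is not reachable until an inside host has created a dynamic entry (and becomes unreachable again once that entry is purged), and with overload only the statically mapped TCP port 25 is exposed on the Serial 0 address. The sequential PAT port allocator, the single 24-hour purge timer, the port 80 probe and the extra inside hosts 10.10.10.2 and 10.10.10.3 are constructed assumptions that do not appear in the document.

```python
from ipaddress import ip_address, ip_network

ADDRESS_TIMEOUT = 86400  # assumed purge timer for dynamic entries (IOS default is 24 h)


class NatRouter:
    """Toy model of the IOS NAT translation table (added example, not Cisco code)."""

    def __init__(self, inside_acl, pool=(), overload_addr=None, timeout=ADDRESS_TIMEOUT):
        self.acl = ip_network(inside_acl)     # access-list 7 permit 10.10.10.0 0.0.0.255
        self.pool = list(pool)                # ip nat pool test 172.16.131.2 172.16.131.10 ...
        self.overload_addr = overload_addr    # ip nat inside source list 7 interface serial 0 overload
        self.timeout = timeout
        self.next_port = 1024                 # constructed PAT port allocator (IOS keeps ports when it can)
        # (proto, inside_local) -> [inside_global, is_static, last_used]
        self.table = {}

    def add_static(self, local, glob, proto="---", port=None):
        """ip nat inside source static [tcp <local> <port>] <global> [<port>]:
        the entry exists as soon as it is configured and never ages out."""
        suffix = f":{port}" if port is not None else ""
        self.table[(proto, local + suffix)] = [glob + suffix, True, 0]

    def _age(self, now):
        for key, (_, static, last) in list(self.table.items()):
            if not static and now - last > self.timeout:
                del self.table[key]           # only dynamic entries are purged

    def inside_to_outside(self, src, proto="---", sport=None, now=0):
        """Packet entering the ip nat inside interface. Returns the translated
        source (address or address:port) or None when nothing translates it."""
        self._age(now)
        keys = [("---", src)]
        if sport is not None:
            keys.insert(0, (proto, f"{src}:{sport}"))
        for key in keys:                      # an existing static or dynamic entry wins
            if key in self.table:
                self.table[key][2] = now
                return self.table[key][0]
        if ip_address(src) not in self.acl:
            return None                       # not permitted by list 7: routed untranslated
        if self.overload_addr:                # PAT: many locals share the Serial 0 address
            self.next_port += 1
            key, glob = (proto, f"{src}:{sport}"), f"{self.overload_addr}:{self.next_port}"
        else:                                 # dynamic pool: one global address per local host
            used = {entry[0] for entry in self.table.values()}
            free = [addr for addr in self.pool if addr not in used]
            if not free:
                return None                   # pool exhausted: packet dropped
            key, glob = ("---", src), free[0]
        self.table[key] = [glob, False, now]  # created only now, by inside-originated traffic
        return glob

    def outside_to_inside(self, dst, proto="---", dport=None, now=0):
        """Packet entering the ip nat outside interface. Returns the inside local
        destination, or None when no entry matches and the router only routes it."""
        self._age(now)
        wanted = f"{dst}:{dport}" if dport is not None else dst
        for (p, local), entry in self.table.items():
            if entry[0] == wanted and p in (proto, "---"):
                entry[2] = now
                return local
        return None

    def show_translations(self):
        """Rows in the column order of show ip nat translations."""
        return [f"{p} {entry[0]} {local} --- ---" for (p, local), entry in self.table.items()]


def scenario_static_plus_pool():
    """First NAT Router configuration: one static entry plus pool test."""
    r = NatRouter("10.10.10.0/24", pool=[f"172.16.131.{i}" for i in range(2, 11)])
    r.add_static("10.10.10.1", "172.16.131.1")
    return {
        "table_at_boot": r.show_translations(),
        "outside_ping_static": r.outside_to_inside("172.16.131.1", "icmp"),    # reaches 10.10.10.1
        "outside_to_pool_addr": r.outside_to_inside("172.16.131.2", "icmp"),   # no entry yet: None
        "inside_host_goes_out": r.inside_to_outside("10.10.10.3", "icmp"),     # gets 172.16.131.2
        "outside_to_pool_after": r.outside_to_inside("172.16.131.2", "icmp"),  # now reaches 10.10.10.3
        "after_timeout": r.outside_to_inside("172.16.131.2", "icmp", now=ADDRESS_TIMEOUT + 1),
    }


def scenario_overload_plus_static_tcp():
    """Second NAT Router configuration: overload on Serial 0 plus a static TCP/25 entry."""
    r = NatRouter("10.10.10.0/24", overload_addr="172.16.130.2")
    r.add_static("10.10.10.1", "172.16.130.2", proto="tcp", port=25)
    return {
        "table_at_boot": r.show_translations(),
        "outside_smtp": r.outside_to_inside("172.16.130.2", "tcp", 25),   # only port 25 is exposed
        "outside_http": r.outside_to_inside("172.16.130.2", "tcp", 80),   # constructed probe: None
        "host2_out": r.inside_to_outside("10.10.10.2", "tcp", 40000),     # both share 172.16.130.2
        "host3_out": r.inside_to_outside("10.10.10.3", "tcp", 40000),
        "mail_server_out": r.inside_to_outside("10.10.10.1", "tcp", 25),  # static entry keeps port 25
    }


if __name__ == "__main__":
    for name, result in (("static + pool", scenario_static_plus_pool()),
                         ("overload + static tcp", scenario_overload_plus_static_tcp())):
        print(name)
        for step, value in result.items():
            print(f"  {step}: {value}")
```

The model deliberately stops where the document stops: an outside packet whose destination has no table entry is returned as None, which corresponds to the router simply trying to route it rather than translating it. When auditing a real NAT router, the same distinction is what show ip nat translations gives you: static rows are the inside hosts (or host:port pairs) that the outside can reach unconditionally, while dynamic rows are transient and exist only because an inside host spoke first.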