Static NAT maps inside and outside addresses one-to-one. It allows external devices to establish a session with internal devices using the statically assigned public address. For example, an internal web server is mapped to a specific inside global address.
The figure below illustrates an inside network containing a web server with a private IPv4 address accessible from the outside network using a global IPv4 address.
Router R1 is configured with static NAT, allowing devices on the outside network to access the web server. Static NAT translates the public IPv4 address to the private IPv4 address so that devices outside can reach the web server. The steps for configuring static NAT are the following:
- Create a mapping between the inside local address and the inside global address.
- After mapping, configure the interfaces participating in the translation as inside or outside relative to NAT.
When NAT is applied, the packets arriving at the router’s inside interface are translated and forwarded to the outside interface. Packets arriving on the outside interface are addressed to the configured inside global IPv4 address, translated to the inside local address, and forwarded to the inside network.
Why Static NAT Still Matters in 2025
Despite widespread IPv6 adoption, static NAT remains a critical skill for Cisco network engineers and certification candidates. It is a core topic in:
- CCNA 200-301 (IP Services) – Essential for understanding address translation and internet access.
- CCNP ENARSI 300-410 – Advanced use cases including HSRP integration, NAT64, and SD-Access.
- Real-World Applications – Exposing internal servers (web, email, RDP), preserving IPv4 in hybrid environments, and supporting legacy systems.
Exam Tip: You will likely face 2–3 static NAT questions in CCNA. Know the exact syntax of `ip nat inside source static` and how to verify translations.
Example configuration of Static NAT
There are four basic terms for configuring NAT: inside local, inside global, outside local, and outside global. We discussed these terms in the previous lesson. In this lesson, I am going to explain static NAT briefly. The following topology is used to configure static NAT.

Static NAT Address Terminology
| Term | Meaning | Example in Lab |
|---|---|---|
| Inside Local | Private IP address on the internal device | 192.168.11.101 |
| Inside Global | Public IP address seen by the Internet | 202.128.54.3 |
| Outside Local | IP as seen from the inside (rarely used) | Usually same as global |
| Outside Global | Actual IP of the external client | 201.128.35.2 (PC-1) |
Lab Topology Overview
This lab simulates a typical enterprise scenario:
- R2 – Cisco IOS-XE router acting as the NAT gateway.
- Server1 – Web server at 192.168.11.101 (connected to G0/0).
- Server2 – Web server at 192.168.10.100 (connected to G0/1).
- Public IPs – 202.128.54.3 and 202.128.54.4 assigned to servers.
- PC-1 – Internet client at 201.128.35.2 accessing servers via public IPs.
Interfaces on R2:
- G0/0 → Inside (LAN for Server1)
- G0/1 → Inside (LAN for Server2)
- S0/0/0.100 → Outside (connected to ISP/cloud)
Configuration of Static NAT for Server-1 (192.168.11.100)
```
R2> enable
R2# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)# interface GigabitEthernet0/0
R2(config-if)# description LAN-to-Server1
R2(config-if)# ip address 192.168.11.1 255.255.255.0
R2(config-if)# ip nat inside
R2(config-if)# no shutdown
R2(config-if)# exit
```
Configuration of Static NAT for Server-2 (192.168.11.100)
For Server-2, the inside global address is also reached through the s0/0/0.100 sub-interface, which is marked with `ip nat outside` for both servers, so we do not need to configure `ip nat outside` again.
```
R2(config)# interface GigabitEthernet0/1
R2(config-if)# description LAN-to-Server2
R2(config-if)# ip address 192.168.10.1 255.255.255.0
R2(config-if)# ip nat inside
R2(config-if)# no shutdown
R2(config-if)# exit
```
Configure outside interfaces for both servers.
```
R2(config)# interface Serial0/0/0.100 point-to-point
R2(config-if)# description ISP-Link
R2(config-if)# ip address 202.128.54.1 255.255.255.0
R2(config-if)# ip nat outside
R2(config-if)# no shutdown
R2(config-if)# exit
```
Create Static NAT Mapping
```
R2(config)# ip nat inside source static 192.168.11.101 202.128.54.3
R2(config)# ip nat inside source static 192.168.10.100 202.128.54.4
```
Analyzing Static NAT
The configuration illustrates the static NAT translation process between the client and the web server. Generally, static translations are configured when clients on the internet need to reach devices on the private network. Now look at the above topology and analyze the network after the NAT configuration:
1. PC-1 is on the Internet, and both servers are in the private network. PC-1 wants to open a connection to web server-1. The client sends a packet to server-1 using the public IPv4 destination address 202.128.54.4, which is the inside global address of the web server.
2. Upon receiving the first packet on the outside interface, R2 checks its NAT table. The packet’s destination IPv4 address is found in the NAT table and is translated.
3. R2 translates the inside global address 202.128.54.4 into the inside local address 192.168.11.100 and then forwards the packet to the web server.
4. The web server receives the packet from R2 and replies to PC-1, using the inside local address 192.168.11.100 as the source.
5. R2 receives the packet from the web server on interface g0/1, its inside interface, with a source address equal to the web server’s inside local address, 192.168.11.100.
6. R2 again checks the NAT table for a translation, and the address is found. It translates the source address (inside local address) to the inside global address 202.128.54.4 and forwards the packet out of its serial 0/0/0.100 interface to the client.
7. The client receives the packet and continues the conversation. The NAT router performs Steps 2 to 7 for each packet.
Verifying Static NAT
The `show ip nat translations` command is the main tool for verifying that NAT is working. Its output displays active NAT translations; static translations are always present in the NAT table.
If the command is executed during an active session, the output also shows the address of the outside device, as in the output below; otherwise, it shows only the inside address translation.
```
R2# show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- 202.128.54.3       192.168.10.101     ---                ---
--- 202.128.54.4       192.168.11.100     ---                ---
tcp 202.128.54.3:80    192.168.10.101:80  201.128.35.2:1025  202.128.35.2:1025
tcp 202.128.54.4:80    192.168.11.100:80  201.128.35.2:1026  202.128.35.2:1026
```
We can also use the `show ip nat statistics` command. This command displays the total number of active translations, along with NAT configuration parameters, the number of addresses in the pool, and the number of addresses allocated. The output of this command is shown below.
```
R2# show ip nat statistics
Total translations: 20 (2 static, 18 dynamic, 18 extended)
Outside Interfaces: Serial0/0/0.101
Inside Interfaces: GigabitEthernet0/0 , GigabitEthernet0/1
Hits: 32 Misses: 18
Expired translations: 0
Dynamic mappings:
R2#
```
To verify that the NAT translation works, clear the previous statistics with the `clear ip nat statistics` command before testing. Before sending any packets to the web servers, run `show ip nat statistics`; it will show no current hits. After a session with the server is established, `show ip nat statistics` will show the hit counter incremented.
Packet Flow: How Static NAT Works

- PC-1 sends packet to 202.128.54.3
- R2 receives on outside interface → checks NAT table
- Translates destination to 192.168.11.101
- Forwards to Server1
- Server replies with source 192.168.11.101
- R2 translates source to 202.128.54.3
- Sends to PC-1
Troubleshooting Static NAT (Exam Scenarios)
| Symptom | Command | Likely Fix |
|---|---|---|
| No translation in table | show ip nat translations | Missing ip nat inside or outside |
| Traffic reaches R2 but not server | show ip route | Add static route or enable interface |
| Server replies, client drops | show access-lists | Allow return traffic (ACL blocking) |
| Overlap error | `show run \| section nat` | |
CCNP Tip: Use `ip nat translation timeout never` in labs to prevent entries from expiring.
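The verification and troubleshooting steps above can be combined into one scripted check. This is an added example, not part of the original lesson: it compares an intended configuration with `show ip nat translations` output, handling only the one-to-one `ip nat inside source static <local> <global>` form. Both inputs are constructed from the lab's addresses, and the function names are this example's own.

```python
import re
from ipaddress import ip_address, ip_interface
# Constructed inputs (not device captures); G0/1 deliberately lacks "ip nat inside".
INTENDED_CONFIG = """\
interface GigabitEthernet0/0
 ip address 192.168.11.1 255.255.255.0
 ip nat inside
interface GigabitEthernet0/1
 ip address 192.168.10.1 255.255.255.0
interface Serial0/0/0.100 point-to-point
 ip nat outside
ip nat inside source static 192.168.11.101 202.128.54.3
ip nat inside source static 192.168.10.100 202.128.54.4
"""
SHOW_TRANSLATIONS = """\
Pro Inside global      Inside local       Outside local      Outside global
--- 202.128.54.3       192.168.11.101     ---                ---
tcp 202.128.54.3:80    192.168.11.101:80  201.128.35.2:1025  201.128.35.2:1025
"""

def interfaces(config):
    """Return {name: {"net": IPv4Network or None, "nat": role or None}}."""
    found, cur = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            cur = found.setdefault(line.split()[1], {"net": None, "nat": None})
        elif cur is not None and line.startswith(" ip address "):
            cur["net"] = ip_interface("/".join(line.split()[2:4])).network
        elif cur is not None and line.strip() in ("ip nat inside", "ip nat outside"):
            cur["nat"] = line.split()[2]
    return found

def static_rows(show_output):
    """Return {inside_local: inside_global} for static rows (Pro is '---')."""
    rows = (line.split() for line in show_output.splitlines())
    return {r[2]: r[1] for r in rows if len(r) == 5 and r[0] == "---"}

def audit_static_nat(config, show_output):
    findings, ifs, table = [], interfaces(config), static_rows(show_output)
    pattern = r"^ip nat inside source static (\d\S+) (\d\S+)$"
    for local, glob in re.findall(pattern, config, re.M):
        for name, i in ifs.items():
            if i["net"] and ip_address(local) in i["net"] and i["nat"] != "inside":
                findings.append(f"{name}: missing 'ip nat inside' for {local}")
        if table.get(local) != glob:
            findings.append(f"{local} -> {glob}: no static row in NAT table")
    if not any(i["nat"] == "outside" for i in ifs.values()):
        findings.append("no interface is marked 'ip nat outside'")
    return findings
```

On the constructed inputs, `audit_static_nat(INTENDED_CONFIG, SHOW_TRANSLATIONS)` returns two findings, both for 192.168.10.100: the missing `ip nat inside` on GigabitEthernet0/1 and the absent static row.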
Static NAT vs Dynamic NAT vs PAT
| Feature | Static NAT | Dynamic NAT | PAT (Overload) |
|---|---|---|---|
| Mapping | 1:1 Fixed | 1:1 from Pool | Many:1 with Ports |
| Public IPs Required | One per device | Equal to pool size | Only 1 |
| Best For | Web/DMZ servers | Temporary access | Branch/SOHO |
| Command | ip nat inside source static | ip nat pool + ACL | overload keyword |
| Exam Relevance | CCNA & CCNP | CCNA | CCNA |
