Static NAT maps inside and outside addresses one-to-one. It allows external devices to establish a session to internal devices using the statically assigned public address, for example an internal web server mapped to a specific inside global address.
The figure below illustrates the inside network containing a web server with a private IPv4 address, which is accessible from the outside network using a global IPv4 address. Router R1 is configured with static NAT, allowing devices on the outside network to access the web server. Static NAT translates the public IPv4 address to the private IPv4 address, so the outside devices can access the web server. The steps for configuring static NAT are the following:
- Create a mapping between the inside local address and the inside global addresses
- After mapping, the interfaces participating in the translation are configured as interface inside or interface outside relative to NAT.
When NAT is applied, packets arriving at the inside interface of the router are translated and then forwarded towards the outside interface. Packets arriving on the outside interface that are addressed to the configured inside global IPv4 address are translated to the inside local address and then forwarded to the inside network.
Example configuration of Static NAT
To configure NAT there are four basic terms: inside local, inside global, outside local and outside global. We have discussed these terms in the previous lesson. In this lesson, I am going to explain static NAT briefly. The following topology is used to configure static NAT.
The above figure shows the topology for static NAT configuration. The topology contains an inside network and an outside network. R2 is the NAT router, which translates packets from both web servers with addresses 192.168.10.101 and 192.168.11.100 to public IPv4 addresses 22.214.171.124 and 126.96.36.199. The Internet client directs web requests to the public IPv4 addresses 188.8.131.52 and 184.108.40.206; R2 forwards that traffic to the web servers at IP addresses 192.168.10.101 and 192.168.11.100. Now let's configure R2 for static NAT. All other necessary configuration has been done previously.
Configuration of Static NAT for Server-1 (192.168.11.100)
- R2#config terminal
- R2(config)#interface g0/0
- R2(config-if)#ip nat inside
- R2(config)#interface s0/0/0.100
- R2(config-if)#ip nat outside
- R2(config)#ip nat inside source static 192.168.11.101 220.127.116.11
Configuration of Static NAT for Server-2 (192.168.11.100)
For Server-2, the inside global address is also reached through the s0/0/0.100 sub-interface, which is already marked with ip nat outside, so we do not need to configure ip nat outside again.
- R2(config)#interface g0/1
- R2(config-if)#ip nat inside
- R2(config)#ip nat inside source static 192.168.10.100 18.104.22.168
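The two configuration steps above (a static mapping, plus interfaces marked inside and outside) can be checked mechanically before a change is deployed. The following is an added example, not part of the original lesson: a small Python audit over running-config style text. The sample configuration and the 203.0.113.x inside global addresses are constructed for illustration.

```python
import ipaddress
import re

STATIC_RE = re.compile(r"ip nat inside source static (\S+) (\S+)")

def audit_static_nat(config_text):
    """Return findings for static NAT lines in running-config style text."""
    roles = {"inside": [], "outside": []}    # interfaces per NAT role
    mappings, findings, current_if = [], [], None
    for line in config_text.splitlines():
        if line.startswith("interface "):
            current_if = line.split()[1]
        elif line.startswith(" ") and current_if:
            m = re.fullmatch(r"ip nat (inside|outside)", line.strip())
            if m:
                roles[m.group(1)].append(current_if)
        else:                                 # back at global config level
            current_if = None
            m = STATIC_RE.fullmatch(line.strip())
            if m:
                mappings.append(m.groups())
    for role in ("inside", "outside"):
        if mappings and not roles[role]:
            findings.append(f"no interface marked 'ip nat {role}'")
    seen_local, seen_global = set(), set()
    for local, glob in mappings:
        try:
            ipaddress.ip_address(local)
            ipaddress.ip_address(glob)
        except ValueError:
            findings.append(f"invalid address in mapping {local} -> {glob}")
            continue
        if local in seen_local:
            findings.append(f"inside local {local} mapped twice")
        if glob in seen_global:
            findings.append(f"inside global {glob} mapped twice")
        seen_local.add(local)
        seen_global.add(glob)
    return findings

# Constructed sample with two defects: no outside interface, and one
# inside global (documentation range 203.0.113.0/24) used for two servers.
SAMPLE = """\
interface GigabitEthernet0/0
 ip nat inside
!
ip nat inside source static 192.168.11.100 203.0.113.10
ip nat inside source static 192.168.10.101 203.0.113.10
"""

if __name__ == "__main__":
    print("\n".join(audit_static_nat(SAMPLE)))
```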
Analyzing Static NAT
The configuration illustrates the static NAT translation process between the client and the webserver. Generally, static translations are configured when clients on the internet need to reach devices on the private network. Now look at the above topology and analyze the network after the NAT configuration:
1. PC-1 is located on the internet and both servers are located in the private network. PC-1 wants to open a connection to web server-1. The client sends a packet to server-1 using the public IPv4 destination address of 22.214.171.124. 126.96.36.199 is the inside global address of the web server.
2. Upon receiving the first packet on the outside interface, R2 checks its NAT table. The destination IPv4 address of the packet is found in the NAT table and is translated.
3. R2 translates the inside global address of 188.8.131.52 to the inside local address of 192.168.11.100 and then forwards the packet towards the web server.
4. The web server receives the packet from R2 and replies to PC-1 using the inside local address, 192.168.11.100.
5. R2 receives the packet from the web server on interface g0/1, the inside interface, with a source address of the inside local address of the web server, 192.168.11.100.
6. R2 again checks the NAT table for a translation and the address is found in the NAT table. It translates the source address (inside local address) to the inside global address of 184.108.40.206 and forwards the packet out of its serial 0/0/0.100 interface toward the client.
7. The client receives the packet and continues the conversation. The NAT router performs Steps 2 to 7 for each packet.
Verifying Static NAT
The “show ip nat translations” command is an important command for verifying that NAT is working. The output of this command displays active NAT translations. Static translations are always in the NAT table. If the command is executed during an active session, the output also shows the address of the outside device, as shown in the figure below; otherwise it shows only the inside addresses.
We can also use the “show ip nat statistics” command. This command displays the total number of active translations, the NAT configuration parameters, the number of addresses in the pool, and the number of addresses that have been allocated. The figure below illustrates the output of this command.
To verify that NAT translation is currently working, clear the previous statistics using the clear ip nat statistics command before testing. Before sending any packets to the web servers, execute the “show ip nat statistics” command; it will display no current hits. After a session is established with the server, the “show ip nat statistics” command will show that the hits counter has incremented.
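The translation steps under "Analyzing Static NAT" and the hit-counter check described above can be modelled in a few lines. This is an added example, not part of the original lesson and not how IOS is implemented: a Python model of a one-to-one static table that rewrites the destination on the outside interface and the source on the inside interface. 192.168.11.100 is the lesson's Server-1; the public addresses are constructed from documentation ranges.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

class StaticNat:
    """One-to-one static NAT table with a hit counter (illustrative model)."""

    def __init__(self, local_to_global):
        self.l2g = dict(local_to_global)
        self.g2l = {g: l for l, g in self.l2g.items()}
        if len(self.g2l) != len(self.l2g):
            raise ValueError("static NAT mappings must be one-to-one")
        self.hits = 0

    def clear_statistics(self):
        """Model of resetting the counter before a test."""
        self.hits = 0

    def translate(self, pkt, arrived_on):
        """Translate pkt according to the NAT role of its ingress interface."""
        if arrived_on == "outside":    # destination: inside global -> inside local
            local = self.g2l.get(pkt.dst)
            out = Packet(pkt.src, local) if local else pkt
        elif arrived_on == "inside":   # source: inside local -> inside global
            glob = self.l2g.get(pkt.src)
            out = Packet(glob, pkt.dst) if glob else pkt
        else:
            raise ValueError("arrived_on must be 'inside' or 'outside'")
        if out is not pkt:             # count only packets that matched the table
            self.hits += 1
        return out

# Constructed addresses: the public ones are assumptions, not the lesson's.
SERVER, SERVER_GLOBAL, CLIENT = "192.168.11.100", "203.0.113.10", "198.51.100.7"

def run_session(nat):
    """Replay the request and the reply from the analysis steps."""
    to_server = nat.translate(Packet(CLIENT, SERVER_GLOBAL), "outside")
    to_client = nat.translate(Packet(to_server.dst, CLIENT), "inside")
    return to_server, to_client

if __name__ == "__main__":
    nat = StaticNat({SERVER: SERVER_GLOBAL})
    nat.clear_statistics()
    print(run_session(nat), "hits:", nat.hits)
```

A packet whose address is not in the table is returned unchanged and does not move the counter, which is why a zero hit count after a test session points at the mapping or the interface roles.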