Dynamic NAT Configuration

Dynamic NAT maps inside local addresses to inside global addresses automatically. The inside global addresses are usually public IPv4 addresses. Dynamic NAT uses a pool, that is, a group of public IPv4 addresses, for translation. Like static NAT, it also requires that the inside and outside interfaces participating in NAT be configured. The difference between static and dynamic NAT is that static NAT creates a permanent mapping to a single address, whereas dynamic NAT draws from a pool of addresses.

Dynamic NAT Configuration 7

The example topology shown in the figure above has an inside network containing two LANs, 192.168.10.0/24 and 192.168.11.0/24. R1 is working as a border router. It is configured for dynamic NAT using a pool of public IPv4 addresses, 202.128.54.0/28.

Any inside device can access the internet using the pool of inside global IPv4 addresses. The inside network uses this pool on a first-come, first-served basis. Dynamic NAT translates a single inside address into a single outside address. Like static NAT, dynamic NAT requires enough addresses in the pool to accommodate all the inside devices that want to access the outside network at the same time. If all of the addresses in the pool are already translated to inside addresses, other devices must wait for an available address before they can access the outside network.

Configuring Dynamic NAT

First of all, define the inside global IP pool using the “ip nat pool” command. This pool is usually a group of public IPv4 addresses assigned by the service provider. The pool is defined by indicating the start and end IP addresses together with the netmask or prefix length.

After configuring the pool, dynamic NAT requires a standard ACL. The ACL identifies and permits the addresses that are to be translated. Remember that each ACL ends with an implicit deny all statement.

Now bind the configured ACL to the address pool. We can bind the ACL to the IP pool using the “ip nat inside source list <access-list-number> pool <pool name>” command.

Identify the inside and outside interfaces for NAT, that is, the interfaces that connect to the inside or outside network, and configure them accordingly.

Now I am going to configure the router R1 for dynamic NAT according to the above steps.

  • R2(config)#ip nat pool Global_pool 202.128.54.3 202.128.54.14 netmask 255.255.255.240
  • R2(config)#access-list 1 permit 192.168.10.0 0.0.0.255
  • R2(config)#ip nat inside source list 1 pool Global_pool
  • R2(config)#interface gigabitEthernet 0/0
  • R2(config-if)#ip nat inside
  • R2(config-if)#exit
  • R2(config)#interface serial 0/0/0.101
  • R2(config-subif)#ip nat outside

After the above configuration, the network 192.168.10.0/24 can access the internet, but the network 192.168.11.0/24 still can’t. The network 192.168.11.0/24 still requires the following configuration:

  • R2(config)#access-list 1 permit 192.168.11.0 0.0.0.255
  • R2(config)#interface gigabitEthernet 0/0
  • R2(config-if)#ip nat inside

Now the network 192.168.11.0/24 can access the internet. The outside NAT interface is already configured for the network 192.168.10.0/24, so it is reused as the outside interface. We have only added the ACL permit statement and the “ip nat inside” interface configuration.

Analyzing Dynamic NAT

Using the previous configuration, the figures below illustrate the dynamic NAT translation process between the clients and the web server. The traffic flow from inside to outside is shown step by step:

The host 192.168.11.100 sends an ICMP message to the web server at the public IPv4 address 201.128.35.2. In the figure below, we can read the outbound PDU information. The source IP address is 192.168.11.100 and the destination IP address is 201.128.35.2, the IP address of the web server networkustad.com.

Dynamic NAT Configuration 8

When R2 receives the packet from host 192.168.11.100 on an interface configured as a NAT inside interface, R2 checks its NAT configuration to determine whether this packet should be translated. If the ACL permits the packet, R2 translates it, so it checks its NAT translation table.

If a translation entry is found, R2 forwards the packet. If no translation entry is found, R2 determines that the source address 192.168.11.100 must be translated dynamically. R2 selects the first available global address from the dynamic address pool and creates a translation entry; in this example, as shown in the figure below, that address is 202.128.54.3, which belongs to the inside global address pool. You can see the highlighted entries on the inbound interface and also on the outbound interface. On the outbound interface, the source address is now changed to 202.128.54.3.

Dynamic NAT Configuration 9

R2 replaces the inside local source address of PC1, 192.168.11.100, with the inside global address 202.128.54.3 and forwards the packet. Here I am going to skip the packet’s path through the internet cloud and R1. The server receives the packet from PC1 and responds using the IPv4 destination address 202.128.54.3, as shown in the figure below.

Dynamic NAT Configuration 10

When R2 receives the packet with the destination IPv4 address 202.128.54.3, it performs a NAT table lookup. Using the mapping from the table, R2 translates 202.128.54.3 back to 192.168.11.100, the inside local address, and forwards the packet toward PC1. The same process is followed for host 192.168.10.101.
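The translation process described above (ACL check, table lookup, first-available allocation from the pool, reverse lookup for replies, pool exhaustion and the translation timeout) written out as an added Python model; this is constructed for this page and is not Cisco IOS code. The pool and ACL values mirror the R2 configuration shown earlier; the class and method names are my own.

```python
from ipaddress import ip_address, ip_network

# Constructed model of R2's dynamic NAT configuration on this page.
POOL = [str(ip_address("202.128.54.3") + i) for i in range(12)]   # 202.128.54.3 - .14
ACL_1 = [ip_network("192.168.10.0/24"), ip_network("192.168.11.0/24")]
DEFAULT_TIMEOUT = 24 * 60 * 60   # default "ip nat translation timeout", in seconds


class DynamicNAT:
    """Hypothetical model of the dynamic NAT translation table on a border router."""

    def __init__(self, pool=POOL, acl=ACL_1, timeout=DEFAULT_TIMEOUT):
        self.free = list(pool)      # inside global addresses still available
        self.acl = acl
        self.timeout = timeout
        self.table = {}             # inside local -> (inside global, last use time)

    def _expire(self, now):
        """Remove entries idle longer than the timeout and return their addresses to the pool."""
        for local, (glob, last) in list(self.table.items()):
            if now - last > self.timeout:
                del self.table[local]
                self.free.append(glob)

    def outbound(self, src, now):
        """Packet arriving on an 'ip nat inside' interface: return the source after translation."""
        self._expire(now)
        if not any(ip_address(src) in net for net in self.acl):
            return src              # ACL does not permit it: routed without translation
        if src in self.table:
            glob, _ = self.table[src]           # existing entry is reused
        else:
            if not self.free:
                return None         # pool exhausted: no translation until an address frees up
            glob = self.free.pop(0)             # first available global address
        self.table[src] = (glob, now)
        return glob

    def inbound(self, dst, now):
        """Reply arriving on the 'ip nat outside' interface: map inside global back to inside local."""
        self._expire(now)
        for local, (glob, _) in self.table.items():
            if glob == dst:
                self.table[local] = (glob, now)
                return local
        return None                 # no entry: the reply cannot be delivered inside

    def clear(self):
        """Equivalent of 'clear ip nat translation *': drop all dynamic entries."""
        for glob, _ in self.table.values():
            self.free.append(glob)
        self.table.clear()
```

Passing a small pool and a short timeout shows the waiting behaviour the page describes when the pool is exhausted.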

Dynamic NAT Configuration 11

Verifying Dynamic NAT

The show ip nat translations command is used to verify the dynamic NAT configuration. We have already discussed this command in the static NAT configuration. The command displays all static translations as well as any dynamic translations that have been created by traffic. The figure below illustrates the output of this command for the dynamic NAT configuration.

Dynamic NAT Configuration 12

The translation entries remain in the translation table for 24 hours by default, but we can change the timer with the ip nat translation timeout <timeout-seconds> command in global configuration mode.

We can also clear the dynamic translation entries using the clear ip nat translation command in privileged EXEC mode. To clear all dynamic NAT entries, use the command “clear ip nat translation *” in privileged EXEC mode. Only the dynamic translations are cleared from the table; static translations cannot be cleared from the translation table.

We can also use the show ip nat statistics command. This command displays information about the total number of active translations, the NAT configuration parameters, the total number of addresses in the pool, and the number of addresses currently allocated. We can also use the show running-config command and look for the dynamic NAT configuration.