How to Configure Dynamic NAT

Dynamic NAT maps inside local addresses to inside global addresses automatically. The inside global addresses are usually public IPv4 addresses. Dynamic NAT uses a pool of public IPv4 address or a group public IPv4 addresses for translation.

Dynamic NAT also requires the configuration of the inside and outside interfaces participating in NAT like Static NAT. The difference between static and dynamic NAT is that the static NAT creates a permanent mapping to a single address but dynamic NAT uses a pool of addresses.

Dynamic NAT

The example topology shown in the figure above has an inside network containing two LANs, and The R1 is working as a border router. It is configured for dynamic NAT using a pool of public IPv4 addresses

Any device from the inside devices can access the internet using the pool of inside global IPv4 address pool. The inside network can use this pool on a first-come first-get basis. The dynamic NAT, translate a single inside address into a single outside address.

Like a static NAT, dynamic NAT also required enough addresses in the pool to accommodate all the inside devices want to access the outside network at the same time. If all of the addresses in the pool translated to with inside addresses, other devices will wait for an available address before it can access the outside network.

Configuring Dynamic NAT

First of all, define the inside global IP pool using the“ip nat pool” This pool is usually a group of public IPv4 addresses assigned by the server providers. The pool is defined by indicating the start and end IP addresses including the netmask or prefix-length. 

After configuring the pool, dynamic NAT required a standard ACL. The ACL identify and permit the addresses required to be translated. Don’t forget to configure the implicit deny all statement at the end of each ACL.

Now bind the configured ACL to the address pool. We can bind the ACL with IP pool using theip nat inside source list <access-list-number> pool <pool name>” 

Identify the inside and outside interfaces concerning NAT that connects to the inside or outside network and configure them accordingly.

Now I am going to configure the router R1for dynamic routing according to the above steps.

  • R2(config)#ip nat pool Global_pool netmask
  • R2(config)#access-list 1 permit
  • R2(config)#ip nat inside source list 1 pool Global_pool
  • R2(config)#interface gigabitEthernet 0/0
  • R2(config-if)#ip nat inside
  • R2(config-if)#exit
  • R2(config)#interface serial 0/0/0.101
  • R2(config-subif)#ip nat outside

After the above configuration, the network can access the internet but network is still can’t access the internet. The network is still required configuration:

  • R2(config)#access-list 1 permit
  • R2(config)#interface gigabitEthernet 0/0
  • R2(config-if)#ip nat inside

Now the network can access the internet. The outside NAT interface is already configured for network, it will use the same interface for outside. We have just configured the “ACL permission” and “ip nat inside” interface.

Analyzing Dynamic NAT

Using the previous configuration of the figures illustrate the dynamic NAT translation process between the clients and the webserver. The traffic flow from inside to outside is shown in the below figures step by step:

The hosts send an ICMP message to the webserver at the public IPv4 address in the figure below, we can read the outbound PDU information. The source IP address is and the destination IP address is, the IP address of the webserver

How to Configure Dynamic NAT 1

When R2 receives the packet from host on an interface configured with inside NAT interface, because of inside NAT, R2 checks the NAT configuration to determine if this packet should be translated. If the ACL permits the packet, so R2 will translate the packet. R2 checks its NAT configuration table.

If translation entry found the R2 forward the packet, if no translation entry found the, R2 determines that the source address must be translated dynamically. R2 selects the first available global address from the dynamic address pool and creates a translation entry, in this example, as shown in the figure below 128.54.3.

The above address belongs to the inside global address pool. You can see highlighted entries in the inbound interfaces and also in the outbound interfaces. At the outbound interfaces, the source address is now changed to

How to Configure Dynamic NAT 2

R2 replaces the inside local source address of PC1,, with the inside global addresses of and forwards the packet.  Here I am going to escape the packet on internet cloud and R1. The server receives the packet from PC1 and responds using the IPv4 destination address of as shown in the figure below.

How to Configure Dynamic NAT 3

When R2 receives the packet with the destination IPv4 address of; it performs a NAT table lookup. Using the mapping from the table, R2 translates back to the, the inside local address forwards the packet toward PC1. The same process will be done for host

How to Configure Dynamic NAT 4

Verifying Dynamic NAT

The command show ip nat translations are used to verify the dynamic NAT configuration. We have already discussed this command in the Static NAT configuration.

The command displays all static translations including any dynamic translations that have been created by traffic. The figure below illustrates the output of this command for dynamic NAT configuration.

How to Configure Dynamic NAT 5

The translation entries remain in the translation table for 24 24 hours by default, but we can reconfigure the timer with the ip nat translation timeout <timeout-seconds> command in global configuration mode.

We can also clear the dynamic entries translation using “the clear ip nat translation” command in privileged EXEC mode. To clear dynamic NAT entries use the command “clear ip nat translation * in privileged EXEC mode.  Only the dynamic translations are cleared from the table. Static translations cannot be cleared from the translation table.

We can also use the show ip nat statistics command. The command displays information about the total number of active translations including  NAT configuration parameters, the total addresses in the pool, and currently allocated an address. We can also use the show running-config command and look for dynamic NAT configuration.