How to Configure Static NAT?
Static NAT maps inside and outside addresses one-to-one. It allows external devices to establish a session with internal devices using the statically assigned public address. For example, an internal web server is mapped to a specific inside global address.
The figure below illustrates an inside network containing a web server with a private IPv4 address accessible from the outside network using a global IPv4 address.
Router R1 is configured with static NAT, allowing devices on the outside network to access the web server. Static NAT translates the public IPv4 address to the private IPv4 address so that outside devices can reach the web server. The steps for configuring static NAT are the following:
- Create a mapping between the inside local address and the inside global address.
- After mapping, configure the interfaces participating in the translation as inside or outside relative to NAT.
When NAT is applied, the packets arriving at the router’s inside interface are translated and forwarded to the outside interface. Packets arriving on the outside interface are addressed to the configured inside global IPv4 address, translated to the inside local address, and forwarded to the inside network.
Example configuration of Static NAT
There are four basic terms for configuring NAT: inside local, inside global, outside local, and outside global. We discussed these terms in the previous lesson. In this lesson, I am going to explain static NAT briefly. The following topology is used to configure static NAT.
The above figure shows the topology for static NAT configuration. The topology contains both the inside and outside networks. R2 is the NAT router, which translates packets from web servers with 192.168.10.101 and 192.168.11.100 to public IPv4 addresses 202.128.54.3 and 202.128.54.4.
The Internet client directs web requests to the public IPv4 addresses 202.128.54.3 and 202.128.54.4. R2 forwards that traffic to the web server on IP addresses 192.168.10.101 and 192.168.11.100. Now, let’s configure R2 for static NAT. All other necessary configurations have been done previously.
Configuration of Static NAT for Server-1 (192.168.10.101)
- R2>enable
- R2#config terminal
- R2(config)#interface g0/0
- R2(config-if)#ip nat inside
- R2(config-if)#exit
- R2(config)#interface s0/0/0.100
- R2(config-subif)#ip nat outside
- R2(config-subif)#exit
- R2(config)#ip nat inside source static 192.168.10.101 202.128.54.3
- R2(config)#
Configuration of Static NAT for Server-2 (192.168.11.100)
For Server-2, the outside interface is again the s0/0/0.100 sub-interface, which is already marked with ip nat outside, so we do not need to configure ip nat outside again.
- R2(config)#interface g0/1
- R2(config-if)#ip nat inside
- R2(config-if)#exit
- R2(config)#ip nat inside source static 192.168.11.100 202.128.54.4
- R2(config)#exit
- R2#wr
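One way to check a saved configuration for the two steps above (mapping, then inside/outside interface roles) is a small audit script. This is an added example, not part of the original lesson: the config excerpt is constructed from the addresses in the topology description, and `audit_static_nat` is a hypothetical helper that handles only the one-to-one `ip nat inside source static <local> <global>` form used on this page.

```python
import ipaddress

# Constructed running-config excerpt modelled on the R2 commands above
# (full interface names, as a saved configuration would show them).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 ip nat inside
interface GigabitEthernet0/1
 ip nat inside
interface Serial0/0/0.100
 ip nat outside
ip nat inside source static 192.168.10.101 202.128.54.3
ip nat inside source static 192.168.11.100 202.128.54.4
"""

def audit_static_nat(config):
    """Return (mappings, findings) for one-to-one static NAT statements."""
    roles = {"inside": [], "outside": []}
    mappings, findings, current = [], [], None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # a top-level line ends any interface block
            current = line.split()[1] if line.startswith("interface ") else None
        if current and line in ("ip nat inside", "ip nat outside"):
            roles[line.split()[-1]].append(current)
        elif line.startswith("ip nat inside source static "):
            local, global_ = line.split()[5:7]
            mappings.append((local, global_))
    # Step 2 of the procedure: both interface roles must exist.
    for role in roles:
        if mappings and not roles[role]:
            findings.append(f"no interface marked 'ip nat {role}'")
    # Static NAT is one-to-one, so no address may appear in two mappings.
    for idx, name in ((0, "inside local"), (1, "inside global")):
        seen = set()
        for m in mappings:
            if m[idx] in seen:
                findings.append(f"{name} {m[idx]} is mapped more than once")
            seen.add(m[idx])
    # A public address in the inside-local position usually means swapped arguments.
    for local, _ in mappings:
        if not ipaddress.ip_address(local).is_private:
            findings.append(f"inside local {local} is not a private address")
    return mappings, findings

if __name__ == "__main__":
    print(audit_static_nat(SAMPLE_CONFIG))
```

An empty findings list means every static mapping has both interface roles configured and no address is reused.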
Analyzing Static NAT
The configuration illustrates the static NAT translation process between the client and the web server. Generally, static translations are configured when clients on the internet need to reach devices on the private network. Now look at the above topology and analyze the network after the NAT configuration:
- PC-1 is on the Internet, and both servers are in the private network. PC-1 wants to open a connection to web Server-2. The client sends a packet to Server-2 using the public IPv4 destination address 202.128.54.4, which is the inside global address of the web server.
- Upon receiving the first packet on the outside interface, R2 checks its NAT table. The packet's destination IPv4 address is found in the NAT table, so it is translated.
- R2 translates the inside global address 202.128.54.4 into the inside local address 192.168.11.100 and then forwards the packet to the web server.
- The web server receives the packet from R2 and replies to PC-1, using the inside local address 192.168.11.100 as the source address.
- R2 receives the packet from the web server on interface g0/1, the inside interface, with a source address of the web server's inside local address, 192.168.11.100.
- R2 again checks the NAT table for a translation, and the address is found in the NAT table. It translates the source address (inside local address) to the inside global address 202.128.54.4 and forwards the packet out of its serial 0/0/0.100 interface to the client.
- The client receives the packet and continues the conversation. The NAT router performs Steps 2 to 7 for each packet.
Verifying Static NAT
The “show ip nat translations” command is important for verifying that NAT is working. Its output displays the active NAT translations; static translations are always present in the NAT table, whether or not a session is in progress.
If the command is executed during an active session, the output also indicates the address of the outside device, as shown in the figure below; otherwise, it shows only the inside addresses.
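The check described above can be scripted against captured command output. This is an added example, not part of the original lesson: the sample output is constructed (the outside host 198.51.100.25 is a documentation address), the expected mappings come from the topology description, and `check_translations` is a hypothetical helper.

```python
# Intended static mappings (inside global -> inside local) for R2.
EXPECTED = {"202.128.54.3": "192.168.10.101", "202.128.54.4": "192.168.11.100"}

# Constructed "show ip nat translations" output: two static entries plus one
# session entry created while an outside client talks to 202.128.54.4.
SAMPLE_OUTPUT = """\
Pro Inside global      Inside local       Outside local      Outside global
--- 202.128.54.3       192.168.10.101     ---                ---
tcp 202.128.54.4:80    192.168.11.100:80  198.51.100.25:1025 198.51.100.25:1025
--- 202.128.54.4       192.168.11.100     ---                ---
"""

def check_translations(output, expected):
    """Compare the static entries in the NAT table with the intended mappings."""
    static, sessions = {}, []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] == "Pro":
            continue  # header or unrelated line
        proto, in_global, in_local, out_local, out_global = fields
        if proto == "---" and out_local == "---":
            static[in_global] = in_local          # static one-to-one entry
        else:
            sessions.append({"proto": proto, "inside_global": in_global,
                             "inside_local": in_local, "outside_global": out_global})
    return {
        # configured on paper but absent (or different) on the router
        "missing": {g: l for g, l in expected.items() if static.get(g) != l},
        # present on the router but not intended: an inside host reachable
        # from outside that nobody planned to publish
        "unexpected": {g: l for g, l in static.items() if expected.get(g) != l},
        "sessions": sessions,
    }

if __name__ == "__main__":
    print(check_translations(SAMPLE_OUTPUT, EXPECTED))
```

The `unexpected` entries are the ones to review first, since each static entry makes an inside host reachable from the outside network.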
We can also use the “show ip nat statistics” command. This command displays the total number of active translations, including NAT configuration parameters, the number of addresses in the pool, and the number of addresses allocated. The figure below illustrates the output of this command.
To verify that the NAT translation works, clear the previous statistics using the “clear ip nat statistics” command before testing. Before sending any packet to the web servers, execute the “show ip nat statistics” command; it will display no current hits. After a session is established with the server, the “show ip nat statistics” command will show that the hit counter has incremented.