Friday, January 15, 2016

Lab 2-2: Internet connections - Static NAT

Lab pre-requisites:

Lab 2-1 Packet Tracer Topology Download.

Topology Diagram

Connecting a LAN to the Internet requires a little thought, as there are a few ways of doing it. Here we are going to explore three of them:
  • Static NAT (one-to-one translation)
  • Dynamic NAT (many-to-many translation)
  • Dynamic NAT Overload or PAT (many-to-one translation)

Task 1: Defining static IP addresses and setting a static default route.
Task 2: Configure NAT.
Task 3: Configure PAT.


Let's tackle the first one.

Task 1: Defining static IP addresses and setting a static default route.

In this type of NAT the translation is fixed, so connections can be initiated from either side: hosts on the Internet can reach our private host, and our host can reach the Internet. The NAT table will contain a static entry that presents our local host address (inside local) as a public IP address (inside global). Typically we register that public IP address in DNS, allowing users on the Internet to reach our local host by name.

In this task let's assume that our extra public IP Address is:

Roll up your sleeves and let's make it work.

First, what is necessary to connect a router to the Internet?
  1. The router must have its Internet-facing interface configured with a public IP address. This can be done manually, or the router can obtain a public IP address from a DHCP server located at the ISP.
  2. The router must know how to reach all unknown addresses on the Internet. This can be accomplished by learning Internet prefixes via BGP or by using a 'default route'. Here we're going to use the latter.
  3. CCNA courses do not use the newer NAT Virtual Interface (NVI) method, where each interface is simply marked with 'ip nat enable'. The older, domain-based method is used here, which requires marking which interface is private (ip nat inside) and which interface is connected to the Internet (ip nat outside).
  4. The appropriate NAT method must be configured.
STATIC NAT (one-to-one translation)

In our first approach let's allow Branch router to learn public IP Address using DHCP pool configured on HQ. The pool will only have one IP Address ( In order to do that, type the following configuration on HQ:

HQ Configuration:

HQ#conf t
Enter configuration commands, one per line. End with CNTL/Z.
HQ(config)#ip dhcp pool BRANCH
HQ(config)#ip dhcp excluded-address

We're off to a good start now.

Assign a public IP address to the Branch Fas0/1 interface using DHCP:

Branch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Branch(config)#int fas0/1
Branch(config-if)#ip address dhcp
%DHCP-6-ADDRESS_ASSIGN: Interface FastEthernet0/1 assigned DHCP address, mask, hostname Branch

Notice that apart from the IP address, the Branch router also received a 'default route', as per the HQ DHCP configuration (the pool's default-router setting). A default route learned this way shows up in 'show ip route' as a static route with administrative distance 254, so a manually configured default route would take precedence over it. Now it can send packets towards all unknown IP addresses using HQ as its next-hop router (

Now, let's assume that ISP (Internet Service Provider) has given us another public IP Address for our public server purpose (WWW, SMTP, FTP, etc.). 

Server IP Addresses:

Inside Local: (private)
Inside Global: (host will be seen as this public address)

Since our router already has an IP address dynamically assigned and a default route installed in the routing table, the next step is to mark which interface is private and which one is public.

Branch(config)#int fas0/0
Branch(config-if)#ip nat inside
Branch(config-if)#int fas0/1
Branch(config-if)#ip nat outside

This is where a lot of beginners make mistakes by doing this the opposite way. Remember: the 'ip nat inside' interfaces are the ones facing the LAN (private network); the 'ip nat outside' interface is the one connected to the ISP. With the roles swapped, the 'inside source' rule never matches any packet and nothing gets translated.

Finally, static NAT configuration:

Branch(config)#ip nat inside source static


Let's observe what was installed in the NAT table (show ip nat translations).

It looks good. Whenever the Branch router receives an IP packet destined to it will rewrite the destination to the inside local IP address, as signified by the NAT entry; packets leaving the server are rewritten in the opposite direction, from the inside local to the inside global source address.

This entry never ages out (it is static, not the product of a matched flow). It means that the router will forward packets to your public server whenever it receives an IP packet on its OUTSIDE interface (Fas0/1) with destination IP address
Keep in mind that a one-to-one static entry publishes the whole host, every protocol and every port, not just the service you meant to expose. On a real network it should be paired with an inbound access list on the outside interface, or replaced by port-level static entries that translate only the published ports.
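As an added example (this is not the lab's own configuration), here is how the Branch side would look with the static mapping locked down to the services the server actually publishes. The addresses 192.168.1.10 (inside local) and 203.0.113.10 (inside global), taken from the RFC 1918 and RFC 5737 documentation ranges, and the ACL name FROM-INTERNET are assumed placeholders, not the lab's values, which this copy of the page does not show. The key point is the order of operations: for traffic arriving on the outside interface, IOS evaluates the inbound access list before the global-to-local translation, so the access list has to match the public (inside global) address, not the private one.

```cisco
! Added example, not from the lab. Addresses 192.168.1.10 / 203.0.113.10
! and the ACL name FROM-INTERNET are assumed placeholders.
!
! One-to-one static entry exactly as in the lab: maps every port of
! 192.168.1.10 to 203.0.113.10 and never ages out.
ip nat inside source static 192.168.1.10 203.0.113.10
!
! Alternative (use INSTEAD of the one-to-one entry above, not together
! with it): translate only the published ports. Unsolicited packets to
! any other port of 203.0.113.10 have no entry and are dropped by NAT.
! ip nat inside source static tcp 192.168.1.10 80 203.0.113.10 80
! ip nat inside source static tcp 192.168.1.10 443 203.0.113.10 443
!
! Inbound filter on the outside interface. It is evaluated BEFORE the
! outside-to-inside translation, so every entry references the public
! address 203.0.113.10, never 192.168.1.10.
ip access-list extended FROM-INTERNET
 ! the services we actually publish
 permit tcp any host 203.0.113.10 eq 80
 permit tcp any host 203.0.113.10 eq 443
 ! replies to TCP sessions the server itself opened (flag check only,
 ! not stateful inspection)
 permit tcp any host 203.0.113.10 established
 ! DNS answers for lookups the server performs
 permit udp any eq domain host 203.0.113.10
 ! DHCP replies for the address Fas0/1 obtains with 'ip address dhcp'
 permit udp any eq bootps any eq bootpc
 ! lets the HQ ping test in this lab still succeed
 permit icmp any host 203.0.113.10 echo
 ! everything else is dropped (this is also the implicit default)
 deny ip any any
!
interface FastEthernet0/1
 ip address dhcp
 ip nat outside
 ip access-group FROM-INTERNET in
!
interface FastEthernet0/0
 ip nat inside
```

After pasting this, 'show ip nat translations' still shows the static entry with no timeout, 'show access-lists FROM-INTERNET' shows per-line match counters (a ping from HQ should increment the icmp line, and nothing should hit the lines referencing a private address, because there are none), and 'show ip nat statistics' confirms which interfaces are marked inside and outside. The 'established' keyword only checks TCP flag bits; it is the classic CCNA-level filter, not a stateful firewall, so a production edge router would use CBAC or a zone-based firewall for the return-traffic rule instead.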

Now we can check if HQ router is able to ping

The first two packets of the first ping were lost while ARP was resolving the next hop; the second ping worked 100%.

After two rounds of ping, here's what we find in the NAT table on Branch: alongside the permanent static entry, the router now also lists the individual ICMP flows it translated.

Here's the final configuration of both HQ and Branch.

HQ Configuration:

ip dhcp excluded-address
ip dhcp pool BRANCH

Branch Configuration:

interface FastEthernet0/0
 ip address
 ip nat inside
 duplex auto
 speed auto
interface FastEthernet0/1
 ip address dhcp
 ip nat outside
 duplex auto
 speed auto
ip nat inside source static 

In the next exercise we're going to use Dynamic NAT configuration (many-to-many translation).