Saturday, February 22, 2020

How to configure Dynamic NAT on Cisco IOS Router

It’s time to configure dynamic NAT where we use a pool of IP addresses for translation. I’ll use a fairly simple topology with two hosts and 1 router that will perform NAT:
This time we have 2 host routers on the left side and I’m using another subnet. Let’s prepare the host routers:
Host1(config)#no ip routing
Host1(config)#ip default-gateway 192.168.123.3
Host2(config)#no ip routing
Host2(config)#ip default-gateway 192.168.123.3
Next step is to configure NAT:
NAT(config)#interface fastEthernet 0/0
NAT(config-if)#ip nat inside 
NAT(config)#interface fastEthernet 1/0
NAT(config-if)#ip nat outside
First we’ll configure the correct inside and outside interfaces. Now I will create a pool with IP addresses that we can use for the translation:
NAT(config)#ip nat pool MYPOOL 192.168.23.10 192.168.23.20 prefix-length 24
The ip nat pool command lets us create a pool. I’m calling mine “MYPOOL” and I’m using IP address 192.168.23.10 up to 192.168.23.20. We can now select the hosts that we want to translate:
NAT(config)#access-list 1 permit 192.168.123.0 0.0.0.255
The access-list above matches network 192.168.123.0 /24. That’s where host1 and host2 are located. The last step is to put the access-list and pool together:
NAT(config)#ip nat inside source list 1 pool MYPOOL
The command above selects access-list 1 as the source and we will translate it to the pool called “MYPOOL”. This ensures that host1 and host2 are translated to an IP address from our pool. Now let’s verify our configuration!
Host1#ping 192.168.23.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.23.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/12/28 ms
Host1 is able to ping the webserver, now let’s take a look at our NAT router:
NAT#show ip nat translations  
Pro Inside global      Inside local       Outside local      Outside global
icmp 192.168.23.10:3   192.168.123.1:3    192.168.23.3:3     192.168.23.3:3
--- 192.168.23.10      192.168.123.1      ---                ---
As you can see above, host1 has been translated to IP address 192.168.23.10. The first line is the ICMP session itself; the second line (protocol ---) is the full one-to-one entry that dynamic NAT creates for host1. Because this is dynamic NAT without overload, that entry is bidirectional: while it exists, any device on the outside can reach host1 by sending traffic to 192.168.23.10, and dynamic entries stay in the table until they time out (86400 seconds by default, adjustable with ip nat translation timeout). Now let’s send some traffic from host2 to see the difference in our NAT table…
Host2#ping 192.168.23.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.23.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/9/16 ms
NAT#show ip nat translations 
Pro Inside global      Inside local       Outside local      Outside global
icmp 192.168.23.10:4   192.168.123.1:4    192.168.23.3:4     192.168.23.3:4
--- 192.168.23.10      192.168.123.1      ---                ---
icmp 192.168.23.11:2   192.168.123.2:2    192.168.23.3:2     192.168.23.3:2
--- 192.168.23.11      192.168.123.2      ---                ---
And as you can see, host2 has been translated to IP address 192.168.23.11, the next free address in the pool. Excellent, our dynamic NAT is working! Keep in mind that the pool has only 11 addresses (192.168.23.10 up to 192.168.23.20) while access-list 1 matches 254 possible hosts; once all pool addresses are in use, traffic from additional inside hosts is dropped until an existing translation times out. In case you are wondering what the inside global, inside local, outside local and outside global addresses mean, let me explain:
  • Inside global is the address an inside host is translated to, as seen from the outside network. In our example this is an address from the pool (192.168.23.10 or 192.168.23.11), not the address of the router’s outside interface.
  • Inside local is the real IP address of one of your inside hosts that is translated with NAT (192.168.123.1 for host1, 192.168.123.2 for host2).
  • Outside local is the IP address of the device you are trying to reach, as seen by your inside hosts; in our example the webserver (Web1).
  • Outside global is the real IP address of that same device as it appears on the outside network; in our example also the webserver (Web1).
Why are the outside local and outside global IP addresses the same? This is well outside the scope of the CCNA exam, but with NAT it’s possible to translate more than just from “inside” to “outside”. It’s possible to create an entry in our NAT router so that whenever one of the hosts sends a ping to some IP address (let’s say 5.5.5.5) it is forwarded to Web1. In that example the “outside” webserver is “locally” seen by our hosts as 5.5.5.5 (outside local), while its real address on the outside network is still 192.168.23.3 (outside global).
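To make the relationship between the ACL, the pool and the translation table concrete, here is a small audit script. It is an added example, not part of the original tutorial and not a Cisco tool: it parses a constructed copy of the “show ip nat translations” output shown above, checks that every inside local address is matched by access-list 1 (Cisco wildcard semantics), that every inside global address comes from MYPOOL, that each inside host maps to exactly one pool address, and reports which inside hosts are currently reachable from the outside through a full one-to-one entry. It also compares the number of hosts the ACL can match with the pool size, which is how you spot a pool that can be exhausted.

```python
"""Audit a Cisco IOS dynamic NAT setup against its ACL and pool.

Added example for this tutorial, not code from the original post. The
translation table below is a constructed copy of the tutorial's output.
"""
import ipaddress

# Constructed copy of the NAT router's table after both hosts pinged Web1.
SHOW_NAT = """\
Pro Inside global      Inside local       Outside local      Outside global
icmp 192.168.23.10:4   192.168.123.1:4    192.168.23.3:4     192.168.23.3:4
--- 192.168.23.10      192.168.123.1      ---                ---
icmp 192.168.23.11:2   192.168.123.2:2    192.168.23.3:2     192.168.23.3:2
--- 192.168.23.11      192.168.123.2      ---                ---
"""

POOL_START, POOL_END = "192.168.23.10", "192.168.23.20"  # ip nat pool MYPOOL
ACL_NET, ACL_WILDCARD = "192.168.123.0", "0.0.0.255"     # access-list 1 permit


def _int(addr):
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr, acl_addr, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = 0xFFFFFFFF ^ _int(wildcard)
    return (_int(addr) & care) == (_int(acl_addr) & care)


def acl_host_count(wildcard):
    """Number of addresses a single permit line can match."""
    return 2 ** bin(_int(wildcard)).count("1")


def pool_size(start, end):
    return _int(end) - _int(start) + 1


def in_pool(addr, start, end):
    return _int(start) <= _int(addr) <= _int(end)


def parse_translations(text):
    """Return one dict per row of 'show ip nat translations' (header skipped)."""
    rows = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) != 5:
            continue
        proto, ig, il, ol, og = fields
        # Strip the :port/:id suffix so rows can be compared by address.
        rows.append({
            "proto": proto,
            "inside_global": ig.split(":")[0],
            "inside_local": il.split(":")[0],
            "outside_local": ol.split(":")[0],
            "outside_global": og.split(":")[0],
        })
    return rows


def audit(text, pool_start, pool_end, acl_net, acl_wild):
    rows = parse_translations(text)
    problems = []
    mapping = {}  # inside local -> inside global
    for r in rows:
        if not wildcard_match(r["inside_local"], acl_net, acl_wild):
            problems.append(f"{r['inside_local']} translated but not matched by ACL")
        if not in_pool(r["inside_global"], pool_start, pool_end):
            problems.append(f"{r['inside_global']} is not in the pool")
        # Dynamic NAT without overload is one-to-one: one pool address per host.
        prev = mapping.setdefault(r["inside_local"], r["inside_global"])
        if prev != r["inside_global"]:
            problems.append(f"{r['inside_local']} maps to both {prev} and {r['inside_global']}")
    # Rows with protocol '---' are the full one-to-one entries; while they
    # exist the inside host is reachable from outside at its inside global.
    exposed = sorted({r["inside_global"] for r in rows if r["proto"] == "---"})
    free = pool_size(pool_start, pool_end) - len(set(mapping.values()))
    return {
        "mapping": mapping,
        "exposed": exposed,
        "free_pool_addresses": free,
        "pool_can_be_exhausted": acl_host_count(acl_wild) > pool_size(pool_start, pool_end),
        "problems": problems,
    }


if __name__ == "__main__":
    for key, value in audit(SHOW_NAT, POOL_START, POOL_END, ACL_NET, ACL_WILDCARD).items():
        print(f"{key}: {value}")
```

Run against the table from this tutorial, the audit reports no problems, two exposed pool addresses (one per host), 9 free pool addresses, and flags that the /24 ACL can match far more hosts than the 11-address pool can serve.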
hostname Host1
!
interface FastEthernet0/0
 ip address 192.168.123.1 255.255.255.0
!
no ip routing
ip default-gateway 192.168.123.3
!
end
hostname Host2
!
interface FastEthernet0/0
 ip address 192.168.123.2 255.255.255.0
!
no ip routing
ip default-gateway 192.168.123.3
!
end
hostname NAT
!
interface FastEthernet0/0
 ip address 192.168.123.3 255.255.255.0
 ip nat inside 
!
interface FastEthernet1/0
 ip address 192.168.23.2 255.255.255.0
 ip nat outside
!
ip nat pool MYPOOL 192.168.23.10 192.168.23.20 prefix-length 24
access-list 1 permit 192.168.123.0 0.0.0.255
ip nat inside source list 1 pool MYPOOL
!
end
hostname Web1
!
interface FastEthernet0/0
 ip address 192.168.23.3 255.255.255.0
!
end
That’s the end of this Dynamic NAT tutorial. I hope this has been helpful to you. If you have any questions feel free to ask!
