Static NAT on Cisco IOS

Let’s look at how to configure static NAT on a Cisco router. Here’s the topology I will use:

static nat inside outside

Above, you see 3 routers called Host, NAT, and Web1. Imagine our host is on our LAN and the webserver is somewhere on the Internet. Our NAT router in the middle is our connection to the Internet.

There’s a cool trick on our routers that we can use. It’s possible to disable “routing” on a router that turns it into a normal host that requires a default gateway. This is very convenient because it will save you the hassle of connecting real computers/laptops to your lab. Use no ip routing to disable the routing capabilities:

Host(config)#no ip routing
Web1(config)#no ip routing

The routing table is now gone. Let me show you:

Host#show ip route 
Default gateway is not set

Host               Gateway           Last Use    Total Uses  Interface
ICMP redirect cache is empty
Web1#show ip route 
Default gateway is not set

Host               Gateway           Last Use    Total Uses  Interface
ICMP redirect cache is empty

As you can see, the routing table on the host and Web1 is gone. We’ll have to configure a default gateway on router Host and Web1, or they won’t be able to reach each other:

Host(config)#ip default-gateway 192.168.12.2
Web1(config)#ip default-gateway 192.168.23.2

Both routers can use router NAT as their default gateway. Let’s see if they can reach each other:

Host#ping 192.168.23.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.23.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/8/12 ms

Reachability is no issue, as you can see. Now let me show you a neat trick:

Web1#debug ip packet 
IP packet debugging is on

I can use debug ip packet to see the IP packets that I receive. Don’t do this on a production network, or you’ll be overburdened with debug messages! Now let’s send that ping again…

Web1#
IP: s=192.168.12.1 (FastEthernet0/0), d=192.168.23.3, len 100, rcvd 1

Above, you see that our router has received an IP packet with the source IP address 192.168.12.1 and the destination IP address 192.168.23.3.

IP: tableid=0, s=192.168.23.3 (local), d=192.168.12.1 (FastEthernet0/0), routed via RIB

And it will reply with an IP packet with source address 192.168.23.3 and destination address 192.168.12.1.

Now let’s configure NAT so you can see the difference:

NAT(config)#interface fastEthernet 1/0
NAT(config-if)#ip nat inside
NAT(config)#interface fastEthernet 0/0
NAT(config-if)#ip nat outside

First we’ll have to configure the inside and outside interfaces. Our host is the “LAN” side so it’s the inside. Our web server is “on the Internet” so it’s the outside of our network. Now we can configure our static NAT rule:

We're Sorry, Full Content Access is for Members Only...

If you like to keep on reading, Become a Member Now!

  • Learn any CCNA, CCNP and CCIE R&S Topic. Explained As Simple As Possible.
  • Try for Just $1. The Best Dollar You’ve Ever Spent on Your Cisco Career!
  • Full Access to our 799 Lessons. More Lessons Added Every Week!
  • Content created by Rene Molenaar (CCIE #41726)
570 Sign Ups in the last 30 days
satisfaction-guaranteed

  • 100% Satisfaction Guaranteed!
  • You may cancel your monthly membership at any time.
  • No Questions Asked!

Tags: ,


Forum Replies

  1. Hello Rene.

    Fantastic lesson. I have some doubts about NAT like the one described below using your example:

    When a ping is done from the NAT server to the Webserver there is a failure.

    Logs from NAT are reporting this:

    NAT#ping 192.168.23.3
    
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.23.3, timeout is 2 seconds:
    
    *Mar  1 00:12:43.191: IP: tableid=0, s=192.168.23.2 (local), d=192.168.23.3 (FastEthernet0/1), routed via FIB
    *Mar  1 00:12:43.191: IP: s=192.168.23.2 (local), d=192.168.23.3 (FastEthernet0/1), len 100, sending
    *Mar  1 00:1
    ... Continue reading in our forum

  2. Hi Klaus,

    It would be easier if I could see the entire config but something to keep in mind is that traffic generated locally on the router that is configured for NAT doesn’t get translated. Packets have to flow through the router…

    Rene

  3. Renee

    Great lab this one … just out of interest I wanted to see what would happen … (the lab was so succcessful i had to try something to mess it up …) … if I also removed the ip default gateway from the host too (as well as removing the default gateway from the webserver) and it still worked … should this have been the case ? and if so can you explain how the #host (ping) could still get to through to the webserver … jsut curious really if you can have a look

    thanks again
    Will

  4. NOTE: it worked the (translated) ping after having removed BOTH default gateway commands on BOTH #host and #webserver :slight_smile:

  5. Hi William,

    If you used the same topology then you will require a default gateway only on the host and not on the web server anymore. The host will be sending packets to an IP address outside its own subnet but the web server will be communicating with 192.168.23.2 which is on its own subnet.

    Rene

52 more replies! Ask a question or join the discussion by visiting our Community Forum