Static NAT on Cisco IOS

Let’s look at how to configure static NAT on a Cisco router. Here’s the topology I will use:

static nat inside outside

Above, you see 3 routers called Host, NAT, and Web1. Imagine our host is on our LAN and the webserver is somewhere on the Internet. Our NAT router in the middle is our connection to the Internet.

There’s a cool trick on our routers that we can use. It’s possible to disable “routing” on a router that turns it into a normal host that requires a default gateway. This is very convenient because it will save you the hassle of connecting real computers/laptops to your lab. Use no ip routing to disable the routing capabilities:

Host(config)#no ip routing
Web1(config)#no ip routing

The routing table is now gone. Let me show you:

Host#show ip route 
Default gateway is not set

Host               Gateway           Last Use    Total Uses  Interface
ICMP redirect cache is empty
Web1#show ip route 
Default gateway is not set

Host               Gateway           Last Use    Total Uses  Interface
ICMP redirect cache is empty

As you can see, the routing table on the host and Web1 is gone. We’ll have to configure a default gateway on router Host and Web1, or they won’t be able to reach each other:

Host(config)#ip default-gateway
Web1(config)#ip default-gateway

Both routers can use router NAT as their default gateway. Let’s see if they can reach each other:


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/8/12 ms

Reachability is no issue, as you can see. Now let me show you a neat trick:

Web1#debug ip packet 
IP packet debugging is on

I can use debug ip packet to see the IP packets that I receive. Don’t do this on a production network, or you’ll be overburdened with debug messages! Now let’s send that ping again…

IP: s= (FastEthernet0/0), d=, len 100, rcvd 1

Above, you see that our router has received an IP packet with the source IP address and the destination IP address

IP: tableid=0, s= (local), d= (FastEthernet0/0), routed via RIB

And it will reply with an IP packet with source address and destination address

Now let’s configure NAT so you can see the difference:

NAT(config)#interface fastEthernet 1/0
NAT(config-if)#ip nat inside
NAT(config)#interface fastEthernet 0/0
NAT(config-if)#ip nat outside

First we’ll have to configure the inside and outside interfaces. Our host is the “LAN” side so it’s the inside. Our web server is “on the Internet” so it’s the outside of our network. Now we can configure our static NAT rule:

We're Sorry, Full Content Access is for Members Only...

If you like to keep on reading, Become a Member Now! Here is why:

  • Learn any CCNA, CCNP and CCIE R&S Topic. Explained As Simple As Possible.
  • Try for Just $1. The Best Dollar You’ve Ever Spent on Your Cisco Career!
  • Full Access to our 791 Lessons. More Lessons Added Every Week!
  • Content created by Rene Molenaar (CCIE #41726)

1596 Sign Ups in the last 30 days

100% Satisfaction Guaranteed!
You may cancel your monthly membership at any time.
No Questions Asked!

Tags: ,

Forum Replies

  1. Hello Rene.

    Fantastic lesson. I have some doubts about NAT like the one described below using your example:

    When a ping is done from the NAT server to the Webserver there is a failure.

    Logs from NAT are reporting this:

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:
    *Mar  1 00:12:43.191: IP: tableid=0, s= (local), d= (FastEthernet0/1), routed via FIB
    *Mar  1 00:12:43.191: IP: s= (local), d= (FastEthernet0/1), len 100, sending
    *Mar  1 00:1
    ... Continue reading in our forum

  2. Hi Klaus,

    It would be easier if I could see the entire config but something to keep in mind is that traffic generated locally on the router that is configured for NAT doesn’t get translated. Packets have to flow through the router…


  3. Renee

    Great lab this one … just out of interest I wanted to see what would happen … (the lab was so succcessful i had to try something to mess it up …) … if I also removed the ip default gateway from the host too (as well as removing the default gateway from the webserver) and it still worked … should this have been the case ? and if so can you explain how the #host (ping) could still get to through to the webserver … jsut curious really if you can have a look

    thanks again

  4. NOTE: it worked the (translated) ping after having removed BOTH default gateway commands on BOTH #host and #webserver :slight_smile:

  5. Hi William,

    If you used the same topology then you will require a default gateway only on the host and not on the web server anymore. The host will be sending packets to an IP address outside its own subnet but the web server will be communicating with which is on its own subnet.


52 more replies! Ask a question or join the discussion by visiting our Community Forum