📘 CCNA 200-301 v1.1
4.1 Configure and verify inside source NAT using static and pools
1. What is NAT?
NAT (Network Address Translation) rewrites the IP addresses in packets from devices inside a network so that those devices can communicate with devices outside the network (like the Internet).
- Inside local – the IP address of a device inside your network (private IP, like 192.168.1.10).
- Inside global – the IP address seen on the outside network (public IP, like 203.0.113.5).
Purpose in IT networks:
- Allows multiple devices inside a private network to use a smaller number of public IP addresses.
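- Hides internal IP addresses from outside hosts for security. This is address hiding, not traffic filtering: a static NAT entry keeps the inside device reachable from outside, so access control still belongs in ACLs or a firewall.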
2. Types of Inside Source NAT
Inside source NAT translates inside local IPs to inside global IPs. There are two main types for CCNA:
A. Static NAT
- Maps one inside local IP to one inside global IP permanently.
- Use when you need a device inside your network to always be reachable from outside (like a server).
Example:
Inside local IP: 192.168.1.10
Inside global IP: 203.0.113.10
Every time this device sends or receives traffic from the Internet, the NAT translation is always the same.
Configuration in Cisco IOS:
ip nat inside source static 192.168.1.10 203.0.113.10
- ip nat inside source static → command for static NAT
- 192.168.1.10 → inside local IP
- 203.0.113.10 → inside global IP
B. Dynamic NAT using Pools
- Maps inside local IPs to a pool of public IP addresses dynamically.
- Use when you have many devices inside but fewer public IPs. Not every device is guaranteed an IP at all times.
Example:
- Inside local network: 192.168.1.0/24
- Public IP pool: 203.0.113.1 – 203.0.113.5
When a device sends traffic outside, NAT picks an available public IP from the pool. When the session ends, the IP is returned to the pool for others to use.
Configuration in Cisco IOS:
ip nat pool MY_POOL 203.0.113.1 203.0.113.5 netmask 255.255.255.0
ip nat inside source list 1 pool MY_POOL
- ip nat pool MY_POOL 203.0.113.1 203.0.113.5 netmask 255.255.255.0 → defines the public IP pool
- ip nat inside source list 1 pool MY_POOL → says which internal devices (from access-list 1) can use NAT
- Access list example:
access-list 1 permit 192.168.1.0 0.0.0.255
This means all devices in 192.168.1.0/24 network can use NAT.
3. How to tell which interfaces use NAT
- Cisco requires you to mark interfaces as inside or outside for NAT to work:
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
interface GigabitEthernet0/1
 ip address 203.0.113.2 255.255.255.0
 ip nat outside
- ip nat inside → internal interface
- ip nat outside → external interface (toward Internet)
4. How to Verify NAT
Once NAT is configured, you can check:
- Check NAT translations:
show ip nat translations
- Shows which inside local IPs are mapped to which inside global IPs.
- Check NAT statistics:
show ip nat statistics
- Shows how many translations are active, pool usage, etc.
- Test connectivity:
- Use ping or traceroute from internal device to outside network to see if NAT works.
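An offline complement to the show commands above, added here as an example (it is not part of the original guide and not a Cisco tool): a Python check that the configuration pieces from sections 2 and 3 fit together. The function name audit_nat and the sample config assembled from this page's lines are assumptions, and the parser only understands numbered access-lists and the command forms shown on this page.

```python
import ipaddress
import re

# Constructed sample: the configuration lines from this page joined into one config.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
interface GigabitEthernet0/1
 ip address 203.0.113.2 255.255.255.0
 ip nat outside
ip nat inside source static 192.168.1.10 203.0.113.10
ip nat pool MY_POOL 203.0.113.1 203.0.113.5 netmask 255.255.255.0
ip nat inside source list 1 pool MY_POOL
access-list 1 permit 192.168.1.0 0.0.0.255
"""

def audit_nat(config):
    """Hypothetical helper: return a list of findings (empty means consistent)."""
    roles, pools, acls, rules, findings = {}, {}, set(), [], []
    iface = None
    # Pass 1: collect interface roles, pools, ACL numbers and dynamic NAT rules.
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"interface (\S+)", line):
            iface = m.group(1)
        elif m := re.match(r"ip nat (inside|outside)$", line):
            roles[iface] = m.group(1)
        elif m := re.match(r"ip nat pool (\S+) (\S+) (\S+) netmask (\S+)", line):
            pools[m.group(1)] = m.groups()[1:]
        elif m := re.match(r"access-list (\d+) permit", line):
            acls.add(m.group(1))
        elif m := re.match(r"ip nat inside source list (\d+) pool (\S+)", line):
            rules.append(m.groups())
    # Pass 2: cross-check that every piece a NAT rule depends on is present.
    for role in ("inside", "outside"):
        if role not in roles.values():
            findings.append(f"no interface marked 'ip nat {role}'")
    for acl, pool in rules:
        if acl not in acls:
            findings.append(f"access-list {acl} is referenced but not defined")
        if pool not in pools:
            findings.append(f"pool {pool} is referenced but not defined")
    for name, (start, end, mask) in pools.items():
        net = ipaddress.ip_network(f"{start}/{mask}", strict=False)
        first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
        if last < first or last not in net:
            findings.append(f"pool {name} range does not fit netmask {mask}")
    return findings
```

An empty result only means the pieces reference each other correctly; show ip nat translations on the router is still what confirms that traffic is actually being translated.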
5. Key Points for CCNA Exam
- Static NAT: 1-to-1 mapping, always the same.
- Dynamic NAT (pools): many-to-few mapping, chooses an available IP from pool.
- Interfaces must be marked as inside/outside.
- Verify using show ip nat translations and show ip nat statistics.
- Access-lists control which inside devices can use NAT pools.
✅ Simple IT-focused summary:
Think of NAT as a “translator” for your network: it lets devices inside your network talk to the Internet using public IP addresses. Static NAT is like assigning a permanent translator to one device, while dynamic NAT uses a pool of translators for many devices.
