Configuring NAT

For the purpose of this example, I’m going to assume that we’re using NAT overloading (PAT) to allow our internal clients to access the Internet through a single public IP address. We’ll also create a static inbound mapping to allow external clients to gain access to a web server on our private network. The network properties used in this example are the same as those found in this figure.

Our first step involves configuring interface Ethernet 0 with its private IP address, and designating it as the internal NAT interface. The ip nat inside command designates an interface as internal.

Router#config t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#int e0
Router(config-if)#ip address
Router(config-if)#ip nat inside

The next step involves configuring Serial 0 with an IP address, and specifying it as the external NAT interface. External NAT interfaces are defined with the ip nat outside command.

Router(config-if)#int s0
Router(config-if)#ip address
Router(config-if)#ip nat outside

Depending on the NAT technique being used, a range of IP addresses could be configured as part of the NAT “pool”. Because we’re using NAT overloading, this “pool” will only consist of a single address – The subnet mask associated with an address pool is specified with the prefix-length keyword, abbreviated to prefix in the command below.

Router(config)#ip nat pool Toronto prefix 28

After the pool is defined, it needs to be configured for overloading. This is accomplished using the first command shown below, which ties the pool to an access list; the second command defines that list. In this example, access list 88 controls which internal addresses can access the Internet via NAT.

Router(config)#ip nat inside source list 88 pool Toronto overload
Router(config)#access-list 88 permit

Assuming that internal clients are configured with addresses in the range, and that their default gateways are set to, they should now be able to access the Internet through the router’s NAT implementation.

In order to allow external clients to access the web server on our internal private network, we’ll create a mapping that tells NAT to forward all requests to address port 80 to the internal address, port 80. This is accomplished using the command shown below.

Router(config)#ip nat inside source static tcp 80 80

Once implemented, NAT statistics can be viewed using the show ip nat statistics command, while address translations can be viewed using show ip nat translations.
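The following is an added example, not part of the original article or of any Cisco tooling: a small Python check that reads a saved configuration and reports whether the NAT pieces described above are consistent (inside and outside interfaces marked, the overload rule's access list defined and not open to any source) and lists the static port mappings that expose internal hosts. The function name audit_nat and all addresses in the sample are constructed placeholders (RFC 1918 and RFC 5737 ranges), not the values from the article.

```python
import re

# Constructed sample running-config (addresses are RFC 1918 / RFC 5737
# placeholders, not the values used in the article).
SAMPLE_CONFIG = """\
interface Ethernet0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface Serial0
 ip address 203.0.113.1 255.255.255.240
 ip nat outside
!
ip nat pool Toronto 203.0.113.1 203.0.113.1 prefix-length 28
ip nat inside source list 88 pool Toronto overload
ip nat inside source static tcp 192.168.1.10 80 203.0.113.1 80
access-list 88 permit 192.168.1.0 0.0.0.255
"""

def audit_nat(config):
    """Return (findings, exposed) for an IOS-style configuration text."""
    roles, acls, nat_lists, exposed = {}, {}, [], []
    iface = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"interface (\S+)", line):
            iface = m.group(1)  # remember which interface the next lines belong to
        elif m := re.fullmatch(r"ip nat (inside|outside)", line):
            roles.setdefault(m.group(1), []).append(iface)
        elif m := re.match(r"ip nat inside source list (\S+) ", line):
            nat_lists.append(m.group(1))  # ACL that decides who gets translated
        elif m := re.match(r"ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)", line):
            exposed.append(m.groups())  # (proto, local ip, local port, global ip, global port)
        elif m := re.match(r"access-list (\S+) (permit|deny) (.+)", line):
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
    findings = []
    for side in ("inside", "outside"):
        if side not in roles:
            findings.append(f"no interface marked 'ip nat {side}'")
    for acl in nat_lists:
        if acl not in acls:
            findings.append(f"NAT references undefined access-list {acl}")
        elif any(a == "permit" and src.split()[0] == "any" for a, src in acls[acl]):
            findings.append(f"access-list {acl} permits any source")
    return findings, exposed
```

Run it against the text of a saved configuration; an empty findings list means the checks passed, and the exposed list is the set of inbound mappings to review.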

Author: Dan DiNicolo

Dan DiNicolo is a freelance author, consultant, trainer, and the managing editor of He is the author of the CCNA Study Guide found on this site, as well as many books including the PC Magazine titles Windows XP Security Solutions and Windows Vista Security Solutions.