# CCNA 200-301 - Video 14: Network Address Translation (NAT)

## Deep Study Notes

---

## Learning Objectives

By the end of this video, you should understand:

- What NAT is and why it's needed
- IPv4 address scarcity problem
- Static NAT, Dynamic NAT, and PAT (NAT Overload)
- NAT terminology (Inside Local, Inside Global, Outside Local, Outside Global)
- NAT configuration and verification
- NAT troubleshooting

---

## Core Concepts

### 1. The Problem: IPv4 Address Exhaustion

**Problem:** IPv4 uses 32-bit addresses, providing approximately 4.3 billion unique addresses. With the explosion of internet-connected devices, this is insufficient.

**Analogy:** Think of NAT like a company receptionist. The company has one public phone number (public IP). When employees (private IPs) make calls, the receptionist routes calls through that single number. When calls come in, the receptionist knows which employee to route to based on extension numbers (port numbers).

```
WITHOUT NAT (Every Device Needs Public IP)

                  Internet
                     |
        +------------------------+
        |          ISP           |
        |    Public IP Range     |
        +------------------------+
                     |
    +--------+--------+--------+--------+
    |        |        |        |        |
 +------+ +------+ +------+ +------+ +------+
 | PC1  | | PC2  | | PC3  | | PC4  | | PC5  |
 |Public| |Public| |Public| |Public| |Public|
 |  IP  | |  IP  | |  IP  | |  IP  | |  IP  |
 +------+ +------+ +------+ +------+ +------+

PROBLEM:
  • Each device needs a unique public IP
  • Not enough IPv4 addresses for all devices
  • Expensive to acquire public IPs


WITH NAT (Private IPs Share Public IP)

                  Internet
                     |
        +------------------------------+
        |             ISP              |
        |    Public IP: 203.0.113.1    |
        +------------------------------+
                     |
        +------------------------------+
        |            Router            |
        |         NAT Enabled          |
        |  Inside Global: 203.0.113.1  |
        +------------------------------+
                     |
      +----------+----------+----------+----------+
      |          |          |          |          |
 +--------+ +--------+ +--------+ +--------+ +--------+
 |  PC1   | |  PC2   | |  PC3   | |  PC4   | |  PC5   |
 |10.1.1.2| |10.1.1.3| |10.1.1.4| |10.1.1.5| |10.1.1.6|
 |Private | |Private | |Private | |Private | |Private |
 +--------+ +--------+ +--------+ +--------+ +--------+

BENEFIT: All devices share one public IP (or a few)
```

---

### 2. Private IP Address Ranges (RFC 1918)

**Reserved for private use (not routable on internet):**

| Class | Address Range | CIDR | Number of Addresses |
|-------|---------------|------|---------------------|
| **Class A** | 10.0.0.0 - 10.255.255.255 | 10.0.0.0/8 | 16,777,216 |
| **Class B** | 172.16.0.0 - 172.31.255.255 | 172.16.0.0/12 | 1,048,576 |
| **Class C** | 192.168.0.0 - 192.168.255.255 | 192.168.0.0/16 | 65,536 |

**Also Reserved:**

- **Loopback:** 127.0.0.0/8 (localhost)
- **Link-Local (APIPA):** 169.254.0.0/16 (DHCP failure)
- **Multicast:** 224.0.0.0/4
- **Experimental:** 240.0.0.0/4

---

### 3. NAT Terminology

```
NAT TERMINOLOGY

OUTSIDE (Public Network)
  Outside Local (OL)              Outside Global (OG)
  = Outside device as seen        = Outside device as seen
    from inside network             from outside network

  Example: 209.165.200.225        = 209.165.200.225
                                    (same in most cases)

INSIDE (Private Network)
  Inside Local (IL)               Inside Global (IG)
  = Inside device as seen         = Inside device as seen
    from inside network             from outside network

  Example: 192.168.1.10           = 203.0.113.1

NAT TERMS SUMMARY:
  • Inside Local:   Original source IP (private)
  • Inside Global:  Translated source IP (public)
  • Outside Local:  Destination IP as seen from inside (usually public)
  • Outside Global: Destination IP as seen from outside (public)
```

---

### 4. Types of NAT

| Type | Description | Use Case | Translation |
|------|-------------|----------|-------------|
| **Static NAT** | One-to-one mapping | Servers that need inbound access | Private IP <-> Public IP (fixed) |
| **Dynamic NAT** | Many-to-many (pool) | Multiple devices share public pool | Private IP -> First available public |
| **PAT (NAT Overload)** | Many-to-one | Home/office networks | Private IP:Port -> Public IP:Unique Port |

---

### 5. Static NAT

**Definition:** Static NAT creates a permanent, one-to-one mapping between a private IP address and a public IP address.

**Use Case:** Hosting a server (web, email, etc.) that needs to be accessible from the internet.

```
STATIC NAT

 Internet User              Router               Web Server
  +---------+            +---------+            +---------+
  | Client  |            | Router  |            | Server  |
  | 8.8.8.8 |            |         |            |10.1.1.10|
  +----+----+            +----+----+            +----+----+
       |                      |                      |
       | Dest: 203.0.113.10   |                      |
       |--------------------->|                      |
       |                      | Dest: 10.1.1.10      |
       |                      |--------------------->|
       |                      | Src: 10.1.1.10       |
       |                      |<---------------------|
       | Src: 203.0.113.10    |                      |
       |<---------------------|                      |

Static NAT Mapping:
  Inside Local (10.1.1.10) <-> Inside Global (203.0.113.10)
```

**Static NAT Configuration:**

```cisco
! Configure static NAT mapping
Router(config)# ip nat inside source static 10.1.1.10 203.0.113.10

! Identify inside and outside interfaces
Router(config)# interface gigabitEthernet 0/0
Router(config-if)# ip address 10.1.1.1 255.255.255.0
Router(config-if)# ip nat inside
Router(config-if)# no shutdown
Router(config-if)# exit

Router(config)# interface gigabitEthernet 0/1
Router(config-if)# ip address 203.0.113.1 255.255.255.0
Router(config-if)# ip nat outside
Router(config-if)# no shutdown
Router(config-if)# exit

! Verify
Router# show ip nat translations
Router# show ip nat statistics
```

---

### 6. Dynamic NAT

**Definition:** Dynamic NAT maps private IP addresses to a pool of public IP addresses on a first-come, first-served basis.

**Use Case:** When multiple internal devices need internet access but you have a pool of public IPs.

```
DYNAMIC NAT

Public IP Pool: 203.0.113.10 - 203.0.113.15

PC1 (10.1.1.2) -> 203.0.113.10
PC2 (10.1.1.3) -> 203.0.113.11
PC3 (10.1.1.4) -> 203.0.113.12
PC4 (10.1.1.5) -> 203.0.113.13

If more devices than IPs, some wait until IPs free up
```

**Dynamic NAT Configuration:**

```cisco
! Define access list for internal networks
Router(config)# access-list 10 permit 10.1.1.0 0.0.0.255

! Define NAT pool (public IPs)
Router(config)# ip nat pool PUBLIC_POOL 203.0.113.10 203.0.113.15 netmask 255.255.255.0

! Configure dynamic NAT mapping
Router(config)# ip nat inside source list 10 pool PUBLIC_POOL

! Identify inside and outside interfaces
Router(config)# interface gigabitEthernet 0/0
Router(config-if)# ip address 10.1.1.1 255.255.255.0
Router(config-if)# ip nat inside
Router(config-if)# exit

Router(config)# interface gigabitEthernet 0/1
Router(config-if)# ip address 203.0.113.1 255.255.255.0
Router(config-if)# ip nat outside
Router(config-if)# exit

! Verify
Router# show ip nat translations
Router# show ip nat statistics
```

---

### 7. PAT (NAT Overload)

**Definition:** PAT (Port Address Translation) maps multiple private IP addresses to a single public IP address using different port numbers. This is the most common type of NAT.

**Analogy:** An apartment building (private IPs) with one street address (public IP). Mail is delivered to the building, and the doorman (router) delivers to the correct apartment based on apartment number (port number).

```
PAT (NAT OVERLOAD)

Public IP: 203.0.113.1

PC1 (10.1.1.2) Port 12345 --> 203.0.113.1:12345
PC2 (10.1.1.3) Port 12346 --> 203.0.113.1:12346
PC3 (10.1.1.4) Port 12347 --> 203.0.113.1:12347

Outbound Traffic:
  Source: 10.1.1.2:12345  -->  Source: 203.0.113.1:12345

Return Traffic:
  Dest: 203.0.113.1:12345  -->  Dest: 10.1.1.2:12345

NAT Translation Table:
  Inside Local      | Inside Global
  ------------------+-------------------
  10.1.1.2:12345    | 203.0.113.1:12345
  10.1.1.3:12346    | 203.0.113.1:12346
  10.1.1.4:12347    | 203.0.113.1:12347
```

**PAT (NAT Overload) Configuration:**

```cisco
! Define access list for internal networks
Router(config)# access-list 10 permit 10.1.1.0 0.0.0.255

! Configure PAT (NAT Overload)
Router(config)# ip nat inside source list 10 interface gigabitEthernet 0/1 overload

! Alternative with pool (use instead of the interface form above)
Router(config)# ip nat pool PUBLIC_POOL 203.0.113.1 203.0.113.1 netmask 255.255.255.0
Router(config)# ip nat inside source list 10 pool PUBLIC_POOL overload

! Identify inside and outside interfaces
Router(config)# interface gigabitEthernet 0/0
Router(config-if)# ip address 10.1.1.1 255.255.255.0
Router(config-if)# ip nat inside
Router(config-if)# exit

Router(config)# interface gigabitEthernet 0/1
Router(config-if)# ip address 203.0.113.1 255.255.255.0
Router(config-if)# ip nat outside
Router(config-if)# exit

! Verify
Router# show ip nat translations
Router# show ip nat statistics
```

---

### 8. NAT Configuration Steps

**Step-by-Step NAT Configuration:**

```
NAT CONFIGURATION STEPS

STEP 1: Define Inside and Outside Interfaces
    interface gigabitEthernet 0/0
     ip address 10.1.1.1 255.255.255.0
     ip nat inside

    interface gigabitEthernet 0/1
     ip address 203.0.113.1 255.255.255.0
     ip nat outside
        |
        v
STEP 2: Define Translation Method
    Static NAT:
     ip nat inside source static 10.1.1.10 203.0.113.10

    Dynamic NAT:
     access-list 10 permit 10.1.1.0 0.0.0.255
     ip nat pool POOL 203.0.113.10 203.0.113.15 netmask 255.255.255.0
     ip nat inside source list 10 pool POOL

    PAT (NAT Overload):
     access-list 10 permit 10.1.1.0 0.0.0.255
     ip nat inside source list 10 interface gig0/1 overload
        |
        v
STEP 3: Verify Configuration
    show ip nat translations
    show ip nat statistics
    show running-config | include nat
```

---

### 9. NAT Verification Commands

| Command | Purpose |
|---------|---------|
| `show ip nat translations` | Display active NAT translations |
| `show ip nat statistics` | Display NAT statistics (hits, misses, etc.) |
| `show ip nat translations verbose` | Detailed translation info |
| `clear ip nat translation *` | Clear all translations |
| `clear ip nat translation [ip]` | Clear specific translation |
| `debug ip nat` | Debug NAT (use cautiously) |

**Example Outputs:**

```cisco
Router# show ip nat translations
Pro  Inside global      Inside local    Outside local      Outside global
---  203.0.113.10       10.1.1.10       ---                ---
tcp  203.0.113.1:12345  10.1.1.2:12345  209.165.200.1:80   209.165.200.1:80
tcp  203.0.113.1:12346  10.1.1.3:12346  209.165.200.1:443  209.165.200.1:443
icmp 203.0.113.1:12347  10.1.1.4:12347  8.8.8.8:12347      8.8.8.8:12347

Router# show ip nat statistics
Total active translations: 4 (1 static, 3 dynamic; 3 extended)
Outside interfaces:
  GigabitEthernet0/1
Inside interfaces:
  GigabitEthernet0/0
Hits: 1245  Misses: 23
CEF Translated packets: 1245, CEF Punted packets: 23
Expired translations: 12
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 10 interface GigabitEthernet0/1 refcount 3
Total doors: 0
Appl doors: 0
Normal doors: 0
Queued Packets: 0
```

---

### 10. NAT Troubleshooting

| Problem | Symptom | Solution |
|---------|---------|----------|
| **No Translation** | `show ip nat translations` empty | Verify interfaces marked `ip nat inside/outside` |
| **ACL Not Matching** | Traffic not translated | Verify ACL permits source networks |
| **Pool Exhausted** | No translations for new hosts | Increase pool size or use PAT |
| **Outside Access Failure** | Internal hosts can't reach internet | Check default route, NAT configuration |
| **Inbound Access Failure** | External can't reach internal server | Verify static NAT, ACLs, routing |
| **Translation Errors** | `debug ip nat` shows errors | Check for overlapping addresses, misconfiguration |

**Troubleshooting Flow:**

```
NAT TROUBLESHOOTING FLOW

START: Can internal hosts ping external IP?
│
├── NO ──► Check:
│            • Default route to ISP
│            • ISP connectivity
│            • NAT configuration
│
└── YES ──► Check `show ip nat translations`
            │
            ├── Translations exist ──► NAT working
            │
            └── No translations ──► Check:
                                      • ip nat inside/outside on interfaces
                                      • ACL matches source networks
                                      • NAT overload keyword
                                      • show ip nat statistics
```

---

### 11. NAT and ACL Order of Operation

**Router Processing Order (Inbound):**

```
ROUTER PROCESSING ORDER

Inbound (Outside -> Inside):
  1. Inbound ACL (on outside interface)
  2. NAT translation (Outside Local -> Outside Global)
  3. Routing decision
  4. Outbound ACL (on inside interface)
  5. NAT translation (Inside Global -> Inside Local)

Outbound (Inside -> Outside):
  1. Inbound ACL (on inside interface)
  2. Routing decision
  3. NAT translation (Inside Local -> Inside Global)
  4. Outbound ACL (on outside interface)

IMPORTANT: ACLs should match IP addresses BEFORE translation
```

---

## Complete Configuration Examples

### Lab 1: PAT (NAT Overload) - Home/Office Network

**Topology:**

```
Internal Network               Router                        Internet
192.168.1.0/24

PC1 (192.168.1.2) --+
                    +-- Gi0/0 (192.168.1.1) [Router] Gi0/1 (DHCP, Public IP) ---- Internet Server (8.8.8.8)
PC2 (192.168.1.3) --+

Public IP: 203.0.113.1/24
```

**Configuration:**

```cisco
hostname Router
!
! Configure interfaces
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 no shutdown
!
interface GigabitEthernet0/1
 ip address dhcp
 ip nat outside
 no shutdown
!
! Define internal networks
access-list 10 permit 192.168.1.0 0.0.0.255
!
! Configure PAT (NAT Overload)
ip nat inside source list 10 interface GigabitEthernet0/1 overload
!
! Default route to ISP
ip route 0.0.0.0 0.0.0.0 dhcp
!
end
```

---

### Lab 2: Static NAT for Web Server

**Topology:**

```
Internal Network               Router                        Internet
192.168.1.0/24

PC1 (192.168.1.2) ----------+
                            +-- Gi0/0 (192.168.1.1) [Router] Gi0/1 (203.0.113.1) ---- Internet Client (8.8.8.8)
Web Server (192.168.1.10) --+

Public IP: 203.0.113.1/24
```

**Configuration:**

```cisco
hostname Router
!
! Configure interfaces
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 no shutdown
!
interface GigabitEthernet0/1
 ip address 203.0.113.1 255.255.255.0
 ip nat outside
 no shutdown
!
! Static NAT for web server (one-to-one: translates every port, not only HTTP/HTTPS)
ip nat inside source static 192.168.1.10 203.0.113.10
!
! PAT for other internal devices
access-list 10 permit 192.168.1.0 0.0.0.255
ip nat inside source list 10 interface GigabitEthernet0/1 overload
!
! Default route
ip route 0.0.0.0 0.0.0.0 203.0.113.254
!
end
```

---

### Lab 3: Dynamic NAT with Pool

**Topology:**

```
Internal Network               Router                        Internet
10.1.1.0/24

PC1 (10.1.1.2) --+
                 +-- Gi0/0 (10.1.1.1) [Router] Gi0/1 (203.0.113.1) ---- Internet
PC2 (10.1.1.3) --+

Public IP Pool: 203.0.113.10-15/24
```

**Configuration:**

```cisco
hostname Router
!
! Configure interfaces
interface GigabitEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
 no shutdown
!
interface GigabitEthernet0/1
 ip address 203.0.113.1 255.255.255.0
 ip nat outside
 no shutdown
!
! Define internal networks
access-list 10 permit 10.1.1.0 0.0.0.255
!
! Define public IP pool
ip nat pool PUBLIC_POOL 203.0.113.10 203.0.113.15 netmask 255.255.255.0
!
! Configure dynamic NAT
ip nat inside source list 10 pool PUBLIC_POOL
!
! Default route
ip route 0.0.0.0 0.0.0.0 203.0.113.254
!
end
```

---

## Text-Based Diagrams

### NAT Translation Table Example

```
NAT TRANSLATION TABLE

PC1 (10.1.1.2) initiates web request to 8.8.8.8:80

Protocol | Inside Local    | Inside Global     | Outside Local | Outside Global
---------+-----------------+-------------------+---------------+---------------
TCP      | 10.1.1.2:54321  | 203.0.113.1:54321 | 8.8.8.8:80    | 8.8.8.8:80
TCP      | 10.1.1.3:54322  | 203.0.113.1:54322 | 8.8.8.8:80    | 8.8.8.8:80
TCP      | 10.1.1.4:54323  | 203.0.113.1:54323 | 8.8.8.8:443   | 8.8.8.8:443
ICMP     | 10.1.1.2:12345  | 203.0.113.1:12345 | 8.8.8.8:12345 | 8.8.8.8:12345

Return Traffic:
  Packet arrives: Dest = 203.0.113.1:54321
  Router looks up table -> Dest = 10.1.1.2:54321
```

---

## Exam Tips (For CCNA 200-301)

| Topic | What Cisco Tests |
|-------|------------------|
| **NAT Purpose** | Conserve public IPs, allow private IPs to access internet |
| **Private IP Ranges** | 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 |
| **NAT Types** | Static, Dynamic, PAT (NAT Overload) |
| **PAT** | Most common; uses port numbers to differentiate |
| **NAT Terminology** | Inside Local, Inside Global, Outside Local, Outside Global |
| **Commands** | `ip nat inside`, `ip nat outside`, `ip nat inside source` |

### Common Exam Scenarios:

**Scenario 1:** "A company has 200 internal devices but only 5 public IPs. Which NAT type should be used?"

- **Answer:** PAT (NAT Overload) - allows many devices to share few public IPs

**Scenario 2:** "A web server must be accessible from the internet with a fixed public IP. Which NAT type is appropriate?"

- **Answer:** Static NAT - one-to-one permanent mapping

**Scenario 3:** "`show ip nat translations` shows no translations. What is the most likely issue?"

- **Answer:** Interfaces not marked with `ip nat inside/outside`, or ACL not matching traffic

### Mnemonics:

**Private IP Ranges:** **"10 is a lot, 172 is medium, 192 is small"**

- 10.0.0.0/8 (large)
- 172.16.0.0/12 (medium)
- 192.168.0.0/16 (small)

**NAT Terminology:** **"Inside Local is inside looking in, Inside Global is inside looking out"**

- Inside Local = Private IP (as seen from inside)
- Inside Global = Public IP (as seen from outside)

---

## Summary (1-Minute Revision)

```
NAT (Network Address Translation):

PURPOSE:
├── Conserve public IPv4 addresses
├── Allow private IPs to access internet
└── Hide internal network structure

PRIVATE IP RANGES (RFC 1918):
├── 10.0.0.0/8 (Class A)
├── 172.16.0.0/12 (Class B)
└── 192.168.0.0/16 (Class C)

NAT TYPES:
├── Static NAT: 1:1 permanent mapping
├── Dynamic NAT: Many:Many (pool)
└── PAT (NAT Overload): Many:1 (most common)

TERMINOLOGY:
├── Inside Local: Original private IP
├── Inside Global: Translated public IP
├── Outside Local: Destination as seen from inside
└── Outside Global: Destination as seen from outside

CONFIGURATION STEPS:
├── ip nat inside (on inside interface)
├── ip nat outside (on outside interface)
├── Define ACL for internal networks
├── Configure NAT mapping
└── ip nat inside source list [acl] interface [int] overload

VERIFICATION:
├── show ip nat translations
├── show ip nat statistics
└── debug ip nat

PAT (NAT OVERLOAD):
└── ip nat inside source list 10 interface gi0/1 overload
```

---

## Practice Questions

**1. Which RFC defines private IP address ranges?**

- A) RFC 1918
- B) RFC 791
- C) RFC 826
- D) RFC 2131

<details>
<summary>Answer</summary>
<b>A) RFC 1918</b> - This defines private IP address ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16).
</details>

**2. Which NAT type maps many private IPs to a single public IP using port numbers?**

- A) Static NAT
- B) Dynamic NAT
- C) PAT (NAT Overload)
- D) Source NAT

<details>
<summary>Answer</summary>
<b>C) PAT (NAT Overload)</b> - Port Address Translation uses port numbers to differentiate multiple connections to one public IP.
</details>

**3. What is the inside local address?**

- A) Public IP of internal device as seen from outside
- B) Private IP of internal device as seen from inside
- C) Public IP of external device as seen from inside
- D) Private IP of external device

<details>
<summary>Answer</summary>
<b>B) Private IP of internal device as seen from inside</b> - Inside Local is the original private IP address of the internal host.
</details>

**4. Which command marks an interface as the inside NAT interface?**

- A) `ip nat inside`
- B) `ip nat outside`
- C) `nat inside`
- D) `inside nat`

<details>
<summary>Answer</summary>
<b>A) `ip nat inside`</b> - This designates the interface as the internal (private) side for NAT.
</details>

**5. What is the purpose of the `overload` keyword in NAT configuration?**

- A) Enable static NAT
- B) Enable PAT (many-to-one translation)
- C) Enable dynamic NAT
- D) Enable logging

<details>
<summary>Answer</summary>
<b>B) Enable PAT (many-to-one translation)</b> - `overload` enables Port Address Translation, allowing multiple hosts to share one public IP.
</details>

**6. Which IP address range is reserved for private use?**

- A) 192.0.0.0/8
- B) 172.32.0.0/12
- C) 10.0.0.0/8
- D) 169.254.0.0/16

<details>
<summary>Answer</summary>
<b>C) 10.0.0.0/8</b> - This is one of the RFC 1918 private address ranges.
</details>

**7. What command displays active NAT translations?**

- A) `show nat translations`
- B) `show ip nat translations`
- C) `show ip nat table`
- D) `show nat table`

<details>
<summary>Answer</summary>
<b>B) `show ip nat translations`</b> - This shows all active NAT translation entries.
</details>

**8. A company has 1000 internal devices and 1 public IP. Which NAT type is most appropriate?**

- A) Static NAT
- B) Dynamic NAT
- C) PAT (NAT Overload)
- D) NAT Pool

<details>
<summary>Answer</summary>
<b>C) PAT (NAT Overload)</b> - PAT allows many devices to share a single public IP using port numbers.
</details>

**9. Which command configures static NAT mapping?**

- A) `ip nat inside source static 10.1.1.10 203.0.113.10`
- B) `ip nat static 10.1.1.10 203.0.113.10`
- C) `nat static 10.1.1.10 203.0.113.10`
- D) `ip nat inside static 10.1.1.10 203.0.113.10`

<details>
<summary>Answer</summary>
<b>A) `ip nat inside source static 10.1.1.10 203.0.113.10`</b> - Correct syntax for static NAT mapping.
</details>

**10. What does `clear ip nat translation *` do?**

- A) Removes all NAT translations
- B) Displays NAT statistics
- C) Disables NAT
- D) Saves NAT configuration

<details>
<summary>Answer</summary>
<b>A) Removes all NAT translations</b> - This clears all active translation entries from the NAT table.
</details>

**11. Which NAT type is best for hosting a public web server behind a private IP?**

- A) PAT
- B) Dynamic NAT
- C) Static NAT
- D) Source NAT

<details>
<summary>Answer</summary>
<b>C) Static NAT</b> - Provides a fixed, permanent mapping for inbound access to servers.
</details>

**12. A router shows 0 hits in `show ip nat statistics`. What is the most likely cause?**

- A) NAT is working correctly
- B) No traffic is being translated
- C) Too many translations
- D) Interface is down

<details>
<summary>Answer</summary>
<b>B) No traffic is being translated</b> - Zero hits indicates no packets have been translated by NAT.
</details>

---

## Next Steps

After completing Video 14, you should be ready for:

- **Video 15:** IPv6 Addressing and Configuration
- **Video 16:** IPv6 Routing and Transition Mechanisms

**Lab Practice:**

1. Configure PAT (NAT Overload) for a LAN to access internet
2. Configure static NAT for a web server
3. Configure dynamic NAT with a pool of public IPs
4. Verify with `show ip nat translations` and `show ip nat statistics`
5. Test connectivity from internal hosts to external
6. Test inbound access to static NAT server
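
For the verification steps in the lab practice, the following added example (not part of the original notes, and a simplified model of the table lookup rather than IOS code) parses the `show ip nat translations` output from section 9. It lists the one-to-one entries, which translate inbound packets on any port, and shows that an extended PAT entry only translates return traffic of an existing session; the function names and the outside host 198.51.100.7 are assumptions made for the example.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Constructed sample: the `show ip nat translations` output shown in section 9.
SAMPLE = """\
Router# show ip nat translations
Pro  Inside global      Inside local    Outside local      Outside global
---  203.0.113.10       10.1.1.10       ---                ---
tcp  203.0.113.1:12345  10.1.1.2:12345  209.165.200.1:80   209.165.200.1:80
tcp  203.0.113.1:12346  10.1.1.3:12346  209.165.200.1:443  209.165.200.1:443
icmp 203.0.113.1:12347  10.1.1.4:12347  8.8.8.8:12347      8.8.8.8:12347
"""

ADDR = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?$")  # IPv4 with optional :port


class Entry(NamedTuple):
    proto: Optional[str]           # None on a one-to-one (port-less) entry
    inside_global: str
    inside_local: str
    outside_local: Optional[str]
    outside_global: Optional[str]


def _field(value: str) -> Optional[str]:
    """IOS prints '---' for a column that does not apply to the entry."""
    return None if value == "---" else value


def parse_translations(text: str) -> List[Entry]:
    """Return one Entry per translation row; prompt and header lines are skipped."""
    entries = []
    for line in text.splitlines():
        f = line.split()
        # A data row has exactly five columns with addresses in columns 2 and 3.
        if len(f) != 5 or not (ADDR.match(f[1]) and ADDR.match(f[2])):
            continue
        entries.append(Entry(_field(f[0]), f[1], f[2], _field(f[3]), _field(f[4])))
    return entries


def one_to_one_entries(entries: List[Entry]) -> List[Tuple[str, str]]:
    """(inside local, inside global) pairs of entries without protocol or ports.

    These come from static NAT or from a dynamic NAT pool allocation. While such
    an entry exists, the inside host is addressable from outside on every port.
    """
    return [(e.inside_local, e.inside_global) for e in entries if e.proto is None]


def resolve_inbound(entries: List[Entry], proto: str, src: str, dst: str) -> Optional[str]:
    """Inside local address an outside-to-inside packet is translated to, or None.

    Model assumption: an extended (PAT) entry matches only the exact protocol,
    inside global ip:port and outside global ip:port of its session, while a
    one-to-one entry matches any packet sent to its inside global IP and keeps
    the destination port.
    """
    dst_ip, _, dst_port = dst.partition(":")
    for e in entries:
        if e.proto is None:
            if e.inside_global == dst_ip:
                return e.inside_local + (":" + dst_port if dst_port else "")
        elif (e.proto, e.inside_global, e.outside_global) == (proto, dst, src):
            return e.inside_local
    return None  # no matching entry: the packet is not translated


if __name__ == "__main__":
    table = parse_translations(SAMPLE)
    print("one-to-one entries:", one_to_one_entries(table))
    # 198.51.100.7 is a constructed outside host with no session in the table.
    for proto, src, dst in [("tcp", "209.165.200.1:80", "203.0.113.1:12345"),
                            ("tcp", "198.51.100.7:4444", "203.0.113.1:12345"),
                            ("tcp", "198.51.100.7:4444", "203.0.113.10:22")]:
        print(proto, src, "->", dst, "=>", resolve_inbound(table, proto, src, dst))
```

Because a one-to-one entry admits every port, pair the static NAT mapping from Lab 2 with an inbound ACL on the outside interface that permits only the services the server is meant to offer.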