Branch Office — Static NAT + PAT + ACLs
December 10, 2025 - Reading time: 4 minutes

In the previous lessons, you were introduced Static NAT with port restrictions for secure inbound access to internal services. After that we covered PAT (Port Address Translation) for outbound internet access from multiple inside hosts.

In this lesson, we combine these concepts into a single, branch office edge router configuration.


You will:

  1. Configure Static NAT for two servers:

    • Web server: HTTP (port 80) only.

    • FTP server: FTP control channel (port 21) only.

  2. Configure PAT for LAN users so they can share the router’s public IP for outbound internet access.

  3. Secure the configuration with inbound and outbound ACLs:

    • Inbound ACL: Only allows HTTP to the web server and FTP to the FTP server. Blocks everything else from the internet.

    • Outbound ACL: Restricts LAN users to web browsing (HTTP/HTTPS) only.

By the end of this lab, you will see how NAT and ACLs work together to control both inbound and outbound traffic.

Scenario

  • LAN Users: 192.168.1.10–192.168.1.50

  • Web Server: 192.168.1.100 → Public 200.1.1.100 (HTTP only)

  • FTP Server: 192.168.1.101 → Public 200.1.1.101 (FTP control port only)

  • Router Public IP (outside interface): 200.1.1.1 (used for PAT)

Topology:

[LAN] 192.168.1.0/24 --- Fa0/0 [R1] Fa0/1 --- [ISP] 200.1.1.0/24
Fa0/0 (inside):  192.168.1.1/24
Fa0/1 (outside): 200.1.1.1/24

Configuration Steps

Step 1 – Assign IPs and NAT Roles

We must tell the router which interface faces the inside network and which faces the outside network.
This ensures NAT translations occur in the correct direction.

R1(config)# interface FastEthernet0/0
R1(config-if)# ip address 192.168.1.1 255.255.255.0
R1(config-if)# ip nat inside
R1(config-if)# exit

R1(config)# interface FastEthernet0/1
R1(config-if)# ip address 200.1.1.1 255.255.255.0
R1(config-if)# ip nat outside
R1(config-if)# exit

Step 2 – Static NAT for Servers

We create port-specific static NAT so only required services are exposed.
This reduces attack surface while still allowing external access to those services.

Web Server (HTTP only):

R1(config)# ip nat inside source static tcp 192.168.1.100 80 200.1.1.100 80

Maps TCP port 80 of 200.1.1.100 to 192.168.1.100.

FTP Server (FTP control channel only):

R1(config)# ip nat inside source static tcp 192.168.1.101 21 200.1.1.101 21

Maps TCP port 21 of 200.1.1.101 to 192.168.1.101.
This prevents other services on the FTP server from being exposed, unlike full-IP static NAT.

Step 3 – PAT for LAN Users

LAN users share the router’s public IP when accessing the internet.
We first define the inside subnet, then configure PAT to use the outside interface IP.

R1(config)# access-list 1 permit 192.168.1.0 0.0.0.255
R1(config)# ip nat inside source list 1 interface FastEthernet0/1 overload

This is ideal for branch offices without multiple public IPs.

Step 4 – Inbound ACL (Outside Interface)

NAT itself doesn’t block traffic; it only translates addresses.
We use an inbound ACL to allow only:

  • HTTP traffic to the web server’s public IP.

  • FTP control traffic to the FTP server’s public IP.
    Everything else is denied.

R1(config)# access-list 100 permit tcp any host 200.1.1.100 eq 80
R1(config)# access-list 100 permit tcp any host 200.1.1.101 eq 21
R1(config)# access-list 100 deny ip any any
R1(config)# interface FastEthernet0/1
R1(config-if)# ip access-group 100 in

Step 5 – Outbound ACL (Inside Interface)

We restrict LAN users to only HTTP and HTTPS.
This prevents other unwanted outbound connections.

R1(config)# access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq 80
R1(config)# access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq 443
R1(config)# access-list 101 deny ip any any
R1(config)# interface FastEthernet0/0
R1(config-if)# ip access-group 101 out

Verification

NAT Translations

R1# show ip nat translations
Pro  Inside global      Inside local       Outside local      Outside global
tcp  200.1.1.100:80     192.168.1.100:80   ---                ---
tcp  200.1.1.101:21     192.168.1.101:21   ---                ---
icmp 200.1.1.1:10008    192.168.1.10:1     8.8.8.8:1           8.8.8.8:1

Shows static NAT entries for the servers and dynamic PAT entries for LAN users.

NAT Statistics

R1# show ip nat statistics
Total active translations: 3 (2 static, 1 dynamic; 1 extended)
Outside interfaces:
  FastEthernet0/1
Inside interfaces:
  FastEthernet0/0
Hits: X  Misses: X
Dynamic mappings:
-- Inside Source access list 1 interface FastEthernet0/1 refcount 1

ACL Counters

R1# show access-lists 100
R1# show access-lists 101

Confirm the permit/deny counters increase as expected when testing.

NAT/ACL Planning Table

Public IP Inside Host Ports/Proto Purpose ACL Permit Rule
200.1.1.100 192.168.1.100 TCP 80 Web server (HTTP) permit tcp any host 200.1.1.100 eq 80
200.1.1.101 192.168.1.101 TCP 21 FTP server (FTP control channel) permit tcp any host 200.1.1.101 eq 21
200.1.1.1 192.168.1.0/24 Various PAT for internet-bound user traffic Outbound ACL permit tcp ... eq 80/443 only

Common Mistakes

Mistake Symptom Solution
Full-IP static NAT on servers All services exposed Use port-specific static NAT for only required services
Forgot overload in PAT Only one LAN user online Add overload to PAT config
Missing ACL for inbound control Unwanted traffic reaches inside network Apply inbound ACL on outside interface
ACL rules in wrong order Valid traffic blocked Place permit statements above deny statements
Incorrect NAT roles on interfaces NAT doesn’t work Assign ip nat inside / ip nat outside correctly

User Challenge

Modify this configuration so that:

  1. Only 192.168.1.10 can access HTTPS (TCP 443) outbound; all others can only use HTTP (TCP 80).

  2. Add a new static NAT mapping for an SMTP server 192.168.1.102 → 200.1.1.102 (TCP 25 only) and update the inbound ACL accordingly.

Branch Office — Static NAT + PAT + ACLs | PocketCLI

Search

Categories

LATEST POSTS

Download


>