Static NAT Configuration

July 16, 2025 - Reading time: 2 minutes

Static NAT (Network Address Translation) is used to create a consistent one-to-one mapping between a private internal IP address and a public external IP address. This allows internal devices, such as web or mail servers, to be accessible from external networks using a fixed public IP address.

In this lesson, we will focus on IP-only static NAT, where only the address is translated — ports remain unchanged. This form of NAT is typically used when an internal device must always be reachable from the outside using the same public IP address.

Step-by-Step Lab:

Scenario:

A web server inside the LAN has a private IP address of 192.168.1.100.
The router's public IP interface is 200.1.1.1.
We want to map 192.168.1.100 to the public IP 200.1.1.100.

Network Topology:

R1 Fa0/0 (inside): 192.168.1.1
R1 Fa0/1 (outside): 200.1.1.1
Server IP: 192.168.1.100

Configuration Steps (on R1)

R1# configure terminal
R1(config)# interface FastEthernet0/0
R1(config-if)# ip address 192.168.1.1 255.255.255.0
R1(config-if)# ip nat inside
R1(config-if)# exit

R1(config)# interface FastEthernet0/1
R1(config-if)# ip address 200.1.1.1 255.255.255.0
R1(config-if)# ip nat outside
R1(config-if)# exit

R1(config)# ip nat inside source static 192.168.1.100 200.1.1.100
R1(config)# end

NAT must know which side is inside (private network) and which is outside (public/ISP).
Inside traffic is translated from internal private addresses to public addresses, while outside traffic is translated to internal hosts.
Creates a one-to-one mapping from 200.1.1.100 to 192.168.1.100.
Any traffic sent to 200.1.1.100 from the internet will be translated to the web server’s private IP

Verification Commands & Expected Output

1. Check NAT Translations

R1# show ip nat translations
Pro  Inside global      Inside local       Outside local      Outside global
---  200.1.1.100        192.168.1.100      ---                ---

Confirms static mapping is active.

2. Check NAT Statistics

R1# show ip nat statistics
Total active translations: 1 (1 static, 0 dynamic)
Outside interfaces:
  FastEthernet0/1
Inside interfaces:
  FastEthernet0/0
Hits: 0  Misses: 0

Confirms NAT is enabled and interface roles are correctly set.

3. Ping from ISP-side device (simulated)

Assume you're on an external device with reachability to 200.1.1.100:

> ping 200.1.1.100
Reply from 200.1.1.100: bytes=32 time<1ms TTL=64

Confirms NAT is working and traffic reaches internal server.

Common Mistakes

Mistake	Symptom	Solution
Missing ip nat inside / ip nat outside	No NAT translation occurs	Apply the correct ip nat direction on interfaces
Wrong IP in static NAT mapping	Traffic doesn’t reach internal device	Ensure private/public IPs in the NAT rule are correct
Access control blocking NAT traffic	Ping or access fails	Confirm no ACLs are blocking NAT or inbound/outbound traffic
Interface not up	NAT translation does not occur	Verify show ip interface brief to confirm interfaces are up/up

The lab is available for download from this link. Try recreating the sample lab above using the provided IP addressing scheme.

User Challenge

Modify the lab to configure two static NAT mappings (e.g., for a web server and an FTP server).
Download the NAT1 and NAT2 troubleshooting scenarios and apply what you've learned.
(requires version 2.12)

Static NAT Configuration | PocketCLI

Search

CURRENT BUILD: v2.17
Version History

Download

Labs