Objective
In this lab, you will configure Static NAT (Network Address Translation) on a Cisco router using Packet Tracer. Static NAT creates a permanent one-to-one mapping between a private (inside local) IP address and a public (inside global) IP address, allowing an internal host to be consistently reachable from the outside network.
By the end, you will understand the four NAT address types, how to apply NAT to router interfaces, and how to verify translations using show commands.
Network Topology
| Device | Interface | IP Address | Subnet Mask | NAT Role |
|---|---|---|---|---|
| Router0 | Fa0/0 | 192.168.1.1 | /24 | Inside |
| Router0 | Fa0/1 | 200.0.0.1 | /24 | Outside |
| PC0 | NIC | 192.168.1.2 | /24 | Inside Local |
| PC0 (Translated) | — | 200.0.0.10 | /24 | Inside Global |
| Server | NIC | 200.0.0.2 | /24 | Outside |
NAT Address Types — Quick Reference
| Term | Description |
|---|---|
| Inside Local | The private IP address of the device on the internal network. Example: 192.168.1.2 |
| Inside Global | The public IP address the internal device uses to reach the internet. Example: 200.0.0.10 |
| Outside Global | The public IP address of the destination device on the internet. Example: 200.0.0.2 (the server) |
| Outside Local | How an outside host appears from the inside perspective. Often the same as Outside Global unless NAT is applied in both directions. |
Key Point
Static NAT creates a permanent, one-to-one mapping. Unlike Dynamic NAT or PAT, the same internal IP always maps to the same public IP — no pool or overloading needed.
Static NAT creates a permanent, one-to-one mapping. Unlike Dynamic NAT or PAT, the same internal IP always maps to the same public IP — no pool or overloading needed.
Task 1: Configure Router Interfaces
Assign IP addresses to both router interfaces and bring them up.
Router CLI
Router>enable Router#configure terminal ! Configure the INSIDE interface (connects to LAN) Router(config)#interface FastEthernet0/0 Router(config-if)#ip address 192.168.1.1 255.255.255.0 Router(config-if)#no shutdown Router(config-if)#exit ! Configure the OUTSIDE interface (connects to Internet) Router(config)#interface FastEthernet0/1 Router(config-if)#ip address 200.0.0.1 255.255.255.0 Router(config-if)#no shutdown Router(config-if)#exit
Task 2: Define the Static NAT Mapping
Create the one-to-one translation: inside local IP → inside global IP.
Router CLI
! Syntax: ip nat inside source static <inside-local> <inside-global> Router(config)#ip nat inside source static 192.168.1.2 200.0.0.10
Remember
The inside global address (
The inside global address (
200.0.0.10) must be a routable public IP — it does NOT need to be assigned to any interface. It's just a "face" presented to the outside.
Task 3: Mark Interfaces as Inside / Outside
This is the most commonly forgotten step. NAT won't work until you label each interface correctly.
Router CLI
! Mark Fa0/0 as NAT inside (LAN side) Router(config)#interface FastEthernet0/0 Router(config-if)#ip nat inside Router(config-if)#exit ! Mark Fa0/1 as NAT outside (WAN / Internet side) Router(config)#interface FastEthernet0/1 Router(config-if)#ip nat outside Router(config-if)#exit Router(config)#end
Pro Tip
If you apply
If you apply
ip nat inside on the wrong interface (or forget both), the router won't translate anything and pings will fail silently. Always double-check with show ip interface brief.
Task 4: Configure the PC Default Gateway
On PC0 in Packet Tracer, go to Desktop → IP Configuration and set:
| Field | Value |
|---|---|
| IP Address | 192.168.1.2 |
| Subnet Mask | 255.255.255.0 |
| Default Gateway | 192.168.1.1 |
Also configure the Server: IP 200.0.0.2, mask 255.255.255.0, gateway 200.0.0.1.
Verification
After sending a ping from PC0 to the Server, use these commands to verify:
Verification Commands
! Show all active/static NAT translations Router#show ip nat translations ! Show NAT statistics (hits, misses, expired) Router#show ip nat statistics ! Debug NAT in real time (use with caution in production) Router#debug ip nat
Expected output of show ip nat translations:
Output
Pro Inside global Inside local Outside local Outside global --- ----------------- ------------------ ------------------ ------------------ --- 200.0.0.10 192.168.1.2 --- --- icmp 200.0.0.10:1 192.168.1.2:1 200.0.0.2:1 200.0.0.2:1
Reading the Output
The static entry (dashes in the Pro column) is always present. When active traffic flows, an ICMP entry appears showing the full 4-tuple: inside local ↔ inside global ↔ outside local ↔ outside global.
The static entry (dashes in the Pro column) is always present. When active traffic flows, an ICMP entry appears showing the full 4-tuple: inside local ↔ inside global ↔ outside local ↔ outside global.
Complete Configuration Summary
Full Router Config
Router>enable Router#configure terminal ! --- Interface Configuration --- Router(config)#interface FastEthernet0/0 Router(config-if)#ip address 192.168.1.1 255.255.255.0 Router(config-if)#ip nat inside Router(config-if)#no shutdown Router(config-if)#exit Router(config)#interface FastEthernet0/1 Router(config-if)#ip address 200.0.0.1 255.255.255.0 Router(config-if)#ip nat outside Router(config-if)#no shutdown Router(config-if)#exit ! --- Static NAT Mapping --- Router(config)#ip nat inside source static 192.168.1.2 200.0.0.10 Router(config)#end Router#write memory
| Command | Purpose |
|---|---|
ip nat inside source static <local> <global> |
Creates the static 1-to-1 NAT mapping |
ip nat inside |
Marks interface as facing the private LAN |
ip nat outside |
Marks interface as facing the public Internet |
show ip nat translations |
Displays current NAT table |
show ip nat statistics |
Shows hit/miss counters and config summary |
clear ip nat translation * |
Clears all dynamic NAT entries (not static) |