two questions on NAT

1. What is the difference between the "port forwarding" feature on low end routers, and "static nat" on cisco routers?  Are they the same thing but with different names?  Does Cisco have a "port forwarding" type command?

2. Instead of static NAT, couldn't you accomplish the same thing with static routes?  Or do static routes only route you to networks, not hosts?  Whereas static NAT gets you to specific hosts?

3. Please dont answer question #3 if you dont feel like it, I'm just trying to get a grip on this stuff. What is going on in certain parts of this config  (i marked the three areas I didnt understand)?
  interface Ethernet 0
    ip add
    ip nat outside      <----------------------------------(does this mean something like "enable NAT for packets going outbound" ?)
    interface serial 0
    ip add
    ip nat inside         <--------------------------------- (what does this mean)
  ip nat inside source static     (what significance does this have?)
   ip route
   ip route
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

1.  A static NAT on a Cisco router is a "one to one" NAT.  A one to one or static NAT translates a single address to another address.  Basically all ports are forwarded to the inside host when using a static NAT.  Port forwarding is used when you have a one to many setup.  One public address is used for all inside hosts, hence, you need to forward traffic based on ports.  You can also use PAT (port forwarding) on a Cisco router (ip nat inside source static tcp 80 <outside address or interface> 80)

2.  Static routes are responsible for forwarding traffic.  NAT translates an address, it doesn't actually do the forwarding.  Routing still takes care of that part.

3.  The "ip nat outside" and "ip nat inside" basically enable NAT on the interface.  The inside and outside keyword in the command defines which interface is the outside NAT interface and which is the inside.
Just to clarify on question 1.

On a Cisco router, to emulate a SOHO router like a Linksys/Netgear, you can use the following command:

ip nat inside source list 1 interface ethernet0 overload

The "overload" keyword is used for one-to-many translation (like a SOHO router).

Port forwarding compliments the above and is used to forward to inside hosts based on port.
1. Port forwarding on soho routers uses one and only one public IP address and you can forward different individual ports to different inside hosts. Static nat, on the other hand, allows you to provide a complete 1-to-1 map from 1 public IP to 1 private IP, multiple times. And yes, there is also an equivelent of port forwarding where you only nat specified ports. In other words, you can map 200 public IP's to 400 different hosts using a varity of 1-1 and port forwarding. Additionally on a Cisco router, the inside address is not limited to only a local LAN ip, it can be any IP address anywhere on the inside of the network- behind several other routers if necessary.

2. Not at all. NAT changes the source IP address to the "outside" address as it passes from the "inside" through the "outside" defined interfaces (more about that in #3). Since it changes the source IP, then it also must keep a table on who really sent that packet so that the response goes back to the appropriate host. Routing never changes the source IP address, so there must be routing all the way to and back, every router in the patch must maintain the source/destination pair. Especially if you are using Private IP addresses, these addresses are not routeable on the Internet, so you have no choice except to NAT them to a public IP address.

3. When using NAT, you must designate which interfaces are "outside" and which ones are "inside", then you define the ip nat "inside" rules. As traffic passes from an inside interface through the outside designated interface, the nat rules are examined. In the example above, only the one rule is defined that says any traffic from host as it passes out interface E0, the source IP will change to Now anything beyond that router will see the incomming packet as being from It does not have to know anything about the 192.168.2.x network, does not have to have a route to it or anything. There are many ways to define and apply rules to the nat process.

Example of a 1-1 static nat rule:
  ip nat inside source static
  ip nat inside source static
  ip nat inside source static
Add in some static port forwarding (single public, multiple private, specified ports):
  ip nat inside source tcp 25 25
  ip nat inside source tcp 80 80
  ip nat inside source tcp 110 110
  ip nat inside source tcp 3389 3389

Add in a rule for dynamic NAT for inside hosts (all will use the public IP assigned to Eth0)
  access-list 1 permit
  ip nat inside source list 1 interface Ethernet0 overload
Add in a dynamic NAT pool to use .78 - .99 as "rotary" 1-1 nat as needed
  access-list 2 permit
  ip nat pool POOL1 netmask
  ip nat inside source list 2 pool POOL1
Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

Damn! JFrederick29 beat me to the submit button!
Been doing that a little bit lately, eh? lrmoore :)

Great answer though, very detailed.
I think the best way to sum it up, is you are trying to compare a Chevy to a Cadillac so to say. Most low-end routers have basic NAT functions, while higher end routers like Cisco have about every conceivable NAT capability.

When you think about it, since most low end routers will never have more than one public IP address, there really is no need to have extended static NAT mapping capabilities. Although I have seen some low-end routers that do allow you to map everything coming in from it’s public IP address to one host, the basic equivalent to Cisco’s static NAT, or what I like to call a NAT bridging function, since when you enable it for all practical purposes you have the equivalent of a bridge.

Also take this in consideration, if they provided full NAT capabilities on low-end routers, think of all the tech support requests it would generate for a feature few Could use? The fact is most of them go into the hands of people with little, or no networking experience. You’d see a lot of them trying to use static NAT functions when they only have one IP address, when all they could do is PAT. I have seen plenty of people trying to send the same public port to several hosts already, and give static NAT I know there would be a lot of people trying to map the one address to several hosts calling tech support.              
dissolvedAuthor Commented:
Thanks guys. So much good info, I had to read this page 7 times (not joking lol).  Let me see if I am comrehending this accurately (bear with me) :

-PAT: "nats" a public IP to a private IP, with specific ports (ie: 80, 25)

-static NAT: translates one public IP, to one private IP..including all ports (unless of course a firewall is blocking certain ports)

-dynamic NAT: ???

-a NAT table is maintained in every router that NATs. NAT works by swapping L3 addresses. It maintains a table of "what it swapped."

what is "dynamic NAT."  Is that when EVERY address going through a NAT router is swapped.  I'm guessing the configuration in the router would be very general as far as hosts go. We would specify a range to "NAT" instead of specifying individual hosts.

Am I on the right track?

thanks again.

dissolvedAuthor Commented:
woops: I now see lrmoore's example of dynamic NAT:

>> Add in a rule for dynamic NAT for inside hosts (all will use the public IP assigned to Eth0)
>>  access-list 1 permit
>>  ip nat inside source list 1 interface Ethernet0 overload

i'm guessing the "overload" command must be used in conjunction with dynamic NAT?
You're getting the hang of this!
PAT = Port Address Translation which is just the same as Port forwarding
NAT = Network Address Translation. Oftentimes "nat" is used when actually meaning "pat", as NAT is the more generic term.

My example of dynamic nat is actually dynamic PAT, because it uses a single IP address (that of the interface) for all inside hosts, and that is only possible because of the "overload" command.

Another example of dynamic nat incudes using a pool of IP addresses that the inside hosts use, one at a time until used up, then the "overload" can take over (which I deliberately left off my example above), or the next host simply does not get an ip address. If we add the overload to the pool, then the last IP address in the pool will be used to PAT all further addresses. In this pool example, the first PC that does not have a static assignment, and wants to go out, will be dynamically assigned the first IP in the pool, the next PC the 2nd IP in the pool and so on until the pool is exhausted. Since they are dynamic, when the first PC is finished, the existing traslations will time out and the IP again available for use.

To add more information, we can even create a "network" nat, like
   ip nat inside source static network
This creates a dynamic NAT mapping where inside host = outside host id: = = =

This is just the tip of the iceburg as to what we can do with NAT/ least on Cisco routers..


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
dissolvedAuthor Commented:
whoa, just threw another term at me there ...dynamic pat :-)
I think I understand though.

so in your example:
>> Add in a rule for dynamic NAT for inside hosts (all will use the public IP assigned to Eth0)
>>  access-list 1 permit
>>  ip nat inside source list 1 interface Ethernet0 overload

The above is dynamic PAT because all inside devices will be using e0s address to send packets to the internet.
One interface for many clients

Dynamic NAT on the otherhand would pull from a predefined "pool" of addresses. Then, when the last address in the pool is used, it will PAT on the last address for any additional addresses that want to send out to the internet.

static PAT is just port forwarding (stuff you can do in low end cable routers)

static NAT is just public IP to private IP translating (at layer 3). Using static NAT exposes all of the private IPs ports to the internet (if a firewall isnt blocking it somewhere along the way).

Are my interpretations correct?

"This is just the tip of the iceburg as to what we can do with NAT/ least on Cisco routers.."
Yes to all your questions.
Isn't this fun to learn all this new stuff?
dissolvedAuthor Commented:
yes it is. I cant believe some of the stuff you, jfrederick, and Dr. IP  know (and remember). It's scary. You guys must scare yourselves sometimes lol

Thanks for the help guys!

Hey everyone,

I have a NAT question as well. I am trying to configure a cisco 2611 to do NAT. Here is a snipet of the config that I am working in. This particular config is for a point-to-point private T1. I need to NAT all traffic going out of the fastethernet to be /

Please help,


interface FastEthernet0/0
 description ethernet side to Miami
 ip address
 no ip directed-broadcast
 ip nat outside
 duplex auto
 speed 100
interface Serial0/0
 bandwidth 1544
 ip address
 no ip directed-broadcast
 service-module t1 timeslots 1-24

ip default-gateway
ip nat outside source static
ip classless
ip route
no ip http server
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.