Thursday, June 6, 2024

Cisco 129 - Dynamic NAT and PAT

Dynamic NAT:

Still not great.  Still requires routable public IP addresses.  However, at least we don't have to manually map internal IPs to external IPs.  Dynamic NAT sets up an IP address pool that internal hosts can use.  If you have 250 internal hosts and only 20 routable IPs, only 20 can be used at a time.  After about 24 hours of inactivity, the IP address "used" by the inside host will be cleared and available for the next internal host.

R1(config)#int g0/1
R1(config-if)#ip nat inside
^ Define the "inside" interface

R1(config-if)#int g0/0
R1(config-if)#ip nat outside
R1(config-if)#exit
^ Define the "outside" interface

R1(config)#access-list 1 permit 192.168.0.0 0.0.0.255
^ Set up an ACL to be applied later.  Notice wildcard mapping.  Traffic permitted by this ACL will be translated.

R1(config)#ip nat pool POOL1 100.0.0.0 100.0.0.255 prefix-length 24
^ This establishes a pool of IP addresses called "POOL1" starting at 100.0.0.0 and going up to 100.0.0.255.
The prefix-length is used by IOS to ensure the pool is within the same subnet range.

R1(config)#ip nat inside source list 1 pool POOL1
^ This configures dynamic NAT by assigning the ACL to the pool and activating NAT.

R1#show ip nat translations
^ Shows which internal IPs have been assigned to an IP from the external pool that was configured.  Works the same way as static NAT, but we did not have to manually do the mapping of internal:external.

R1#show ip nat statistics
^ Works the same way as static NAT, but also shows the configured mapping of ACL 1 to POOL1.



PAT AKA NAT overload:

Finally!  This is what we think of when we think of NAT.  Most commonly used; PAT allows many internal hosts to share a single externally routable public IP address.

PAT translates both the IP and also the port number if necessary.  By using a unique port number for each communication flow, a single public IP address can be used by many different internal hosts.  Since the port number is 16 bits, 2^16 gives over 65,000 available port numbers.  The router keeps track of which inside local IP address is using which translated public IP and port number.
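To make the difference between the three pieces above concrete (the wildcard-mask ACL that decides which traffic gets translated, dynamic NAT handing out one pool address per inside host until the pool runs dry, and PAT letting many hosts share one address by giving each flow its own port), here is a small simulation of the router's translation table.  This is an added example written for these notes; it is not code from the course or from IOS, and the host addresses, pool size and port choices are constructed.  It models the IOS habit of keeping a flow's original source port when that port is still free on the public address, and falling back to a fresh port otherwise; that part is a simplification of real router behaviour.

```python
"""Simulation of dynamic NAT and PAT (overload) translation tables.

Added example for these notes, not code from the course or from IOS.
All addresses and ports below are constructed sample values.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field


def acl_permits(ip: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard-mask match: a 0 bit must match, a 1 bit is 'don't care'.

    'access-list 1 permit 192.168.0.0 0.0.0.255' is
    acl_permits(ip, "192.168.0.0", "0.0.0.255").
    """
    addr = int(ipaddress.IPv4Address(ip))
    net = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (addr & care) == (net & care)


@dataclass
class DynamicNat:
    """1:1 dynamic NAT: each inside host borrows one pool address."""

    pool: list[str]                                         # free inside-global addresses
    table: dict[str, str] = field(default_factory=dict)     # inside local -> inside global

    def translate(self, inside_local: str) -> str | None:
        """Return the inside-global address for this host, or None if the pool is exhausted."""
        if inside_local in self.table:
            return self.table[inside_local]
        if not self.pool:
            return None                                     # no free address: packet is not translated
        self.table[inside_local] = self.pool.pop(0)
        return self.table[inside_local]

    def release(self, inside_local: str) -> None:
        """Idle timeout expiry: clear the entry and return the address to the pool."""
        self.pool.append(self.table.pop(inside_local))


@dataclass
class Pat:
    """PAT / NAT overload: many inside hosts share one inside-global address."""

    inside_global: str
    # (inside local ip, inside local port) -> (inside global ip, inside global port)
    table: dict[tuple[str, int], tuple[str, int]] = field(default_factory=dict)

    def translate(self, inside_local: str, src_port: int) -> tuple[str, int] | None:
        """Return the (ip, port) the flow appears as on the outside, or None if no port is free."""
        key = (inside_local, src_port)
        if key in self.table:
            return self.table[key]
        used = {entry[1] for entry in self.table.values()}
        # Keep the original port when it is still free on the public address;
        # otherwise pick the lowest free port above the well-known range (simplification).
        port = src_port if src_port not in used else next(
            (p for p in range(1024, 65536) if p not in used), None
        )
        if port is None:
            return None                                     # all 16-bit ports in use
        self.table[key] = (self.inside_global, port)
        return self.table[key]


def forward(nat: DynamicNat | Pat, inside_local: str, src_port: int):
    """Apply the 'ip nat inside source list 1 ...' decision to one packet.

    Traffic the ACL does not permit leaves with its original address.
    """
    if not acl_permits(inside_local, "192.168.0.0", "0.0.0.255"):
        return (inside_local, src_port)
    if isinstance(nat, Pat):
        return nat.translate(inside_local, src_port)
    ip = nat.translate(inside_local)
    return None if ip is None else (ip, src_port)


if __name__ == "__main__":
    # Constructed scenario: four hosts, a two-address pool, then the same hosts behind PAT.
    dyn = DynamicNat(pool=["100.0.0.1", "100.0.0.2"])
    for host in ("192.168.0.10", "192.168.0.11", "192.168.0.12", "10.0.0.5"):
        print("dynamic", host, "->", forward(dyn, host, 50000))
    pat = Pat("100.0.0.1")
    for host in ("192.168.0.10", "192.168.0.11", "192.168.0.12"):
        print("pat", host, "->", forward(pat, host, 50000))
```

Running the block shows the third host getting no translation under dynamic NAT (the pool of two is exhausted, just as 250 hosts behind 20 addresses would stall), the 10.0.0.5 host passing through untranslated because the ACL does not match it, and all three hosts succeeding under PAT with the single public address and ports 50000, 1024 and 1025.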

Works mostly the same way.  In the sequence of commands below, notice we reduce the number of externally routable IP addresses and we also add the keyword "overload" to the last configuration command.  Other than that, this is a copy/paste of the dynamic NAT config from above:


R1(config)#int g0/1
R1(config-if)#ip nat inside

R1(config-if)#int g0/0
R1(config-if)#ip nat outside
R1(config-if)#exit

R1(config)#access-list 1 permit 192.168.0.0 0.0.0.255

R1(config)#ip nat pool POOL1 100.0.0.0 100.0.0.3 prefix-length 24
^ Notice fewer public IP addresses

R1(config)#ip nat inside source list 1 pool POOL1 overload
^ Notice the additional "overload" keyword.

Here's where dynamic NAT looks different from PAT:

R1#show ip nat translations
^ Won't display the 1:1 dynamic mapping entries.  That's because there aren't any - it's a 1:many mapping.

Here is an easier and more common way to configure PAT.  This method tells the router to use its own public IP address as the mapped address.

First, the stuff that is copy/paste the same:


R1(config)#int g0/1
R1(config-if)#ip nat inside

R1(config-if)#int g0/0
R1(config-if)#ip nat outside
R1(config-if)#exit

R1(config)#access-list 1 permit 192.168.0.0 0.0.0.255

Now, the difference:

R1(config)#ip nat inside source list 1 interface g0/0 overload

We don't specify a pool with this approach.  We just use the router's external interface.





[These are my notes from Jeremy's excellent CCNA course which can be viewed here.]