Static NAT Configuration

Every device that communicates across the internet needs a globally routable public IP address. Private IP address ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) are not routable on the internet — routers on the public network drop packets with private source addresses. NAT (Network Address Translation) sits at the boundary between the private internal network and the public internet, translating private addresses to public ones so that internal hosts can communicate externally.

Static NAT creates a permanent, one-to-one mapping between a specific private IP address and a specific public IP address. The mapping is always active — both inbound and outbound traffic is translated. This makes static NAT ideal for internal servers (web servers, mail servers, FTP servers) that must be reachable from the internet at a predictable, fixed public address at all times.

Before starting, complete Basic Interface Configuration and Static Route Configuration to understand routing to the ISP, and Default Route Redistribution into OSPF for distributing the internet default route to internal routers. For NAT concepts and theory see NAT Overview. For dynamic address sharing see Dynamic NAT & PAT Configuration. For ACL concepts used in extended NAT see ACL Overview. For common port numbers used in port forwarding see Common Port Numbers.

1. NAT — Core Concepts and Terminology

NAT Address Types

Cisco uses a four-part terminology to describe addresses in a NAT environment. Understanding each term is essential for reading show ip nat translations output correctly:

Term	Definition	Example
Inside Local	The private IP address of the internal host — as configured on the device itself	192.168.10.10 (web server's real IP)
Inside Global	The public IP address that represents the internal host on the internet — what the outside world sees	203.0.113.10 (public IP mapped to the server)
Outside Global	The public IP address of the external host — as configured on the remote device	8.8.8.8 (Google DNS server)
Outside Local	The IP address used to represent the external host inside the network — only relevant in double-NAT or policy NAT scenarios	Usually same as Outside Global in standard NAT

Memory tip — Local vs Global: Local = the address as seen from inside the network (private). Global = the address as seen from outside the network (public). Inside = the originating host is in your private network. Outside = the originating host is in the public internet.

NAT Types — Comparison

NAT Type	Mapping	Direction	Best Used For
Static NAT	One private IP ↔ one public IP (permanent)	Both inbound and outbound	Internal servers needing a fixed public IP (web, mail, FTP)
Dynamic NAT	Private IP → one of a pool of public IPs (temporary)	Outbound only — no inbound unless a mapping exists	Multiple internal hosts sharing a small pool of public IPs
PAT / NAT Overload	Many private IPs → one public IP (port multiplexing)	Outbound only — port number differentiates flows	Entire LAN sharing a single public IP (most common — home/branch)

Inside and Outside Interfaces

Every NAT configuration requires identifying which router interfaces face the private (inside) network and which face the public (outside) network. NAT translation only occurs when a packet crosses the inside/outside boundary:

Interface Role	IOS Command	Faces	Typical Interface
Inside	`ip nat inside`	The private LAN — hosts with RFC 1918 addresses	LAN-facing GigabitEthernet, sub-interface, or SVI
Outside	`ip nat outside`	The public internet or ISP network	WAN-facing interface connected to the ISP

NAT requires both inside and outside to be defined. If only one interface is marked (e.g., only ip nat inside without ip nat outside), no translation occurs — packets are forwarded unchanged. Both interface roles must be configured for NAT to function.

How Static NAT Translation Works — Packet Walk

Direction	Original Packet	After NAT	Translation
Outbound (inside → outside)	Src: 192.168.10.10 → Dst: 8.8.8.8	Src: 203.0.113.10 → Dst: 8.8.8.8	Inside Local replaced with Inside Global
Inbound (outside → inside)	Src: 8.8.8.8 → Dst: 203.0.113.10	Src: 8.8.8.8 → Dst: 192.168.10.10	Inside Global replaced with Inside Local

2. Lab Topology & Scenario

NetsTuts_R1 is the edge router with one interface facing the private LAN (192.168.10.0/24) and one facing the ISP (203.0.113.0/30). Three internal servers require fixed public IP addresses so they can be reached from the internet — a web server, a mail server, and an FTP server. Each gets a permanent one-to-one static NAT mapping.

                        Internet / ISP
                        203.0.113.1 (ISP Gateway)
                               |
                          Gi0/0 (OUTSIDE)
                          203.0.113.2 /30
                    ┌──────────────────────┐
                    │     NetsTuts_R1      │
                    │   NAT Router         │
                    │   Static NAT:        │
                    │   .10.10 ↔ .113.10   │
                    │   .10.11 ↔ .113.11   │
                    │   .10.12 ↔ .113.12   │
                    └──────────────────────┘
                          Gi0/1 (INSIDE)
                          192.168.10.1 /24
                               |
                    ═══════════════════════════
                         192.168.10.0/24
                               |
              ┌────────────────┼────────────────┐
         192.168.10.10    192.168.10.11    192.168.10.12
          [Web Server]    [Mail Server]     [FTP Server]
         Public: .113.10  Public: .113.11  Public: .113.12

Server	Inside Local (Private)	Inside Global (Public)	Service
Web Server	192.168.10.10	203.0.113.10	HTTP/HTTPS (TCP 80/443)
Mail Server	192.168.10.11	203.0.113.11	SMTP/IMAP (TCP 25/143)
FTP Server	192.168.10.12	203.0.113.12	FTP (TCP 20/21)

3. Step 1 — Configure Interface Addressing

Assign IP addresses to both interfaces and bring them up before configuring NAT. The WAN interface (Gi0/0) uses the public IP assigned by the ISP. The LAN interface (Gi0/1) uses the private gateway IP:

NetsTuts_R1>en
NetsTuts_R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.

! ── WAN interface — facing ISP ───────────────────────────
NetsTuts_R1(config)#interface GigabitEthernet0/0
NetsTuts_R1(config-if)#description WAN-to-ISP
NetsTuts_R1(config-if)#ip address 203.0.113.2 255.255.255.252
NetsTuts_R1(config-if)#no shutdown
NetsTuts_R1(config-if)#exit

! ── LAN interface — facing internal servers ──────────────
NetsTuts_R1(config)#interface GigabitEthernet0/1
NetsTuts_R1(config-if)#description LAN-Internal-Servers
NetsTuts_R1(config-if)#ip address 192.168.10.1 255.255.255.0
NetsTuts_R1(config-if)#no shutdown
NetsTuts_R1(config-if)#exit

! ── Default route toward ISP ─────────────────────────────
NetsTuts_R1(config)#ip route 0.0.0.0 0.0.0.0 203.0.113.1

4. Step 2 — Define NAT Inside and Outside Interfaces

Mark each interface with its NAT role. This step is mandatory — without these markings, IOS does not know which direction to translate packets and all NAT translations are silently ignored:

! ── Mark WAN as NAT outside ──────────────────────────────
NetsTuts_R1(config)#interface GigabitEthernet0/0
NetsTuts_R1(config-if)#ip nat outside
NetsTuts_R1(config-if)#exit

! ── Mark LAN as NAT inside ───────────────────────────────
NetsTuts_R1(config)#interface GigabitEthernet0/1
NetsTuts_R1(config-if)#ip nat inside
NetsTuts_R1(config-if)#exit

These two commands tell IOS the direction of translation. When a packet arrives on the inside interface heading out, the source address is translated (Inside Local → Inside Global). When a packet arrives on the outside interface heading in, the destination address is translated (Inside Global → Inside Local).

5. Step 3 — Configure Static NAT Mappings

Each ip nat inside source static command creates a permanent bidirectional mapping. The syntax is always: private IP first, then public IP. These mappings are immediately active — no traffic is required to create them:

! ── Static NAT: Web Server ───────────────────────────────
NetsTuts_R1(config)#ip nat inside source static 192.168.10.10 203.0.113.10

! ── Static NAT: Mail Server ──────────────────────────────
NetsTuts_R1(config)#ip nat inside source static 192.168.10.11 203.0.113.11

! ── Static NAT: FTP Server ───────────────────────────────
NetsTuts_R1(config)#ip nat inside source static 192.168.10.12 203.0.113.12

NetsTuts_R1(config)#end
NetsTuts_R1#wr
Building configuration...
[OK]
NetsTuts_R1#

The command structure:

ip nat inside source static [inside-local]
    [inside-global]

. "Inside source" means we are translating the source address of packets coming from the inside. "Static" means the mapping is permanent. Each command creates one entry in the NAT translation table that persists even when no traffic is active — unlike dynamic NAT and PAT entries which timeout. After completing configuration save with write memory.

Static NAT Command Breakdown

Command Element	Meaning	Example Value
`ip nat`	Enters the NAT configuration context	—
`inside source`	Translates source addresses of packets originating from the inside network	—
`static`	Creates a permanent one-to-one mapping — always active regardless of traffic	—
`192.168.10.10`	Inside Local — the private IP address of the internal server	Web server's LAN IP
`203.0.113.10`	Inside Global — the public IP address the internet uses to reach this server	ISP-assigned public IP for the web server

6. Step 4 — Static NAT with Port Forwarding (Optional)

Standard static NAT maps an entire IP address — all ports on the public IP go to the same private server. Port Address Translation (Static PAT) refines this by mapping a specific public IP and port to a specific private IP and port. This allows multiple internal servers to share a single public IP, each reachable on a different port:

! ── Single public IP, multiple internal servers via ports ─
! ── HTTP (port 80) → Web Server at 192.168.10.10 ─────────
NetsTuts_R1(config)#ip nat inside source static tcp 192.168.10.10 80 203.0.113.2 80

! ── HTTPS (port 443) → Web Server ────────────────────────
NetsTuts_R1(config)#ip nat inside source static tcp 192.168.10.10 443 203.0.113.2 443

! ── SMTP (port 25) → Mail Server at 192.168.10.11 ────────
NetsTuts_R1(config)#ip nat inside source static tcp 192.168.10.11 25 203.0.113.2 25

! ── FTP (port 21) → FTP Server at 192.168.10.12 ─────────
NetsTuts_R1(config)#ip nat inside source static tcp 192.168.10.12 21 203.0.113.2 21

All four services are now reachable from the internet via R1's single WAN IP (203.0.113.2) on different ports. Internet users connecting to 203.0.113.2:80 reach the web server; connecting to 203.0.113.2:25 reaches the mail server. This is more efficient than allocating a separate public IP per server and is the standard technique for small businesses with limited public IPs.

Port Forwarding Command Syntax

Element	Meaning
`tcp` / `udp`	The transport protocol to translate
`192.168.10.10 80`	Inside Local IP and port — private server address and service port
`203.0.113.2 80`	Inside Global IP and port — public IP and the port internet users connect to

7. Verification

show ip nat translations

NetsTuts_R1#show ip nat translations
Pro  Inside global       Inside local        Outside local       Outside global
---  203.0.113.10        192.168.10.10       ---                 ---
---  203.0.113.11        192.168.10.11       ---                 ---
---  203.0.113.12        192.168.10.12       ---                 ---

Static NAT entries appear immediately — no traffic required. The Pro (protocol) column shows --- for full IP translations (not port-specific). Inside global = public IP. Inside local = private IP. The Outside columns show --- because no active sessions exist yet — static entries show only the two sides of the mapping until traffic flows.

show ip nat translations — After Active Traffic

NetsTuts_R1#show ip nat translations
Pro  Inside global          Inside local          Outside local       Outside global
tcp  203.0.113.10:80        192.168.10.10:80      8.8.8.8:45231       8.8.8.8:45231
tcp  203.0.113.10:443       192.168.10.10:443     1.2.3.4:52100       1.2.3.4:52100
---  203.0.113.10           192.168.10.10         ---                 ---
---  203.0.113.11           192.168.10.11         ---                 ---
---  203.0.113.12           192.168.10.12         ---                 ---

When sessions are active, extended entries appear showing the full five-tuple — protocol, inside global IP:port, inside local IP:port, outside local IP:port, and outside global IP:port. Here two external clients (8.8.8.8 and 1.2.3.4) are actively connected to the web server (192.168.10.10) on ports 80 and 443. The static base entries (without ports) remain permanently alongside the dynamic session entries.

show ip nat translations verbose

NetsTuts_R1#show ip nat translations verbose
Pro Inside global          Inside local      Outside local    Outside global
--- 203.0.113.10           192.168.10.10     ---              ---
    create 00:15:32, use 00:02:11, timeout:never,
    Map-Id(In): 1, Flags: static, use_count: 2

--- 203.0.113.11           192.168.10.11     ---              ---
    create 00:15:32, use 00:15:00, timeout:never,
    Map-Id(In): 2, Flags: static, use_count: 0

The verbose option shows additional detail per entry: timeout:never — static entries never expire (unlike dynamic NAT which has a 24-hour timeout). Flags: static — confirms this is a permanent mapping. use_count: 2 — two active sessions currently using this NAT entry.

show ip nat statistics

NetsTuts_R1#show ip nat statistics
Total active translations: 5 (3 static, 2 dynamic; 2 extended)
Peak translations: 8, occurred 00:10:21 ago
Outside interfaces:
  GigabitEthernet0/0
Inside interfaces:
  GigabitEthernet0/1
Hits: 142    Misses: 3
CEF Translated packets: 139, CEF Punted packets: 3
Expired translations: 0
Dynamic mappings:
Dynamic in use: 0

Key fields: Total active translations: 5 (3 static, 2 dynamic) — the 3 static entries are the permanent server mappings, the 2 dynamic are active sessions. Outside interfaces: Gi0/0 and Inside interfaces: Gi0/1 — confirms both interfaces are correctly marked. Hits: 142 — packets matched a NAT entry and were translated. Misses: 3 — packets that did not match any NAT entry (may indicate misconfiguration or unsolicited inbound traffic).

Verify Interface NAT Roles

NetsTuts_R1#show ip interface GigabitEthernet0/0
GigabitEthernet0/0 is up, line protocol is up
  Internet address is 203.0.113.2/30
  NAT: Outside interface
  ...

NetsTuts_R1#show ip interface GigabitEthernet0/1
GigabitEthernet0/1 is up, line protocol is up
  Internet address is 192.168.10.1/24
  NAT: Inside interface
  ...

show ip interface confirms the NAT role of each interface — NAT: Outside interface and NAT: Inside interface. If either shows "NAT: disabled", the ip nat inside or ip nat outside command was not applied to that interface.

Test Inbound Connectivity — Internet → Web Server

! ── Simulate internet client connecting to public IP ─────
! ── From an external host (or simulated with ping) ───────
NetsTuts_R1#ping 203.0.113.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 203.0.113.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms
NetsTuts_R1#

! ── Check translation table after ping ───────────────────
NetsTuts_R1#show ip nat translations
Pro  Inside global       Inside local        Outside local    Outside global
icmp 203.0.113.10:1     192.168.10.10:1     203.0.113.2:1   203.0.113.2:1
---  203.0.113.10        192.168.10.10       ---             ---
---  203.0.113.11        192.168.10.11       ---             ---
---  203.0.113.12        192.168.10.12       ---             ---

A live ICMP entry appears after the ping — the icmp protocol row shows 203.0.113.10 being translated to 192.168.10.10 for the active ping session. The static base entry remains. This confirms both the static mapping and the bidirectional translation are working correctly.

Verification Command Summary

Command	What It Shows	Primary Use
`show ip nat translations`	All NAT entries — static mappings and active session entries with full five-tuple	Primary NAT verification — confirm mappings exist and sessions are translating
`show ip nat translations verbose`	Extended detail — timeout, flags (static/dynamic), use count per entry	Confirm static entries never expire and check session count
`show ip nat statistics`	Translation counts, inside/outside interfaces, hits/misses, dynamic pool usage	Verify interface roles and check for translation failures (misses)
`show ip interface [int]`	Per-interface NAT role — "NAT: Inside interface" or "NAT: Outside interface"	Confirm `ip nat inside/outside` was applied correctly
`clear ip nat translation *`	Removes all dynamic NAT entries — static entries are not affected	Reset active sessions during troubleshooting without losing static mappings
`show ip route`	Verify the default route toward the ISP exists — required for translated traffic to exit	Confirm routing is intact before troubleshooting NAT

8. Troubleshooting Static NAT Issues

Problem	Symptom	Cause	Fix
No translation entries in table	`show ip nat translations` shows no output — not even static entries	Static NAT mappings not configured, or inside/outside interface roles not set	Verify `show running-config \| include ip nat` — confirm static statements exist and both interfaces have `ip nat inside`/`ip nat outside`
Static entries exist but sessions fail	NAT table shows static base entries but no active session entries — traffic not flowing	Routing issue — no default route to ISP, or the public IP (Inside Global) is not reachable from the internet. Also check firewall rules on the ISP side.	Verify `show ip route` — confirm 0.0.0.0/0 default route exists. Ping the ISP gateway (203.0.113.1) from R1. Confirm the public IP range is advertised by the ISP.
Inbound connections fail — outbound works	Internal server can reach internet but external hosts cannot reach the server's public IP	Static NAT missing or reversed — command may have inside local and inside global swapped. Or the outside interface is not marked with `ip nat outside`	Verify the mapping: `show ip nat translations` — confirm Inside Global = public IP and Inside Local = private IP. Check the WAN interface has `ip nat outside` with `show ip interface Gi0/0`
Translations incrementing but connectivity fails	`show ip nat statistics` Hits counter increases but ping/connection still fails	NAT is translating correctly but the internal server is unreachable (host down, firewall on server, incorrect default gateway on server)	Verify the server's default gateway is set to R1's LAN IP (192.168.10.1). Ping the server directly from R1: `ping 192.168.10.10`. Check server firewall.
NAT miss counter increasing	`show ip nat statistics` shows Misses counter rising — some traffic not translated	Traffic from an inside host whose IP is not covered by any NAT mapping — hitting the router but finding no matching NAT entry	Check `debug ip nat` to identify which source IPs are missing translations. Add static NAT entries or configure PAT / Dynamic NAT to cover remaining hosts. See also Troubleshooting Layer 3 Routing.
Cannot delete a static NAT entry	`no ip nat inside source static` returns an error — entry in use	Active sessions are using the static mapping — IOS prevents deletion while sessions exist	Clear active sessions first: `clear ip nat translation *` then remove the static mapping with `no ip nat inside source static [local] [global]`

Key Points & Exam Tips

Static NAT creates a permanent one-to-one mapping between a private IP (Inside Local) and a public IP (Inside Global). The mapping is always active — both inbound and outbound traffic is translated automatically.
NAT requires both ip nat inside on the LAN interface and ip nat outside on the WAN interface. If either is missing, no translation occurs regardless of the static mapping configuration.
The command syntax is always private IP first, public IP second: ip nat inside source static [inside-local] [inside-global].
Inside Local = private IP on the device. Inside Global = public IP seen by the internet. These are the two most important terms for reading show ip nat translations output.
Static NAT entries appear in show ip nat translations immediately after configuration — no traffic is required. They also never expire (timeout:never in verbose output).
Port-based static NAT (Static PAT) extends the concept by mapping a specific public IP:port to a specific private IP:port — allowing multiple internal servers to share a single public IP on different ports.
show ip nat statistics is the best single-command overview — it confirms inside/outside interface roles, shows hit/miss counters, and displays the total translation count broken down by static vs dynamic.
A high Misses counter in show ip nat statistics indicates packets are traversing the NAT boundary without matching any translation entry — investigate with debug ip nat.
To remove a static NAT entry, active sessions must be cleared first with clear ip nat translation * — IOS refuses to delete a mapping that is actively in use.
On the CCNA exam: know the four NAT address types (Inside Local, Inside Global, Outside Local, Outside Global), the difference between static/dynamic/PAT, the mandatory inside/outside interface configuration, and what each column in show ip nat translations represents.

Next Steps: Static NAT provides fixed public mappings for servers. For hosts that only need outbound internet access, continue to Dynamic NAT & PAT Configuration for pool-based translation and single-IP overload. For distributing the default route across internal routers, see Default Route Redistribution into OSPF and OSPF Single-Area Configuration. For Layer 3 troubleshooting after NAT see Troubleshooting Layer 3 Routing.

TEST WHAT YOU LEARNED

1. A web server at 192.168.10.10 has a static NAT mapping to 203.0.113.10. An internet user at 1.2.3.4 opens a browser and connects to 203.0.113.10:80. What does the NAT router change in the incoming packet?

A. The source address — changes 1.2.3.4 to 203.0.113.10 before forwarding to the server B. The destination address — changes 203.0.113.10 (Inside Global) to 192.168.10.10 (Inside Local) before forwarding to the internal server. The source (1.2.3.4) is unchanged C. Both source and destination addresses are changed on inbound packets D. The source port only — IP addresses are not changed on inbound traffic with static NAT

Correct answer is B. For inbound traffic (outside → inside), static NAT translates the destination address — the packet arrives addressed to the public IP (203.0.113.10, the Inside Global) and the router rewrites the destination to the private IP (192.168.10.10, the Inside Local) before forwarding it to the server. The external client's source address (1.2.3.4) is not changed. For outbound traffic the opposite occurs — the source address is translated from private to public. This bidirectional translation is what makes static NAT suitable for servers that must receive inbound connections.

2. What is the mandatory minimum configuration required for static NAT to translate any packets on a Cisco router?

A. Only the ip nat inside source static command — interface marking is optional B. ip nat inside on the LAN interface only — the outside interface does not need marking C. ip nat outside on the WAN interface only — NAT only applies to outbound traffic D. Three components are all required: ip nat inside on the LAN interface, ip nat outside on the WAN interface, and at least one ip nat inside source static mapping. Any missing element causes NAT to silently fail

Correct answer is D. All three components are mandatory for static NAT to function. The ip nat inside and ip nat outside interface markings tell IOS which direction translation applies — without both, IOS does not know which packets to translate. The static mapping defines what to translate — without it, there is no translation table entry. A common troubleshooting scenario is having the mapping configured but forgetting to mark one of the interfaces, causing all traffic to pass untranslated. Always verify all three components with show ip nat statistics (interface roles) and show ip nat translations (mappings).

3. `show ip nat translations verbose` shows `timeout:never` for a static NAT entry. What does this mean and why is it different from dynamic NAT entries?

A. Static NAT entries are permanent — they never expire regardless of inactivity because they represent configured server mappings that must always be available. Dynamic NAT entries time out after a period of inactivity (default 24 hours for TCP) and are removed from the table B. timeout:never means the entry is currently in use — it resets to a normal timeout when the session ends C. All NAT entries use timeout:never — the timeout only applies to access-list entries D. timeout:never is a warning that the entry cannot be cleared — a router reload is required to remove it

Correct answer is A. Static NAT entries are manually configured permanent mappings — they persist in the NAT table indefinitely, even when no sessions are active. This is intentional: a web server must always be reachable at its public IP, not just when a session is in progress. Dynamic NAT entries are created automatically when traffic flows and removed after an inactivity timeout (24 hours for TCP by default, 5 minutes for UDP). If dynamic entries are not cleared, they hold IP addresses from the pool unnecessarily. Static entries can only be removed by deleting the configuration — after clearing active sessions with clear ip nat translation *.

4. An engineer configures port-based static NAT: `ip nat inside source static tcp 192.168.10.10 80 203.0.113.2 80`. What exactly does this translation do?

A. All TCP traffic from 192.168.10.10 is translated to 203.0.113.2, regardless of port B. Any TCP traffic arriving on port 80 of any interface is forwarded to 192.168.10.10 C. Specifically maps TCP port 80 on the public IP (203.0.113.2) to TCP port 80 on the internal server (192.168.10.10). Only TCP/80 traffic to 203.0.113.2 is forwarded to the web server — other protocols and other ports on 203.0.113.2 are unaffected by this rule D. Changes only the port number — the IP address 203.0.113.2 is not translated, only the port from 80 to a dynamic port

Correct answer is C. Port-based static NAT (Static PAT) is specific to both IP and port. This rule only matches packets destined for 203.0.113.2 on TCP port 80 — traffic to 203.0.113.2 on port 443, 25, or any other port is handled by separate rules (or not translated at all). When matched, the router changes the destination IP from 203.0.113.2 to 192.168.10.10 and the destination port from 80 to 80 (same in this case). This enables multiple servers to share R1's single WAN IP (203.0.113.2), each reachable on a different port — HTTP on .10, SMTP on .11, FTP on .12.

5. `show ip nat statistics` shows Hits: 500, Misses: 47. What does the Misses counter indicate?

A. 47 packets were dropped by the router before reaching the NAT table B. 47 packets failed ICMP reachability checks during NAT C. 47 dynamic NAT sessions timed out and were removed D. 47 packets crossed the NAT boundary (inside/outside interface pair) but did not match any entry in the NAT translation table — either from hosts not covered by a static or dynamic NAT mapping, or unsolicited inbound traffic targeting IPs with no mapping

Correct answer is D. A NAT "miss" occurs when a packet crosses the inside-to-outside (or outside-to-inside) boundary but no matching NAT entry exists for that packet. Common causes: an internal host (not covered by static NAT) tries to reach the internet without a dynamic or PAT mapping — the packet is forwarded with its private source IP unchanged and will be dropped by the ISP. Also occurs for unsolicited inbound packets targeting public IPs that have no active static mapping. Use debug ip nat to identify which source/destination IPs are generating misses and add the appropriate NAT configuration.

6. What is the difference between "Inside Local" and "Inside Global" in the NAT translation table?

A. Inside Local is the private IP address configured on the internal device — what the device itself uses. Inside Global is the public IP address that represents that device on the internet — what external hosts see when communicating with it B. Inside Local is the IP address assigned by the ISP and Inside Global is the address assigned internally by DHCP C. Inside Local refers to the router's LAN interface IP and Inside Global refers to the router's WAN interface IP D. Inside Local is used for inbound traffic and Inside Global for outbound — they alternate based on direction

Correct answer is A. These are the two most important NAT terms for the CCNA exam. Inside Local = the private IP address as configured on the internal host (e.g., 192.168.10.10 on the web server's NIC). Inside Global = the public IP address that the internet uses to reach that same host (e.g., 203.0.113.10). The word "local" means "as seen from inside the network" (private) and "global" means "as seen from the internet" (public). In show ip nat translations, the Inside Global column is the public IP and Inside Local is the private IP — always read left to right: public → private.

7. An engineer tries to remove a static NAT entry with `no ip nat inside source static 192.168.10.10 203.0.113.10` but gets an error. What must be done first?

A. Remove the ip nat inside statement from the interface before deleting the static mapping B. Shut down the interface facing the server to close all active sessions automatically C. Clear all active NAT sessions with clear ip nat translation * first — IOS refuses to remove a static mapping while active sessions are using it. After clearing, the no command will succeed D. Save the configuration with wr before removing — static entries cannot be deleted from running-config without a prior write

Correct answer is C. Cisco IOS protects active NAT sessions from being disrupted — if a static mapping is currently in use (active session entries appear in the translation table for that IP), IOS prevents the mapping from being deleted. The solution is to first run clear ip nat translation * which removes all dynamic session entries from the table. After clearing, no sessions are using the static mapping and the no ip nat inside source static command completes successfully. Note that clearing translations is service-affecting — all active sessions are reset. Plan maintenance windows accordingly.

8. A router has static NAT configured but `show ip nat translations` shows no entries at all — not even the static base entries. What is the most likely cause?

A. No traffic has passed through the router yet — static entries only appear after the first packet B. The ip nat inside source static commands are missing from the configuration — static entries appear immediately when configured, regardless of traffic. If the table is completely empty, the mappings were never entered or were accidentally removed C. The router needs to be reloaded for static NAT entries to populate the translation table D. The NAT translation table is cleared automatically every 60 seconds — wait for the next cycle

Correct answer is B. This is one of the clearest indicators of missing NAT configuration. Unlike dynamic NAT and PAT entries (which only appear when traffic flows), static NAT entries populate the translation table immediately upon configuration — no traffic is required. If show ip nat translations returns completely empty output, the static mapping commands were never entered, were entered incorrectly, or were accidentally removed. Verify with show running-config | include ip nat inside source. Also confirm ip nat inside and ip nat outside are on the correct interfaces with show ip nat statistics.

9. Which NAT type is most appropriate for an internal mail server at 192.168.10.11 that must always be reachable from the internet at a consistent public IP address on port 25?

A. PAT (NAT Overload) — all internal hosts share one public IP with port multiplexing B. Dynamic NAT — the server receives a public IP from a pool when it initiates outbound traffic C. Dynamic NAT with the server's IP always first in the pool — it reliably gets the same address D. Static NAT — either a full IP mapping (ip nat inside source static 192.168.10.11 203.0.113.11) or port-based (ip nat inside source static tcp 192.168.10.11 25 203.0.113.2 25). Only static NAT provides a permanent, predictable mapping that works for inbound connections at all times

Correct answer is D. Dynamic NAT and PAT only create translation entries when the internal host initiates outbound traffic — there is no pre-existing entry for inbound connections. An external mail server trying to deliver email to 203.0.113.11 needs a NAT entry to exist before the inbound SMTP connection arrives. Only static NAT provides a permanent, always-present mapping that allows inbound connections at any time — regardless of whether the mail server has recently sent any outbound traffic. This is the defining use case for static NAT: any server that must accept inbound connections from the internet.

10. In `show ip nat translations`, the Outside Local and Outside Global columns both show the same IP address (e.g., 8.8.8.8). What does this indicate?

A. A routing loop — the same IP appears twice because the packet is being translated twice B. The outside host (8.8.8.8) is also behind NAT — its address is being translated on the way in C. This is normal for standard single NAT deployments — Outside Local and Outside Global are identical when the external host's address is not being translated. NAT is only modifying the inside address. Both columns show the same value because the outside host's IP is unchanged throughout the translation D. The NAT table entry is corrupt — Outside Local should always differ from Outside Global in a healthy translation

Correct answer is C. In standard NAT (translating only inside addresses), the outside host's address is never modified — it passes through unchanged. Therefore Outside Local (the outside host's address as seen from inside) and Outside Global (the outside host's actual address) are identical. Both columns show 8.8.8.8 because 8.8.8.8 is 8.8.8.8 from every perspective. Outside Local only differs from Outside Global in advanced scenarios like Double NAT (NAT on both sides of a connection) or policy-based NAT where the outside address is also being translated. For the CCNA exam, Outside Local = Outside Global is the expected normal state.

Back to Home