Static NAT – Permanent One-to-One Mapping, Configuration, and Troubleshooting
1. What Is Static NAT?
Static NAT (Network Address Translation) creates a permanent, manually configured one-to-one mapping between a specific private (inside local) IP address and a specific public (inside global) IP address. Unlike Dynamic NAT or PAT, the mapping is always present — it does not depend on traffic being initiated and does not expire.
The defining characteristic that separates Static NAT from all other NAT types is bidirectionality: because the mapping is permanent, external hosts on the internet can initiate connections to the inside host by targeting the public IP. This makes Static NAT the standard method for any server that must accept inbound connections on a dedicated public address; port forwarding (Section 5) is the alternative when public addresses are scarce.
Internet                      NAT Router                      Internal Network
                          Gi0/1  │  Gi0/0
Any external host ─────────────  │  ───────────────── Web Server
  → connects to 203.0.113.5      │                    192.168.1.10
                          [static mapping]
                   203.0.113.5 ↔ 192.168.1.10 (permanent)
Outbound: 192.168.1.10 → 203.0.113.5
Inbound:  203.0.113.5 → 192.168.1.10   ← key difference from Dynamic NAT
Related pages: Dynamic NAT | PAT (NAT Overload) Lab | IPv6 & Private IP | ACLs | ACL/Firewall | Static NAT Configuration Lab | Troubleshooting NAT/PAT
2. The Four NAT Address Terms
The four NAT address terms apply equally to Static, Dynamic, and PAT. They are defined from the NAT router's perspective, combining a location (Inside / Outside) with how the address is seen (Local = as assigned/known internally, Global = as seen on the internet).
| Term | Definition | Example (Static NAT) | Where Seen |
|---|---|---|---|
| Inside Local | The actual private IP of the internal host, the real address assigned in the LAN before NAT | 192.168.1.10 | Source IP of packets leaving the server toward the router; visible only within the inside network |
| Inside Global | The public IP that represents the inside host on the internet, the address external clients connect to | 203.0.113.5 | Destination IP of packets arriving from the internet; source IP of packets forwarded out the outside interface |
| Outside Local | The IP address of the external host as seen from inside the network; in standard Static NAT without Destination NAT this equals the Outside Global | 8.8.8.8 | Destination IP of packets sent from the inside host toward the internet; usually identical to Outside Global |
| Outside Global | The real, routable IP address of the external host on the internet | 8.8.8.8 | Source IP of packets arriving from the internet; the actual IP of the remote client or server |
Static NAT translation table entry (permanent — always present):
Pro Inside global      Inside local       Outside local      Outside global
--- 203.0.113.5        192.168.1.10       ---                ---
The "---" for Outside fields = no active session yet.
When a session is active they populate with the remote host's IP.
Inbound packet (external client → inside server):
External client sends: Dst=203.0.113.5
Router translates: Dst=203.0.113.5 → 192.168.1.10
Delivered to server as: Dst=192.168.1.10
Outbound packet (inside server → external client):
Server sends: Src=192.168.1.10
Router translates: Src=192.168.1.10 → 203.0.113.5
Forwarded to internet: Src=203.0.113.5
3. How Static NAT Works — Bidirectional Traffic Flow
Static NAT is bidirectional by design. The permanent mapping allows translation in either direction — inside-to-outside and outside-to-inside. This is the core property that makes it suitable for public-facing servers.
── INBOUND: External client connects to the web server ────────────
Step 1: Client (1.2.3.4) sends HTTP request to 203.0.113.5:80
Step 2: Packet arrives at router's outside interface (Gi0/1)
Dst IP: 203.0.113.5 → matches static mapping
Step 3: Router rewrites: Dst=203.0.113.5 → Dst=192.168.1.10
Step 4: Packet forwarded to web server at 192.168.1.10:80
Step 5: Web server processes the request and sends response
Src: 192.168.1.10 → Dst: 1.2.3.4
Step 6: Router translates outbound reply:
Src=192.168.1.10 → Src=203.0.113.5
Step 7: Client receives HTTP response from 203.0.113.5 ✓
── OUTBOUND: Web server initiates a connection (e.g., for updates) ──
Step 1: Web server sends outbound packet
Src: 192.168.1.10 → Dst: 203.0.113.1 (update server)
Step 2: Packet arrives at router's inside interface (Gi0/0)
Src=192.168.1.10 → matches static mapping
Step 3: Router translates: Src=192.168.1.10 → Src=203.0.113.5
Step 4: Packet forwarded to internet ✓
Key point: The static mapping entry in the NAT table is present at all times, even when no traffic is flowing. This is fundamentally different from Dynamic NAT and PAT, where entries are only created when inside hosts initiate outbound traffic and expire after the session ends. A static entry is configuration rather than state: it survives a reload as long as the running configuration has been saved to startup-config, and it is visible in show ip nat translations with empty Outside fields when idle.
4. Cisco IOS Configuration — Step by Step
Static NAT requires only two elements: interface role assignments and a static mapping command. No ACL or NAT pool is needed.
Step 1 — Assign Interface Roles
Router(config)# interface GigabitEthernet0/0
Router(config-if)# ip nat inside ! LAN-facing / internal interface
Router(config-if)# exit
Router(config)# interface GigabitEthernet0/1
Router(config-if)# ip nat outside ! WAN-facing / internet interface
Router(config-if)# exit
! CRITICAL: Both roles must be configured.
! Without ip nat inside on the LAN interface AND
! ip nat outside on the WAN interface, no translation occurs.
Step 2 — Create the Static Mapping
Router(config)# ip nat inside source static 192.168.1.10 203.0.113.5
! │ │ │
! inside source Inside Local Inside Global
! (LAN→internet) (private IP) (public IP)
! This single command creates the permanent bidirectional mapping.
! No timeout, no pool, no ACL required.
! The mapping is configuration, not state: it survives a reboot once saved
! with copy running-config startup-config.
Multiple Static NAT Entries
Each server requires its own mapping command using a separate public IP for each:
! Web server:
Router(config)# ip nat inside source static 192.168.1.10 203.0.113.5
! Mail server:
Router(config)# ip nat inside source static 192.168.1.11 203.0.113.6
! CCTV/DVR:
Router(config)# ip nat inside source static 10.0.0.100 203.0.113.7
! Each inside device requires its own unique public IP address.
! This is the fundamental scalability limitation of Static NAT.
Complete Configuration at a Glance
! ── Interface roles ──────────────────────────────────────────────
interface GigabitEthernet0/0
ip nat inside
interface GigabitEthernet0/1
ip nat outside
! ── Static mappings ──────────────────────────────────────────────
ip nat inside source static 192.168.1.10 203.0.113.5
ip nat inside source static 192.168.1.11 203.0.113.6
Step 3 — Verify
Router# show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- 203.0.113.5        192.168.1.10       ---                ---
--- 203.0.113.6        192.168.1.11       ---                ---
! Static entries show "---" in the Outside columns when no active session.
! When an active session exists, an additional line shows the remote IP
! and the port numbers of both ends:
tcp 203.0.113.5:80     192.168.1.10:80    1.2.3.4:49320      1.2.3.4:49320
See: Static NAT Configuration Lab | show running-config | show ip interface brief
5. Static NAT with Port Forwarding (Port-Level Static NAT)
Standard Static NAT maps an entire IP address. A variation — sometimes called Port Address Static NAT or port forwarding — maps a specific public IP and port combination to a specific inside IP and port. This allows multiple servers to share a single public IP while remaining individually accessible on different port numbers.
! Scenario: Only one public IP (203.0.113.5) but two internal servers.
! Forward port 80 to the web server and port 25 to the mail server.
Router(config)# ip nat inside source static tcp 192.168.1.10 80 203.0.113.5 80
! External clients → 203.0.113.5:80 → translated → 192.168.1.10:80 (web)
Router(config)# ip nat inside source static tcp 192.168.1.11 25 203.0.113.5 25
! External clients → 203.0.113.5:25 → translated → 192.168.1.11:25 (mail)
! Syntax:
! ip nat inside source static {tcp|udp} [inside-local-IP] [inside-port]
! [inside-global-IP] [global-port]
! Result in NAT table (idle; the Outside columns fill in when a session is active):
Pro Inside global      Inside local       Outside local      Outside global
tcp 203.0.113.5:80     192.168.1.10:80    ---                ---
tcp 203.0.113.5:25     192.168.1.11:25    ---                ---
Port forwarding is widely used on home routers (where a single public IP must serve multiple internal services) and in small business environments. From a CCNA perspective, it combines Static NAT's permanence with port-level specificity. Two practical consequences follow: a port-level entry only translates traffic on that protocol and port, so a server's other outbound connections (updates, DNS) need a separate dynamic or PAT rule; and because only the forwarded ports are reachable from outside, the exposure is narrower than a full one-to-one mapping, although an inbound ACL on the outside interface is still advisable.
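The behaviour described in Sections 3 and 5 (permanent one-to-one entries, port-level entries, and the contrast with dynamic entries that exist only after outbound traffic) is easiest to see in a small model of the translation table. The following is an added example written for this page, not code from the original or from Cisco; the addresses reuse the page's examples, the pool address 203.0.113.20 and host 192.168.1.50 are assumptions, and the model ignores timers and checksums.

```python
"""Model of a NAT table with static one-to-one entries, port-level static
entries (port forwarding) and dynamic entries created only by outbound
traffic. Added example for this page, not code from the original."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass
class NatTable:
    static: dict = field(default_factory=dict)        # inside local -> inside global
    static_ports: dict = field(default_factory=dict)  # (proto, global, gport) -> (local, lport)
    dynamic: dict = field(default_factory=dict)       # inside local -> inside global (session only)
    pool: list = field(default_factory=list)          # free inside global addresses for dynamic NAT

    def add_static(self, inside_local, inside_global):
        self.static[inside_local] = inside_global

    def add_static_port(self, proto, inside_local, lport, inside_global, gport):
        self.static_ports[(proto, inside_global, gport)] = (inside_local, lport)

    def outbound(self, pkt):
        """Inside -> outside: rewrite the source address (and port for port-level entries)."""
        for (proto, g_ip, g_port), (l_ip, l_port) in self.static_ports.items():
            if (proto, l_ip, l_port) == (pkt.proto, pkt.src, pkt.sport):
                return Packet(g_ip, g_port, pkt.dst, pkt.dport, pkt.proto)
        if pkt.src in self.static:
            return Packet(self.static[pkt.src], pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        # dynamic NAT: the entry is created by the first outbound packet
        if pkt.src not in self.dynamic:
            if not self.pool:
                return None  # pool exhausted: packet dropped
            self.dynamic[pkt.src] = self.pool.pop(0)
        return Packet(self.dynamic[pkt.src], pkt.sport, pkt.dst, pkt.dport, pkt.proto)

    def inbound(self, pkt):
        """Outside -> inside: rewrite the destination, or drop when no entry matches."""
        key = (pkt.proto, pkt.dst, pkt.dport)
        if key in self.static_ports:
            l_ip, l_port = self.static_ports[key]
            return Packet(pkt.src, pkt.sport, l_ip, l_port, pkt.proto)
        for l_ip, g_ip in self.static.items():          # always present
            if g_ip == pkt.dst:
                return Packet(pkt.src, pkt.sport, l_ip, pkt.dport, pkt.proto)
        for l_ip, g_ip in self.dynamic.items():         # only while a session exists
            if g_ip == pkt.dst:
                return Packet(pkt.src, pkt.sport, l_ip, pkt.dport, pkt.proto)
        return None


def demo():
    nat = NatTable(pool=["203.0.113.20"])               # assumed dynamic pool address
    nat.add_static("192.168.1.10", "203.0.113.5")
    nat.add_static_port("tcp", "192.168.1.11", 25, "203.0.113.6", 25)
    r = {}
    # inbound to a static mapping works before any outbound traffic
    r["static_in"] = nat.inbound(Packet("1.2.3.4", 49320, "203.0.113.5", 80))
    r["pf_in"] = nat.inbound(Packet("1.2.3.4", 49321, "203.0.113.6", 25))
    # the port-level entry covers port 25 only; port 80 on the same public IP is dropped
    r["pf_other_port"] = nat.inbound(Packet("1.2.3.4", 49322, "203.0.113.6", 80))
    # dynamic host: inbound is dropped until the host itself sends outbound traffic
    r["dyn_in_before"] = nat.inbound(Packet("1.2.3.4", 49323, "203.0.113.20", 22))
    r["dyn_out"] = nat.outbound(Packet("192.168.1.50", 40000, "8.8.8.8", 53, "udp"))
    r["dyn_in_after"] = nat.inbound(Packet("8.8.8.8", 53, "203.0.113.20", 40000, "udp"))
    # the web server's own outbound traffic is rewritten with its Inside Global
    r["static_out"] = nat.outbound(Packet("192.168.1.10", 51000, "203.0.113.1", 443))
    return r


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:15} {pkt}")
```

Run it and compare the `pf_other_port` and `dyn_in_before` results (both dropped) with `static_in` (translated without any prior session): that difference is the whole security story of Section 9.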
6. Verifying Static NAT
| Command | What It Shows | When to Use It |
|---|---|---|
| show ip nat translations | All NAT entries: static entries are always present (even with no active sessions); active sessions add Outside Local/Global addresses and port numbers | Confirm the static mapping exists; verify translations are being created when traffic flows; identify active sessions to the inside server |
| show ip nat translations verbose | Adds creation time and time since last use per entry | Distinguish static (no expiry) from dynamic entries (have timers); diagnose session state |
| show ip nat statistics | Total translations (static + dynamic), hit/miss counters, inside/outside interface assignments, CEF-translated packet counts | Confirm interface roles are set correctly and check translation counts. Hits are packets that matched an existing entry; misses are packets that needed a new entry created, so a rising miss count is normal when sessions start and is not by itself a sign of misconfiguration |
| show ip interface <int> | Reports NAT status per interface: "Network address translation is enabled, interface in domain inside" (or "domain outside"), or "Network address translation is disabled" | Verify interface roles |
| show running-config \| include nat | All NAT-related config lines | Quick audit of all static mapping commands and interface role assignments |
| debug ip nat | Real-time translation events: every translated packet with before/after IP addresses | Active troubleshooting when translations are suspected but not visible in the table; use on low-traffic routers only, and remember it only shows packets that were translated, not packets dropped for lack of an entry or by an ACL |
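When auditing a router, the raw `show ip nat translations` output is easier to reason about once its rows are classified as idle configured entries, configured entries with live sessions, or dynamic entries. The following parser is an added example for this page, not code or output from the original or from Cisco; the `SAMPLE` text is constructed in the format shown above (the port-level entry 203.0.113.7:25 and the dynamic host 192.168.1.50 are assumptions). It treats a row with empty Outside columns as a configured entry, which holds for static NAT; a non-overloaded dynamic pool also creates such rows for the life of a session, so confirm against the running-config when dynamic pools are in use.

```python
"""Classify rows of `show ip nat translations` into idle static entries,
static entries with active sessions, and dynamic entries.
Added example for this page; SAMPLE is constructed output."""
from collections import defaultdict

SAMPLE = """\
Pro Inside global      Inside local       Outside local      Outside global
--- 203.0.113.5        192.168.1.10       ---                ---
--- 203.0.113.6        192.168.1.11       ---                ---
tcp 203.0.113.7:25     192.168.1.12:25    ---                ---
tcp 203.0.113.5:80     192.168.1.10:80    1.2.3.4:49320      1.2.3.4:49320
tcp 203.0.113.5:443    192.168.1.10:443   198.51.100.7:51000 198.51.100.7:51000
udp 203.0.113.20:40000 192.168.1.50:40000 8.8.8.8:53         8.8.8.8:53
"""


def split_addr(field):
    """'203.0.113.5:80' -> ('203.0.113.5', 80); '203.0.113.5' -> ('203.0.113.5', None);
    '---' -> (None, None)."""
    if field == "---":
        return None, None
    ip, _, port = field.partition(":")
    return ip, (int(port) if port else None)


def parse_translations(text):
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] == "Pro":  # skip header and blank lines
            continue
        pro, ig, il, ol, og = parts
        rows.append({"pro": pro,
                     "inside_global": split_addr(ig), "inside_local": split_addr(il),
                     "outside_local": split_addr(ol), "outside_global": split_addr(og)})
    return rows


def classify(rows):
    # Configured entries (one-to-one or port-level) show "---" in the Outside
    # columns and are present whether or not traffic flows.
    static_pairs = {(r["inside_global"][0], r["inside_local"][0])
                    for r in rows if r["outside_global"][0] is None}
    sessions = defaultdict(list)
    dynamic = []
    for r in rows:
        if r["outside_global"][0] is None:
            continue
        pair = (r["inside_global"][0], r["inside_local"][0])
        if pair in static_pairs:
            sessions[pair].append((r["pro"], r["outside_global"]))
        else:
            # no configured entry behind this session: it was created by outbound traffic
            dynamic.append((pair, r["pro"], r["outside_global"]))
    return {"static_idle": sorted(p for p in static_pairs if p not in sessions),
            "static_active": dict(sessions),
            "dynamic": dynamic}


def report(text=SAMPLE):
    return classify(parse_translations(text))


if __name__ == "__main__":
    for key, value in report().items():
        print(key, value)
```

Feed it the captured output of the real command (`report(open("translations.txt").read())`) to get a list of exposed-but-idle mappings, which are the ones most often forgotten when a server is decommissioned (Section 10).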
7. Use Cases for Static NAT
| Use Case | Example | Why Static NAT? |
|---|---|---|
| Public-facing web server | Internal 192.168.1.10 (nginx) → public 203.0.113.5 | Clients must be able to connect inbound to a fixed, predictable IP; DNS records point to this static IP |
| Mail server (SMTP/IMAP) | Internal 192.168.1.20 (mail) → public 203.0.113.6 | MX records require a stable public IP; mail delivery from external MTAs requires inbound connection support |
| Remote access / VPN endpoint | Internal 10.0.0.1 (VPN concentrator) → public 203.0.113.10 | Remote users connect to a known public IP; VPN clients are pre-configured with this address |
| CCTV / DVR remote viewing | Internal 10.0.0.100 (DVR) → public 203.0.113.7 | Mobile apps connect to the DVR's fixed public IP for live and recorded footage. Consumer DVRs are a frequent target of internet-wide scanning, so restrict source addresses in the inbound ACL where possible |
| Legacy systems with fixed IPs | Industrial control system requiring consistent IP for vendor remote support | Vendor's firewall rules and VPN are pre-configured for a specific public IP; cannot use a dynamic mapping. Limit the inbound ACL to the vendor's source addresses |
| Database server for multi-tenant access | Internal 192.168.1.50 (DB) → public 203.0.113.8 | External application partners connect to the DB on a fixed IP/port; whitelisted in their firewalls. Restrict the ACL to the partners' source addresses; a VPN or an API tier in front of the database is the safer design |
8. Static NAT vs Dynamic NAT vs PAT — Full Comparison
| Feature | Static NAT | Dynamic NAT | PAT / NAT Overload |
|---|---|---|---|
| Mapping type | One-to-one (permanent) | Many-to-many (temporary, pool-based) | Many-to-one (port-based, temporary) |
| Mapping duration | Permanent: stays in the NAT table whether or not traffic flows, and survives a reload once the configuration is saved | Session-lifetime; expires on idle timeout | Session-lifetime; expires on idle timeout |
| Inbound connections supported? | Yes — bidirectional; external hosts can initiate connections to the fixed public IP at any time | No — translations only created by outbound traffic; no predictable address for external clients | No — without additional port forwarding rules; port forwarding can enable specific inbound ports |
| Public IPs required | One dedicated public IP per inside device | One pool IP per simultaneous session | Single IP for all sessions (thousands simultaneously) |
| ACL required? | No — the static command directly specifies the mapping | Yes — ACL identifies eligible inside hosts | Yes — ACL identifies eligible inside hosts |
| Translation identifier | IP address only (or IP + port for port forwarding) | IP address only | IP address + Layer 4 source port number |
| Key configuration command | ip nat inside source static [local] [global] | ip nat inside source list [acl] pool [name] | ip nat inside source list [acl] interface [int] overload |
| Scalability | Low: one public IP consumed per inside host | Moderate: limited by pool size | Very high: tens of thousands of concurrent sessions per public IP (the 16-bit port space, per transport protocol, is the ceiling) |
| Typical use case | Internet-facing servers (web, mail, VPN, CCTV) that must be reachable from the internet | Medium enterprise with a small public IP block and apps that need real (unshared) public IPs | Home and office internet sharing — the overwhelming majority of real-world NAT deployments |
9. Security Considerations
Static NAT exposes an inside host to the public internet by design — it is the mechanism that enables inbound access. This means the security implications are significantly different from Dynamic NAT or PAT, where inside hosts are unreachable from outside by default.
| Consideration | Detail and Mitigation |
|---|---|
| Full IP exposure | The entire public IP is reachable on all ports by default. Unlike PAT (where no port is open unless specifically forwarded), a Static NAT entry with no ACL means any external host can attempt to connect to any TCP/UDP port on the inside server. Always pair Static NAT with an inbound ACL on the outside interface to restrict which ports are accessible. |
| ACL filtering is essential | Apply an extended ACL inbound on the outside interface to permit only the specific protocols and ports needed, e.g. only TCP/80 and TCP/443 to the web server's public IP, denying everything else. Two IOS ordering facts matter: for outside-to-inside traffic the inbound ACL is evaluated before NAT, so the ACL must match the Inside Global (public) address, not the Inside Local; and the same inbound ACL also filters the replies to connections the server itself initiates, so those need a permit (for TCP, a permit tcp any any established line; a stateful feature such as a zone-based firewall is the better answer) |
| No port-level control from NAT alone | Standard Static NAT translates the IP address only — not individual ports. Port-level control requires either port-forward static NAT entries or a firewall in front of the server. |
| Inside host is fully responsible for its own security | NAT is not a substitute for patching, a host-based firewall, or secure service configuration on the inside server. A vulnerable service on the server is directly exploitable once a Static NAT entry exists. |
| NAT does not hide the inside IP from logged traffic | Logs on the inside server show the real client IPs. Logs on the NAT router show both the public destination (Inside Global) and the inside server's real IP (Inside Local). This is useful for forensics but should be factored into privacy and logging policies. |
| Consider a DMZ architecture | For production internet-facing servers, place them in a dedicated DMZ segment with a firewall on both sides (internet-facing and LAN-facing). Static NAT alone provides only address translation — a full firewall provides stateful inspection and application-layer filtering. |
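The checks in this table (interface roles present, an inbound ACL on the outside interface, every mapping covered by a port-restricted permit on its Inside Global address, no ACL line written against an Inside Local address) can be run mechanically against a saved running-config. The audit below is an added example for this page, not code from the original or a Cisco tool; the configuration text is constructed, the ACL name INBOUND_FILTER follows Section 12, and only one-to-one static entries are parsed (port-level entries and object groups are out of scope).

```python
"""Audit an IOS running-config for static NAT exposure.
Added example for this page; SAMPLE_CONFIG is constructed."""
import re

SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 ip nat inside
interface GigabitEthernet0/1
 ip nat outside
 ip access-group INBOUND_FILTER in
ip nat inside source static 192.168.1.10 203.0.113.5
ip nat inside source static 192.168.1.20 203.0.113.6
ip nat inside source static 192.168.1.30 203.0.113.7
ip access-list extended INBOUND_FILTER
 10 permit tcp any host 203.0.113.5 eq 80
 20 permit tcp any host 203.0.113.5 eq 443
 30 permit tcp any host 192.168.1.20 eq 25
 40 deny ip any any log
"""

# one-to-one mappings only; "static tcp/udp" port-level entries are not parsed here
STATIC_RE = re.compile(r"^ip nat inside source static (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)$")
ACE_RE = re.compile(r"^\s*(?:\d+\s+)?(permit|deny)\s+(\S+)\s+(.+?)\s+host\s+(\S+)(?:\s+eq\s+(\S+))?")


def parse_config(text):
    cfg = {"inside": [], "outside": [], "static": {}, "acl_in": {}, "acls": {}}
    ctx = None  # ("if", name) or ("acl", name) for the block currently being read
    for line in text.splitlines():
        if m := re.match(r"^interface (\S+)", line):
            ctx = ("if", m.group(1))
        elif m := re.match(r"^ip access-list (?:extended|standard) (\S+)", line):
            ctx = ("acl", m.group(1))
            cfg["acls"][ctx[1]] = []
        elif m := STATIC_RE.match(line):
            cfg["static"][m.group(1)] = m.group(2)  # inside local -> inside global
        elif ctx and ctx[0] == "if":
            if line.strip() == "ip nat inside":
                cfg["inside"].append(ctx[1])
            elif line.strip() == "ip nat outside":
                cfg["outside"].append(ctx[1])
            elif m := re.match(r"^\s*ip access-group (\S+) in$", line):
                cfg["acl_in"][ctx[1]] = m.group(1)
        elif ctx and ctx[0] == "acl" and (m := ACE_RE.match(line)):
            cfg["acls"][ctx[1]].append(m.groups())  # (action, proto, src, host, port)
    return cfg


def audit(cfg):
    findings = []
    if not cfg["inside"] or not cfg["outside"]:
        findings.append("interface roles incomplete: no translation will occur")
    inside_locals = set(cfg["static"])
    for outside_if in cfg["outside"]:
        acl_name = cfg["acl_in"].get(outside_if)
        if acl_name is None:
            for local, glob in cfg["static"].items():
                findings.append(f"{glob}->{local}: no inbound ACL on {outside_if}; all ports exposed")
            continue
        aces = cfg["acls"].get(acl_name, [])
        # Inbound ACLs on the outside interface are evaluated before NAT, so an
        # entry that names the Inside Local address can never match.
        for action, proto, _src, host, _port in aces:
            if host in inside_locals:
                findings.append(f"ACL {acl_name}: '{action} {proto} ... host {host}' names an "
                                f"Inside Local address and will never match inbound traffic")
        for local, glob in cfg["static"].items():
            permits = [(p, port) for a, p, _s, h, port in aces if a == "permit" and h == glob]
            if not permits:
                findings.append(f"{glob}->{local}: no permit in {acl_name}; nothing reaches {local}")
            elif any(p in ("ip", "tcp", "udp") and port is None for p, port in permits):
                findings.append(f"{glob}->{local}: permit without a port restriction")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_config(SAMPLE_CONFIG)):
        print(finding)
```

On the sample it reports the line 30 mistake (an ACL entry against 192.168.1.20 instead of 203.0.113.6) and the two mappings that the ACL never permits; delete the access-group line and every mapping is instead reported as fully exposed.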
10. Limitations of Static NAT
| Limitation | Detail | Alternative |
|---|---|---|
| One public IP per inside device | Every server that needs to be independently reachable from the internet requires its own dedicated public IP address. With five servers, five public IPs are consumed permanently — regardless of whether they are receiving traffic. | Port-forwarding static NAT entries (Section 5) can allow multiple servers to share one IP on different ports |
| No scalability for outbound users | Static NAT is designed for servers, not for general internet access by many clients. Using Static NAT for 100 internal users would require 100 public IPs. | PAT Lab allows thousands of users to share a single public IP |
| Manual configuration and maintenance | Each mapping must be configured individually. When a server is decommissioned or its internal IP changes, the static entry must be manually updated. | Good documentation and change management processes; scripted configuration management |
| No IP conservation | Public IPs are consumed even when the mapped inside host is powered off or not sending any traffic. The mapping persists unconditionally. | Remove unused static entries; use Dynamic NAT when the host only needs outbound access |
11. Troubleshooting Static NAT
| Symptom | Likely Cause | Diagnostic Steps |
|---|---|---|
| Static entry not visible in show ip nat translations | Mapping command not entered; typo in IP address; command entered under wrong config mode | show running-config \| include nat to confirm the ip nat inside source static command is present with correct IPs |
| Entry is present but external clients cannot reach the server | Interface roles missing or on wrong interfaces; ISP is not routing the public IP to this router; an ACL on the outside interface is blocking inbound traffic | show ip nat statistics and show ip interface Gi0/1 to confirm the inside/outside roles; verify ISP routing with a traceroute from an external host; check show access-lists for an inbound ACL on Gi0/1 (it must permit the Inside Global address, because it is evaluated before NAT). If the Inside Global is on the outside interface's own subnet, IOS answers ARP for it automatically (the static entry installs an alias, listed by show ip aliases); if it is a separately routed block, confirm with the ISP that it is routed to the router's WAN address |
| Inbound connections time out; server never receives traffic | Server's default gateway is not set to the NAT router; server-side firewall (iptables, Windows Firewall) blocking the service port; service is not listening | Ping the server from within the LAN; confirm the gateway with netstat -rn (or ip route) on the server; confirm the service is listening with netstat -an \| grep 80 or ss -ltn |
| Outbound from the server works but inbound does not | An upstream stateful firewall or ISP filter allows the server's own sessions and their replies but blocks new inbound connections; the inbound ACL on Gi0/1 permits established traffic but not the service port; the server's host firewall allows outbound only | Attempt a connection from an external host while debug ip nat runs: if no inbound translation event appears, the packet never reached NAT and was dropped upstream or by the inbound ACL; review show access-lists for the service port and confirm the upstream filtering with the ISP |
| Traffic appears translated in the table but replies are dropped | Asymmetric routing: reply packets are returning through a different path that does not have the NAT state | Trace the return path; ensure all traffic for a session traverses the same NAT router; use debug ip nat to confirm both directions are being translated |
Debug Commands
! Enable real-time NAT translation events:
Router# debug ip nat
! Sample output — inbound translation (internet → server):
NAT: s=1.2.3.4, d=203.0.113.5->192.168.1.10 [1001]
! Sample output — outbound translation (server → internet):
NAT*: s=192.168.1.10->203.0.113.5, d=1.2.3.4 [1001]
! The asterisk (*) marks a translation done in the fast/CEF path (normal
! for forwarded traffic). No asterisk = process-switched, which is expected
! for the first packet of a session, which creates the table entry.
! The number in brackets is the IP identification field of the packet,
! useful for matching a debug line against a capture; it is not a session ID.
! Turn off debug:
Router# no debug ip nat (or: undebug all)
! Show statistics:
Router# show ip nat statistics
! Clear dynamic entries (static entries are NOT removed by this command):
Router# clear ip nat translation *
See: show ip route | show running-config | ACL Configuration | Troubleshooting NAT/PAT Lab
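The asymmetric-routing row above tells you to use debug ip nat to confirm both directions are translated; on a busy router that means reading many lines. The parser below is an added example for this page, not code or output from the original or from Cisco: it reads debug ip nat lines in the format shown above, works out from which address was rewritten whether each event was inbound or outbound, and reports (inside host, remote host) pairs seen in only one direction. The sample lines are constructed; hosts 198.51.100.7, 192.168.1.20, 192.168.1.50 and the translation 203.0.113.20 are assumptions.

```python
"""Parse `debug ip nat` lines and flag sessions translated in only one
direction (asymmetric return path, or a drop before/after this router).
Added example for this page; SAMPLE_DEBUG is constructed."""
import re
from collections import defaultdict

SAMPLE_DEBUG = """\
NAT: s=1.2.3.4, d=203.0.113.5->192.168.1.10 [1001]
NAT*: s=192.168.1.10->203.0.113.5, d=1.2.3.4 [2310]
NAT: s=198.51.100.7, d=203.0.113.6->192.168.1.20 [1002]
NAT: s=198.51.100.7, d=203.0.113.6->192.168.1.20 [1003]
NAT*: s=192.168.1.50->203.0.113.20, d=8.8.8.8 [44]
"""

LINE_RE = re.compile(r"^NAT(\*?): s=([^,]+), d=(\S+) \[(\d+)\]$")


def parse_debug_line(line):
    """Return a dict describing one translation event, or None for other lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    star, src, dst, ipid = m.groups()
    s_before, _, s_after = src.partition("->")
    d_before, _, d_after = dst.partition("->")
    if s_after:   # source rewritten: inside local -> inside global (outbound)
        return {"direction": "outbound", "inside_local": s_before,
                "inside_global": s_after, "remote": d_before,
                "cef": star == "*", "ipid": int(ipid)}
    if d_after:   # destination rewritten: inside global -> inside local (inbound)
        return {"direction": "inbound", "inside_local": d_after,
                "inside_global": d_before, "remote": s_before,
                "cef": star == "*", "ipid": int(ipid)}
    return None


def check_symmetry(events):
    """Group events by (inside local, remote host) and report which pairs were
    seen in both directions, inbound only, or outbound only."""
    seen = defaultdict(set)
    for ev in events:
        if ev:
            seen[(ev["inside_local"], ev["remote"])].add(ev["direction"])
    result = {"ok": [], "inbound_only": [], "outbound_only": []}
    for pair, dirs in sorted(seen.items(), key=lambda kv: kv[0]):
        if dirs == {"inbound", "outbound"}:
            result["ok"].append(pair)
        elif dirs == {"inbound"}:
            result["inbound_only"].append(pair)   # server reply never translated here
        else:
            result["outbound_only"].append(pair)  # reply never reached this router
    return result


def analyse(text=SAMPLE_DEBUG):
    return check_symmetry(parse_debug_line(line) for line in text.splitlines())


if __name__ == "__main__":
    for kind, pairs in analyse().items():
        print(kind, pairs)
```

An inbound-only pair points at the server side (wrong default gateway, host firewall, or a reply leaving via another router); an outbound-only pair points at the ISP or an upstream filter, since the reply never arrived to be translated. Capture the debug output to a file with logging, then run `analyse(open("nat-debug.log").read())`.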
12. Complete End-to-End Scenario
A company runs three internal servers and needs each to be independently accessible from the internet on a dedicated public IP. The ISP routes a small block of public addresses to R1's WAN address (a routed block, not the WAN link subnet itself); this scenario uses 203.0.113.5, .6 and .7 from it. The internal LAN is 192.168.1.0/24.
Network diagram:
Internet ── Gi0/1 [Router R1] Gi0/0 ── 192.168.1.0/24
├── 192.168.1.10 (web server)
├── 192.168.1.20 (mail server)
└── 192.168.1.30 (VPN endpoint)
! ── Step 1: Interface roles ────────────────────────────────────
R1(config)# interface GigabitEthernet0/0
R1(config-if)# ip nat inside
R1(config-if)# exit
R1(config)# interface GigabitEthernet0/1
R1(config-if)# ip nat outside
R1(config-if)# exit
! ── Step 2: Static mappings ─────────────────────────────────────
R1(config)# ip nat inside source static 192.168.1.10 203.0.113.5
R1(config)# ip nat inside source static 192.168.1.20 203.0.113.6
R1(config)# ip nat inside source static 192.168.1.30 203.0.113.7
! ── Step 3: ACL to restrict inbound access ──────────────────────
! Inbound ACLs on the outside interface are evaluated before NAT,
! so every host entry names the Inside Global (public) address.
R1(config)# ip access-list extended INBOUND_FILTER
R1(config-ext-nacl)# 10 permit tcp any host 203.0.113.5 eq 80
R1(config-ext-nacl)# 20 permit tcp any host 203.0.113.5 eq 443
R1(config-ext-nacl)# 30 permit tcp any host 203.0.113.6 eq 25
R1(config-ext-nacl)# 40 permit tcp any host 203.0.113.6 eq 993
! IPsec VPN endpoint: IKE (UDP/500), NAT-T (UDP/4500) and ESP (IP protocol 50)
R1(config-ext-nacl)# 50 permit udp any host 203.0.113.7 eq 500
R1(config-ext-nacl)# 51 permit udp any host 203.0.113.7 eq 4500
R1(config-ext-nacl)# 52 permit esp any host 203.0.113.7
! Replies to connections the servers initiate (updates, DNS) also arrive
! inbound on Gi0/1. "established" admits TCP segments with ACK or RST set;
! it is not stateful, and UDP replies such as DNS need their own permits,
! so a zone-based firewall is the stronger option for this role.
R1(config-ext-nacl)# 55 permit tcp any any established
R1(config-ext-nacl)# 60 deny ip any any log
R1(config-ext-nacl)# exit
R1(config)# interface GigabitEthernet0/1
R1(config-if)# ip access-group INBOUND_FILTER in
! ── Step 4: Verify ───────────────────────────────────────────────
R1# show ip nat translations
R1# show ip nat statistics
R1# show ip interface GigabitEthernet0/1
13. Static NAT in IPv6
Static NAT as described in this guide applies to IPv4. In IPv6, the enormous address space (2^128 addresses) eliminates the scarcity that motivated NAT in IPv4: every device can have its own globally routable IPv6 address without translation.
However, two related IPv6 mechanisms exist for specific use cases:
- NAT64 (RFC 6146) translates between IPv6 and IPv4 networks; in its common stateful form it lets IPv6-only clients reach IPv4 servers, and it is used during the IPv4-to-IPv6 migration period.
- NPTv6 (Network Prefix Translation for IPv6, RFC 6296) translates one IPv6 prefix to another, statelessly and one-to-one; it is sometimes used in multi-homed networks that rely on provider-assigned prefixes. It is conceptually similar to Static NAT but prefix-based rather than host-based.
See: IPv6
14. Exam Tips & Key Points
- Static NAT creates a permanent one-to-one mapping that is always in the NAT table, survives reboots, and enables bidirectional traffic — both inside-to-outside and outside-to-inside.
- The Inside Local is the private IP; the Inside Global is the public IP it maps to. Outside Local and Outside Global are both the external destination IP in standard Static NAT (equal, no Destination NAT).
- Static NAT requires only two configuration elements: interface roles (ip nat inside / ip nat outside) and the mapping command (ip nat inside source static [local] [global]). No ACL or pool is needed.
- Unlike Dynamic NAT, Static NAT does not require an ACL to function. The static command directly specifies which inside host is being mapped.
- Inbound connections are supported; this is the key distinguishing feature from Dynamic NAT and PAT. External hosts can reach the inside server by connecting to its Inside Global (public) IP.
- Static NAT entries show --- in the Outside columns of show ip nat translations when idle. When a session is active, the remote IP populates those fields.
- clear ip nat translation * removes dynamic entries only; static entries are never removed by this command. Remove a static entry with no ip nat inside source static [local] [global].
- For port-level control, pair Static NAT with an inbound ACL on the outside interface; Static NAT alone exposes all ports.
15. Summary Reference Table
| Topic | Static NAT Detail |
|---|---|
| NAT type | One-to-one permanent mapping |
| Mapping command | ip nat inside source static <inside-local> <inside-global> |
| Port forwarding variant | ip nat inside source static tcp <local-ip> <local-port> <global-ip> <global-port> |
| Inside interface | ip nat inside |
| Outside interface | ip nat outside |
| ACL required? | No — static command is self-contained; ACL is recommended separately for security filtering |
| Inbound connections | Supported — bidirectional; external hosts initiate to Inside Global IP |
| Verify translations | show ip nat translations |
| Entry persistence | Permanent: present even with no active traffic; survives clear ip nat translation * |
| Remove static entry | no ip nat inside source static <local> <global> |
| Scalability limitation | One public IP consumed per inside device — low scalability |
| Best used for | Internet-facing servers: web, mail, VPN endpoints, CCTV/DVR, any host that must accept inbound connections from the internet |