• Rewrites source IP addresses in packet
    • Normally to hide internal IP addresses.
    • Can also resolve overlapping subnet issues
  • Destination IP rewrite may be used for redirection.
    • Normally configured as static mapping.
  • Port Address Translation
    • Many to one translation based on TCP/UDP ports.
    • Common overload.
  • Inside zone – networks translator wants to hide.
    • Inside local – Inside IPs before translation.
    • Inside global – Inside IPs after translation.
  • Outside zone – networks that are external to translator.
    • Outside Global – Original outside IP.
    • Outside Local – Outside IP after translation as its seen inside.
  • On the inside
    • Packets are first routed and then have sources translated.
    • Destination addresses are global so this is ok.
  • On the outside
    • Packets have destinations untranslated first.
    • Routing occurs after translation
    • Allows proper routing for returning packets with translated sources.

The topology above shows a host on the internal RFC 1918 network R6 will be doing some NAT functions to the ‘Internet’. R6 has private IP on the link to host, and public on the link to R4.

Static 1:1

On R6 we need to first enter which interface is outside and which inside.

And the static 1:1 command:

Now if we telnet from ‘Host’ to ‘Internet’ at and then look at the users on the box, we’ll see that the source IP address for the telnet session is the public NAT IP

Can be seen on R6 that’s doing the NAT as well.


1:1 has been erased off R6 and now we’re doing one to many PAT.

Access-list referencing the subnets that will use the PAT.

And the NAT statement that references the access list then specifies which interface we’re doing the port address translation on. ‘Overload’ at the end is needed as well.

Now when we run our telnet again to, we’ll see where we’re coming from.

We now get translated to R6’s ‘outside’ interface.

Policy NAT:

First we’re going to do a port forward from the ‘Internet’ router directly to the host. We’re going to pull an IP out of the IP block from the outside interface of R6.

We are mapping the port 6500 and the IP of to the inside port of 23 and the IP of We can see this when looking at the nat translations from R6.

This is after telnetting from Internet to Host.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s