Network Address Translation Lab

Network Address Translation Lab


The purpose of this exercise is to learn how to configure NAT for a campus network. We will be setting up NAT on the border router so that the campus private IPv4 address space (172.2X.0.0/16) will be NATed so that devices using that private address space can reach the public Internet.

Setting up NAT on the Border Router

NOTE: Make sure you replace X with your Campus number.

Create a pool of addresses to use for NAT:

ip nat pool CAMPUSX 100.68.X.33 100.68.X.46 prefix-length 28

Create an access list that defines the addresses that should be translated:

ip access-list extended NATplus
 remark Do not NAT NREN address space
 deny   ip any 
 remark Do not NAT our public address space
 deny ip 100.68.X.0 any
 remark NAT traffic which goes to the Internet
 permit ip 172.2X.0.0 any
 remark Do not NAT anything else - and log anything that gets this far
 deny ip any any log

Link the access list and the address pool together:

ip nat inside source list NATplus pool CAMPUSX overload

The command you have just entered will look for incoming packets matching the NATplus list, and translate them into the address specified in CAMPUSX. The overload command ensures that the router can map many internal addresses to the small range of external public addresses. Without overload, the router NAT will simply map one internal address to one external address – and with only 14 addresses in the CAMPUSX pool, that would mean only 14 internal addresses would be NATed before the pool is exhausted.

Now add the address translation to the network interfaces of the Border router:

interface GigabitEthernet0/0
 description Link to NREN
 ip nat outside
interface GigabitEthernet0/1
 description Link to Core Router
 ip nat inside


Log into one of your switches. These have addresses in the 172.2X.0.0/16 range.

Can you ping your border router?

Now try to ping the NREN Transit router on – does it work?

Can you ping This is the default gateway in the workshop network.

The Transit router doesn’t know anything about your 172.2X.0.0/16 so if the Network Address Translation is working then the original IP address of the packet has been translated into the range:

100.68.X.32 100.68.X.47

You can use the command

show ip nat translations
show ip nat translations verbose

on your Border router to see what’s happening.

Can you ping hosts on the wider Internet from one of your switches? For example, can you ping

If the ping works, try using trace to What do you see?

NAT timeouts

After a traceroute to on the edge switches, look at the NAT state on the border router:

bdr1.campus1#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
... etc

Traceroute cycles through UDP ports for each hop, and generates NAT state for each one. The default settings keep these generic UDP translations open for 300 seconds, and 60 seconds for DNS and ICMP.

You can save memory and NAT ports on your router by making them expire more quickly:

ip nat translation udp-timeout 30
ip nat translation dns-timeout 30
ip nat translation icmp-timeout 30

Additional Exercise

If you have completed the above and demonstrated that it is all working, and you have some spare time, try this configuration.

Rather than having one NAT pool for the entire campus, NAT the private IPv4 address space used for each class of user into its own pool. So for example, NAT the MGMT address space into one public address, the STAFF1 address space into another public pool, and the STUDENT1 address space into a third public pool, etc.

Ask the instructors if you need any help – use the example above to guide you for this scenario.

Hint 1 – use this table for your NAT mapping:

VLANInternal Address BlockExternal Address
MGMT1, MGMT2172.2X.10.0/24 & 172.2X.20.0/24100.68.X.33

Hint 2 – set up a pool for each VLAN and set up a mapping for each pool

Once you have made it work, show the workshop instructors.

Question: why can we not use 100.68.X.32 and 100.68.X.47 in the above?

Answer: We have noted that the subnet is a /28, and Cisco IOS treats the first and last address as unavailable for NAT as they are network and broadcast address respectively. This means that in the /28, 100.68.X.32 and 100.68.X.47 are unusable for the NAT pool.

YSO Avatar