Network Address Translation (NAT)

NAT Tutorial – CCNA Step-by-Step Guide

1. What Is NAT?

Network Address Translation (NAT) is the process of changing IP address information in a packet as it passes through a router. NAT is commonly used to allow private internal devices to communicate with public networks such as the Internet.

Simple definition: NAT lets private IP addresses use public IP addresses when they communicate outside the local network.

Purpose of NAT

  • Allows private IPv4 addresses to communicate with public networks.
  • Conserves public IPv4 addresses by allowing many private hosts to share fewer public IPs.
  • Hides internal private addressing from outside networks.
  • Allows inside servers to be reachable from outside using static NAT or static PAT.
  • Helps connect networks that use private addressing to an ISP or Internet-facing network.

When, Where, How, and Who of NAT

| Question | Answer | Using This Topology |
|---|---|---|
| When? | NAT happens when traffic crosses between an inside interface and an outside interface. | When PC0 or the Internal Web Server sends traffic from 172.16.0.0/24 toward 200.0.0.1 or another outside network. |
| Where? | NAT is configured on the edge router between the private LAN and the ISP. | NAT is configured on the Gateway router, between Fa0/0 and Fa0/1. |
| How? | The router rewrites source or destination IP addresses and may also track port numbers. | Gateway changes 172.16.0.6 to 50.199.145.1 when PAT is used. |
| Who? | A router, firewall, or Layer 3 security device usually performs NAT. | The Gateway router performs NAT for the inside LAN. |

Analogy: School Front Office

Imagine students inside a school want to call people outside the school. The students do not give out their personal classroom phone extensions. Instead, the school front office places the call using the school’s main phone number. When someone calls back, the front office knows which student or classroom should receive the call.

In this analogy:

  • Student classroom extension = inside local private IP
  • School main phone number = inside global public IP
  • Front office = NAT router
  • Outside caller = external Internet host

Quick NAT Type Summary

Static NAT

  • One private IP maps to one public IP.
  • Mapping is permanent.
  • Best for internal servers that need outside access.
  • Example: 172.16.0.5 ↔ 50.199.145.1

Dynamic NAT

  • Private hosts use public IPs from a pool.
  • Mapping is created only when traffic starts.
  • Requires enough public IPs for active users.
  • If the pool runs out, new translations fail.

PAT / NAT Overload

  • Many private hosts share one public IP.
  • Uses port numbers to track sessions.
  • Most common NAT type in real networks.
  • Example: many 172.16.0.0/24 hosts share 50.199.145.1.

Static PAT

  • Maps a public IP and port to a private IP and port.
  • Also called port forwarding.
  • Best for publishing one service, such as HTTP or SSH.
  • Example: 50.199.145.1:80 → 172.16.0.5:80

2. Topology Used in This Tutorial

This tutorial uses your updated topology with a private LAN, a Gateway router, an ISP router, an external web server, and a home network.

INSIDE LAN                         PUBLIC / ISP LINK                  OUTSIDE NETWORK
172.16.0.0/24                      50.199.145.0/29                   200.0.0.0/24

 PC0              Switch1              Gateway Router                 ISP Router             External Web Server
172.16.0.6 ---- 172.16.0.10 ---- Fa0/0 172.16.0.1              Fa0/1 50.199.145.6 ---- Fa0 200.0.0.1
                                      Fa0/1 50.199.145.1 -------------

 Internal Web Server
 172.16.0.5

Extra outside/home side:
ISP Eth0/0/0 180.10.0.1 ---- Home Router WAN 180.0.0.2 ---- Home User 192.168.0.2

Device and Interface Table

| Device | Hostname | Interface | IP Address | Role |
|---|---|---|---|---|
| Router | Gateway | Fa0/0 | 172.16.0.1/24 | Inside LAN interface |
| Router | Gateway | Fa0/1 | 50.199.145.1/29 | Outside public-facing interface |
| Router | ISP | Fa0/1 | 50.199.145.6/29 | Connected to Gateway |
| Router | ISP | Fa0/0 | 200.0.0.100/24 | External server network |
| Router | ISP | Eth0/0/0 | 180.10.0.1 | Cloud/home network side |
| Switch | Switch1 | VLAN 1 | 172.16.0.10/24 | Management IP |
| PC | PC0 | Fa0 | 172.16.0.6/24 | Inside client |
| Server | Internal Web Server | Fa0 | 172.16.0.5/24 | Inside server |
| Server | External Web Server | Fa0 | 200.0.0.1/24 | Outside server |
| Router | Home Wireless Router | WAN | 180.0.0.2 | Home outside router |
| Router | Home Wireless Router | LAN | 192.168.0.1 | Home LAN gateway |
| PC | Home Wireless User | Wireless | 192.168.0.2 | Home client |

3. NAT Terminology Using This Topology

| NAT Term | Example IP | Device | Explanation |
|---|---|---|---|
| Inside Local | 172.16.0.6 | PC0 | The real private IP address of an inside device. |
| Inside Local | 172.16.0.5 | Internal Web Server | The real private IP address of the inside web server. |
| Inside Global | 50.199.145.1 | Gateway Fa0/1 public address | The public IP address representing an inside device to the outside world. |
| Outside Global | 200.0.0.1 | External Web Server | The real IP address of the outside device. |
| Outside Local | 200.0.0.1 | External Web Server as seen internally | How the inside network sees the outside host. Usually the same as outside global unless outside NAT is used. |

Important: In this lab, the working public/inside global address is 50.199.145.1, which is assigned to Gateway Fa0/1. The ISP next-hop gateway is 50.199.145.6. For Dynamic NAT pools, only use addresses that are actually available in your lab design.

4. Gateway Router Base Configuration Before NAT

Before applying NAT, the router must have working interfaces and a default route toward the ISP.

Gateway> enable
Gateway# configure terminal
Gateway(config)# hostname Gateway

Gateway(config)# interface FastEthernet0/0
Gateway(config-if)# description *** Connected to Switch1 - INSIDE LAN 172.16.0.0/24 ***
Gateway(config-if)# ip address 172.16.0.1 255.255.255.0
Gateway(config-if)# no shutdown
Gateway(config-if)# exit

Gateway(config)# interface FastEthernet0/1
Gateway(config-if)# description *** Connected to ISP Fa0/1 - OUTSIDE PUBLIC LINK 50.199.145.0/29 ***
Gateway(config-if)# ip address 50.199.145.1 255.255.255.248
Gateway(config-if)# no shutdown
Gateway(config-if)# exit

Gateway(config)# ip route 0.0.0.0 0.0.0.0 50.199.145.6
Gateway(config)# end
Gateway# write memory

Command Breakdown

| Command | Purpose |
|---|---|
| interface FastEthernet0/0 | Enters the LAN interface connected to Switch1. |
| ip address 172.16.0.1 255.255.255.0 | Assigns the Gateway router’s LAN IP address. |
| interface FastEthernet0/1 | Enters the WAN/public interface connected to the ISP. |
| ip address 50.199.145.1 255.255.255.248 | Assigns the Gateway router’s public-facing IP address. |
| ip route 0.0.0.0 0.0.0.0 50.199.145.6 | Sends unknown destination traffic to the ISP router. |

5. Static NAT Configuration

Static NAT creates a permanent one-to-one mapping between one private IP address and one public IP address.

Use Static NAT when: an internal server needs to be reachable from outside using the same public IP every time.

Goal

Map the Internal Web Server 172.16.0.5 to public IP 50.199.145.1.

Gateway> enable
Gateway# configure terminal

Gateway(config)# interface FastEthernet0/0
Gateway(config-if)# ip nat inside
Gateway(config-if)# exit

Gateway(config)# interface FastEthernet0/1
Gateway(config-if)# ip nat outside
Gateway(config-if)# exit

Gateway(config)# ip nat inside source static 172.16.0.5 50.199.145.1
Gateway(config)# end

Command Breakdown

| Command | Description |
|---|---|
| ip nat inside | Marks Fa0/0 as the private/LAN side of NAT. |
| ip nat outside | Marks Fa0/1 as the public/ISP side of NAT. |
| ip nat inside source static 172.16.0.5 50.199.145.1 | Permanently translates inside local address 172.16.0.5 to inside global address 50.199.145.1. |

Expected show ip nat translations Output

Gateway# show ip nat translations
Pro  Inside global         Inside local        Outside local      Outside global
---  50.199.145.1          172.16.0.5          ---                ---

Output Description

| Column | Meaning |
|---|---|
| Pro | Protocol. Static entries may show --- because no specific TCP/UDP/ICMP session is being displayed. |
| Inside global | The public IP used to represent the internal server: 50.199.145.1. |
| Inside local | The real private IP of the internal server: 172.16.0.5. |
| Outside local/global | Blank because no outside host session is active yet. |

After External Web Server Accesses Internal Server

Gateway# show ip nat translations
Pro  Inside global         Inside local        Outside local      Outside global
tcp  50.199.145.1:80       172.16.0.5:80       200.0.0.1:49152    200.0.0.1:49152
---  50.199.145.1          172.16.0.5          ---                ---

The TCP line appears because an actual web session is active. The static entry remains because static NAT is permanent.

6. Dynamic NAT Configuration

Dynamic NAT uses a pool of public IP addresses. Internal hosts receive a public address from the pool only when they generate traffic.

Use Dynamic NAT when: you have multiple public IP addresses and want inside devices to borrow them as needed.

Goal

Allow hosts in 172.16.0.0/24 to dynamically translate using an available public pool. In this lab, 50.199.145.1 is the Gateway public interface and 50.199.145.6 is the ISP gateway. Use 50.199.145.1 for PAT/overload testing. Only use 50.199.145.2 - 50.199.145.5 as a Dynamic NAT pool if those addresses are available and routed to the Gateway.

Gateway> enable
Gateway# configure terminal

Gateway(config)# interface FastEthernet0/0
Gateway(config-if)# ip nat inside
Gateway(config-if)# exit

Gateway(config)# interface FastEthernet0/1
Gateway(config-if)# ip nat outside
Gateway(config-if)# exit

Gateway(config)# access-list 1 permit 172.16.0.0 0.0.0.255
Gateway(config)# ip nat pool PUBLIC_POOL 50.199.145.2 50.199.145.5 netmask 255.255.255.248
Gateway(config)# ip nat inside source list 1 pool PUBLIC_POOL
Gateway(config)# end

Command Breakdown

| Command | Description |
|---|---|
| access-list 1 permit 172.16.0.0 0.0.0.255 | Identifies which inside local addresses are allowed to be translated. |
| ip nat pool PUBLIC_POOL 50.199.145.2 50.199.145.5 netmask 255.255.255.248 | Creates a pool of public addresses for Dynamic NAT only if those addresses are available in your lab. |
| ip nat inside source list 1 pool PUBLIC_POOL | Connects ACL 1 to the NAT pool. Matching inside hosts will use the pool. |

Before Traffic

Gateway# show ip nat translations
Gateway#

No entries appear because Dynamic NAT does not create translations until traffic matches the ACL.

After PC0 Pings External Web Server

PC0> ping 200.0.0.1

Gateway# show ip nat translations
Pro  Inside global         Inside local        Outside local      Outside global
icmp 50.199.145.1:1        172.16.0.6:1        200.0.0.1:1        200.0.0.1:1
---  50.199.145.1          172.16.0.6          ---                ---

Output Description

  • 172.16.0.6 is the inside local address of PC0.
  • 50.199.145.1 is borrowed from the NAT pool.
  • 200.0.0.1 is the outside web server.
  • The translation will eventually time out if no traffic continues.

7. NAT Overload / PAT Configuration

PAT, also called NAT Overload, allows many inside devices to share one public IP address by using different port numbers.

Most common real-world NAT: PAT is what most homes, schools, and businesses use when many users share one Internet connection.

Analogy: Apartment Building Mailroom

Many people live at one street address, but each person has a different apartment number. PAT works the same way. Many inside devices share one public IP address, but the router tracks each session using port numbers.

Goal

Allow all inside hosts on 172.16.0.0/24 to share Gateway public interface IP 50.199.145.1.

Gateway> enable
Gateway# configure terminal

Gateway(config)# interface FastEthernet0/0
Gateway(config-if)# ip nat inside
Gateway(config-if)# exit

Gateway(config)# interface FastEthernet0/1
Gateway(config-if)# ip nat outside
Gateway(config-if)# exit

Gateway(config)# access-list 1 permit 172.16.0.0 0.0.0.255
Gateway(config)# ip nat inside source list 1 interface FastEthernet0/1 overload
Gateway(config)# end

Command Breakdown

| Command | Description |
|---|---|
| access-list 1 permit 172.16.0.0 0.0.0.255 | Identifies inside devices that are allowed to use PAT. |
| interface FastEthernet0/1 | Uses the public IP address assigned to Fa0/1. |
| overload | Enables port-based sharing so many inside hosts can use one public IP. |

Expected Output After Multiple Devices Access Outside

Gateway# show ip nat translations
Pro  Inside global         Inside local        Outside local      Outside global
tcp  50.199.145.1:1025     172.16.0.6:1025     200.0.0.1:80       200.0.0.1:80
tcp  50.199.145.1:1026     172.16.0.5:1026     200.0.0.1:80       200.0.0.1:80
icmp 50.199.145.1:3        172.16.0.6:3        200.0.0.1:3        200.0.0.1:3

Output Description

| What You See | What It Means |
|---|---|
| 50.199.145.1:1025 | The public IP plus port number used to represent PC0. |
| 172.16.0.6:1025 | The real inside device and its original port/session ID. |
| 50.199.145.1:1026 | Same public IP, different port, representing another inside session. |
| 200.0.0.1:80 | External web server being accessed using HTTP. |
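
The port tracking described in this section, modelled as an added Python example (not part of the original tutorial and not a description of IOS internals). The class name `PatTable`, its methods, and the rule "keep the host's source port if it is free, otherwise take the next free one" are assumptions of this model; it shows two inside hosts that pick the same source port, and what happens to outside packets that match no session.

```python
from dataclasses import dataclass, field
from itertools import chain


@dataclass
class PatTable:
    public_ip: str = "50.199.145.1"              # Gateway Fa0/1 in this tutorial
    by_flow: dict = field(default_factory=dict)  # (proto, inside, outside) -> public port
    by_port: dict = field(default_factory=dict)  # (proto, public port) -> (inside, outside)

    def _pick_port(self, proto, wanted):
        # Assumed allocation rule: keep the source port when free, else next free one.
        for port in chain(range(wanted, 65536), range(1024, wanted)):
            if (proto, port) not in self.by_port:
                return port
        raise RuntimeError(f"no free {proto} ports left on {self.public_ip}")

    def outbound(self, proto, inside, outside):
        """Inside host sends to an outside host: create or reuse a translation."""
        flow = (proto, inside, outside)
        if flow not in self.by_flow:
            port = self._pick_port(proto, inside[1])
            self.by_flow[flow] = port
            self.by_port[(proto, port)] = (inside, outside)
        return (self.public_ip, self.by_flow[flow])

    def inbound(self, proto, outside, public_port):
        """Packet arrives for public_ip:public_port; return inside endpoint or None."""
        entry = self.by_port.get((proto, public_port))
        if entry is None or entry[1] != outside:
            return None                          # no session: nothing to translate to
        return entry[0]


def demo():
    nat = PatTable()
    web = ("200.0.0.1", 80)                      # External Web Server
    pc0 = nat.outbound("tcp", ("172.16.0.6", 1025), web)
    srv = nat.outbound("tcp", ("172.16.0.5", 1025), web)   # same source port as PC0
    return {
        "pc0": pc0,                              # keeps port 1025
        "srv": srv,                              # moved to 1026 to stay unique
        "reply_to_srv": nat.inbound("tcp", web, srv[1]),
        "other_sender": nat.inbound("tcp", ("180.0.0.2", 50000), 1025),
        "no_entry": nat.inbound("tcp", web, 8080),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:13} {value}")
```
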

8. Static PAT / Port Forwarding

Static PAT maps a public IP and port to a private IP and port. This is commonly called port forwarding.

Use Static PAT when: outside users need to access a specific internal service, such as a web server, while you still use one public IP.

Goal

Allow outside users to access the Internal Web Server 172.16.0.5 using public address 50.199.145.1 on TCP port 80.

Gateway> enable
Gateway# configure terminal

Gateway(config)# interface FastEthernet0/0
Gateway(config-if)# ip nat inside
Gateway(config-if)# exit

Gateway(config)# interface FastEthernet0/1
Gateway(config-if)# ip nat outside
Gateway(config-if)# exit

Gateway(config)# ip nat inside source static tcp 172.16.0.5 80 50.199.145.1 80
Gateway(config)# end

Expected Output

Gateway# show ip nat translations
Pro  Inside global         Inside local        Outside local      Outside global
tcp  50.199.145.1:80       172.16.0.5:80       ---                ---

Output Description

This means that traffic arriving at 50.199.145.1 on TCP port 80 will be forwarded to the internal web server 172.16.0.5 on TCP port 80.

9. How to Test NAT Configuration

After configuring NAT, students should test in a predictable order. Do not start with debug. First confirm basic connectivity, then confirm NAT translations, then troubleshoot.

Testing Process Overview

  1. Verify interface status.
  2. Verify default gateway settings on end devices.
  3. Verify routing between Gateway and ISP.
  4. Generate traffic from the inside network to the outside network.
  5. Check the NAT translation table.
  6. Check NAT statistics.
  7. Use debug only if the previous steps do not explain the problem.

Step 1: Verify Gateway Interfaces Are Up

Gateway# show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        172.16.0.1      YES manual up                    up
FastEthernet0/1        50.199.145.1    YES manual up                    up

What to look for: Both interfaces should show up/up. If an interface is administratively down, use no shutdown.

Step 2: Test Local LAN Connectivity

From PC0, ping the Gateway LAN interface.

PC0> ping 172.16.0.1

Expected result: The ping should succeed. If it fails, check PC0 IP address, subnet mask, default gateway, switch cabling, and Gateway Fa0/0.

Step 3: Test Gateway to ISP Connectivity

Gateway# ping 50.199.145.6

Expected result: The ping should succeed. This confirms the Gateway can reach the ISP router on the public link.

Step 4: Verify the Default Route

Gateway# show ip route
Gateway of last resort is 50.199.145.6 to network 0.0.0.0

S* 0.0.0.0/0 [1/0] via 50.199.145.6

What to look for: The default route should point to 50.199.145.6. Without this route, the Gateway may not know how to send traffic to outside networks.

Step 5: Generate Inside-to-Outside Traffic

From PC0, ping the External Web Server.

PC0> ping 200.0.0.1

You can also test HTTP if the external server has web services enabled:

PC0 Browser: http://200.0.0.1

Step 6: Check NAT Translations

Gateway# show ip nat translations
Pro  Inside global         Inside local        Outside local      Outside global
icmp 50.199.145.1:3        172.16.0.6:3        200.0.0.1:3        200.0.0.1:3

What this proves: PC0’s private address 172.16.0.6 was translated to the public address 50.199.145.1.

Step 7: Check NAT Statistics

Gateway# show ip nat statistics
Total active translations: 1 (0 static, 1 dynamic; 1 extended)
Outside interfaces:
  FastEthernet0/1
Inside interfaces:
  FastEthernet0/0
Hits: 8  Misses: 1

What this proves: The router knows which interfaces are inside and outside, and NAT traffic is being matched.

Step 8: Test Static NAT From Outside

If Static NAT maps 172.16.0.5 to 50.199.145.1, test from the External Web Server or ISP side:

ExternalWebServer> ping 50.199.145.1
ExternalWebServer Browser: http://50.199.145.1

Expected result: Traffic should reach the Internal Web Server at 172.16.0.5.

Step 9: Test Static PAT / Port Forwarding

If Static PAT forwards 50.199.145.1:80 to 172.16.0.5:80, test from outside:

ExternalWebServer Browser: http://50.199.145.1

Expected result: The outside client should reach the Internal Web Server web page.

Step 10: Use Debug Only When Needed

Gateway# debug ip nat
NAT: s=172.16.0.6->50.199.145.1, d=200.0.0.1 [45]
NAT*: s=200.0.0.1, d=50.199.145.1->172.16.0.6 [46]
Gateway# undebug all

What this proves: The first line shows outbound translation. The second line shows return traffic being translated back to the inside local address.

Important: Always turn off debugging with undebug all after testing.

9. Verification Commands and Output Explanations

A. show ip nat translations

Gateway# show ip nat translations
Pro  Inside global         Inside local        Outside local      Outside global
tcp  50.199.145.1:1025     172.16.0.6:1025     200.0.0.1:80       200.0.0.1:80

Purpose: Shows active NAT translations.

| Column | Description |
|---|---|
| Pro | Protocol being translated: TCP, UDP, ICMP, or static entry. |
| Inside global | The public address representing the inside device. |
| Inside local | The real private address of the inside device. |
| Outside local | How the outside device appears to the inside network. |
| Outside global | The real address of the outside device. |
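
An added example, not from the original tutorial, that parses `show ip nat translations` text into records and lists the mappings that exist without an outside peer, which shows at a glance what the Gateway publishes to the outside. The sample text is constructed from rows shown in this tutorial, and the labels `session`, `static-pat` and `one-to-one` are this example's own names; a `---` row looks the same for static NAT and for a dynamic pool entry, so `one-to-one` covers both.

```python
PROTOCOLS = {"tcp", "udp", "icmp", "---"}

# Constructed sample: rows combined from the outputs shown in this tutorial.
SAMPLE = """\
Gateway# show ip nat translations
Pro  Inside global         Inside local        Outside local      Outside global
tcp  50.199.145.1:1025     172.16.0.6:1025     200.0.0.1:80       200.0.0.1:80
icmp 50.199.145.1:3        172.16.0.6:3        200.0.0.1:3        200.0.0.1:3
tcp  50.199.145.1:80       172.16.0.5:80       ---                ---
---  50.199.145.1          172.16.0.5          ---                ---
"""


def endpoint(text):
    """'50.199.145.1:80' -> (ip, 80); a bare IP -> (ip, None); '---' -> None."""
    if text == "---":
        return None
    ip, _, port = text.partition(":")
    return (ip, int(port) if port else None)


def parse_translations(output):
    entries = []
    for line in output.splitlines():
        cols = line.split()
        # Data rows have five columns and start with a protocol or '---';
        # this skips the prompt line, the header and blank lines.
        if len(cols) != 5 or cols[0] not in PROTOCOLS:
            continue
        proto = None if cols[0] == "---" else cols[0]
        in_global, in_local, _out_local, out_global = map(endpoint, cols[1:])
        if proto is None:
            kind = "one-to-one"    # whole address mapped (static NAT or pool entry)
        elif out_global is None:
            kind = "static-pat"    # one protocol/port published, no peer recorded
        else:
            kind = "session"       # created by traffic between two endpoints
        entries.append({"proto": proto, "kind": kind, "inside_global": in_global,
                        "inside_local": in_local, "outside_global": out_global})
    return entries


def published(entries):
    """Mappings not tied to an outside peer: (public IP, scope, inside host)."""
    result = []
    for e in entries:
        if e["kind"] == "session":
            continue
        ip, port = e["inside_global"]
        scope = f"{e['proto']}/{port}" if e["kind"] == "static-pat" else "all ports"
        result.append((ip, scope, e["inside_local"][0]))
    return result


if __name__ == "__main__":
    for row in published(parse_translations(SAMPLE)):
        print(row)
```
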

B. show ip nat statistics

Gateway# show ip nat statistics
Total active translations: 3 (1 static, 2 dynamic; 2 extended)
Outside interfaces:
  FastEthernet0/1
Inside interfaces:
  FastEthernet0/0
Hits: 24  Misses: 2
Expired translations: 4
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 1 interface FastEthernet0/1 refcount 2

Output Description

| Line | Meaning |
|---|---|
| Total active translations | Number of current NAT entries. |
| Outside interfaces | Interfaces marked with ip nat outside. |
| Inside interfaces | Interfaces marked with ip nat inside. |
| Hits | Packets that successfully matched an existing NAT translation. |
| Misses | Packets that did not match an existing translation and may need a new one. |
| Dynamic mappings | Shows ACLs, pools, or overload interfaces used for NAT. |

C. debug ip nat

Gateway# debug ip nat
NAT: s=172.16.0.6->50.199.145.1, d=200.0.0.1 [45]
NAT*: s=200.0.0.1, d=50.199.145.1->172.16.0.6 [46]

Output Description

  • s=172.16.0.6->50.199.145.1 means the source IP was translated from private to public.
  • d=50.199.145.1->172.16.0.6 means return traffic destination was translated back to the private host.
  • The number in brackets is an internal packet/session reference.

Warning: Debug commands can use router CPU. In a real network, use debug carefully and turn it off with undebug all or u all.

D. Other Useful Verification Commands

| Command | Purpose |
|---|---|
| show running-config \| include nat | Shows NAT-related commands in the configuration. |
| show running-config interface fa0/0 | Confirms inside interface settings. |
| show running-config interface fa0/1 | Confirms outside interface settings. |
| show access-lists | Verifies ACL matches used by dynamic NAT or PAT. |
| show ip route | Confirms the router knows where to send traffic. |
| ping 200.0.0.1 | Tests reachability to the external web server. |
| traceroute 200.0.0.1 | Shows the path traffic takes toward the outside network. |

10. Troubleshooting NAT

Common Problem 1: No NAT Translations Appear

Gateway# show ip nat translations
Gateway#

Possible causes:

  • No traffic has been generated yet.
  • The ACL does not match the inside network.
  • ip nat inside or ip nat outside is missing.
  • Routing is broken.

Fix:

Gateway# show running-config | include ip nat
Gateway# show access-lists
Gateway# show ip route
Gateway# ping 200.0.0.1

Common Problem 2: ACL Does Not Match

Wrong ACL example:

Gateway(config)# access-list 1 permit 172.16.1.0 0.0.0.255

This does not match your LAN because your LAN is 172.16.0.0/24.

Correct ACL:

Gateway(config)# access-list 1 permit 172.16.0.0 0.0.0.255

Common Problem 3: Inside and Outside Interfaces Are Reversed

If Fa0/0 and Fa0/1 are labeled incorrectly, NAT will not work correctly.

Correct:

Gateway(config)# interface fa0/0
Gateway(config-if)# ip nat inside

Gateway(config)# interface fa0/1
Gateway(config-if)# ip nat outside

Common Problem 4: Missing Default Route

The Gateway router needs a default route pointing to the ISP.

Gateway(config)# ip route 0.0.0.0 0.0.0.0 50.199.145.6

Common Problem 5: Dynamic NAT Pool Exhaustion

If all pool addresses are in use, new hosts cannot be translated.

NAT: translation failed (E), dropping packet s=172.16.0.20 d=200.0.0.1

Fix: Use PAT overload or increase the public address pool.

Common Problem 6: Stale Translations

Gateway# clear ip nat translation *

This clears dynamic NAT entries. Static NAT entries remain because they are permanent configuration entries.
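
Common Problems 1 to 4 can also be checked offline against a saved configuration. The following Python check is an added example, not part of the original tutorial; the function names and finding codes are hypothetical, and both configuration excerpts are constructed from the commands used in this tutorial.

```python
import ipaddress
import re

# Constructed excerpt: the Gateway settings as configured in sections 4 and 7.
WORKING = """\
interface FastEthernet0/0
 ip address 172.16.0.1 255.255.255.0
 ip nat inside
interface FastEthernet0/1
 ip address 50.199.145.1 255.255.255.248
 ip nat outside
access-list 1 permit 172.16.0.0 0.0.0.255
ip nat inside source list 1 interface FastEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 50.199.145.6
"""
# Constructed excerpt with Common Problems 2, 3 and 4 introduced on purpose.
BROKEN = """\
interface FastEthernet0/0
 ip address 172.16.0.1 255.255.255.0
 ip nat outside
interface FastEthernet0/1
 ip address 50.199.145.1 255.255.255.248
 ip nat inside
access-list 1 permit 172.16.1.0 0.0.0.255
ip nat inside source list 1 interface FastEthernet0/1 overload
"""


def acl_permits(entries, addr):
    """Standard ACL logic: first matching entry wins, implicit deny at the end."""
    target = int(ipaddress.ip_address(addr))
    for action, base, wildcard in entries:
        care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF  # 1 bits must match
        if (target ^ int(ipaddress.ip_address(base))) & care == 0:
            return action == "permit"
    return False


def audit_nat(config, lan):
    """Return finding codes for Common Problems 1-4 in a running-config excerpt."""
    lan = ipaddress.ip_network(lan)
    ifaces, acls, nat_lists, has_default, current = {}, {}, [], False, None
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.match(r"interface (\S+)", line):
            current = ifaces.setdefault(m[1], {"net": None, "nat": None})
        elif (m := re.match(r"ip address (\S+) (\S+)", line)) and current is not None:
            current["net"] = ipaddress.ip_interface(f"{m[1]}/{m[2]}").network
        elif (m := re.match(r"ip nat (inside|outside)$", line)) and current is not None:
            current["nat"] = m[1]
        elif m := re.match(r"access-list (\d+) (permit|deny) (\S+) (\S+)", line):
            acls.setdefault(m[1], []).append((m[2], m[3], m[4]))
        elif m := re.match(r"ip nat inside source list (\d+) ", line):
            nat_lists.append(m[1])
        elif re.match(r"ip route 0\.0\.0\.0 0\.0\.0\.0 \S+", line):
            has_default = True
    roles = {i["nat"] for i in ifaces.values()}
    findings = [f"missing-{r}" for r in ("inside", "outside") if r not in roles]
    if any(i["net"] == lan and i["nat"] == "outside" for i in ifaces.values()):
        findings.append("reversed")              # LAN interface marked as outside
    for number in nat_lists:
        if not all(acl_permits(acls.get(number, []), h) for h in lan.hosts()):
            findings.append(f"acl-{number}-misses-lan")
    if not has_default:
        findings.append("no-default-route")
    return findings
```

Calling `audit_nat(BROKEN, "172.16.0.0/24")` reports the reversed interfaces, the ACL that misses the LAN, and the missing default route; the working excerpt returns an empty list.
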

11. NAT Configuration Process Students Can Follow

Step 1: Identify inside and outside networks

Inside is usually the private LAN. Outside is usually the ISP or Internet-facing interface.

Step 2: Configure interface IP addresses

Make sure the router can reach the LAN and the ISP before adding NAT.

Step 3: Add a default route

The Gateway router must know where to send unknown outside traffic.

Step 4: Mark NAT interfaces

interface fa0/0
 ip nat inside
interface fa0/1
 ip nat outside

Step 5: Choose the NAT type

| Need | Use |
|---|---|
| One internal server needs one permanent public IP | Static NAT |
| Inside users borrow public IPs from a pool | Dynamic NAT |
| Many inside users share one public IP | PAT / NAT Overload |
| Outside users access one inside service by port | Static PAT / Port Forwarding |

Step 6: Test traffic

Generate traffic from an inside host to the outside server, such as ping 200.0.0.1 or browsing to the web server.

Step 7: Verify NAT

show ip nat translations
show ip nat statistics
show access-lists
show ip route

Step 8: Troubleshoot systematically

Check interfaces, ACLs, routes, NAT rules, and then use debug only when needed.

12. Quick Reference Summary

| Task | Command |
|---|---|
| Mark inside interface | ip nat inside |
| Mark outside interface | ip nat outside |
| Static NAT | ip nat inside source static 172.16.0.5 50.199.145.1 |
| Dynamic NAT pool | ip nat pool PUBLIC_POOL 50.199.145.1 50.199.145.5 netmask 255.255.255.248 |
| PAT overload | ip nat inside source list 1 interface fa0/1 overload |
| Static PAT | ip nat inside source static tcp 172.16.0.5 80 50.199.145.1 80 |
| Show translations | show ip nat translations |
| Show statistics | show ip nat statistics |
| Debug NAT | debug ip nat |