Static NAT 1

By certskills April 22, 2016 09:05

Static NAT matches a single inside local address with a single inside global address. It does not conserve addresses, but it does let you make a server reachable to external devices with a permanent address to use with the static NAT entry. This lab asks you to configure static NAT for a small set of servers that need to be made available to users in the Internet.


Configure static Network Address Translation (NAT) on R1 for devices S1, S2, and S3. The specific rules for this lab are:

  • Configure S1 to use the as an inside global address
  • Configure S2 to use the as an inside global address
  • Configure S3 to use the as an inside global address
  • Use static routes so that R2 can forward packets back to these inside global addresses through a route for subnet
  • Assume all router interfaces shown in the lab are up, working, and configured with IP addresses


Figure 1: Static NAT Topology

Initial Configuration

Example 1 and 2 show the beginning configuration state of R1 and R2.

Example 1: R1 Config

Example 2: R2 Config


Answer on Paper, or Maybe Test in Lab

Next, write your answer on paper. Or if you have some real gear or other tools, configure the lab using them.

To test your solution if you happen to try it with VIRL or real gear, you can verify the NAT configuration by checking the reachability of S1, S2 and S3 from R2 or vice versa. For instance, from R2, try the ping command, pinging S1’s inside global address, which tests the static NAT configuration. Again from R2, you could connect to a server with SSH using the ssh -l cisco global-inside-address command. Or, from the servers, try to ping R2, or Telnet/SSH to R2.

Do this Lab with Cisco’s VIRL

You can do these labs on paper and still get a lot out of the lab. As an extra help, we have added files for the Virtual Internet Routing Lab (VIRL) software as well. The .VIRL file found here is a file that when used with VIRL will load a lab topology similar to this lab’s topology, with the initial configuration shown in the lab as well. This section lists any differences between the lab exercise and the .VIRL file’s topology and configuration.

Download this lab’s VIRL file!

All interfaces in topology match the lab figure.

Network Device Info:

The switch used in the lab is an unmanaged switch.

Host device info:

This table lists host information pre-configured in VIRL, information that might not be required by the lab but may be useful to you.


IP Address








Handy Host Commands:

To see PC IP address: ifconfig eth1

Ping example: ping -c 4

Trace example: tracepath

To connect to another node within the topology: telnet

Answers: Remote DHCP Server 1
Answers: Static NAT 1
By certskills April 22, 2016 09:05
Write a comment


  1. Wieslaw December 1, 21:32

    I do not understand why in this exercise 3 inside global addresses are from Private Address Space. RFC 1918 to Those addresses cannot be used in the internet. Does it mean after R2 another NAT is required…? In my understanding NAT server is placed just between private @ and internet. ip nat outside should be configured on the router interface directly connected to the internet.

    Reply to this comment
    • CCENTSkills December 18, 10:27

      Hi Wieslaw,
      I agree that is is popular to use NAT between a company’s private IP address space and the Internet as you describe. But NAT as a tool can be used anywhere. In this exercise, I just happened to use privates on both sides. It doesn’t affect the NAT logic, but I agree it may be confusing if all the examples you ever see show privates as the local addresses and publics as the global addresses.

      If you substitute 172.16 for say 172.15, and make that link between the two routers use some other public address space, I think the exercise would fit your expectations a little better – feel free to do so if that helps.

      Reply to this comment
  2. RN March 6, 17:36

    Hello Wendell,

    Its seems that the NW is redundant.

    Am I right?



    Reply to this comment
    • CCENTSkills May 15, 13:11

      Yep, it is. It appears that I meant for that loopback to match the initial config, with IP address, so that the subnet used by NAT sits on the loopback interface. I’ll update the figure to match the config. Thanks!

      Reply to this comment
View comments

Write a comment

Comment; Identify w/ Social Media or Email


Subscribe to our mailing list and get interesting stuff and updates to your email inbox.

Thank you for subscribing.

Something went wrong.