Answers: Interface PAT 1

By certskills June 29, 2016 09:10

#PAT configuration does not take a lot of configuration, but it can be easy to overlook the basics. Today’s post asks you to configure PAT, using a single global address (an interface address). The lab requirements are at this post; answers in this post.



Figure 1: PAT Topology (CL128.jpg)

 Example 3: R1 Config



There are a number of different ways to configure NAT including static NAT, dynamic NAT, and Port Address Translation (PAT). Static NAT is typically used for one-to-one translations from a specific inside address (called an inside local address) to an specific outside address (called an inside global address). Dynamic NAT is slightly different because the outside address to be used will be allocated from a configured pool, which address in the pool that will be used for a specific device is not specified. The third major type of NAT is called PAT (or NAT overload); this type of NAT can be configured either with a specific outside address or with a configured pool.

The difference between PAT and the other types is that the mapping is not one-to-one from an inside address to an outside address. With PAT, there is a many-to-one mapping between the inside local address and the inside global address by using unique TCP and UDP port numbers to decide where and how to translate the packets.

For this lab, you were tasked with configuring PAT using R1’s G0/2 interface IP address for translations and access list 1. The ACL should match only R1’s LAN connecting to S1, S2, and S3. Once this is configured, the last step is to configure a PAT statement to use R1’s G0/2 interface and the ACL to map entries from R1’s LAN to its interface IP address.

To begin, you have to determine which interface(s) connect to hosts inside the network, and which hosts connect to the outside network. For this lab, R1’s G0/1 interface is connected to S1, S2, and S3 and is considered the inside interface. To configure this, use the ip nat inside command while in interface configuration mode. R1’s G0/2 interface is connected to R2 and is considered the outside interface. To configure this, use the ip nat outside command while in interface configuration mode.

The second task to perform is to configure the ACL to match R1’s LAN connecting to S1, S2, and S3, all in subnet The global command access-list 1 permit configures the entire ACL.

The third and final task uses one long command that ties the ideas together. It ties packets entering source interfaces, to matching logic based on ACL 1, to the use of one inside global address (the address of the G0/2 interface), and to use PAT (overload). The command: ip nat inside source list 1 interface GigabitEthernet0/2 overload.

Also note that the requirements tell you to configure static routes on R2 as needed for the inside global addresses. In this case, the configuration uses a range of addresses that exist in the subnet between R1 and R2, so R2 already has a connected route that includes the addresses used by NAT. So there is no need for any additional static routes.

PPP over Ethernet 1
Answers: PPP over Ethernet 1
By certskills June 29, 2016 09:10
Write a comment


  1. Ruben December 13, 19:32

    Hello Wendell!
    I believe you forgot to input the answer for:
    “Configure static routes as needed on R2 so that R2 can forward packets back to these inside global addresses”

    To anyone reading, should be something like:
    ip route

    PS: As a joke for Wendell: I’m starting to see all the details! 🙂

    Reply to this comment
    • Ruben December 13, 20:02

      After solving all the other exercises in this chapter, I realize that this route, albeit correct, is not needed at all.
      So much for my attention to detail…
      Mr. Wendell, feel free to delete my comments if you believe they are error inducing for others to read!

      Reply to this comment
    • CCENTSkills December 14, 09:41


      Reply to this comment
  2. Sam October 3, 05:20

    I was just thinking about this and i saw your comment xD i noticed that in the debug log messages on R2 when i ping from one of the servers to R2, it shows the dst ip as that of R1’s outside address, as required in the lab. Anyways, i had configured the static route as asked, everything worked, but then i removed this static route and it sill worked. My question is, is it really required to configure this static route, or is it just for practice?
    Thanks, xD

    Reply to this comment
    • CCENTSkills October 3, 13:06

      Hi Sam,
      I agree you don’t need any such static route on R2 in this case. (See the last paragraph – I think that covered it?)

      Reply to this comment
View comments

Write a comment

Comment; Identify w/ Social Media or Email


Subscribe to our mailing list and get interesting stuff and updates to your email inbox.

Thank you for subscribing.

Something went wrong.