Previously we learned the fundamentals and techniques of NAT/PAT. Now we will test that knowledge with hands-on practice in a lab environment. As Cisco products are expensive and you may not have access to them in your home laboratory, I have created a lab in Packet Tracer that lets you configure NAT/PAT. Lab practice is very important both when you take your exam and when you enter the industry. I am hopeful this lab will allow you to get started in NAT/PAT configuration. So grab a cup of tea or coffee and start working with me as I examine the below scenario of NAT/PAT on a Cisco 2621 series router:

In the above scenario (Fig. 1), a company's internal network is connected to an ISP that has a connection to a web server (10.1.1.2 is the IP address of the web server, as shown in Figure 1; I have also included a Packet Tracer file for your practice). You have public IP addresses (a single IP address in the case of PAT) that are visible to the outside world. Your company will use network and port translation to supply IP translations to the hosts inside your network. You can use a browser on the PC to see this website via the ISP. Routing using EIGRP has already been set up for you, but you will need to configure static NAT and also dynamic NAT/PAT as described in the Packet Tracer file.

Remember you do not need to change any of the configurations on the ISP router nor on the web server.

Save your work regularly, both on the router and in the Packet Tracer application. I have no sympathy for people who ignore this and lose work. You should always remember this, because saving your work is just as important when you are working in the industry.

When setting up NAT/PAT on your router, you will need to decide which of the interfaces are inside the NAT/PAT scheme and which are outside it. You can think of NAT/PAT as an imaginary dividing line across your router.

Write down which of the interfaces on your Site A routers are inside the NAT scheme and which interface is outside the NAT scheme.

The first step is to visit each interface and mark it as either ip nat outside or ip nat inside, as follows:

interface FastEthernet0/0

ip nat inside

You do not need to change any other interface details. Do this for each of your interfaces according to whether they are inside or outside the NAT scheme.

You will now need to define access list entries that identify the traffic that will cross the NAT/PAT boundary. (ACLs permitting the internal networks are only needed for dynamic NAT/PAT; they are not necessary for static NAT.)

Two access list entries are required, one for each of the two LAN address ranges.

Type the following:

access-list 10 permit 192.168.1.0 0.0.0.255

access-list 10 permit 192.168.2.0 0.0.0.255

The last step is to apply the addresses that you wish to cross the boundary to the serial interface.

Type the following:

ip nat inside source list 10 interface serial 1/0 overload

This command takes the addresses defined in access-list 10 above (the source list 10 part of the command) and applies them to the serial 1/0 interface.

The keyword overload tells the router to allow more than one inside address to share the address that is configured on the serial interface itself.

If you have typed all of the configurations correctly, you have set up NAT/PAT and have finished this part of the lab.
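To make the effect of access-list 10 and the overload keyword concrete, the following added Python model (not part of the original lab or of Cisco IOS) shows which sources are selected for translation and how they share one outside address. The outside address 203.0.113.1, the sample host addresses and the port-picking rule are assumptions made for the illustration.

```python
import ipaddress

# access-list 10 from the lab, as (network, wildcard mask) pairs.
ACL_10 = [("192.168.1.0", "0.0.0.255"), ("192.168.2.0", "0.0.0.255")]
OUTSIDE_IP = "203.0.113.1"  # assumption: placeholder, the serial 1/0 address is not given


def acl_permits(src, acl=ACL_10):
    """Wildcard match: bits that are 0 in the wildcard must equal the ACL network."""
    addr = int(ipaddress.IPv4Address(src))
    for net, wildcard in acl:
        care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
        if addr & care == int(ipaddress.IPv4Address(net)) & care:
            return True
    return False  # implicit deny at the end of every ACL


class PatTable:
    """Simplified model of 'ip nat inside source list 10 interface serial 1/0 overload'."""
    def __init__(self, outside_ip=OUTSIDE_IP):
        self.outside_ip = outside_ip
        self.entries = {}        # flow -> port used on the shared outside address
        self.used_ports = set()  # (protocol, port) pairs already taken

    def translate(self, proto, src_ip, src_port, dst_ip, dst_port):
        if not acl_permits(src_ip):
            return None  # source not matched by list 10: no translation is created
        flow = (proto, src_ip, src_port, dst_ip, dst_port)
        if flow not in self.entries:
            port = src_port  # simplification: keep the port if free, else take the next
            while (proto, port) in self.used_ports:
                port = port + 1 if port < 65535 else 1024
            self.used_ports.add((proto, port))
            self.entries[flow] = port
        return (self.outside_ip, self.entries[flow])

    def rows(self):
        """(Pro, Inside global, Inside local, Outside local, Outside global) per entry."""
        return [(p, f"{self.outside_ip}:{g}", f"{s}:{sp}", f"{d}:{dp}", f"{d}:{dp}")
                for (p, s, sp, d, dp), g in self.entries.items()]


if __name__ == "__main__":
    table = PatTable()
    # Constructed sample flows: one host on each LAN, both using source port 1025.
    table.translate("tcp", "192.168.1.10", 1025, "10.1.1.2", 80)
    table.translate("tcp", "192.168.2.10", 1025, "10.1.1.2", 80)
    for row in table.rows():
        print(*row)
```

Both hosts leave with the same outside address and are told apart only by port, while a source outside the two permitted ranges gets no entry at all.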

Verifying NAT/PAT

To test whether the address translation is actually taking place, you will need to use one of the PCs to communicate with a computer outside your network.

Go to a PC and visit the Desktop, Command Prompt and type ping 10.1.1.2

If this is successful, go to the CLI of your gateway router and type the following command:

SiteA# show ip nat translations



The output above shows the Inside local address that has been translated and the port that was associated with the application.



The outside global address is the address carried across the outside network and the port associated with it.

Further Testing

Go to the CLI of your gateway router and type the following command:

clear ip nat translation *



Now use the browser on one of the PCs to open the page located at 10.1.1.2 (the address of the web server). In my case, I use Host1A to ping 10.1.1.2.

If this is successful, go to the CLI of your gateway router and type the following command:

show ip nat translations

This should give output similar to that shown below:

Packet Tracer 5.x was used to carry out this work, so thanks to the Packet Tracer development team at Cisco. You can use any Packet Tracer version 5 or above. For clarification on how to perform NAT/PAT, please read my article on NAT/PAT, or you can write to me in the comments section.