Most likely, at least once, you have needed to open public access to a server sitting on a private range, behind a NAT router. When you needed it, you probably googled it and found a solution using a static (permanent) mapping between the public and the private IP addresses, configured with the NAT command: ip nat inside source static (…).

But there is also another way, this time using a dynamic mapping!

To illustrate, I will be using the following topology:


  1. Disabled HTTP & HTTPS on NATR1 router
  2. Enabled HTTP on WWW2 router; disabled HTTPS
  3. Enabled HTTPS on WWW1 router; disabled HTTP

The end result: Host1 and Host2 (or any other host) should be able to connect to ports 80 & 443; depending on which TCP port is requested, the connection should be automatically forwarded to the relevant server.

I will be using static NAT for connection on port 443, while using dynamic NAT to forward connections on port 80. Both will be implemented on the same router, namely, NATR1.

So, let’s get started …



When you set up a static translation, you are creating a static entry in the NAT table that maps a private IP to a public IP; the mapping looks like this: {(Private-IP/443), (Public-IP/any)}. This is how you achieve it:

1. Define your inside and outside interfaces:

interface FastEthernet0/0
 ip nat inside

interface FastEthernet0/1
 ip nat outside

2. Define the static NAT entry:

ip nat inside source static tcp 443 interface FastEthernet0/1 443

3. Testing:




With dynamic translation, there is slightly more configuration, but it involves similar steps to those above:

1. Define your inside and outside interfaces:

interface FastEthernet0/0
 ip nat inside

interface FastEthernet0/1
 ip nat outside

2. Define a NAT pool of internal IP addresses:

ip nat pool pool-NAT netmask type rotary

  1. It doesn’t matter that we are using a /24 mask, since the IP address range encompasses one address only; in fact, you are not allowed to use a host mask with this command.

  2. Also, you don’t have to use the rotary keyword; if you omit it, though, you will get a warning regarding unpredictable behavior.

3. Define an access-list matching on the public IPs and optionally, the port number:

access-list 120 permit tcp any host eq www

4. Define the dynamic entry:

ip nat inside destination list 120 pool pool-NAT

5. Testing:


This last scenario is very similar to the configuration you would apply for NAT load balancing; the biggest difference is that, for load balancing, the pool of private (inside) IP addresses has more than one IP address (see step 2 above).
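
To check what a configuration like the two above actually publishes to the outside, here is an added example (not from the original article) that parses a running-config for the static and dynamic inbound NAT rules shown here and lists each exposed address/port with its inside target. The sample config, every IP address in it, and the function name `inbound_exposures` are constructed for illustration.

```python
import re

# Constructed sample running-config; all addresses are made-up placeholders
# (RFC 1918 inside, RFC 5737 outside), not values from the article.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip nat inside
interface FastEthernet0/1
 ip nat outside
ip nat pool pool-NAT 10.0.0.2 10.0.0.2 netmask 255.255.255.0 type rotary
ip nat inside source static tcp 10.0.0.1 443 interface FastEthernet0/1 443
ip nat inside destination list 120 pool pool-NAT
access-list 120 permit tcp any host 192.0.2.1 eq www
"""

STATIC = re.compile(r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (?:interface )?(\S+) (\d+)")
POOL = re.compile(r"^ip nat pool (\S+) (\S+) (\S+) (?:netmask \S+|prefix-length \d+)( type rotary)?")
DEST = re.compile(r"^ip nat inside destination list (\S+) pool (\S+)")
ACL = re.compile(r"^access-list (\d+) permit (tcp|udp) any host (\S+)(?: eq (\S+))?")


def inbound_exposures(config):
    """Return one dict per inbound NAT rule: what is reachable from outside."""
    pools, acls, dests, found = {}, {}, [], []
    for line in map(str.strip, config.splitlines()):
        if m := STATIC.match(line):
            proto, inside, in_port, outside, out_port = m.groups()
            found.append({"kind": "static", "proto": proto, "outside": outside,
                          "port": out_port, "inside": inside, "inside_port": in_port})
        elif m := POOL.match(line):
            pools[m[1]] = {"range": (m[2], m[3]), "rotary": bool(m[4])}
        elif m := DEST.match(line):
            dests.append((m[1], m[2]))
        elif m := ACL.match(line):
            acls.setdefault(m[1], []).append((m[2], m[3], m[4] or "any"))
    # Resolve dynamic rules only after the whole config is read, since the
    # pool and access-list may appear after the rule that references them.
    for acl_id, pool_name in dests:
        pool = pools.get(pool_name)
        for proto, outside, port in acls.get(acl_id, []):
            found.append({"kind": "dynamic", "proto": proto, "outside": outside,
                          "port": port, "inside_range": pool["range"] if pool else None,
                          "rotary": bool(pool and pool["rotary"])})
    return found
```

Run it against a saved running-config and compare the result with the services you intend to publish. A dynamic rule whose port comes back as `any` means the access-list has no `eq` clause, so every TCP port on that public address is forwarded to the pool.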


Thank you,
View Rafael A Couto Cabral's profile on LinkedIn
