Dynamic NAT, like static NAT, creates one-to-one mappings between addresses and therefore does not conserve IP addresses. The difference is that dynamic NAT maps a pool of inside global IP addresses to the inside local IP addresses identified by an access list. In other words, two sets of addresses are mapped to each other rather than individual address pairs, and the same inside local address will not necessarily map to the same inside global address every time. The configuration below should make these concepts clearer.
Here is a sample dynamic NAT configuration for the scenario in Figure 10-3.
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#ip nat pool MyPool 220.127.116.11 18.104.22.168 ?
netmask Specify the network mask
prefix-length Specify the prefix length
R1(config)#ip nat pool MyPool 22.214.171.124 126.96.36.199 netmask 255.255.255.0
R1(config)#access-list 1 permit host 192.168.1.2
R1(config)#access-list 1 permit host 192.168.1.3
R1(config)#access-list 1 permit host 192.168.1.4
R1(config)#ip nat inside source list 1 pool MyPool
R1(config-if)#ip address 192.168.1.1 255.255.255.0
R1(config-if)#ip nat inside
R1(config-if)#ip address 188.8.131.52 255.255.255.0
R1(config-if)#ip nat outside
There are three parts to the above configuration.
First, the command ip nat pool MyPool 184.108.40.206 220.127.116.11 netmask 255.255.255.0 creates a pool of inside global addresses from 18.104.22.168 to 22.214.171.124, a total of only 3 addresses, with a subnet mask of 255.255.255.0. Note that we chose MyPool as the NAT pool name, but this choice is arbitrary and the pool name can be anything you like, even your first name. Also note that a network mask has to be specified with the netmask keyword when defining a NAT pool.
Second, the access-list 1 commands create a standard access list matching the interesting traffic for address translation, in this case the IP addresses of the three inside hosts.
Third and last, the ip nat inside source list 1 pool MyPool command instructs the router to dynamically translate the source IP address of packets arriving on the inside interface that match access-list 1 to an address taken from the NAT pool named MyPool.
Let’s verify it now:
There is no output so far as there are no static mappings between inside local and inside global addresses. Let’s generate some traffic from each of the three inside hosts and run the show ip nat translations command again:
Pro  Inside global        Inside local       Outside local        Outside global
icmp 126.96.36.199:15     192.168.1.2:15     188.8.131.52:15      184.108.40.206:15
---  220.127.116.11       192.168.1.2        ---                  ---
icmp 18.104.22.168:16     192.168.1.3:16     22.214.171.124:16    126.96.36.199:16
---  188.8.131.52         192.168.1.3        ---                  ---
icmp 184.108.40.206:17    192.168.1.4:17     220.127.116.11:17    18.104.22.168:17
---  22.214.171.124       192.168.1.4        ---                  ---
Let’s issue the clear ip nat translations * command and view the translation table again:
R1#show ip nat translations
The translation table is now empty, because none of its entries were the result of a static mapping.
If you recall the chapter on access lists, access lists were presented as tools to match packets comprising interesting traffic. The access list here is likewise used to match interesting traffic, in this case traffic for address translation. It is not used for traffic filtering, because it was never applied to an interface with the ip access-group command.
Please keep in mind that both static and dynamic NAT create a one-to-one mapping between inside local and inside global addresses. The only difference is that for static NAT we must explicitly specify which inside local address maps to which inside global address, whereas for dynamic NAT we only create an access list to identify the inside local addresses and a pool to supply the inside global addresses. The actual mapping is performed dynamically as the router performing NAT receives interesting packets.
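The following is an added model of the behaviour described above (the pool, the access list, the one-to-one dynamic binding, and clearing the table); it is example code written for this page, not a router or vendor implementation. The pool addresses are constructed RFC 5737 sample values, and allocating the lowest free pool address is an assumption. It also shows what the text only implies: once all three pool addresses are bound, a fourth permitted host cannot be translated, and after clearing the table a host may receive a different inside global address than before.

```python
import ipaddress

# Constructed sample values (not the page's addresses): an RFC 5737 documentation
# range for the inside global pool, the page's 192.168.1.x hosts on the inside.
POOL_START, POOL_END, POOL_MASK = "203.0.113.1", "203.0.113.3", "255.255.255.0"
ACL_1 = {"192.168.1.2", "192.168.1.3", "192.168.1.4"}  # access-list 1 permit host ...


def make_pool(start, end, netmask):
    """Expand 'ip nat pool START END netmask MASK' into a list of inside global
    addresses; both ends must fall inside the subnet the netmask defines."""
    net = ipaddress.ip_network(f"{start}/{netmask}", strict=False)
    first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if last < first or last not in net:
        raise ValueError("pool range must be ordered and inside the netmask's subnet")
    return [str(ipaddress.ip_address(a)) for a in range(int(first), int(last) + 1)]


class DynamicNat:
    """One-to-one dynamic NAT: an inside local address permitted by the ACL is bound
    to the lowest free pool address (assumed allocation order) on its first packet."""

    def __init__(self, acl, pool):
        self.acl, self.pool, self.table = set(acl), list(pool), {}

    def translate(self, inside_local):
        """Inside global address used for a packet from inside_local, or None when
        no translation happens: an ACL miss goes out untranslated, while a permitted
        host that finds the pool exhausted has its packet dropped."""
        if inside_local not in self.acl:
            return None
        if inside_local in self.table:
            return self.table[inside_local]  # existing dynamic entry is reused
        free = [g for g in self.pool if g not in self.table.values()]
        if not free:
            return None  # pool exhausted: no address left to bind
        self.table[inside_local] = free[0]
        return free[0]

    def clear(self):
        """Equivalent of 'clear ip nat translations *'."""
        self.table.clear()

    def show(self):
        """(inside global, inside local) rows, like 'show ip nat translations'."""
        return [(g, l) for l, g in sorted(self.table.items())]


if __name__ == "__main__":
    nat = DynamicNat(ACL_1, make_pool(POOL_START, POOL_END, POOL_MASK))
    for host in sorted(ACL_1):
        nat.translate(host)  # one packet from each inside host
    print(nat.show())
```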