Lab 23: Static NAT — Publishing an Internal Server
PAT gets insiders out; static NAT lets outsiders IN — a permanent one-to-one mapping that publishes your internal web server on a public address. Difficulty: Intermediate · Time: ~25 min.
Lab objectives
- Create a one-to-one static NAT mapping
- Mark inside/outside interfaces
- Reach the internal server from the outside PC
- Read the permanent translation entry
Topology & addressing
R1: inside 192.168.1.0/24 (web server at .10), outside link 203.0.113.0/30 toward an ISP router with an external test PC beyond. Public address for the server: 203.0.113.10.
Step-by-step configuration
interface gi0/0 → ip nat insideinterface gi0/1 → ip nat outside | Role-mark the interfaces |
ip nat inside source static 192.168.1.10 203.0.113.10 | The one-to-one publication |
| (ISP/outside needs a route toward 203.0.113.10) | Public IP must be reachable from outside |
Verification
From the OUTSIDE PC, browse http://203.0.113.10 — the internal server's page loads. show ip nat translations shows the static entry permanently present (unlike PAT's come-and-go rows), plus per-session lines during access. That mapping is exactly how real servers get published (minus a firewall you'd add in production).
Next lab: labs hub · test yourself: CCNA practice test.
Frequently asked questions
How is static NAT different from PAT?
Static is a fixed one-to-one mapping that also allows outside-initiated connections; PAT is many-to-one, outbound-initiated only.
Why does the static entry never disappear?
It's configuration, not session state — the translation exists permanently regardless of traffic.
Is static NAT alone safe for a real server?
No — pair it with ACL/firewall rules restricting which ports (e.g. only 80/443) can reach the published address.
Related articles
Want hands-on training?
Learn this on real Cisco lab devices with placement support at Attila Technologies, Ahmedabad.