NAT Config Builder
Updated May 20, 2026
Select a NAT type, fill in your interfaces and addresses, and get a ready-to-paste Cisco IOS configuration block with a plain-English explanation of what the config does, what it does not do, common mistakes, and verification commands.
Supports Static NAT (one-to-one), Dynamic NAT (pool-based), and PAT/NAT Overload (many-to-one with port translation). Includes a NAT-T/IPsec guidance section with firewall requirements, DPD keepalive recommendations, and a quick checklist for allowing UDP/500, UDP/4500, and ESP. Configs are educational examples — review before applying to production.
Dynamic NAT maps a pool of private addresses to a pool of public addresses. A translation is created on demand when an inside host sends traffic out and is released after the idle timeout (24 h by default in IOS). Each pool address serves one inside host at a time, so once the pool is exhausted new outbound sessions are dropped (and counted as misses) until a translation times out; size the pool for the number of concurrently active hosts, or add overload (PAT) if that is not possible.
Diagram: Inside (Private) ‹network›/‹cidr› on GigabitEthernet0/0 → Dynamic NAT (many : many) → Outside (Public) NAT_POOL on GigabitEthernet0/1
Configuration Parameters
- Inside network: network address of the inside hosts, entered as CIDR so the netmask and the ACL wildcard mask are calculated automatically
- Pool start: first address in the public pool
- Pool end: last address in the public pool
- Inside interface → GigabitEthernet0/0
- Outside interface → GigabitEthernet0/1
Cisco IOS Configuration
! ── Access Control List ─────────────────────────────
access-list 1 permit ‹source-ip› ‹wildcard›
! ── NAT Pool ────────────────────────────────────────
ip nat pool NAT_POOL ‹start-ip› ‹end-ip› netmask ‹netmask›
! ── NAT Translation Rule ────────────────────────────
ip nat inside source list 1 pool NAT_POOL
! ── Interface Configuration ─────────────────────────
interface GigabitEthernet0/0
ip nat inside
interface GigabitEthernet0/1
ip nat outside
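The block above is a template; the masks it needs are the part people get wrong (the ACL takes a wildcard mask, the pool takes a netmask), and nothing in IOS warns you when the pool is far too small for the inside network. The following Python is an added example, not the page's own builder code: it derives both masks from the CIDR, checks the pool against its netmask and against the inside host count, and renders the same IOS block. It goes one step beyond the page's dynamic NAT case by exposing an `overload` switch that turns the pool into PAT. The addresses in the usage section are documentation ranges chosen for illustration.

```python
# Added example (not the page's own tool code): derive the masks the builder
# auto-calculates from CIDR, sanity-check the public pool, and render the
# dynamic NAT block. Sample addresses are RFC 1918 / RFC 5737 documentation values.
import ipaddress
from typing import Dict, Tuple


def masks_from_cidr(cidr: str) -> Tuple[str, str, str]:
    """Return (network, netmask, wildcard) for e.g. 192.168.10.0/24.

    A standard ACL takes a wildcard (inverted) mask, the NAT pool takes a
    netmask; swapping the two is a classic mistake that matches nothing.
    """
    net = ipaddress.IPv4Network(cidr, strict=True)
    return str(net.network_address), str(net.netmask), str(net.hostmask)


def check_pool(start: str, end: str, netmask: str, inside_cidr: str) -> Dict[str, object]:
    """Validate the pool before pasting; raise ValueError on a bad pool.

    Plain dynamic NAT holds one pool address per inside host while the
    translation is live (24 h idle timeout by default), so the ratio of
    inside hosts to pool addresses indicates how likely exhaustion is.
    """
    lo, hi = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    if lo > hi:
        raise ValueError("pool start must not exceed pool end")
    # IOS requires both pool boundaries to fall within the network implied by the netmask
    pool_net = ipaddress.IPv4Network(f"{start}/{netmask}", strict=False)
    if hi not in pool_net:
        raise ValueError(f"pool end {end} lies outside {pool_net} implied by netmask {netmask}")
    inside = ipaddress.IPv4Network(inside_cidr, strict=True)
    # Usable hosts: exclude network and broadcast addresses except for /31 and /32
    inside_hosts = inside.num_addresses - 2 if inside.prefixlen < 31 else inside.num_addresses
    pool_size = int(hi) - int(lo) + 1
    return {
        "pool_network": str(pool_net),
        "pool_size": pool_size,
        "inside_hosts": inside_hosts,
        "hosts_per_pool_address": round(inside_hosts / pool_size, 1),
    }


def pool_is_valid(start: str, end: str, netmask: str, inside_cidr: str) -> bool:
    """Boolean wrapper around check_pool() for callers that only need yes/no."""
    try:
        check_pool(start, end, netmask, inside_cidr)
        return True
    except ValueError:
        return False


def render_dynamic_nat(inside_cidr: str, pool_start: str, pool_end: str, pool_netmask: str,
                       inside_if: str = "GigabitEthernet0/0",
                       outside_if: str = "GigabitEthernet0/1",
                       acl: int = 1, pool_name: str = "NAT_POOL",
                       overload: bool = False) -> str:
    """Render the IOS block. overload=True turns it into PAT over the same pool,
    the usual fix when check_pool() shows heavy contention."""
    network, _, wildcard = masks_from_cidr(inside_cidr)
    check_pool(pool_start, pool_end, pool_netmask, inside_cidr)
    rule = f"ip nat inside source list {acl} pool {pool_name}"
    if overload:
        rule += " overload"
    return "\n".join([
        f"access-list {acl} permit {network} {wildcard}",
        f"ip nat pool {pool_name} {pool_start} {pool_end} netmask {pool_netmask}",
        rule,
        f"interface {inside_if}",
        " ip nat inside",
        f"interface {outside_if}",
        " ip nat outside",
    ])


if __name__ == "__main__":
    # Usage: a /24 of inside hosts behind a five-address pool (hypothetical values)
    print(check_pool("203.0.113.10", "203.0.113.14", "255.255.255.240", "192.168.10.0/24"))
    print(render_dynamic_nat("192.168.10.0/24", "203.0.113.10", "203.0.113.14", "255.255.255.240"))
```

With a /24 inside and a five-address pool the report shows roughly 51 inside hosts per pool address, which is the point at which plain dynamic NAT stops being a sensible choice and overload should be enabled.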
Verification & Troubleshooting Commands
show ip nat translations
View active translation table entries (inside local/global and outside local/global); show ip nat translations verbose adds creation time and the remaining idle timeout per entry
show ip nat statistics
View hit and miss counters, pool allocation, and which interfaces are marked inside and outside; misses climbing while the pool shows no free addresses means the pool is exhausted
show running-config | include nat
Show all NAT-related lines in the running config
clear ip nat translation *
Clear all dynamic translations (static entries are unaffected); live sessions re-translate and may land on a different pool address, so expect a brief disruption
debug ip nat
Enable real-time translation debugging; it is CPU-heavy on a busy router, so use with caution in production and turn it off with undebug all when finished
NAT Type Comparison
| Feature | Dynamic | Static | PAT |
|---|---|---|---|
| Mapping | Many → Many | One → One | Many → One |
| IP Conservation | Moderate | Poor (1:1 ratio) | Excellent |
| Typical Use | Medium offices, multiple public IPs | Servers, DMZ hosts | Small offices, home, most enterprises |
| Bidirectional | No (outbound-initiated) | Yes | No (outbound-initiated) |
| Port Remapping | No | No | Yes |
| Translation Lifetime | Idle timeout (default 24 h) | Permanent | Idle timeout (varies by protocol) |
NAT-T / IPsec Traversal Guidance
When an IPsec peer sits behind a NAT device, NAT Traversal (NAT-T) is needed: the NAT rewrites the outer IP header, which breaks AH outright, and ESP carries no port numbers, so a NAT cannot reliably map several inside hosts. NAT-T solves this by encapsulating ESP in UDP on port 4500 (RFC 3948); IKEv1 negotiates it as described in RFC 3947, while IKEv2 has NAT detection built into the protocol (RFC 7296).
| Requirement | Why |
|---|---|
| Allow UDP/500 (IKE) | The first IKE messages (IKEv1 Main or Aggressive Mode, IKEv2 IKE_SA_INIT) use this port; NAT detection happens inside them |
| Allow UDP/4500 (NAT-T) | Once a NAT is detected, IKE moves to UDP/4500 (each message prefixed with a 4-byte non-ESP marker) and ESP is encapsulated in UDP/4500 |
| Allow ESP (IP protocol 50) | Used when no NAT is detected; NAT-T encapsulates ESP in UDP only when a NAT is present, so allow ESP as well unless every peer is known to be NATed |
| Confirm peer supports NAT-T | IKEv1: both sides send the RFC 3947 Vendor ID in the first two Main Mode messages, then exchange NAT-D payloads to locate the NAT. IKEv2: NAT detection is part of the base protocol, via NAT_DETECTION_SOURCE_IP and NAT_DETECTION_DESTINATION_IP notifications in IKE_SA_INIT |
| Check for double NAT / CGNAT | Each additional NAT layer has its own UDP mapping timer and port allocation; the shortest timer wins, and a mapping that expires mid-session silently drops traffic |
| Enable NAT keepalives (≤ 20 s) and DPD | These are two different mechanisms. NAT keepalives (RFC 3948: a single 0xFF byte sent to UDP/4500; on IOS, crypto isakmp nat keepalive ‹seconds›, disabled unless configured) refresh the NAT mapping so it does not expire silently. DPD (crypto isakmp keepalive) detects a dead peer; it does not keep the mapping alive on its own |
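The UDP/4500 row above says that IKE and ESP both end up on one UDP port after NAT detection, and the keepalive row adds a third kind of datagram to the same port. A NAT-T-aware IPsec stack, or a protocol-aware firewall inspecting that port, has to tell the three apart, and RFC 3948 makes that possible with a single rule: an ESP SPI of zero is reserved, so four leading zero bytes can only be the non-ESP marker in front of an IKE header, and a lone 0xFF byte is a keepalive. The Python below is an added example (not the page's code and not from any vendor) that implements that demultiplexing; the test vectors are constructed by hand, not captured traffic.

```python
# Added example (not from the page or any vendor): demultiplex datagrams on
# UDP/4500 as RFC 3948 requires. The vectors in sample_datagrams() are
# constructed by hand, not captured from real traffic.
import struct
from dataclasses import dataclass
from typing import Dict, Optional

NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948 s2.2: marks an IKE message on UDP/4500
NAT_KEEPALIVE = b"\xff"               # RFC 3948 s2.3: one-octet payload, receiver discards it
IKE_HEADER_LEN = 28                   # SPIs (16) + next payload, version, exchange, flags (4) + msg id (4) + length (4)


@dataclass
class Classified:
    kind: str            # "ike", "esp", "keepalive" or "invalid"
    spi: Optional[int]   # ESP SPI when kind == "esp"
    detail: str


def classify_udp4500(payload: bytes) -> Classified:
    """Decide what a UDP/4500 payload is.

    Order matters: the one-byte keepalive first, then the non-ESP marker
    (which an ESP packet can never start with because SPI 0 is reserved),
    and everything else is UDP-encapsulated ESP.
    """
    if payload == NAT_KEEPALIVE:
        return Classified("keepalive", None, "NAT keepalive: refreshes the UDP mapping, carries no data")
    if len(payload) < 4:
        return Classified("invalid", None, "shorter than a marker or an SPI")
    if payload[:4] == NON_ESP_MARKER:
        ike = payload[4:]
        if len(ike) < IKE_HEADER_LEN:
            return Classified("invalid", None, "non-ESP marker but truncated IKE header")
        major = ike[17] >> 4          # version octet: 0x10 = IKEv1, 0x20 = IKEv2
        exchange_type = ike[18]
        return Classified("ike", None, f"IKEv{major} message, exchange type {exchange_type}")
    if len(payload) < 8:
        return Classified("invalid", None, "ESP header needs SPI and sequence number")
    # ESP header per RFC 4303: 32-bit SPI followed by 32-bit sequence number
    spi, seq = struct.unpack("!II", payload[:8])
    return Classified("esp", spi, f"UDP-encapsulated ESP, SPI 0x{spi:08x}, seq {seq}")


def sample_datagrams() -> Dict[str, bytes]:
    """Constructed vectors, not captured traffic."""
    # IKEv2 IKE_SA_INIT header: initiator SPI, zero responder SPI, next payload 33 (SA),
    # version 0x20, exchange type 34 (IKE_SA_INIT), flags 0x08 (initiator), msg id 0, length 28
    ike_sa_init = (b"\x11" * 8 + b"\x00" * 8 + bytes([33, 0x20, 34, 0x08])
                   + struct.pack("!II", 0, IKE_HEADER_LEN))
    return {
        "ike_sa_init": NON_ESP_MARKER + ike_sa_init,
        "esp": struct.pack("!II", 0xC0FFEE01, 1) + b"\xaa" * 32,
        "keepalive": NAT_KEEPALIVE,
        "zero_spi": struct.pack("!II", 0, 5) + b"\x00" * 8,  # SPI 0 collides with the marker
    }


if __name__ == "__main__":
    for name, data in sample_datagrams().items():
        print(f"{name:12s} -> {classify_udp4500(data)}")
```

The zero_spi vector shows why the reservation of SPI 0 is load-bearing: a receiver cannot treat it as ESP without also mistaking genuine IKE messages for ESP, so it is rejected. A firewall that allows UDP/4500 is therefore allowing IKE, ESP and keepalives at once; it cannot permit one without the others unless it inspects the payload this way.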
NAT-T Limitations
- NAT-T adds an 8-byte UDP header to every ESP packet, on top of the ESP and tunnel-mode IP overhead already present, reducing effective MTU; lower the tunnel MTU or TCP MSS (ip tcp adjust-mss on IOS) so the outer packets are not fragmented
- Some carrier-grade NAT (CGNAT) devices aggressively time out UDP mappings; keepalive intervals below 20 s are recommended there
- NATs that allocate a new external port per destination (symmetric NAT) or rebuild mappings unpredictably can break NAT-T: the responder replies to the address and port it observed on UDP/4500, and if the NAT has since replaced that mapping the reply is dropped. A gateway that is itself behind NAT needs static forwarding of UDP/500 and UDP/4500 to it
- Hardware crypto offload may not support UDP-encapsulated ESP, falling back to software processing
Credit to M. Shirra for the indirect feature request.