ip nat inside source list [acl] pool [name]
Configures dynamic NAT by translating inside local IP addresses to inside global addresses from a pool, based on an access list.
When to Use This Command
- Translating a group of private IP addresses (e.g., 192.168.1.0/24) to a public IP pool (e.g., 203.0.113.1-10) for internet access.
- Allowing multiple internal hosts to share a limited number of public IPs by dynamically assigning addresses from a pool.
- Enabling outbound internet connectivity for a branch office with a /28 public subnet.
- Translating internal servers to specific public IPs for inbound access while using a dynamic pool for other hosts.
Command Examples
Basic dynamic NAT with pool
ip nat inside source list 1 pool MY_POOL
This command enables dynamic NAT: traffic matching ACL 1 will have its source IP translated to an address from the pool named MY_POOL.
Verification with show ip nat translations
show ip nat translations
Pro  Inside global   Inside local    Outside local   Outside global
---  203.0.113.2     192.168.1.10    198.51.100.1    198.51.100.1
---  203.0.113.3     192.168.1.11    198.51.100.2    198.51.100.2
The output shows active translations: Inside local (private IP) is translated to Inside global (public IP from pool). Outside local/global are typically the same for outbound traffic. Each row represents a single translation entry.
Understanding the Output
The command itself does not produce output; it configures the router. To verify, use 'show ip nat translations'. The output shows active NAT entries. Key columns: 'Inside global' is the translated public IP from the pool; 'Inside local' is the original private IP; 'Outside local' and 'Outside global' are typically identical for outbound traffic. A healthy translation shows a one-to-one mapping. If you see many translations with the same inside global IP, it may indicate PAT (overload) is also configured. Watch for '---' in the protocol column indicating no protocol-specific entry. If translations are missing, check ACL and pool configuration.
CCNA Exam Tips
- Remember that the ACL defines which inside local addresses are eligible for translation; the pool defines the inside global addresses.
- The pool must have enough addresses for simultaneous translations; otherwise, packets are dropped.
- CCNA often tests the difference between dynamic NAT (this command) and PAT ('ip nat inside source list 1 pool MY_POOL overload').
- You must also configure 'ip nat inside' on the inside interface and 'ip nat outside' on the outside interface.
Common Mistakes
- Forgetting to apply 'ip nat inside' and 'ip nat outside' on the correct interfaces, causing no translation to occur.
- Creating an ACL that is too permissive (e.g., permit any) or too restrictive, leading to unintended translation or no translation.
- Using a pool that is too small for the number of simultaneous translations, causing packet drops.
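The mistakes listed above can be checked offline against a saved configuration. The following Python script is an added example, not part of the original page or of any Cisco tooling: the function name audit_dynamic_nat, the expected_hosts parameter, and the sample configuration are constructed for illustration, and only numbered ACLs are parsed.

```python
import ipaddress
import re

# Constructed running-config excerpt (not from a real device). It carries three
# of the mistakes above: no 'ip nat outside', 'permit any', and a small pool.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
interface GigabitEthernet0/1
 ip address 203.0.113.14 255.255.255.240
access-list 1 permit any
ip nat pool MY_POOL 203.0.113.1 203.0.113.10 netmask 255.255.255.240
ip nat inside source list 1 pool MY_POOL
"""

RULE_RE = re.compile(r"ip nat inside source list (\S+) pool (\S+)( overload)?")

def audit_dynamic_nat(config, expected_hosts):
    """Return findings for each 'ip nat inside source list ... pool ...' rule."""
    roles, acls, pools, rules, iface = set(), {}, {}, [], None
    for line in config.splitlines():
        if not line.startswith(" "):
            # A non-indented line ends any interface block.
            iface = line.split()[1] if line.startswith("interface ") else None
        if iface and (m := re.fullmatch(r"\s+ip nat (inside|outside)", line)):
            roles.add(m.group(1))
        elif m := re.match(r"access-list (\d+) (permit|deny) (.+)", line):
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3).strip()))
        elif m := re.match(r"ip nat pool (\S+) (\S+) (\S+) ", line):
            first, last = (int(ipaddress.IPv4Address(a)) for a in m.group(2, 3))
            pools[m.group(1)] = last - first + 1  # number of inside global addresses
        elif m := RULE_RE.fullmatch(line.rstrip()):
            rules.append(m.groups())
    findings = [f"no interface is marked 'ip nat {r}'"
                for r in ("inside", "outside") if r not in roles]
    for acl, pool, overload in rules:
        if acl not in acls:
            findings.append(f"ACL {acl} is not defined")
        elif ("permit", "any") in acls[acl]:
            findings.append(f"ACL {acl} uses 'permit any'")
        if pool not in pools:
            findings.append(f"pool {pool} is not defined")
        elif not overload and pools[pool] < expected_hosts:
            findings.append(f"pool {pool} has {pools[pool]} addresses for {expected_hosts} hosts")
    return findings
```

Calling audit_dynamic_nat(SAMPLE_CONFIG, 254) returns one finding per mistake; the pool-size check is skipped when the rule ends in 'overload', because PAT lets hosts share a pool address.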
Related Commands
ip nat inside source static [local-ip] [global-ip]
Configures static NAT to map a single inside local IP address to a single inside global IP address, allowing internal hosts to be reachable from external networks.
show ip nat statistics
Displays statistics about NAT translations, including active translations, hit counts, and configuration parameters, used to verify NAT operation and troubleshoot translation issues.
show ip nat translations
Displays the current active Network Address Translation (NAT) translations on the router, used to verify NAT operations and troubleshoot connectivity issues.