# Static NAT

> Source: Courseiva IT Certification Glossary — https://courseiva.com/glossary/static-nat

## Quick definition

Static NAT is a way to give a device inside a private network a permanent public IP address so it can be reached from the internet. Unlike dynamic NAT, the address mapping is fixed, meaning the same private IP always translates to the same public IP. This is often used for servers that need to be accessible from outside the network. It helps conserve public IP addresses while allowing specific devices to have consistent external identities.

## Simple meaning

Imagine you live in a large apartment building. Each apartment has an internal number, like Apartment 7, that the mail carrier uses inside the building. But to get packages from the outside world, the building has a main address, like 500 Main Street. If you want a friend to send you a package directly, you could tell them to address it to Apartment 7 at 500 Main Street. The building manager then knows that any package for Apartment 7 goes to you, and only you, every single time. That is exactly how Static NAT works.

In computer networking, a company might have many computers using private IP addresses like 192.168.1.10, which are not usable on the public internet. To let one specific computer, such as a web server, be reachable from the internet, the company sets up a Static NAT rule on its router. This rule says that any traffic coming to the public IP address 203.0.113.50 should be forwarded directly to the private IP 192.168.1.10. The mapping never changes, so the server always has the same public identity. This makes it simple for external users to reach the server by name or IP without worrying about address changes.

Static NAT is different from other types of NAT because it is permanent and fixed. With dynamic NAT, a private device gets a temporary public IP from a pool, and it may get a different one next time. With Port Address Translation (PAT), many private devices share a single public IP using different port numbers. Static NAT gives a dedicated public IP to a single private device. This is essential for hosting services like websites, email servers, or VPN gateways that must always be reachable at the same address.

The key benefit of Static NAT is reliability. Because the mapping never changes, remote users, DNS records, and security rules can all depend on that public IP address being constant. It also provides a layer of security by hiding the internal IP structure from the outside world, while still allowing controlled inbound access. Network administrators use Static NAT to ensure that critical servers are always accessible without exposing the entire internal network.

## Technical definition

Static NAT, or Static Network Address Translation, is a method of IP address translation where a one-to-one mapping is manually configured between a private (inside local) IP address and a public (inside global) IP address. This mapping is persistent and remains unchanged until an administrator modifies or removes the configuration. Static NAT operates at Layer 3 of the OSI model (the Network layer) and is commonly implemented on routers, firewalls, and Layer 3 switches.

When a device with a private IP address, such as 10.0.0.5, sends a packet to an external destination, the NAT device (typically the default gateway) intercepts the packet. It checks its NAT translation table and finds the static mapping for the source IP address. The device replaces the source IP address in the packet header with the corresponding public IP address (e.g., 198.51.100.20). It also recalculates the IP header checksum and, if applicable, updates the TCP or UDP checksum. The packet is then forwarded toward the destination over the internet.

For inbound traffic, the process is reversed. When an external host sends a packet destined to the public IP address 198.51.100.20, the NAT device looks up its translation table, finds the static mapping, and changes the destination IP address to the private IP address 10.0.0.5. It then forwards the packet to the internal device. This bidirectional translation is crucial for servers that must be reachable from the internet while using private addressing internally.

Static NAT does not involve port translation by default. Unlike PAT, which maps multiple private IPs to a single public IP by varying the source port, Static NAT translates only the IP address. However, it is possible to combine Static NAT with static port forwarding (sometimes called port mapping) to direct specific ports to specific internal devices. For example, a Static NAT entry for public IP 203.0.113.10 can forward TCP port 80 to internal IP 192.168.1.100 and TCP port 443 to internal IP 192.168.1.101, although this is technically a combination of NAT and port forwarding.

Static NAT is defined in RFC 2663 (IP Network Address Translator Terminology and Considerations) and RFC 3022 (Traditional IP Network Address Translator). These documents outline the behavior and limitations of address translation. Static NAT can be used with both IPv4 and IPv6, though in IPv6 the need for NAT is significantly reduced due to the abundance of public addresses. In IPv6 environments, Static NAT (or NAT66) is sometimes used for compatibility with legacy systems or for specific security policies.

Configuration of Static NAT varies by vendor. In Cisco IOS, the command is typically: ip nat inside source static 192.168.1.10 203.0.113.50. On a Linux system, iptables rules can accomplish the same: iptables -t nat -A PREROUTING -d 203.0.113.50 -j DNAT --to-destination 192.168.1.10. In cloud environments like AWS, Static NAT is implemented using Elastic IP addresses attached to instances or through NAT Gateways with specific routing.

Key technical considerations include address conservation, routing symmetry, and impact on stateful firewalls. Static NAT consumes one public IP per internal device, which can be expensive if many devices require persistent mappings. Because the mapping is static, return traffic always reaches the correct internal host as long as the routing path is symmetric. However, if asymmetric routing occurs, stateful firewalls may drop packets, as they expect traffic from a given flow to traverse the same NAT device in both directions. Protocols that embed IP addresses in the application layer (e.g., FTP, SIP) can break with Static NAT unless the NAT device has an Application Layer Gateway (ALG) to perform additional translations.

## Real-life example

Think of a large office building with a single main reception desk. Everyone inside the building has an internal phone extension, like 101 for accounting and 102 for sales. If a client from outside the building wants to reach the sales department directly, they cannot just dial extension 102 from their cell phone because the phone company does not recognize internal extensions. Instead, the office has a main phone number, 555-1234. The reception desk has a fixed rule: anytime a call comes in for extension 102, transfer it immediately to the sales department's phone. This rule is written down and never changes; extension 102 always belongs to sales.

In this analogy, the internal phone extensions are private IP addresses. The main phone number 555-1234 is the public IP address. The reception desk acts as the NAT device, performing the translation. The fixed rule that extension 102 always gets calls is the Static NAT mapping. The sales department never has to worry about their extension changing, and external clients always know that dialing the main number and asking for extension 102 will reach the right people.

Now consider a home scenario. You have a security camera system that you want to view from your smartphone when you are away. Your home router assigns the camera a private IP address like 192.168.1.50. Your home's public IP address (assigned by your internet provider) is 72.14.205.100. To watch the camera remotely, you set up a Static NAT rule in your router: any incoming traffic to port 8080 on the public IP should be sent to private IP 192.168.1.50 on port 80. This mapping remains until you change it. The camera always has the same private IP, and the external access path always uses the same public IP and port. This is a practical everyday use of Static NAT that many people rely on for home automation and security.

These examples show that Static NAT is about establishing a permanent, predictable bridge between the outside world and a specific internal resource. It removes the uncertainty of dynamic addressing, making services reliable and manageable. Whether in a corporate data center or a smart home, the principle is the same: a fixed translation rule ensures consistent access.

## Why it matters

Static NAT matters because it enables critical internet services to operate reliably from behind private IP addresses. Without Static NAT, hosting a public-facing service like a website, email server, or remote access VPN would require either assigning public IPs directly to each server or relying on less predictable translation methods. Static NAT provides the stability needed for DNS records and security certificates, both of which rely on IP addresses remaining constant. If the public IP associated with your web server changed frequently, users would experience connectivity issues, and SSL/TLS certificates tied to that IP would fail.

From a security perspective, Static NAT allows organizations to hide their internal network structure while still offering controlled external access. An outside attacker sees only the public IP addresses; the internal IP ranges remain hidden. This adds a layer of obfuscation. By placing Static NAT rules on a firewall, administrators can enforce strict access control policies, permitting only specific traffic to reach the internal server. This is far more secure than placing a server directly on the internet with a public IP.

In enterprise environments, Static NAT is essential for high-availability configurations. For example, a pair of load balancers might use the same public IP for a cluster of web servers, but each server itself may have a Static NAT mapping for management access. Network monitoring tools and centralized logging systems often rely on static mappings to consistently address devices across the network. Without Static NAT, managing a large network would become chaotic, as administrators would constantly need to track changing IP addresses.

For IT professionals, understanding Static NAT is fundamental to troubleshooting connectivity issues. When a service is unreachable from outside the network, checking the NAT configuration is one of the first steps. Misconfigured Static NAT rules are a common source of network problems. Knowing how to verify, test, and fix these rules is a core skill for network engineers, system administrators, and cloud architects alike.

## Why it matters in exams

Static NAT appears as a core topic in several major IT certification exams. For CompTIA Network+, it is part of the Domain 2.0 on Network Implementation, specifically under NAT and PAT concepts. The exam expects you to understand the difference between Static NAT, Dynamic NAT, and PAT, and to identify scenarios where one is more appropriate than another. Similarly, CCNA (Cisco Certified Network Associate) covers Static NAT in depth within the IP Connectivity section. You may be asked to interpret or write configuration snippets, identify the effects of NAT on packet headers, or troubleshoot NAT-related issues on routers.

In security-focused exams like CompTIA Security+ and the AWS Certified Solutions Architect Associate (SAA), Static NAT is relevant but often in a supporting role. Security+ includes NAT as a network segmentation technique that helps protect internal addressing. The exam might present a scenario where you must recommend a NAT strategy to allow external access to a server while maintaining a security boundary. AWS SAA covers Static NAT implicitly through Elastic IP addresses and NAT Gateways. You need to know when to use a Static NAT (Elastic IP) versus a NAT Gateway for outbound-only traffic.

For Microsoft Azure exams (AZ-104), Static NAT appears in relation to Azure Load Balancer and Virtual Network configurations. You may encounter questions about configuring inbound NAT rules that are essentially Static NAT mappings. Google Associate Cloud Engineer (ACE) similarly includes Cloud NAT and static external IP assignments. The Google ACE exam expects you to understand how to allow external access to a VM using a static external IP address and appropriate firewall rules, which is the direct application of Static NAT in the cloud.

Exam question types range from multiple-choice conceptual questions (e.g., Which NAT type uses a one-to-one fixed mapping?) to scenario-based questions where you must choose the correct configuration command (e.g., ip nat inside source static 192.168.1.10 203.0.113.50). Troubleshooting questions might present a simulator or description of a problem and ask you to identify the misconfigured NAT rule. Cloud exams often require understanding the cost implications of Static NAT, since public IP addresses (especially Elastic IPs) may incur charges when not in use. Knowing these specifics can make the difference between passing and failing.

## How it appears in exam questions

Static NAT questions in certification exams typically fall into three categories: conceptual, configuration, and troubleshooting. In conceptual questions, you might be asked to identify the characteristics of Static NAT. For example, a question could state: Which type of NAT provides a one-to-one mapping between private and public IP addresses that does not change? The answer is Static NAT. Another common conceptual question involves comparing NAT variants, such as: An administrator needs to host a web server that must always be reachable at the same public IP address. Which NAT method should be used? The correct answer is Static NAT.

Configuration questions often require you to interpret or complete a command line from a router or firewall. For CCNA, you could see: A network administrator wants to map the internal server 192.168.1.100 to the public IP 209.165.200.225. Which Cisco IOS command should be used? The correct answer is ip nat inside source static 192.168.1.100 209.165.200.225. The exam might also show a running configuration and ask: Based on the output, what is the effect of this NAT configuration? You would need to recognize that the static mapping allows inbound traffic to the server.

Troubleshooting questions present a problematic scenario. For example: Users report that they cannot access the company's web server from the internet. The server is at 10.0.0.5 and the public IP is 203.0.113.77. The administrator checks the NAT table and sees no entries. What is the most likely cause? The answer is that the Static NAT rule has not been configured or has been removed. Another troubleshooting pattern involves asymmetrical routing: A static NAT rule is in place, but traffic is passing through a different firewall on the return path, causing sessions to be dropped. The question would ask you to identify the cause of the problem.

In cloud certification exams like AWS SAA, questions often present a scenario with a web application on an EC2 instance that needs a static public IP. You might be asked: Which combination of resources provides a permanent public IP address for an EC2 instance? The answer involves an Elastic IP address attached to the instance, which is essentially a form of Static NAT at the cloud infrastructure level. Similarly, Azure AZ-104 questions may ask: You need to provide inbound access to a VM using a static public IP and port forwarding. Which resource should you configure? The answer is an inbound NAT rule on a load balancer or a static NAT rule on a firewall.

Finally, some questions test your understanding of the limitations of Static NAT. For instance: Which of the following is a disadvantage of using Static NAT for all devices in a network? The correct answer is that it consumes a public IP address for each private IP, potentially exhausting the public IP address pool. These questions ensure that candidates not only know what Static NAT is but also understand its trade-offs.

## Example scenario

A small business called TechFix IT services runs a web server, an email server, and a file sharing server from their office. The office network uses private IP addresses in the 192.168.1.0/24 range. The web server is at 192.168.1.10, the email server is at 192.168.1.20, and the file server is at 192.168.1.30. The company has a single internet connection with a public IP address provided by their ISP, which is 203.0.113.100. However, they also purchased two additional public IP addresses from their ISP: 203.0.113.101 and 203.0.113.102.

The owner wants all three servers to be accessible from the internet using consistent public IP addresses. Since the company has exactly three public IPs (one main plus two additional), they can assign one public IP to each server. They decide that:
- The web server (192.168.1.10) will use public IP 203.0.113.100
- The email server (192.168.1.20) will use public IP 203.0.113.101
- The file server (192.168.1.30) will use public IP 203.0.113.102

The administrator logs into the office firewall and configures three Static NAT rules. For the web server, the rule says: any inbound traffic destined for 203.0.113.100 should be sent to 192.168.1.10. Similarly for the other two. Now, when a customer types http://203.0.113.100 in their browser, the packet reaches the firewall, which looks up the Static NAT table, rewrites the destination IP to 192.168.1.10, and forwards the packet to the web server. The server responds, and the firewall reverses the translation so the customer sees the reply coming from 203.0.113.100.

This setup works well until one day the ISP changes the public IP for 203.0.113.102 due to a renumbering event. The file server becomes unreachable until the administrator updates the Static NAT mapping to the new public IP. This illustrates that Static NAT, while providing stable addressing, still depends on the public IP being maintained by the ISP. The company eventually moves to a cloud provider to avoid this dependency, but the Static NAT concept remains essential for their understanding of cloud networking.

## How Static NAT Establishes One-to-One Mapping

Static Network Address Translation, or static NAT, is a method of mapping a single private IP address to a single public IP address on a one-to-one, permanent basis. This contrasts with dynamic NAT, which uses a pool of public addresses and assigns them on a first-come, first-served basis, and with Port Address Translation, which multiplexes many private addresses onto a single public address using different ports. In a static NAT configuration, the translation table is manually populated by an administrator and does not change over time. For example, a web server with a private IP address of 192.168.1.10 might be statically mapped to the public IP address 203.0.113.50. Every packet that arrives at the router or firewall from the internet destined for 203.0.113.50 is translated to 192.168.1.10 and forwarded accordingly. Similarly, packets leaving the server are translated back so that the source address appears as 203.0.113.50.

The mechanism operates at layer 3 of the OSI model, meaning it translates the IP header addresses but does not alter the transport layer port numbers. This is a key distinction from PAT. Because static NAT does not use port translation, each private IP requires its own dedicated public IP. This makes it ideal for devices that must be reachable from the internet using a fixed, well-known public address, such as mail servers, web servers, or VPN endpoints. From an exam perspective, static NAT is often tested in the context of security policies, remote access, and server hosting in a cloud or on-premises environment. For the CompTIA Security+, CCNA, AWS SAA, and Azure AZ-104 exams, candidates must understand when a one-to-one mapping is appropriate versus when using PAT or dynamic NAT would be more efficient. The key concept to remember is that static NAT is always manual, always persistent, and does not conserve public IP address space. In AWS, for example, static NAT is not a native service, but Elastic IP addresses serve a similar role for EC2 instances. On Cisco routers, static NAT is configured using the "ip nat inside source static" command, while on firewalls it may be part of a policy rule. Understanding the fundamental packet flow and the absence of port translation is essential for correctly answering exam questions about asymmetric routing, deep packet inspection, and VPN traversal.

## Static NAT Configuration for Inbound and Outbound Traffic

Configuring static NAT requires careful planning for both inbound and outbound traffic. In a typical enterprise network, an administrator will designate which internal devices need permanent public addresses. This is common for email servers, web servers, and terminal servers that must be accessed by remote users or partners. The configuration involves three main steps on most routing or firewall platforms: defining the inside and outside interfaces, creating the static mapping, and optionally applying access control lists to restrict traffic. For Cisco IOS routers, the commands are issued in global configuration mode. For example, to map the private address 10.0.0.5 to the public address 198.51.100.20, the administrator types "ip nat inside source static 10.0.0.5 198.51.100.20". The router must also have its inside interface specified with "ip nat inside" and its outside interface with "ip nat outside". This ensures that packets traversing the correct interfaces are processed. On a firewall like the Cisco ASA or a Palo Alto Networks appliance, static NAT is typically configured as part of a security policy or a NAT rule. The administrator specifies the original source or destination address, the translated address, and the service or port if applicable. 

In cloud environments, static NAT concepts appear differently. In AWS, an Elastic IP address is a static public IPv4 address that can be associated with an EC2 instance. This is functionally equivalent to static NAT, as the instance retains the same public IP until it is explicitly disassociated. In Azure, a static public IP address is assigned to a VM's network interface, often using a Standard SKU public IP resource. Google Cloud offers static external IP addresses for VMs. Exam questions on the AWS SAA, Azure AZ-104, and Google ACE will test whether you understand that static public IPs are used for servers that need a fixed endpoint, such as bastion hosts or application endpoints. They also test the cost implications, because static IPs that are not attached to running instances incur charges. For the CCNA exam, expect configuration scenarios on a router with two interfaces. The candidate must be able to identify which interface is inside and which is outside, apply the static NAT command, and verify the translation using "show ip nat translations". Troubleshooting may involve ensuring that routing is correct and that there are no conflicting ACL entries that block the translated traffic. Always remember that static NAT does not automatically create a security hole; it is the absence of a firewall rule that allows traffic. Therefore, many exam questions pair static NAT with access lists to test the understanding that NAT and ACLs are independent functions.

## Static NAT Impact on IP Fragmentation and MTU

One of the more advanced and often overlooked aspects of static NAT is its interaction with IP fragmentation and the maximum transmission unit (MTU) of a path. Because static NAT rewrites the IP header address but does not typically adjust the IP identification field or the fragment offset values, packets that are already fragmented can sometimes cause issues. Consider a scenario where an internal server sends a large packet that exceeds the MTU of an intermediate link. The packet is fragmented by the server or a router before it reaches the NAT device. The NAT device receives two or more fragments, each containing a partial IP payload. The static NAT process must translate the source or destination IP address in every fragment. Typically, this works because the IP header is present in each fragment. However, some older stateful NAT implementations rely on looking up the session state for the first fragment and then apply the same translation to subsequent fragments based on the IP identification field. If the session table is cleared or if the NAT device is load-balanced, later fragments may be dropped because they do not match an existing translation. This is particularly problematic for UDP traffic, which is connectionless and often used with DNS or voice applications. 

For exams like the Network+ and CCNA, fragmentation-related questions often appear in the context of VPN tunnels or jumbo frame support. When static NAT is used together with IPSec VPN, the encryption adds overhead that can cause packets to exceed the MTU of the physical link. If the packet is fragmented before encryption, the receiving side must be able to reassemble and decrypt. NAT can complicate this because the NAT device may be positioned before or after the encryption device. In practice, most modern routers and firewalls handle fragmentation transparently, but exam questions love to test the principle that NAT does not reassemble fragments. Instead, it translates each fragment individually. Another common issue is the Path MTU Discovery black hole. When a host sends a packet with the Don't Fragment flag set, and the packet is too large for a downstream link, an ICMP Fragmentation Needed message is sent back to the source. However, if the source is behind static NAT, the ICMP message is sent to the translated public address, and the NAT device must forward it to the original private address. If the NAT device does not have a state for the ICMP error or if it does not handle ICMP translation, the packet is lost, and the sender never learns to reduce its packet size. This results in a connection timeout. The exam clue is to check that ICMP is not blocked and that the NAT device is capable of translating ICMP type 3 code 4 messages. For the Security+ and CySA+ exams, understanding that NAT can break certain protocols is part of the troubleshooting mindset. Always remember that static NAT is a layer-3-only translation, and any protocol that embeds IP addresses in the payload, such as FTP or SIP, requires additional application layer gateway support.

## Asymmetric Routing and Static NAT Stateful Issues

A major real-world challenge that appears frequently in advanced networking exams is the issue of asymmetric routing in conjunction with static NAT. Asymmetric routing occurs when the forward path of a packet takes a different route from its return path. For example, traffic from the internet to a server arrives through Router A, which applies static NAT and forwards the packet to the internal server. However, the server's response might be routed out through Router B because of a different routing metric or policy. Router B may not have any knowledge of the static NAT translation that occurred on Router A. Since the response packet has a source address of the private IP of the server, Router B will send it out with that private source address, or if it has its own NAT configuration, it might translate it to a completely different public IP. This breaks the session because the client on the internet receives a packet from a different public IP than expected, or it receives a private IP address that is not routable on the internet. The connection will appear to hang or time out. 

To fix asymmetric routing with static NAT, administrators must ensure that all paths in and out of the network go through the same NAT device. This is often achieved by using policy-based routing, route redistribution, or implementing a stateful firewall with a single exit point. In cloud environments, asymmetric routing is less common because traffic typically flows through a single virtual router or internet gateway. However, when using multiple NAT gateways or instance-level public IPs, the issue can reappear. For the CCNA and CCNP exams, candidates are often presented with a scenario where static NAT is not working and the symptoms include intermittent connectivity. The examiner expects you to check the routing table on both routers, verify that the inside global and inside local addresses are consistent, and ensure that the return traffic is indeed going back through the NAT device. Another subtle issue is when the NAT device is also performing stateful inspection for TCP. The TCP sequence numbers are not changed by static NAT, but the firewall must still track the state. If asymmetric routing causes the return packet to bypass the stateful firewall, it will be dropped as an invalid session. Therefore, static NAT in a stateful environment demands symmetric routing. For the Security+ and CASP+ exams, this concept is tied to the design of secure network architectures and the use of load balancers. A load balancer that sits behind a static NAT must either be the target of the NAT translation or the clients must connect to the virtual IP of the load balancer directly. Exam clues often involve drawing a topology and asking where the translation should occur. The correct placement is always at the edge, just after the internet-facing router, and before any internal load balancing. The body of knowledge for the AWS SAA exam also touches on this when discussing NAT instances versus NAT gateways, where the gateway is always in a single availability zone and routing must be symmetric. Asymmetric routing is the enemy of static NAT, and diagnosing it requires careful analysis of both the data and control plane.

## Common mistakes

- **Mistake:** Confusing Static NAT with Port Forwarding
  - Why it is wrong: Port forwarding maps a specific port on a public IP to a specific port on a private IP, often without a full IP translation. Static NAT maps an entire IP address, not specific ports. Learners often think that any port mapping is Static NAT, but pure Static NAT translates the IP address for all ports.
  - Fix: Remember that Static NAT is about IP-to-IP mapping for all ports. If only specific ports are forwarded, it is port forwarding, which is often combined with a default deny for other ports.
- **Mistake:** Thinking Static NAT hides all internal devices
  - Why it is wrong: Static NAT only translates the IP of the one device in the mapping. It does not hide other internal devices. Learners sometimes believe that once a Static NAT rule is set, the entire internal network becomes invisible, which is false.
  - Fix: Understand that Static NAT only affects the specific private IP that is mapped. Other devices rely on other NAT types or have no internet access unless separately configured.
- **Mistake:** Assuming Static NAT is always the best choice for outbound traffic
  - Why it is wrong: Static NAT is primarily for inbound traffic to a specific server. For regular outbound internet access from many workstations, using Static NAT for each device would waste public IPs. Dynamic NAT or PAT is more efficient.
  - Fix: Use Static NAT only when you need a fixed public identity for inbound access. For general outbound internet, use PAT (overloading) which lets many devices share one public IP.
- **Mistake:** Configuring Static NAT on the wrong interface
  - Why it is wrong: NAT rules require specifying inside and outside interfaces. If you misidentify the interfaces (e.g., setting the LAN interface as outside), translation will not work, or traffic will be dropped.
  - Fix: Always remember: the inside interface is where private devices are connected, and the outside interface connects to the internet. Double-check the configuration before applying.
- **Mistake:** Forgetting to update DNS and security rules after changing a Static NAT mapping
  - Why it is wrong: If you change the public IP in a Static NAT mapping, DNS records that point to the old public IP will break. Also, firewall rules that allow traffic to the old IP will no longer match. Learners often only change the NAT rule and wonder why connectivity fails.
  - Fix: When updating a Static NAT mapping, always review and update any DNS A records and firewall rules that reference the public IP. Plan changes carefully to minimize downtime.
- **Mistake:** Believing Static NAT provides anonymity or strong security
  - Why it is wrong: Static NAT only changes IP addresses; it does not encrypt traffic or protect against application-layer attacks. Some learners think that using NAT is equivalent to a firewall, but it is not a security feature on its own.
  - Fix: Use Static NAT in combination with a proper firewall rule set that restricts traffic to necessary ports and sources. Never rely on NAT alone for security.

## Exam trap

{"trap":"The question states: 'A network administrator configures a Static NAT mapping from 10.0.0.10 to 203.0.113.50. A host on the internet sends a packet to 203.0.113.50. Which IP address will be in the source address field of the packet when it reaches 10.0.0.10?'","why_learners_choose_it":"Many learners think that because Static NAT is one-to-one, the source IP will also be translated. They might think the source becomes 10.0.0.10 or that both source and destination are swapped.","how_to_avoid_it":"Understand that NAT typically translates only the destination IP for inbound traffic. In this scenario, the destination IP is changed from 203.0.113.50 to 10.0.0.10, but the source IP remains the public IP of the external host. The source IP is not translated unless you configure source NAT (SNAT) rules, which is separate from the Static NAT for the server. Always read carefully: the question asks about the source address field, which remains unchanged unless specified otherwise."}

## Commonly confused with

- **Static NAT vs Dynamic NAT:** Dynamic NAT uses a pool of public IP addresses and assigns them on a first-come, first-served basis to private devices. The mapping is temporary and changes each time a device initiates a new session or after a timeout. Static NAT uses a permanent, manually configured mapping that never changes. (Example: In a company, a web server always needs the same public IP, so it gets Static NAT. Employees' computers share a pool of public IPs via Dynamic NAT, getting whichever is free at the moment.)
- **Static NAT vs Port Address Translation (PAT):** PAT, also known as NAT overload, maps many private IP addresses to a single public IP address by using different source port numbers. Static NAT maps exactly one private IP to one public IP, without port variation. PAT is for outbound traffic sharing; Static NAT is for inbound service hosting. (Example: A home router uses PAT so all family members' devices browse the internet using the same public IP, but with different port numbers. A home security camera that needs to be accessed remotely uses Static NAT with a dedicated port mapping.)
- **Static NAT vs Port Forwarding:** Port forwarding is the practice of forwarding traffic on a specific port (e.g., TCP 80) from a public IP to a specific private IP and port. It can be used without Static NAT, and it does not necessarily translate the IP address for all ports. Static NAT translates the entire IP address, which can be for one-to-one IP mapping or combined with port forwarding for granular control. (Example: You can have a static IP mapping of 1.2.3.4 to 10.0.0.5, and then separately forward port 8080 to a different internal server. Port forwarding alone might just forward port 443 from the public IP to a single internal host without full IP translation.)
- **Static NAT vs Proxy Server:** A proxy server acts as an intermediary for application-layer traffic, often caching content and filtering requests. It terminates client connections and creates new connections to the destination. Static NAT works at the network layer, translating only IP addresses without terminating connections or inspecting application data. (Example: A web proxy forwards HTTP requests on behalf of users and can cache web pages. Static NAT simply changes IP addresses in packet headers without understanding what application data is being sent.)

## Step-by-step breakdown

1. **Administrator defines the mapping** — The network administrator manually configures a rule that links a specific private IP address (inside local) to a specific public IP address (inside global). This mapping is stored in the NAT table of the router or firewall. No automatic discovery happens; it must be explicitly typed or entered via a management interface.
2. **Internal device sends outbound packet** — A device with the private IP address sends a packet to an external server. The packet has a source IP (the private IP) and a destination IP (the external server's IP). The device does not know about NAT; it simply sends the packet to its default gateway.
3. **Gateway intercepts the packet** — The default gateway (typically a router or firewall) receives the packet on its inside interface. It checks whether the packet matches any NAT rule. Since a Static NAT mapping exists for the source IP, the gateway proceeds to translation.
4. **Source IP translation occurs** — The gateway replaces the source IP address in the IP header with the public IP address from the Static NAT mapping. The packet now appears to come from the public IP. The original source port (for TCP/UDP) remains unchanged unless PAT is also applied. The gateway recalculates the IP header checksum.
5. **Packet is forwarded to destination** — After translation, the gateway forwards the packet out through its outside interface toward the internet. The destination server sees the packet as coming from the public IP address. When the server replies, it sends the reply back to that public IP address.
6. **Inbound packet arrives at public IP** — An external host sends a packet destined for the public IP address that is part of the Static NAT mapping. The packet arrives at the outside interface of the gateway. The destination IP is the public address.
7. **Destination IP translation occurs for inbound traffic** — The gateway looks up the Static NAT table and finds the mapping for the destination public IP. It replaces the destination IP with the private IP address from the mapping. The source IP of the external host remains unchanged. The gateway then recalculates the checksum.
8. **Packet is forwarded to internal device** — The gateway forwards the translated packet to the internal device on the inside network. The internal device sees the packet as coming from the external host's IP and destined for its own private IP. It processes the packet as normal. For subsequent packets in the same flow, the same translation steps repeat.

## Practical mini-lesson

Static NAT is one of the most fundamental networking concepts that IT professionals must master, especially those working with Cisco, Linux, or cloud environments. In practice, Static NAT is used almost exclusively for servers that need to be reachable from the internet, web servers, email servers, FTP servers, or game servers. The configuration is straightforward, but troubleshooting can be tricky because the flow involves both outbound and inbound traffic, each with different translation requirements.

When configuring Static NAT on a Cisco router, you typically enter global configuration mode and issue the command: ip nat inside source static 192.168.1.10 203.0.113.50. You must then define which interfaces are inside and which are outside using the commands ip nat inside on the LAN interface and ip nat outside on the WAN interface. Without this interface assignment, the router does not know where to apply the NAT rules. Beginners often forget this step, resulting in no translation occurring.

For Linux systems, Static NAT is accomplished using iptables or nftables. For example, to create a DNAT (Destination NAT) rule for inbound traffic, you might use: iptables -t nat -A PREROUTING -d 203.0.113.50 -j DNAT --to-destination 192.168.1.10. You need to enable IP forwarding with sysctl net.ipv4.ip_forward=1. Without IP forwarding, the kernel will not route packets between interfaces after translation, and connectivity will fail.

In cloud environments, Static NAT is often abstracted. On AWS, when you attach an Elastic IP address to an EC2 instance, the underlying AWS infrastructure performs a form of Static NAT at the hypervisor level. However, from the instance's perspective, it sees its private IP only. The traffic arrives translated by the AWS networking fabric. This is why in AWS, you never see the public IP configured directly on the instance's OS; it is always a NAT function.

One common practical challenge is ensuring that return traffic follows the same routing path as the inbound traffic. If you have multiple internet connections or asymmetric routing, a return packet might hit a different gateway that does not have the Static NAT mapping, causing the connection to be broken. Professionals often solve this by using a single NAT gateway or by implementing policy-based routing to force traffic symmetry.

Another real-world consideration is logging and auditing. Static NAT entries should be documented and reviewed regularly. If a public IP is reassigned to a different internal server without updating DNS and firewall rules, you can inadvertently expose sensitive services. Change management processes typically require a review of all Static NAT rules whenever a server is decommissioned or moved.

Professionals also use Static NAT in conjunction with Access Control Lists (ACLs) to restrict which external hosts can reach the internal server. For example, you might create a Static NAT mapping for a management server but only allow traffic from a specific remote office's public IP. This minimizes the attack surface. Testing Static NAT can be done using tools like telnet, curl, or nmap from outside the network to verify that the correct port responses come back.

## Commands

```
ip nat inside source static 192.168.1.10 203.0.113.50
```
Creates a static one-to-one mapping on a Cisco IOS router. The inside local address 192.168.1.10 is translated to the inside global address 203.0.113.50 for both inbound and outbound traffic. This is used when a server behind the router must be reachable from the internet with a fixed public IP.

*Exam note: CCNA and Network+ exams test the exact syntax and the concept that this command is applied globally, not per interface. Also note that you must have 'ip nat inside' on the LAN interface and 'ip nat outside' on the WAN interface.*

```
ip nat inside source static tcp 10.0.0.5 80 198.51.100.10 80 extendable
```
Configures static NAT for a specific TCP port and IP combination on a Cisco router. The 'extendable' keyword allows multiple static mappings to the same public IP as long as the ports differ. This is used to host multiple internal servers on different ports using the same public IP.

*Exam note: The 'extendable' keyword is a frequently tested nuance. Without it, you cannot map two different private IPs to the same public IP even with different ports. Expect questions on CCNA and CCNP that require this option for overlapping addresses.*

```
show ip nat translations
```
Displays the current active NAT translation table on a Cisco device. For static NAT mappings, the entry appears as permanent and shows the inside local, inside global, outside local, and outside global addresses. Use this to verify that the static mapping is active and to troubleshoot translation issues.

*Exam note: This command is essential for exam troubleshooting scenarios. Look for the '---' in the outside columns for static NAT, indicating that the outside mapping is not fixed. It tests your ability to interpret the output and spot missing or incorrect entries.*

```
clear ip nat translation *
```
Clears all dynamic NAT translations from the translation table. Note that this does not remove static NAT entries because they are permanent. This command is used to reset sessions after changing NAT configuration or to clear stuck translations.

*Exam note: Exam questions often ask whether this command affects static NAT. The correct answer is no, it only clears dynamic translations. This tests your understanding of the difference between static and dynamic NAT behavior.*

```
aws ec2 associate-address --instance-id i-1234567890abcdef0 --allocation-id eipalloc-0a1b2c3d4e5f67890
```
Associates an Elastic IP address (a static public IPv4 address) with an EC2 instance in AWS. This is the cloud equivalent of static NAT. The allocation-id refers to the Elastic IP that was previously allocated to the account. Once associated, the instance retains the public IP until disassociated.

*Exam note: AWS SAA and Developer exams test that an Elastic IP is a static public IP used for fixed endpoints. You must also remember that unused Elastic IPs incur charges. Scenarios involving NAT gateway vs. Elastic IP on an instance are common.*

```
New-AzPublicIpAddress -Name MyPublicIP -ResourceGroupName MyRG -Location eastus -Sku Standard -AllocationMethod Static
```
Creates a static public IP address in Azure using PowerShell. The Standard SKU provides static allocation and supports availability zones. This is used to assign a static IP to a VM's NIC for direct inbound access.

*Exam note: AZ-104 exams test the difference between Basic and Standard SKU public IPs. Standard SKU is static by default and is required for load balancers. Knowing that static allocation is chosen at creation time and cannot be changed later is a key exam point.*

```
gcloud compute addresses create my-static-ip --region=us-central1 --address-type=EXTERNAL --description='Static IP for web server'
```
Reserves a static external IP address in Google Cloud. The address remains attached to your project until you release it. You can then assign it to a VM instance or a forwarding rule. This is analogous to static NAT for cloud resources.

*Exam note: Google ACE exam questions often test that static external IPs are regional resources and that you must specify the region. Also, they test the difference between ephemeral and static IPs, particularly for cost and persistence.*

## Troubleshooting clues

- **No Translation Entry Found for Static NAT** — symptom: The 'show ip nat translations' command shows no entry for the configured static mapping, even though the command was applied. Traffic does not reach the internal server.. Static NAT entries should appear immediately after configuration without any traffic. If they do not appear, the most likely cause is that the NAT interfaces are not correctly labeled. The 'ip nat inside' and 'ip nat outside' commands must be applied to the correct interfaces. If the inside interface is not defined, the router does not know which traffic to translate. Another possibility is that the IP address used in the static mapping does not exist in the routing table or on any interface, causing the router to reject the configuration. (Exam clue: CCNA exam questions frequently present a scenario where static NAT is not working, and the candidate must check interface configuration first. The correct answer often involves 'ip nat inside' on the LAN interface.)
- **Intermittent Connectivity with Static NAT** — symptom: Internal server behind static NAT is reachable sometimes but not always. Pings and web requests hang for no apparent reason, then work again.. This is a classic symptom of asymmetric routing. The forward path goes through the NAT device, but the return path takes a different router that does not have the same translation. This can happen when two routers are connected to the same broadcast domain and one is default for outbound traffic. The static NAT translation is on the first router, but the server's default gateway points to the second router. As a result, the server sends responses out the wrong interface, bypassing the NAT translation. The client receives packets from a private IP or a different public IP and drops them. (Exam clue: Network+ and Security+ exams test asymmetric routing as a cause of one-way or intermittent traffic. Look for hints like 'two routers' or 'dual homed' in the question.)
- **Static NAT Causes No Internet Access for Other Hosts** — symptom: After configuring static NAT for a server, other hosts on the same subnet lose internet access. They can communicate locally but cannot reach external websites.. This often occurs because the static NAT mapping consumes the only public IP address available. If the router has only one public IP and it is used for static NAT, dynamic NAT or PAT cannot be used for other hosts unless additional public IPs are available or the router supports overload. The other hosts need to have either PAT configured with a different public IP or they must use the same public IP with port translation. Without PAT, the router has no address to translate them to. (Exam clue: This tests CCNA and Network+ understanding of address exhaustion. The solution is to configure PAT using the same interface IP with 'ip nat inside source list 1 interface gi0/0 overload'. The exam will present the problem and ask what command to add.)
- **FTP Connection Fails Through Static NAT** — symptom: Users outside the network can initiate an FTP connection to the internal server, but the data transfer times out or fails. Control connection works fine.. FTP uses two separate connections: a control channel (port 21) and a data channel (port 20). In active FTP mode, the server initiates the data connection from port 20 to a random high port on the client. The client's IP address is embedded in the FTP control stream. Static NAT only translates the IP header, not the payload. The FTP client behind NAT sends its private IP address in the PORT command, but the server tries to connect to that private IP, which is not reachable from the external network. The solution is either to use passive FTP mode or to enable an FTP ALG on the NAT device that rewrites the IP addresses in the FTP control messages. (Exam clue: Security+ and CCNA exams test the need for application layer gateways. If the question mentions FTP and NAT, the answer is often 'use passive FTP' or 'configure the FTP ALG'.)
- **DNSSEC Validation Fails Behind Static NAT** — symptom: DNS queries that require DNSSEC validation fail for clients behind a static NAT device. The DNS resolver returns SERVFAIL responses.. Static NAT does not modify the DNS payload, which is correct for most cases. However, DNSSEC uses signatures in the DNS response to ensure authenticity. If the NAT device performs DNS inspection or IDS, it might drop or alter the large DNSSEC data packets. Some NAT devices reassemble DNS responses and recalculate checksums, which invalidates the DNSSEC signatures. The solution is to bypass the NAT device for DNS traffic or disable DNS inspection on the firewall. (Exam clue: This is an advanced topic for the CCNP Security and CISSP exams. The exam clue is often about 'downstream signature validation failure' and the need to exclude DNS from inspection.)
- **Duplicate IP Address Error on NAT Device** — symptom: When applying the static NAT command, the router returns an error such as 'Duplicate address' or 'Address already in use'. The mapping fails to install.. This occurs when the inside global address (the public IP) is already used elsewhere in the network. For example, it might be the IP address of the router's outside interface itself, or it might be assigned to another device. Static NAT requires that the inside global address be unique on the outside network. If the router's outside interface already has that IP, you cannot map it to a private address. You must use a different public IP, often from a range provided by the ISP. (Exam clue: CCNA and Network+ exams test this as a configuration error. The solution is to either change the outside interface IP or use a different global IP.)
- **ICMP Fragmentation Needed Not Working Through Static NAT** — symptom: Large packets sent from a host behind static NAT to the internet time out. The host does not receive ICMP type 3 code 4 messages, and connections to certain websites fail.. Path MTU Discovery relies on ICMP messages from routers along the path. When a packet with the DF bit set is too large, a router sends an ICMP Fragmentation Needed message back to the source. However, if the source is behind static NAT, the ICMP message is sent to the public IP of the source. The NAT device must translate that ICMP message back to the private IP. Some NAT implementations do not translate ICMP error messages properly, especially if they do not track ICMP sessions. Some firewalls block all ICMP, which breaks PMTUD. (Exam clue: Security+ and Network+ exams present symptoms of 'slow web downloads' or 'timeouts for large files'. The solution is to allow ICMP type 3 code 4 inbound and ensure the NAT device forwards it to the internal host.)

## Memory tip

Think of Static NAT like a permanent name badge: internal IP is your real name, public IP is your stage name, and it never changes until management decides.

## FAQ

**What is the main difference between Static NAT and Dynamic NAT?**

Static NAT uses a fixed one-to-one mapping between a private IP and a public IP, while Dynamic NAT pulls a public IP from a pool temporarily. With Static NAT, the mapping never changes; with Dynamic NAT, it changes after the session ends.

**Does Static NAT consume a public IP address for each internal device?**

Yes, each Static NAT rule uses one public IP address. If you have 10 servers that each need a static public IP, you need 10 public IP addresses. This is why Static NAT is used sparingly, typically only for servers that need inbound access.

**Can I use Static NAT for IPv6?**

Yes, but it is less common because IPv6 provides enough public addresses for every device. In IPv6, you can assign a global unicast address directly to the device instead of using NAT. However, Static NAT for IPv6 (NAT66) is sometimes used for legacy compatibility or specific security policies.

**How does Static NAT affect firewall rules?**

Firewall rules must be written to allow traffic to the public IP, not the private IP, because the traffic arrives at the firewall destined for the public IP. After translation, the firewall forwards to the private IP. If rules are written only for the private IP, the traffic will be blocked before translation.

**Is Static NAT considered a security feature?**

Static NAT provides a degree of security by hiding internal IP addresses from external users, but it is not a substitute for a firewall. You should always combine Static NAT with proper firewall rules and other security measures like intrusion detection and VPNs.

**What happens if I have two Static NAT rules with the same public IP?**

Most NAT devices will not allow a duplicate public IP in a Static NAT mapping. Only one internal device can be mapped to a given public IP. If you need two servers to share the same public IP, you must use port forwarding or PAT-based rules with different port numbers.

**Do I need to restart the router after configuring Static NAT?**

No, Static NAT rules take effect immediately after they are entered. No reboot is required. However, existing sessions that started before the rule was added will not be translated, so you may need to close and reopen connections.

## Summary

Static NAT is a foundational networking technique that establishes a permanent, one-to-one mapping between a private IP address and a public IP address. It is the method of choice when you need to make an internal server consistently accessible from the internet. Unlike Dynamic NAT or PAT, Static NAT provides a fixed identity that does not change, which is critical for DNS resolution, SSL certificates, and reliable remote access.

In terms of exam relevance, Static NAT appears across a wide range of IT certifications including CCNA, Network+, Security+, AWS SAA, Azure AZ-104, and Google ACE. Each exam tests your ability to distinguish it from other NAT types, configure it on appropriate platforms, and troubleshoot common problems. The most common mistakes involve confusing Static NAT with port forwarding, failing to configure interface roles, and neglecting to update dependent resources like DNS and firewall rules after a change.

For IT professionals, understanding Static NAT is essential for designing secure, reliable networks. It allows you to expose services while keeping internal IP structures hidden, and it forms the building block for more advanced networking solutions like load balancers, VPNs, and cloud architectures. Mastery of Static NAT not only helps you pass certification exams but also equips you to solve real-world connectivity challenges in enterprise and cloud environments.

---

Practice questions and the full interactive page: https://courseiva.com/glossary/static-nat
