
NAT Overload vs Static NAT — When to Use Which

Presenting Symptom

Users in a branch office can access the internet but cannot reach a specific internal server using its public IP address, while external users can reach the server.

Network Context

A small branch office with a Cisco 4321 ISR router running IOS XE 16.9 connects to the internet via a single public IP (203.0.113.1). Inside, there is a web server (192.168.1.10) that must be accessible from the internet. The router is configured with NAT overload (PAT) for all internal users to share the public IP, and a static NAT entry for the web server. The issue is that internal users cannot access the server via its public IP, but external users can.

Diagnostic Steps

1. Check NAT translations

show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- 203.0.113.1:1024  192.168.1.10:80    203.0.113.1:80     203.0.113.1:80
--- 203.0.113.1:1025  192.168.1.20:80    203.0.113.1:80     203.0.113.1:80

Look for the static NAT entry for the server. If the static entry is missing or shows incorrect mapping, that indicates a problem. Also check if the inside local IP matches the server's actual IP.

2. Verify NAT configuration

show running-config | include ip nat
ip nat inside source list 100 interface GigabitEthernet0/0/0 overload
ip nat inside source static tcp 192.168.1.10 80 203.0.113.1 80 extendable

Ensure the static NAT entry is present and uses the 'extendable' keyword. Without 'extendable', the router may not allow internal users to reach the server via the public IP (hairpinning).

3. Check if NAT hairpinning is supported

show ip nat statistics
Total active translations: 5 (1 static, 4 dynamic)
Outside interfaces:
  GigabitEthernet0/0/0
Inside interfaces:
  GigabitEthernet0/0/1
Hits: 1234  Misses: 5
CEF Translated packets: 1200, CEF Punted packets: 34
Expired translations: 10
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 100 interface GigabitEthernet0/0/0 refcount 4

Look for 'Hits' and 'Misses'. If misses are high, packets are not being translated. Also check if the inside interface is correctly defined.

4. Test connectivity from inside host

ping 203.0.113.1 source 192.168.1.20
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 203.0.113.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5)

If the ping succeeds, the issue is specific to TCP port 80. If it fails, there may be a routing or ACL issue. In this scenario, the ping succeeds but HTTP fails.
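As an added example that is not part of the original scenario, the following Python audit automates the checks from steps 1 and 2: it parses saved 'show running-config | include ip nat' output and reports, for one published server, whether a static entry exists, whether its inside local address matches the server, and whether the 'extendable' keyword is present. The configuration text is constructed for this scenario and the function names are the example's own.

```python
import re

# Constructed 'show running-config | include ip nat' output for this scenario:
# the web server's static entry is missing 'extendable'; a second host is fine.
SAMPLE_CONFIG = """\
ip nat inside source list 100 interface GigabitEthernet0/0/0 overload
ip nat inside source static tcp 192.168.1.10 80 203.0.113.1 80
ip nat inside source static tcp 192.168.1.30 443 203.0.113.1 443 extendable
"""

# Matches 'ip nat inside source static [tcp|udp] <local> [port] <global> [port] [options]'
STATIC_RE = re.compile(
    r"^ip nat inside source static"
    r"(?:\s+(?P<proto>tcp|udp))?"
    r"\s+(?P<local>\d+\.\d+\.\d+\.\d+)(?:\s+(?P<lport>\d+))?"
    r"\s+(?P<global>\d+\.\d+\.\d+\.\d+)(?:\s+(?P<gport>\d+))?"
    r"(?P<opts>(?:\s+\S+)*)\s*$"
)

def parse_static_nat(config_text):
    """Return one dict per 'ip nat inside source static' line; other lines are ignored."""
    entries = []
    for line in config_text.splitlines():
        m = STATIC_RE.match(line.strip())
        if not m:
            continue
        entries.append({
            "proto": m.group("proto") or "ip",
            "inside_local": m.group("local"),
            "local_port": int(m.group("lport")) if m.group("lport") else None,
            "inside_global": m.group("global"),
            "global_port": int(m.group("gport")) if m.group("gport") else None,
            "extendable": "extendable" in m.group("opts").split(),
        })
    return entries

def audit_server_nat(config_text, server_ip, public_ip, port):
    """Return a list of findings for the server published at public_ip:port (empty = OK)."""
    matches = [e for e in parse_static_nat(config_text)
               if e["inside_global"] == public_ip and e["global_port"] == port]
    if not matches:
        return [f"no static NAT entry publishes {public_ip}:{port}"]
    findings = []
    for e in matches:
        if e["inside_local"] != server_ip:
            findings.append(f"{public_ip}:{port} maps to {e['inside_local']}, expected {server_ip}")
        if not e["extendable"]:
            findings.append(f"static entry for {e['inside_local']}:{e['local_port']} lacks 'extendable'")
    return findings

if __name__ == "__main__":
    for finding in audit_server_nat(SAMPLE_CONFIG, "192.168.1.10", "203.0.113.1", 80):
        print("FINDING:", finding)
```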

Root Cause

The static NAT entry for the web server is missing the 'extendable' keyword. Without 'extendable', the router does not perform NAT hairpinning, so internal hosts cannot reach the server using its public IP address. The router sees the destination as its own outside interface IP and does not translate it back to the inside server.

Resolution

Add the 'extendable' keyword to the static NAT entry. Commands:

configure terminal
no ip nat inside source static tcp 192.168.1.10 80 203.0.113.1 80
ip nat inside source static tcp 192.168.1.10 80 203.0.113.1 80 extendable
end
write memory

Verification

Run 'show ip nat translations' to confirm the static entry now includes 'extendable'. Then from an internal host, access http://203.0.113.1. The web page should load. Also verify with 'show ip nat statistics' that hits increase.

Prevention

1. Always include the 'extendable' keyword when configuring static NAT for servers that internal users need to access via the public IP.
2. Use 'ip nat inside source static ... extendable' as a standard practice.
3. Test hairpinning scenarios during initial deployment to ensure internal access works.

CCNA Exam Relevance

On the CCNA 200-301 exam, this scenario tests knowledge of NAT hairpinning and the 'extendable' keyword. Questions may present a troubleshooting scenario where internal users cannot access a server via its public IP, and the candidate must identify the missing 'extendable' keyword. The exam expects candidates to know that NAT overload (PAT) and static NAT can coexist, but hairpinning requires explicit configuration.

Exam Tips

1. Remember that 'extendable' is required for NAT hairpinning; without it, internal hosts cannot reach inside servers via the public IP.

2. The exam may show a configuration with 'ip nat inside source static tcp ...' without 'extendable' and ask why internal access fails.

3. Know that 'show ip nat translations' and 'show ip nat statistics' are key troubleshooting commands for NAT issues.
