NAT | CCNA 200-301

NAT inside/outside Applied to Wrong Interfaces

Presenting Symptom

Internal hosts can reach the internet, but external hosts cannot reach internal servers through the public IP address.

Network Context

A small branch office with a Cisco 4321 router running IOS XE 16.9 connects the internal LAN (192.168.1.0/24) to the internet via a single public IP (203.0.113.1/30). A web server at 192.168.1.10 needs to be accessible from the internet using static NAT. The router has two interfaces: GigabitEthernet0/0/0 (inside, 192.168.1.1) and GigabitEthernet0/0/1 (outside, 203.0.113.2).

Diagnostic Steps

1. Check NAT translations

show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- 203.0.113.10       192.168.1.10       ---                ---

If the static NAT entry appears but there are no active translations for outside-initiated traffic, NAT might be misconfigured. If the entry is missing, NAT is not configured.

2. Verify NAT interface assignments

show ip nat statistics
Total active translations: 1 (1 static, 0 dynamic, 0 extended)
Outside interfaces:
  GigabitEthernet0/0/1
Inside interfaces:
  GigabitEthernet0/0/0
Hits: 0  Misses: 0

Check that the inside and outside interfaces are correctly assigned. If inside is on the wrong interface (e.g., outside interface listed as inside), NAT will not work for inbound traffic.

3. Inspect running configuration for NAT statements

show running-config | include ip nat
ip nat inside source static 192.168.1.10 203.0.113.10
interface GigabitEthernet0/0/0
 ip nat inside
interface GigabitEthernet0/0/1
 ip nat outside

Look for the 'ip nat inside' and 'ip nat outside' commands under the interfaces. If they are reversed (inside on the WAN interface, outside on the LAN interface), NAT will fail for inbound traffic.

4. Check ACL for dynamic NAT (if applicable)

show access-lists
Standard IP access list NAT_ACL
    10 permit 192.168.1.0 0.0.0.255

If dynamic NAT is used, ensure the ACL matches the correct source network. A misplaced ACL can also cause issues, but the primary problem here is interface direction.

Root Cause

The 'ip nat inside' and 'ip nat outside' commands are applied to the wrong interfaces. Specifically, 'ip nat inside' is on the WAN interface (GigabitEthernet0/0/1) and 'ip nat outside' is on the LAN interface (GigabitEthernet0/0/0). This reverses the NAT direction, causing the router to attempt NAT on traffic entering the WAN interface as inside traffic, which breaks inbound static NAT.

Resolution

Remove the incorrect NAT interface commands and apply the correct ones:

interface GigabitEthernet0/0/0
 no ip nat outside
 ip nat inside
!
interface GigabitEthernet0/0/1
 no ip nat inside
 ip nat outside
!

In other words, because the configuration is reversed, swap the commands: on the LAN interface use 'ip nat inside', on the WAN interface use 'ip nat outside'.

Verification

1. 'show ip nat statistics' should show:
   Outside interfaces: GigabitEthernet0/0/1
   Inside interfaces: GigabitEthernet0/0/0
   Hits: >0 (for inbound traffic)
2. 'show ip nat translations' should show active translations when an external host accesses the public IP.
3. Test connectivity: from an external host, ping or access the server's public IP (203.0.113.10) and confirm success.

Prevention

1. Always document and label interfaces clearly (inside vs outside) before configuring NAT.
2. Use a consistent naming convention for interface descriptions (e.g., 'description LAN Inside').
3. Verify NAT interface assignments immediately after configuration using 'show ip nat statistics'.
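The check in Prevention step 3 can also be run offline against a saved configuration. The following is an added example, not part of the original scenario: it flags a static NAT entry whose inside local address is connected to an interface that is not marked 'ip nat inside'. The function names and the 'ip address' lines in the sample are assumptions; the addresses come from Network Context.

```python
import ipaddress
import re

# Constructed sample (reversed state from Root Cause); 'ip address' lines are assumed.
REVERSED_CONFIG = """\
ip nat inside source static 192.168.1.10 203.0.113.10
interface GigabitEthernet0/0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat outside
interface GigabitEthernet0/0/1
 ip address 203.0.113.2 255.255.255.252
 ip nat inside
"""

def parse_interfaces(config):
    """Map interface name -> {'net': connected IPv4 network, 'role': NAT role}."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if m := re.match(r"interface (\S+)", line):
            current = interfaces.setdefault(m.group(1), {"net": None, "role": None})
        elif not line.startswith(" "):
            current = None  # any other top-level line ends interface sub-mode
        elif current is not None:
            if m := re.match(r" ip address (\d[\d.]+) (\d[\d.]+)$", line):
                current["net"] = ipaddress.ip_interface("/".join(m.groups())).network
            elif m := re.match(r" ip nat (inside|outside)$", line):
                current["role"] = m.group(1)
    return interfaces

def audit_static_nat(config):
    """Flag simple static NAT entries whose inside local host is not behind 'ip nat inside'."""
    interfaces = parse_interfaces(config)
    findings = []
    pattern = r"^ip nat inside source static (\d+\.\d+\.\d+\.\d+) \S+"
    for local in re.findall(pattern, config, re.M):
        addr = ipaddress.ip_address(local)
        owners = [n for n, i in interfaces.items() if i["net"] is not None and addr in i["net"]]
        if not owners:
            findings.append(f"{local}: not on any connected interface subnet")
        for name in owners:
            role = interfaces[name]["role"]
            if role != "inside":
                findings.append(f"{local}: {name} has NAT role {role!r}, expected 'inside'")
    if not any(i["role"] == "outside" for i in interfaces.values()):
        findings.append("no interface is marked 'ip nat outside'")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_static_nat(REVERSED_CONFIG)) or "NAT roles look consistent")
```

Only address-to-address static entries are examined; port-forwarding forms ('static tcp ...') and dynamic NAT are out of scope for this check.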

CCNA Exam Relevance

On the CCNA 200-301 exam, this scenario appears in troubleshooting questions where NAT is not working. The exam tests the understanding that NAT requires correct inside/outside interface designation. A typical multiple-choice question might present a configuration with reversed interfaces and ask why external users cannot access internal servers. The key fact is that 'ip nat inside' must be on the internal-facing interface and 'ip nat outside' on the external-facing interface.

Exam Tips

1. Remember: Inside = closer to internal network, Outside = closer to internet. Always check interface NAT assignments first when NAT fails.

2. The exam may show a configuration with 'ip nat inside' on the WAN interface; this is a common trick. Look for the interface IP addresses to determine which is inside/outside.

3. Know the command 'show ip nat statistics': it clearly lists inside and outside interfaces and translation hits.
