Static NAT Entry Not Translating Inbound Connections
Presenting Symptom
External hosts cannot reach internal servers via the configured static NAT public IP address.
Network Context
A small branch office uses a Cisco 4321 router (IOS XE 16.9) with a single public IP address on the outside interface (GigabitEthernet0/0/0) and the private subnet 192.168.1.0/24 on the inside interface (GigabitEthernet0/0/1). A static NAT entry maps the public address 203.0.113.10 to the internal server 192.168.1.100 so that inbound connections (e.g., HTTPS) reach the server. The router has basic connectivity and also carries a dynamic PAT rule for outbound LAN traffic.
Diagnostic Steps
Verify the static NAT configuration
show running-config | include ip nat inside source static
ip nat inside source static 192.168.1.100 203.0.113.10
If the static NAT entry is missing or incorrect (wrong addresses, addresses in the wrong order, or a mistyped keyword), no translation will occur. The command must name the inside local address first (192.168.1.100) and the inside global address second (203.0.113.10).
Check NAT translations for the static entry
show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- 203.0.113.10       192.168.1.100      ---                ---
A static entry is installed in the translation table as soon as the 'ip nat inside source static' command is accepted, independently of whether any interface has a NAT role. If the entry is absent, the command itself is missing or mistyped. If the entry is present (as here) but inbound traffic still fails, the rule is recognized and the problem lies elsewhere: check the 'ip nat inside'/'ip nat outside' interface assignments, inbound ACLs, and routing.
Verify NAT interface assignments
show ip nat statistics
Total active translations: 1 (1 static, 0 dynamic; 0 extended)
Outside Interfaces:
Inside Interfaces:
  GigabitEthernet0/0/1
Both roles must be present: at least one interface with 'ip nat inside' (here GigabitEthernet0/0/1) and at least one with 'ip nat outside' (expected: GigabitEthernet0/0/0). In this output the Outside Interfaces list is empty, so GigabitEthernet0/0/0 has no 'ip nat outside' command and NAT never processes packets that arrive on it. 'show running-config | section interface' shows the same thing in the configuration; note that 'show running-config | include ip nat' alone lists the role commands without the interface they belong to, so it cannot tell you which interface has which role. Common mistakes: forgetting 'ip nat inside' on the LAN interface, or, as here, forgetting 'ip nat outside' on the WAN interface.
Check for ACLs blocking inbound traffic
show access-lists
Extended IP access list 100
    10 permit tcp any host 203.0.113.10 eq 443 (0 matches)
An inbound ACL on the outside interface is evaluated before the inbound packet is translated, so it sees the inside global address (203.0.113.10) as the destination and must permit that address, not 192.168.1.100. (An ACL applied outbound on the inside interface sees the translated address 192.168.1.100 instead.) Look for ACLs applied to the outside interface (e.g., 'ip access-group 100 in'); if the ACL denies the traffic, NAT never sees it. Generate test traffic and watch the match counters: the permit line's count should increase for each inbound connection attempt, and a matching deny line (or the implicit deny at the end of the list) indicates the ACL is the blocker.
Verify routing to the public IP
show ip route 203.0.113.10
Routing entry for 203.0.113.10/32
  Known via "connected", distance 0, metric 0 (connected)
  * directly connected, via GigabitEthernet0/0/0
The inside global address must be reachable on the outside interface: the ISP must route 203.0.113.10 toward the router, and the address must lie in the outside interface's subnet so that the router can answer ARP for it (IOS installs a host entry for a static inside global address on a connected subnet, as shown above). If the address is on a different subnet, or the ISP routes it elsewhere, inbound packets never reach the router and no NAT configuration on the router can help.
Root Cause
The static NAT entry was correctly configured, but the outside interface (GigabitEthernet0/0/0) was missing the 'ip nat outside' command. Without this assignment, the router does not treat GigabitEthernet0/0/0 as a NAT outside interface, so packets arriving there for 203.0.113.10 are never matched against the static entry. Because NAT only translates traffic that crosses an inside and an outside interface, the same omission also prevents outbound PAT from the LAN; a WAN link on which no NAT rule works at all is a strong hint that the interface role, not an individual rule, is missing.
Resolution
Add the missing NAT role to the outside interface: in configuration mode, under 'interface GigabitEthernet0/0/0', enter 'ip nat outside', then save the configuration. No change to the static NAT rule itself is needed.
Verification
Run 'show ip nat translations' to confirm the static entry is still present:
Pro Inside global      Inside local       Outside local      Outside global
--- 203.0.113.10       192.168.1.100      ---                ---
Run 'show ip nat statistics' and confirm that GigabitEthernet0/0/0 now appears under Outside Interfaces. Then test inbound connectivity from an external host (e.g., 'telnet 203.0.113.10 443' or a browser request to https://203.0.113.10) and confirm that the Hits counter in 'show ip nat statistics' increases and that a TCP entry for 192.168.1.100 appears in 'show ip nat translations' while the connection is open.
Prevention
1. Always configure 'ip nat inside' and 'ip nat outside' on the correct interfaces immediately after defining NAT rules.
2. Use a configuration checklist or template for NAT deployments.
3. Verify NAT translations and interface assignments with 'show ip nat translations', 'show ip nat statistics', and 'show running-config | section interface' after changes.
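The checklist in the Prevention steps and the diagnostic sequence above can be automated offline against a saved running-config. The following is an added example (not a Cisco tool and not code from the original page): it parses the interface blocks, finds each address-only 'ip nat inside source static' rule, checks that an 'ip nat inside' and an 'ip nat outside' interface exist and that the inside local and inside global addresses sit on their subnets, and confirms that any inbound ACL on the outside interface can permit the inside global address (the pre-NAT destination that ACL sees). The sample configuration is constructed for the scenario; the interface addresses (203.0.113.2 and 192.168.1.1) are assumptions, not values from the page.

```python
"""Offline audit of a Cisco IOS running-config for the static-NAT pitfalls on
this page. Added example, not a Cisco tool: checks interface NAT roles, the
subnets of the inside local / inside global addresses, and whether an inbound
ACL on the outside interface can permit the inside global (pre-NAT) address."""
import re
from ipaddress import ip_address, ip_interface

# Constructed sample reproducing the scenario's fault: GigabitEthernet0/0/0
# has no 'ip nat outside'. Interface addresses are assumptions, not from the page.
BROKEN_CONFIG = """\
interface GigabitEthernet0/0/0
 ip address 203.0.113.2 255.255.255.0
 ip access-group 100 in
!
interface GigabitEthernet0/0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
ip nat inside source static 192.168.1.100 203.0.113.10
ip nat inside source list 1 interface GigabitEthernet0/0/0 overload
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 permit tcp any host 203.0.113.10 eq 443
"""
# The page's resolution applied: the missing interface role added.
FIXED_CONFIG = BROKEN_CONFIG.replace(
    " ip access-group 100 in\n", " ip access-group 100 in\n ip nat outside\n")

STATIC_RE = re.compile(r"^ip nat inside source static (\S+) (\S+)$")

def parse_interfaces(config):
    """Return {interface name: [indented sub-commands]} per interface block."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the block
    return interfaces

def parse_static_rules(config):
    """[(inside local, inside global)] for address-only static rules; the
    port-based 'static tcp|udp ...' forms are deliberately not matched."""
    return [m.groups() for m in map(STATIC_RE.match, config.splitlines()) if m]

def on_subnet(cmds, addr):
    """True if addr lies in the subnet of the block's 'ip address A MASK' line."""
    for cmd in cmds:
        m = re.match(r"ip address (\S+) (\S+)$", cmd)
        if m and ip_address(addr) in ip_interface(f"{m[1]}/{m[2]}").network:
            return True
    return False

def _addr_spec(tokens, i):
    """Parse an ACL address spec (any | host A | A WILDCARD) at tokens[i]."""
    if tokens[i] == "any":
        return (lambda ip: True), i + 1
    if tokens[i] == "host":
        host = ip_address(tokens[i + 1])
        return (lambda ip: ip == host), i + 2
    net, wild = int(ip_address(tokens[i])), int(ip_address(tokens[i + 1]))
    mask = ~wild & 0xFFFFFFFF
    return (lambda ip: int(ip) & mask == net & mask), i + 2

def acl_permits_dest(config, acl, dest):
    """True if a permit line of numbered extended ACL `acl` can match `dest`.
    Simplified: numbered extended ACLs only, no source-port modifiers."""
    pat = re.compile(rf"^access-list {acl} permit \S+ (.+)$")
    for line in config.splitlines():
        m = pat.match(line)
        if not m:
            continue
        tokens = m[1].split()
        _, i = _addr_spec(tokens, 0)           # skip the source spec
        dest_match, _ = _addr_spec(tokens, i)  # destination = inside global
        if dest_match(dest):
            return True
    return False

def audit_static_nat(config):
    """Return a list of findings; an empty list means every check passed."""
    findings, ifaces = [], parse_interfaces(config)
    inside = [n for n, c in ifaces.items() if "ip nat inside" in c]
    outside = [n for n, c in ifaces.items() if "ip nat outside" in c]
    rules = parse_static_rules(config)
    if rules and not inside:
        findings.append("static NAT configured but no interface has 'ip nat inside'")
    if rules and not outside:
        findings.append("static NAT configured but no interface has 'ip nat outside'")
    for local, glob in rules:
        if inside and not any(on_subnet(ifaces[n], local) for n in inside):
            findings.append(f"inside local {local} is not on an 'ip nat inside' subnet")
        if outside and not any(on_subnet(ifaces[n], glob) for n in outside):
            findings.append(f"inside global {glob} is not on an 'ip nat outside' subnet")
        for n in outside:  # inbound ACLs here are evaluated before translation
            for cmd in ifaces[n]:
                m = re.match(r"ip access-group (\S+) in$", cmd)
                if m and not acl_permits_dest(config, m[1], ip_address(glob)):
                    findings.append(f"ACL {m[1]} inbound on {n} never permits {glob}")
    return findings
```

Running audit_static_nat(BROKEN_CONFIG) returns the single finding about the missing 'ip nat outside'; audit_static_nat(FIXED_CONFIG) returns an empty list. The ACL check deliberately tests the inside global address, since that is what an inbound ACL on the outside interface sees; a rule written against 192.168.1.100 would pass a naive review but block the traffic.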
CCNA Exam Relevance
On the CCNA 200-301 exam, this scenario appears in troubleshooting questions (multiple choice or drag-and-drop) where you must identify why a static NAT is not working. The exam tests your ability to verify NAT interface assignments and translation entries. Key fact: Without 'ip nat inside' and 'ip nat outside' on the respective interfaces, NAT does not function.
Exam Tips
Remember that both 'ip nat inside' and 'ip nat outside' must be configured on the correct interfaces; missing one is a common exam trap.
Use 'show ip nat translations' to confirm the static entry is present. A static entry appears as soon as the command is entered, so if the entry exists but traffic fails, check the interface roles with 'show ip nat statistics' (Inside Interfaces / Outside Interfaces) before anything else.
Inbound ACLs on the outside interface can block traffic before NAT; always check ACLs if translations exist but traffic fails.
Commands Used in This Scenario
show running-config | include ip nat inside source static
show ip nat translations
show ip nat statistics
show running-config | section interface
show access-lists
show ip route 203.0.113.10
ip nat inside / ip nat outside (interface configuration mode)
ip nat inside source static 192.168.1.100 203.0.113.10 (global configuration mode)