When an internal server must be consistently reachable from the public Internet—a web server, mail server, or VPN gateway—how do you expose it while keeping it physically on your private network? You need a permanent, predictable mapping between its private address and a public address that external clients can rely upon.
Static NAT provides exactly this capability: a fixed, administrative one-to-one mapping between an internal (private) IP address and an external (public) IP address. Unlike dynamic NAT types that create and destroy mappings based on traffic, Static NAT mappings persist indefinitely, ensuring your internal servers maintain constant external accessibility.
This page examines Static NAT in comprehensive depth: its operational mechanics, configuration approaches, use cases, security implications, and comparisons with other NAT types.
By the end of this page, you will understand how Static NAT creates one-to-one address mappings, when and why to use Static NAT, the translation process for both inbound and outbound traffic, configuration examples across different platforms, security considerations, and how Static NAT compares with Dynamic NAT and PAT.
Static NAT (also called one-to-one NAT or basic NAT) creates a permanent, administratively-configured mapping between a single inside local address and a single inside global address. This mapping remains in the NAT table indefinitely, regardless of traffic activity.
Key characteristics:
Permanent mapping: The translation entry exists as long as the configuration remains, not based on active connections
Bidirectional by nature: Traffic can be initiated from either direction—inside hosts can reach the Internet, and Internet hosts can initiate connections to the inside host
One-to-one relationship: Each internal address maps to exactly one external address; no address sharing occurs
Full protocol support: All IP protocols work because the entire IP address is translated, not specific ports. The caveat is that only the IP header is rewritten, so protocols that carry addresses inside their payload (active FTP, SIP) still need an application-layer gateway or fixup at the NAT device
Public IP consumption: Requires one public IP address for each internal host needing static mapping
Static NAT vs. Static Port Forwarding:
It is important to distinguish Static NAT (one-to-one address mapping) from a static port-forwarding entry in the NAT table. While both are "static" in that they are administratively configured and permanent, Static NAT translates the complete IP address, so every protocol and port reaches the inside host, whereas port forwarding translates only specific protocol/port combinations, typically as part of a Dynamic NAT or PAT deployment.
Different vendors use various terms for Static NAT:
• Cisco IOS: "ip nat inside source static"
• Juniper Junos: "static NAT" (Junos "destination NAT" is a separate, one-directional type)
• Linux netfilter: a DNAT rule plus an SNAT rule, one for each direction
• Palo Alto: "Static NAT" policy
• AWS: Elastic IP association with an instance (conceptually similar: a one-to-one translation performed at the Internet gateway)
The underlying concept is identical: a permanent one-to-one address mapping.
Static NAT operates by maintaining a permanent entry in the NAT translation table. This entry enables bidirectional translation without requiring traffic-initiated entry creation.
Static NAT Table Entry:

| Inside Local | Inside Global | Type | Timeout | State |
|---|---|---|---|---|
| 192.168.1.10 | 203.0.113.10 | STATIC | NEVER | PERMANENT |
| 192.168.1.20 | 203.0.113.20 | STATIC | NEVER | PERMANENT |

Note: Static entries don't have timeouts and remain until administratively removed.

Outbound Traffic Flow (Inside → Outside):
When the internal web server (192.168.1.10) initiates a connection to an external host:
Step 1: Web server sends packet:
Source IP: 192.168.1.10
Destination IP: 198.51.100.50 (external server)
Step 2: NAT router receives packet, consults static NAT table:
Lookup: 192.168.1.10 → Found static mapping → 203.0.113.10
Step 3: NAT translates and forwards:
Source IP: 203.0.113.10 (translated)
Destination IP: 198.51.100.50 (unchanged)
Step 4: Response returns to NAT router:
Source IP: 198.51.100.50
Destination IP: 203.0.113.10
Step 5: NAT reverse-translates and delivers:
Source IP: 198.51.100.50 (unchanged)
Destination IP: 192.168.1.10 (translated back)
Inbound Traffic Flow (Outside → Inside):
This is the critical capability of Static NAT—allowing external hosts to initiate connections to internal servers:
Step 1: External client sends request:
Source IP: 198.51.100.99 (client)
Destination IP: 203.0.113.10 (web server's public IP)
Step 2: NAT router receives packet, consults static NAT table:
Lookup: 203.0.113.10 → Found static mapping → 192.168.1.10
Step 3: NAT translates and delivers:
Source IP: 198.51.100.99 (unchanged)
Destination IP: 192.168.1.10 (translated)
Step 4: Web server responds:
Source IP: 192.168.1.10
Destination IP: 198.51.100.99
Step 5: NAT translates outbound response:
Source IP: 203.0.113.10 (translated)
Destination IP: 198.51.100.99 (unchanged)
Key insight: Because the static NAT entry exists permanently, the NAT router knows how to handle inbound traffic to 203.0.113.10 even before any outbound connection existed. This is fundamentally different from dynamic NAT, where entries are only created by outbound traffic.
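The two flows above, as an added example that is not part of the original page: a small Python model of a NAT table holding one static entry and a dynamic pool. The pool addresses 203.0.113.100-101 and the workstation 192.168.1.50 are constructed for the example; the web server and client addresses are the page's. It shows an inbound packet to the static global address translating before any outbound traffic exists, the same kind of packet to a pool address being dropped until an inside host talks out, and the static entry surviving a clear of the dynamic entries.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


class NatTable:
    """Toy NAT table with static (permanent) and dynamic (traffic-created) entries.

    Both dictionaries map inside local -> inside global. A dynamic entry is only
    created when an inside host sends outbound traffic, so an inbound packet
    addressed to a pool address has nothing to match until that has happened.
    """

    def __init__(self, pool: list[str]) -> None:
        self.static: dict[str, str] = {}
        self.dynamic: dict[str, str] = {}
        self.pool: list[str] = list(pool)  # unallocated dynamic inside globals

    def add_static(self, inside_local: str, inside_global: str) -> None:
        """Administrative 1:1 entry; it never times out."""
        self.static[inside_local] = inside_global

    def _global_for(self, inside_local: str) -> str:
        if inside_local in self.static:
            return self.static[inside_local]
        if inside_local not in self.dynamic:
            if not self.pool:
                raise RuntimeError("dynamic pool exhausted")
            self.dynamic[inside_local] = self.pool.pop(0)
        return self.dynamic[inside_local]

    def _local_for(self, inside_global: str) -> Optional[str]:
        for table in (self.static, self.dynamic):
            for local, glob in table.items():
                if glob == inside_global:
                    return local
        return None

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside: rewrite the source to the inside global address."""
        return Packet(src=self._global_for(pkt.src), dst=pkt.dst)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside: rewrite the destination, or return None (dropped)."""
        local = self._local_for(pkt.dst)
        return None if local is None else Packet(src=pkt.src, dst=local)

    def clear_dynamic(self) -> None:
        """Model a timeout or a clear of translations: dynamic entries go, static stay."""
        self.pool.extend(self.dynamic.values())
        self.dynamic.clear()


def demo() -> dict[str, Optional[Packet]]:
    nat = NatTable(pool=["203.0.113.100", "203.0.113.101"])  # constructed dynamic pool
    nat.add_static("192.168.1.10", "203.0.113.10")           # web server from the page

    results: dict[str, Optional[Packet]] = {}
    # 1. Inbound before any outbound traffic: only the static entry answers.
    results["static_inbound_first"] = nat.inbound(Packet("198.51.100.99", "203.0.113.10"))
    results["dynamic_inbound_first"] = nat.inbound(Packet("198.51.100.99", "203.0.113.100"))
    # 2. A workstation talks out, which creates a dynamic entry; now inbound works.
    out = nat.outbound(Packet("192.168.1.50", "198.51.100.50"))
    results["workstation_outbound"] = out
    results["dynamic_inbound_after"] = nat.inbound(Packet("198.51.100.50", out.src))
    # 3. Dynamic entries expire; the static mapping is unaffected.
    nat.clear_dynamic()
    results["dynamic_inbound_cleared"] = nat.inbound(Packet("198.51.100.50", out.src))
    results["static_inbound_cleared"] = nat.inbound(Packet("198.51.100.99", "203.0.113.10"))
    return results


if __name__ == "__main__":
    for name, pkt in demo().items():
        shown = "DROPPED" if pkt is None else f"{pkt.src} -> {pkt.dst}"
        print(f"{name:26} {shown}")
```

Running the block prints one line per step; the two "dynamic" inbound attempts that happen with no matching entry are the ones a real NAT device would silently drop, which is exactly why a dynamic pool cannot host a server.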
Static NAT makes internal hosts directly reachable from the Internet. While this is necessary for servers, it means the host is exposed to the same threats as any public Internet server. Always combine Static NAT with proper firewall rules that restrict inbound connections to only necessary ports and source networks.
Understanding Static NAT configuration across different platforms builds practical skills. While syntax varies, the underlying concept remains constant: map an internal address to an external address permanently.
```
! Cisco IOS Static NAT Configuration
! =====================================

! Step 1: Define inside and outside interfaces
interface GigabitEthernet0/0
 description Inside Interface - LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 description Outside Interface - Internet
 ! The outside subnet must contain the inside global addresses used below
 ! (.10, .20, .30), or the ISP must route them to this router. A /29 here
 ! (255.255.255.248) would cover only .0-.7, so a /27 is used.
 ip address 203.0.113.1 255.255.255.224
 ip nat outside
!
! Step 2: Configure Static NAT mappings
! Syntax: ip nat inside source static <inside-local> <inside-global>

! Web server mapping
ip nat inside source static 192.168.1.10 203.0.113.10

! Mail server mapping
ip nat inside source static 192.168.1.20 203.0.113.20

! FTP server mapping
ip nat inside source static 192.168.1.30 203.0.113.30

! Step 3: Verify Static NAT
! show ip nat translations
!
! Pro Inside global      Inside local       Outside local      Outside global
! --- 203.0.113.10       192.168.1.10       ---                ---
! --- 203.0.113.20       192.168.1.20       ---                ---
! --- 203.0.113.30       192.168.1.30       ---                ---
!
! show ip nat statistics
! Total active translations: 3 (3 static, 0 dynamic; 0 extended)
```

On Linux, Static NAT requires configuring BOTH directions:
• DNAT (Destination NAT): handles incoming traffic, translating the destination from the public to the private address
• SNAT (Source NAT): handles outgoing traffic, translating the source from the private to the public address

Forgetting one direction does not break replies, because connection tracking reverse-translates the replies of a connection it has already seen. It breaks connections initiated in the missing direction: without DNAT, external clients cannot reach the server; without SNAT, connections the server itself initiates leave with its private source address, or with the shared masquerade address rather than its own public IP.
Static NAT is the appropriate choice when specific internal hosts require consistent, predictable public IP addresses. Understanding these scenarios guides proper NAT type selection.
| Scenario | Static NAT? | Alternative | Rationale |
|---|---|---|---|
| Web server hosting customer-facing site | Yes | — | Needs a stable address that DNS records can point at |
| User workstation browsing Internet | No | PAT | No inbound; PAT conserves addresses |
| Mail server (SMTP) | Yes | — | Requires PTR record, consistent IP for reputation |
| Internal database | No | No NAT or PAT | Should never be Internet-accessible |
| IoT devices calling home | No | PAT | Outbound only; many devices share one IP |
| SIP/VoIP gateway | Often Yes | SIP ALG + PAT | Simplifies VoIP NAT traversal challenges |
Real-World Architecture Example:
Consider a company with the following requirements:
Plan your public IP allocation carefully. If your ISP provides a /28 (16 addresses), you have:
• 1 address for the network ID (unusable)
• 1 address for broadcast (unusable)
• 1 address for the router's outside interface
• 13 addresses for NAT (static and/or PAT pool)
If the ISP's own router also takes an address inside the block, subtract one more.
With 3 servers needing static NAT, you'd use 3 of those 13 for static mappings, leaving 10 for PAT and/or future static allocations.
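As an added example (not code from the page), the address-plan arithmetic above and the Linux both-directions requirement from the configuration section, in Python: check_plan validates a set of mappings against the ISP block with the standard ipaddress module, and linux_rules emits the interface address, the DNAT rule and the SNAT rule one mapping needs. The /28 and the router address are the page's; the interface name eth1 and the three inside global addresses .10/.11/.12 are assumptions made so the servers fit inside a /28.

```python
import ipaddress
from typing import Optional


def check_plan(isp_block: str, router_outside_ip: str, static_map: dict[str, str],
               isp_router_ip: Optional[str] = None) -> dict:
    """Validate a static NAT plan (inside local -> inside global) against the ISP block.

    Returns the NAT capacity of the block, how much of it the static entries use,
    the addresses still free for PAT or future entries, and any planning errors.
    """
    net = ipaddress.ip_network(isp_block, strict=True)
    # Not usable for NAT: network, broadcast, our outside interface and, if the
    # ISP's router also sits inside the block, its address too.
    reserved = {net.network_address, net.broadcast_address,
                ipaddress.ip_address(router_outside_ip)}
    if isp_router_ip:
        reserved.add(ipaddress.ip_address(isp_router_ip))

    errors: list[str] = []
    used_globals = set()
    for local, glob in static_map.items():
        l_addr, g_addr = ipaddress.ip_address(local), ipaddress.ip_address(glob)
        if not l_addr.is_private:
            errors.append(f"{local}: inside local is not a private address")
        if g_addr not in net:
            errors.append(f"{glob}: inside global is outside {isp_block}")
        elif g_addr in reserved:
            errors.append(f"{glob}: inside global collides with a reserved address")
        elif g_addr in used_globals:
            errors.append(f"{glob}: inside global is mapped to more than one host")
        used_globals.add(g_addr)

    nat_pool = [a for a in net.hosts() if a not in reserved]  # hosts() already drops net/bcast
    free = [str(a) for a in nat_pool if a not in used_globals]
    return {
        "nat_capacity": len(nat_pool),
        "static_used": len(nat_pool) - len(free),
        "free": free,
        "errors": errors,
    }


def linux_rules(inside_local: str, inside_global: str, outside_if: str) -> list[str]:
    """The three commands one Linux 1:1 mapping needs (outside_if is an assumption).

    Place the SNAT rule before any MASQUERADE rule for the LAN, or the server's own
    connections leave with the shared masquerade address instead of its public IP.
    """
    return [
        # Make the box answer ARP for the public address on the outside link.
        f"ip addr add {inside_global}/32 dev {outside_if}",
        # Inbound: rewrite the destination before routing (connections from outside).
        f"iptables -t nat -A PREROUTING -i {outside_if} -d {inside_global} "
        f"-j DNAT --to-destination {inside_local}",
        # Outbound: rewrite the source after routing (connections the server initiates).
        f"iptables -t nat -A POSTROUTING -o {outside_if} -s {inside_local} "
        f"-j SNAT --to-source {inside_global}",
    ]


# Constructed plan: the page's /28 with the router on .1 and three static servers.
MAPPINGS = {
    "192.168.1.10": "203.0.113.10",  # web
    "192.168.1.20": "203.0.113.11",  # mail
    "192.168.1.30": "203.0.113.12",  # ftp
}


def plan_demo() -> dict:
    plan = check_plan("203.0.113.0/28", "203.0.113.1", MAPPINGS)
    rules = {local: linux_rules(local, glob, "eth1") for local, glob in MAPPINGS.items()}
    return {"plan": plan, "rules": rules}


if __name__ == "__main__":
    result = plan_demo()
    print(f"capacity {result['plan']['nat_capacity']}, static {result['plan']['static_used']}, "
          f"free {len(result['plan']['free'])}, errors {result['plan']['errors']}")
    for commands in result["rules"].values():
        print("\n".join(commands))
```

Feeding the Cisco section's .20 and .30 addresses into check_plan with the /28 reports them as outside the block, which is the kind of mismatch that otherwise surfaces only as "the ISP never sends us that traffic".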
Static NAT fundamentally changes the security posture of internal hosts. Understanding these implications is critical for secure deployment.
The Exposure Reality:
With Static NAT, the internal host is effectively "moved" to the Internet. Any packet sent to the public IP address reaches the internal server. This means:
Correct Static NAT Architecture:
Secure Static NAT Firewall Rule Example

Static NAT Mapping: 192.168.1.10 ↔ 203.0.113.10 (Web Server)

Firewall Rules (applied to inbound traffic to 203.0.113.10):

| # | Action | Source | Dst Port | Protocol | Description |
|---|---|---|---|---|---|
| 1 | PERMIT | Any | 80 | TCP | Allow HTTP |
| 2 | PERMIT | Any | 443 | TCP | Allow HTTPS |
| 3 | PERMIT | 10.0.0.0/8 | 22 | TCP | SSH from mgmt network |
| 4 | DENY | Any | Any | Any | Block all other inbound |

Without rules 1-4: every port on 192.168.1.10 would be accessible!

Best Practice Checklist:
✓ Firewall rules should be as restrictive as possible
✓ Allow only ports that the server actually needs to serve
✓ Restrict management access (SSH/RDP) to internal IPs
✓ Log denied traffic for security monitoring
✓ Consider geo-blocking if your service is regional

Static NAT alone provides ZERO security. Without firewall rules, every TCP and UDP port on your internal server, and every other IP protocol, is reachable from the entire Internet. This is equivalent to placing the server directly on the Internet with a public IP. Always combine Static NAT with restrictive firewall policies.
A common point of confusion is the distinction between full Static NAT and port forwarding (static port mapping). While both are "static" configurations, they differ significantly in scope and use case.
Full Static NAT (1:1 NAT):
Port Forwarding (Static Port Mapping):
| Characteristic | Static NAT (1:1) | Port Forwarding |
|---|---|---|
| Public IPs Required | One per internal host | One shared by many hosts |
| Ports Translated | All ports automatically | Only configured ports |
| Internal Host Visibility | Complete IP ownership | Only through specific ports |
| Protocol Scope | All IP protocols (TCP, UDP, ICMP, etc.) | Specific protocol:port combinations |
| Use Case | Servers needing full presence | Exposing specific services |
| IP Conservation | Consumes public IPs | Conserves public IPs |
Example Comparison:
Static NAT Configuration:
Internal: 192.168.1.10 ↔ External: 203.0.113.10
Result: ANY traffic to 203.0.113.10 reaches 192.168.1.10
- HTTP (80) → 192.168.1.10:80
- HTTPS (443) → 192.168.1.10:443
- SSH (22) → 192.168.1.10:22
- ICMP ping → 192.168.1.10
- Random port 12345 → 192.168.1.10:12345
Port Forwarding Configuration:
External: 203.0.113.1:80 → Internal: 192.168.1.10:80
External: 203.0.113.1:443 → Internal: 192.168.1.10:443
External: 203.0.113.1:8080 → Internal: 192.168.1.20:80 (different server)
Result: ONLY configured ports reach internal hosts
- HTTP (80) → 192.168.1.10:80 ✓
- HTTPS (443) → 192.168.1.10:443 ✓
- SSH (22) → BLOCKED (no rule)
- Port 8080 → 192.168.1.20:80 ✓ (second server)
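An added example (not from the page) that runs one constructed set of probes through the three arrangements discussed above: the 1:1 entry alone, the 1:1 entry behind the inbound rule table from the security section, and the port-forwarding table. The mappings, rules and addresses are the page's; the probe sources 198.51.100.99 (Internet client) and 10.20.0.5 (management host) are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Probe:
    src: str               # external client address
    proto: str             # "tcp", "udp" or "icmp"
    dport: Optional[int]   # None for ICMP


@dataclass(frozen=True)
class Rule:
    action: str            # "PERMIT" or "DENY"
    src: str               # CIDR or "any"
    dport: Optional[int]   # None = any port
    proto: str             # "tcp", "udp", "icmp" or "any"


# 1:1 entry and inbound rule set from the page (first match wins).
STATIC_1TO1 = {"203.0.113.10": "192.168.1.10"}
RULES = [
    Rule("PERMIT", "any", 80, "tcp"),
    Rule("PERMIT", "any", 443, "tcp"),
    Rule("PERMIT", "10.0.0.0/8", 22, "tcp"),
    Rule("DENY", "any", None, "any"),
]

# Port-forwarding table from the page: (public ip, proto, port) -> (private ip, port)
PORT_FORWARDS = {
    ("203.0.113.1", "tcp", 80): ("192.168.1.10", 80),
    ("203.0.113.1", "tcp", 443): ("192.168.1.10", 443),
    ("203.0.113.1", "tcp", 8080): ("192.168.1.20", 80),
}


def rule_matches(rule: Rule, probe: Probe) -> bool:
    if rule.src != "any" and ipaddress.ip_address(probe.src) not in ipaddress.ip_network(rule.src):
        return False
    if rule.proto != "any" and rule.proto != probe.proto:
        return False
    if rule.dport is not None and rule.dport != probe.dport:
        return False
    return True


def one_to_one(public_ip: str, probe: Probe,
               rules: Optional[list[Rule]] = None) -> Optional[tuple[str, Optional[int]]]:
    """Full 1:1 NAT: every protocol and port reaches the inside host unless an
    inbound rule set, evaluated after translation, denies it."""
    inside = STATIC_1TO1.get(public_ip)
    if inside is None:
        return None
    for rule in rules or []:
        if rule_matches(rule, probe):
            if rule.action == "DENY":
                return None
            break
    return (inside, probe.dport)


def port_forward(public_ip: str, probe: Probe) -> Optional[tuple[str, int]]:
    """Static port mapping: only configured (proto, port) tuples are translated."""
    return PORT_FORWARDS.get((public_ip, probe.proto, probe.dport))


# Constructed probes: an Internet client on most, a management host on SSH.
PROBES = [
    Probe("198.51.100.99", "tcp", 80),
    Probe("198.51.100.99", "tcp", 443),
    Probe("198.51.100.99", "tcp", 22),
    Probe("10.20.0.5", "tcp", 22),
    Probe("198.51.100.99", "tcp", 8080),
    Probe("198.51.100.99", "tcp", 12345),
    Probe("198.51.100.99", "udp", 53),
    Probe("198.51.100.99", "icmp", None),
]


def compare() -> dict[str, list]:
    """Where each probe ends up under each arrangement (None = dropped)."""
    return {
        "static_nat_alone": [one_to_one("203.0.113.10", p) for p in PROBES],
        "static_nat_with_rules": [one_to_one("203.0.113.10", p, RULES) for p in PROBES],
        "port_forwarding": [port_forward("203.0.113.1", p) for p in PROBES],
    }


if __name__ == "__main__":
    for name, outcomes in compare().items():
        reached = sum(o is not None for o in outcomes)
        print(f"{name}: {reached}/{len(PROBES)} probes reach an inside host")
        for probe, outcome in zip(PROBES, outcomes):
            print(f"  {probe.proto}/{probe.dport} from {probe.src}: {outcome or 'dropped'}")
```

The unfiltered 1:1 entry passes all eight probes, including the random port and ICMP; the rule set and the port-forwarding table each let three through. The difference is where the restriction lives: with 1:1 NAT it is a policy you must write and maintain, with port forwarding it is a property of the translation itself.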
Use Static NAT when:
• You have public IPs available and the server truly needs full Internet presence
• Complex protocols require many ports (some VoIP systems, certain games)
• You need the server to appear with its own distinct public IP

Use Port Forwarding when:
• Public IPs are limited (most home/small business scenarios)
• You want to limit exposure to only the necessary ports
• Multiple servers need to share a single public IP
When Static NAT isn't working as expected, systematic troubleshooting identifies the root cause. Here are common issues and diagnostic approaches.
```
# Static NAT Troubleshooting Commands
# ====================================

# ---- Cisco IOS ----

# Verify NAT configuration
show running-config | include ip nat

# View all NAT translations (static and dynamic)
show ip nat translations

# View NAT statistics and hit counters
show ip nat statistics

# Debug NAT operations (caution: high CPU on busy routers)
debug ip nat

# Clear NAT translations (use carefully! static entries stay, they come from the config)
clear ip nat translation *

# ---- Linux iptables ----

# View NAT rules
iptables -t nat -L -v -n

# View connection tracking entries
conntrack -L

# Monitor NAT in real time
watch -n1 'conntrack -L | grep <target-ip>'

# Check IP forwarding is enabled
cat /proc/sys/net/ipv4/ip_forward
# Should be: 1

# Trace packet through iptables
iptables -t nat -L PREROUTING -v -n --line-numbers
iptables -t nat -L POSTROUTING -v -n --line-numbers

# ---- General Diagnostics ----

# Verify external IP is reachable
ping <external-public-ip>        # From Internet
traceroute <external-public-ip>  # Trace path

# Verify internal server is responding locally
ping <internal-private-ip>       # From NAT router
nc -zv <internal-ip> <port>      # TCP port check

# Packet capture for detailed analysis
tcpdump -i <outside-interface> host <public-ip> -n
tcpdump -i <inside-interface> host <private-ip> -n
```

A subtle but common problem: when using Static NAT with public IPs from your own subnet, the NAT router must respond to ARP requests for those public IPs. On Cisco, this is automatic when Static NAT is configured. On Linux, you may need to enable proxy ARP or add the public IP to the outside interface. If the upstream router ARPs for the public IP and gets no response, traffic never reaches your NAT device; a capture on the outside interface that shows ARP requests for the address with no replies is the tell-tale sign.
We've thoroughly examined Static NAT, the simplest and most direct form of Network Address Translation. Let's consolidate the essential knowledge.
What's Next:
Static NAT works well for servers but doesn't conserve addresses—each internal host needs its own public IP. For organizations with many internal hosts but limited public IPs, Dynamic NAT offers a solution: a pool of public addresses shared among internal hosts as needed. We'll explore how Dynamic NAT creates temporary translations from a shared pool in the next page.
You now have comprehensive understanding of Static NAT: its one-to-one mapping nature, bidirectional operation, configuration across platforms, appropriate use cases, security implications, and troubleshooting approaches. You can confidently deploy Static NAT for servers requiring consistent public Internet presence.