Static NAT is to manually configure the mapping relationship between internal local address and internal global address on the router, and an internal local address corresponds to an internal global address. After setting, even if the internal local address is not converted, the internal global address is not allowed to be used by other hosts, which wastes address resources to a certain extent, while dynamic NAT technology can solve this problem very well.

What is Dynamic NAT?

Dynamic translation (also known as NAT pool) means that instead of establishing a fixed one-to-one correspondence between internal and global addresses, NAT mapping relationships are dynamically established by sharing IP addresses in the NAT address pool. When an intranet host requires NAT address translation, the router selects a free global address in the NAT address pool for mapping. Each mapping record is created dynamically and is also retrieved when the connection is terminated.

To avoid address wastage, Dynamic NAT proposes address pools with all available public addresses in the pool.

After dynamic NAT is configured, the enterprise’s edge router generates a pool of public IP addresses based on available public IP addresses. When an enterprise PC goes online, the packets pass through the router. The router replaces the PC’s private IP address with a free public IP address and then accesses the Internet.

However, when PC1, PC2 and PC3 are online, there are no free public IP addresses in the company’s public IP address pool. In this case, PC4 cannot access the Internet.

With dynamic NAT, the public and private addresses still correspond one-to-one, which does not improve the utilisation of the public address.

Please note that the one-to-one mapping between public and private addresses is established on an ad hoc basis. The public IP address translated by the PC through the router is a temporarily free public IP address in the public address pool. Therefore, Dynamic NAT only supports one-way access, only from the intranet to the public network.

Dynamic NAT Workflow

Step 1: The host sends a packet to the router.

Step 2: When the router receives the first packet with as the source address, the router queries the address pool for an available internal global address (, creates a NAT translation table mapping record, and proceeds to step 3 to perform the address translation.

Step 3: The global address ( in the NAT translation record corresponding to of the router, replacing the source address of the packet.

Step 4: After the translation, the source address of the packet changes to and the packet is then forwarded.

Step 5: After receiving the packet, host will send a response packet to

Step 6: When the router receives a packet with the internal global address, it will query the NAT record table with the internal global address as the keyword and convert the destination address of the packet to

Step 7: receives the reply packet and continues to hold the session, steps 1 to 6 will be repeated until the session ends.

How to configure dynamic NAT?

Dynamic NAT is configured to define internal ports, define external ports, define address pools, define access control lists, and initiate NAT conversion, where access lists are defined to restrict the network segments that implement address translation, and only traffic allowed within the access control lists can initiate the NAT conversion function.

1. Define Port Type

The Define Dynamic NAT Port Type command is the same as the Static NAT Port Type command.

2. Define the address pool

Since the global IP addresses applied for by Dynamic NAT are stored in a address pool in advance and are extracted from the pool in turn when used, it is necessary to define the address pool in advance to specify the range of global addresses it contains. The command format for defining the address pool is as follows:

  • router(config)# ip nat pool pool-name start-ip end-ip netmask netmask

Where pool-ame is the NAT address pool name; start-ip is the start address of the NAT address pool; end-ip is the end IP address of the NAT address pool; and netmask is the address network mask of the NAT address pool.

Tip: Use the no ip nat pool pool-name command to delete the address pool. For example, to delete the defined address pool with the name pool200 use the command router(config)#no ip nat pool pool200.

3. Define Access Control List (ACL)

The router controls which addresses are subject to address translation (NAT) operations via the access control list (ACL), and only addresses matching this access control list are translated.

The command format for defining an Access Control List (ACL) is as follows:

  • router(config)# access-list access-list-number { permit ︱deny } source source-mask

Tip: The range of access control list number is 1~99. “1” in the wildcard character means no bit is detected, “0” means must be detected as. Use the no access-list number command to delete the specified access list, for example, to delete the defined ACL 10, use the command router(config)#no access-list 10.

4. Define the translation policy

After defining the address pool and access control list, the two need to be associated. In this way, the target IP address in packets that satisfy the ACL can go to the specified address pool to extract a specific global address and complete the NAT conversion. When the access is over, the global address that is no longer in use needs to be returned to the address pool again for use by other hosts. The command format for associating an address pool with an ACL is as follows:

  • router(config)# ip nat inside source list access-list-number pool pool-name [ overload ]

Where access-list-number is the local address access control list number. Only traffic whose source address matches this access control list will have a NAT conversion record created. pool-name is the name of the address pool, and packets that match the ACL conditions use the global addresses in this pool for NAT. overload (optional) is every global address in the pool can be multiplexed for translation, that is, for NAPT. If this parameter is not configured, the global addresses in the pool can only do one-to-one translation with local addresses, also called simple NAT. Using the no form of this command can cancel the NAT association, as in router(config)#no ip nat inside source list 10.

5. Display NAT conversion records

To confirm whether the router NAT is working properly, you can view the translation records by using the command. The format of the command to view the NAT conversion records is as follows:

  • router# show ip nat translations [ verbose ]

Where verbose indicates that more detailed NAT conversion record information is displayed.