
Cisco 1921 NAT Configuration

A complete guide to configuring Network Address Translation on the Cisco 1921 ISR. Covers PAT (overload) for internet sharing, static NAT for servers, port forwarding, verification, and troubleshooting common NAT problems.

~ 20–30 min
7 steps
CLI
IOS 15.x

NAT Traffic Flow

LAN Client (192.168.10.50) ───► [ip nat inside] Cisco 1921: translates src IP [ip nat outside] ───► Internet (sees WAN IP only)

01 How NAT Works on the 1921

Cisco 1921

NAT (Network Address Translation) lets your entire private LAN share one public IP address. The 1921 sits between your LAN and WAN, rewriting source/destination IPs as packets cross.

Type | What it does | Use case
PAT / Overload | Many private IPs → one public IP, differentiated by port | Internet access for all LAN clients
Static NAT | One private IP ↔ one public IP, permanently | Hosting a server (web, mail)
Port Forwarding | Specific port on public IP → private host | Expose one service behind PAT

Two interfaces required: NAT needs an inside interface (LAN side) and an outside interface (WAN side). Every NAT config starts by marking these two roles.

02 Mark Inside & Outside Interfaces

Tell the router which interface faces the LAN (inside) and which faces the WAN (outside). Every NAT rule you create is processed on traffic crossing this boundary.

R1(config)# interface GigabitEthernet0/0
R1(config-if)# ip nat outside
R1(config-if)# exit
R1(config)# interface GigabitEthernet0/1
R1(config-if)# ip nat inside
R1(config-if)# exit

Router-on-a-stick: If you use VLAN sub-interfaces, apply ip nat inside to each sub-interface (Gi0/1.10, Gi0/1.20, etc.), not the physical interface.

03 Configure PAT (Overload) — Internet for All Clients

PAT is what most people mean when they say "NAT." Every device on your LAN shares the WAN IP, with ports used to track which connection belongs to which client. This is a two-part config: an ACL to define which hosts are allowed to NAT, and the NAT rule itself.

! Step 1: Define which hosts can NAT
R1(config)# access-list 10 permit 192.168.10.0 0.0.0.255
! Step 2: Link the ACL to the WAN interface (overload = PAT)
R1(config)# ip nat inside source list 10 interface GigabitEthernet0/0 overload

Multiple subnets: Add more access-list 10 permit lines for each subnet. All lines in the same ACL are ORed — matching any one permits NAT.

R1(config)# access-list 10 permit 192.168.10.0 0.0.0.255
R1(config)# access-list 10 permit 192.168.20.0 0.0.0.255
R1(config)# access-list 10 permit 192.168.30.0 0.0.0.255
R1(config)# ip nat inside source list 10 interface GigabitEthernet0/0 overload
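
To check offline whether a given client falls inside access-list 10, the wildcard match can be evaluated in a few lines of Python. This is an added example, not part of the original guide; it also handles deny entries and the implicit deny, which goes beyond the permit-only ACLs shown above, and the sample config with its deny line is constructed.

```python
import ipaddress
import re

# Constructed sample: the ACL lines from this step plus one deny entry
# (an assumption, not from the guide) to show first-match ordering.
SAMPLE_CONFIG = """\
access-list 10 deny 192.168.20.99 0.0.0.0
access-list 10 permit 192.168.10.0 0.0.0.255
access-list 10 permit 192.168.20.0 0.0.0.255
ip nat inside source list 10 interface GigabitEthernet0/0 overload
"""

# Handles the "<address> <wildcard>", "host <address>" and "any" forms only.
ACE_RE = re.compile(r"^access-list (\d+) (permit|deny) (\S+)(?: (\S+))?$")


def parse_standard_acl(config, acl_number):
    """Return [(action, address, wildcard), ...] as integers, in config order."""
    entries = []
    for raw in config.splitlines():
        m = ACE_RE.match(" ".join(raw.split()))  # normalise whitespace
        if not m or int(m.group(1)) != acl_number:
            continue
        action, addr, wildcard = m.group(2), m.group(3), m.group(4) or "0.0.0.0"
        if addr == "any":
            addr, wildcard = "0.0.0.0", "255.255.255.255"
        elif addr == "host":
            addr, wildcard = wildcard, "0.0.0.0"
        entries.append((action, int(ipaddress.IPv4Address(addr)),
                        int(ipaddress.IPv4Address(wildcard))))
    return entries


def will_be_translated(config, acl_number, host):
    """True if the ACL permits `host` as a NAT source (first match wins)."""
    host_int = int(ipaddress.IPv4Address(host))
    for action, addr, wildcard in parse_standard_acl(config, acl_number):
        care = ~wildcard & 0xFFFFFFFF  # wildcard 0-bits must match exactly
        if (host_int & care) == (addr & care):
            return action == "permit"
    return False  # implicit deny at the end of every ACL


if __name__ == "__main__":
    for ip in ("192.168.10.50", "192.168.20.99", "192.168.30.7"):
        print(ip, will_be_translated(SAMPLE_CONFIG, 10, ip))
```

A host that returns False here is the "no translations in table" case from the troubleshooting step: its packets never match the ACL, so no NAT entry is created for them.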

04 Configure Static NAT — Expose a Server

Static NAT permanently maps one private IP to one public IP. Traffic arriving at the public IP is always forwarded to the same internal host — useful if your ISP gives you a block of public IPs.

! Map internal server to a dedicated public IP
R1(config)# ip nat inside source static 192.168.10.50 203.0.113.50

This mapping is bidirectional: traffic originating from 192.168.10.50 exits as 203.0.113.50, and inbound traffic to 203.0.113.50 is delivered to 192.168.10.50.

Most ISPs only give one public IP. If you only have one public IP and it is already used by PAT, skip static NAT and use port forwarding (Step 5) instead.

05 Port Forwarding — Expose One Service Behind PAT

If you only have one public IP (covered by PAT), you can still expose individual services by forwarding specific ports to an internal host. The router matches inbound traffic by destination port and rewrites it to the private host.

! Forward inbound TCP 80 and 443 to an internal web server
R1(config)# ip nat inside source static tcp 192.168.10.50 80 interface GigabitEthernet0/0 80
R1(config)# ip nat inside source static tcp 192.168.10.50 443 interface GigabitEthernet0/0 443
! Forward SSH on a non-standard port (port 2222 → internal :22)
R1(config)# ip nat inside source static tcp 192.168.10.50 22 interface GigabitEthernet0/0 2222
! Forward RDP (3389) to an internal Windows machine
R1(config)# ip nat inside source static tcp 192.168.10.60 3389 interface GigabitEthernet0/0 3389

Syntax: ip nat inside source static tcp <inside-ip> <inside-port> interface <wan-if> <outside-port>. Use udp instead of tcp for protocols like DNS or SIP.
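
Static entries such as those in Steps 4 and 5 accept connections initiated from the WAN side, so they are worth inventorying before you add ACLs on the WAN interface. The following Python audit is an added example, not part of the original guide; the sample config, the host 192.168.10.70 and the ADMIN_PORTS list are assumptions of the example.

```python
import re

# Constructed sample built from the commands in Steps 3-5. The one-to-one
# mapping uses 192.168.10.70, a host invented for this example.
SAMPLE_CONFIG = """\
ip nat inside source list 10 interface GigabitEthernet0/0 overload
ip nat inside source static 192.168.10.70 203.0.113.50
ip nat inside source static tcp 192.168.10.50 80 interface GigabitEthernet0/0 80
ip nat inside source static tcp 192.168.10.50 443 interface GigabitEthernet0/0 443
ip nat inside source static tcp 192.168.10.50 22 interface GigabitEthernet0/0 2222
ip nat inside source static tcp 192.168.10.60 3389 interface GigabitEthernet0/0 3389
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
FORWARD_RE = re.compile(
    rf"^ip nat inside source static (tcp|udp) {IP} (\d+) interface (\S+) (\d+)$")
ONE_TO_ONE_RE = re.compile(rf"^ip nat inside source static {IP} {IP}$")

# Inside ports treated as remote administration (a choice made for this example).
ADMIN_PORTS = {22: "SSH", 23: "Telnet", 3389: "RDP"}


def inbound_exposures(config):
    """Return (inside_ip, inside_port, outside) per static entry; port None = all."""
    found = []
    for raw in config.splitlines():
        line = " ".join(raw.split())  # normalise whitespace
        m = FORWARD_RE.match(line)
        if m:
            proto, inside_ip, inside_port, wan_if, outside_port = m.groups()
            found.append((inside_ip, int(inside_port), f"{wan_if} {proto}/{outside_port}"))
            continue
        m = ONE_TO_ONE_RE.match(line)
        if m:
            found.append((m.group(1), None, m.group(2)))
    return found


def needs_wan_acl_review(config):
    """Entries that publish an admin service, judged by the inside port."""
    flagged = []
    for inside_ip, inside_port, outside in inbound_exposures(config):
        if inside_port is None:
            flagged.append((inside_ip, outside, "all ports"))
        elif inside_port in ADMIN_PORTS:
            flagged.append((inside_ip, outside, ADMIN_PORTS[inside_port]))
    return flagged

if __name__ == "__main__":
    print(*needs_wan_acl_review(SAMPLE_CONFIG), sep="\n")
```

The SSH forward is flagged even though it listens on 2222 outside, because the check keys on the inside port: remapping the port does not change which service is published.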

06 Verify NAT Is Working

After a client generates some traffic (browse to a site, ping 8.8.8.8), the NAT table should populate.

! Show active NAT translations
R1# show ip nat translations
! Show NAT hit/miss counters and pool usage
R1# show ip nat statistics
! Confirm interfaces are tagged correctly
R1# show ip interface GigabitEthernet0/0
R1# show ip interface GigabitEthernet0/1

The show ip nat translations output will look like this when PAT is active:

Pro  Inside global       Inside local         Outside local     Outside global
tcp  203.0.113.10:1025   192.168.10.20:1025   8.8.8.8:53        8.8.8.8:53
tcp  203.0.113.10:1026   192.168.10.30:49152  93.184.216.34:80  93.184.216.34:80

  • Inside local = private IP of the LAN client
  • Inside global = public WAN IP (with port for PAT)
  • Translations appear when clients generate traffic
  • show ip nat statistics shows "Hits" incrementing

07 Troubleshoot NAT Problems

When NAT is not translating, work through these checks in order.

Symptom | Likely cause | Fix
No translations in table | ACL doesn't match traffic, or interfaces not tagged | Check ACL, check ip nat inside/outside
Misses incrementing, no hits | ACL mismatch — traffic doesn't match permit rule | Use debug ip nat to see what's being checked
Traffic reaches internet but return fails | Default route missing | Add ip route 0.0.0.0 0.0.0.0 <ISP-gateway>
Port forward not working | ACL blocking inbound, or wrong port | Check ACLs on WAN interface; verify port numbers

! Real-time NAT debug — watch what is/isn't translating
R1# debug ip nat
! Stop debug (always do this when done)
R1# undebug all
! Clear the NAT table and start fresh
R1# clear ip nat translation *
! Save config once everything is working
R1# write memory

Production warning: debug ip nat on a busy router generates enormous output and can impact performance. Use it briefly and always run undebug all when done.
Done! Your 1921 is translating LAN traffic to the internet. Next steps: configure VLANs with router-on-a-stick, or add ACLs to restrict which hosts can reach which destinations.