Static NAT

    According to the definitions outlined in the NAT Terminology article, a Static NAT implies a translation of just the IP address, where the post-translation IP addresses are explicitly defined.

    Making Internal Resources Accessible

    The typical use case for a Static NAT is for a Server on a Private IPv4 network to be reached externally from the Internet.

    Static NAT - Server cannot be accessed by Private IP

    In this example, the Internet host needs to connect to the web server on the Inside network. The web server is on an internal network and is therefore configured with the Private IP address of

    If the Internet host attempts to send a packet to the IP address of the server (, the packet will be dropped when it reaches the Internet. Recall, Private IP addresses are not routable on the Internet.

    For a host on the Internet to reach the server, a Static NAT must be configured on the NAT device. In our example, the Router in front of the network will be the NAT device, and we will configure it to translate the private IP address to the Public IP address

    Static NAT - Server accessible with Public IP

    Now, the Internet host can send a packet to the correlating Public IP address ( which will be routed through the Internet to the NAT device. The Router (acting as our NAT device) will then translate the packet to the Server’s private IP address ( When the web server responds, the router will un-translate the packet back to the original IP address of

    The Static NAT allowed the internal host with the private IP address to be accessed by an external host.

    With that in mind, there are three additional points that must be made regarding Static NAT.

    Source or Destination

    Whether the Source or the Destination of the packet is translated depends on the direction the packet is traveling. The inbound packet (from the Internet to the server) has its Destination IP translated. The outbound packet (from the server to the Internet) has its Source IP translated.

    Either way, the one IP address always maps to the one IP address This is why a Static NAT is also sometimes called a one-to-one NAT.

    Conserving IP Addresses

    If you had 30 servers on the Inside network, each with their own Private IP address, and you wanted to use Static NAT, then you would need 30 unique Public IP addresses for the translations.

    We discussed earlier that the original intent of Network Address Translation was to conserve Public IPv4 addresses. However, as you can see, a Static NAT does not actually conserve any Public IPv4 addresses. Instead, the primary purpose of a Static NAT is to expose a server with a Private IP address to the public Internet.


    Finally, in the example above, the initial packet was sent from the Internet host. But it could have easily been sent from the server on the Inside network. Regardless of who initiated the connection, the Static NAT would cause the Source of the outbound packets or the Destination of the inbound packets to be translated.

    The key point is that a Static NAT translation is bidirectional. Whether the internal host or the external host sent the first packet, it would “pass through” the Static NAT. There are variations of NAT which we will discuss later in this article series where the translation will not be bidirectional.
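    The three points above (which field is translated, the one-to-one mapping, and bidirectionality) can be seen in a small model of a static NAT table. This is an added example, not code from the original article; the `StaticNat` and `Packet` names and all addresses are constructed for illustration, and dropping unmapped packets is a simplification of this model.

```python
import ipaddress
from dataclasses import dataclass, replace

# RFC 1918 private ranges, which are not routable on the Internet.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

class StaticNat:
    """Stateless one-to-one address mapping (a constructed model, not a real device)."""

    def __init__(self):
        self.to_public = {}   # private address -> public address
        self.to_private = {}  # public address -> private address

    def add(self, private, public):
        priv, pub = ipaddress.ip_address(private), ipaddress.ip_address(public)
        if not any(priv in net for net in RFC1918):
            raise ValueError(f"{priv} is not an RFC 1918 private address")
        if priv in self.to_public or pub in self.to_private:
            raise ValueError("static NAT is one-to-one: address already mapped")
        self.to_public[priv], self.to_private[pub] = pub, priv

    def inbound(self, pkt):
        """Internet -> inside: rewrite the Destination; None means no mapping (dropped)."""
        priv = self.to_private.get(ipaddress.ip_address(pkt.dst))
        return replace(pkt, dst=str(priv)) if priv is not None else None

    def outbound(self, pkt):
        """Inside -> Internet: rewrite the Source; None means no mapping in this model."""
        pub = self.to_public.get(ipaddress.ip_address(pkt.src))
        return replace(pkt, src=str(pub)) if pub is not None else None

    def exposed(self):
        """Every entry is an inside host reachable from outside: the list to review."""
        return sorted((str(priv), str(pub)) for priv, pub in self.to_public.items())

# Constructed addresses: 10.0.0.10 is the server, 203.0.113.10 its public address,
# 198.51.100.7 the Internet host (documentation ranges, not taken from the article).
nat = StaticNat()
nat.add("10.0.0.10", "203.0.113.10")
request = nat.inbound(Packet(src="198.51.100.7", dst="203.0.113.10"))
reply = nat.outbound(Packet(src=request.dst, dst=request.src))
# The same entry also translates a connection the server starts itself.
initiated = nat.outbound(Packet(src="10.0.0.10", dst="198.51.100.7"))
```

    Because the table holds no connection state, the same entry serves traffic started from either side, and `exposed()` lists exactly the inside hosts that external hosts can reach.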


    Love the learning lesson. Thanks for posting this

    I’ve never read anything explained so well – great job, it makes me read more and more.

    Excellent explanation

    Very well explained…Thank

    Thanks a lot. This article is very useful.

    Will you please explain how NAT takes place in Checkpoint?

    Thank you!
    You are really the best at teaching networking.

    Information provided in this article is crystal clear.

    How would one test the NATing? Is it possible to do it with a ping?
    The host on the internet will then send a ping request to and that will get translated to and will the returned ping reply come back correctly? I have tried this on industrial routers (non-Cisco) and I experience problems with ARP requests. Or is there any other way to test it? Perhaps trying to see if a telnet request works, etc.