Monday, April 5, 2010

CCNA 51

We will now configure NAT overload on R1 so that all inside devices are NATted out. To do this, we will need to identify the inside and outside interfaces. First, go into f0/0 and type:
ip nat outside

Next, go into any other interfaces (and sub-interfaces) and type:
ip nat inside

Next, we'll have to create an access-list to identify the networks that are allowed out. In this example, I'm going to deny Host C's network from being NATted, and allow everything else. I'll do this with a standard access-list:
ip access-list standard INSIDE
deny 192.169.3.0 0.0.0.255
permit any


Finally, we'll activate the NAT process to translate the addresses specified in the list into the interface address with overload:
ip nat inside source list INSIDE int f0/0 overload

Now let's say I want Host A to be permanently assigned to 192.168.1.3, and allow it to be accessed from the outside. To do this, simply do a static NAT mapping:
ip nat inside source static 192.169.10.20 192.168.1.3

Now I'll be able to ping 192.169.10.20 by pinging 192.168.1.3 from outside. To specify a port, simply put the "tcp" keyword after static. For example, if I have a web server on Host A, and an email server on Host B, and I want to use the interface IP, then I can use:
ip nat inside source static tcp 192.169.10.20 80 int f0/0 80
ip nat inside source static tcp 192.169.20.20 25 int f0/0 25


This is actually what happens when you do port-forwarding on a home router like one from Linksys.

Finally, we'll set up dynamic NAT with overload. Suppose you are given a public IP pool of 192.168.1.10 to 192.168.1.20. We'll first create the pool like this:
ip nat pool OUTSIDE 192.168.1.10 192.168.1.20 prefix-length 24

Next, we will turn the NAT on like this:
ip nat inside source list INSIDE pool OUTSIDE overload

In this case, the first address is used until a port conflict occurs, at which point the router fails over to the second address.
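To make the order of decisions above concrete (static entry first, then list INSIDE, then the pool), here is a small Python model of the inside-to-outside translation this configuration performs. It is an added illustration, not IOS code or anything from the original post; the addresses are the post's, and the port-preservation and fall-over rules are assumptions that follow the post's description rather than a faithful reproduction of IOS internals.

```python
import ipaddress

# Values below are taken from the post's configuration (constructed test topology).
DENIED = ipaddress.ip_network("192.169.3.0/24")      # deny 192.169.3.0 0.0.0.255
STATIC = {"192.169.10.20": "192.168.1.3"}            # static one-to-one entry for Host A
POOL = [f"192.168.1.{n}" for n in range(10, 21)]     # ip nat pool OUTSIDE .10 - .20


class PatTable:
    """Inside-to-outside translation decisions for the post's NAT configuration."""

    def __init__(self, pool=POOL):
        self.pool = list(pool)
        self.table = {}      # (inside_ip, inside_port) -> (outside_ip, outside_port)
        self.in_use = set()  # (outside_ip, outside_port) pairs already handed out

    @staticmethod
    def acl_permits(src_ip):
        """Standard ACL INSIDE: deny 192.169.3.0/24, permit any."""
        return ipaddress.ip_address(src_ip) not in DENIED

    def translate(self, src_ip, src_port):
        """Return (outside_ip, outside_port), or None when the packet is left untranslated."""
        if src_ip in STATIC:                      # static entries win over the dynamic rule
            return (STATIC[src_ip], src_port)
        if not self.acl_permits(src_ip):
            return None                           # not matched by list INSIDE: no NAT
        key = (src_ip, src_port)
        if key in self.table:
            return self.table[key]                # existing translation is reused
        # Model of the post's description: keep the source port on the first pool
        # address and move to the next address only on a port conflict (assumption).
        for out_ip in self.pool:
            cand = (out_ip, src_port)
            if cand not in self.in_use:
                return self._record(key, cand)
        # Every pool address already uses this port: fall back to a fresh port on the
        # first address (assumption: modelled as the next free port from 1024 upward).
        for port in range(1024, 65536):
            cand = (self.pool[0], port)
            if cand not in self.in_use:
                return self._record(key, cand)
        return None                               # pool fully exhausted

    def _record(self, key, cand):
        self.in_use.add(cand)
        self.table[key] = cand
        return cand
```

Calling translate() repeatedly with the same inside port from different hosts walks through the pool one address at a time, which is the fail-over the paragraph above describes.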
