
June 29, 2025

Types of NAT

  1. Static NAT (One-to-One Mapping)
  2. Dynamic NAT (Many-to-Many Mapping)
  3. PAT (Port Address Translation, or Masquerading)
  4. Hairpin NAT (NAT Loopback)

1. MikroTik

Static NAT:

Maps one private IP to one public IP.

# Inbound (External to Internal)

/ip firewall nat add chain=dstnat action=dst-nat to-addresses=192.168.1.2 dst-address=203.0.113.5 protocol=tcp dst-port=80

# Outbound (Internal to External - Optional but recommended for full 1:1 NAT)

/ip firewall nat add chain=srcnat action=src-nat to-addresses=203.0.113.5 src-address=192.168.1.2

Dynamic NAT:

Maps a pool of public IPs to a private IP range.

# to-addresses takes an address or address range; an /ip pool name is not accepted there
/ip firewall nat add chain=srcnat action=src-nat src-address=192.168.1.0/24 to-addresses=203.0.113.10-203.0.113.20

PAT (Masquerading):

Allows multiple private devices to use a single public IP.

/ip firewall nat add chain=srcnat action=masquerade src-address=192.168.1.0/24 out-interface=wan_int

Hairpin NAT:

Allows internal users to access an internal server using the public IP.

# DST-NAT (translate public IP to private; dst-port limits the rule to the published port)

/ip firewall nat add chain=dstnat action=dst-nat protocol=tcp dst-address=203.0.113.5 dst-port=80 to-addresses=192.168.1.2 to-ports=80

# SRC-NAT (masquerade internal traffic going to the server; srcnat runs after dst-nat, so match the server's private IP)

/ip firewall nat add chain=srcnat action=masquerade src-address=192.168.1.0/24 dst-address=192.168.1.2
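
The model below is an added example, not part of the original page or MikroTik's own code: it replays a LAN client's packet through the dstnat and then the srcnat chain to show why the hairpin srcnat rule has to match the server's private address. The router LAN address 192.168.1.1 and the client 192.168.1.50 are assumptions, and only the matchers used in this section are modelled.

```python
import ipaddress

ROUTER_LAN_IP = "192.168.1.1"  # assumption: the router's LAN address (not on the page)
CLIENT = {"src": "192.168.1.50", "dst": "203.0.113.5", "dport": 80}  # constructed packet

DSTNAT = ("/ip firewall nat add chain=dstnat action=dst-nat protocol=tcp "
          "dst-address=203.0.113.5 dst-port=80 to-addresses=192.168.1.2 to-ports=80")
SRCNAT_POST = ("/ip firewall nat add chain=srcnat action=masquerade "
               "src-address=192.168.1.0/24 dst-address=192.168.1.2")
SRCNAT_PRE = ("/ip firewall nat add chain=srcnat action=masquerade "
              "src-address=192.168.1.0/24 dst-address=203.0.113.5")

def parse_rule(line):
    """Collect the key=value tokens of one '/ip firewall nat add' line."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)

def matches(rule, pkt):
    """Evaluate only the matchers used here: src-address, dst-address, dst-port."""
    for key, field in (("src-address", "src"), ("dst-address", "dst")):
        net = ipaddress.ip_network(rule.get(key, "0.0.0.0/0"))
        if ipaddress.ip_address(pkt[field]) not in net:
            return False
    return int(rule.get("dst-port", pkt["dport"])) == pkt["dport"]

def translate(lines, pkt):
    """dstnat is applied before routing, srcnat after it; first match wins."""
    rules, pkt = [parse_rule(ln) for ln in lines], dict(pkt)
    for chain in ("dstnat", "srcnat"):
        for rule in rules:
            if rule["chain"] != chain or not matches(rule, pkt):
                continue
            if rule["action"] == "dst-nat":
                pkt["dst"] = rule["to-addresses"]
                pkt["dport"] = int(rule.get("to-ports", pkt["dport"]))
            elif rule["action"] == "masquerade":
                pkt["src"] = ROUTER_LAN_IP
            break
    return pkt

def reply_passes_router(lines, pkt=CLIENT):
    """The server replies to the source it sees. Only a reply sent to the router is
    translated back to the public IP; a direct reply from 192.168.1.2 is dropped."""
    return translate(lines, pkt)["src"] == ROUTER_LAN_IP

if __name__ == "__main__":
    for name, rules in (("dst-nat only", [DSTNAT]),
                        ("srcnat on public IP", [DSTNAT, SRCNAT_PRE]),
                        ("srcnat on server IP", [DSTNAT, SRCNAT_POST])):
        print(f"{name:20} {translate(rules, CLIENT)} ok={reply_passes_router(rules)}")
```

Only the last rule set rewrites the client's source address, so only there does the server's reply travel back through the router.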

2. Cisco

Always designate the inside and outside interfaces (ip nat inside and ip nat outside in interface configuration); the translation rules below do nothing without them.

Static NAT:

Maps one private IP to one public IP.

ip nat inside source static 192.168.1.2 203.0.113.5

Dynamic NAT:

Maps a private IP range to a public IP pool.

ip nat pool NAT_POOL 203.0.113.10 203.0.113.20 netmask 255.255.255.0 
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 pool NAT_POOL

PAT (Port Address Translation):

Maps multiple private IP addresses to a single public IP address.

access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 interface FastEthernet0/2 overload

Hairpin NAT:

Allows internal devices to access the public IP and reach an internal server.

ip nat inside source static tcp 192.168.1.2 80 203.0.113.5 80 extendable
ip access-list standard NAT-Hairpin
 permit 192.168.1.0 0.0.0.255
ip nat inside source list NAT-Hairpin interface FastEthernet0/2 overload

3. FortiGate

Static NAT:

Maps a private IP to a specific public IP.

config firewall vip
    edit "Static-NAT-Example"
        set extip 203.0.113.5
        set mappedip 192.168.1.2
    next
end

Dynamic NAT:

Uses a pool of public IPs to map to private IP addresses. The one-to-one pool type gives each internal host its own public address, with no port overloading.

config firewall ippool
    edit "pool1"
        set type one-to-one
        set startip 203.0.113.10
        set endip 203.0.113.20
    next
end

config firewall policy
    edit 1
        set srcintf "lan1"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set nat enable
        set action accept
        set ippool enable
        set poolname "pool1"
    next
end

PAT (Masquerading):

Maps many private IPs to a single public IP.

config firewall policy
    edit 1
        set srcintf "lan1"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set nat enable
        set action accept
    next
end

Hairpin NAT:

Allows internal clients to access an internal resource using the external IP.

config firewall vip
    edit "Hairpin-NAT"
        set extip 203.0.113.5
        set mappedip 192.168.1.2
        set portforward enable
        set extport 80
        set mappedport 80
    next
end

config firewall policy
    edit 1
        set name "Hairpin-NAT-Policy"
        set srcintf "lan1"
        set dstintf "lan1"
        set srcaddr "all"
        set dstaddr "Hairpin-NAT"
        set schedule "always"
        set service "HTTP"
        set nat disable
        set action accept
    next
end

Adjust the service to match the port you publish.

Conclusion:

  • MikroTik: Configurations are relatively simple, with src-nat for static and dynamic NAT and masquerade for PAT, and Hairpin NAT takes only a few straightforward commands.
  • Cisco: Offers powerful flexibility but requires more detailed configuration, including access lists for Hairpin NAT.
  • FortiGate: Easy to manage through the GUI or CLI, with structured configuration for static, dynamic, and Hairpin NAT.