Cisco IOS cheat sheet for NAT (Network Address Translation) and DHCP. Covers static NAT, dynamic NAT, PAT (overload), NVI NAT, DHCP server setup, and DHCP relay.
NAT: Network Address Translation
Static NAT
One-to-one permanent mapping. Used to expose an internal server to the outside.
| Command | Description |
|---|---|
| int fa0/0 | Internal interface (LAN side) |
| ip nat inside | Mark as inside NAT interface |
| int fa0/1 | External interface (Internet side) |
| ip nat outside | Mark as outside NAT interface |
| ip nat inside source static 192.168.1.2 215.215.215.20 | Map private 192.168.1.2 permanently to public 215.215.215.20 |
| ip nat inside source static tcp 192.168.1.3 80 172.20.20.15 80 | Port forward: external port 80 → internal 192.168.1.3:80 |
| ip nat inside source static tcp 192.168.1.3 80 interface Ethernet0/0 80 | Port forward using interface IP instead of hardcoded public IP |
| ip nat inside source static 192.168.1.5 interface fa0/0 | DMZ-style: forward ALL ports to 192.168.1.5 |
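A one-to-one static mapping translates every port of the inside host, so it exposes more than a `tcp`/`udp` port forward unless an ACL or firewall filters the outside interface. The following added example (not part of the original cheat sheet; the function names are hypothetical) inventories static NAT commands in a saved config and lists the all-port mappings first for review:

```python
# Added example: inventory static NAT entries in an IOS config and flag
# one-to-one mappings, which translate every port of the inside host.

# Constructed sample: the four static NAT commands from the table above.
SAMPLE_CONFIG = """\
ip nat inside source static 192.168.1.2 215.215.215.20
ip nat inside source static tcp 192.168.1.3 80 172.20.20.15 80
ip nat inside source static tcp 192.168.1.3 80 interface Ethernet0/0 80
ip nat inside source static 192.168.1.5 interface fa0/0
"""

PREFIX = ["ip", "nat", "inside", "source", "static"]


def parse_static_nat(line):
    """Return a dict for one static NAT command, or None if it is not one."""
    tok = line.split()
    if tok[:5] != PREFIX:
        return None
    rest = tok[5:]
    try:
        proto = rest.pop(0) if rest[0] in ("tcp", "udp") else None
        local_ip = rest.pop(0)
        local_port = int(rest.pop(0)) if proto else None
        if rest[0] == "interface":            # global side follows an interface IP
            global_addr = "interface " + rest[1]
            rest = rest[2:]
        else:                                  # global side is a fixed address
            global_addr = rest[0]
            rest = rest[1:]
        global_port = int(rest[0]) if proto else None
    except (IndexError, ValueError):
        return None                            # truncated or unexpected syntax
    return {"proto": proto, "local_ip": local_ip, "local_port": local_port,
            "global": global_addr, "global_port": global_port,
            "all_ports": proto is None}


def audit_static_nat(config_text):
    """Parse every static NAT line; all-port mappings sort first for review."""
    entries = [e for e in map(parse_static_nat, config_text.splitlines()) if e]
    return sorted(entries, key=lambda e: not e["all_ports"])


if __name__ == "__main__":
    for e in audit_static_nat(SAMPLE_CONFIG):
        scope = "ALL PORTS" if e["all_ports"] else (
            f'{e["proto"]}/{e["global_port"]} -> {e["local_port"]}')
        print(f'{e["global"]:24} -> {e["local_ip"]:14} {scope}')
```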
Dynamic NAT
Pool of public IPs: each private IP gets a different public IP from the pool.
| Command | Description |
|---|---|
| access-list 1 permit 192.168.1.0 0.0.0.255 | Define which private addresses are eligible for NAT |
| ip nat pool TRANS 215.215.215.20 215.215.215.30 netmask 255.255.255.0 | Define public IP pool (range .20-.30) |
| ip nat inside source list 1 pool TRANS | Enable dynamic NAT: ACL 1 → pool TRANS |
PAT: Port Address Translation (NAT Overload)
Many private IPs share one public IP, differentiated by port numbers. Most common in home/office routers.
PAT with Pool
| Command | Description |
|---|---|
| ip nat pool OVRLD 172.16.10.1 172.16.10.1 netmask 255.255.255.0 | Pool with a single public IP |
| access-list 7 permit 192.168.1.0 0.0.0.255 | Private IP range eligible for PAT |
| ip nat inside source list 7 pool OVRLD overload | Enable PAT (overload) |
PAT Using Interface IP (Recommended)
| Command | Description |
|---|---|
| ip nat inside source list 7 interface e0/1 overload | Translate to the IP of the outbound interface; no hardcoded public IP needed |
Prefer the interface-based form: it follows the interface IP automatically if the ISP reassigns it.
NVI NAT (NAT Virtual Interface)
Alternative to the inside/outside model: mark interfaces with `ip nat enable` on both sides.
NVI NAT: PAT Example
| Command | Description |
|---|---|
| ip nat enable | Enable NAT on interface (both LAN and WAN side) |
| ip nat source list 7 interface fa0/1 overload | Enable PAT (note: no `inside` keyword) |
NAT Diagnostics
NAT show / debug
| Command | Description |
|---|---|
| show ip nat translation | Current NAT translation table |
| show ip nat statistics | NAT hit counters and stats |
| show ip nat nvi translation | Translation table for NVI NAT |
| clear ip nat translation * | Clear dynamic translation table (settings unchanged) |
| debug ip nat | Real-time NAT translation log |
DHCP Server
DHCP Pool Configuration
| Command | Description |
|---|---|
| ip dhcp excluded-address 192.168.10.50 | Exclude IP from DHCP assignment (static servers, gateways) |
| ip dhcp pool VLAN2POOL | Create DHCP pool named VLAN2POOL |
| network 192.168.2.0 255.255.255.0 | Address range to hand out |
| default-router 192.168.2.50 | Default gateway to advertise |
| dns-server 217.217.217.2 | DNS server to advertise |
| netbios-name-server 192.168.1.2 | WINS server address |
| bootfile FILENAME | PXE boot filename |
| option 33 ip 156.42.45.0 192.168.1.1 | Option 33: send static route to client |
| lease 2 | Lease time of 2 days |
Sub-interface for Inter-VLAN DHCP
| Command | Description |
|---|---|
| interface fa0/0.2 | Create sub-interface for VLAN 2 |
| encapsulation dot1Q 2 | Tag sub-interface for VLAN 2 |
| ip address 192.168.2.2 255.255.255.0 | Assign IP (this becomes the DHCP gateway) |
Static IP-to-MAC Binding
| Command | Description |
|---|---|
| ip dhcp pool CLIENT | Create a dedicated pool for one client |
| host 192.168.50.5 255.255.255.255 | Always assign this IP |
| client-identifier 0001.976B.291D | Match by MAC address (client-identifier) |
Windows clients: prefix MAC with `01` (e.g., `0100.0476.106c.bc`).
UNIX clients: prefix with `00` (e.g., `0000.0476.106c.bc`).
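The prefix byte shifts the dotted grouping, so the identifier is easy to get wrong by hand. The following added example (not part of the original cheat sheet; the function names are hypothetical) builds the client-identifier from a MAC in any common notation, converts one back to a MAC, and emits the one-host pool using the commands from the table above:

```python
import re

HEX12 = re.compile(r"[0-9a-f]{12}")


def cisco_client_id(mac, prefix="01"):
    """Return the dotted client-identifier: prefix byte + 6-byte MAC."""
    digits = re.sub(r"[.:\-\s]", "", mac).lower()
    if not HEX12.fullmatch(digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    if prefix not in ("00", "01"):
        raise ValueError("prefix must be '01' or '00' as in the note above")
    raw = prefix + digits                      # 14 hex digits (7 bytes)
    # IOS dotted notation groups four hex digits; the last group has two.
    return ".".join(raw[i:i + 4] for i in range(0, len(raw), 4))


def mac_from_client_id(client_id):
    """Split a 7-byte dotted client-identifier into (prefix, colon MAC)."""
    raw = client_id.replace(".", "").lower()
    if not re.fullmatch(r"[0-9a-f]{14}", raw):
        raise ValueError(f"not a 7-byte client-identifier: {client_id!r}")
    mac = raw[2:]
    return raw[:2], ":".join(mac[i:i + 2] for i in range(0, 12, 2))


def static_binding(pool, ip, mac, prefix="01"):
    """Config lines for a one-host pool, using the commands from the table."""
    return [
        f"ip dhcp pool {pool}",
        f" host {ip} 255.255.255.255",
        f" client-identifier {cisco_client_id(mac, prefix)}",
    ]


if __name__ == "__main__":
    # Constructed MAC, taken from the example identifiers in the note above.
    print("\n".join(static_binding("CLIENT", "192.168.50.5", "00:04:76:10:6c:bc")))
    print(mac_from_client_id("0000.0476.106c.bc"))
```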
DHCP Relay and Advanced Settings
| Command | Description |
|---|---|
| ip helper-address 10.0.1.4 | DHCP Relay Agent: forward requests to DHCP server at 10.0.1.4 |
| ip dhcp ping packets 0 | Disable ping check before assigning IP (0 = off) |
| ip dhcp ping timeout 200 | Timeout between ping attempts (ms) |
| clear ip dhcp binding * | Clear all DHCP lease bindings |
| clear ip dhcp binding 192.168.2.4 | Clear binding for specific IP |
| clear ip dhcp conflict * | Clear IP conflict database |
| ip dhcp database ftp://user:pass@192.168.1.5/router-dhcp timeout 80 | Store DHCP bindings on external FTP server (FTP sends the credentials and lease data unencrypted) |
DHCP Diagnostics
| Command | Description |
|---|---|
| show ip dhcp pool | Available and used addresses per pool |
| show ip dhcp binding | All assigned leases |
| show ip dhcp binding 192.168.10.1 | Details for a specific IP (includes MAC) |
| show ip dhcp conflict | IP address conflict log |
| show ip dhcp server statistics | DHCP server stats (requests, acks, declines) |
| debug ip dhcp server packet | Real-time DHCP packet debug |
Cisco IOS Command Reference | NAT & DHCP