How to configure a Cisco router for access to the Internet using dynamic and static PAT.

This is a quick article on how to setup NAT and routing on a Cisco router providing access to the Internet. It does not cover the security aspects of the device.

It will show how to setup dynamic PAT translating all the LAN IPs to the WAN IP address of the router and also how to setup static port translation for an internet web server.

LAN subnet =
WAN subnet =

( – int fa0/0) R1 (int fa0/1 – -> ( ISP

Dynamic PAT

int fa0/0
ip nat inside

int fa0/1
ip nat outside

access-list 101 permit ip any
ip nat inside source list 101 interface fa0/1 overload

Note you can use a standard acl instead but whichever you use you should not use “any” as the source IP addresses as this can cause problems with NAT.

Static PAT
Dynamic NAT connections have to be initiated from inside to outside (using the above example) so if you wanted to host a webserver for example on your LAN you would need a static NAT entry to allow connections from the outside. Note in a secure environment you would host any servers accessible from the Internet on a DMZ.

Carrying on from previous example –
Web server =
ip nat inside source static tcp 80 interface fa0/1 80


The routing for a setup like this is very simple. You just need a default route pointing to the next hop IP of your ISP. Because you are translating all your internal 192.168.3.x IPs to the WAN interface your ISP does not need to have any routes for your internet subnets.
ip route