Cisco Router NAT Configuration

July 6, 2013

Configuring NAT Overload:

These configurations will take place on your internet router since this is where NAT needs to happen.  The steps to configure NAT Overload are as follows:

  1. Label Interfaces
  2. Identify internal IP addresses to be translated
  3. Enable NAT overload

1:

conf t
int e0/0 – our inside interface
ip nat inside – tells NAT this is the inside interface
int e0/1 – our outside interface
ip nat outside – tells NAT this is the outside interface

2:

ip access-list standard NAT-ADDRESSES
deny 192.168.3.0 0.0.0.255 – denying a range from being NAT’d
permit 192.168.0.0 0.0.255.255 – permit everyone else on our network; anything not matched is dropped by the implicit deny at the end of the ACL.

3:

ip nat inside source list NAT-ADDRESSES interface ethernet 0/1 overload – Tells our router to NAT the inside source addresses matched by our access list NAT-ADDRESSES out interface ethernet 0/1, overloading (PAT) the IP assigned to that interface.

From this point on, NAT should be working for any computers trying to reach the internet through your router as long as they were permitted in the ACL we created.

show ip nat translations – shows your NAT table, i.e. the clients currently being NAT'd through the router.  The inside local is your client's actual address; the inside global is the public address you are NAT'ing them to.  The outside local and outside global will be the same for NAT overload and reflect the IPs of the devices you are hitting on the outside.

Note that a host denied in the NAT ACL is simply not translated, which also prevents it from reaching or being reached from the internet.  This is a convenient way to keep clients that should not reach the internet off it, keeping in mind that their packets are still routed and only fail because the private source address cannot be answered from outside; an explicit interface ACL is the stronger control.

Static NAT:

Now let's do some static one-to-one NAT translations.  We will need to tie them to public IPs other than the one we are overloading on our internet router.  This means you will have to purchase multiple public IPs from your ISP.

conf t
ip nat inside source static 192.168.10.50 69.63.129.25 – This command says NAT our inside IP 192.168.10.50 statically to 69.63.129.25.  This also allows clients on the outside hitting 69.63.129.25 to translate to the actual internal address.  Now if you do:

show ip nat translation – you will see the static NAT table show entries related to this.

If your ISP has only given you one or two addresses to statically NAT multiple servers to/from, you can NAT like so:

no ip nat inside source static 192.168.10.50 69.63.129.25 – remove the static NAT mapping we created.

ip nat inside source static tcp 192.168.10.50 80 interface ethernet 0/1 80 – This says that any TCP request arriving on port 80 of your outside interface is translated to the internal IP specified, 192.168.10.50.  This is great for conserving your public IPs.  You can do this to split up email (SMTP port 25), web (port 80/443), and even name servers (DNS UDP 53, which needs its own udp line) to be accessible from the outside while sharing one public IP, and even overload that IP at the same time!
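As an added example (not part of the original post), a small Python audit that parses `show ip nat translations` output and checks it against the policy described above: hosts the NAT ACL denies must never appear as a translated inside local, and the only static port mapping we intend to expose is the web server on TCP 80. The sample table, the 192.168.x hosts and the extra port-25 entry are constructed for illustration.

```python
import ipaddress

# Constructed sample of "show ip nat translations" output; not captured from a real router.
SAMPLE_OUTPUT = """\
Pro Inside global         Inside local          Outside local         Outside global
tcp 69.63.129.25:80       192.168.10.50:80      ---                   ---
tcp 69.63.129.25:25       192.168.10.60:25      ---                   ---
tcp 69.63.129.25:1024     192.168.1.20:51022    198.51.100.9:443      198.51.100.9:443
udp 69.63.129.25:1025     192.168.3.15:53000    198.51.100.53:53      198.51.100.53:53
"""

# Hosts the NAT ACL denies (mirrors "deny 192.168.3.0 0.0.0.255").
DENIED = [ipaddress.ip_network("192.168.3.0/24")]
# Static port mappings we intend to expose: (proto, outside port) -> inside host.
EXPECTED_STATIC = {("tcp", 80): "192.168.10.50"}


def split_addr(field):
    """Return (ip, port) from 'a.b.c.d:port'; both None for '---', port None for a bare IP."""
    if field == "---":
        return None, None
    host, _, port = field.partition(":")
    return host, (int(port) if port else None)


def parse_translations(text):
    """Parse the table into dicts; static entries have '---' in the outside columns."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the column header
        if not line.strip():
            continue
        pro, ig, il, ol, og = line.split()
        rows.append({
            "proto": pro, "inside_global": split_addr(ig), "inside_local": split_addr(il),
            "outside_local": split_addr(ol), "static": ol == "---",
        })
    return rows


def audit(rows):
    """Return (finding, detail) tuples for rows that contradict the NAT policy."""
    findings = []
    for r in rows:
        il_ip, _ = r["inside_local"]
        if any(ipaddress.ip_address(il_ip) in net for net in DENIED):
            findings.append(("denied-host-translated", il_ip))
        if r["static"]:
            key = (r["proto"], r["inside_global"][1])
            if EXPECTED_STATIC.get(key) != il_ip:
                findings.append(("unexpected-static-mapping", f"{r['proto']}/{key[1]} -> {il_ip}"))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_translations(SAMPLE_OUTPUT)):
        print(*finding)
```

Paste the real `show ip nat translations` output in place of the sample to run the same checks against a live router.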

Dynamic NAT:

Dynamic NAT works by creating a pool.  Let's get rid of our NAT overload and our static NAT for now (run show run | inc ip nat, then copy and paste each line back in with no in front of it).

Now let's create an ip nat pool so multiple private IPs are overloaded/NAT'd to multiple public IPs.  The router moves on to the next public IP in the pool once one has used up all the ports available to it:

ip nat pool PUBLIC-ADDRESSES 69.63.129.20 69.63.129.30 prefix-length 24 – This creates a NAT pool with 10 addresses and a prefix or subnet mask of /24.

ip nat inside source list NAT-ADDRESSES pool PUBLIC-ADDRESSES overload – This tells our router to allow the IPs specified in our ACL NAT-ADDRESSES to overload to the IP pool PUBLIC-ADDRESSES.