Rules
The configuration and verification of Network Address Translation with Cisco IOS software is a straightforward task. When configuring NAT, perform the following:
- Designate one or more interfaces as the internal (inside) interface(s) using the ip nat inside interface configuration command.
- Designate an interface as the external (outside) interface using the ip nat outside interface configuration command.
- Configure an access control list (ACL) that will match all traffic for translation. This can be a standard or an extended named or numbered ACL.
- Optionally, configure a pool of global addresses using the ip nat pool (name start-ip end-ip) [netmask mask | prefix-length (length)] global configuration command. This defines a pool of inside global addresses to which inside local addresses will be translated.
- Configure NAT globally using the ip nat inside source list (ACL) [interface | pool] (name) [overload] global configuration command.
Example Config:
Router(config)#interface fa0/0
Router(config-if)#description Connected to the internal LAN
Router(config-if)#ip address 10.5.5.1 255.255.255.0
Router(config-if)#ip nat inside
Router(config-if)#exit
Router(config)#interface serial0/0
Router(config-if)#ip address 150.0.0.1 255.255.255.0
Router(config-if)#description Connected to ISP
Router(config-if)#ip nat outside
Router(config-if)#exit
Router(config)#access-list 100 remark translate internal addresses only
Router(config)#access-list 100 permit ip 10.5.5.0 0.0.0.7 any
! 0.0.0.7 is a wildcard mask: this entry matches 10.5.5.0-10.5.5.7 only. 0.0.0.255 would
! cover the whole 10.5.5.0/24 configured on fa0/0.
Router(config)#ip nat pool OUTSIDE-POOL 150.1.1.3 150.1.1.6 netmask 255.255.255.0
! prefix-length 24 could be used instead of netmask 255.255.255.0 (this did not work in Packet Tracer).
Router(config)#ip nat inside source list 100 pool OUTSIDE-POOL overload
! overload enables PAT: several inside hosts share one pool address and are told apart by
! source port. This is the usual way to configure NAT.
Router(config)#exit
Router#show ip nat translations
Static NAT:
! Use static NAT when you host a server (a web server, for example): it always appears on the same external IP.
Router(config)#interface f0/0
Router(config-if)#ip address 192.168.1.1 255.255.255.0
Router(config-if)#ip nat inside
Router(config-if)#exit
Router(config)#interface f0/1
Router(config-if)#ip address 192.168.2.1 255.255.255.0
Router(config-if)#ip nat inside
Router(config-if)#exit
Router(config)#interface s0/0
Router(config-if)#ip nat outside
Router(config-if)#exit
! inside local (left) maps permanently, one-to-one, to inside global (right)
Router(config)#ip nat inside source static 192.168.1.1 200.1.1.1
Router(config)#ip nat inside source static 192.168.2.1 200.1.1.2
Dynamic NAT / NAT Pool:
Router(config)#interface f0/0
Router(config-if)#ip nat inside
Router(config-if)#exit
Router(config)#interface s0/1
Router(config-if)#ip nat outside
Router(config-if)#exit
Router(config)#ip nat pool poolname 200.1.1.1 200.1.1.16 netmask 255.255.255.0
Router(config)#ip nat inside source list 1 pool poolname
Router(config)#access-list 1 permit 192.168.1.0 0.0.0.255
! The ACL tells the router which source addresses it may translate.
! 0.0.0.255 is a wildcard mask: the bitwise inverse of the subnet mask 255.255.255.0.
! Every NAT pool needs a name; this one is 'poolname'. The source list refers to the ACL number.
! Without overload each inside host holds one pool address for as long as it has translations,
! so a 16-address pool serves at most 16 inside hosts at a time.
NAT overload/PAT/One-Way NAT:
- To configure PAT, use the same setup as dynamic NAT and add the overload keyword.
Router(config)#interface f0/0
Router(config-if)#ip nat inside
Router(config-if)#exit
Router(config)#interface s0/1
Router(config-if)#ip nat outside
Router(config-if)#exit
Router(config)#ip nat pool poolname 200.1.1.1 200.1.1.1 netmask 255.255.255.0
Router(config)#ip nat inside source list 1 pool poolname overload
Router(config)#access-list 1 permit 192.168.1.0 0.0.0.255
! Using PAT with a pool of more than one address wastes address space: the router uses the
! first address and allocates a new source port for each subsequent connection.
! This is why PAT is typically configured to overload the outside interface address instead.
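The two design questions the notes above keep coming back to, whether the ACL wildcard actually covers the inside subnet and whether a pool without overload is large enough for the inside hosts, can be checked before the config reaches a router. The Python below is an added example, not part of the original notes or of Cisco IOS. It runs the check against the values from the "Example Config" section (ACL 100 permit ip 10.5.5.0 0.0.0.7 any, pool 150.1.1.3-150.1.1.6 with overload) and from the "Dynamic NAT / NAT Pool" section (access-list 1 permit 192.168.1.0 0.0.0.255, pool 200.1.1.1-200.1.1.16 without overload). Function names and result fields are my own; only contiguous wildcard masks are handled.

```python
import ipaddress

# Added example: sanity-check an IOS NAT design for an ACL wildcard that does not
# cover the inside subnet and for a dynamic pool that is smaller than the number
# of inside hosts. Scenario values come from the configs in these notes; the
# function and result-field names are my own (not IOS terms).


def wildcard_to_prefixlen(wildcard: str) -> int:
    """Convert an IOS wildcard (inverse) mask such as 0.0.0.255 to a prefix length.

    IOS also accepts non-contiguous wildcards (e.g. 0.0.1.0); those do not map
    to a single prefix and are rejected here.
    """
    wild = int(ipaddress.IPv4Address(wildcard))
    netmask = wild ^ 0xFFFFFFFF  # the wildcard is the bitwise inverse of the netmask
    ones = bin(netmask).count("1")
    if netmask != (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard mask: {wildcard}")
    return ones


def acl_entry_network(address: str, wildcard: str) -> ipaddress.IPv4Network:
    """The address block matched by 'permit <address> <wildcard>'."""
    prefixlen = wildcard_to_prefixlen(wildcard)
    return ipaddress.IPv4Network(f"{address}/{prefixlen}", strict=False)


def pool_size(start: str, end: str) -> int:
    """Number of inside global addresses in 'ip nat pool NAME start end ...'."""
    return int(ipaddress.IPv4Address(end)) - int(ipaddress.IPv4Address(start)) + 1


def check_nat_design(inside_subnet, acl_entries, pool_start, pool_end, overload):
    """Summarise ACL coverage and pool capacity for one NAT configuration."""
    inside = ipaddress.IPv4Network(inside_subnet)
    matched = [acl_entry_network(addr, wild) for addr, wild in acl_entries]
    uncovered = [h for h in inside.hosts() if not any(h in net for net in matched)]
    hosts = inside.num_addresses - 2  # usable host addresses in the inside subnet
    size = pool_size(pool_start, pool_end)
    return {
        "acl_matches": [str(net) for net in matched],
        "hosts_not_translated": len(uncovered),
        "pool_addresses": size,
        # Without overload each inside host occupies one pool address at a time.
        "pool_exhaustion_risk": (not overload) and hosts > size,
    }


# Scenario from "Example Config": only 10.5.5.0-10.5.5.7 match the ACL, pool of 4, overload on.
EXAMPLE_CONFIG = check_nat_design(
    "10.5.5.0/24", [("10.5.5.0", "0.0.0.7")], "150.1.1.3", "150.1.1.6", overload=True
)

# Scenario from "Dynamic NAT / NAT Pool": whole /24 matches, pool of 16, no overload.
DYNAMIC_POOL = check_nat_design(
    "192.168.1.0/24", [("192.168.1.0", "0.0.0.255")], "200.1.1.1", "200.1.1.16", overload=False
)

if __name__ == "__main__":
    for name, result in (("Example Config", EXAMPLE_CONFIG), ("Dynamic NAT pool", DYNAMIC_POOL)):
        print(name, result)
```

For the Example Config the check reports 247 inside hosts that never match ACL 100 and so are never translated; for the dynamic pool it reports that 254 possible hosts compete for 16 addresses, which is exactly the situation the overload keyword exists for.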
Show Commands:
show ip nat translations
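Reading the translation table by eye gets hard once PAT is in use, so the parser below is an added example (not part of the original notes, and the sample table is constructed, not captured from a device) that turns show ip nat translations output into a summary: how many dynamic and static entries exist, which inside global addresses are being shared by several inside hosts (PAT in action), and which static one-to-one mappings expose an inside host permanently. The column layout follows IOS; the function names are my own.

```python
# Added example: parse 'show ip nat translations' output and summarise it the way
# an operator auditing a NAT router would. SAMPLE_OUTPUT is constructed sample
# data in the IOS column layout, not output captured from a real device.

SAMPLE_OUTPUT = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 150.1.1.3:1025     10.5.5.2:1025      203.0.113.10:80    203.0.113.10:80
tcp 150.1.1.3:1026     10.5.5.3:1025      203.0.113.10:80    203.0.113.10:80
udp 150.1.1.3:53021    10.5.5.4:53021     203.0.113.53:53    203.0.113.53:53
--- 200.1.1.1          192.168.1.1        ---                ---
"""


def parse_translations(text):
    """Return one dict per translation row; the header line is skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] == "Pro":
            continue
        proto, inside_global, inside_local, outside_local, outside_global = fields
        entries.append({
            "proto": None if proto == "---" else proto,
            "static": proto == "---",  # static one-to-one entries show no protocol
            "inside_global": inside_global,
            "inside_local": inside_local,
            "outside_local": outside_local,
            "outside_global": outside_global,
        })
    return entries


def split_host_port(endpoint):
    """'150.1.1.3:1025' -> ('150.1.1.3', 1025); an endpoint without a port -> (endpoint, None)."""
    host, sep, port = endpoint.rpartition(":")
    if not sep:
        return endpoint, None
    return host, int(port)


def summarize(entries):
    """Group translations by inside global address.

    An inside global address used by more than one inside local host is PAT
    (overload) at work. Static entries are the hosts permanently reachable from
    outside, which is the list worth reviewing on a NAT router.
    """
    locals_per_global = {}
    for entry in entries:
        global_addr, _ = split_host_port(entry["inside_global"])
        local_addr, _ = split_host_port(entry["inside_local"])
        locals_per_global.setdefault(global_addr, set()).add(local_addr)
    return {
        "dynamic_entries": sum(1 for e in entries if not e["static"]),
        "static_entries": sum(1 for e in entries if e["static"]),
        "pat_globals": sorted(g for g, locs in locals_per_global.items() if len(locs) > 1),
        "static_mappings": {e["inside_local"]: e["inside_global"] for e in entries if e["static"]},
    }


if __name__ == "__main__":
    print(summarize(parse_translations(SAMPLE_OUTPUT)))
```

On the sample table this reports three dynamic entries all sharing inside global 150.1.1.3 (so PAT is in effect) and one static mapping of 192.168.1.1 to 200.1.1.1.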
Bigger Picture:
- Define the inside and outside interfaces on the router.
- Create a NAT pool of public IPs: ip nat pool (poolname startIP endIP netmask mask)
- Create an ACL that covers all internal IPs.
- Bind that ACL to the NAT pool: ip nat inside source list (acl name/number) pool (poolname) (overload)