Page 1: Cisco Router Nat Tutorial

1

Cisco Router NAT Tutorial How to Configure NAT on a Cisco Router

By Eric S. Severson President / Sr. Network Consultant

Key IT Consulting, Inc. © Eric S. Severson and Key IT Consulting, Inc.

You do not have resell rights or giveaway rights to this eBook. Only customers that have purchased this material are authorized to view it.

This eBook contains material protected under International and Federal Copyright Laws and Treaties. No part of this publication may be transmitted or reproduced in any way without the prior written permission of the author. Violations of this copyright will be enforced to the full extent of the law. LEGAL NOTICE: The information services and resources provided in this eBook are based upon the current Internet environment as well as the author’s experience. The techniques presented have been proven to be successful. Because technologies are constantly changing, the services and examples presented in this eBook may change, cease or expand with time. We hope that the skills and knowledge acquired from this manual will provide you with the ability to adapt to inevitable evolution of technological services. However, we cannot be held responsible for changes that may affect the applicability of these techniques. All product names, logos and artwork are copyrights of their respective owners. None of the owners have sponsored or endorsed this publication. While all attempts have been made to verify information provided, the author assumes no responsibility for errors, omissions, or contrary interpretation of the subject matter herein. Any perceived slights of peoples or organizations are unintentional. The purchaser or reader of this publication assumes responsibility for the use of these materials and information. No guarantees of income are made. The author reserves the right to make changes and assumes no responsibility or liability whatsoever on behalf of any purchaser or reader of these materials.


Table of Contents

Introduction
Common Forms of NAT on a Cisco Router
Static NAT Configuration Details
Static NAT in an HSRP Environment
Dynamic NAT Configuration Details
NAT Overloading Configuration Details
NAT Overloading in an HSRP Environment
Verifying NAT is Operating as Expected
Conclusion


Introduction

If you are reading this document, chances are pretty good that you already have a general idea of what Network Address Translation (NAT) is, so I will be brief in explaining the basics and get right to the configurations and how-to’s.

Network Address Translation (NAT) is essentially a way of conserving IP addresses. In its most common usage it allows an IP network that uses RFC 1918 private address space to be translated to publicly registered, routable address space for communication on the public Internet.

What you will most commonly see is NAT configured to present only one address for the entire inside private network to the public outside world. This is certainly the most common usage.

There are two benefits to using NAT in this way. One is that it conserves the rapidly diminishing supply of registered public addresses. The other is that a layer of protection is added by “shielding” the entire internal network behind that single public address: outside hosts see only the router’s global address, and an unsolicited inbound packet has no translation entry to match, so it is never delivered to an inside host. Do not mistake this for a firewall, though. Any static mapping you configure makes the inside host reachable from the Internet on every port, and NAT does nothing to inspect the traffic it does translate, so you still need access lists (or a firewall) on the outside interface.

Most routers or firewalls on the market today do some form of NAT. If you have read my ebook titled “PIX/ASA Firewall Keys” (http://www.firewallkeys.com) you should be well aware of how NAT operates on a PIX/ASA Firewall.


The objective of this document is to clearly lay out how to configure NAT on a Cisco Router platform.

We will be looking at the most common implementations and get specific about the exact Cisco Router IOS commands you will need to know, where to enter them, and how and why they work the way they do.

While there may be variations on how these designs and configurations are used based on your specific network topology, if you develop a solid grasp of the concepts laid out here, you will be well on your way to being able to configure NAT in your own environment.

I personally consider this essential and crucial information that any Network Engineer working on Cisco Routers simply MUST KNOW. NAT on a Cisco Router is up there with having general knowledge of something like subnetting.

In my career I have had a chance to take part in interviewing many Network Engineer candidates for various jobs. One of the common areas I generally want to get a quick reading on is their knowledge of NAT on a Cisco Router. So in an interview I’ll ask them to walk me through the general steps they would need to take to implement a specific NAT method on a Cisco Router.

What I have found is that a pretty small percentage know this stuff well enough to answer my questions with any clarity and certainty! This should not be the case. This is basic stuff that every Network Engineer working on Cisco Routers simply must know! So, let’s get started…


Common Forms of NAT on a Cisco Router

Before we get into the actual configurations, let’s briefly look at the different options you have when configuring NAT on a Cisco Router. NAT has a few general forms and can work in different ways, so let’s look at each of them at a high level.

Static NAT

Static NAT is a one-to-one mapping of IP addresses. As you might guess, this is usually for cases where you want to map a private internal unregistered IP to a registered public external IP on a one-to-one basis.

Now I should note here that going from unregistered to registered IP addressing is the most common way of using NAT, but in reality you may want one of your internal unregistered IP addresses mapped to another unregistered IP address to connect to a partner network or something of that nature.

So, static NAT is always based on a one-to-one mapping. The router is configured with a command that tells it to always translate a particular inside IP to a particular outside IP. Because the mapping is fixed, it works in both directions: outside hosts can initiate connections to the global address and reach the inside host, which is exactly what you want for a server and exactly what you must filter for anything else. We will be looking at this in more detail shortly.


Dynamic NAT

Dynamic NAT maps an unregistered IP address to a registered IP address taken from a pool of registered IP addresses.

In this case the actual address mapping is still one-to-one, similar to static NAT; the difference is that the mapping can change based on how many addresses are in the pool, which devices are using them, and when.

So if there were a pool of 10 registered addresses and 10 inside private addresses needing to be mapped, in the morning a host could be mapped to one public IP and then, after its translation has timed out and it reconnects in the afternoon, be mapped to another public IP. It is all based on what is available in the pool at that time.

The router takes the first available address in the pool and maps it to the inside host, and the entry stays in the translation table until it times out (“ip nat translation timeout”, 24 hours by default for these non-port translations). That has a failure mode worth knowing: if more inside hosts are active at once than the pool has addresses, the extra hosts get no translation and their packets are dropped until an entry expires or is cleared.

Overloading

Overloading is a form of Dynamic NAT that maps unregistered IP addresses to a single registered IP address. This could be considered a many-to-one mapping.


This is also known as PAT (Port Address Translation), because it uses the TCP and UDP source ports (and the query ID for ICMP) to keep the translations apart.

So even though all of the devices with unregistered private addresses on the internal network are mapped to the same registered public address, each flow gets a unique source port on the router, and that port is what lets the router send the return traffic back to the right inside host.
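The three forms just described, as an added example that is not from this tutorial or from Cisco: a small Python model of the translation table a router keeps for static NAT, dynamic (pool) NAT and overload/PAT. The class and field names are my own, the addresses match the tutorial’s later examples, and the port-allocation rule (keep the original source port when it is free, otherwise hand out the next unused port from 1024) is an assumption chosen to mirror what IOS does; the point is to see the pool-exhaustion drop and the per-flow port uniqueness that the prose only states.

```python
"""Toy model of static NAT, dynamic (pool) NAT and overload/PAT.

Added illustration, not Cisco code: it mirrors "ip nat inside source static",
"... list N pool P" and "... pool P overload" closely enough to test the
behaviour described in the text (one-to-one mapping, pool exhaustion, PAT ports).
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    proto: str   # "tcp" or "udp"
    src: str     # inside local address
    sport: int   # inside local port
    dst: str     # outside global address
    dport: int   # outside global port


@dataclass
class NatRouter:
    permitted: List[str] = field(default_factory=list)   # the NAT ACL, as prefixes
    static: Dict[str, str] = field(default_factory=dict)  # inside local -> inside global
    pool: List[str] = field(default_factory=list)         # "ip nat pool" addresses
    overload: bool = False                                # the "overload" keyword
    dynamic: Dict[str, str] = field(default_factory=dict)  # active one-to-one entries
    pat: Dict[Tuple[str, str, int], Tuple[str, int]] = field(default_factory=dict)

    def translate(self, f: Flow) -> Optional[Tuple[str, int]]:
        """Return (inside global address, inside global port), or None when the
        router would forward the packet untranslated (no ACL match) or drop it
        (pool exhausted)."""
        if f.src in self.static:                  # static: fixed one-to-one, port untouched
            return self.static[f.src], f.sport
        if not any(IPv4Address(f.src) in IPv4Network(net) for net in self.permitted):
            return None                           # ACL did not match: no translation at all
        return self._pat(f) if self.overload else self._dynamic(f)

    def _dynamic(self, f: Flow) -> Optional[Tuple[str, int]]:
        if f.src in self.dynamic:                 # an existing entry is reused
            return self.dynamic[f.src], f.sport
        in_use = set(self.dynamic.values())
        for addr in self.pool:                    # first free address in the pool wins
            if addr not in in_use:
                self.dynamic[f.src] = addr
                return addr, f.sport
        return None                               # pool exhausted: packet dropped

    def _pat(self, f: Flow) -> Tuple[str, int]:
        key = (f.proto, f.src, f.sport)
        if key in self.pat:
            return self.pat[key]
        global_addr = self.pool[0]                # one address shared by everyone
        used = {gp for (proto, _, _), (_, gp) in self.pat.items() if proto == f.proto}
        # Assumed policy: keep the original source port when free, otherwise take the
        # next unused one, so two inside hosts never end up sharing a global port.
        gport = f.sport if f.sport not in used else next(
            p for p in range(1024, 65536) if p not in used)
        self.pat[key] = (global_addr, gport)
        return self.pat[key]
```

With a four-address pool the fifth concurrent host gets None back, which is the drop the text warns about; with overload, two hosts that both use source port 5000 come out as 200.200.200.200:5000 and 200.200.200.200:1024.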

Cisco uses the following names for IP addresses to indicate whether they are on the private network (generally the Local Area Network, LAN) or on the public network (Internet), and the general direction of the traffic:

Inside Local
Inside Global
Outside Local
Outside Global

Inside local addresses are the IP addresses assigned to hosts on the inside network. This would generally be a private IP address assigned by DHCP or the local network administrator. These are generally unregistered private IP addresses.

Inside global addresses are legitimate registered IP addresses, assigned by the ISP, that represent one or more inside local IP addresses.

The outside local address is the IP address of an outside host as it appears to the inside network. In other words, an address residing on the outside that the inside network knows about. This address may not be the “real” address of the outside host.

The outside global address is the IP address assigned to a host on the outside network by the host’s owner. The address is allocated from globally routable address space. This is the “real” address of the host on the outside network.

The following definitions of local and global addresses help to keep all of this in perspective:

Local address – any address that appears on the inside portion of the network.

Global address – any address that appears on the outside portion of the network.

These “inside” and “outside” classifications are NAT definitions. Specific interfaces on a Cisco router are configured for NAT as “inside” and “outside” using the “ip nat inside” and “ip nat outside” commands. We will go more into that as we look at the configurations.


Static NAT Configuration Details

Let’s say we have a network of only one person and we want this person to always be statically translated from a private unregistered IP address to a public registered IP address. This is probably the most basic way of doing NAT. It is also very simple to configure.

In this case the private IP of this user is 10.10.10.10. The public IP we want to map to this user is 200.200.200.200.

Here is a diagram of the general design and what we are setting out to accomplish:


Okay, so let’s look at what we need to do on the Cisco Router to make this happen. This will be one of the simpler NAT configurations.

Step 1

Define which interface is inside and which is outside. We do this with the “ip nat inside” and “ip nat outside” commands. In this case we know that Ethernet1 is the inside, since that is what our user is directly connected to, and the outside interface, Serial1/0, is the one connecting out to the Internet.


Here is all we have to do to make Ethernet1 the NAT inside interface:

Router(config)# interface ethernet1
Router(config-if)# ip address 10.10.10.1 255.255.255.0
Router(config-if)# ip nat inside

Now, let’s define the NAT outside interface:

Router(config)# interface serial1/0
Router(config-if)# ip address 200.200.200.2 255.255.255.0
Router(config-if)# ip nat outside

Step 2

Configure the source static entry on the Router. This is done with the “ip nat inside source static” command:

Router(config)# ip nat inside source static 10.10.10.10 200.200.200.200

Step 3

Done! That is literally all there is to it for a basic static mapping. You could also do this based on an access-list so that the translation only occurs when the criteria laid out in the access list are met, and we will be looking at how to do that shortly, but in this first example I just wanted to show how easy this is. Pretty simple, huh?

One thing to keep in mind before you walk away from it: a static mapping is bidirectional, so anything on the Internet can now reach 10.10.10.10 by sending to 200.200.200.200 on any port. If that host is not meant to be a public server, restrict what the outside interface accepts with an inbound access list.


Static NAT in an HSRP Environment

Let’s say we had an environment where Hot Standby Router Protocol (HSRP) was used. We would want our static NAT functionality to keep working in the event that our primary HSRP router failed. This is pretty easy to accomplish; let’s go through the steps necessary.

Ok, let’s look at the diagram of how this looks and then we’ll walk through the steps:

Diagram: Internet behind an ISP Router (.1) on 200.200.200.0/24; two NAT Routers running HSRP, each with Interface Serial1/0 on 200.200.200.0/24 (.2 and .3) and Interface Eth1 on the 10.10.10.0/24 Local Area Network (.2 and .3) sharing the HSRP address 10.10.10.1; client 10.10.10.10; Static NAT maps 10.10.10.10 to 200.200.200.200.


As you can see, the 10.10.10.10 client uses 10.10.10.1 as its default gateway, and this gateway address is an HSRP shared address between the two NAT routers. Let’s walk through the steps necessary to make this happen.

Step 1

Set up our Ethernet interface configurations, including IP address, NAT inside, HSRP, and an HSRP group name. In this example we’ll name our HSRP group simply “HSRP”. The name is set with “standby 1 name”, and it is what the NAT redundancy command refers to later, so it must match exactly on both routers:

Router1(config)# interface ethernet1
Router1(config-if)# ip address 10.10.10.2 255.255.255.0
Router1(config-if)# ip nat inside
Router1(config-if)# standby 1 ip 10.10.10.1
Router1(config-if)# standby 1 name HSRP

We need to do the same on the other router:

Router2(config)# interface ethernet1
Router2(config-if)# ip address 10.10.10.3 255.255.255.0
Router2(config-if)# ip nat inside
Router2(config-if)# standby 1 ip 10.10.10.1
Router2(config-if)# standby 1 name HSRP


Step 2

Set up our Serial interface configurations for each router. All that is needed here is the NAT outside configuration:

Router1(config)# interface serial1/0
Router1(config-if)# ip address 200.200.200.2 255.255.255.0
Router1(config-if)# ip nat outside

And the secondary router:

Router2(config)# interface serial1/0
Router2(config-if)# ip address 200.200.200.3 255.255.255.0
Router2(config-if)# ip nat outside

Okay, so now our HSRP config is set up and our NAT interfaces are set up on each router. Next, we need to make the static NAT configuration redundant on each router. Here is how we do it:

Router1(config)# ip nat inside source static 10.10.10.10 200.200.200.200 redundancy HSRP

And the same on Router2:

Router2(config)# ip nat inside source static 10.10.10.10 200.200.200.200 redundancy HSRP

The “redundancy HSRP” keyword ties the translation to the HSRP group, so only the router that is currently HSRP active performs it. Now in the event that Router1 failed, we would still have our static NAT functionality happening through Router2.

Two things to check in this design. First, the HSRP group is on the inside interface, so if Router1’s Serial1/0 goes down while Ethernet1 stays up, HSRP will not fail over by itself; add “standby 1 track serial1/0” so the active router gives up the group when its outside link fails. Second, the ISP must have a path to 200.200.200.200 through whichever router is active, so confirm how that address is routed toward your two outside interfaces before you rely on the failover.


Dynamic NAT Configuration Details

In this next example I want to walk you through how to configure Dynamic NAT on the Cisco Router. The steps are pretty similar to the above, with a few changes.

In this scenario we have the same office and network topology as before, but the office has grown and now we need to dynamically NAT four users on the inside to a pool of four registered addresses. The clients on the inside network have private IP addresses 10.10.10.10-13 and they need to be mapped to 200.200.200.200-203.

See the following diagram for the general topology:


Okay, so let’s look at the steps we need to take to make this happen.


Step 1

Just like last time we define which interface is inside and which is outside with the “ip nat inside” and “ip nat outside” commands:

Router(config)# interface ethernet1
Router(config-if)# ip address 10.10.10.1 255.255.255.0
Router(config-if)# ip nat inside

Router(config)# interface serial1/0
Router(config-if)# ip address 200.200.200.2 255.255.255.0
Router(config-if)# ip nat outside

Step 2

This is where things are a bit different. We need to set up our pool of addresses to NAT with. We do this with the “ip nat pool” command:

Router(config)# ip nat pool public 200.200.200.200 200.200.200.203 netmask 255.255.255.0

Here we created a NAT pool called “public” which contains the four addresses we want in the pool, 200.200.200.200 to 200.200.200.203. You can indicate the subnet mask either with the “netmask” keyword as above or, with newer versions of code, with the “prefix-length” keyword, which in this case would be “prefix-length 24” because our mask is 255.255.255.0.

Step 3

Now we need to create an access-list on the Router to indicate which source addresses can be translated. In our case we want all of the devices on our inside 10.10.10.0/24 network, so we can create the ACL for the entire network:

Router(config)# access-list 7 permit 10.10.10.0 0.0.0.255

Alternatively, we could build the ACL from just our four hosts; either way works fine:

Router(config)# access-list 7 permit host 10.10.10.10
Router(config)# access-list 7 permit host 10.10.10.11
Router(config)# access-list 7 permit host 10.10.10.12
Router(config)# access-list 7 permit host 10.10.10.13

As long as the devices we want translated are permitted by the ACL we are ready to move on to the next step. Keep the ACL as tight as your addressing allows, and understand what it does and does not do: it only decides what gets translated, it does not block anything. A source that the ACL does not permit is simply forwarded untranslated with its private address, so filtering still belongs in an access list applied to the outside interface, not here. Avoid “permit any” for the same reason.


Step 4

Next, we create our NAT inside source list based on the ACL we just created. We do this with the “ip nat inside source list” command:

Router(config)# ip nat inside source list 7 pool public

This command says to NAT anything matching access-list number 7 using the pool named “public”. That is basically all there is to it for dynamic NAT. You can name your pool whatever you like and number your ACL whatever you like (it just needs to be a standard access-list).

Taking the example one step further, let’s say this company grew even more and needed another network, so now hanging off the same router is a new Ethernet interface with some new hosts, and these new hosts also need to take part in this dynamic NAT setup. Let’s look at what we would have to do to modify the existing configuration.


First, the updated diagram showing the new addition to the topology:

Diagram: Internet behind an ISP Router (.1) on 200.200.200.0/24; NAT Router with Interface Serial1/0 at 200.200.200.2, Interface Eth1 at 10.10.10.1 and Interface Eth2 at 10.20.20.1; 10.10.10.x clients .10 through .13 on 10.10.10.0/24 and 10.20.20.x clients .10 through .13 on 10.20.20.0/24; Dynamic NAT maps 10.10.10.10-13 and 10.20.20.10-13 to 200.200.200.200-206.

So now we have some new hosts on a new network, Ethernet2 on our router, which has an IP of 10.20.20.1.


Step 1

The first thing we need to do is add our new interface as a NAT inside interface:

Router(config)# interface ethernet2
Router(config-if)# ip address 10.20.20.1 255.255.255.0
Router(config-if)# ip nat inside

Step 2

Increase the number of registered IP addresses in our NAT pool from 200-203 to 200-206:

Router(config)# ip nat pool public 200.200.200.200 200.200.200.206 netmask 255.255.255.0

Depending on the IOS release, the router may refuse to redefine a pool that has translations in use. If it does, clear them with “clear ip nat translation *”, remove the pool (“no ip nat pool public …”), and re-enter the larger one. Also do the arithmetic: that is seven addresses for eight hosts, so if all eight are active at once the eighth gets no translation until an entry times out. Widen the pool to 200.200.200.207, or use overloading, which we cover next.

Step 3

Update access-list 7 to include the new network:

Router(config)# access-list 7 permit 10.20.20.0 0.0.0.255

And that would be it. The new network can now be dynamically NAT’d just like the original network.


NAT Overloading Configuration Details

The configuration for NAT overloading is not much different from our previous example. There is just a slight difference, the introduction of a new keyword in the config. Let’s check it out.

In this scenario the company we have been working with has decided that they don’t want to do static or dynamic NAT; instead they want everyone, including the users on networks 10.10.10.0 and 10.20.20.0, to be Port Address Translated to a single IP address, 200.200.200.200. We do this with “overloading”.

We talked a bit about overloading, also known as PAT, before. The general way it works is that TCP and UDP source ports on the single public IP are assigned per flow, and the port is how the router tells which return traffic belongs to which inside source IP.

This is by far the most common configuration you will use with NAT on a Cisco router, for one reason because it is a very efficient way to conserve public address space.

So let’s get busy with the configuration.


Have a look at the diagram:

Let’s go through the steps:

Step 1

Add “ip nat inside” and “ip nat outside” to the appropriate interfaces. Done previously!

Step 2

Create the access-list that selects which networks or hosts need to be translated. Done previously! (Access-list 7)

Step 3

Create the pool. The pool was created previously, but since the company only wants one registered IP address to overload all the unregistered private addresses onto, we need to modify the pool (same caveat as before about a pool that is in use). Let’s do that now:

Router(config)# ip nat pool public 200.200.200.200 200.200.200.200 netmask 255.255.255.0

Step 4

Create the IP NAT inside source list. This was done previously, but we need to modify that command now that we want to overload:

Router(config)# ip nat inside source list 7 pool public overload


Notice that now we have the “overload” keyword on the end of the “ip nat inside source list” command. This tells the router to overload all connections onto this single IP, which changes the configuration from NAT to PAT as we discussed before. That is basically all there is to it.

One item also worth noting is that you can PAT connections to an interface IP address as well, as long as that interface has a valid registered public IP address assigned to it.

Looking at our example, we said that serial1/0 on the router has an IP address of 200.200.200.2. If we did not have any other IP addresses to use and wanted to overload onto this address, we could do it with the following config:

Router(config)# ip nat inside source list 7 interface serial1/0 overload

Using the interface has a practical advantage over a one-address pool: if the ISP ever renumbers the link, the translation follows the interface address without a pool change. Either way, remember that a single global address has a limited number of ports to hand out, so a very large user population behind one address can exhaust them; a multi-address pool with “overload” spreads the load.


NAT Overloading In An HSRP Environment

Now we want to look at how we can set up NAT overloading to work in an HSRP environment.

This is very useful because if you have two routers running HSRP and the primary fails, the secondary picks up the general connectivity and that may be fine for general traffic. But what would happen to the NAT connections? They would all break! The translation table lives only on the router that built it, and a standby router with no entry for a flow cannot match the return traffic to the inside host.

So what we need to do in this case is use what is called SNAT, or Stateful NAT, to preserve the connections in the event of an HSRP failover. You might hear other vendors or people say that SNAT stands for Secure NAT or Source NAT, but in Cisco-ese SNAT means Stateful NAT. Just wanted to make that note. It is also a feature that exists only on some IOS releases and platforms, so check that “ip nat stateful” is accepted on your routers before you design around it.

Essentially the SNAT configuration allows the two routers to function as a group. Since they are both “on the same page” by being in the same group, they exchange their NAT information with each other, so the NAT translations that are active on the primary router are immediately passed over to the secondary router.

This goes for new sessions and for sessions that eventually get terminated; the bottom line is that the NAT tables on each router are identical, including not only the IP addresses but also the per-port entries that overloading creates. This is why it is called “Stateful NAT”. If you show the NAT translations on either router, assuming you configured everything properly, they will look exactly the same.

This is a very cool thing!

So let’s check out the diagram and then I’ll show you how to configure SNAT:


Step 1

As before, we first set up our Ethernet interface configurations, including IP address, NAT inside, HSRP, and the HSRP group name. In this example we’ll name our HSRP group “SNATHSRP”. The name must be identical on both routers, because the SNAT “redundancy” statement below refers to it:

Router1(config)# interface ethernet1
Router1(config-if)# ip address 10.10.10.2 255.255.255.0
Router1(config-if)# ip nat inside
Router1(config-if)# standby 1 ip 10.10.10.1
Router1(config-if)# standby 1 name SNATHSRP

We need to do the same on the other router:

Router2(config)# interface ethernet1
Router2(config-if)# ip address 10.10.10.3 255.255.255.0
Router2(config-if)# ip nat inside
Router2(config-if)# standby 1 ip 10.10.10.1
Router2(config-if)# standby 1 name SNATHSRP

Step 2

Next, of course, we need to set up our Serial interface configurations for each router. All that is needed here is the NAT outside configuration:

Router1(config)# interface serial1/0
Router1(config-if)# ip address 200.200.200.2 255.255.255.0
Router1(config-if)# ip nat outside

And the secondary router:

Router2(config)# interface serial1/0
Router2(config-if)# ip address 200.200.200.3 255.255.255.0
Router2(config-if)# ip nat outside

Step 3

Create our ACL on both routers. We did this before, but just as a reminder:

Router1(config)# access-list 7 permit 10.10.10.0 0.0.0.255
Router2(config)# access-list 7 permit 10.10.10.0 0.0.0.255

Step 4

Here is where we add the Stateful NAT configuration to each router. Note that “ip nat stateful id” opens a sub-mode and “redundancy” opens another one beneath it, so the prompts change. The redundancy name is the HSRP group name from Step 1, and the mapping-id is the number that the translation rule in the next step will reference:

Router1(config)# ip nat stateful id 1
Router1(config-ipnat-snat)# redundancy SNATHSRP
Router1(config-ipnat-snat-red)# mapping-id 10

And the same on Router2:

Router2(config)# ip nat stateful id 1
Router2(config-ipnat-snat)# redundancy SNATHSRP
Router2(config-ipnat-snat-red)# mapping-id 10

Step 5

Now we enter the pool information and our “ip nat inside source” command. You will notice the “ip nat inside source” command is now using a route map to reference the access list we created. This is essentially another way of doing the same thing; the “mapping-id 10” keyword ties these translations to the SNAT group configured in Step 4. Define the route map before the command that references it:

Router1(config)# ip nat pool public 200.200.200.200 200.200.200.200 netmask 255.255.255.0
Router1(config)# route-map rm-snat1 permit 10
Router1(config-route-map)# match ip address 7
Router1(config-route-map)# exit
Router1(config)# ip nat inside source route-map rm-snat1 pool public mapping-id 10 overload

And the same on router 2:

Router2(config)# ip nat pool public 200.200.200.200 200.200.200.200 netmask 255.255.255.0
Router2(config)# route-map rm-snat1 permit 10
Router2(config-route-map)# match ip address 7
Router2(config-route-map)# exit
Router2(config)# ip nat inside source route-map rm-snat1 pool public mapping-id 10 overload
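Every step above has to be entered identically on both routers, and the one mistake that is easy to make (an HSRP group name on one router that does not match the name the SNAT “redundancy” line refers to) fails silently. As an added check, not from this tutorial and not a Cisco tool, here is a Python script that takes the running-config text of two intended SNAT peers, pulls out the NAT, pool, ACL, route-map, HSRP-name and SNAT lines they must agree on, and reports differences. The two configs are constructed for the example; ROUTER_B deliberately carries that group-name mistake.

```python
"""Consistency check for a pair of SNAT/HSRP routers (added example, not Cisco code).

Both running-configs below are constructed: ROUTER_A follows the tutorial's steps,
ROUTER_B is a copy with the HSRP group named "HSRP" instead of "SNATHSRP".
"""
import re
from typing import Dict, List, Set

ROUTER_A = """\
interface Ethernet1
 ip address 10.10.10.2 255.255.255.0
 ip nat inside
 standby 1 ip 10.10.10.1
 standby 1 name SNATHSRP
!
ip nat stateful id 1
 redundancy SNATHSRP
  mapping-id 10
!
ip nat pool public 200.200.200.200 200.200.200.200 netmask 255.255.255.0
ip nat inside source route-map rm-snat1 pool public mapping-id 10 overload
access-list 7 permit 10.10.10.0 0.0.0.255
route-map rm-snat1 permit 10
 match ip address 7
"""

ROUTER_B = (ROUTER_A.replace("standby 1 name SNATHSRP", "standby 1 name HSRP")
                    .replace("10.10.10.2 255", "10.10.10.3 255"))

# Statements that must be identical on both peers, keyed by what they configure.
PATTERNS = {
    "hsrp group name": re.compile(r"^standby \d+ name (\S+)$"),
    "snat redundancy": re.compile(r"^redundancy (\S+)$"),
    "snat mapping-id": re.compile(r"^mapping-id (\d+)$"),
    "nat rule":        re.compile(r"^(ip nat (?:inside|outside) source .+)$"),
    "nat pool":        re.compile(r"^(ip nat pool .+)$"),
    "nat acl":         re.compile(r"^(access-list \d+ .+)$"),
    "route-map":       re.compile(r"^(route-map .+|match ip address .+)$"),
}


def nat_profile(config: str) -> Dict[str, Set[str]]:
    """Collect the statements a peer must share, ignoring sub-mode indentation."""
    prof: Dict[str, Set[str]] = {k: set() for k in PATTERNS}
    for raw in config.splitlines():
        line = raw.strip()
        for key, pat in PATTERNS.items():
            m = pat.match(line)
            if m:
                prof[key].add(m.group(1))
                break
    return prof


def check_snat_pair(cfg_a: str, cfg_b: str) -> List[str]:
    """Return human-readable findings; an empty list means the peers are consistent."""
    a, b = nat_profile(cfg_a), nat_profile(cfg_b)
    findings: List[str] = []
    for key in PATTERNS:
        if a[key] != b[key]:
            findings.append(f"{key} differs: A={sorted(a[key])} B={sorted(b[key])}")
    for name, prof in (("A", a), ("B", b)):
        # The SNAT "redundancy" name must be an HSRP group that exists on the same router.
        dangling = prof["snat redundancy"] - prof["hsrp group name"]
        if dangling:
            findings.append(f"router {name}: SNAT redundancy {sorted(dangling)} "
                            f"has no matching 'standby name'")
        # Every mapping-id a translation rule uses must be declared under ip nat stateful.
        referenced = {m.group(1) for rule in prof["nat rule"]
                      for m in [re.search(r"mapping-id (\d+)", rule)] if m}
        undeclared = referenced - prof["snat mapping-id"]
        if undeclared:
            findings.append(f"router {name}: mapping-id {sorted(undeclared)} used by a "
                            f"NAT rule but not declared under ip nat stateful")
    return findings
```

Run check_snat_pair on the output of “show running-config” from each router (after stripping anything site-specific you do not want in a script) before a failover test; a clean run returns an empty list, and the constructed ROUTER_B produces two findings, one for the differing group names and one for the dangling redundancy reference on router B.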


Pretty cool huh? I have found this configuration very helpful when working with dynamic NAT on routers utilizing HSRP.

There have been many times on a specific project I was working on where we had two routers configured with HSRP and SNAT set up in the way mentioned above, and these two routers would fail over from one to another via HSRP. In every case, because the NAT translations were always synchronized between the two devices, these HSRP failovers were completely transparent and all business continued as usual. Had it not been for these configurations, all existing data flows would have been completely broken.

Congratulations, you now know what it takes to implement various flavors of NAT on a Cisco Router!

Now let’s take a quick look at verifying NAT is operating as it should be, and a few tools to see what is really going on with NAT from the router’s perspective.


Verifying NAT is Operating as Expected

There is a specific NAT command you will come to be very familiar with when you are troubleshooting and/or verifying NAT operations:

show ip nat translations

This command will give you pretty much all of the information you need to find out whether your NAT is functioning as it should. As you configure your NAT, attempt a connection to where you believe NAT should be working, then check your NAT translations with the above command. Each line shows the protocol and the four addresses defined earlier (inside global, inside local, outside local, outside global); with overloading you will see the port numbers appended to them, and “show ip nat translations verbose” adds the age of each entry and the time left before it expires.

Another command you will need to know is:

show ip nat statistics

This tells you all of the relevant information about your NAT configuration, such as which interfaces you have set up as inside and outside, whether these interfaces have any NAT hits, how the mapping is occurring, via which access list, and so on. It also shows each pool’s total and allocated addresses together with a per-pool “misses” counter, which tells you at a glance whether a pool has run dry.

Two more that are useful while you are tuning: “clear ip nat translation *” flushes the whole table (it drops every active session, so use it in a maintenance window), and “debug ip nat” prints each translation as it happens. Turn the debug on only briefly and on a quiet router; on a busy one it can swamp the console and the CPU.

Very useful commands - know them well!
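Reading “show ip nat translations” by eye works for four users; once the table has hundreds of entries you want the router’s view compared against what you intended. As an added example that is not part of the tutorial, the Python script below parses the command’s output and checks every entry against the policy described in this document (permitted inside networks, the pool, the static mappings). The sample output is constructed for the example, in the column layout IOS prints; the entry for 10.30.30.5 is planted to show what an unexpected translation looks like. An entry for a source the policy does not permit means the configuration on the box does not say what you think it says (an extra ACL line, a static mapping someone added), which is exactly the kind of drift an audit should catch.

```python
"""Audit "show ip nat translations" output against intended policy (added example,
not Cisco code).  SAMPLE_OUTPUT is constructed; the 10.30.30.5 line is planted."""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

SAMPLE_OUTPUT = """\
Pro Inside global          Inside local           Outside local          Outside global
--- 200.200.200.200        10.10.10.10            ---                    ---
tcp 200.200.200.200:1024   10.10.10.11:1024       198.51.100.20:443      198.51.100.20:443
udp 200.200.200.200:53000  10.20.20.12:53000      198.51.100.53:53       198.51.100.53:53
tcp 200.200.200.200:1025   10.30.30.5:1025        203.0.113.9:22         203.0.113.9:22
"""

Addr = Tuple[Optional[str], Optional[int]]


def split_addr(token: str) -> Addr:
    """'200.200.200.200:1024' -> ('200.200.200.200', 1024); '---' -> (None, None)."""
    if token == "---":
        return None, None
    if ":" in token:
        addr, port = token.rsplit(":", 1)
        return addr, int(port)
    return token, None


def parse_translations(text: str) -> List[Dict[str, object]]:
    """One dict per translation line; the header and blank lines are skipped."""
    entries: List[Dict[str, object]] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] == "Pro":
            continue
        proto, ig, il, ol, og = parts
        entries.append({
            "proto": None if proto == "---" else proto,
            "inside_global": split_addr(ig),
            "inside_local": split_addr(il),
            "outside_local": split_addr(ol),
            "outside_global": split_addr(og),
        })
    return entries


def audit(entries: List[Dict[str, object]], permitted: List[str],
          pool: List[str], static: Dict[str, str]) -> List[str]:
    """Flag every entry that the intended policy does not explain."""
    nets = [ip_network(n) for n in permitted]
    findings: List[str] = []
    for e in entries:
        local, _ = e["inside_local"]   # type: ignore[misc]
        glob, _ = e["inside_global"]   # type: ignore[misc]
        if local in static:            # static mapping: the global must be the configured one
            if glob != static[local]:
                findings.append(f"{local}: static mapping to {glob}, expected {static[local]}")
            continue
        if not any(ip_address(local) in n for n in nets):
            findings.append(f"{local}: translated although not in a permitted inside network")
        if glob not in pool:
            findings.append(f"{local}: uses inside global {glob} which is not in the pool")
    return findings


def run_sample() -> List[str]:
    """Audit the constructed output against the tutorial's design: the two inside
    networks, the single overloaded address, and the static entry for 10.10.10.10."""
    return audit(parse_translations(SAMPLE_OUTPUT),
                 permitted=["10.10.10.0/24", "10.20.20.0/24"],
                 pool=["200.200.200.200"],
                 static={"10.10.10.10": "200.200.200.200"})
```

Feed it the real output (for example, captured over SSH with whatever automation you already use) and treat any finding as a configuration review item, not as something to clear from the table.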


Conclusion

If you have faithfully followed the concepts and examples I have laid out in this tutorial, I trust that you now understand the basic principles of NAT on the Cisco Router. These “foundational principles” will guide you and help you with whatever specific requirements and configurations you face. The access lists and IP addresses will change, but you will bring to the table an understanding of what it takes to configure the Router for the client or employer you are working for.

It is up to you now to take this information and “run with it”. There are plenty of opportunities out there in your sphere of influence to take these foundational principles of NAT on the Cisco Router and put them into practice. You have been given keys to success; now it is up to you to take those keys and do something with them! If you came into this tutorial with some Cisco NAT experience behind you, I hope that it was able to reinforce and confirm what you already knew and potentially clarify some of those things you weren’t too sure of.

Be sure to get on my free email list where I give tips and tricks for both PIX/ASA Firewall and Cisco Router topics. To do so send a blank email to: [email protected]

It has been a pleasure serving you this information. Until next time!

Eric S. Severson

www.firewallkeys.com

www.routerkeys.com