[Cisco] How to configure NAT [Full commentary]

Operating environment

  • C891FJ-K9 Version 15.8(3)M9

Basic knowledge of NAT

Inside and outside interfaces

When configuring NAT, mark each interface that the NATed traffic passes through as either inside or outside.

Which interface is inside and which is outside is important in designing your NAT configuration.

Inside source NAT and outside source NAT

There are two types of NAT: inside source NAT and outside source NAT.

Inside source NAT translates the source address of traffic from inside to outside. With static NAT, it also translates the destination address of outside-to-inside traffic.

Outside source NAT translates the source address of traffic from outside to inside. With static NAT, it also translates the destination address of inside-to-outside traffic.

NAT table

Configuring static NAT creates translation entries in the NAT table. The router translates addresses according to the entries in the NAT table. For dynamic NAT, an entry is registered in the NAT table only when traffic that matches the NAT rule occurs.

How to configure static NAT

Set static NAT when you want to have one-to-one correspondence between addresses before and after translation.

Configuration Examples for Inside Source Static NAT

Consider the network structure in the image below with the following requirements:

  • Convert Client A’s source address from 10.10.10.100 to 192.168.100.3 when communicating from Client A to Client B
  • When communicating from Client B to 192.168.100.3, convert the destination from 192.168.100.3 to 10.10.10.100

First, set ip nat inside for the inside interface, and ip nat outside for the outside interface.

interface FastEthernet0
 ip nat inside

interface GigabitEthernet8
 ip nat outside

Next, configure the inside source static NAT settings.

ip nat inside source static 10.10.10.100 192.168.100.3

The setting syntax is below.

  • ip nat inside source static <inside local> <inside global>
    • <inside local>: IP address of Client A as seen from the inside
    • <inside global>: IP address of Client A as seen from the outside

The contents of the NAT table after configuration are as follows.

Router#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- 192.168.100.3      10.10.10.100       ---                ---

This setup accomplishes two requirements:

  • Convert Client A’s source address from 10.10.10.100 to 192.168.100.3 when communicating from Client A to Client B
  • When communicating from Client B to 192.168.100.3, convert the destination from 192.168.100.3 to 10.10.10.100

Configuration Examples for Outside Source Static NAT

Consider the network structure in the image below with the following requirements:

  • Convert Client B’s source address from 192.168.100.100 to 10.10.10.3 when communicating from Client B to Client A
  • When communicating from Client A to 10.10.10.3, convert the destination from 10.10.10.3 to 192.168.100.100

First, set ip nat inside for the inside interface, and ip nat outside for the outside interface.

interface FastEthernet0
 ip nat inside

interface GigabitEthernet8
 ip nat outside

Next, configure the outside source static NAT settings.

ip nat outside source static 192.168.100.100 10.10.10.3

The setting syntax is below.

  • ip nat outside source static <outside global> <outside local>
    • <outside global>: IP address of Client B as seen from the outside
    • <outside local>: IP address of Client B as seen from the inside

The contents of the NAT table after configuration are as follows.

Router#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- ---                ---                10.10.10.3         192.168.100.100

This setup accomplishes two requirements:

  • Convert Client B’s source address from 192.168.100.100 to 10.10.10.3 when communicating from Client B to Client A
  • When communicating from Client A to 10.10.10.3, convert the destination from 10.10.10.3 to 192.168.100.100

add-route option in outside source NAT

When you configure outside source NAT, the router performs the routing lookup before destination NAT for traffic from inside to outside.

Therefore, a static route is needed that routes the pre-translation destination IP address toward the post-translation destination IP address.

Besides setting this static route manually, you can add the add-route option to the outside source NAT setting.

The add-route option automatically installs the required static routes into the routing table.

ip nat outside source static 192.168.100.100 10.10.10.3 add-route

With the above settings, static routes are installed in the routing table as follows.

S        10.10.10.3/32 [1/0] via 192.168.100.100
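The following Python check is an added example, not part of the original article: it scans a configuration for outside source static NAT entries that have neither add-route nor a static route covering the outside local address. The sample configuration is constructed (only the first NAT line is the article's), and the function name is an assumption of this example.

```python
import ipaddress
import re

# Constructed running-config fragment; the first NAT line is the article's
# example, the other NAT and route lines are made up for the demonstration.
SAMPLE_CONFIG = """\
interface FastEthernet0
 ip nat inside
interface GigabitEthernet8
 ip nat outside
ip nat outside source static 192.168.100.100 10.10.10.3
ip nat outside source static 192.168.100.101 10.10.10.4 add-route
ip nat outside source static 192.168.100.102 10.10.10.5
ip route 10.10.10.5 255.255.255.255 192.168.100.102
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
NAT_RE = re.compile(rf"^ip nat outside source static {IP} {IP}(?P<opts>.*)$")
ROUTE_RE = re.compile(rf"^ip route {IP} {IP} ")


def outside_static_without_route(config):
    """Return (outside_global, outside_local) pairs that have neither
    add-route nor a static route covering the outside local address."""
    lines = [line.strip() for line in config.splitlines()]
    static_routes = []
    for line in lines:
        m = ROUTE_RE.match(line)
        if m:
            net = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
            static_routes.append(net)
    findings = []
    for line in lines:
        m = NAT_RE.match(line)
        if not m:
            continue
        if "add-route" in m["opts"].split():
            continue  # the router installs the /32 route itself
        outside_local = ipaddress.ip_address(m[2])
        # Only the existence of a covering static route is checked, not
        # whether its next hop really leaves through the outside interface.
        if not any(outside_local in net for net in static_routes):
            findings.append((m[1], m[2]))
    return findings


if __name__ == "__main__":
    for og, ol in outside_static_without_route(SAMPLE_CONFIG):
        print(f"{ol} (outside local of {og}): no add-route, no static route")
```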

How to configure PAT

PAT is a method of translating multiple IP addresses to the same IP address by also translating TCP/UDP port numbers.

In the network structure below, consider converting the source address to 192.168.100.10 when communicating from the inside client to the outside client B.

The configuration to be done on the router for PAT is below.

  • inside/outside interface configuration
  • Address pool settings
  • Source ACL settings
  • NAT settings

First, set ip nat inside for the inside interface, and ip nat outside for the outside interface.

interface FastEthernet0
 ip nat inside

interface GigabitEthernet8
 ip nat outside

Next, configure the address pool. In this example, we want the address after PAT conversion to be 192.168.100.10, so the settings are as follows.

ip nat pool POOL 192.168.100.10 192.168.100.10 netmask 255.255.255.0

The setting syntax is either:

  • ip nat pool <pool name> <starting address> <end address> netmask <subnetmask>
  • ip nat pool <pool name> <starting address> <end address> prefix <prefix length>

Next, configure an access list that defines the traffic to which NAT (PAT) is applied. In this example, we want to translate traffic whose source address is in 10.10.10.0/24, so:

access-list 10 permit 10.10.10.0 0.0.0.255

Finally, configure the NAT (PAT) settings.

ip nat inside source list 10 pool POOL overload

The setting syntax is below.

  • ip nat inside source list <ACL name/number> pool <pool name> overload
    • Adding the overload option makes this a PAT configuration

PAT is classified as dynamic NAT, where entries are not added to the NAT table while no communication is occurring.

After client A communicates with client B, an entry is added to the NAT table as shown below.

Router#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 192.168.100.10:1  10.10.10.100:1     192.168.100.100:1  192.168.100.100:1

Furthermore, if a terminal on the inside with an IP address of 10.10.10.120 communicates with client B, the NAT table will be displayed as follows.

Router#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 192.168.100.10:1  10.10.10.100:1     192.168.100.100:1  192.168.100.100:1
icmp 192.168.100.10:0  10.10.10.120:1     192.168.100.100:1  192.168.100.100:0

We can see that both clients have their source addresses translated to 192.168.100.10.
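Because several inside hosts share one inside global address under PAT, attributing traffic seen on the outside to a client requires the port column as well. The Python parser below is an added example, not part of the original article; it reads show ip nat translations output (the sample rows are the ones shown on this page) and maps an inside global address, optionally with its port, back to the inside local hosts. The function names are assumptions of this example.

```python
# Constructed sample: the two PAT rows and the inside static row from this page.
SAMPLE_OUTPUT = """\
Router#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 192.168.100.10:1  10.10.10.100:1     192.168.100.100:1  192.168.100.100:1
icmp 192.168.100.10:0  10.10.10.120:1     192.168.100.100:1  192.168.100.100:0
--- 192.168.100.3      10.10.10.100       ---                ---
"""


def split_endpoint(field):
    """'192.168.100.10:1' -> ('192.168.100.10', 1); '---' -> None."""
    if field == "---":
        return None
    addr, _, port = field.partition(":")
    return (addr, int(port) if port else None)


def parse_translations(output):
    """Parse the rows of 'show ip nat translations' into dicts."""
    entries = []
    for line in output.splitlines():
        cols = line.split()
        if len(cols) != 5 or cols[0] == "Pro":
            continue  # prompt line, header or blank line
        entries.append({
            "proto": None if cols[0] == "---" else cols[0],
            "inside_global": split_endpoint(cols[1]),
            "inside_local": split_endpoint(cols[2]),
            "outside_local": split_endpoint(cols[3]),
            "outside_global": split_endpoint(cols[4]),
        })
    return entries


def inside_hosts_for(entries, global_addr, global_port=None):
    """Inside local addresses behind an inside global address, optionally
    narrowed to one port (for ICMP rows this is the ICMP identifier)."""
    hosts = set()
    for e in entries:
        if e["inside_global"] is None or e["inside_local"] is None:
            continue  # row created by outside source NAT only
        addr, port = e["inside_global"]
        if addr == global_addr and global_port in (None, port):
            hosts.add(e["inside_local"][0])
    return sorted(hosts)
```

With the address alone, 192.168.100.10 resolves to both inside clients; only the address and port together identify a single host, and only while the dynamic entry still exists in the table.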

Note that the overload option used in this configuration example cannot be used with the “ip nat outside …” configuration.
