
Cisco Router NAT Tutorial

How to Configure NAT on a Cisco Router

By Eric S. Severson
President / Sr. Network Consultant
Key IT Consulting, Inc.

Eric S. Severson and Key IT Consulting, Inc.

You do not have resell rights or giveaway rights to this eBook. Only customers that have purchased this material are authorized to view it. This eBook contains material protected under International and Federal Copyright Laws and Treaties. No part of this publication may be transmitted or reproduced in any way without the prior written permission of the author. Violations of this copyright will be enforced to the full extent of the law.

LEGAL NOTICE: The information, services and resources provided in this eBook are based upon the current Internet environment as well as the author's experience. The techniques presented have been proven to be successful. Because technologies are constantly changing, the services and examples presented in this eBook may change, cease or expand with time. We hope that the skills and knowledge acquired from this manual will provide you with the ability to adapt to the inevitable evolution of technological services. However, we cannot be held responsible for changes that may affect the applicability of these techniques. All product names, logos and artwork are copyrights of their respective owners. None of the owners have sponsored or endorsed this publication. While all attempts have been made to verify information provided, the author assumes no responsibility for errors, omissions, or contrary interpretation of the subject matter herein. Any perceived slights of peoples or organizations are unintentional. The purchaser or reader of this publication assumes responsibility for the use of these materials and information. No guarantees of income are made. The author reserves the right to make changes and assumes no responsibility or liability whatsoever on behalf of any purchaser or reader of these materials.

Table of Contents

Introduction
Common Forms of NAT on a Cisco Router
Static NAT Configuration Details
Static NAT in an HSRP Environment
Dynamic NAT Configuration Details
NAT Overloading Configuration Details
NAT Overloading in an HSRP Environment
Verifying NAT is Operating as Expected
Conclusion

Introduction

If you are reading this document chances are pretty good that you have a general idea of what Network Address Translation (or NAT) is, so I will be brief in explaining the basics so we can get right to the configurations and how-tos.

Network Address Translation (NAT) is essentially a way of conserving IP address space. In its most common usage, it allows an IP network that uses RFC 1918 private address space to be translated to publicly registered and routable address space for communication on the public Internet.

What you will most commonly see is NAT configured to present only one address for the entire inside private network to the public outside world.

There are two benefits to using NAT in this way. One is that it conserves the rapidly diminishing supply of registered public addresses. The other is that it adds a degree of obscurity: the entire inside network sits behind that single public address, and with overloading an outside host cannot open a connection to an inside host unless a translation entry for it already exists. Do not mistake this for a firewall, though. NAT does not inspect traffic, and a static mapping deliberately exposes the inside host to unsolicited inbound connections, so NAT should always be paired with access lists or a stateful firewall.

Most routers or firewalls on the market today do some form of NAT. If you have read my ebook titled PIX/ASA Firewall Keys (http://www.firewallkeys.com) you should be well aware of how NAT operates on a PIX/ASA Firewall.

The objective of this document is to clearly lay out how to configure NAT on a Cisco Router platform.

We will be looking at the most common implementations and get specific in regards to the exact Cisco Router IOS commands you will need to know, where to enter them, and how and why they work the way they do.

While there may be variations on how these designs and configurations are used based on your specific network topology, if you develop a solid grasp of the concepts laid out here, you will be well on your way to being able to configure NAT in your own environment.

I personally consider this essential and crucial information any Network Engineer working on Cisco Routers simply MUST KNOW. NAT on a Cisco Router is up there with having general knowledge of something like subnetting.

In my career I have had a chance to take part in interviewing many Network Engineer candidates for various jobs. One of the common areas I generally want to get a quick reading on is their knowledge of NAT on a Cisco Router.

So in an interview I'll ask them to walk me through the general steps they would need to take to implement a specific NAT method on a Cisco Router. What I have found is that a pretty small percentage know this stuff well enough to be able to answer my questions with any clarity and certainty! This should not be the case. This is basic stuff that every Network Engineer working on Cisco Routers simply must know! So, let's get started.

Common Forms of NAT on a Cisco Router

Before we get into the actual configurations let's briefly look at the different options you have when configuring NAT on a Cisco Router.

NAT has a few different general forms and can work in different ways, so let's look at each of these at a high level.

Static NAT

Static NAT is essentially a one-to-one mapping of IP addressing. As you might guess, this is usually for cases where you would want to map a private internal unregistered IP to a registered public external IP on a one-to-one basis.

Now I should note here that this concept of going from unregistered to registered IP addressing is the most common way of using NAT, but in reality you may want one of your internal unregistered IP addresses to map to another unregistered IP address to connect to another partner network or something of that nature.

So, static NAT is always based on a one-to-one mapping. The router gets configured with a command that tells it to always translate a particular inside IP to a particular outside IP. Because the mapping is fixed, it works in both directions: traffic from outside to the global address is translated to the inside host as well. We will be looking at this in more detail shortly.

Dynamic NAT

Dynamic NAT maps an unregistered IP address to a registered IP address taken from a group (pool) of registered IP addresses.

In this case, the actual address mapping is still on a one-to-one mapping, similar to Static NAT, however the difference is the mapping could change based on how many addresses are in the pool, which devices are actually using them, and at which time.

So if there were a pool of 10 registered addresses and 10 inside private addresses needing to be mapped, in the morning you could potentially be mapped to 1 public IP, then after disconnecting and reconnecting in the afternoon be mapped to another public IP. It is all based on what is available in the pool at that time.

The addresses are assigned per the general state and availability of what is in the pool. The mapping will take the first available address in the pool and map it accordingly.

Overloading

Overloading is a form of Dynamic NAT that maps unregistered IP addresses to a single registered IP address. This could be considered a many-to-one mapping.

This is also what is known as PAT (or Port Address Translation), because it uses the TCP and UDP port numbers (and ICMP query IDs) to keep the translations apart.

So even though all of the devices configured with unregistered private addresses on the internal network are being mapped to the same registered public address, each flow is given a unique port on the router, and that port is what lets the router send the return traffic back to the right inside host.

Cisco uses the following name designations for IP addresses to determine whether they are on the private network (generally Local Area Network LAN) or on the public network (Internet) and the general direction of the traffic:

Inside Local
Inside Global
Outside Local
Outside Global

Inside local addresses are those IP addresses that are assigned to a host on the inside network. This would generally be a private IP address assigned by DHCP or the local network administrator. These are generally unregistered private IP addresses.

Inside global addresses are those addresses which are a legitimate registered IP address assigned by the ISP that represent one or more inside local IP addresses.

The outside local address is an IP address of an outside host as it appears to the inside network. In other words, an address residing on the outside that the inside network knows about. This address may not be the real address of the outside host.

The outside global address is the IP address assigned to a host on the outside network by the host owner. The address is allocated from a globally routable address or network space. This would be the real address of the host on the outside network.

The following definitions of local and global addresses help to keep all of this in perspective:

Local address: a local address is any address that appears on the inside portion of the network.

Global address: a global address is any address that appears on the outside portion of the network.

These inside and outside classifications are NAT definitions. Specific interfaces on a Cisco router are configured for NAT as inside and outside using the ip nat inside and ip nat outside commands. We will go more into that as we look at the configurations.

Static NAT Configuration Details

Let's say we have a network of only 1 person and we want this person to always be statically translated from a private unregistered IP address to a public registered IP address.

This is probably the most basic way of doing NAT. It is also very simple to configure.

In this case the private IP of this user is 10.10.10.10. The public IP we want to map to this user is 200.200.200.200.

Here is a diagram of the general design and what we are setting out to accomplish:

Okay, so let's look at what we need to do on the Cisco Router to make this happen. This will be one of the simpler NAT configurations.

Step 1

Define which interface is inside and which is outside. We do this with the ip nat inside and ip nat outside commands.

In this case we know that Ethernet1 is the inside since that is what our user is directly connected to. And the outside interface, Serial1/0 is the one connecting out to the internet, so there we have it!


Here is all we have to do to make Ethernet1 the NAT inside interface:

Router(config)# interface ethernet1
Router(config-if)# ip address 10.10.10.1 255.255.255.0
Router(config-if)# ip nat inside

Now, let's define the NAT outside interface:

Router(config)# interface serial1/0
Router(config-if)# ip address 200.200.200.2 255.255.255.0
Router(config-if)# ip nat outside

Step 2

Configure the source static entry on the Router.

This is done with the ip nat inside source static command:

Router(config)# ip nat inside source static 10.10.10.10 200.200.200.200

Step 3

Done! That is literally all there is to it for a basic static mapping. You could also do this based on an access-list so that the translation only occurred if the specific criteria laid out in the access list were met, and we will be looking at how to do that shortly, but in this first example I just wanted to show how easy this is. Pretty simple, huh?

One thing to keep in mind: a static mapping is bidirectional, so once this line is in place any host on the Internet can reach 10.10.10.10 by sending traffic to 200.200.200.200. If that host should only be offering certain services, restrict what is allowed in with an access list on the outside interface rather than relying on NAT to hide it.

Static NAT in an HSRP Environment

Let's say we had an environment where Hot Standby Router Protocol (HSRP) was used. We would want our static NAT functionality to keep working in the event that our primary HSRP router failed. This is pretty easy to accomplish; let's go through the steps necessary.

Ok, let's look at the diagram of how this looks and then we'll walk through the steps:

[Diagram: Internet, ISP Router at 200.200.200.1 on 200.200.200.0/24. Two NAT routers running HSRP: Serial1/0 at .2 and .3 toward the ISP, Eth1 at .2 and .3 toward the LAN sharing the HSRP address 10.10.10.1. Static NAT maps 10.10.10.10 to 200.200.200.200. LAN 10.10.10.0/24 with the host 10.10.10.10.]


As you can see, the 10.10.10.10 client uses 10.10.10.1 as his default gateway, and this gateway address is an HSRP shared address between the 2 NAT routers.

Lets walk through the steps necessary to make this happen.

Step 1

Set up our Ethernet interface configurations, including the IP address, NAT inside, the HSRP virtual address, and an HSRP group name.

Router1(config)# interface ethernet1
Router1(config-if)# ip address 10.10.10.2 255.255.255.0
Router1(config-if)# ip nat inside
Router1(config-if)# standby 1 ip 10.10.10.1
Router1(config-if)# standby 1 name HSRP

In this example we'll name our HSRP group simply HSRP, using the standby name command; this is the name the NAT command will reference later, so it has to be identical on both routers. We need to do the same on the other router:

Router2(config)# interface ethernet1
Router2(config-if)# ip address 10.10.10.3 255.255.255.0
Router2(config-if)# ip nat inside
Router2(config-if)# standby 1 ip 10.10.10.1
Router2(config-if)# standby 1 name HSRP


Step 2

Set up our Serial interface configurations for each router. All that is needed here is the NAT outside configuration:

Router1(config)# interface serial1/0
Router1(config-if)# ip address 200.200.200.2 255.255.255.0
Router1(config-if)# ip nat outside

And on the secondary router:

Router2(config)# interface serial1/0
Router2(config-if)# ip address 200.200.200.3 255.255.255.0
Router2(config-if)# ip nat outside

Okay, so now our HSRP config is set up and our NAT config is set up on each router. Next, we need to make the static NAT configuration redundant on each router. Here is how we do it:

Router1(config)# ip nat inside source static 10.10.10.10 200.200.200.200 redundancy HSRP

And the same on Router2:

Router2(config)# ip nat inside source static 10.10.10.10 200.200.200.200 redundancy HSRP

The redundancy keyword names the HSRP group (the standby name from Step 1). Only the router that is currently HSRP active for that group performs the translation, so both routers can carry the identical line without conflicting, and if Router1 fails the mapping comes alive on Router2 and our static NAT keeps working. The ISP side still has to be able to reach 200.200.200.200 through whichever router is active.

Dynamic NAT Configuration Details

In this next example I want to walk you through how to configure Dynamic NAT on the Cisco Router. The steps are pretty similar to the above, with a few changes.

In this scenario, we have the same office and network topology as before, but the office has grown and now we need to dynamically NAT 4 users on the inside to a pool of 4 registered addresses.

The clients on the inside network have private IP addresses 10.10.10.10 through 10.10.10.13 and they need to be mapped to the pool 200.200.200.200 through 200.200.200.203.

See the following diagram for the general topology:

Okay, so let's look at the steps we need to take to make this happen.

Step 1

Just like last time we define which interface is inside and which is outside with the ip nat inside and ip nat outside commands.

Router(config)# interface ethernet1
Router(config-if)# ip address 10.10.10.1 255.255.255.0
Router(config-if)# ip nat inside

Router(config)# interface serial1/0
Router(config-if)# ip address 200.200.200.2 255.255.255.0
Router(config-if)# ip nat outside

Step 2

This is where things are a bit different.

We need to set up our pool of addresses to NAT with. We do this with the ip nat pool command.

Router(config)# ip nat pool public 200.200.200.200 200.200.200.203 netmask 255.255.255.0

In the last step we created a NAT pool called public which contains the four addresses we want in the pool, 200.200.200.200 to 200.200.200.203. You can either indicate the subnet mask with the netmask keyword as above, or, on newer versions of code, with the prefix-length keyword, which in this case would be prefix-length 24 because of the mask 255.255.255.0. The mask tells the router which bits of the range are host bits, so that it never hands out a network or broadcast address; it is not tied to the mask on the outside interface.

Step 3

Now we need to create an access-list on the Router to indicate what source addresses can be translated. In our case, we want all of the devices on our inside 10.10.10.0/24 network, so we can create the ACL based on the entire network:

Router(config)# access-list 7 permit 10.10.10.0 0.0.0.255

Alternatively, we could create this ACL just based on our four hosts, either way would work fine:

Router(config)# access-list 7 permit host 10.10.10.10
Router(config)# access-list 7 permit host 10.10.10.11
Router(config)# access-list 7 permit host 10.10.10.12
Router(config)# access-list 7 permit host 10.10.10.13

As long as whatever devices we want to be translated are in the ACL we are good and ready to move on to the next step.


Step 4

Next, we create our nat inside source list based on the new ACL we just created. We do this with the ip nat inside source list command, as follows:

Router(config)# ip nat inside source list 7 pool public

This command says to NAT anything matching access-list number 7 and use the pool named public. That is basically all there is to it for dynamic NAT. You can obviously name your pool whatever you like and number your ACL whatever you like (it just needs to be a standard access-list). Be deliberate about what the ACL permits, though: every source it matches is eligible for a public address, so an overly broad permit can hand translations to hosts you never meant to expose.

Taking the example one step further, let's say this company decided to grow even more and ended up needing to put another network in place, so now hanging off this same router is a new Ethernet interface with some new hosts, and these new hosts also need to partake in this dynamic NAT setup. Let's look at what we would have to do to modify this existing configuration.

First, the updated diagram showing the new addition to the topology:

[Diagram: Internet, ISP Router at 200.200.200.1 on 200.200.200.0/24. NAT Router with Serial1/0 at .2, Eth1 at 10.10.10.1 and Eth2 at 10.20.20.1. Dynamic NAT maps 10.10.10.10-13 and 10.20.20.10-13 to 200.200.200.200-206. Clients .10 to .13 on 10.10.10.0/24 and clients .10 to .13 on 10.20.20.0/24.]

So now we have some new hosts on a new network, hanging off Ethernet2 on our router, which has an IP of 10.20.20.1.

Step 1

The first thing we would need to do is add our new interface as a nat inside interface:

Router(config)# interface ethernet2
Router(config-if)# ip address 10.20.20.1 255.255.255.0
Router(config-if)# ip nat inside

Step 2

Increase the range of registered IP addresses in our NAT pool from 200.200.200.200-203 to 200.200.200.200-206. IOS will not let you redefine a pool that has active translations using it, so on a production router clear them first with clear ip nat translation * (which drops the sessions behind them), or do this in a maintenance window:

Router(config)# ip nat pool public 200.200.200.200 200.200.200.206 netmask 255.255.255.0

Step 3

Update access-list 7 to include the new network. This appends a second permit line to the existing list; it does not replace the 10.10.10.0 line:

Router(config)# access-list 7 permit 10.20.20.0 0.0.0.255

And that would be it. The new network would now be dynamically NATed just like the original network. One thing to watch: we now have eight eligible hosts and only seven pool addresses. Dynamic NAT is still one-to-one, so when all seven are held, the eighth host gets no translation and its traffic is dropped until an existing entry times out. If a host cannot get out and never appears in show ip nat translations, an exhausted pool is the first thing to check.

NAT Overloading Configuration Details

The configuration involved with NAT overloading is not much different from our previous example. There is just a slight difference with the introduction of a new keyword in the config. Let's check it out.

In this scenario, the company we have been working with previously has decided that they don't want to do static or dynamic NAT; instead they want everyone, including the users on networks 10.10.10.0 and 10.20.20.0, to be Port Address Translated to a single IP address, which is 200.200.200.200. We do this with overloading.

We talked a bit about overloading (also known as PAT) before, but the general way this works is that TCP and UDP port numbers on the single public IP are assigned per flow, and this is how the router tells which data flow actually belongs to which source IP.

This I would say is by far the most common configuration you will use with NAT on the Cisco, for one reason because it is a very efficient way to conserve public address space.

So let's get busy with the configuration.

Have a look at the diagram:

Let's go through the steps:

Step 1

Add ip nat inside and ip nat outside to appropriate interfaces.


Done previously!

Step 2

Create access-list that will associate specific networks or hosts to what needs to be translated

Done previously! (Access-list 7)

Step 3

Create pool.

The pool was created previously, but since the company only wants to use one particular IP address to overload all of the unregistered private IP addresses to, we need to modify the pool so that its start and end address are the same. Let's do that now (as before, clear any active translations first if the pool is in use).

Router(config)# ip nat pool public 200.200.200.200 200.200.200.200 netmask 255.255.255.0

Step 4

Create the IP NAT inside source list

This was done previously, but we need to modify that command now that we want to overload:

Router(config)# ip nat inside source list 7 pool public overload


Notice that now we only have the overload keyword added to the end of the ip nat inside source list command. This tells the router to begin overloading all connections onto the single IP in the pool, differentiating them by port. This changes the configuration from NAT to PAT, as we discussed before.

That is basically all there is to it.

One item that is also worth noting is that you can use an interface IP to PAT connections to as well, as long as that interface has a valid registered public IP address assigned to it.

Looking at our example, we said that serial1/0 on the router in this design has an IP address of 200.200.200.2. If we did not have any other IP addresses to use and wanted to use this address to overload with we could do it with the following config:

Router(config)# ip nat inside source list 7 interface serial1/0 overload
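To make the three forms concrete, here is a small Python model of the decisions the router makes for an outbound packet: static one-to-one, dynamic one-to-one from a pool, and overload (PAT). It is an added example for this page, not IOS code and not the author's; the class and function names are this example's own, and it reuses the tutorial's addresses (inside 10.10.10.0/24, pool 200.200.200.200-203, access-list 7). It also shows the two things the prose only states: a standard-ACL wildcard match (1 bits are "don't care"), and what happens when a dynamic pool runs out or two PAT hosts pick the same source port.

```python
"""Toy model of Cisco-style NAT: static, dynamic pool, and overload (PAT).
Added example, not IOS code. Addresses mirror the tutorial; names are ours."""
import ipaddress


def acl_permits(addr, entry, wildcard):
    """IOS standard-ACL semantics: wildcard bits set to 1 are 'don't care',
    so 'permit 10.10.10.0 0.0.0.255' matches any 10.10.10.x."""
    a, e, w = (int(ipaddress.IPv4Address(x)) for x in (addr, entry, wildcard))
    mask = 0xFFFFFFFF ^ w
    return (a & mask) == (e & mask)


class NatRouter:
    def __init__(self, acl, pool, overload=False):
        self.acl = acl              # [(address, wildcard), ...] permit entries
        self.pool = pool            # inside global addresses (ip nat pool)
        self.overload = overload    # the 'overload' keyword
        self.statics = {}           # inside local -> inside global (always on)
        self.dynamic = {}           # inside local -> inside global (one-to-one)
        self.pat = {}               # (inside local, port) -> (inside global, port)
        self.dropped = 0            # packets with no free pool address

    def add_static(self, inside_local, inside_global):
        """ip nat inside source static <local> <global>"""
        self.statics[inside_local] = inside_global

    def translate(self, inside_local, src_port):
        """Return (inside global, global port) for an outbound packet, or None."""
        if inside_local in self.statics:          # statics need no ACL match
            return self.statics[inside_local], src_port
        if not any(acl_permits(inside_local, e, w) for e, w in self.acl):
            return None                           # not eligible: routed untranslated
        if self.overload:
            return self._pat(inside_local, src_port)
        if inside_local in self.dynamic:
            return self.dynamic[inside_local], src_port
        free = [g for g in self.pool if g not in self.dynamic.values()]
        if not free:
            self.dropped += 1                     # pool exhausted: packet is dropped
            return None
        self.dynamic[inside_local] = free[0]      # first available address
        return free[0], src_port

    def _pat(self, inside_local, src_port):
        """Everyone shares the first pool address; collide on port -> new port."""
        key = (inside_local, src_port)
        if key in self.pat:
            return self.pat[key]
        g = self.pool[0]
        in_use = {p for gaddr, p in self.pat.values() if gaddr == g}
        port = src_port if src_port not in in_use else self._free_port(in_use)
        self.pat[key] = (g, port)
        return self.pat[key]

    @staticmethod
    def _free_port(in_use):
        port = 1024
        while port in in_use:
            port += 1
        return port


def demo():
    acl = [("10.10.10.0", "0.0.0.255")]           # access-list 7
    pool = ["200.200.200.200", "200.200.200.201",
            "200.200.200.202", "200.200.200.203"]  # ip nat pool public ... 200-203

    dyn = NatRouter(acl, pool)                    # ip nat inside source list 7 pool public
    for i in range(5):                            # five hosts, four addresses: one is dropped
        dyn.translate(f"10.10.10.{10 + i}", 40000)

    pat = NatRouter(acl, pool[:1], overload=True)  # ... pool public overload
    a = pat.translate("10.10.10.10", 40000)
    b = pat.translate("10.10.10.11", 40000)       # same source port: gets a new global port
    c = pat.translate("10.20.20.10", 40000)       # not permitted by ACL 7: not translated
    return dyn.dropped, a, b, c


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the fifth dynamic host being dropped, the second PAT host being moved to global port 1024 because 40000 was already taken, and the 10.20.20.10 host leaving the router untranslated because access-list 7 does not yet permit its network.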


NAT Overloading in an HSRP Environment

Now we want to look at how we can set up NAT Overloading to work in an HSRP environment.

This is very useful because if you have two routers running HSRP and the primary fails, the secondary picks up the general connectivity, and that might be fine for ordinary routed traffic. But what happens to the NAT connections? They all break, because the translation table lives only on the router that built it.

So what we need to do in this case is use what is called SNAT, or Stateful NAT, to preserve the connections in the event of an HSRP failover. You might hear other vendors or people say that SNAT stands for Secure NAT or Source NAT, but in Cisco-ese SNAT means Stateful NAT. Just wanted to make that note. One more caveat: Cisco removed SNAT from later IOS releases, so verify that your image accepts ip nat stateful before designing around it.

Essentially the SNAT configuration allows the two routers to function as a group. Since they are both on the same page by being in the same group, they actually exchange all of the NAT information between each other. So the NAT translations that are active on the primary router get immediately passed over to the secondary router.

This goes for all new sessions and for sessions that eventually get terminated; the bottom line is that the NAT tables on each router are identical, including not only the IP addresses but also the actual TCP state information. This is why it is called Stateful NAT. If you show the NAT translations on either router, assuming you configured everything properly, they will look exactly the same.

This is a very cool thing!

So let's check out the diagram and then I'll show you how to configure SNAT:

Step 1

As before, we first set up our Ethernet interface configurations, including the IP address, NAT inside, the HSRP virtual address, and an HSRP group name. The group name is what the SNAT redundancy command will reference, so it must be identical on both routers.

Router1(config)# interface ethernet1
Router1(config-if)# ip address 10.10.10.2 255.255.255.0
Router1(config-if)# ip nat inside
Router1(config-if)# standby 1 ip 10.10.10.1
Router1(config-if)# standby 1 name SNATHSRP

In this example we'll name our HSRP group SNATHSRP.

We need to do the same on the other router:

Router2(config)# interface ethernet1
Router2(config-if)# ip address 10.10.10.3 255.255.255.0
Router2(config-if)# ip nat inside
Router2(config-if)# standby 1 ip 10.10.10.1
Router2(config-if)# standby 1 name SNATHSRP

Step 2

Next of course we need to set up our Serial interface configurations for each router. All that is needed here is the NAT outside configuration:

Router1(config)# interface serial1/0
Router1(config-if)# ip address 200.200.200.2 255.255.255.0
Router1(config-if)# ip nat outside

And on the secondary router:

Router2(config)# interface serial1/0
Router2(config-if)# ip address 200.200.200.3 255.255.255.0
Router2(config-if)# ip nat outside

Step 3

Create our ACL on both routers. We did this before, but just as a reminder:

Router1(config)# access-list 7 permit 10.10.10.0 0.0.0.255
Router2(config)# access-list 7 permit 10.10.10.0 0.0.0.255

Step 4

Here is where we add the Stateful NAT configuration to each router. The ip nat stateful id command enters a submode; redundancy names the HSRP group from Step 1, and mapping-id is the number we will attach to the ip nat inside source command in the next step so the two routers know which translations to exchange.

Router1(config)# ip nat stateful id 1
Router1(config-ipnat-snat)# redundancy SNATHSRP
Router1(config-ipnat-snat-red)# mapping-id 10

And the same on Router2:

Router2(config)# ip nat stateful id 1
Router2(config-ipnat-snat)# redundancy SNATHSRP
Router2(config-ipnat-snat-red)# mapping-id 10

Step 5

Now we enter the pool information and our ip nat inside source command. You will notice that the ip nat inside source command now uses a route-map to reference the access list we created and carries the mapping-id that ties it to the SNAT group configured in Step 4. The route-map is simply another way of selecting the same traffic.

Router1(config)# ip nat pool public 200.200.200.200 200.200.200.200 netmask 255.255.255.0
Router1(config)# route-map rm-snat1 permit 10
Router1(config-route-map)# match ip address 7
Router1(config-route-map)# exit
Router1(config)# ip nat inside source route-map rm-snat1 pool public mapping-id 10 overload

And the same on Router2:

Router2(config)# ip nat pool public 200.200.200.200 200.200.200.200 netmask 255.255.255.0
Router2(config)# route-map rm-snat1 permit 10
Router2(config-route-map)# match ip address 7
Router2(config-route-map)# exit
Router2(config)# ip nat inside source route-map rm-snat1 pool public mapping-id 10 overload

Pretty cool huh? I have found this configuration very helpful when working with dynamic NAT on routers utilizing HSRP.

There have been many times on a specific project I was working on where we had two routers configured with HSRP and SNAT set up in the way mentioned above and these two routers would failover from one to another via HSRP.

In every case, because the NAT translations were always synchronized between the two devices, these HSRP failovers were completely transparent and all business continued as usual.

Had it not been for these configurations all existing data flows would have been completely broken.

Congratulations, you now know what it takes to implement various flavors of NAT on a Cisco Router!

Now let's take a quick look at verifying that NAT is operating as it should be, and a few tools to see what is really going on with NAT from the router's perspective.

Verifying NAT is Operating as Expected

There is a specific NAT command you will come to be very familiar with when you are troubleshooting and/or verifying NAT operations:

show ip nat translations

This command gives you pretty much all of the information you need to find out whether your NAT is functioning as it should: every active translation with its protocol, inside global, inside local, outside local and outside global addresses (and ports, for overloaded entries).

As you configure your NAT, attempt a connection to where you believe NAT should be working, then check your NAT translations with the above command. Dynamic entries linger until they time out, so if you change the configuration and want a clean test, flush them first with clear ip nat translation * (this drops the live sessions behind them).

Another command you will need to know is

show ip nat statistics

This will tell you the useful facts about your NAT configuration, such as which interfaces you have set up as inside and outside, how many translations are active, hit and miss counters, and how the dynamic mapping is set up (which access list feeds which pool, and how many pool addresses are allocated).

Very useful commands. Know them well!
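Checking the translation table by eye works for four hosts; for a real router it is worth scripting. The following Python is an added example for this page, not an IOS feature or the author's code: it parses the column layout of show ip nat translations and compares it with the intended design (which inside networks the NAT ACL should permit, which inside global addresses are legitimate, and which static mappings are supposed to exist). The SAMPLE text is constructed to look like IOS output, with one host translating from a network the ACL should not permit and one static mapping nobody asked for; on a live router you would paste the real output into check_translations().

```python
"""Audit 'show ip nat translations' output against the intended NAT design.
Added example for this page, not IOS code. SAMPLE is constructed, not captured."""
import ipaddress

# Constructed sample in the IOS column layout (not from a real router).
SAMPLE = """\
Pro Inside global         Inside local          Outside local         Outside global
tcp 200.200.200.200:1025  10.10.10.10:1025      203.0.113.10:80       203.0.113.10:80
udp 200.200.200.200:53124 10.10.10.11:53124     203.0.113.53:53       203.0.113.53:53
icmp 200.200.200.200:1    10.10.10.12:1         203.0.113.10:1        203.0.113.10:1
tcp 200.200.200.200:1026  10.20.20.10:1025      203.0.113.10:443      203.0.113.10:443
--- 200.200.200.200       10.10.10.10           ---                   ---
--- 200.200.200.201       10.10.10.50           ---                   ---
"""


def _split(field):
    """'10.10.10.10:1025' -> ('10.10.10.10', 1025); '10.10.10.10' -> (addr, None);
    '---' -> (None, None)."""
    if field == "---":
        return None, None
    addr, _, port = field.partition(":")
    return addr, (int(port) if port else None)


def parse_translations(text):
    """Turn the command output into a list of dicts, one per translation."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] == "Pro":
            continue                          # header, blank, or wrapped lines
        proto, ig, il, ol, og = parts
        ig_addr, ig_port = _split(ig)
        il_addr, il_port = _split(il)
        entries.append({
            "proto": proto,
            "inside_global": ig_addr, "global_port": ig_port,
            "inside_local": il_addr, "local_port": il_port,
            "outside_global": _split(og)[0],
            "static": proto == "---",         # static entries show no protocol/ports
        })
    return entries


def check_translations(text, permitted_nets, allowed_globals, expected_statics):
    """Return a list of findings; an empty list means the table matches the design.

    permitted_nets:   networks the NAT ACL is supposed to permit, e.g. ["10.10.10.0/24"]
    allowed_globals:  inside global addresses we own, e.g. {"200.200.200.200"}
    expected_statics: {inside local: inside global} mappings that should exist
    """
    nets = [ipaddress.ip_network(n) for n in permitted_nets]
    findings = []
    for e in parse_translations(text):
        if e["inside_local"] is None:
            continue
        il = ipaddress.ip_address(e["inside_local"])
        if not any(il in n for n in nets):
            findings.append(f"{il} is being translated but is outside the NAT ACL")
        if e["inside_global"] not in allowed_globals:
            findings.append(f"unexpected inside global {e['inside_global']} for {il}")
        if e["static"] and expected_statics.get(str(il)) != e["inside_global"]:
            findings.append(f"unexpected static mapping {il} -> {e['inside_global']}")
    return findings


if __name__ == "__main__":
    for finding in check_translations(SAMPLE, ["10.10.10.0/24"], {"200.200.200.200"},
                                      {"10.10.10.10": "200.200.200.200"}):
        print(finding)
```

Against the sample, the audit reports the 10.20.20.10 host (translating although only 10.10.10.0/24 is supposed to be permitted) and the 10.10.10.50 static entry (an inbound exposure nobody intended, on a global address we did not list). The fourth row also shows PAT at work: the host's source port 1025 was already in use on 200.200.200.200, so the router gave it 1026.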

Conclusion

If you have faithfully followed the concepts and examples I have laid out in this tutorial, I trust that you now understand the basic principles of NAT on the Cisco Router. These foundational principles will guide you and help you in whatever specific types of requirements and configurations you will face. The access lists and IP addresses will change, but you will bring to the table an understanding of what it takes to configure the Router for the client or employer you are working for.

It is up to you now to take this information and run with it. There are plenty of opportunities out there in your sphere of influence to take these foundational principles of NAT on the Cisco Router and put them into practice. You have been given keys to success; now it is up to you to take those keys and do something with them! If you came into this tutorial with some Cisco NAT experience behind you, I hope that it was able to reinforce and confirm what you already knew and potentially clarify some of those things you weren't too sure of.

Be sure to get on my free email list where I give tips and tricks for both the PIX/ASA Firewall and Cisco Router topics.

To do so send a blank email to: fwkeysnews@firewallkeys.com

It has been a pleasure serving you this information. Until next time!

Eric S. Severson
www.firewallkeys.com
www.routerkeys.com

