Monday, March 3, 2008

Configure NAT Using Port Address Translation in 4 Steps on a Cisco Router

Network Address Translation, better known simply as NAT, allows an outside address to represent a single or many inside addresses. There are several forms of NAT, but one of the most common is called NAT overloading, Port Address Translation, or simply PAT. PAT provides a many-to-one mapping with many inside private addresses mapped to one outside public address. We often see PAT used in home firewalls and routers to allow several home computers and perhaps a gaming console to use private addresses such as 192.168.1.1-100 and share a single registered public address on the Internet. The process is made possible by appending different port numbers to the source and destination addresses to create a unique connection. Given that there are more than 65,000 port numbers, you'll likely run out of bandwidth or system resources long before running out of translation slots!

Here are the four steps to configuring Port Address Translation. (Note: each step starts in configuration mode, "config t".)

1. Configure NAT on your inside interface:
    int e0/0
    ip nat inside
2. Configure NAT on your outside interface:
    int e0/1
    ip nat outside
3. Configure an access control list to allow the inside traffic to use NAT:
    access-list 101 permit ip any any
4. Enable NAT overloading (PAT) on the outside interface:
    ip nat inside source list 101 interface e0/1 overload

In this example, the "ip nat inside" and "ip nat outside" statements are used to tell the router which interface is considered inside and which interface is considered outside for the purpose of NAT. Interface Ethernet 0/0 is inside and Interface Ethernet 0/1 is outside. Your interfaces will probably be different; for example, your router might have f0/0 or gigabit 0/1.

The access control list statement tells the router to permit all IP traffic to flow from any source to any destination. The number (101) is simply an ID that must match the number used in the "ip nat" statement. (Note that, in this case, the number must fall between 100 and 199 inclusive.)

The "ip nat inside source list" statement tells the router which access control list to use to identify the traffic to translate (access-list 101), the interface on which NAT will be performed (interface ethernet 0/1) and the form of NAT to perform (overload).

This configuration will allow any host on the inside subnet to share the outside interface for the purpose of going on the Internet. There is no restriction as to the type of traffic, nor are there any restricted hosts. Obviously, this configuration would only be acceptable in a small office or home type of network. Even then, you might want to limit hosts' access to the Internet by creating a more restrictive access control list.
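To make the mechanism concrete, here is an added simulation (not Cisco code and not part of the original post) of what the overload translation table does: several inside hosts share one outside address, each outbound connection gets a unique outside source port, replies are mapped back by that port, and inbound packets with no matching entry are dropped. It also models the more restrictive access list suggested above, "access-list 101 permit ip 192.168.1.0 0.0.0.255 any", in place of "permit ip any any". The addresses, the 1024-65535 fallback port pool and the port-preservation rule (keep the host's own source port when it is free) are assumptions made for the example.

```python
"""PAT (NAT overload) simulation: many inside addresses share one outside
address, distinguished by translated source port. Added example; addresses
are constructed from RFC 1918 and documentation ranges."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn a Cisco 'address wildcard' pair (e.g. 192.168.1.0 0.0.0.255) into a
    network. Only contiguous wildcard masks are handled (assumption for brevity)."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if (wc + 1) & wc:
        raise ValueError("non-contiguous wildcard mask not supported")
    prefix = 32 - wc.bit_length()
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


class PatRouter:
    """Models 'ip nat inside source list <acl> interface <outside> overload'."""

    def __init__(self, outside_ip: str, acl, pool=(1024, 65535)):
        self.outside_ip = outside_ip
        self.acl = acl                     # [(action, IPv4Network), ...], first match wins
        self.pool_lo, self.pool_hi = pool  # assumed fallback port range
        self.out_table = {}   # inside 5-tuple -> outside port
        self.in_table = {}    # (proto, outside port, remote ip, remote port) -> (inside ip, port)
        self.used_ports = {}  # proto -> set of outside ports in use

    def acl_permits(self, src_ip: str) -> bool:
        ip = ipaddress.IPv4Address(src_ip)
        for action, net in self.acl:
            if ip in net:
                return action == "permit"
        return False  # every Cisco ACL ends with an implicit deny

    def _allocate_port(self, proto: str, wanted: int) -> int:
        used = self.used_ports.setdefault(proto, set())
        # Assumption: keep the inside host's own source port when it is still free,
        # otherwise take the next free port from the pool.
        if wanted not in used:
            used.add(wanted)
            return wanted
        for port in range(self.pool_lo, self.pool_hi + 1):
            if port not in used:
                used.add(port)
                return port
        raise RuntimeError("translation table full")

    def outbound(self, flow: Flow):
        """Inside -> outside. Returns the translated flow, or None when the ACL
        does not select this source (the packet is then not translated)."""
        if not self.acl_permits(flow.src_ip):
            return None
        key = (flow.proto, flow.src_ip, flow.src_port, flow.dst_ip, flow.dst_port)
        if key not in self.out_table:
            port = self._allocate_port(flow.proto, flow.src_port)
            self.out_table[key] = port
            self.in_table[(flow.proto, port, flow.dst_ip, flow.dst_port)] = (flow.src_ip, flow.src_port)
        return Flow(flow.proto, self.outside_ip, self.out_table[key], flow.dst_ip, flow.dst_port)

    def inbound(self, flow: Flow):
        """Outside -> inside. Only packets matching an existing translation are
        forwarded; unsolicited inbound traffic has no entry and is dropped (None)."""
        if flow.dst_ip != self.outside_ip:
            return None
        entry = self.in_table.get((flow.proto, flow.dst_port, flow.src_ip, flow.src_port))
        if entry is None:
            return None
        inside_ip, inside_port = entry
        return Flow(flow.proto, flow.src_ip, flow.src_port, inside_ip, inside_port)


def demo():
    # Restrictive ACL in place of 'permit ip any any':
    #   access-list 101 permit ip 192.168.1.0 0.0.0.255 any
    acl = [("permit", wildcard_to_network("192.168.1.0", "0.0.0.255"))]
    router = PatRouter("198.51.100.1", acl)
    a = router.outbound(Flow("tcp", "192.168.1.10", 50000, "203.0.113.5", 443))
    b = router.outbound(Flow("tcp", "192.168.1.20", 50000, "203.0.113.5", 443))  # same source port: collision
    c = router.outbound(Flow("tcp", "10.0.0.5", 50000, "203.0.113.5", 443))      # not selected by the ACL
    reply = router.inbound(Flow("tcp", "203.0.113.5", 443, "198.51.100.1", a.src_port))
    probe = router.inbound(Flow("tcp", "203.0.113.9", 40000, "198.51.100.1", 22))  # unsolicited inbound
    return a, b, c, reply, probe


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Running demo() shows the second host's connection being re-sourced to port 1024 because port 50000 is already taken on the outside address, the 10.0.0.5 host being left untranslated because the restrictive ACL does not select it, and the unsolicited probe to port 22 being dropped for want of a table entry.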
