Configuring Dynamic NAT on a Cisco Router
(Also Known as Port Address Translation)In this post, I’ll show you how to configure Port Address Translation in which all internal hosts will share one external interface and IP address on the external network.
Port Address Translation (PAT) is a many-to-one form of Network Address Translation (NAT). It is commonly found in home networks and small businesses where many internal nodes, using an RFC 1918 address space such as 192.168.0.0/24, share a single public IP address.
Use the following diagram for this tutorial.
Here is an accompanying video for this blog post:
Prepare Your Router and Management Workstation
- Ensure that your workstation is configured according to the network diagram.
- On your router, identify which interface will be external and which will be internal. In a real-world setting, the inside interface would normally be an Ethernet connection to a LAN and the outside might be a T1 interface connected to a WAN such as the Internet. For the purpose of this exercise, the internal (inside) interface will be the Gigabit Ethernet 0/0 interface and the external (outside) interface will be the router’s Gigabit Ethernet 0/1 interface.
Configure Port Address Translation with the following steps:
|Configuring Router Interfaces for NAT|
(NVI0 is the NAT Virtual Interface which is created automatically, but not used in this exercise.)
- Identify the inside interface:
Router(config-if)#ip nat inside
- Identify the outside interface:
Router(config-if)#ip nat outside
Configuring an Access Control List to Specify Who Can Use NAT (PAT)
(This access-control list permits all IP traffic from any source address to any destination address. For more information about access-control lists, see chapter 11 in my book The Accidental Administrator: Cisco Router Step-by-Step Configuration Guide.)
- Create an access-control list to identify the traffic permitted to use NAT:
Router(config)#access-list 100 permit ip any any
- Apply the access-control list to the outside interface:
Router(config-if)#ip nat inside source list 100 int g0/1 overload
|Turning on Port Address Translation (NAT overloading)|
(This statement tells the router to apply the just-created list 100 to interface g0/1 and to implment NAT overloading on the interface.)
|The output of show ip nat translations following a ping to a website.|
|Pro||The IP protocol in use|
|Inside global||The actual IP on the outside interface that represents one or more inside local IP address to the outside world or network. (In the example above, it's an RFC 1918 address, but in the real world, it will usually be an Internet-routable address.)|
|Inside local||The actual IP address of an inside host. This is often an RFC 1918 address that is not routable on the public Internet.|
|Outside local||The IP address of an outside host as it appears to hosts on the inside network. This is how the inside host(s) see the outside host.|
|Outside global||The actual IP address of an outside host, usually assigned by its owner.|
You can use the command show ip nat statistics to view various information about NAT's performance on your router.
|The output of show ip nat statistics|
|The output of the debug ip nat commands.|
The intermediate IP address is the Inside Global address. The number in square brackets at the end of each line is the IP packet number which could be helpful in identifying the same packet in a protocol analyzer’s packet stream.
The asterisk indicates the packet is going through the fast path. (The first packet always goes through the slow path, which means it is process switched.)
For more information about configuring the Cisco router, please see my book The Accidental Administrator: Cisco Router Step-by-Step Configuration Guide, available through Amazon and other resellers or through the soundtraining.net bookstore. Also, consider attending my Cisco Router 101 workshop, either a public, open-enrollment workshop or available for onsite training at your location with your group. More information is available here.
You have permission to reprint this article in your newsletter, blog, website, or publication if you include the following paragraph:
Don R. Crawley is a longtime geek and President/Chief Technologist of soundtraining.net with more than 35 years in workplace technology. He holds multiple technical certifications and is the author of numerous books on information systems and technology, including The Accidental Administrator: Cisco Router Configuration Guide. He has spoken to audiences worldwide on both technical topics and IT customer service. To view this Seattle IT pro's upcoming events or to receive free Cisco tutorials, Linux tutorials, IT customer service tips, and other guides, visit www.soundtraining.net or contact him at email@example.com or 206-988-5858.