Tuesday, February 26, 2013

NAT Configuration on a Cisco Router (Port Address Translation or Dynamic NAT)


Configuring Dynamic NAT on a Cisco Router

(NAT Overload, Also Known as Port Address Translation)

In this post, I’ll show you how to configure Port Address Translation, in which all internal hosts share one external interface and one IP address on the external network.

Port Address Translation (PAT), also called NAT overload, is a many-to-one form of Network Address Translation (NAT): many inside addresses are mapped to a single outside address, and the router rewrites source port numbers so that each flow remains distinguishable. It is commonly found in home networks and small businesses where many internal nodes, using an RFC 1918 address space such as 192.168.0.0/24, share a single public IP address.

Use the following diagram for this tutorial.

Here is an accompanying video for this blog post:

Prepare Your Router and Management Workstation

  1. Ensure that your workstation is configured according to the network diagram.
  2. On your router, identify which interface will be external and which will be internal.  In a real-world setting, the inside interface would normally be an Ethernet connection to a LAN and the outside might be a T1 interface connected to a WAN such as the Internet.  For the purpose of this exercise, the internal (inside) interface will be the Gigabit Ethernet 0/0 interface and the external (outside) interface will be the router’s Gigabit Ethernet 0/1 interface.

Configure Port Address Translation with the following steps:

Configuring Router Interfaces for NAT
(NVI0 is the NAT Virtual Interface, which is created automatically but not used in this exercise.)
  1. Identify the inside interface:
    Router(config)#int g0/0
    Router(config-if)#ip nat inside
  2. Identify the outside interface, then return to global configuration mode:
    Router(config-if)#int g0/1
    Router(config-if)#ip nat outside
    Router(config-if)#exit

Configuring an Access Control List to Specify Who Can Use NAT (PAT)
(This access-control list permits all IP traffic from any source address to any destination address, so any host whose traffic arrives on the inside interface will be translated. In production, restrict the list to your inside subnet(s) so that spoofed or unexpected source addresses are not translated. For more information about access-control lists, see chapter 11 in my book The Accidental Administrator: Cisco Router Step-by-Step Configuration Guide.)
  3. Create an access-control list to identify the traffic permitted to use NAT:
    Router(config)#access-list 100 permit ip any any

Turning on Port Address Translation (NAT Overloading)
(This statement is entered in global configuration mode, not interface mode. It tells the router to translate the source address of inside traffic matching list 100 to the address of interface g0/1, and to implement NAT overloading (PAT) on that interface.)
  4. Bind the access-control list to the outside interface and enable overloading:
    Router(config)#ip nat inside source list 100 interface g0/1 overload
  5. Return to privileged EXEC mode:
    Router(config)#exit
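As an added example (not configuration from the original post), here is the complete PAT configuration from the steps above as it would appear in the running configuration, with the access list tightened to the inside LAN. The interface addresses, the 192.168.0.0/24 inside network, the 203.0.113.0/30 link and the ISP next hop are assumptions chosen for illustration; the verification commands at the end are the ones discussed in the following section.

```cisco
! Added example, not from the original post. Addressing is assumed:
!   inside LAN 192.168.0.0/24 on g0/0, 203.0.113.2/30 on g0/1,
!   default route via the ISP router at 203.0.113.1.
!
interface GigabitEthernet0/0
 description Inside LAN
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 description Outside link to ISP
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
!
ip route 0.0.0.0 0.0.0.0 203.0.113.1
!
! The post uses "access-list 100 permit ip any any", which translates
! every source address that arrives on the inside interface.  Limiting
! the list to the inside subnet means a packet with any other source
! (a misconfigured host, or a spoofed address) does not match and is
! simply forwarded untranslated, where the upstream provider should
! drop it.  The implicit "deny ip any any" at the end of the list
! handles everything not listed.
access-list 100 remark Hosts permitted to use PAT
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
!
! Global configuration mode, not interface mode: translate sources that
! match list 100 to the address of g0/1 and overload it (PAT).
ip nat inside source list 100 interface GigabitEthernet0/1 overload
!
! Optional hardening.  The translation table is finite; idle TCP entries
! live 24 hours by default and UDP entries 5 minutes, so a port scan or
! a chatty UDP application from one host can fill it.  Shorter timeouts
! and a ceiling on entries limit the damage.  Values are assumptions.
ip nat translation tcp-timeout 3600
ip nat translation udp-timeout 120
ip nat translation max-entries 10000
!
! Verification from privileged EXEC mode:
!   show ip nat translations      active entries (Pro, inside/outside global/local)
!   show ip nat statistics        hit/miss counters, interfaces, the list in use
!   clear ip nat translation *    flush dynamic entries without touching the config
!   debug ip nat                  watch translations as they happen (process-intensive;
!   undebug all                   turn it off promptly, especially on a busy router)
```

Because the translation is "inside source" only, outside addresses are never rewritten, so the Outside local and Outside global columns of show ip nat translations will show the same address for every entry.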
You can use show ip nat translations to view the active translations and show ip nat statistics to view counters and the NAT configuration in effect.
The output of show ip nat translations following a ping to a website.
The following table describes each of the fields in the output of the show ip nat translations command. (The number following each IP address, just after the colon, is the port number, or for ICMP the query identifier. The combination of the inside global address and port with the outside global address and port is what makes each translation entry unique, and it is what allows many inside hosts to share one inside global address.)

Field            Explanation
Pro              The IP protocol in use (tcp, udp or icmp).
Inside global    The address on the outside interface that represents one or more inside local addresses to the outside network. (In the example above, it's an RFC 1918 address, but in the real world it will usually be an Internet-routable address.)
Inside local     The actual IP address of an inside host. This is usually an RFC 1918 address that is not routable on the public Internet.
Outside local    The IP address of an outside host as it appears to hosts on the inside network. This is how the inside host(s) see the outside host. With inside-source translation only, as configured here, it is the same as the outside global address.
Outside global   The actual IP address of an outside host, assigned by its owner.

You can use the command show ip nat statistics to view various information about NAT's performance on your router.
The output of show ip nat statistics
You can watch the address translation taking place with the following command:  debug ip nat.  To turn off debugging, issue the following command:  undebug all.  Debugging is process-intensive, so on a busy production router enable it only briefly and turn it off as soon as you have what you need.
The output of the debug ip nat commands.
In the above screen capture, you can see the time of the NAT translation, the source (s) and the destination (d).

On the source side, the address after the arrow is the Inside Global address (the inside local address is shown before the arrow).  The number in square brackets at the end of each line is the value of the IP header's identification field, which can be helpful in locating the same packet in a protocol analyzer’s packet stream.

The asterisk indicates the packet is going through the fast path.  (The first packet always goes through the slow path, which means it is process switched.)

For more information about configuring the Cisco router, please see my book The Accidental Administrator:  Cisco Router Step-by-Step Configuration Guide, available through Amazon and other resellers or through the soundtraining.net bookstore.  Also, consider attending my Cisco Router 101 workshop, either a public, open-enrollment workshop or available for onsite training at your location with your group.  More information is available here.

You have permission to reprint this article in your newsletter, blog, website, or publication if you include the following paragraph:

Don R. Crawley is a longtime geek and President/Chief Technologist of soundtraining.net with more than 35 years in workplace technology. He holds multiple technical certifications and is the author of numerous books on information systems and technology, including The Accidental Administrator: Cisco Router Configuration Guide. He has spoken to audiences worldwide on both technical topics and IT customer service. To view this Seattle IT pro's upcoming events or to receive free Cisco tutorials, Linux tutorials, IT customer service tips, and other guides, visit www.soundtraining.net or contact him at don@soundtraining.net or 206-988-5858.
