Tuesday, February 26, 2013

NAT Configuration on a Cisco Router (Port Address Translation or Dynamic NAT)

Configuring Dynamic NAT on a Cisco Router

(Also Known as Port Address Translation)

In this post, I’ll show you how to configure Port Address Translation in which all internal hosts will share one external interface and IP address on the external network.

Port Address Translation (PAT) is a many-to-one form of Network Address Translation (NAT). It is commonly found in home networks and small businesses where many internal nodes, using an RFC 1918 address space such as, share a single public IP address.

Use the following diagram for this tutorial.

Here is an accompanying video for this blog post:

Prepare Your Router and Management Workstation

  1. Ensure that your workstation is configured according to the network diagram.
  2. On your router, identify which interface will be external and which will be internal.  In a real-world setting, the inside interface would normally be an Ethernet connection to a LAN and the outside might be a T1 interface connected to a WAN such as the Internet.  For the purpose of this exercise, the internal (inside) interface will be the Gigabit Ethernet 0/0 interface and the external (outside) interface will be the router’s Gigabit Ethernet 0/1 interface.

Configure Port Address Translation with the following steps:

Configuring Router Interfaces for NAT
(NVI0 is the NAT Virtual Interface which is created automatically, but not used in this exercise.)
  1. Identify the inside interface:
    Router(config)#int g0/0
    Router(config-if)#ip nat inside
  2. Identify the outside interface:
    Router(config-if)#int g0/1
    Router(config-if)#ip nat outside
    Configuring an Access Control List to Specify Who Can Use NAT (PAT)
    (This access-control list permits all IP traffic from any source address to any destination address. For more information about access-control lists, see chapter 11 in my book The Accidental Administrator: Cisco Router Step-by-Step Configuration Guide.)
  3. Create an access-control list to identify the traffic permitted to use NAT:
    Router(config)#access-list 100 permit ip any any
  4. Turning on Port Address Translation (NAT overloading)
    (This statement tells the router to apply the just-created list 100 to interface g0/1 and to implment NAT overloading on the interface.)
  5. Apply the access-control list to the outside interface:
    Router(config-if)#ip nat inside source list 100 int g0/1 overload
  6. Router(config)#exit
You can also use sho ip nat translations and show ip nat statistics to view your NAT configuration.
The output of show ip nat translations following a ping to a website.
The following table describes each of the fields in the output of the show ip nat translations command.  (The number following each of the above IP addresses, just after the colon, is the port number.  The combination of the four IP addresses and port numbers is what creates a unique connection.)The actual IP on the outside interface that represents one or more inside local IP address to the outside world or network (In the example above, it’s an RFC 1918 address, but in the real world, it will usually be an Internet-routable address.)

Field Title Explanation
Pro The IP protocol in use
Inside global The actual IP on the outside interface that represents one or more inside local IP address to the outside world or network. (In the example above, it's an RFC 1918 address, but in the real world, it will usually be an Internet-routable address.)
Inside local The actual IP address of an inside host. This is often an RFC 1918 address that is not routable on the public Internet.
Outside local The IP address of an outside host as it appears to hosts on the inside network. This is how the inside host(s) see the outside host.
Outside global The actual IP address of an outside host, usually assigned by its owner.

You can use the command show ip nat statistics to view various information about NAT's performance on your router.
The output of show ip nat statistics
You can watch the address translation taking place with the following command:  debug ip nat.  To turn off debugging, issue the following command:  undebug all
The output of the debug ip nat commands.
In the above screen capture, you can see the time of the NAT translation, the source (s) and the destination (d).

The intermediate IP address is the Inside Global address.  The number in square brackets at the end of each line is the IP packet number which could be helpful in identifying the same packet in a protocol analyzer’s packet stream.

The asterisk indicates the packet is going through the fast path.  (The first packet always goes through the slow path, which means it is process switched.)

For more information about configuring the Cisco router, please see my book The Accidental Administrator:  Cisco Router Step-by-Step Configuration Guideavailable through Amazon and other resellers or through the soundtraining.net bookstore.  Also, consider attending my Cisco Router 101 workshop, either a public, open-enrollment workshop or available for onsite training at your location with your group.  More information is available here.

You have permission to reprint this article in your newsletter, blog, website, or publication if you include the following paragraph:

Don R. Crawley is a longtime geek and President/Chief Technologist of soundtraining.net with more than 35 years in workplace technology. He holds multiple technical certifications and is the author of numerous books on information systems and technology, including The Accidental Administrator: Cisco Router Configuration Guide. He has spoken to audiences worldwide on both technical topics and IT customer service. To view this Seattle IT pro's upcoming events or to receive free Cisco tutorials, Linux tutorials, IT customer service tips, and other guides, visit www.soundtraining.net or contact him at don@soundtraining.net or 206-988-5858.

Friday, February 15, 2013

Configuring Cisco ASA Transparent Mode (Version 8.4 and Later)

The following post is based on ASA software version 8.4 and later.

With the release of ASA software version 8.4, Cisco added bridge-groups to the ASA which changed the way that transparent mode is configured. Now, you must assign VLAN interfaces to bridge-groups. Bridge-groups provide a means of isolating network traffic. Traffic from one bridge-group is not shared with other bridge-groups. Instead of just assigning a global IP address to the device for management, you now assign a management IP address to the Bridge Virtual Interface (BVI). This address is used not only for management, but as the source address for packets originating from the ASA such as AAA communications or syslog messages. Although I'm not going to cover IPv6 in this document, the ASA does support IPv6 in transparent mode.

The following video is based on this blog post:

Here is the configuration on an ASA 5505 (it will be similar for other models in the ASA family):

You must first enable transparent mode on the firewall. Before executing this command, ensure that you have a good backup of the existing configuration. This command will obliterate the existing configuration.

In configuration mode, execute the command firewall transparent:

ciscoasa# conf t
ciscoasa(config)# firewall transparent

Next, assign physical interfaces to VLANs using the switchport access command and enable the physical interfaces with the no shutdown command:

ciscoasa(config)# interface Ethernet 0/0
ciscoasa(config-if)# switchport access vlan 2
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# interface Ethernet 0/1
ciscoasa(config-if)# switchport access vlan 1
ciscoasa(config-if)# no shutdown

After configuring the physical interfaces, you must configure the VLAN interfaces by giving them names and assigning them to the same bridge-group:

ciscoasa(config-if)# interface vlan 2
ciscoasa(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ciscoasa(config-if)# bridge-group 1
ciscoasa(config-if)# interface vlan 1
ciscoasa(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ciscoasa(config-if)# bridge-group 1

(Notice that the ASA automatically assigns security levels based on the names inside and outside. If you choose to give the VLAN interfaces different names than inside and outside, you will have to manually assign a security-level of 100 to the inside interface and 0 to the outside interface.)

Now, you'll configure the management IP address through the Bridge Virtual Interface (BVI):

ciscoasa(config-if)# interface bvi 1
ciscoasa(config-if)# ip address

(Notice that I didn't explicitly assign a subnet mask to the BVI's IP address. The ASA can assign a default mask based on the class of the IP address. Since is a Class C address, the ASA automatically assigns a 24-bit mask of If you're using something other than a default subnet mask, you can specify it in dotted-decimal notation following the IP address.)

The transparent mode configuration is now complete and the ASA will pass traffic. If you want to use the graphical ASDM (Adaptive Security Device Manager) to manage the device, you must enable the HTTP server and specify which hosts are permitted to access the ASDM with the following commands:

ciscoasa(config-if)# http server enable
ciscoasa(config)# http inside

The first command does what the syntax implies, it enables the server. The second command permits any host connected to the inside interface, regardless of its IP address, to use the HTTP server. You might want to narrow the address range by specifying either your network address (in this example, it would be or the host address of your management workstation.

Here is a screen capture of the complete configuration:

Here is the configuration in a copy and paste format. Make sure you have a backup of your ASA's existing configuration, because these commands will clear and replace the existing config.  You've been warned!

conf t
firewall transparent
interface Ethernet 0/0
switchport access vlan 2
no shutdown
interface Ethernet 0/1
switchport access vlan 1
no shutdown
interface vlan 2
nameif outside
bridge-group 1
interface vlan 1
nameif inside
bridge-group 1
interface bvi 1
ip address
http server enable
http inside

One thing to note about this configuration: Your inside hosts will have no means of obtaining an IP address from a DHCP server on the outside of the ASA. You have three options.

  • You can configure your inside hosts with static IP address
  • You can configure a DHCP server on the inside network
  • You can configure access-control lists on the ASA to allow DHCP requests and responses to be exchanged between DHCP clients on the inside network and a DHCP server on the outside network.

My general recommendation is that you configure a DHCP server on the inside network. It could be the ASA, which can function as a DHCP server in transparent mode, or a standalone server such as a computer running Windows or Linux.