
Recipe 21.1 Configuring Basic NAT Functionality

21.1.1 Problem

You want to set up Network Address Translation on your router.

21.1.2 Solution

In the simplest NAT configuration, all of your internal devices use the same external global address as the router's external interface:

Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#access-list 15 permit 192.168.0.0 0.0.255.255
Router(config)#ip nat inside source list 15 interface Ethernet0/0 overload
Router(config)#interface FastEthernet0/0
Router(config-if)#ip address 192.168.1.1 255.255.255.0
Router(config-if)#ip nat inside
Router(config-if)#exit
Router(config)#interface FastEthernet0/1
Router(config-if)#ip address 192.168.2.1 255.255.255.0
Router(config-if)#ip nat inside
Router(config-if)#exit
Router(config)#interface Ethernet0/0
Router(config-if)#ip address 172.16.1.5 255.255.255.252
Router(config-if)#ip nat outside
Router(config-if)#end
Router#

21.1.3 Discussion

In this example, the router will rewrite the addresses of all of the internal devices whose IP addresses are in the range 192.168.0.0/16. When these internal devices connect to devices on the outside of the network, they will all appear to have the same source address as the external interface of the router, 172.16.1.5.

This example actually includes two internal interfaces and one external interface. You designate the internal interfaces with the ip nat inside command. You can have as many inside interfaces as you like:

Router(config)#interface FastEthernet0/1
Router(config-if)#ip nat inside

You also need to designate at least one outside interface using the ip nat outside command:

Router(config-if)#interface Ethernet0/0
Router(config-if)#ip nat outside

You can also use several outside interfaces, but this configuration can be very difficult to control, so we don't recommend it. Next, configure the actual translation action with the line:

Router(config)#ip nat inside source list 15 interface Ethernet0/0 overload

This tells the router to translate the source addresses of any internal devices that match access list number 15. The router will translate the source addresses of all of these devices to the address that is configured on the interface Ethernet0/0, which is the outside interface.

The overload keyword is actually assumed here—if you leave it off, the router will put it in automatically. This option tells the router that many internal devices can use the same global address simultaneously. We explain this option in more detail in Recipe 21.2.

To help explain what the access list in this command does, we change it to include every address in the range except one:

Router(config)#access-list 15 deny 192.168.1.101
Router(config)#access-list 15 permit 192.168.0.0 0.0.255.255

If you make a connection from the excluded address (192.168.1.101) after issuing this command, the router will not rewrite its internal address. Instead, this address will appear unchanged on the outside.

NAT can be quite confusing because people usually think that there are firewall functions associated with it. There are none. If you exclude one device from your NAT access list as we just discussed, anybody on the outside of the network will be able to connect to this internal device by using its real address. Further, there is nothing to prevent an inbound packet from reaching a particular internal device if the person on the outside knows the real internal address and can route to it.
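To make the three behaviours described above concrete (matching the standard access list, translating permitted sources to the outside interface address with overload, and passing everything else through untouched), here is a small Python model written for this recipe. It is an added example, not Cisco code and not the book's; it assumes a simplified port-selection rule (keep the original source port when it is free, otherwise take the lowest free port from 1024), and the hosts 192.168.2.50, 192.168.1.20 and the outside peer 198.51.100.7 are constructed sample values. It goes one step beyond the text by also parsing the `host` and `any` forms of a standard access list and by showing why the order of the `deny` and `permit` lines matters: entries are matched top to bottom and the first match wins, so a `deny` placed after the broader `permit` never fires.

```python
# Added example (not from the Cisco Cookbook): a Python model of standard
# access-list matching and of "ip nat inside source list ... interface ...
# overload" translation as the recipe describes it.
import ipaddress


def _ip_int(addr):
    return int(ipaddress.IPv4Address(addr))


def parse_standard_acl(lines):
    """Parse IOS standard access-list lines, keeping configuration order.
    A bare address with no wildcard means wildcard 0.0.0.0 (that exact host),
    'host X' is the same thing, and 'any' is 0.0.0.0 255.255.255.255."""
    entries = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list" or parts[2] not in ("permit", "deny"):
            raise ValueError("not a standard access-list line: " + line)
        action = parts[2]
        if parts[3] == "any":
            net, wild = "0.0.0.0", "255.255.255.255"
        elif parts[3] == "host":
            net, wild = parts[4], "0.0.0.0"
        else:
            net = parts[3]
            wild = parts[4] if len(parts) > 4 else "0.0.0.0"
        entries.append((action, net, wild))
    return entries


def acl_match(entries, src):
    """Evaluate a standard ACL against a source address: top to bottom,
    first match wins, and an address that matches nothing hits the implicit
    deny. In a wildcard mask a 0 bit must match and a 1 bit is ignored."""
    s = _ip_int(src)
    for action, net, wild in entries:
        care = ~_ip_int(wild) & 0xFFFFFFFF
        if (s & care) == (_ip_int(net) & care):
            return action
    return "deny"


class OverloadNat:
    """Model of one router translating permitted inside sources to its outside
    interface address (PAT). Assumption: the original source port is kept when
    it is free, otherwise the lowest free port from 1024 is used."""

    def __init__(self, acl_lines, outside_addr):
        self.acl = parse_standard_acl(acl_lines)
        self.outside_addr = outside_addr
        self.table = {}    # (inside_addr, inside_port) -> global_port
        self.reverse = {}  # global_port -> (inside_addr, inside_port)

    def _free_port(self):
        p = 1024
        while p in self.reverse:
            p += 1
        return p

    def outbound(self, src, sport, dst, dport):
        """Packet from an 'ip nat inside' interface leaving via the outside one."""
        if acl_match(self.acl, src) != "permit":
            # Not matched by the list: forwarded with its real address, untouched.
            return (src, sport, dst, dport)
        key = (src, sport)
        if key not in self.table:
            gport = sport if sport not in self.reverse else self._free_port()
            self.table[key] = gport
            self.reverse[gport] = key
        return (self.outside_addr, self.table[key], dst, dport)

    def inbound(self, src, sport, dst, dport):
        """Packet arriving on the 'ip nat outside' interface."""
        if dst == self.outside_addr and dport in self.reverse:
            iaddr, iport = self.reverse[dport]
            return (src, sport, iaddr, iport)
        # Everything else is routed as-is: NAT filters nothing, so a packet
        # addressed to a real inside address reaches that host.
        return (src, sport, dst, dport)


# The recipe's list with one host excluded, deny first so that it takes effect.
RECIPE_ACL = [
    "access-list 15 deny 192.168.1.101",
    "access-list 15 permit 192.168.0.0 0.0.255.255",
]
# The same two lines with the deny after the permit: first match wins, so the
# broader permit catches 192.168.1.101 and the deny is never reached.
MISORDERED_ACL = list(reversed(RECIPE_ACL))


if __name__ == "__main__":
    nat = OverloadNat(RECIPE_ACL, "172.16.1.5")
    print(nat.outbound("192.168.2.50", 40000, "198.51.100.7", 80))
    print(nat.outbound("192.168.1.101", 40000, "198.51.100.7", 80))
    print(nat.inbound("198.51.100.7", 80, "192.168.1.101", 40000))
    print(acl_match(parse_standard_acl(MISORDERED_ACL), "192.168.1.101"))
```

Running the block shows the permitted host leaving as 172.16.1.5, the excluded host leaving as 192.168.1.101, and an inbound packet addressed to 192.168.1.101 being delivered to it unchanged, which is the point of the paragraph above: the access list decides what gets translated, not what gets through.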
