Network Address Translation Configuration

This article is the second in a series about Network Address Translation (NAT). In the first article, Introduction to Network Address Translation, I went over the basics of the purpose of NAT along with some of the different methods of implementation. This article takes a look at how to put these different methods into practice, including several examples.

Static NAT

In the “Introduction to Network Address Translation” article, the first thing that was discussed was static NAT. With static NAT there is a one-to-one relationship configured between an inside and an outside address. The image below lays out the scenario as shown in the initial article.

Figure 1

There are three main commands that are required to configure this. An overview of these commands and the steps to follow to use them is shown below in Table 1.

| Step | Description | Command |
| --- | --- | --- |
| 1 | Enter privileged EXEC mode | router>enable |
| 2 | Enter device configuration mode | router#configure terminal |
| 3 | Enter interface configuration mode for the inside interface. Note: the inside interface faces into the internal network. | router(config)#interface interface |
| 4 | Configure the interface as the inside NAT interface | router(config-if)#ip nat inside |
| 5 | Enter interface configuration mode for the outside interface. Note: the outside interface faces towards an external network. | router(config-if)#interface interface |
| 6 | Configure the interface as the outside NAT interface | router(config-if)#ip nat outside |
| 7 | Exit into global configuration mode (optional) | router(config-if)#exit |
| 8 | Configure a static NAT mapping | router(config)#ip nat inside source static inside-local-address inside-global-address |

Table 1 – Static NAT Configuration Commands

Following the steps shown in Table 1, the commands shown in Table 2 configure NAT for the scenario shown in Figure 1.

| Step | Description | Command |
| --- | --- | --- |
| 1 | Enter privileged EXEC mode | router>enable |
| 2 | Enter device configuration mode | router#configure terminal |
| 3 | Enter interface configuration mode for the inside interface | router(config)#interface f0/0 |
| 4 | Configure the interface as the inside NAT interface | router(config-if)#ip nat inside |
| 5 | Enter interface configuration mode for the outside interface | router(config-if)#interface f0/1 |
| 6 | Configure the interface as the outside NAT interface | router(config-if)#ip nat outside |
| 7 | Exit into global configuration mode (optional) | router(config-if)#exit |
| 8 | Configure a static NAT mapping | router(config)#ip nat inside source static 192.168.1.10 203.0.113.10 |

Table 2 – Static NAT Example Configuration

Dynamic NAT

The second thing that was discussed was dynamic NAT. With dynamic NAT a pool of addresses is defined that can be used by any number of inside hosts; once this pool is exhausted, however, the next host attempting to send traffic outbound will be denied. Below, the image shows the scenario as referenced in the initial article.

Figure 2

There are a few differences between the commands to configure static and dynamic NAT. The commands and the steps to follow to utilize them are shown in Table 3.

| Step | Description | Command |
| --- | --- | --- |
| 1 | Enter privileged EXEC mode | router>enable |
| 2 | Enter device configuration mode | router#configure terminal |
| 3 | Enter interface configuration mode for the inside interface. Note: the inside interface faces into the internal network. | router(config)#interface interface |
| 4 | Configure the interface as the inside NAT interface | router(config-if)#ip nat inside |
| 5 | Enter interface configuration mode for the outside interface. Note: the outside interface faces towards an external network. | router(config-if)#interface interface |
| 6 | Configure the interface as the outside NAT interface | router(config-if)#ip nat outside |
| 7 | Exit into global configuration mode (optional) | router(config-if)#exit |
| 8 | Configure an interesting traffic ACL. Note: interesting traffic is a term that is used to describe the addresses that are subject to translation. | router(config)#access-list acl-number {permit \| deny} source-network source-inverse-mask |
| 9 | Configure a NAT pool | router(config)#ip nat pool pool-name start-ip-address ending-ip-address netmask netmask |
| 10 | Configure dynamic NAT | router(config)#ip nat inside source list acl-number pool pool-name |

Table 3 – Dynamic NAT Configuration Commands

Following the commands shown in Table 3, the configuration to match the contents of Figure 2 can be developed. The commands are shown in Table 4.

| Step | Description | Command |
| --- | --- | --- |
| 1 | Enter privileged EXEC mode | router>enable |
| 2 | Enter device configuration mode | router#configure terminal |
| 3 | Enter interface configuration mode for the inside interface | router(config)#interface f0/0 |
| 4 | Configure the interface as the inside NAT interface | router(config-if)#ip nat inside |
| 5 | Enter interface configuration mode for the outside interface | router(config-if)#interface f0/1 |
| 6 | Configure the interface as the outside NAT interface | router(config-if)#ip nat outside |
| 7 | Exit into global configuration mode (optional) | router(config-if)#exit |
| 8 | Configure an interesting traffic ACL | router(config)#access-list 1 permit 192.168.1.0 0.0.0.255 |
| 9 | Configure a NAT pool | router(config)#ip nat pool example-pool 203.0.113.10 203.0.113.14 netmask 255.255.255.0 |
| 10 | Configure dynamic NAT | router(config)#ip nat inside source list 1 pool example-pool |

Table 4 – Dynamic NAT Example Configuration
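
As an added example (not part of the original article and not Cisco tooling), the following Python sketch checks configuration text built from the Table 3 commands for three mistakes: no interface marked inside or outside, a NAT rule that names an undefined ACL or pool, and a pool smaller than the address range the ACL permits. The function name audit_nat and the sample strings are assumptions made for illustration, and the overload keyword it recognizes is the one covered in the next section.

```python
import ipaddress
import re

def audit_nat(config):
    """Return findings for IOS-style NAT configuration text (commands as in Table 3)."""
    roles, acls, pools, rules, findings = set(), {}, {}, [], []
    for line in (l.strip() for l in config.splitlines()):
        if m := re.fullmatch(r"ip nat (inside|outside)", line):
            roles.add(m.group(1))
        elif m := re.fullmatch(r"access-list (\d+) permit (\S+) (\S+)", line):
            # Each 1-bit in the inverse (wildcard) mask is a "don't care" bit, so the
            # entry matches 2**bits addresses (an upper bound on real hosts).
            bits = bin(int(ipaddress.IPv4Address(m.group(3)))).count("1")
            acls[m.group(1)] = acls.get(m.group(1), 0) + 2 ** bits
        elif m := re.fullmatch(r"ip nat pool (\S+) (\S+) (\S+) netmask \S+", line):
            first, last = (int(ipaddress.IPv4Address(a)) for a in m.group(2, 3))
            pools[m.group(1)] = last - first + 1
        elif m := re.fullmatch(r"ip nat inside source list (\d+) pool (\S+)( overload)?", line):
            rules.append((m.group(1), m.group(2), bool(m.group(3))))
    for role in ("inside", "outside"):
        if role not in roles:
            findings.append(f"no interface is marked 'ip nat {role}'")
    for acl, pool, overload in rules:
        if acl not in acls:
            findings.append(f"rule references undefined access-list {acl}")
        if pool not in pools:
            findings.append(f"rule references undefined pool {pool}")
        elif acl in acls and not overload and acls[acl] > pools[pool]:
            findings.append(f"access-list {acl} permits {acls[acl]} addresses "
                            f"but pool {pool} has only {pools[pool]}")
    return findings

# Constructed sample input: the commands of Table 4 written as configuration text.
TABLE_4 = """
interface f0/0
 ip nat inside
interface f0/1
 ip nat outside
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat pool example-pool 203.0.113.10 203.0.113.14 netmask 255.255.255.0
ip nat inside source list 1 pool example-pool
"""
TABLE_5 = TABLE_4.rstrip() + " overload\n"   # same rule with the overload keyword

if __name__ == "__main__":
    print("without overload:", audit_nat(TABLE_4))
    print("with overload:   ", audit_nat(TABLE_5))
```

The sizing finding for the Table 4 text is informational: it restates, for this ACL and pool, that only five inside hosts can hold a translation at once.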

Overloaded NAT

The final thing that was covered was overloaded NAT, which is also referred to as Port Address Translation (PAT). Overloaded NAT works similarly to dynamic NAT, except that instead of assigning a one-to-one IP address translation from a static IP address pool, it uses different port numbers along with the pool IP addresses to allow a much larger group of source hosts to be translated. There are over 65,000 ports available with each pool IP address, and overloaded NAT assigns one of these ports to each connection coming through the NAT router (matching the ACL). Most people don’t realize this, but the majority of broadband-connected homes use overloaded NAT on their small home routers/gateways (think Linksys and D-Link).

There is one difference between the configuration of dynamic NAT and overloaded NAT: the addition of the overload parameter to the ip nat command. Figure 3 shows the scenario that was displayed in the initial article.

Figure 3

Following the commands shown in Table 3 and adding the overload parameter, the configuration to match the contents of Figure 3 can be developed. The commands are shown below in Table 5.

| Step | Description | Command |
| --- | --- | --- |
| 1 | Enter privileged EXEC mode | router>enable |
| 2 | Enter device configuration mode | router#configure terminal |
| 3 | Enter interface configuration mode for the inside interface | router(config)#interface f0/0 |
| 4 | Configure the interface as the inside NAT interface | router(config-if)#ip nat inside |
| 5 | Enter interface configuration mode for the outside interface | router(config-if)#interface f0/1 |
| 6 | Configure the interface as the outside NAT interface | router(config-if)#ip nat outside |
| 7 | Exit into global configuration mode (optional) | router(config-if)#exit |
| 8 | Configure an interesting traffic ACL | router(config)#access-list 1 permit 192.168.1.0 0.0.0.255 |
| 9 | Configure a NAT pool | router(config)#ip nat pool example-pool 203.0.113.10 203.0.113.14 netmask 255.255.255.0 |
| 10 | Configure dynamic NAT with overload | router(config)#ip nat inside source list 1 pool example-pool overload |

Table 5 – Overloaded NAT Example Configuration
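
To make the difference between Table 4 and Table 5 concrete, this added Python example (not from the original article, and not a model of Cisco's actual port-allocation algorithm) simulates the translation table for six inside hosts using the article's ACL and pool. The NatSim class, the source port 40000 and the host addresses are constructed for illustration, and translation timeouts are not modeled.

```python
import ipaddress
from itertools import chain

def ip_int(addr):
    return int(ipaddress.IPv4Address(addr))

class NatSim:
    """Simplified model of `ip nat inside source list ACL pool POOL [overload]`."""
    def __init__(self, acl_net, wildcard, pool_start, pool_end, overload=False):
        self.care = ~ip_int(wildcard) & 0xFFFFFFFF      # wildcard 0-bits must match
        self.acl_net = ip_int(acl_net) & self.care
        self.pool = [str(ipaddress.IPv4Address(a))
                     for a in range(ip_int(pool_start), ip_int(pool_end) + 1)]
        self.overload = overload
        self.table = {}      # inside key -> (global ip, global port or None)
        self.in_use = set()  # allocated (global ip, port) slots

    def _allocate(self, sport):
        if not self.overload:                 # one whole pool address per inside host
            candidates = ((ip, None) for ip in self.pool)
        else:                                 # one (address, port) pair per connection
            candidates = ((ip, p) for ip in self.pool
                          for p in chain([sport], range(1024, 65536)))
        for slot in candidates:
            if slot not in self.in_use:
                self.in_use.add(slot)
                return slot
        return None                           # pool exhausted

    def translate(self, src, sport):
        """Return the outside (ip, port); None means denied because the pool is exhausted."""
        if ip_int(src) & self.care != self.acl_net:
            return (src, sport)               # not interesting traffic: left untranslated
        key = (src, sport) if self.overload else src
        if key not in self.table:
            slot = self._allocate(sport)
            if slot is None:
                return None
            self.table[key] = slot
        gip, gport = self.table[key]
        return (gip, gport if self.overload else sport)

def run_scenario(overload):
    """Six inside hosts (constructed sample) against the article's five-address pool."""
    nat = NatSim("192.168.1.0", "0.0.0.255", "203.0.113.10", "203.0.113.14", overload)
    return [nat.translate(f"192.168.1.{h}", 40000) for h in range(1, 7)]

if __name__ == "__main__":
    print(run_scenario(False), run_scenario(True), sep="\n")
```

Without overload the sixth host gets no translation; with overload all six share the first pool address and are told apart only by the translated source port.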

The problem that many people have is not the configuration of NAT but a good understanding of how it works in the first place. Once the basic concepts are understood, the configuration is not overly complex. Hopefully the content of this article will make the configuration of NAT clear and enable the reader to set up NAT in their own environment.