When working with Cisco routers, whether in a lab or production environment, there are many ways that NAT will come into play. This article will discuss the three most common reasons you would need to use NAT and why. Some of the reasons you would need NAT on a Cisco router would be:
- Inside to Outside
  - Static NAT translating an inside private IP to an outside public IP
  - example: assigning an outside, public IP to an internal web server
- Outside to Inside
  - Translating an outside public IP to an inside private IP
  - example: port-forwarding a specific port to an inside host from the outside interface IP
- NAT Overload
  - Allow all (or some) inside hosts to share either a single public IP address or a pool of them for WAN access
First off, you should be aware that you need to specify your NAT interfaces. You need to enter the command “ip nat inside” or “ip nat outside” on each interface based on what part of the network it connects to: “ip nat inside” on the LAN-facing interface, “ip nat outside” on the WAN-facing interface. NAT will not work without these commands.
Inside to Outside
For inside to outside NAT, imagine you have an internal web server you want to NAT to an outside, public IP. Here is what that command would look like:
```
ip nat inside source static 192.168.1.5 188.8.131.52
```
With that command, the internal device at 192.168.1.5 would be NAT’ed to the public IP 184.108.40.206. This is referred to as static NAT.
Outside to Inside
Outside to inside NAT involves translating a public IP back to a private, inside IP address. This is commonly done with a specific port involved as well, but that is entirely dependent on your situation and not required by any means. Your configuration would look like this:
```
ip nat outside source static tcp 220.127.116.11 22 192.168.1.5 22
```
What you are seeing is that all tcp/22 traffic arriving on the outside interface sourced from the IP 18.104.22.168 will be translated to 192.168.1.5. That way, the destination device will reply to 192.168.1.5, not to the public IP 22.214.171.124. This is useful in cases where inside devices may not have a default route, etc.
NAT Overload
This is the most common NAT usage I would say, especially in smaller environments, with all inside devices sharing a single outside IP address. In this case you are “overloading” this outside IP by allowing many inside hosts to share it for their WAN connections. This can be done with either a single outside IP address, such as the one assigned to your outside interface, or a pool of public IP addresses.
First you need to create an access-list outlining the IP addresses to be NAT’ed, then you configure the actual NAT commands, making sure to include the overload option. The whole set of commands looks a bit like this:
```
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 1 permit 192.168.3.0 0.0.0.255
!
ip nat inside source list 1 interface gigabitethernet0/0 overload
!
```
That will NAT overload the inside hosts on the three specified subnets to share the public IP of interface Gi0/0. Say you had 5 IP addresses that you wanted to spread the connections across. That would be called a NAT pool and the configuration is similar, but still a bit different. Here is what that would look like:
```
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 1 permit 192.168.3.0 0.0.0.255
!
ip nat pool INTERNET 126.96.36.199 188.8.131.52 netmask 255.255.255.240
!
ip nat inside source list 1 pool INTERNET overload
!
```
Now instead of all of the inside hosts sharing a single outside IP, they will be spread across .1 – .8 of the public subnet. This is especially useful in enterprise environments with a significant number of users.
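To make the behaviour of the two NAT types above concrete, here is an added Python model of what the router does with the static entry from the Inside to Outside section and with the overload configuration (interface or pool) from this section. It is example code written for this article, not Cisco's implementation or anything from the original post, and it simplifies port selection. The ACL entries are the three from access-list 1; the public addresses (203.0.113.x, a documentation range), the static web-server mapping and the sample inside hosts are constructed placeholders, not the page's addresses.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed ACL mirroring the page's "access-list 1" lines: (network, wildcard mask).
# In a wildcard mask a 0 bit must match and a 1 bit is "don't care" (inverse of a subnet mask).
ACL_1 = [
    ("192.168.1.0", "0.0.0.255"),
    ("192.168.2.0", "0.0.0.255"),
    ("192.168.3.0", "0.0.0.255"),
]

# Constructed public addresses (RFC 5737 documentation range) standing in for the page's IPs.
INTERFACE_IP = "203.0.113.1"                              # Gi0/0 address in the interface-overload case
POOL_INTERNET = [f"203.0.113.{i}" for i in range(1, 9)]   # ".1 through .8" as in the pool case
STATIC_WEB = {"192.168.1.5": "203.0.113.10"}              # ip nat inside source static 192.168.1.5 <public>


def _ip(ip: str) -> int:
    return int(ipaddress.IPv4Address(ip))


def acl_permits(acl, ip: str) -> bool:
    """Standard numbered ACL match, with the implicit 'deny any' at the end."""
    a = _ip(ip)
    for network, wildcard in acl:
        w = _ip(wildcard)
        if (a | w) == (_ip(network) | w):
            return True
    return False


@dataclass
class NatRouter:
    """Simplified model of 'ip nat inside source' on an IOS router (hypothetical, not Cisco's code)."""
    static: dict                    # inside local -> inside global, one-to-one, ports untouched
    overload_acl: list              # ACL named in 'ip nat inside source list N ... overload'
    pool: list                      # the outside interface address, or the 'ip nat pool' addresses
    table: dict = field(default_factory=dict)  # (proto, inside ip, inside port) -> (global ip, global port)

    def _global_port_free(self, proto, gip, gport) -> bool:
        return not any(p == proto and v == (gip, gport)
                       for (p, _, _), v in self.table.items())

    def translate_outbound(self, proto: str, src_ip: str, src_port: int):
        """Translate a packet entering the 'ip nat inside' interface; None means no translation applies."""
        if src_ip in self.static:                   # static entries win and keep the port as-is
            return (self.static[src_ip], src_port)
        key = (proto, src_ip, src_port)
        if key in self.table:                       # an existing dynamic binding is reused
            return self.table[key]
        if not acl_permits(self.overload_acl, src_ip):
            return None                             # implicit deny: the packet leaves untranslated
        gip = self.pool[len(self.table) % len(self.pool)]   # spread new bindings across the pool
        gport = src_port                            # keep the original source port when it is free...
        if not self._global_port_free(proto, gip, gport):
            gport = 1024                            # ...otherwise take the lowest free high port (simplified)
            while not self._global_port_free(proto, gip, gport):
                gport += 1
        self.table[key] = (gip, gport)
        return self.table[key]

    def translate_inbound(self, proto: str, dst_ip: str, dst_port: int):
        """Reverse lookup for a reply arriving on the 'ip nat outside' interface."""
        for local, gip in self.static.items():
            if gip == dst_ip:
                return (local, dst_port)
        for (p, lip, lport), (gip, gport) in self.table.items():
            if p == proto and (gip, gport) == (dst_ip, dst_port):
                return (lip, lport)
        return None


if __name__ == "__main__":
    # Interface overload: every ACL-permitted host shares Gi0/0's single address.
    r = NatRouter(static=STATIC_WEB, overload_acl=ACL_1, pool=[INTERFACE_IP])
    print(r.translate_outbound("tcp", "192.168.1.5", 443))    # static: port preserved
    print(r.translate_outbound("tcp", "192.168.1.20", 50000)) # first host keeps port 50000
    print(r.translate_outbound("tcp", "192.168.2.20", 50000)) # same port in use, so a new one is chosen
    print(r.translate_outbound("tcp", "10.0.0.7", 80))        # not in access-list 1: no translation
    print(r.table)
```

The two things worth noticing are the wildcard-mask test in acl_permits, which is why access-list 1 uses 0.0.0.255 rather than 255.255.255.0, and the port collision handled in translate_outbound: overload only works because the router can rewrite the source port, so two inside hosts using the same source port still get distinct entries in the translation table and replies can be mapped back by translate_inbound.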
Overall, each of these examples of how to NAT on a Cisco router has specific scenarios where it would be used. You can use a combination of these to configure the needed NAT in your network. Comment below with any questions!