ip nat outside on cisco router
Overlapping IP address ranges between your own LAN and the LAN of an organization you are partnering with are a common issue that network administrators face in their daily work. The textbook solution to this issue is NAT.
We will skip the explanation of the basic dynamic and static NAT configurations, which you use either to hide your internal IP addresses behind a public IP address in order to reach outside resources (dynamic NAT) or to make internal resources reachable from the outside world (static NAT). You can find tutorials for those configurations in the “Basic Configuration of Cisco Router” and “Basic Configuration of Cisco ASA” articles, as well as in the “Using NAT” article.
Destination address substitution
Let us look at an example in which we create a fictional (dummy) IP address that stands in for the real IP address overlapping with one in our own network, and redirects the traffic towards the real destination.
10.0.0.5 – the real IP address of the server that you need to reach
220.127.116.11 – the dummy IP address that will redirect the user’s traffic to 10.0.0.5
To implement this scenario, first mark the router’s interfaces as belonging to either the inside or the outside network with the following commands:
interface FastEthernet X
ip nat inside
interface FastEthernet Y
ip nat outside
After you’ve done that, enter the command:
ip nat outside source static 10.0.0.5 18.104.22.168
After creating that NAT rule, you must add a static route for the dummy IP address, directing traffic towards the real server. The router looks up the route for inside-to-outside traffic before it translates the destination address, so it needs a route for the dummy address itself.
A) If the server is located on a network directly connected to one of the router’s interfaces, use the server’s real IP address as the next hop:
ip route 22.214.171.124 255.255.255.255 10.0.0.5
B) If the server is located farther away in the network, behind some other router, use that device’s IP address as the next hop (x.x.x.x):
ip route 126.96.36.199 255.255.255.255 x.x.x.x
Use the command sh ip nat translations to check the active translations for your IP addresses. Your output should look similar to this:
R-DELTACONFIG-1#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
--- --- --- 188.8.131.52 10.0.0.5
--- --- --- 184.108.40.206 10.0.0.6
icmp 192.168.10.10:19662 192.168.10.10:19662 220.127.116.11:19662 10.0.0.5:19662
Substituting source and destination IP addresses at the same time
The scenario described above does not prevent you from using “regular” NAT alongside it. If you need to hide the real IP address of your workstation behind some “outside” IP address, you will have to create the usual translation rules, for example the ones used for dynamic NAT.
Let’s say the real IP address of our workstation is 192.168.10.5 (the source IP), and it needs to be hidden behind the dummy IP address 18.104.22.168.
Add the configuration lines for dynamic source address translation:
ip access-list extended ACL_NAT
permit ip host 192.168.10.5 any
ip nat pool NAT 22.214.171.124 126.96.36.199 netmask 255.255.255.0
ip nat inside source list ACL_NAT pool NAT
As a result of this configuration, a packet from our workstation (source IP 192.168.10.5) destined for 188.8.131.52 will leave the router with source 184.108.40.206 and destination 10.0.0.5. Both the source and the destination are rewritten as the packet traverses the router.
If you run into problems with this configuration, check the routes on all of your network devices. Every device needs to “know” the routes not only to your real IP addresses but to the dummy ones as well.
Don’t forget to save your configuration changes on all of your devices with the command write or copy run start. Otherwise you will lose all of your changes after the next reload.
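To make the address rewriting from this section and from the “Destination address substitution” section visible step by step, here is an added Python model of the router (an illustration written for this page, not code from the article or from Cisco). It uses the addresses from the ip nat outside source static and ip nat pool commands above (one dummy address and the first pool address), the case A static route, and two constructed connected routes for the inside LAN and the partner LAN. The order of operations it encodes follows Cisco’s documented NAT order: inside-to-outside traffic is routed first and translated afterwards, outside-to-inside traffic is translated first and routed afterwards, which is exactly why the route for the dummy address is required.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


class NatRouter:
    """Minimal model of the two IOS NAT rule types used in the article."""

    def __init__(self):
        self.outside_static = {}   # outside global (real) -> outside local (dummy)
        self.acl_hosts = set()     # hosts matched by the NAT access list
        self.pool = []             # unallocated inside global addresses
        self.inside_dynamic = {}   # inside local -> inside global, once allocated
        self.routes = {}           # ipaddress network -> next hop

    # Configuration helpers named after the CLI commands they mirror.
    def ip_nat_outside_source_static(self, outside_global, outside_local):
        self.outside_static[outside_global] = outside_local

    def ip_nat_inside_source_list_pool(self, acl_hosts, pool):
        self.acl_hosts = set(acl_hosts)
        self.pool = list(pool)

    def ip_route(self, prefix, next_hop):
        self.routes[ipaddress.ip_network(prefix)] = next_hop

    def next_hop(self, dst):
        """Longest-prefix match; None when no route covers dst."""
        addr = ipaddress.ip_address(dst)
        matches = [(net, nh) for net, nh in self.routes.items() if addr in net]
        if not matches:
            return None
        return max(matches, key=lambda m: m[0].prefixlen)[1]

    def inside_to_outside(self, pkt):
        """Inside -> outside: IOS routes first, then translates.

        The route lookup therefore sees the dummy (outside local) address,
        which is why the article requires a static route for it.
        """
        nh = self.next_hop(pkt.dst)
        if nh is None:
            return None, "dropped: no route for %s" % pkt.dst
        src, dst = pkt.src, pkt.dst
        # inside source list/pool: inside local -> inside global
        if src in self.acl_hosts:
            if src not in self.inside_dynamic:
                if not self.pool:
                    return None, "dropped: pool NAT exhausted"
                self.inside_dynamic[src] = self.pool.pop(0)
            src = self.inside_dynamic[src]
        # outside source static: outside local (dummy) -> outside global (real)
        for real, dummy in self.outside_static.items():
            if dst == dummy:
                dst = real
        return Packet(src, dst), "forwarded via %s" % nh

    def outside_to_inside(self, pkt):
        """Outside -> inside: IOS translates first, then routes."""
        src = self.outside_static.get(pkt.src, pkt.src)   # real -> dummy
        dst = pkt.dst
        for local, glob in self.inside_dynamic.items():   # inside global -> inside local
            if dst == glob:
                dst = local
        nh = self.next_hop(dst)
        if nh is None:
            return None, "dropped: no route for %s" % dst
        return Packet(src, dst), "forwarded via %s" % nh


def build_router(with_dummy_route=True):
    """Router configured with the article's addresses (case A: server directly connected)."""
    r = NatRouter()
    r.ip_nat_outside_source_static("10.0.0.5", "18.104.22.168")
    r.ip_nat_inside_source_list_pool(["192.168.10.5"], ["22.214.171.124"])
    r.ip_route("192.168.10.0/24", "connected")   # constructed: the inside LAN
    r.ip_route("10.0.0.0/24", "connected")       # constructed: the partner LAN
    if with_dummy_route:
        r.ip_route("18.104.22.168/32", "10.0.0.5")   # the case A static route
    return r


if __name__ == "__main__":
    r = build_router()
    print(r.inside_to_outside(Packet("192.168.10.5", "18.104.22.168")))
    print(r.outside_to_inside(Packet("10.0.0.5", "22.214.171.124")))
    print(build_router(False).inside_to_outside(Packet("192.168.10.5", "18.104.22.168")))
```

Running the model with the dummy route removed shows the packet being dropped before any translation takes place, which is the failure you see in practice when only the NAT rule is configured. A host that is not matched by ACL_NAT (for example 192.168.10.10) keeps its own address as the inside global, which is the same picture as the icmp line in the sh ip nat translations output above. On IOS releases that support it, the add-route keyword on ip nat outside source static installs the host route for the dummy address automatically; in either case confirm with show ip route that the route is actually present.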
This article was written by Alexey Yurchenko