Configuring Cisco

Using NAT on Cisco router

27.10.2016

The hardest thing about NAT in Cisco routers and ASA firewalls is understanding how to use the technology in real life. Tons of guide papers have been written, the Internet is full of gigabytes of information on the topic, yet the subject remains relevant. Truth is, 95% of absolute majority of people will only need to use just one of the two types of connections.

1) PAT (Port Address Translation)

A bunch of internal IP addresses are translated into a single external IP address when connecting to the outside world. While each packet destined to outside networks is being processed by a router or a Cisco ASA, the correlation of the actual internal IP address and port number of the source of the TCP connection is being remembered, which allows to correctly perform the reverse translation and transfer return packets.
This kind of NAT is used when you need to allow access FROM an internal network to external resources (such as the Internet).

Using NAT on Cisco router

2) Static NAT

This is translating addresses one-to-one. A specific public IP address is put together with an internal IP address. This kind of NAT translation is used when you need access FROM the outside world to a server or resource within the internal network or a DMZ.

Using NAT on Cisco router

Summary:

If you need access from the internal LAN to the outside world, it is most likely that you will have to configure PAT.
If you need access from the outside world to a certain internal resource, then you will have to configure static NAT.

deltaconfig cisco outsourcing

NAT configuration examples for the above cases

Cisco ASA (IOS below 8.3)

PAT
global (outside) 1 interface
nat (inside) 1 192.168.10.0 255.255.255.0

Static NAT
static (dmz,outside) interface 10.0.0.20 netmask 255.255.255.255

Important!
The keyword interface in this code specifies the devices own IP address that is assigned to the external interface (1.1.1.1). If the translation is being made into another IP address from the pool of IP addresses belonging to the external interface, then that address is specifically mentioned.

Cisco ASA (IOS above 8.3)

PAT
object-group network NET_LAN
network-object 192.168.10.0 255.255.255.0
nat (inside,outside) source dynamic NET_LAN interface

Static NAT
object network NAT_OUTSIDE_1.1.1.1
host 10.0.0.20
nat (dmz,outside) static interface

Cisco IOS Router

PAT
interface Ethernet X
ip address 192.168.10.1 255.255.255.0
ip nat inside
interface Ethernet Y
ip address 1.1.1.1 255.255.255.252
ip nat outside

ip nat pool POOL_PAT 1.1.1.1 1.1.1.1 //No mistakes here. An external address is mentioned twice.
ip access-list standard ACL_PAT
permit ip 192.168.10.0 0.0.0.255
ip nat inside source list ACL_PAT pool POOL_PAT overload

Static NAT
interface Ethernet Z
ip address 10.0.0.1 255.255.255.0
ip nat inside
interface Ethernet Y
ip address 1.1.1.1 255.255.255.252
ip nat outside

ip nat inside source static 10.0.0.20 interface Ethernet Y

Important!
This article includes only the simplest configuration examples for NAT translations, on purpose. More complex examples are covered in articles about basic Cisco router and Cisco ASA configurations.
Also there is a full explanation of port forwarding (static NAT) on Cisco ASA with configuration examples in this article.

This article was written by Alexey Yurchenko

Back to Table of contents

avatar
1 Comment threads
0 Thread replies
0 Followers
 
Most reacted comment
Hottest comment thread
1 Comment authors
Wisam Recent comment authors
newest oldest most voted
Wisam
Guest
Wisam

Thanks Alex, I enjoyed your lesson very much… Great site.
looking forward to see a WLC basic configuration.

×

How can I help you?