Tuesday, September 3, 2013

Basic NAT reminders

Below are some simple examples of NAT configurations on a Cisco router.

STATIC NAT:



interface fa0/0
 ip address 10.1.1.2 255.255.255.0
 ip nat outside
!
interface fa0/1
 ip address 10.1.3.2 255.255.255.0
 ip nat inside
!
! Static one-to-one mapping: inside local 10.1.3.1 <-> inside global 10.1.1.10
ip nat inside source static 10.1.3.1 10.1.1.10

R3#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- 10.1.1.10          10.1.3.1           ---                ---

host1#ping 10.1.1.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

R3#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 10.1.1.10:5       10.1.3.1:5         10.1.1.1:5         10.1.1.1:5
--- 10.1.1.10          10.1.3.1           ---                ---

PAT:




interface fa0/0
 ip address 10.1.1.2 255.255.255.0
 ip nat inside
!
interface fa0/1
 ip address 10.1.3.2 255.255.255.0
 ip nat outside
!
ip access-list extended NET_INSIDE
 permit ip 10.1.1.0 0.0.0.255 any
!
! PAT (overload): sources matching NET_INSIDE share the fa0/1 address
ip nat inside source list NET_INSIDE interface fa0/1 overload
!


R3#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 10.1.3.2:6        10.1.1.1:6         10.1.3.1:6         10.1.3.1:6



NAT SRC & DST:



interface fa0/0
 ip address 10.1.1.2 255.255.255.0
 ip nat inside
!
interface fa0/1
 ip address 10.1.3.2 255.255.255.0
 ip nat outside
!
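! Inside host 10.1.1.1 appears on the outside as 10.1.3.10
ip nat inside source static 10.1.1.1 10.1.3.10
! Outside host 10.1.3.1 appears on the inside as 10.1.1.10
ip nat outside source static 10.1.3.1 10.1.1.10
!
! Routing is done before inside-to-outside translation, so the outside local
! address 10.1.1.10 needs a route out of the outside interface
ip route 10.1.1.10 255.255.255.255 10.1.3.1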
!

R3#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- ---                ---                10.1.1.10          10.1.3.1
--- 10.1.3.10          10.1.1.1           ---                ---

R3#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- ---                ---                10.1.1.10          10.1.3.1
icmp 10.1.3.10:10      10.1.1.1:10        10.1.1.10:10       10.1.3.1:10
icmp 10.1.3.10:18      10.1.1.1:18        10.1.1.10:18       10.1.3.1:18
--- 10.1.3.10          10.1.1.1           ---                ---



Dynamic NAT:



interface fa0/0
 ip address 10.1.1.2 255.255.255.0
 ip nat inside
!
interface fa0/1
 ip address 10.1.3.2 255.255.255.0
 ip nat outside
!
ip access-list extended NET_INSIDE
 permit ip 10.1.1.0 0.0.0.255 any
!
! match-host keeps the host part of the address (10.1.1.10 -> 10.1.3.10)
ip nat pool NAT_OUTSIDE 10.1.3.1 10.1.3.254 prefix-length 24 type match-host
!!!!!!!!!!!!!!!!!!!!!!
! Alternative:
!ip nat pool NAT_OUTSIDE 10.1.3.9 10.1.3.254 prefix-length 24 type rotary
!!!!!!!!!!!!!!!!!!!!!!!!
!
ip nat inside source list NET_INSIDE pool NAT_OUTSIDE

R3#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 10.1.3.10:27      10.1.1.10:27       10.1.4.1:27        10.1.4.1:27
--- 10.1.3.10          10.1.1.10          ---                ---
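
The translation tables above are what lets you map an address seen on the outside back to the real inside host, for example when attributing a log entry. The following is an added example, not part of the original post: a small Python parser for `show ip nat translations` output. The names `parse_translations` and `inside_host_for` are hypothetical, and the sample input is constructed from the second "NAT SRC & DST" table above.

```python
import re
from typing import NamedTuple, Optional, Tuple
Endpoint = Optional[Tuple[str, Optional[int]]]   # (address, port/ICMP id) or None for '---'
class Entry(NamedTuple):
    proto: Optional[str]      # None for a static mapping (Pro column is '---')
    inside_global: Endpoint
    inside_local: Endpoint
    outside_local: Endpoint
    outside_global: Endpoint

_F = r"(---|\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?)"
_ROW = re.compile(rf"^\s*(---|[a-z]+)\s+{_F}\s+{_F}\s+{_F}\s+{_F}\s*$")

def _endpoint(field: str) -> Endpoint:
    if field == "---":
        return None
    addr, _, port = field.partition(":")
    return (addr, int(port) if port else None)

def parse_translations(text: str):
    """Parse the table rows; prompts, the header line and ping output are skipped."""
    entries = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            proto = None if m.group(1) == "---" else m.group(1)
            entries.append(Entry(proto, *map(_endpoint, m.groups()[1:])))
    return entries

def inside_host_for(entries, global_ip: str, port: Optional[int] = None):
    """Map an address (and optional port/ICMP id) seen outside to the inside local host."""
    static = None
    for e in entries:
        if e.inside_global is None or e.inside_global[0] != global_ip:
            continue
        if e.proto is None:
            static = e.inside_local[0]      # permanent one-to-one mapping
        elif port is not None and e.inside_global[1] == port:
            return e.inside_local[0]        # exact session match wins
    return static

# Constructed sample: the second "NAT SRC & DST" table from this page.
SAMPLE = """\
Pro Inside global      Inside local       Outside local      Outside global
--- ---                ---                10.1.1.10          10.1.3.1
icmp 10.1.3.10:10      10.1.1.1:10        10.1.1.10:10       10.1.3.1:10
icmp 10.1.3.10:18      10.1.1.1:18        10.1.1.10:18       10.1.3.1:18
--- 10.1.3.10          10.1.1.1           ---                ---
"""
```

For an overload table like the one in the PAT section, the address alone resolves to nothing and the port or ICMP identifier is required, so that value has to be logged if translated traffic is to be attributed later.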