
Tuesday, September 3, 2013

Basic NAT reminders

Below are some simple examples of NAT configurations on a Cisco router, each followed by the resulting translation table.

STATIC NAT:



interface fa0/0
 ip address 10.1.1.2 255.255.255.0
 ip nat outside
!
interface fa0/1
 ip address 10.1.3.2 255.255.255.0
 ip nat inside
!
ip nat inside source static 10.1.3.1 10.1.1.10

R3#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- 10.1.1.10          10.1.3.1           ---                ---
host1#ping 10.1.1.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
R3#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 10.1.1.10:5       10.1.3.1:5         10.1.1.1:5         10.1.1.1:5
--- 10.1.1.10          10.1.3.1           ---                ---

PAT:




interface fa0/0
 ip address 10.1.1.2 255.255.255.0
 ip nat inside
!
interface fa0/1
 ip address 10.1.3.2 255.255.255.0
 ip nat outside
!
ip access-list extended NET_INSIDE
 permit ip 10.1.1.0 0.0.0.255 any
!
ip nat inside source list NET_INSIDE interface fa0/1 overload
!


R3#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 10.1.3.2:6        10.1.1.1:6         10.1.3.1:6         10.1.3.1:6



NAT SRC & DST:



interface fa0/0
 ip address 10.1.1.2 255.255.255.0
 ip nat inside
!
interface fa0/1
 ip address 10.1.3.2 255.255.255.0
 ip nat outside
!
ip nat inside source static 10.1.1.1 10.1.3.10
ip nat outside source static 10.1.3.1 10.1.1.10
!
ip route 10.1.1.10 255.255.255.255 10.1.3.1
!

R3#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- ---                ---                10.1.1.10          10.1.3.1
--- 10.1.3.10          10.1.1.1           ---                ---

R3#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- ---                ---                10.1.1.10          10.1.3.1
icmp 10.1.3.10:10      10.1.1.1:10        10.1.1.10:10       10.1.3.1:10
icmp 10.1.3.10:18      10.1.1.1:18        10.1.1.10:18       10.1.3.1:18
--- 10.1.3.10          10.1.1.1           ---                ---



Dynamic NAT:



interface fa0/0
 ip address 10.1.1.2 255.255.255.0
 ip nat inside
!
interface fa0/1
 ip address 10.1.3.2 255.255.255.0
 ip nat outside
!
ip access-list extended NET_INSIDE
 permit ip 10.1.1.0 0.0.0.255 any
!
ip nat pool NAT_OUTSIDE 10.1.3.1 10.1.3.254 prefix-length 24 type match-host
!!!!!!!!!!!!!!!!!!!!!!
! Alternative:
!ip nat pool NAT_OUTSIDE 10.1.3.9 10.1.3.254 prefix-length 24 type rotary
!!!!!!!!!!!!!!!!!!!!!!!!
!
ip nat inside source list NET_INSIDE pool NAT_OUTSIDE

R3#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 10.1.3.10:27      10.1.1.10:27       10.1.4.1:27        10.1.4.1:27
--- 10.1.3.10          10.1.1.10          ---                ---
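The translation tables in every section above share one layout, and the `---` placeholders are what distinguish a static mapping from a live flow. As an added example that is not part of the original post, the Python below parses that `show ip nat translations` format and compares the static entries against the mappings the configuration is supposed to create; the sample input is the NAT SRC & DST table from above, and the expected mappings passed to `audit_static` are assumptions taken from that section's two `static` lines.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the NAT SRC & DST translation table from the post.
SAMPLE = """\
R3#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- ---                ---                10.1.1.10          10.1.3.1
icmp 10.1.3.10:10      10.1.1.1:10        10.1.1.10:10       10.1.3.1:10
--- 10.1.3.10          10.1.1.1           ---                ---
"""

@dataclass
class Translation:
    proto: Optional[str]            # None when IOS prints '---' (static entry)
    inside_global: Optional[str]
    inside_local: Optional[str]
    outside_local: Optional[str]
    outside_global: Optional[str]

    @property
    def is_static(self) -> bool:
        return self.proto is None

def _field(token: str) -> Optional[str]:
    return None if token == "---" else token

def parse_translations(text: str) -> List[Translation]:
    """Turn 'show ip nat translations' output into Translation records."""
    entries = []
    for line in text.splitlines():
        cols = line.split()
        # Data rows have exactly five columns; the prompt and header do not.
        if len(cols) != 5 or cols[0] == "Pro":
            continue
        entries.append(Translation(*map(_field, cols)))
    return entries

def static_mappings(entries: List[Translation]) -> Tuple[Dict[str, str], Dict[str, str]]:
    """{inside_local: inside_global} for 'inside source static' entries and
    {outside_global: outside_local} for 'outside source static' entries."""
    inside = {e.inside_local: e.inside_global for e in entries if e.is_static and e.inside_local}
    outside = {e.outside_global: e.outside_local for e in entries if e.is_static and e.outside_global}
    return inside, outside

def audit_static(entries, expected_inside: Dict[str, str], expected_outside: Dict[str, str]):
    """Return (missing, unexpected) static mappings relative to what was configured."""
    inside, outside = static_mappings(entries)
    found = {("in", k, v) for k, v in inside.items()} | {("out", k, v) for k, v in outside.items()}
    wanted = {("in", k, v) for k, v in expected_inside.items()} | {("out", k, v) for k, v in expected_outside.items()}
    return sorted(wanted - found), sorted(found - wanted)
```

Feeding the router's live table through `audit_static` on a schedule flags a static mapping that silently disappeared or one that nobody configured.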




Thursday, August 9, 2012

VPN connection and Internet Access

When you are connected to a VPN session, you can normally reach the corporate LAN.
However, it is also possible to reach the Internet at the same time.

To do this on an ASA, you have to configure a NAT rule.
All traffic bound for the Internet has to use the address of the Internet-facing interface as its source IP address.

The configuration below is an example that can be applied:

ip local pool Pool_VPN 192.168.40.10-192.168.40.250 mask 255.255.255.0
!
interface GigabitEthernet0/1
 description Outside Facing Interface
 nameif INTERNET
 security-level 0
 ip address 199.199.199.199 255.255.255.240
!
object network NAT-VPN-POOL
 subnet 192.168.40.0 255.255.255.0
 description Pool VPN
!
object network NAT-VPN-POOL
 nat (any,INTERNET) dynamic interface

All traffic whose source address is in the VPN IP pool and whose destination is on the Internet will match this NAT rule.
Its source address will be translated to the address of the outside interface.