



In this tutorial, we are going to illustrate how to configure two of the most common forms of Network Address Translation (NAT) on Cisco routers.

Company XYZ and Company J have a problem. Both companies use the same private (RFC 1918) address space for their campus networks. Because the addressing is duplicated, they can't route to each other's identical network, so they will have to present each other with unique addresses by using network address translation.

In this example we need to configure Router A to use static (1-to-1) NAT for the e-commerce server's local address, 192.168.1.200. This is required because traffic from Company J will initiate the session into the server, which requires a dedicated IP address that's unique to both companies. Typically this is an ARIN-registered public address. A public address is not required; if an RFC 1918 address is used instead, both companies must agree on it.

The second requirement is that Company J must NAT all clients on its internal 192.168.1.0/24 network. It will use Port Address Translation (PAT), which allows all of its clients to share one unique address when talking to the remote e-commerce server at Company XYZ.

| SYNTAX | DESCRIPTION |
| --- | --- |
| Router A | |
| conf t | Enter Global Configuration mode |
| ip nat inside source static 192.168.1.200 40.1.1.1 | Configures static NAT for the e-commerce server. This takes traffic coming into the router from Company J that is destined for 40.1.1.1 and translates the destination address of the IP packet to the real server address, 192.168.1.200. The response back from the server is translated in the opposite fashion. |
| interface fastethernet 0/0 | Enter interface-config mode |
| ip nat inside | Enables NAT on the interface, marking it as the inside interface |
| interface serial 0/0 | Enter interface-config mode |
| ip nat outside | Enables NAT on the interface, marking it as the outside interface |
| Router B | |
| conf t | Enter Global Configuration mode |
| interface loopback 1 | Creates a logical interface, to be used later by NAT |
| ip address 50.1.1.1 255.255.255.255 | Configures a unique address on the loopback, which will be used to NAT all clients connecting outbound to the remote e-commerce server |
| exit | Exit interface-config mode |
| access-list 10 permit 192.168.1.0 0.0.0.255 | Creates a standard access list, which is used in the NAT config to identify the source address of traffic from the LAN that will be NATed. In this case, the ACL matches any traffic from the entire 192.168.1.0/24 network |
| ip nat inside source list 10 interface loopback1 overload | Configures port address translation (PAT), which in Cisco terms is considered "overload" NAT. In this config, all traffic identified in ACL 10 will have its source address translated to the loopback 1 address, which is 50.1.1.1. Note: this doesn't affect the destination address in the IP packet header |
| interface fastethernet 0/0 | Enter interface-config mode |
| ip nat inside | Enables NAT on the interface, marking it as the inside interface |
| interface serial 0/0 | Enter interface-config mode |
| ip nat outside | Enables NAT on the interface, marking it as the outside interface |

In both the Router A and Router B configs, we are doing source-based NAT, so for traffic leaving each site we are translating only the source address field in the IP packet header. This is so each site sees the other coming from unique address space.

Keep in mind that PAT, or overload NAT, only works with certain applications. Most commonly it is used for outbound TCP applications like HTTP and FTP. It will not work when the session is initiated from the outside in. Also keep in mind that NAT takes up resources like memory, and this can become an issue depending on the number of clients that are being translated. Lastly, you still need to have either static or dynamically learned routes to the NAT addresses.
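
The behaviour described above can be traced with a small model of the two translation tables. This is an added example, not Cisco code or part of the original tutorial: the class and function names are hypothetical, packets are simplified to address/port tuples, and the sequential PAT port allocation is an assumption rather than how a router picks ports.

```python
# Toy model of the two NAT types configured above; hypothetical names, not IOS code.
# Packets are (src_ip, src_port, dst_ip, dst_port) tuples.

class StaticNat:
    """Router A: ip nat inside source static 192.168.1.200 40.1.1.1"""
    def __init__(self, local, glob):
        self.local, self.glob = local, glob

    def outbound(self, pkt):            # inside -> outside: rewrite source
        src, sport, dst, dport = pkt
        return (self.glob if src == self.local else src, sport, dst, dport)

    def inbound(self, pkt):             # outside -> inside: rewrite destination
        src, sport, dst, dport = pkt
        # The mapping is permanent, so outside-initiated sessions work.
        return (src, sport, self.local, dport) if dst == self.glob else None


class Pat:
    """Router B: ip nat inside source list 10 interface loopback1 overload"""
    def __init__(self, global_ip, first_port=1024):
        self.global_ip, self.next_port = global_ip, first_port
        self.by_inside = {}             # (inside ip, port) -> global port
        self.by_global = {}             # global port -> (inside ip, port)

    def outbound(self, pkt):
        src, sport, dst, dport = pkt
        if (src, sport) not in self.by_inside:
            # Assumption: sequential allocation; each new session costs one entry.
            self.by_inside[(src, sport)] = self.next_port
            self.by_global[self.next_port] = (src, sport)
            self.next_port += 1
        return (self.global_ip, self.by_inside[(src, sport)], dst, dport)

    def inbound(self, pkt):
        src, sport, dst, dport = pkt
        # No entry exists until an inside host has sent traffic, so
        # outside-initiated packets have nothing to match and are dropped.
        if dst != self.global_ip or dport not in self.by_global:
            return None
        ip, port = self.by_global[dport]
        return (src, sport, ip, port)


def round_trip(pat, static, client_ip, client_port):
    """Company J client -> Router B (PAT) -> Router A (static) -> server, and back."""
    at_server = static.inbound(pat.outbound((client_ip, client_port, "40.1.1.1", 80)))
    reply = (at_server[2], at_server[3], at_server[0], at_server[1])
    return at_server, pat.inbound(static.outbound(reply))
```

The static mapping on Router A translates every destination port sent to 40.1.1.1, so any restriction on what Company J may reach on the server has to come from an access list rather than from NAT itself.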