Table of Contents
1. Introduction
2. Understanding Network Address Translation (NAT)
2.1 Static NAT
2.2 Dynamic NAT
2.3 NAT Overload (PAT)
3. Configuring NAT for IPv4
3.1 Designating Inside and Outside Interfaces
3.2 Configuring Static NAT
3.3 Configuring Dynamic NAT
3.4 Configuring NAT Overload
4. Monitoring and Verifying NAT Configurations
4.1 Viewing NAT Translations
4.2 Viewing NAT Statistics
5. Configuration Examples
5.1 Example: Static NAT Configuration
5.2 Example: Dynamic NAT Configuration with Pool
5.3 Example: Dynamic NAT Configuration with Overload
6. Best Practices for NAT Configuration
7. Troubleshooting NAT Issues
8. Conclusion
1. Introduction
Network Address Translation (NAT) allows multiple devices on a private network to access external networks using a single public IP address or a pool of public IP addresses. This guide covers the configuration of NAT for IPv4, including static, dynamic, and NAT overload (PAT) setups.
2. Understanding Network Address Translation (NAT)
2.1 Static NAT
Static NAT maps a private IP address to a public IP address, providing a one-to-one translation. This is useful for servers that need to be accessible from the internet.
2.2 Dynamic NAT
Dynamic NAT uses a pool of public IP addresses and assigns them to private IP addresses on a first-come, first-served basis. This is useful for internal devices that need to access the internet but do not require a permanent public IP address.
2.3 NAT Overload (PAT)
NAT Overload, also known as Port Address Translation (PAT), allows multiple devices to share a single public IP address by using different ports. This is the most common form of NAT used in home and small office networks.
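How the dynamic NAT of section 2.2 and the PAT of section 2.3 differ in behaviour, as an added Python model that is not part of the original guide and not router code. The class names, the simplified port-selection rule and the inside host addresses are assumptions made for illustration.

```python
import ipaddress
from itertools import chain

class DynamicNat:
    """Section 2.2: one pool address per inside host, first come, first served."""
    def __init__(self, first, last):
        lo, hi = (int(ipaddress.IPv4Address(a)) for a in (first, last))
        self.free = [str(ipaddress.IPv4Address(n)) for n in range(lo, hi + 1)]
        self.table = {}                       # inside local -> inside global

    def translate(self, inside_ip):
        if inside_ip not in self.table:
            if not self.free:
                return None                   # pool exhausted, no translation
            self.table[inside_ip] = self.free.pop(0)
        return self.table[inside_ip]

class Pat:
    """Section 2.3: inside hosts share one public address, told apart by port."""
    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.out = {}                         # (inside ip, port) -> public port
        self.back = {}                        # public port -> (inside ip, port)

    def outbound(self, inside_ip, inside_port):
        key = (inside_ip, inside_port)
        if key not in self.out:
            # Simplified rule (assumption): keep the source port if it is free,
            # otherwise take the lowest unused port from 1024 upward.
            for port in chain([inside_port], range(1024, 65536)):
                if port not in self.back:
                    break
            else:
                return None                   # every port is in use
            self.out[key], self.back[port] = port, key
        return self.public_ip, self.out[key]

    def inbound(self, public_port):
        # Only traffic that matches an existing entry is translated back.
        return self.back.get(public_port)

def demo():
    """Seven hosts against the guide's six-address pool, then two PAT flows."""
    dyn = DynamicNat("73.2.34.138", "73.2.34.143")
    leases = [dyn.translate(f"192.168.10.{n}") for n in range(1, 8)]
    pat = Pat("73.2.34.138")
    flows = [pat.outbound("192.168.10.1", 50000), pat.outbound("192.168.10.2", 50000)]
    return leases, flows, pat.inbound(1024), pat.inbound(443)
```

The seventh host gets no address from the six-address pool, while under PAT two hosts using the same source port are separated by rewriting one of the ports.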
3. Configuring NAT for IPv4
3.1 Designating Inside and Outside Interfaces
To configure NAT, interfaces must be designated as inside or outside.
R-1(config)# interface fa0/0
R-1(config-if)# ip nat inside
R-1(config)# interface serial 0/0/0
R-1(config-if)# ip nat outside
3.2 Configuring Static NAT
Static NAT requires a single statement to map the inside IP address to the outside IP address.
R-1(config)# ip nat inside source static 192.168.10.22 73.2.34.137
3.3 Configuring Dynamic NAT
Dynamic NAT uses a pool of public IP addresses and an access control list (ACL) to define which internal addresses can be translated.
Define the NAT pool:
R-1(config)# ip nat pool POOL-NAME 73.2.34.138 73.2.34.143 netmask 255.255.255.248
or
R-1(config)# ip nat pool POOL-NAME 73.2.34.138 73.2.34.143 prefix-length 29
Create an ACL to specify which internal addresses are eligible for NAT:
R-1(config)# ip access-list standard NAT-ELIGIBLE
R-1(config-std-nacl)# permit 192.168.10.0 0.0.0.255
R-1(config-std-nacl)# deny any
Link the NAT pool to the ACL:
R-1(config)# ip nat inside source list NAT-ELIGIBLE pool POOL-NAME
3.4 Configuring NAT Overload
NAT Overload allows multiple internal addresses to share a single public IP address.
Link the NAT pool to the ACL with overload:
R-1(config)# ip nat inside source list NAT-ELIGIBLE pool POOL-NAME overload
Alternatively, use the outside interface with overload:
R-1(config)# ip nat inside source list NAT-ELIGIBLE interface serial 0/0/0 overload
4. Monitoring and Verifying NAT Configurations
4.1 Viewing NAT Translations
To view current NAT translations, use:
R-1# show ip nat translations
4.2 Viewing NAT Statistics
To view NAT statistics, use:
R-1# show ip nat statistics
5. Configuration Examples
5.1 Example: Static NAT Configuration
Designate interfaces:
R-1(config)# interface fa0/0
R-1(config-if)# ip nat inside
R-1(config)# interface serial 0/0/0
R-1(config-if)# ip nat outside
Configure static NAT:
R-1(config)# ip nat inside source static 192.168.10.22 73.2.34.137
5.2 Example: Dynamic NAT Configuration with Pool
Designate interfaces:
R-1(config)# interface fa0/0
R-1(config-if)# ip nat inside
R-1(config)# interface serial 0/0/0
R-1(config-if)# ip nat outside
Define NAT pool and ACL:
R-1(config)# ip nat pool POOL-NAME 73.2.34.138 73.2.34.143 netmask 255.255.255.248
R-1(config)# ip access-list standard NAT-ELIGIBLE
R-1(config-std-nacl)# permit 192.168.10.0 0.0.0.255
R-1(config-std-nacl)# deny any
Link NAT pool to ACL:
R-1(config)# ip nat inside source list NAT-ELIGIBLE pool POOL-NAME
5.3 Example: Dynamic NAT Configuration with Overload
Designate interfaces:
R-1(config)# interface fa0/0
R-1(config-if)# ip nat inside
R-1(config)# interface serial 0/0/0
R-1(config-if)# ip nat outside
Define NAT pool and ACL:
R-1(config)# ip nat pool POOL-NAME 73.2.34.138 73.2.34.143 netmask 255.255.255.248
R-1(config)# ip access-list standard NAT-ELIGIBLE
R-1(config-std-nacl)# permit 192.168.10.0 0.0.0.255
R-1(config-std-nacl)# deny any
Configure NAT overload:
R-1(config)# ip nat inside source list NAT-ELIGIBLE pool POOL-NAME overload
or
R-1(config)# ip nat inside source list NAT-ELIGIBLE interface serial 0/0/0 overload
6. Best Practices for NAT Configuration
- Clearly define and document all NAT rules.
- Regularly review and update NAT configurations to match current network policies.
- Monitor NAT performance and troubleshoot issues promptly.
- Use specific and concise rules to minimize unnecessary traffic inspection.
7. Troubleshooting NAT Issues
- Check NAT Translations: Use show ip nat translations to verify active translations.
- Verify Interface Configuration: Ensure the correct interfaces are designated as inside or outside.
- Check ACLs: Ensure ACLs are correctly defining the internal addresses eligible for NAT.
- Monitor NAT Statistics: Use show ip nat statistics to check the number of active translations and interface roles.
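The interface and ACL checks from the list above, run against saved configuration text. This is an added Python example, not part of the original guide and not a Cisco tool; the function name audit_nat, the finding messages and the constructed BROKEN sample are assumptions for illustration.

```python
import ipaddress
import re

def audit_nat(config):
    """Return findings for the NAT statements in IOS-style configuration text."""
    roles, acls, pools, rules, findings = {}, set(), {}, [], []
    iface = None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):
            iface = None                          # back at global config level
        if m := re.fullmatch(r"interface (.+)", line):
            iface = m[1].replace(" ", "").lower()
        elif iface and (m := re.fullmatch(r"ip nat (inside|outside)", line)):
            roles[iface] = m[1]
        elif m := re.fullmatch(r"ip access-list standard (\S+)", line):
            acls.add(m[1])
        elif m := re.fullmatch(r"ip nat pool (\S+) (\S+) (\S+) (?:netmask|prefix-length) (\S+)", line):
            pools[m[1]] = (m[2], m[3], m[4])
        elif m := re.fullmatch(r"ip nat inside source list (\S+) (pool|interface) (.+?)( overload)?", line):
            rules.append((m[1], m[2], m[3]))
    for role in ("inside", "outside"):
        if role not in roles.values():
            findings.append(f"no interface is marked 'ip nat {role}'")
    for name, (first, last, mask) in pools.items():
        net = ipaddress.ip_network(f"{first}/{mask}", strict=False)
        if ipaddress.ip_address(last) not in net:
            findings.append(f"pool {name}: {last} is outside {net}")
    for acl, kind, target in rules:
        if acl not in acls:
            findings.append(f"NAT rule references undefined ACL {acl}")
        if kind == "pool" and target not in pools:
            findings.append(f"NAT rule references undefined pool {target}")
        if kind == "interface" and roles.get(target.replace(" ", "").lower()) != "outside":
            findings.append(f"overload interface {target} is not 'ip nat outside'")
    return findings

# Constructed sample: no 'ip nat outside' interface, and the ACL is named
# NAT-ELIGBLE while the NAT rule refers to NAT-ELIGIBLE.
BROKEN = """\
interface FastEthernet0/0
 ip nat inside
interface Serial0/0/0
ip nat pool POOL-NAME 73.2.34.138 73.2.34.143 netmask 255.255.255.248
ip nat inside source list NAT-ELIGIBLE pool POOL-NAME overload
ip access-list standard NAT-ELIGBLE
 permit 192.168.10.0 0.0.0.255
"""
```

Calling audit_nat(BROKEN) returns one finding for the missing outside interface and one for the misspelled ACL name.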
8. Conclusion
Configuring NAT for IPv4 allows efficient management of public IP addresses and provides secure internet access for internal devices. By understanding and properly configuring static, dynamic, and overload NAT, network administrators can enhance network performance and security.