How to configure static nat on cisco routers
Download as DOCX, PDF3 likes30,165 views
This document provides instructions for configuring static network address translation (NAT) on a Cisco router to map a private IP address to a public IP address. It explains that NAT allows private IP addresses on an internal network to be represented by public IP addresses on the external network. It then outlines the steps to configure static NAT on a Cisco router by defining the inside and outside interfaces, and using commands like "ip nat inside" and "ip nat outside" to identify the interfaces and "ip nat inside source static" to define the address mapping. It verifies the NAT configuration is working properly using show commands.
How to configure static nat on cisco routers
- 1. How to Configure Static NAT on Cisco Routers? Network Address Translation (NAT) is an operation by which source and/or destination IP addresses within a packet are replaced with different IP addresses. NAT conserves available IP address space by allowing many private IP addresses to be represented by some smaller number of public IP addresses. Private IP addresses are defined in RFC 1918 and are addresses that cannot be used on the Internet. NAT is most commonly performed by routers or firewalls; however this tutorial focuses on NAT within Cisco routers. NAT can be performed both statically and dynamically. Static NAT simply maps one private IP address to a single public IP address, and this is the flavor of NAT we are discussing in this tutorial. A Cisco router performing NAT divides its universe into the inside and the outside. Typically the inside is a private enterprise, and the outside is the public Internet. In addition to the notion of inside and outside, a Cisco NAT router classifies addresses as either local or global. A local address is an address that is seen by devices on the inside, and a global address is an address that is seen by devices on the outside. Given these four terms, an address may be one of four types: 1. Inside local addresses are assigned to inside devices. These addresses are not advertised to the outside. 2. Inside global are addresses by which inside devices are known to the outside. 3. Outside local are addresses by which outside devices are known to the inside. 4. Outside global addresses are assigned to outside devices. These addresses are not advertised to the inside. Let’s jump right into NAT configuration on a Cisco router as shown in the Figure below: R1 is the router performing Network Address Translation (NAT) and has two
- 2. interfaces: Fa0/0 on the inside and Fa0/1 on the outside. The specific IP addresses involved are: Table 1 NAT Addresses for Figure Above NAT Address Type IP Address Inside local 192.168.1.2 Inside global 89.203.12.47 Outside local 202.14.35.28 Outside global 202.14.35.28 You probably know very well how to configure IP addresses on router interfaces, so we skip those configuration steps and move straight to the interesting stuff. First, we have to assign Fa0/0 as NAT inside interface and Fa0/1 as NAT outside interface on R1. This would tell the router that interesting traffic entering or exiting these two interfaces will be subject to address translation. R1#conf term Enter configuration commands, one per line. End with CNTL/Z. R1(config)#interface Fa0/0 R1(config-if)#ip nat inside R1(config-if)#interface Fa0/1 R1(config-if)#ip nat outside R1(config-if)#end Now we would tell the router how to perform address translation and mention which IP addresses (source or destination) to re-write in packets moving between the inside and outside interfaces. Here we go: R1(config)#ip nat inside source static 192.168.1.2 89.203.12.47 Here, we are telling the router to perform NAT on packets coming into the router on the inside interface Fa0/0. More specifically the router would identify which of these packets have a source IP address of 192.168.1.2 and would change it to 89.203.12.47 before forwarding the packet out the outside interface Fa0/1. Similarly, return packets coming in at outside interface Fa0/1 would undergo translation of destination IP address. Let’s now verify if NAT is actually working as it is supposed to work. There are a couple of very useful Cisco IOS commands that can be used to do just that. Command show ip nat statisticsdisplays the number of static and dynamic NAT translations, inside and outside interfaces, and the number of hits and misses. R1#show ip nat statistics Total active translations: 1 (1 static, 0 dynamic; 0 extended) Outside interfaces: FastEthernet0/1 Inside interfaces:
- 3. FastEthernet0/0 Hits: 0 Misses: 0 CEF Translated packets: 0, CEF Punted packets: 0 Expired translations: 0 Dynamic mappings: Appl doors: 0 Normal doors: 0 Queued Packets: 0 Command show ip nat translations displays the IP addresses for NAT translations. R1#show ip nat translations Pro Inside global Inside local Outside local Outside global — 89.203.12.47 192.168.1.2 — — As you see in the above output, we have one NAT entry configured with Inside global address 89.203.12.47 and Inside local address 192.168.1.2 specified. Outside local and Outside globaladdresses are blank because our NAT configuration does not change those addresses. Let’s now go to the PC and ping the Server before running the command show ip nat translations again to see if it makes any difference. R1#show ip nat statistics Total active translations: 2 (1 static, 1 dynamic; 1 extended) Outside interfaces: FastEthernet0/1 Inside interfaces: FastEthernet0/0 Hits: 10 Misses: 0 CEF Translated packets: 10, CEF Punted packets: 0 Expired translations: 0 Dynamic mappings: Appl doors: 0 Normal doors: 0 Queued Packets: 0 R1#show ip nat translations Pro Inside global Inside local Outside local Outside global icmp 89.203.12.47:1 192.168.1.2:1 202.14.35.28:1 202.14.35.28:1 — 89.203.12.47 192.168.1.2 — — As you can see in the above output, NAT is active as manifested by the appearance of an additional dynamic entry for ICMP protocol and some additional hits, corresponding to our ping attempt from PC to Server.
- 4. We just configured and verified a simple NAT scenario translating only the source or destination (not both at the same time) IP addresses of packets moving between inside and outside interfaces. This sort of NAT configuration is called static NAT as a single inside local IP address is statically mapped to a single outside local IP address. Another important feature of NAT is static Port Address Translation (PAT). Static PAT is designed to allow one-to-one mapping between local and global addresses. A common use of static PAT is to allow Internet users from the public network to access a Web server located in the private network. Let’s assume we intend to host a Web server on the inside on the same PC, that has an IP address 192.168.1.2. The following configuration line would allow us to do just that: R1(config)#ip nat inside source static tcp 192.168.1.2 80 89.203.12.47 80 This configuration line performs the static address translation for the Web server. With this configuration line, users that try to reach 89.203.12.47 port 80 (www) are automatically redirected to 192.168.1.2 port 80 (www). In our case, 192.168.1.2 is the IP address of the PC which is also the Web server. This configuration can be verified using the same two NAT verification commands: show ip nat translations and show ip nat statistics. Notice that the address 89.203.12.47 with port number 80 (HTTP) translates to 192.168.1.2 port 80, and vice versa. Therefore, Internet users can browse the Web server even though the Web server is on a private network with a private IP address. More Related NAT Tips: How to Configure Basic NAT with Overloading? How to Configure Static NAT for Inbound Connections? How to Configure NAT in Cisco IOS? How to Set up NAT Using the Cisco IOS?