Defining NAT Inside and Outside Interfaces

The first step to deploy NAT is to define NAT inside and outside
interfaces. You may find it easiest to define your internal network as
inside, and the external network as outside. However, the terms
internal and external are subject to arbitration as well. This figure
shows an example of this.

Define what you're trying to accomplish with NAT

Allow internal users to access the internet

Allow the internet to access internal devices
Redirect TCP traffic to another TCP port or address?
Redirect TCP traffic to another TCP port or address
NAT during a network transition
Allow overlapping networks to communicate

Configure NAT

Configure NAT in order to accomplish what you defined above.

Based on what you defined in step 2, you need determine which
of the following features to use:

Static NAT
Dynamic NAT
Overloading (PAT)
Any combination of the above

Static NAT
Uses a one-to-one mapping of local and global addresses, and these
mappings remain constant. Static NAT is particularly useful for web
servers or hosts that must have a consistent address that is accessible
from the Internet.

Step 1) Configure the static translation of an inside local address to an

inside global address:
Router(config)#ip nat inside source static local-ip global-ip

Step 2) Specify the inside interface:

Router(config)#interface type number
Router(config-if)#ip nat inside

Step 3) Specify the outside interface:

Router(config)#interface type number
Router(config-if)#ip nat outside

Static NAT Example

Dynamic NAT
Uses a pool of public addresses and assigns them on a first-come, first-served basis. When a
host with a private IP address requests access to the Internet, dynamic NAT chooses an IP
address from the pool that is not already in use by another host.
Step 1) Define a pool of global addresses to be allocated
Router(config)#ip nat pool name start-ip end-ip {netmask netmask |prefix-length prefix-length}

Step 2) Define a standard access list permitting those addresses that are to be translated
Router(config)#access-list access-list-number source source-wildcard

Step 3) Bind the pool of addresses to the access list

Router(config)#ip nat inside source list access-list-number pool name

Step 4) Specify the inside interface

Router(config)#interface type number
Router(config-if)#ip nat inside

Step 5) Specify the outside interface

Router(config)#interface type number
Router(config-if)#ip nat outside

Dynamic NAT Example

NAT Overload (PAT)

NAT overloading (sometimes called Port Address Translation [PAT]) maps multiple private IP
addresses to a single public IP address or a few addresses. To do this, each private address is also
tracked by a port number. When a response comes back from outside, port numbers determine to
which client the NAT router translates the packets.
Commonly with home networks and small to medium-sized businesses, the ISP assigns only one
registered IP address to your router. Therefore, it is necessary to overload that one IP address so
that multiple inside clients can use it simultaneously.
The configuration is similar to dynamic NAT, except that instead of a pool of addresses, the
interface keyword is used to identify the outside IP address. Therefore, no NAT pool is defined. The
overload keyword enables the addition of the port number to the translation.

NAT Overload Descriptions

1. PC1 and PC2 send packets destined for the Internet.

2. When the packets arrive at R2, NAT overload changes the source address to the inside global IP
address and keeps the assigned port numbers (1555 and 1331 in this example) to identify the client from
which the packet originated.
3. R2 updates its NAT table. Notice the assigned ports. R2 then routes the packets to the Internet.
4. When the web server replies, R2 uses the destination source port to translate the packet to the
correct client.

NAT Overload Example

R2(config)#ip nat inside source list 1 pool NAT-POOL1 overload

Practical Example (1)

Allowing Internal Users to Access the Internet
interface ethernet 0
ip address 10.10.10.1 255.255.255.0
ip nat inside
(Defines Ethernet 0 with an IP address and as a NAT inside interface)
interface ethernet 1
ip address 10.10.20.1 255.255.255.0
ip nat inside
(Defines Ethernet 1 with an IP address and as a NAT inside interface)
interface serial 0
ip address 172.16.10.64 255.255.255.0
ip nat outside
(Defines serial 0 with an IP address and as a NAT outside interface)
ip nat pool no-overload 172.16.10.1 172.16.10.63 prefix 24
(Defines a NAT pool named no-overload with a range of addresses
172.16.10.1 - 172.16.10.63)
ip nat inside source list 7 pool no-overload
(Indicates that any packets received on the inside interface that
are permitted by access-list 7 has the source address translated to
an address out of the NAT pool "no-overload)
access-list 7 permit 10.10.10.0 0.0.0.31
access-list 7 permit 10.10.20.0 0.0.0.31
(Access-list 7 permits packets with source addresses ranging from
10.10.10.0 through 10.10.10.31 and 10.10.20.0 through 10.10.20.31)

Practical Example (2)

Configuring NAT to Allow Internal Users to Access the Internet Using Overloading

interface ethernet 0
ip address 10.10.10.1 255.255.255.0
ip nat inside
(Defines Ethernet 0 with an IP address and as a NAT inside interface)
interface ethernet 1
ip address 10.10.20.1 255.255.255.0
ip nat inside
(Defines Ethernet 1 with an IP address and as a NAT inside interface)
interface serial 0
ip address 172.16.10.64 255.255.255.0
ip nat outside
(Defines serial 0 with an IP address and as a NAT outside interface)
ip nat pool ovrld 172.16.10.1 172.16.10.1 prefix 24
!
(Defines a NAT pool named ovrld with a range of a single IP
address, 172.16.10.1)
ip nat inside source list 7 pool ovrld overload
(Indicates that any packets received on the inside interface that are
permitted by access-list 7 has the source address translated to an
address out of the NAT pool named ovrld.
Translations are
overloaded, which allows multiple inside devices to be translated to
the same valid IP address)
access-list 7 permit 10.10.10.0 0.0.0.31
access-list 7 permit 10.10.20.0 0.0.0.31
(Access-list 7 permits packets with source addresses ranging from
10.10.10.0 through 10.10.10.31 and 10.10.20.0 through 10.10.20.31)

Practical Example (3)

Redirecting TCP Traffic to Another TCP Port or Address

interface ethernet 0
ip address 172.16.10.1 255.255.255.0
ip nat inside
(Defines Ethernet 0 with an IP address and as a NAT inside interface)
interface serial 0
ip address 200.200.200.5 255.255.255.252
ip nat outside
(Defines serial 0 with an IP address and as a NAT outside interface)
ip nat inside source static tcp 172.16.10.8 8080 172.16.10.8 80
(Static NAT command that states any packet received in the inside interface with a source IP address of
172.16.10.8:8080 is translated to 172.16.10.8:80)

Practical Example (4)

Using NAT During a Network Transition
interface ethernet 0
ip address 172.16.10.1 255.255.255.0
ip nat outside

(Defines Ethernet 0 with an IP address and as a NAT

outside interface)
interface ethernet 1
ip address 172.16.50.1 255.255.255.0
ip nat inside
(Defines Ethernet 1 with an IP address and as a NAT
inside interface)
interface serial 0
ip address 200.200.200.5 255.255.255.252
(Defines serial 0 with an IP address. This interface is
not participating in NAT)

ip nat inside source static 172.16.50.8 172.16.10.8

States that any packet received on the inside
interface with a source IP address of 172.16.50.8 is
translated to 172.16.10.8)