configuring nat overload on a cisco router


4/30/2016 Configuring NAT Overload On A Cisco Router

http://www.firewall.cx/ciscotechnicalknowledgebase/ciscorouters/260ciscorouternatoverload.html 1/4

CONFIGURING NAT OVERLOAD ON A CISCO ROUTER

WRITTEN BY ADMINISTRATOR. POSTED IN CISCO ROUTERS - CONFIGURING CISCO ROUTERS

NAT (Network Address Translation) is a method that allows the translation (modification) of IP addresses while packets/datagrams are traversing the network. NAT Overload, also known as PAT (Port Address Translation), is essentially NAT with the added feature of TCP/UDP port translation.

The main purpose of NAT is to hide the IP address (usually private) of a client in order to conserve the public address space. For example, a complete network with 100 hosts can have 100 private IP addresses and still be visible to the outside world (Internet) as a single IP address. Other benefits of NAT include security and economical usage of the IP address ranges at hand.

The following steps explain basic Cisco router NAT Overload configuration. NAT overload is the most common operation in most businesses around the world, as it enables the whole network to access the Internet using one single real IP address. If you would like to know more about the NAT theory, be sure to read our popular NAT articles, which explain in great depth the NAT functions and applications in today's networks.

EXAMPLE SCENARIO

The diagram below represents our example network, which consists of a number of internal clients and a router connected to our ISP via its serial interface. The company has been assigned the following Class C subnet: 200.2.2.0/30 (255.255.255.252).

This translates to one usable real IP address, 200.2.2.1, configured on our router's serial interface. IP address 200.2.2.2 will be used on the other end, that is, the ISP's router. Our ISP has also provided us with the necessary default gateway IP address (configured on our router, not shown) in order to route all traffic to the Internet.

Our goal in this example is to configure NAT Overload (PAT) and provide all internal workstations with Internet access using one public IP address (200.2.2.1).

CONFIGURE NAT OVERLOAD ‐ PAT (PORT ADDRESS TRANSLATION)

'Overloading' means that the single public IP assigned to your router can be used by multiple internal hosts concurrently. This is done by translating source UDP/TCP ports in the packets and keeping track of them within the translation table kept in the router (R1 in our case). This is a typical NAT configuration for almost all of today's networks.

In addition, NAT Overload (PAT) is covered in great depth on Firewall.cx. Those interested can visit our NAT Overload (PAT) article.

The first step in any NAT configuration is to define the inside and outside interfaces. It is imperative that we define these interfaces for NAT overload to function.



Set the fast ethernet 0/0 interface as the inside interface:

R1# configure terminal
R1(config)# interface fastethernet0/0
R1(config-if)# ip nat inside

Next step is to set the serial interface S0/0 as the outside interface:

R1(config-if)# interface serial0/0
R1(config-if)# ip nat outside
R1(config-if)# exit

We now need to create an Access Control List (ACL) that will include the local (private) hosts or network(s). This ACL will later on be applied to the NAT service command, effectively controlling the hosts that will be able to access the Internet. You can use standard or extended access lists depending on your requirements:

R1(config)# access-list 100 remark == [Control NAT Service] ==
R1(config)# access-list 100 permit ip 192.168.0.0 0.0.0.255 any

The above command instructs the router to allow the 192.168.0.0/24 network to reach any destination. Note that Cisco router standard and extended ACLs always use wildcard masks (0.0.0.255), not subnet masks.

All that's left now is to enable NAT overload and bind it to the outside interface previously selected:

R1(config)# ip nat inside source list 100 interface serial 0/0 overload

From this point onward, the router will happily create all the necessary translations to allow the 192.168.0.0/24 network access to the Internet.
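To make the mechanism behind the three configuration steps above concrete (inside/outside interfaces, the wildcard-mask ACL, and the per-port translation table), here is a small Python model of PAT written for this page; it is an added example, not code from the article or from Cisco IOS. It reuses the article's values (ACL 100 permitting 192.168.0.0 with wildcard 0.0.0.255, outside address 200.2.2.1) and makes one simplifying assumption: the original source port is kept unless another inside host already holds it for that protocol, in which case the lowest free high port is taken. Real IOS port allocation is more involved; the point here is the table, not the allocator.

```python
import ipaddress


def wildcard_match(addr, network, wildcard):
    """Cisco ACL wildcard semantics: a 1 bit in the wildcard means
    'ignore this bit', so 192.168.0.0 0.0.0.255 covers 192.168.0.0/24."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return ((a ^ n) & ~w & 0xFFFFFFFF) == 0


class PatTable:
    """Toy model of 'ip nat inside source list <acl> interface <if> overload'.

    Every permitted inside host shares one inside-global address; entries are
    keyed the way the extended rows in 'show ip nat translations' are
    (protocol, inside local address:port, outside address:port)."""

    def __init__(self, inside_global, acl):
        self.inside_global = inside_global  # address of the outside interface
        self.acl = acl                      # permit entries: (network, wildcard)
        self.entries = {}                   # (proto, in_ip, in_port, out_ip, out_port) -> global port
        self.port_owner = {}                # (proto, global port) -> inside local address

    def permitted(self, src_ip):
        return any(wildcard_match(src_ip, net, wc) for net, wc in self.acl)

    def _allocate_port(self, proto, src_ip, src_port):
        # Assumption (simplified, not IOS's exact algorithm): keep the original
        # source port unless another inside host owns it for this protocol.
        owner = self.port_owner.get((proto, src_port))
        if owner is None or owner == src_ip:
            self.port_owner[(proto, src_port)] = src_ip
            return src_port
        for port in range(1024, 65536):
            if (proto, port) not in self.port_owner:
                self.port_owner[(proto, port)] = src_ip
                return port
        raise RuntimeError("port pool exhausted")

    def outbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Translate an inside->outside packet. Returns the new source
        (inside global, port), or None when the ACL does not permit the host."""
        if not self.permitted(src_ip):
            return None
        key = (proto, src_ip, src_port, dst_ip, dst_port)
        if key not in self.entries:
            self.entries[key] = self._allocate_port(proto, src_ip, src_port)
        return self.inside_global, self.entries[key]

    def inbound(self, proto, src_ip, src_port, dst_port):
        """Reverse translation for a reply arriving on the outside interface.
        Returns (inside local, port), or None when no entry exists, which is
        why unsolicited inbound traffic has nowhere to go and is dropped."""
        for (p, in_ip, in_port, out_ip, out_port), gport in self.entries.items():
            if (p, out_ip, out_port, gport) == (proto, src_ip, src_port, dst_port):
                return in_ip, in_port
        return None

    def clear(self):
        """Equivalent of 'clear ip nat translation *'."""
        self.entries.clear()
        self.port_owner.clear()

    def rows(self):
        """Rows in the column order of 'show ip nat translations'."""
        return [(p, f"{self.inside_global}:{g}", f"{i}:{ip_}", f"{o}:{op}", f"{o}:{op}")
                for (p, i, ip_, o, op), g in self.entries.items()]


def demo():
    """Replays the article's scenario with constructed packets."""
    nat = PatTable("200.2.2.1", [("192.168.0.0", "0.0.0.255")])
    first = nat.outbound("udp", "192.168.0.6", 53427, "74.200.84.4", 53)
    second = nat.outbound("udp", "192.168.0.6", 53427, "195.170.0.1", 53)
    # a second host reusing the same source port must receive a different global port
    third = nat.outbound("udp", "192.168.0.7", 53427, "74.200.84.4", 53)
    denied = nat.outbound("tcp", "10.9.9.9", 40000, "64.233.189.99", 80)  # not in ACL 100
    reply = nat.inbound("udp", "74.200.84.4", 53, third[1])
    unsolicited = nat.inbound("tcp", "203.0.113.5", 40001, 80)  # no matching entry
    return first, second, third, denied, reply, unsolicited


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Two things worth noticing when you run it: a host outside the ACL gets no translation at all (so the ACL is the access-control point the article describes), and an inbound packet without a matching entry cannot be mapped to any inside host, which is the side effect of NAT usually described as "security".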

VERIFYING NAT OVERLOAD OPERATION

Viewing the NAT translation table can sometimes reveal a lot of important information on your network's activity. Here you'll be able to identify traffic that's not supposed to be routed to the Internet or traffic that seems suspicious.

As packets start traversing the router it will gradually build up its NAT/PAT translation table as shown below:

R1# show ip nat translations
Pro Inside global      Inside local        Outside local       Outside global
udp 200.2.2.1:53427    192.168.0.6:53427   74.200.84.4:53      74.200.84.4:53
udp 200.2.2.1:53427    192.168.0.6:53427   195.170.0.1:53      195.170.0.1:53
tcp 200.2.2.1:53638    192.168.0.6:53638   64.233.189.99:80    64.233.189.99:80
tcp 200.2.2.1:57585    192.168.0.7:57585   69.65.106.48:110    69.65.106.48:110
tcp 200.2.2.1:57586    192.168.0.7:57586   69.65.106.48:110    69.65.106.48:110

As shown, the first two translations, directed to 74.200.84.4 and 195.170.0.1, are DNS requests from internal host 192.168.0.6. The third entry seems to be an HTTP request to a web server with IP address 64.233.189.99.

Looking at the fourth and fifth translation entries, you should identify them as POP3 requests to an external server, possibly generated by an email client.

Because these entries are all dynamically created, they are temporary and will be removed from the translation table after some time.

Another point you might want to keep in mind is that when we use programs that create a lot of connections, e.g. uTorrent, Limewire, etc., you might see sluggish performance from the router as it tries to keep up with all the connections. Having thousands of connections running through the router can put some serious stress on the CPU.
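The two checks the article suggests doing by eye on the translation table (spotting traffic that should not be leaving the network, and spotting a host holding far more translations than the rest) are easy to automate once the output is parsed. The following Python script is an added example for this page, not the article's or Cisco's code. Its sample input is constructed: it repeats the five rows from the article's `show ip nat translations` output and adds one more row (192.168.0.9 to 198.51.100.7:25) so that the unexpected-port check has something to find; the set of "expected" destination ports is likewise an assumption you would replace with your own site's policy.

```python
import re
from collections import Counter

# Constructed sample: the article's five rows plus one added row to port 25.
SAMPLE_OUTPUT = """\
R1# show ip nat translations
Pro Inside global      Inside local        Outside local       Outside global
udp 200.2.2.1:53427    192.168.0.6:53427   74.200.84.4:53      74.200.84.4:53
udp 200.2.2.1:53427    192.168.0.6:53427   195.170.0.1:53      195.170.0.1:53
tcp 200.2.2.1:53638    192.168.0.6:53638   64.233.189.99:80    64.233.189.99:80
tcp 200.2.2.1:57585    192.168.0.7:57585   69.65.106.48:110    69.65.106.48:110
tcp 200.2.2.1:57586    192.168.0.7:57586   69.65.106.48:110    69.65.106.48:110
tcp 200.2.2.1:60012    192.168.0.9:60012   198.51.100.7:25     198.51.100.7:25
"""

# One translation row: protocol followed by four address:port columns.
ROW = re.compile(
    r"^(?P<proto>tcp|udp|icmp)\s+"
    r"(?P<inside_global>\S+):(?P<inside_global_port>\d+)\s+"
    r"(?P<inside_local>\S+):(?P<inside_local_port>\d+)\s+"
    r"(?P<outside_local>\S+):(?P<outside_local_port>\d+)\s+"
    r"(?P<outside_global>\S+):(?P<outside_global_port>\d+)\s*$"
)

# Assumption: destination ports workstations on this network are expected to use.
EXPECTED_PORTS = frozenset({53, 80, 110, 443})


def parse_translations(text):
    """Turn the command output into a list of dicts. The prompt line and the
    column header do not match the row pattern and are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        row = m.groupdict()
        for key in list(row):
            if key.endswith("_port"):
                row[key] = int(row[key])
        rows.append(row)
    return rows


def unexpected_destinations(rows, allowed_ports=EXPECTED_PORTS):
    """Translations whose outside destination port is not in the allowed set;
    these are the entries worth a second look before they age out."""
    return [r for r in rows if r["outside_global_port"] not in allowed_ports]


def translations_per_host(rows):
    """Active translations held by each inside host. One host far above the
    others is the 'thousands of connections' case the article warns about and
    is better identified than hidden by clearing the whole table."""
    return Counter(r["inside_local"] for r in rows)


def report(text, allowed_ports=EXPECTED_PORTS, busy_threshold=3):
    """Summary a NAT operator would want from one snapshot of the table."""
    rows = parse_translations(text)
    return {
        "total": len(rows),
        "unexpected": [(r["inside_local"], r["outside_global"], r["outside_global_port"])
                       for r in unexpected_destinations(rows, allowed_ports)],
        "busy_hosts": [host for host, n in translations_per_host(rows).items()
                       if n >= busy_threshold],
    }


if __name__ == "__main__":
    print(report(SAMPLE_OUTPUT))
```

On a live router you would feed `report()` the captured output of `show ip nat translations` (for example collected over SSH on a schedule) and raise `busy_threshold` to something meaningful for a table that can hold thousands of entries.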

In these cases, we might need to clear the IP NAT table completely to free up resources. This is easily done using the following command:

R1# clear ip nat translation *

Assuming no request has been sent right after the command was entered, the NAT translation table should be empty:

R1# show ip nat translations
Pro Inside global      Inside local        Outside local       Outside global

Lastly, you can obtain statistics on the overload NAT service. This will show you the number of current translations tracked by our NAT table, plus a lot more:

R1# show ip nat statistics
Total active translations: 200 (0 static, 200 dynamic; 200 extended)
Outside interfaces:
  Serial 0/0
Inside interfaces:
  FastEthernet0/0
Hits: 163134904  Misses: 0
CEF Translated packets: 161396861, CEF Punted packets: 3465356
Expired translations: 2453616
Dynamic mappings:
Inside Source
[Id: 2] access-list 100 interface serial 0/0 refcount 195
Appl doors: 0
Normal doors: 0
Queued Packets: 0

ARTICLE SUMMARY

In this article we've covered the configuration of NAT Overload on Cisco routers. We also saw how you can control the NAT Overload service using ACLs and obtain detailed statistics on the NAT service. The configuration and commands presented here are compatible with all Cisco router models and IOS versions.

If you have found the article useful, we would really appreciate you sharing it with others by using the provided services on the top left corner of this article. Sharing our articles takes only a minute of your time and helps Firewall.cx reach more people through such services.

ABOUT THE WRITERS


Ammar Muqaddas is a CCNA certified Engineer, CCNA Instructor and member of the Firewall.cx Team.

Chris Partsenidis is a CCNA certified Engineer, MCP, LCP, Founder & Senior Editor of Firewall.cx