
Setting up Network Address Translation (NAT)

Network Address Translation (NAT) is very easy to set up. These examples use the following illustration. The first example sets up NAT on the router with a one-to-one dynamic mapping. The actual addresses are assigned dynamically, but you have the same number of inside and outside addresses, so every device receives an address.

[Figure: image0.jpg, the network illustration these examples refer to]

Without overloading, having as many outside addresses as inside hosts is critical. Here are the commands that you need to issue to configure NAT on the router:

interface FastEthernet 0/0
description Inside Interface
ip address 192.168.8.1 255.255.255.0
ip nat inside
exit
interface FastEthernet 0/1
description Inside Interface
ip address 192.168.9.1 255.255.255.0
ip nat inside
exit
interface FastEthernet 0/2
description Outside Interface
ip address 192.0.2.1 255.255.255.0
ip nat outside
exit
access-list 10 permit 192.168.8.8 0.0.0.7
access-list 10 permit 192.168.9.8 0.0.0.7
!--- Access list only allows hosts 192.168.8.8 to 
!--- 192.168.8.15 and 192.168.9.8 to 192.168.9.15
!--- out through NAT.
ip nat pool no-overload 192.0.2.10 192.0.2.25 prefix-length 24
ip nat inside source list 10 pool no-overload

For this example, say you have only one outside address assigned to you by your ISP. All your traffic must go through this one address. This is the Port Address Translation (PAT) example, because the one address is translated on a per-port basis.

interface FastEthernet 0/0
description Inside Interface
ip address 192.168.8.1 255.255.255.0
ip nat inside
exit
interface FastEthernet 0/1
description Inside Interface
ip address 192.168.9.1 255.255.255.0
ip nat inside
exit
interface FastEthernet 0/2
description Outside Interface
ip address 192.0.2.1 255.255.255.252
ip nat outside
exit
access-list 10 permit 192.168.8.8 0.0.0.7
access-list 10 permit 192.168.9.8 0.0.0.7
!--- Access list only allows hosts 192.168.8.8 to 
!--- 192.168.8.15 and 192.168.9.8 to 192.168.9.15
!--- out through NAT.
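ip nat pool ovrld 192.0.2.1 192.0.2.1 prefix-length 30
!--- The overload keyword enables PAT, so all permitted hosts
!--- share the single pool address.
ip nat inside source list 10 pool ovrld overload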

Finally, you have two servers on the inside of the network that have internal addresses of 192.168.8.20 and 192.168.9.20. The first server is used for e-mail and the second server is a web server. The web server has the site running on the less standard TCP port 8080, but you want outside users to use TCP port 80.

interface FastEthernet 0/0
description Inside Interface
ip address 192.168.8.1 255.255.255.0
ip nat inside
exit
interface FastEthernet 0/1
description Inside Interface
ip address 192.168.9.1 255.255.255.0
ip nat inside
exit
interface FastEthernet 0/2
description Outside Interface
ip address 192.0.2.1 255.255.255.252
ip nat outside
exit
access-list 10 permit 192.168.8.8 0.0.0.7
access-list 10 permit 192.168.9.8 0.0.0.7
!--- Access list only allows hosts 192.168.8.8 to 
!--- 192.168.8.15 and 192.168.9.8 to 192.168.9.15
!--- out through NAT.
ip nat pool ovrld 192.0.2.1 192.0.2.1 prefix-length 30
ip nat inside source list 10 pool ovrld overload
ip nat inside source static tcp 192.168.9.20 8080 192.0.2.2 80
!--- This uses the second available address on the external
!--- interface, although it could have used the address configured
!--- on FastEthernet0/2. A mapping to the interface address
!--- uses the form of the following command.
ip nat inside source static tcp 192.168.8.20 25 interface FastEthernet0/2 25

Specify ports when you create static mappings that publish inside resources through the external interface of your router or firewall. Avoid commands such as ip nat inside source static 192.168.1.50 192.0.2.50, which effectively places your entire host 192.168.1.50 outside of your router or firewall: every port on the host is mapped, not just the service you meant to publish. This is much more exposure than you need for that host.
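The following audit script is an added example, not part of the original article. It checks a saved configuration for two points made on this page: a non-overloaded pool needs as many addresses as the access list permits hosts, and static mappings should name ports. The function name `audit_nat`, the severity labels and the sample configuration are constructed for illustration, and the script assumes standard access lists written as an address plus a contiguous wildcard mask, as in the examples above.

```python
import ipaddress
import re

IP = r"(\d+\.\d+\.\d+\.\d+)"

# Constructed sample: the page's one-to-one pool and port mapping, plus the
# whole-host static mapping the page says to avoid.
SAMPLE_CONFIG = """\
access-list 10 permit 192.168.8.8 0.0.0.7
access-list 10 permit 192.168.9.8 0.0.0.7
ip nat pool no-overload 192.0.2.10 192.0.2.25 prefix-length 24
ip nat inside source list 10 pool no-overload
ip nat inside source static tcp 192.168.9.20 8080 192.0.2.2 80
ip nat inside source static 192.168.1.50 192.0.2.50
"""

def audit_nat(config):
    """Return (severity, message) findings for the NAT lines of an IOS config."""
    lines = [line.strip() for line in config.splitlines()]
    acl_hosts, pool_size, findings = {}, {}, []
    for line in lines:
        acl = re.match(rf"access-list (\d+) permit {IP} {IP}$", line)
        if acl:
            # A contiguous wildcard mask matches (mask value + 1) addresses.
            hosts = int(ipaddress.IPv4Address(acl.group(3))) + 1
            acl_hosts[acl.group(1)] = acl_hosts.get(acl.group(1), 0) + hosts
        pool = re.match(rf"ip nat pool (\S+) {IP} {IP} ", line)
        if pool:
            first, last = (int(ipaddress.IPv4Address(a)) for a in pool.group(2, 3))
            pool_size[pool.group(1)] = last - first + 1
    for line in lines:
        dyn = re.match(r"ip nat inside source list (\d+) pool (\S+)( overload)?$", line)
        if dyn and not dyn.group(3):
            need = acl_hosts.get(dyn.group(1), 0)
            have = pool_size.get(dyn.group(2), 0)
            if have < need:
                findings.append(("warn", f"pool {dyn.group(2)} has {have} "
                                 f"addresses for {need} permitted hosts"))
        # No tcp/udp keyword and no ports: every port on the host is mapped.
        host = re.match(rf"ip nat inside source static {IP} {IP}", line)
        if host:
            findings.append(("high", f"whole host {host.group(1)} "
                             f"published as {host.group(2)}"))
    return findings

if __name__ == "__main__":
    for severity, message in audit_nat(SAMPLE_CONFIG):
        print(severity, message)
```
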

The interface keyword is useful when your ISP assigns your outside address dynamically through either DHCP or PPPoE. It allows your configuration to use whatever address happens to be assigned to your router or firewall.

Using the latter scenario, if you are required to change the IP address of the web server (perhaps moving from the 192.168.9.0/24 network to the 192.168.8.0/24 network, or changing the port number back to the standard port 80), then these changes can be made at the router with no impact to users outside of the network.

The DNS entry pointing to the outside address will remain the same and their lives will continue as normal. Often, people are amazed by how easy managing this exterior/interior mapping of their network is.
