Cisco Router NAT Tutorial
How to Configure NAT on a Cisco Router
By Eric S. Severson President / Sr. Network Consultant
Key IT Consulting, Inc. © Eric S. Severson and Key IT Consulting, Inc.
You do not have resell rights or giveaway rights to this eBook. Only customers that have purchased this material are authorized to view it.
This eBook contains material protected under International and Federal Copyright Laws and Treaties. No part of this publication may be transmitted or reproduced in any way without the prior written permission of the author. Violations of this copyright will be enforced to the full extent of the law.
LEGAL NOTICE: The information, services and resources provided in this eBook are based upon the current Internet environment as well as the author's experience. The techniques presented have been proven to be successful. Because technologies are constantly changing, the services and examples presented in this eBook may change, cease or expand with time. We hope that the skills and knowledge acquired from this manual will provide you with the ability to adapt to the inevitable evolution of technological services. However, we cannot be held responsible for changes that may affect the applicability of these techniques.
All product names, logos and artwork are copyrights of their respective owners. None of the owners have sponsored or endorsed this publication. While all attempts have been made to verify information provided, the author assumes no responsibility for errors, omissions, or contrary interpretation of the subject matter herein. Any perceived slights of peoples or organizations are unintentional. The purchaser or reader of this publication assumes responsibility for the use of these materials and information. No guarantees of income are made. The author reserves the right to make changes and assumes no responsibility or liability whatsoever on behalf of any purchaser or reader of these materials.
Table of Contents
Introduction
Common Forms of NAT on a Cisco Router
Static NAT Configuration Details
Static NAT in an HSRP Environment
Dynamic NAT Configuration Details
NAT Overloading Configuration Details
NAT Overloading in an HSRP Environment
Verifying NAT is Operating as Expected
Conclusion
Introduction
If you are reading this document, chances are pretty good that you already have
a general idea of what Network Address Translation (NAT) is, so I will be brief
in explaining the basics and get right to the configurations and how-to's.
Network Address Translation (NAT) was designed primarily as a way of
conserving IP addresses. In its most common usage, it allows an IP network
that uses RFC 1918 private address space to be translated to publicly
registered, routable address space for communication on the public
internet.
What you will most commonly see is NAT configured to present only one public
address for the entire inside private network to the outside world.
There are two benefits usually claimed for using NAT in this way. One is that
it conserves the rapidly diminishing supply of registered public addresses.
The other is that a measure of obscurity is gained by "shielding" the entire
inside network behind that single public address: outside hosts see only the
router's global address, and a packet from the outside is only forwarded in
when the router already holds a translation entry for it.
Keep that second benefit in perspective. NAT is an addressing function, not a
firewall: a static mapping exposes the inside host on every port, and nothing
in NAT inspects what the translated traffic carries. Filter with access lists
or a firewall in addition to translating.
Most routers or firewalls on the market today do some form of NAT. If you
have read my ebook titled “PIX/ASA Firewall Keys”
(http://www.firewallkeys.com) you should be well aware of how NAT operates
on a PIX/ASA Firewall.
The objective of this document is to clearly lay out how to configure NAT on a
Cisco Router platform.
We will be looking at the most common implementations and get specific in
regards to the exact Cisco Router IOS commands you will need to know,
where to enter them, and how and why they work the way they do.
While there may be variations on how these designs and configurations are
used based on your specific network topology, if you develop a solid grasp of
the concepts laid out here, you will be well on your way to being able to
configure NAT in your own environment.
I personally consider this essential and crucial information any Network
Engineer working on Cisco Routers simply MUST KNOW. NAT on a Cisco
Router is up there with having general knowledge of something like
subnetting.
In my career I have had a chance to take part in interviewing many Network
Engineer candidates for various jobs. One of the common areas I generally
want to get a quick reading on is their knowledge of NAT on a Cisco Router.
So in an interview I'll ask them to walk me through the general steps they
would need to take to implement a specific NAT method on a Cisco Router.
What I have found is that a pretty small percentage know this stuff well
enough to be able to answer my questions with any clarity and certainty! This
should not be the case. This is basic stuff that every Network Engineer
working on Cisco Routers simply must know! So, let’s get started…
Common Forms of NAT on a Cisco Router
Before we get into the actual configurations let’s briefly look at the different
options you have when configuring NAT on a Cisco Router.
NAT has some different general forms and can work in different ways, so let’s
look at each of these at a high level.
Static NAT
Static NAT is essentially a one-to-one mapping of IP addressing. As you
might guess, this is usually for cases where you would want to map a private
internal unregistered IP to a registered public external IP on a one-to-one
basis.
Now I should note here that this concept of going from unregistered to
registered IP addressing is the most common way of using NAT, but in reality
you may want one of your internal unregistered IP addresses to map to
another unregistered IP address to connect to another partner network or
something of that nature.
So, static NAT is always based on a one-to-one mapping. The router gets
configured with a command that tells it to always translate a particular inside
IP to another particular outside IP as it meets specific criteria. We will be
looking at this in more detail shortly.
Dynamic NAT
Dynamic NAT maps an unregistered IP address to a registered IP address drawn
from a pool of registered IP addresses.
In this case the actual address mapping is still one-to-one, similar to Static
NAT, but the mapping can change depending on how many addresses are in the
pool, which devices are currently using them, and when.
So if there were a pool of 10 registered addresses and 10 inside private
addresses needing to be mapped, in the morning a host could be mapped to one
public IP and then, after its translation has timed out and it reconnects in
the afternoon, be mapped to another. It all depends on what is available in
the pool at that time.
The router hands out the first available address in the pool and holds that
mapping until the entry ages out. Two consequences follow. If more inside
hosts are active than there are pool addresses, the extra hosts get no
translation and their packets are dropped (they show up as "misses" in show ip
nat statistics). And because each inside host keeps its own public address
while active, the outside world can tell the hosts apart.
Overloading
Overloading is a form of Dynamic NAT that maps many unregistered IP addresses
to a single registered IP address. This is a many-to-one mapping.
It is also known as PAT (Port Address Translation) because it uses the
transport-layer ports to tell the translations apart: the router rewrites the
TCP or UDP source port (and the query identifier for ICMP echo) as well as the
source address.
So even though all of the devices with unregistered private addresses on the
internal network are mapped to the same registered public address, each
session gets its own unique port on the router, and that address and port pair
is what the router uses to send replies back to the right inside host.
Cisco uses the following name designations for IP addresses to determine
whether they are on the private network (generally Local Area Network –LAN)
or on the public network (Internet) and the general direction of the traffic:
Inside Local
Inside Global
Outside Local
Outside Global
Inside local addresses are those IP addresses that are assigned to a host
on the inside network. This would generally be a private IP address assigned
by DHCP or the local network administrator. These are generally
unregistered private IP addresses.
Inside global addresses are those addresses which are a legitimate
registered IP address assigned by the ISP that represent one or more inside
local IP addresses.
The outside local address is an IP address of an outside host as it appears
to the inside network. In other words, it is an address residing on the outside
that the inside network knows about. This address may not be the "real"
address of the outside host; it only differs from the outside global address
when the router is also translating outside sources (ip nat outside source),
which none of the configurations in this tutorial do.
The outside global address is the IP address assigned to a host on the
outside network by the host's owner. The address is allocated from globally
routable address space. This is the "real" address of the host on the outside
network.
The following definitions of local and global addresses help to keep all of this
in perspective:
Local address – A local address is any address that appears on the inside
portion of the network
Global address – A global address is any address that appears on the outside
portion of the network.
These “inside and outside” classifications are NAT definitions. Specific
interfaces on a Cisco router are configured for NAT as “inside” and “outside”
using the “ip nat inside” and “ip nat outside” commands. We will go more into
that as we look at the configurations.
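The three translation behaviours described in this section, static one-to-one, dynamic one-to-one from a pool, and overloading by port, as a small Python model. This is an added illustration for this page, not Cisco code and not from the tutorial's author. Its assumptions: the access list is stood in for by a single network, translation entries never age out, PAT port allocation is first-free from 1024 upward, and the outside hosts use the documentation prefixes 198.51.100.0/24 and 203.0.113.0/24 (the inside and pool addresses are the tutorial's own). It exercises the points a practitioner cares about: a pool that runs out, a PAT session that must be given a different port, a static mapping that lets unsolicited inbound traffic through on any port, and an overloaded address that drops it.

```python
"""Toy model of inside-source NAT on a router with one inside and one
outside interface: static, dynamic (pool) and overload (PAT).
Added illustration for this tutorial, not Cisco code. Simplifications
(assumptions): the access list is a single network, entries never age out,
and port allocation is first-free from 1024 upward."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    proto: str      # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatRouter:
    def __init__(self, inside_acl, mode, pool=(), static=None):
        self.acl = ipaddress.ip_network(inside_acl)  # stands in for access-list 7
        self.mode = mode                             # "static", "dynamic" or "overload"
        self.pool = list(pool)                       # "ip nat pool public ..."
        self.free = list(pool)                       # pool addresses not yet handed out
        self.static = dict(static or {})             # inside local -> inside global
        self.static_rev = {g: l for l, g in self.static.items()}
        self.addr_map = {}    # dynamic: inside local -> inside global currently held
        self.out_map = {}     # (proto, inside local, port) -> (inside global, port)
        self.in_map = {}      # (proto, inside global, port) -> (inside local, port)
        self.misses = 0       # packets dropped because the pool was empty

    def _free_port(self, proto, gip, wanted):
        """PAT keeps the original source port if it is still free on the
        global address, otherwise takes the lowest free port from 1024."""
        if (proto, gip, wanted) not in self.in_map:
            return wanted
        for port in range(1024, 65536):
            if (proto, gip, port) not in self.in_map:
                return port
        raise RuntimeError("no free %s port left on %s" % (proto, gip))

    def outbound(self, f):
        """Packet arriving on the 'ip nat inside' interface. Returns the
        translated packet, the packet unchanged when the ACL does not match,
        or None when the router has to drop it."""
        key = (f.proto, f.src_ip, f.src_port)
        if key in self.out_map:
            gip, gport = self.out_map[key]              # existing entry reused
        elif f.src_ip in self.static:
            gip, gport = self.static[f.src_ip], f.src_port   # one-to-one, port kept
        elif ipaddress.ip_address(f.src_ip) not in self.acl:
            return f                                    # ACL miss: not translated
        elif self.mode == "dynamic":
            gip = self.addr_map.get(f.src_ip)
            if gip is None:
                if not self.free:
                    self.misses += 1                    # pool exhausted
                    return None
                gip = self.free.pop(0)                  # first available address
                self.addr_map[f.src_ip] = gip
            gport = f.src_port
        elif self.mode == "overload":
            gip = self.pool[0]                          # every host shares one address
            gport = self._free_port(f.proto, gip, f.src_port)
        else:
            return f
        self.out_map[key] = (gip, gport)
        self.in_map[(f.proto, gip, gport)] = (f.src_ip, f.src_port)
        return Flow(f.proto, gip, gport, f.dst_ip, f.dst_port)

    def inbound(self, f):
        """Packet arriving on the 'ip nat outside' interface for an inside
        global address. Only an existing entry, or a static mapping (which
        answers on every port), lets it reach an inside host."""
        hit = self.in_map.get((f.proto, f.dst_ip, f.dst_port))
        if hit:
            lip, lport = hit
        elif f.dst_ip in self.static_rev:
            lip, lport = self.static_rev[f.dst_ip], f.dst_port
        else:
            return None                                 # no entry: dropped
        return Flow(f.proto, f.src_ip, f.src_port, lip, lport)


if __name__ == "__main__":
    pat = NatRouter("10.10.10.0/24", "overload", pool=["200.200.200.200"])
    for host in ("10.10.10.10", "10.10.10.11"):        # both pick source port 40000
        print(pat.outbound(Flow("tcp", host, 40000, "198.51.100.5", 443)))
    print(pat.inbound(Flow("tcp", "203.0.113.9", 55555, "200.200.200.200", 3389)))
```

Running it shows the second host's session leaving as 200.200.200.200:1024 because port 40000 was already taken, and the unsolicited inbound packet to port 3389 coming back as None. Swap the mode to "static" with a static={"10.10.10.10": "200.200.200.200"} mapping and the same inbound probe is delivered to 10.10.10.10, which is the exposure the static section below warns about.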
Static NAT Configuration Details
Let’s say we have a network of only 1 person and we want this person to
always be statically translated from a private unregistered IP address to a
public registered IP address.
This is probably the most basic way of doing NAT. It is also very simple to
configure.
In this case the private IP of this user is 10.10.10.10. The public IP we want
to map to this user is 200.200.200.200.
The general design is the one used throughout this tutorial: the user's host,
10.10.10.10, sits on the 10.10.10.0/24 LAN behind the router's Ethernet1
interface (10.10.10.1), and the router's Serial1/0 interface (200.200.200.2 on
the 200.200.200.0/24 link) connects to the ISP router and the internet. We want
the router to present 10.10.10.10 to the outside world as 200.200.200.200.
Okay, so let's look at what we need to do on the Cisco Router to make this
happen. This is one of the simpler NAT configurations.
Step 1
Define which interface is inside and which is outside. We do this with the “ip
nat inside” and “ip nat outside” commands.
In this case we know that Ethernet1 is the inside since that is what our user is
directly connected to. And the outside interface, Serial1/0 is the one
connecting out to the internet, so there we have it!
Here is all we have to do to make Ethernet1 the NAT inside interface:
Router(config)# interface ethernet1
Router(config-if)# ip address 10.10.10.1 255.255.255.0
Router(config-if)# ip nat inside
Now, let's define the NAT outside interface:
Router(config)# interface serial1/0
Router(config-if)# ip address 200.200.200.2 255.255.255.0
Router(config-if)# ip nat outside
Step 2
Configure the static source entry on the Router.
This is done with the "ip nat inside source static" command:
Router(config)# ip nat inside source static 10.10.10.10 200.200.200.200
Step 3
Done! That is literally all there is to it for a basic static mapping.
Be aware of what you have just done, though: the mapping works in both
directions. Any packet arriving on Serial1/0 for 200.200.200.200, on any port,
is now forwarded to 10.10.10.10 whether or not that host started the
conversation, so the host is reachable from the internet exactly as if it had
the public address itself. Put an access list on the outside interface (or a
firewall in the path) that permits only the services that host is meant to
offer. You could also make the translation itself conditional on an access
list, so that it only occurs when specific criteria are met, and we will be
looking at how to do that shortly, but in this first example I just wanted to
show how easy this is. Pretty simple, huh?
Static NAT in an HSRP Environment
Let’s say we had an environment where Hot Standby Router Protocol (HSRP)
was used. We would want our static NAT functionality to work in the event
that our primary HSRP router failed. This is pretty easy to accomplish, let’s
go through the steps necessary…
Here is the topology (the diagram in the original shows the following), and
then we'll walk through the steps:
Internet, reached through the ISP router (shown as .1 on the 200.200.200.0/24 link)
Two NAT routers running HSRP, each with Serial1/0 toward the ISP (200.200.200.2 and 200.200.200.3) and Ethernet1 on the 10.10.10.0/24 LAN (10.10.10.2 and 10.10.10.3)
HSRP virtual address 10.10.10.1 shared by the two Ethernet1 interfaces
Client 10.10.10.10 on the LAN
Static NAT: map 10.10.10.10 to 200.200.200.200
As you can see, the 10.10.10.10 client uses 10.10.10.1 as its default
gateway, and this gateway address is an HSRP virtual address shared between
the 2 NAT routers.
Let’s walk through the steps necessary to make this happen.
Step 1
Set up our Ethernet interface configurations, including IP address, NAT
inside, the HSRP virtual address, and an HSRP group name. The group name is
set with "standby 1 name", and it matters: the "redundancy" keyword we add to
the NAT entry in Step 2 refers to the HSRP group by this name. In this example
we'll name our HSRP group simply "HSRP".
Router1(config)# interface ethernet1
Router1(config-if)# ip address 10.10.10.2 255.255.255.0
Router1(config-if)# ip nat inside
Router1(config-if)# standby 1 ip 10.10.10.1
Router1(config-if)# standby 1 name HSRP
We need to do the same on the other router:
Router2(config)# interface ethernet1
Router2(config-if)# ip address 10.10.10.3 255.255.255.0
Router2(config-if)# ip nat inside
Router2(config-if)# standby 1 ip 10.10.10.1
Router2(config-if)# standby 1 name HSRP
Step 2
Set up our Serial interface configurations for each router. All that is needed
here is the NAT outside configuration:
Router1(config)# interface serial1/0
Router1(config-if)# ip address 200.200.200.2 255.255.255.0
Router1(config-if)# ip nat outside
And on the secondary router:
Router2(config)# interface serial1/0
Router2(config-if)# ip address 200.200.200.3 255.255.255.0
Router2(config-if)# ip nat outside
Okay, so now our HSRP config is set up and our NAT interfaces are set up on
each router. Next, we need to make the static NAT entry redundant on each
router. Here is how we do it:
Router1(config)# ip nat inside source static 10.10.10.10 200.200.200.200 redundancy HSRP
And the same on Router2:
Router2(config)# ip nat inside source static 10.10.10.10 200.200.200.200 redundancy HSRP
The "redundancy HSRP" keyword ties the entry to the HSRP group named in Step
1, so only the router that is currently HSRP active translates for
200.200.200.200. If Router1 failed, Router2 would become active and our static
NAT would keep working through it. Because a static mapping is configuration
rather than learned state, the failover needs nothing else; dynamic and
overloaded translations are a different story, as we will see in the SNAT
section.
Dynamic NAT Configuration Details
In this next example I want to walk you through how to configure Dynamic
NAT on the Cisco Router. The steps are pretty similar to the above, with a
few changes.
In this scenario we have the same office and network topology as before, but
the office has grown and now we need to dynamically NAT 4 users on the
inside to a pool of 4 registered addresses.
The clients on the inside network have private IP addresses 10.10.10.10-13
and they need to be mapped to addresses from 200.200.200.200-203.
The general topology is unchanged from the static example: the clients are on
the 10.10.10.0/24 LAN behind Ethernet1 (10.10.10.1), and Serial1/0
(200.200.200.2) faces the ISP router. Okay, so let's look at the steps we need
to take to make this happen.
Step 1
Just like last time we define which interface is inside and which is outside with
the “ip nat inside” and “ip nat outside” commands.
Router(config)# interface ethernet1
Router(config-if)# ip address 10.10.10.1 255.255.255.0
Router(config-if)# ip nat inside
Router(config)# interface serial1/0
Router(config-if)# ip address 200.200.200.2 255.255.255.0
Router(config-if)# ip nat outside
Step 2
This is where things are a bit different.
We need to set up our pool of addresses to NAT with. We do this with the "ip
nat pool" command.
Router(config)# ip nat pool public 200.200.200.200 200.200.200.203 netmask 255.255.255.0
In that step we created a NAT pool called "public" which contains the IP
addresses we want in the pool, four addresses, 200.200.200.200 to
200.200.200.203. You can either indicate the subnet mask with the "netmask"
keyword as above, or with the "prefix-length" keyword, which in this case would
be "prefix-length 24" because the mask we have here is 255.255.255.0. Either
way, the start and end addresses must fall within the subnet the mask
describes.
Step 3
Now we need to create an access-list on the Router to indicate what source
addresses can be translated. In our case, we want all of the devices on our
inside 10.10.10.0/24 network, so we can create the ACL based on the entire
network:
Router(config)# access-list 7 permit 10.10.10.0 0.0.0.255
Alternatively, we could create this ACL based on just our four hosts:
Router(config)# access-list 7 permit host 10.10.10.10
Router(config)# access-list 7 permit host 10.10.10.11
Router(config)# access-list 7 permit host 10.10.10.12
Router(config)# access-list 7 permit host 10.10.10.13
Either way works, but the two are not equivalent. The /24 version lets any of
the 254 possible hosts on that LAN grab one of the four pool addresses, so
four chatty hosts (or a rogue one) can exhaust the pool and lock the others
out; the host version translates only the machines you intended. Prefer the
narrower list unless you really mean "everything on this segment". As long as
whatever devices we want translated are in the ACL we are good and ready to
move on to the next step.
Step 4
Next, we create our NAT inside source list based on the ACL we just created.
We do this with the "ip nat inside source list" command, as follows:
Router(config)# ip nat inside source list 7 pool public
This command says to NAT anything matching access-list number 7 and use
the pool named "public". That is basically all there is to it for dynamic NAT.
You can obviously name your pool whatever you like and number your ACL
whatever you like (it just needs to be a standard access-list; an extended
list also works if you need to match on the destination as well).
Taking the example one step further, let’s say this company decided to grow
even more and ended up needing to put another network in place, so now
hanging off this same router was a new Ethernet interface with some new
hosts and these new hosts also need to partake in this dynamic NAT setup.
Let’s look at what we would have to do to modify this existing configuration.
First, the updated topology (the diagram in the original shows the following):
Internet, reached through the ISP router on the 200.200.200.0/24 link
NAT router: Serial1/0 200.200.200.2 toward the ISP, Ethernet1 10.10.10.1 on the 10.10.10.0/24 LAN, and the new Ethernet2 10.20.20.1 on the 10.20.20.0/24 LAN
10.10.10.x clients .10, .11, .12, .13
10.20.20.x clients .10, .11, .12, .13
Dynamic NAT: map 10.10.10.10-13 and 10.20.20.10-13 to 200.200.200.200-206
So now we have some new hosts, on a new network, Ethernet2 on our router
which has an IP of 10.20.20.1.
Step 1
The first thing we would need to do is add our new interface as a NAT inside
interface:
Router(config)# interface ethernet2
Router(config-if)# ip address 10.20.20.1 255.255.255.0
Router(config-if)# ip nat inside
Step 2
Increase the number of registered IP addresses in our NAT pool from 200-203
to 200-206:
Router(config)# ip nat pool public 200.200.200.200 200.200.200.206 netmask 255.255.255.0
Two things to note here. IOS will not let you redefine or remove a pool that
has active translations; if it refuses, clear them first with "clear ip nat
translation *" (this drops the existing sessions) and then enter the new pool.
Also, 200-206 is seven addresses for eight hosts, so with all eight active at
once one of them would find the pool empty. Size the pool for the number of
concurrently active hosts, or move to overloading as in the next section.
Step 3
Update access-list 7 to include the new network:
Router(config)# access-list 7 permit 10.20.20.0 0.0.0.255
And that would be it. The new network would now be dynamically NAT'd just
like the original network.
NAT Overloading Configuration Details
The configuration involved with NAT overloading is not much different than
our previous example. There is just a slight difference with an introduction of
a new keyword in the config. Let’s check it out.
In this scenario, the company we have been working on previously has
decided that they don’t want to do static or dynamic NAT, instead they want
everyone, including those users on network 10.10.10.0 and 10.20.20.0 to all
get Port Address Translated to a single IP address, which is
200.200.200.200. We do this with “overloading”.
We talked a bit about overloading, also known as PAT, before. The general way
it works is that the router assigns each session its own TCP or UDP source
port on the single public IP, and that port is how the router tells which
returning data flow belongs to which inside source IP.
This is by far the most common configuration you will use with NAT on a
Cisco, for one reason because it is a very efficient way to conserve public
address space.
So let’s get busy with the configuration.
The topology is the same as in the dynamic NAT example, with both LANs behind
the router; the only change is that everything is now translated to
200.200.200.200. Let's go through the steps:
Step 1
Add "ip nat inside" and "ip nat outside" to the appropriate interfaces.
Done previously!
Step 2
Create access-list that will associate specific networks or hosts to what needs
to be translated
Done previously! (Access-list 7)
Step 3
Create the pool.
The pool was created previously, but since the company only wants to use one
particular IP address to overload all of the unregistered private IP addresses
to, we need to modify the pool. Let's do that now (clear the active
translations first if IOS refuses to redefine a pool that is in use):
Router(config)# ip nat pool public 200.200.200.200 200.200.200.200 netmask 255.255.255.0
Step 4
Create the IP NAT inside source list.
This was done previously, but we need to modify that command now that we
want to overload. Remove the old mapping with the "no" form of the command
(again, clearing translations first if IOS reports the mapping is in use),
then enter:
Router(config)# ip nat inside source list 7 pool public overload
Notice that now we only have the "overload" keyword added to the end of the
ip nat inside source list command. This tells the router to multiplex all
matching connections onto the single pool address by port, which changes the
configuration from NAT to PAT, as we discussed before.
That is basically all there is to it.
One item that is also worth noting is that you can PAT to an interface's own
IP address instead of a pool, as long as that interface has a valid registered
public IP address assigned to it. This is the usual choice when the ISP gives
you a single address on the WAN interface.
Looking at our example, we said that serial1/0 on the router in this design
has an IP address of 200.200.200.2. If we did not have any other IP addresses
to use and wanted to overload with this address, we could do it with the
following config (in place of, not alongside, the pool-based mapping for
list 7):
Router(config)# ip nat inside source list 7 interface serial1/0 overload
NAT Overloading in an HSRP Environment
Now we want to look at how we can set up NAT Overloading to work in an
HSRP environment.
This is very useful because if you have two routers running HSRP and the
primary fails, the secondary picks up general connectivity, and that might be
fine for ordinary routed traffic.
But what would happen to the NAT connections? They would all break! Dynamic
and overloaded translations are entries that the active router builds in
memory as traffic flows; the standby router never saw that traffic, so it has
no entry for those sessions. After a failover, returning packets are dropped
and outbound packets get fresh translations that the far end does not
recognise as the existing session. Static entries are the exception, because
they are configuration, which is why the static HSRP example earlier needed
nothing more.
So what we need to do in this case is use what is called SNAT or Stateful
NAT to preserve the connections in the event of an HSRP failover. You
might hear other vendors or people say that SNAT stands for Secure NAT, or
Source NAT, but in Cisco-ese, SNAT means Stateful NAT. Just wanted to
make that note.
Essentially the SNAT configuration allows the two routers to function as a
group. Because they are in the same group, they exchange their NAT
information with each other, so the translations that are active on the
primary router get passed over to the secondary router as they are created.
This goes for new sessions and for sessions that get terminated; the bottom
line is that the NAT tables on each router are kept identical, including not
only the IP address and port mappings but also the TCP state information.
This is why it is called "Stateful NAT". If you show the NAT translations on
either router, assuming you configured everything properly, they will look
the same.
This is a very cool thing! Two caveats before you build on it: the routers
exchange translation state over a plain TCP connection between them, so keep
that path on a trusted segment; and Stateful NAT is a classic IOS feature, so
confirm that the platform and release you are deploying on still support it.
So let's walk through how to configure SNAT. The topology is the same
two-router HSRP design used in the static NAT example.
Step 1
As before, we first set up our Ethernet interface configurations, including
IP address, NAT inside, HSRP and an HSRP group name. In this example we'll
name our HSRP group "SNATHSRP"; the name has to be identical on both routers
because the SNAT configuration refers to the group by it.
Router1(config)# interface ethernet1
Router1(config-if)# ip address 10.10.10.2 255.255.255.0
Router1(config-if)# ip nat inside
Router1(config-if)# standby 1 ip 10.10.10.1
Router1(config-if)# standby 1 name SNATHSRP
We need to do the same on the other router:
Router2(config)# interface ethernet1
Router2(config-if)# ip address 10.10.10.3 255.255.255.0
Router2(config-if)# ip nat inside
Router2(config-if)# standby 1 ip 10.10.10.1
Router2(config-if)# standby 1 name SNATHSRP
Step 2
Next, of course, we need to set up our Serial interface configurations for
each router. All that is needed here is the NAT outside configuration:
Router1(config)# interface serial1/0
Router1(config-if)# ip address 200.200.200.2 255.255.255.0
Router1(config-if)# ip nat outside
And on the secondary router:
Router2(config)# interface serial1/0
Router2(config-if)# ip address 200.200.200.3 255.255.255.0
Router2(config-if)# ip nat outside
Step 3
Create our ACL on both routers. We did this before, but just as a reminder:
Router1(config)# access-list 7 permit 10.10.10.0 0.0.0.255
Router2(config)# access-list 7 permit 10.10.10.0 0.0.0.255
Step 4
Here is where we add the Stateful NAT configuration to each router. Note
that "redundancy" and "mapping-id" are sub-commands entered inside the
stateful NAT configuration mode, not global commands; the prompt changes as
you go. Each router needs its own stateful ID, and the mapping-id must be the
same on both.
Router1(config)# ip nat stateful id 1
Router1(config-ipnat-snat)# redundancy SNATHSRP
Router1(config-ipnat-snat-red)# mapping-id 10
And the same on Router2, with its own ID:
Router2(config)# ip nat stateful id 2
Router2(config-ipnat-snat)# redundancy SNATHSRP
Router2(config-ipnat-snat-red)# mapping-id 10
Now we enter the pool information and our "ip nat inside source" command.
You will notice the "ip nat inside source" command is using a route map now
to reference the access list we created. This is essentially another way of
doing the same thing, but it is not optional here: stateful NAT is bound to a
mapping by "mapping-id", and that keyword is only available in the route-map
form. The mapping-id must match the one given under the stateful NAT
configuration in Step 4, on both routers.
Router1(config)# ip nat pool public 200.200.200.200 200.200.200.200 netmask 255.255.255.0
Router1(config)# ip nat inside source route-map rm-snat1 pool public mapping-id 10 overload
Router1(config)# route-map rm-snat1 permit 10
Router1(config-route-map)# match ip address 7
And the same on Router2:
Router2(config)# ip nat pool public 200.200.200.200 200.200.200.200 netmask 255.255.255.0
Router2(config)# ip nat inside source route-map rm-snat1 pool public mapping-id 10 overload
Router2(config)# route-map rm-snat1 permit 10
Router2(config-route-map)# match ip address 7
Pretty cool huh? I have found this configuration very helpful when working
with dynamic NAT on routers utilizing HSRP.
There have been many times on a specific project I was working on where we
had two routers configured with HSRP and SNAT set up in the way
mentioned above and these two routers would failover from one to another
via HSRP.
In every case, because the NAT translations were always synchronized
between the two devices, these HSRP failovers were completely transparent
and all business continued as usual.
Had it not been for these configurations all existing data flows would have
been completely broken.
Congratulations, you now know what it takes to implement various flavors of
NAT on a Cisco Router!
Now let's take a quick look at verifying NAT is operating as it should be, and
a few tools to see what is really going on with NAT from the router's
perspective.
Verifying NAT is Operating as Expected
There is a specific NAT command you will come to be very familiar with when
you are troubleshooting and/or verifying NAT operations:
“show ip nat translations”
This command will give you pretty much all of the information you need to
find out whether your NAT is functioning as it should be: one line per
translation, with the protocol and the inside local, inside global, outside
local and outside global address and port pairs (static entries show up with
no protocol or outside addresses). Add "verbose" to see how long each entry
has been idle and when it will expire.
As you configure your NAT, attempt a connection to where you believe NAT
should be working, then check your NAT translations with the above command.
Another command you will need to know is
"show ip nat statistics"
This will tell you the valid info about your NAT configuration such as which
interfaces you have set up as inside and outside, whether or not these
interfaces have any NAT hits, how the mapping is occurring, via which access
list, etc. Watch the "misses" counter in particular: a climbing count with a
dynamic pool means hosts are being refused because the pool is empty.
When a translation you expect is absent or stale, "clear ip nat translation *"
empties the table so the next packet creates a fresh entry (this drops live
sessions, so use it with care on a production router), and "debug ip nat"
shows each translation as it is made. Keep the debug short on a busy router.
Very useful commands - know them well!
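The checks described above, turned into a small Python script that reads "show ip nat translations" output. This is an added example for this page, not a Cisco tool and not from the tutorial's author. The SAMPLE text is constructed by hand in the classic IOS column layout (a static entry for 10.10.10.10 followed by three dynamic entries, with 198.51.100.0/24 documentation addresses as the outside hosts) and is not output captured from a router; the helper names and the allowed-network check are this example's own. It answers the questions you would otherwise eyeball: is the static mapping present, which inside global addresses are actually in use, which inside hosts are being translated that your access list was not meant to cover, and where PAT had to rewrite the source port.

```python
"""Checker for 'show ip nat translations' output, added for this tutorial
(not a Cisco tool). SAMPLE is constructed in the classic IOS column layout,
not captured from a router; helper names are this example's own."""
import ipaddress

SAMPLE = """\
Pro Inside global         Inside local          Outside local         Outside global
--- 200.200.200.200       10.10.10.10           ---                   ---
tcp 200.200.200.201:40000 10.10.10.11:40000     198.51.100.5:80       198.51.100.5:80
udp 200.200.200.201:53012 10.10.10.12:53012     198.51.100.53:53      198.51.100.53:53
tcp 200.200.200.201:1024  10.20.20.10:40000     198.51.100.5:443      198.51.100.5:443
"""


def split_addr(field):
    """'1.2.3.4:80' -> ('1.2.3.4', 80); '1.2.3.4' -> ('1.2.3.4', None);
    '---' -> (None, None)."""
    if field == "---":
        return None, None
    ip, sep, port = field.partition(":")
    return ip, (int(port) if sep else None)


def parse_translations(text):
    """One dict per translation line; the header and blank lines are skipped.
    Static entries carry '---' for protocol and outside addresses."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] == "Pro":
            continue
        proto, ig, il, ol, og = parts
        entries.append({
            "proto": None if proto == "---" else proto,
            "inside_global": split_addr(ig),
            "inside_local": split_addr(il),
            "outside_local": split_addr(ol),
            "outside_global": split_addr(og),
        })
    return entries


def static_present(entries, local_ip, global_ip):
    """True when the one-to-one static mapping is in the table."""
    return any(e["proto"] is None and e["inside_local"][0] == local_ip
               and e["inside_global"][0] == global_ip for e in entries)


def globals_in_use(entries):
    """Distinct inside global addresses used by dynamic (port-carrying)
    entries; with overloading this should be a single address."""
    return sorted({e["inside_global"][0] for e in entries if e["proto"]})


def unexpected_sources(entries, allowed_nets):
    """Inside local addresses being translated that the access list was not
    meant to cover: a sign the list is wider than intended."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    bad = []
    for e in entries:
        ip = ipaddress.ip_address(e["inside_local"][0])
        if not any(ip in n for n in nets):
            bad.append(str(ip))
    return bad


def port_rewritten(entries):
    """Dynamic entries whose inside global port differs from the inside local
    port: PAT had to pick another port because the original was in use."""
    return [e for e in entries if e["proto"]
            and e["inside_global"][1] != e["inside_local"][1]]


def audit(text, allowed_nets, expected_static):
    """Run every check over one 'show ip nat translations' capture."""
    entries = parse_translations(text)
    return {
        "missing_static": [(l, g) for l, g in expected_static
                           if not static_present(entries, l, g)],
        "globals": globals_in_use(entries),
        "unexpected": unexpected_sources(entries, allowed_nets),
        "rewritten": [e["inside_local"][0] for e in port_rewritten(entries)],
    }


if __name__ == "__main__":
    print(audit(SAMPLE, ["10.10.10.0/24"], [("10.10.10.10", "200.200.200.200")]))
```

On the constructed sample, the audit reports 10.20.20.10 as an unexpected source when only 10.10.10.0/24 is allowed (which is exactly the situation before access-list 7 was widened in the dynamic NAT section) and flags the same host as the one whose port PAT had to rewrite. Paste real output in place of SAMPLE, or read it from a file, to run the same checks against your router.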
Conclusion
If you have faithfully followed the concepts and examples I have laid out in
this tutorial I trust that you now understand the basic principles of NAT on the
Cisco Router. These “foundational principles” will guide you and help you in
whatever specific types of requirements and configurations you will face. The
access lists and IP addresses will change but you will bring to the table a
knowing and understanding of what it takes to configure the Router for the
client or employer you are working for.
It is up to you now to take this information and "run with it". There are plenty
of opportunities out there in your sphere of influence to take these
foundational principles of NAT on the Cisco Router and put them into
practice. You have been given keys to success, now it is up to you to take
those keys and do something with them! If you came into this tutorial with
some Cisco NAT experience behind you, I hope that it was able to reinforce
and confirm what you already knew and potentially clarify some of those
things you weren’t too sure of.
Be sure to get on my free email list where I give tips and tricks for both the
PIX/ASA Firewall and Cisco Router topics.
To do so send a blank email to: [email protected]
It has been a pleasure serving you this information. Until next time!
Eric S. Severson
www.firewallkeys.com
www.routerkeys.com