Traditionally, Cisco NAT on routers and firewalls was configured in a fairly fixed direction by defining two interfaces, one as “inside” and the other as “outside”. As the names suggest, the “inside” interface would generally be your LAN with private IP addressing, and the “outside” interface would normally be your public, ISP-facing interface.
A typical configuration of this is below, where we have a single router with a LAN and WAN interface and outbound NAT towards the internet.
interface s0/1
 description link-to-isp-internet
 ip address 188.8.131.52 255.255.255.0
 ip nat outside
interface f0/0
 description link-to-corporate-lan
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
Basically we can now enable NAT on an interface without specifying an explicit direction (inside/outside). This is really helpful if you want to perform PAT (outbound NAT for your clients) and also destination NAT (port forwarding) on the same inbound/outbound interface, and it makes your whole NAT setup far more scalable for future changes.
The command below defines the IP addresses that we want to allocate to our NAT pool; the prefix length is the subnet mask for the IP range. The add-route keyword also generates a ‘static’ type route in our routing table, which is useful if you need to ensure the NAT pool is reachable from the rest of your network via dynamic routing protocols.
ip nat pool PUBLIC_NAT_POOL 10.0.0.0 10.0.0.255 prefix-length 24 add-route
The next step is to define an access list. This is used to specify the pre-NAT (think inside) addresses that will match the NAT rule.
access-list 1 permit 192.168.0.0 0.0.0.255
Now we need to join that access list up with the NAT pool to create a port address translation setup.
ip nat source list 1 pool PUBLIC_NAT_POOL overload
Finally we need to enable NAT on both interfaces. Note that we don’t define an inside/outside, we just enable NAT, as the access list and routing will take care of the direction.
interface s0/1
 ip nat enable
interface f0/0
 ip nat enable
Port Forwarding Example
This makes it really simple to add something like port forwarding in the future. In the example below we forward HTTP requests sent to the interface IP address on s0/1 to port 8080 on our backend server.
ip nat source static tcp 192.168.0.10 8080 interface s0/1 80
The syntax for that is fairly simple, as below:
ip nat source static [tcp/udp] [inside ip] [inside port] interface [outside interface] [outside port]
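Because each static entry in this syntax opens an inbound path to an inside host, it is worth inventorying them when reviewing a config. The script below is an added example, not part of the original post: it parses the port forward syntax shown above, lists every exposed inside host and port, and flags forwards whose interface lacks "ip nat enable". The sample config is constructed, interface names are matched literally as typed, and flagging legacy inside/outside interfaces next to "ip nat enable" is this example's own review policy.

```python
import re

# Constructed sample config built from the commands on this page; f0/1 and s0/2 are hypothetical.
SAMPLE_CONFIG = """\
interface s0/1
 ip nat enable
interface f0/0
 ip nat enable
interface f0/1
 ip nat inside
ip nat source list 1 pool PUBLIC_NAT_POOL overload
ip nat source static tcp 192.168.0.10 8080 interface s0/1 80
ip nat source static tcp 192.168.0.20 22 interface s0/2 2222
"""

STATIC_RE = re.compile(
    r"^ip nat source static (tcp|udp) (\S+) (\d+) interface (\S+) (\d+)$")

def parse_nat_modes(config):
    """Map each interface name to the set of NAT keywords configured on it."""
    modes, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            modes[current] = set()
        elif current and line.startswith(" "):
            m = re.match(r"^\s+ip nat (enable|inside|outside)\s*$", line)
            if m:
                modes[current].add(m.group(1))
        else:
            current = None  # back at global config level
    return modes

def audit(config):
    """Return (port_forwards, findings) for an IOS-style config string."""
    modes = parse_nat_modes(config)
    forwards, findings = [], []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if not m:
            continue
        proto, ip, iport, iface, oport = m.groups()
        forwards.append((iface, proto, int(oport), ip, int(iport)))
        if "enable" not in modes.get(iface, set()):
            findings.append(f"{iface}: forward to {ip}:{iport} but no 'ip nat enable'")
    legacy = sorted(i for i, s in modes.items() if s & {"inside", "outside"})
    if legacy and any("enable" in s for s in modes.values()):
        findings.append("legacy inside/outside mixed with 'ip nat enable': " + ", ".join(legacy))
    return forwards, findings
```

Each tuple in the first return value reads as (outside interface, protocol, outside port, inside IP, inside port), which is the list to compare against the inbound ACL and the services you actually intend to publish.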