NAT Configuration Examples

This section contains NAT configuration examples for a single virtual router configuration and NAT translation between two virtual routers.

NAPT Example

Figure 6 illustrates a NAPT configuration for a private network with two inside subnetworks, a field office, and a corporate office.

Both offices use private addresses. The corporate office has a dual T-3 link and a public FTP server that has a global address (that is, it does not need translation).

Figure 6: NAPT Example


The address pool consists of three addresses (the number of addresses is small, because NAPT is used). Addresses matching the private address spaces of the corporate and field subnetworks are translated to global addresses from the pool through NAPT.

To configure this example:

  1. Enter the correct virtual router context.
    host1(config)#virtual-router blue
  2. Mark the inside interfaces.
    1. Mark the field office:
      host1:blue(config)#interface serial 2/1:1/1
      host1:blue(config-interface)#ip nat inside
      host1:blue(config-interface)#exit
    2. Mark the two corporate T-3 links:
      host1:blue(config)#interface serial 1/1
      host1:blue(config-interface)#ip nat inside
      host1:blue(config-interface)#exit
      host1:blue(config)#interface serial 1/2
      host1:blue(config-interface)#ip nat inside
      host1:blue(config-interface)#exit
  3. Mark the outside interface.
    host1:blue(config)#interface gigabitEthernet 3/0.1
    host1:blue(config-interface)#ip nat outside
    host1:blue(config-interface)#exit
  4. Create a static nil-translation for the FTP server on the corporate network.
    host1:blue(config)#ip nat inside source static tcp 190.22.8.18 21 190.22.8.18 21
  5. Create the address pool for dynamic translations.
    host1:blue(config)#ip nat pool corpxyz 192.32.6.4 192.32.6.7 prefix-length 24
  6. Create the access list for addresses eligible for dynamic translation.
    host1:blue(config)#access-list justcorp permit 10.10.1.0 0.0.0.255
    host1:blue(config)#access-list justcorp permit 10.10.2.0 0.0.0.255
  7. Create the NAPT dynamic translation rule.
    host1:blue(config)#ip nat inside source list justcorp pool corpxyz overload
  8. Configure a default route to the outside interface.
    host1:blue(config)#ip route 0.0.0.0 0.0.0.0 gigabitEthernet 3/0.1
  9. Configure a null route for the inside global addresses to prevent routing loops when no matching translation exists.
    host1:blue(config)#ip route 192.32.6.0 255.255.255.248 null 0

    Note: The null route applies to 192.32.6.0–192.32.6.3, which do not exist in the address pool.

All hosts that use private addresses in both the field office and the corporate office must have their addresses translated to one of the three addresses in the pool. Because this example uses NAPT, a single pool address can serve many inside hosts at once, so how many of the three addresses are in use depends on the number of inside hosts attempting to access the outside at any given time.

Bidirectional NAT Example

Figure 7 illustrates how outside hosts can initiate conversations with inside hosts through the use of a DNS server that resides on the inside network.

The inside realm uses basic NAT. The inside network uses a mix of private subnetwork address space (192.168.22/24) and registered public addresses.

Figure 7: Bidirectional NAT Example


To configure this example:

  1. Enter the correct virtual router context.
    host1(config)#virtual-router blue
  2. Mark the inside interface.
    host1:blue(config)#interface serial 1/1:1/1
    host1:blue(config-interface)#ip nat inside
    host1:blue(config-interface)#exit
  3. Mark the outside interface.
    host1:blue(config)#interface gigabitEthernet 3/0.1
    host1:blue(config-interface)#ip nat outside
    host1:blue(config-interface)#exit
  4. Create the translation for the DNS.
    host1:blue(config)#ip nat inside source static 192.168.22.2 192.32.6.1
  5. Create the address pool for dynamic translations.
    host1:blue(config)#ip nat pool entA192 192.32.6.2 192.32.6.63 prefix-length 24
  6. Create the access list for addresses eligible for dynamic translation (that is, private addresses).
    host1:blue(config)#access-list entA permit 192.168.22.0 0.0.0.255
  7. Create the dynamic translation rule.
    host1:blue(config)#ip nat inside source list entA pool entA192
  8. Configure a default route to the outside interface.
    host1:blue(config)#ip route 0.0.0.0 0.0.0.0 gigabitEthernet 3/0.1
  9. Configure a null route for the inside global addresses, to prevent routing loops when no matching translation exists.
    host1:blue(config)#ip route 192.32.6.0 255.255.255.192 null 0

    Note: The null route applies to 192.32.6.0 and 192.32.6.1, which do not exist in the address pool.

Twice NAT Example

Twice NAT is often useful when the inside network is using a nonprivate address space (unregistered usage of global address space) and you want it to connect to the public network. Inside local addresses need to be translated to legal global addresses. Legal addresses from the outside that overlap those used on the inside network need to be translated to unused and recognizable addresses in the inside network. Both inside source and outside source translations must be configured on the NAT router.

Figure 8 illustrates how the inside network is using the unregistered global address space of 15.12.0.0/16. Outside hosts whose addresses overlap with this subnetwork that want to access the inside network need their global addresses translated.

Figure 8: Twice NAT Example


To configure this example:

  1. Enter the correct virtual router context.
    host1(config)#virtual-router blue
  2. Mark the inside interface.
    host1:blue(config)#interface fast-ethernet 6/1
    host1:blue(config-interface)#ip nat inside
    host1:blue(config-interface)#exit
  3. Mark the outside interface.
    host1:blue(config)#interface atm 3/0.20
    host1:blue(config-interface)#ip nat outside
    host1:blue(config-interface)#exit
  4. Create the address pool for inside source translations.
    host1:blue(config)#ip nat pool entAoutpool 12.220.1.0 12.220.255.255 prefix-length 16

    Note: This pool is purposely smaller than the size of the company network because not all private hosts are likely to access the public network at the same time.

  5. Create the access list for addresses eligible for dynamic translation.
    host1:blue(config)#access-list entAout permit 15.12.0.0 0.0.255.255
  6. Create the dynamic translation rule for outbound traffic.
    host1:blue(config)#ip nat inside source list entAout pool entAoutpool
  7. Create the address pool for outside source translations.

    Using an address range of 10.1.32.0/8 prevents any overlap with the private network (15.12.0.0/16).

    host1:blue(config)#ip nat pool entAinpool 10.1.32.1 10.1.32.255 prefix-length 16

    Note: This pool is purposely small, allowing for only a few connections.

  8. Configure the access list for global addresses that overlap with inside addresses.
    host1:blue(config)#access-list entAin permit 15.12.0.0 0.0.255.255
  9. Create the dynamic translation rule for inbound traffic.
    host1:blue(config)#ip nat outside source list entAin pool entAinpool
  10. Create one of the following:
    • A route to the outside interface for inside hosts to access outside hosts that have overlapping addresses.
      host1:blue(config)#ip route 10.1.32.0 255.255.255.0 atm 3/0.1

      Note: An inside host cannot directly access hosts on the outside network that use addresses that overlap with the inside subnetwork. However, by using outside source translation and DNS name resolution, the NAT router can install translations so inside hosts can access these outside hosts by using nonoverlapping addresses.

    • A default route to the outside interface.
      host1:blue(config)#ip route 0.0.0.0 0.0.0.0 atm 3/0.1
  11. Configure a null route for the inside global addresses to prevent routing loops when no matching translation exists.
    host1:blue(config)#ip route 12.220.1.0 255.255.0.0 null 0

Cross-VRF Example

In MPLS VPN configurations, you might want to offer public Internet access to VPN subscribers. MPLS VPNs are enabled through the use of VRFs. If a VPN is using a private or overlapping address space, you can use NAT to enable access to the public network because the NAT implementation is both VR and VRF aware. Figure 9 illustrates how the subscriber interface feature of the router is used in conjunction with NAT to connect the VPNs to the public network.

Figure 9: Cross-VRF Example


VRF11 is the local (this PE) representation of the MPLS VPN and connects enterpriseA to the VPN. Enterprise A communicates to VRFs in other PE devices (the rest of the VPN) through RFC2547bis (MPLS VPNs). VR1, of which the VRF is administratively a member, represents the public network. The interface to EnterpriseA is marked as an inside interface. The normal steps for configuring inside source translation are applied. A subscriber interface is created off the uplink to the core network and anchored in the VRF. A DA-based demultiplexer matching the inside global address range is configured on the subscriber interface. The subscriber interface is marked as an outside interface.

To configure this example:

  1. Enter the correct virtual routing and forwarding instance.
    host1(config)#virtual-router vr1:vrf11
  2. Mark the inside interfaces.
    host1:vr1:vrf11(config)#interface fast-ethernet 6/1
    host1:vr1:vrf11(config-interface)#ip nat inside
    host1:vr1:vrf11(config-interface)#exit
  3. Set the primary interface to DA-type demultiplexer (for subsequent shared interfaces).
    host1:vr1(config)#interface atm 12/0.101
    host1:vr1(config-interface)#ip demux-type da-prefix
    host1:vr1(config-interface)#exit
  4. Create the address pool for dynamic translations.
    host1:vr1(config)#virtual-router vr1:vrf11
    host1:vr1:vrf11(config)#ip nat pool entApool 128.13.44.0 128.13.44.255 prefix-length 24
  5. Create the access list for addresses eligible for dynamic translation.
    host1:vr1:vrf11(config)#access-list entA permit 10.16.5.0 0.0.0.255
  6. Create the dynamic translation rule.
    host1:vr1:vrf11(config)#ip nat inside source list entA pool entApool
  7. Create the subscriber interface off the uplink.
    host1:vr1:vrf11(config)#interface ip vrf11vr1
    host1:vr1:vrf11(config-interface)#ip share-interface atm 12/0.101
    host1:vr1:vrf11(config-interface)#ip unnumbered loopback 1
  8. Configure a group of destination prefixes with which the device can communicate on the public network.
    host1:vr1:vrf11(config-interface)#ip destination-prefix 128.13.44.0 255.255.255.0
  9. Mark the subscriber interface as outside.
    host1:vr1:vrf11(config-interface)#ip nat outside
    host1:vr1:vrf11(config-interface)#exit
  10. Point the default route to the shared interface.
    host1:vr1:vrf11(config)#ip route 0.0.0.0 0.0.0.0 ip vrf11vr1
  11. Install a null route to avoid routing loops to the inside global address.
    host1:vr1:vrf11(config)#ip route 128.13.44.0 255.255.255.0 null 0
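As an added offline check (Python, not JunosE or Juniper code) for the null-route notes in the NAPT, bidirectional NAT, twice NAT and cross-VRF examples above, and for the overlap that the twice NAT outside-source pool must avoid: it takes the pool range, null-route prefix and mask, and access-list wildcard as they appear in the CLI lines, reports whether the null route covers the whole pool and which blackholed addresses are not pool members, and tests a pool against an access-list entry for overlap. The function names are assumptions of this example.

```python
import ipaddress
from typing import List, Tuple

# Added example, not JunosE code: offline checks of the relationships the
# examples above rely on, fed with the CLI values exactly as they appear there.

def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn an access-list 'addr wildcard' pair (10.10.1.0 0.0.0.255) into a network.
    Only contiguous wildcards are supported; ipaddress rejects anything else."""
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network((addr, str(netmask)), strict=False)

def pool_range(start: str, end: str) -> range:
    """Integer range of the inside global addresses in 'ip nat pool <name> start end'."""
    lo, hi = int(ipaddress.IPv4Address(start)), int(ipaddress.IPv4Address(end))
    if lo > hi:
        raise ValueError("pool start must not be above pool end")
    return range(lo, hi + 1)

def check_null_route(pool_start: str, pool_end: str,
                     route_prefix: str, route_mask: str) -> Tuple[bool, List[str]]:
    """Compare 'ip nat pool' against 'ip route <prefix> <mask> null 0'.
    Returns (True if every pool address is covered by the null route,
             addresses the null route blackholes that are not in the pool)."""
    route = ipaddress.IPv4Network((route_prefix, route_mask), strict=False)
    pool = pool_range(pool_start, pool_end)
    covered = (int(route.network_address) <= pool.start
               and pool[-1] <= int(route.broadcast_address))
    unused = [str(a) for a in route if int(a) not in pool]
    return covered, unused

def pool_overlaps_acl(pool_start: str, pool_end: str,
                      acl_addr: str, acl_wildcard: str) -> bool:
    """True if any pool address also matches the access-list entry, i.e. the
    overlap an outside-source pool must avoid in the twice NAT example."""
    net = wildcard_to_network(acl_addr, acl_wildcard)
    pool = pool_range(pool_start, pool_end)
    return pool.start <= int(net.broadcast_address) and pool[-1] >= int(net.network_address)

if __name__ == "__main__":
    # NAPT example: pool 192.32.6.4-.7, null route 192.32.6.0 255.255.255.248
    print(check_null_route("192.32.6.4", "192.32.6.7", "192.32.6.0", "255.255.255.248"))
    # Twice NAT example: outside-source pool checked against the inside access list
    print(pool_overlaps_acl("10.1.32.1", "10.1.32.255", "15.12.0.0", "0.0.255.255"))
```

A null route that does not cover every pool address (covered is False) leaves those inside global addresses able to loop back to the default route when no translation exists, which is the condition the null route is there to prevent.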