
Twice NAT Example

Twice NAT is often useful when the inside network is using a nonprivate address space (unregistered usage of global address space) and you want it to connect to the public network. Inside local addresses need to be translated to legal global addresses. Legal addresses from the outside that overlap those used on the inside network need to be translated to unused and recognizable addresses in the inside network. Both inside source and outside source translations must be configured on the NAT router.

Figure 8 illustrates how the inside network is using the unregistered global address space of 15.12.0.0/16. Outside hosts whose addresses overlap with this subnetwork that want to access the inside network need their global addresses translated.

Figure 8: Twice NAT Example


To configure this example:

  1. Enter the correct virtual router context.
    host1(config)#virtual-router blue
  2. Mark the inside interface.
    host1:blue(config)#interface fast-ethernet 6/1
    host1:blue(config-interface)#ip nat inside
    host1:blue(config-interface)#exit
  3. Mark the outside interface.
    host1:blue(config)#interface atm 3/0.20
    host1:blue(config-interface)#ip nat outside
    host1:blue(config-interface)#exit
  4. Create the address pool for inside source translations.
    host1:blue(config)#ip nat pool entAoutpool 12.220.1.0 12.220.255.255 prefix-length 16

    Note: This pool is purposely smaller than the size of the company network because not all private hosts are likely to access the public network at the same time.

  5. Create the access list for addresses eligible for dynamic translation.
    host1:blue(config)#access-list entAout permit 15.12.0.0 0.0.255.255
  6. Create the dynamic translation rule for outbound traffic.
    host1:blue(config)#ip nat inside source list entAout pool entAoutpool
  7. Create the address pool for outside source translations.

    Using an address range of 10.1.32.0/8 prevents any overlap with the private network (15.12.0.0/16).

    host1:blue(config)#ip nat pool entAinpool 10.1.32.1 10.1.32.255 prefix-length 16

    Note: This pool is purposely small, allowing for only a few connections.

  8. Configure the access list for global addresses that overlap with inside addresses.
    host1:blue(config)#access-list entAin permit 15.12.0.0 0.0.255.255
  9. Create the dynamic translation rule for inbound traffic.
    host1:blue(config)#ip nat outside source list entAin pool entAinpool
  10. Create one of the following:
  11. Configure a null route for the inside global addresses to prevent routing loops when no matching translation exists.
    host1:blue(config)#ip route 12.220.1.0 255.255.0.0 null 0
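The following is an added Python model of the translation behaviour the steps above configure; it is not JunosE code or part of the original page. The pool ranges, access-list ranges and null route mirror the example, while the host addresses and the on-demand allocation of outside local addresses (which a real router would learn through a DNS ALG or a static entry) are constructed assumptions.

```python
import ipaddress

class Pool:
    """Hands out addresses from a NAT pool in order (constructed dynamic-pool model)."""
    def __init__(self, first, last):
        self.next = int(ipaddress.ip_address(first))
        self.last = int(ipaddress.ip_address(last))

    def allocate(self):
        if self.next > self.last:
            raise RuntimeError("pool exhausted")
        addr = str(ipaddress.ip_address(self.next))
        self.next += 1
        return addr

class TwiceNat:
    def __init__(self):
        self.inside_list = ipaddress.ip_network("15.12.0.0/16")   # access-list entAout
        self.outside_list = ipaddress.ip_network("15.12.0.0/16")  # access-list entAin
        self.in_pool = Pool("12.220.1.0", "12.220.255.255")        # entAoutpool
        self.out_pool = Pool("10.1.32.1", "10.1.32.255")           # entAinpool
        self.inside = {}   # inside local   -> inside global
        self.outside = {}  # outside global -> outside local

    def inside_global_for(self, local):
        # ip nat inside source list entAout pool entAoutpool
        if local not in self.inside:
            self.inside[local] = self.in_pool.allocate()
        return self.inside[local]

    def outside_local_for(self, glob):
        # ip nat outside source list entAin pool entAinpool (allocated on demand here,
        # an assumption; the real router learns it via DNS ALG or a static entry)
        if glob not in self.outside:
            self.outside[glob] = self.out_pool.allocate()
        return self.outside[glob]

    def outbound(self, src, dst):
        """Inside -> outside: both source and destination rewritten in one pass."""
        if ipaddress.ip_address(src) in self.inside_list:
            src = self.inside_global_for(src)
        by_local = {v: k for k, v in self.outside.items()}
        return src, by_local.get(dst, dst)  # non-overlapping outside hosts pass unchanged

    def inbound(self, src, dst):
        """Outside -> inside; returns None when the null route discards the packet."""
        by_global = {v: k for k, v in self.inside.items()}
        if dst not in by_global:
            return None  # ip route 12.220.1.0 255.255.0.0 null 0: no translation, dropped
        if ipaddress.ip_address(src) in self.outside_list:
            src = self.outside_local_for(src)
        return src, by_global[dst]
```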
