What are NAT and PAT, and why use them?

Network Address Translation (NAT) in its simplest form is a method of translating one IP address to another; for example, a private IP address is rewritten to a public one as a packet leaves the network, and the reply is rewritten back on the way in. Without NAT, computers on private networks would be unable to reach any Internet resources, because private (RFC 1918) addresses are not routed on the Internet. Port Address Translation (PAT), also known as NAT overload, uses a single outside public address and maps multiple inside addresses to it by giving each session its own port number. Both are extremely common and useful for establishing Internet connectivity and for publishing services hosted on private networks to the Internet.

In the example network there is a single router (R1), one end-user computer, and two servers (Server2 at 10.1.0.2 and Server3 at 10.1.0.3). We will perform three configurations: a dynamic PAT (NAT overload) so that inside computers can reach the Internet through the single public address 1.1.1.1; a static one-to-one NAT mapping 10.1.0.2 to 1.1.1.2; and a static PAT forwarding 1.1.1.1:2323 to 10.1.0.3:23. Together these provide Internet connectivity and make the two servers reachable from the Internet. It is important to understand, however, that a static one-to-one NAT configured without an additional access list filtering traffic or ports effectively places the inside device directly on the Internet: every port it listens on becomes reachable from anywhere.

Steps to configure NAT and PAT

Step 1: Configure all applicable router interfaces. We also assign a secondary IP address (1.1.1.2) on FastEthernet0/0, which will be used later for the static NAT. Configure the primary address first: IOS does not accept a secondary address on an interface that has no primary yet.

R1(config)#interface FastEthernet0/0
R1(config-if)#ip address 1.1.1.1 255.255.255.248
R1(config-if)#ip address 1.1.1.2 255.255.255.248 secondary
!
R1(config)#interface FastEthernet0/1
R1(config-if)#ip address 10.1.0.1 255.255.255.0
!
R1(config)#interface FastEthernet1/0
R1(config-if)#ip address 10.1.10.1 255.255.255.0

Step 2: Mark each interface as either an outside or an inside NAT interface. Translation only takes place for packets passing between an inside and an outside interface; traffic between the two inside interfaces is routed untranslated.

R1(config)#interface FastEthernet0/0
R1(config-if)#ip nat outside
!
R1(config)#interface FastEthernet0/1
R1(config-if)#ip nat inside
!
R1(config)#interface FastEthernet1/0
R1(config-if)#ip nat inside

Step 3: Configure a dynamic NAT so that inside computers can reach the Internet. The overload keyword turns this into PAT: many inside addresses are translated to the single address of the named interface (FastEthernet0/0, i.e. 1.1.1.1) and kept apart by port number. Only traffic whose source matches access list 1 (defined in the next step) is translated.

R1(config)#ip nat inside source list 1 interface FastEthernet0/0 overload

Step 4: Configure the access list that selects which inside networks are translated. Note that in a NAT access list a deny entry means "do not translate", not "drop": a packet from an unlisted source is still routed out untranslated with its private source address and is simply discarded somewhere upstream. Every IOS access list already ends with an implicit deny, so the explicit deny below only makes that visible. Keep the list to the inside networks that should share the public address and avoid permit any here.

R1(config)#access-list 1 permit 10.1.10.0 0.0.0.255
R1(config)#access-list 1 permit 10.1.0.0 0.0.0.255
! explicit for readability only; every IOS ACL ends with an implicit deny
R1(config)#access-list 1 deny any

Step 5: Configure a static one-to-one NAT mapping the inside address 10.1.0.2 to the public address 1.1.1.2. Because 1.1.1.2 lies in the subnet of the outside interface, IOS also creates an ARP alias for it when the translation is added (the no-alias keyword suppresses this), so the secondary address from step 1 is not strictly required for the translation to work.

R1(config)#ip nat inside source static 10.1.0.2 1.1.1.2

Caution: a static one-to-one NAT configured without an additional access list filtering traffic or ports places the inside device effectively straight on the Internet: every TCP and UDP port (and ICMP) of 10.1.0.2 is reachable at 1.1.1.2 from any source. If the device does not run its own host firewall it is unprotected and exposed. Filter on the router with an inbound access list on the outside interface (it is evaluated before translation, so it must match the public address 1.1.1.2, not 10.1.0.2) or with a stateful firewall feature.

Step 6: Configure a static PAT (a port forward) sending TCP connections to 1.1.1.1 port 2323 on to 10.1.0.3 port 23. Only this one port of 10.1.0.3 is exposed. The extendable keyword allows several translations to share the same global address, which is the case here because 1.1.1.1 is also the address used by the overload translation.

R1(config)#ip nat inside source static tcp 10.1.0.3 23 1.1.1.1 2323 extendable
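The six steps combined into one configuration, together with the filtering the caution above asks for. This is an added example and not the original page's configuration: the access list name OUTSIDE-IN and the inspection rule name FW are my own, and the choice to publish only TCP 23 of Server2 (the port the page's verification uses) is an assumption; in production publish the real service rather than cleartext telnet. Classic CBAC inspection is used on the inside interfaces so that return traffic of the overloaded sessions is still allowed through the outside filter.

```cisco
! Added example: full configuration for R1 (steps 1-6) plus inbound filtering.
interface FastEthernet0/0
 ip address 1.1.1.1 255.255.255.248
 ip address 1.1.1.2 255.255.255.248 secondary
 ip nat outside
 ip access-group OUTSIDE-IN in
!
interface FastEthernet0/1
 ip address 10.1.0.1 255.255.255.0
 ip nat inside
 ip inspect FW in
!
interface FastEthernet1/0
 ip address 10.1.10.1 255.255.255.0
 ip nat inside
 ip inspect FW in
!
! Inside networks that are translated on the way out. A deny here means
! "do not translate", not "drop"; the implicit deny at the end is enough.
access-list 1 permit 10.1.0.0 0.0.0.255
access-list 1 permit 10.1.10.0 0.0.0.255
!
! Dynamic PAT (overload): all inside hosts share 1.1.1.1.
ip nat inside source list 1 interface FastEthernet0/0 overload
! Static one-to-one NAT: every port of 10.1.0.2 answers at 1.1.1.2.
ip nat inside source static 10.1.0.2 1.1.1.2
! Static PAT: only 1.1.1.1:2323 is forwarded, to 10.1.0.3:23.
! extendable lets 1.1.1.1 carry this entry next to the overload translation.
ip nat inside source static tcp 10.1.0.3 23 1.1.1.1 2323 extendable
!
! Stateful inspection (CBAC) of sessions entering from the inside interfaces
! opens temporary holes in OUTSIDE-IN for their return traffic only.
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW icmp
!
! Inbound filter on the outside interface. It is evaluated before NAT,
! so it must match the public (inside global) addresses.
ip access-list extended OUTSIDE-IN
 remark Server2 via static NAT: allow only the published service
 remark (TCP 23 matches the verification on this page; assumption)
 permit tcp any host 1.1.1.2 eq 23
 remark Server3 via static PAT: only the forwarded port
 permit tcp any host 1.1.1.1 eq 2323
 remark all other ports of Server2 and the router's own services are dropped
 deny ip any any log
```

With this in place 1.1.1.2 no longer behaves like a host sitting on the Internet: the static NAT still maps all ports, but only TCP 23 ever reaches it. Two things to keep in mind: the inspection rules cover traffic from the inside interfaces, so replies to sessions the router itself originates (for example its own DNS or NTP queries) are still blocked by OUTSIDE-IN unless router-traffic is added to the ip inspect name rules; and the deny with log will show you, in the router's log, what the Internet is trying to reach at your public addresses.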

Verify the configuration

Now that the configuration is finished, let's verify remote connectivity from a host on the Internet side. The private inside addresses (10.1.0.2 and 10.1.0.3) do not respond to ping from outside; only their translated public addresses do, so ping 1.1.1.2 to confirm the static NAT to Server2. Use the telnet command to verify connectivity: telnet to 1.1.1.2 port 23 reaches Server2, and telnet to 1.1.1.1 port 2323 reaches port 23 on Server3. Server3 only responds to telnet requests on the port we are translating from the outside to the inside device; a connection to 1.1.1.1 port 23 is not forwarded at all but lands on the router's own vty lines, which is one more reason to filter the outside interface.
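The checks an operator runs on R1 itself, as an added example that is not part of the original page. The two static entries shown in the comment follow directly from the two static commands configured above; overload entries only exist while a session is open, so their outside addresses and source ports depend on live traffic.

```cisco
! Added example: confirm on R1 what is actually being translated.
!
! The static entries are present permanently and look like this
! (column layout as printed by IOS; addresses are the ones configured above):
!
! Pro Inside global      Inside local       Outside local      Outside global
! --- 1.1.1.2            10.1.0.2           ---                ---
! tcp 1.1.1.1:2323       10.1.0.3:23        ---                ---
!
! Overload entries appear only while a session is active, with the outside
! addresses filled in and the source port picked by the router.
show ip nat translations
!
! Same table with per-entry timers and flags (useful to see when a
! dynamic entry will age out).
show ip nat translations verbose
!
! Hit and miss counters plus the list of inside/outside interfaces;
! a growing miss count with no translations means ACL 1 is not matching.
show ip nat statistics
!
! Match counters on the NAT access list confirm which inside networks
! are actually triggering the overload.
show access-lists 1
!
! Flush all dynamic entries; the two static entries stay.
clear ip nat translation *
!
! Per-packet s= / d= translation trace. Lab use only: it logs every
! translated packet and will swamp a busy router.
debug ip nat
undebug all
```

A static entry that shows --- in the Pro column and no port, like the 1.1.1.2 line above, is a full one-to-one mapping and therefore a host with every port exposed; entries with a protocol and port are port forwards. Reviewing this table is a quick way to audit what a router is publishing.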
