Cisco IOS NAT on a Stick Configuration Example

This topic is to discuss the following lesson:

Hi,

Excellent article. I especially like this kind of setup because such setups are rare and force us to make our brains work harder.
I think there’s some kind of typo in the beginning, in the basic configuration of R2. The following line seems to be missing:

R2(config)#interface fa0/0
R2(config-if)#no shutdown
R2(config-if)#ip address 192.168.12.2 255.255.255.0

R2(config-if)#interface loopback 0       <- This one

R2(config-if)#ip address 2.2.2.2 255.255.255.0

Hi Steve,

Merci for letting me know, I just fixed it. I also like these kinds of scenarios, it really helps to understand the way Cisco IOS processes packets and makes us think a bit more.

Rene

Rene, you are a great person, thank you for all

Thank you as well David

Rene:

Brilliant article. Network Lessons is another great work done by you!!!

Continue this way, you are great!!!

Dear Rene,
Very thankful for your post; all of them are very good for me.
Happy New Year!!! RENE

Interesting and epic work, seems to me like one of the funky CCIE scenarios…

Glad to hear you like it. It’s something I encountered during my CCIE studies.

Thanks Klaus! Glad you like it!

Hi Rene,
I access a server. That server does not have a GW behind a router. How to config this NAT? (Please describe DNAT and Full NAT in a separate article.)

host-A-----------------R2-----------------SW-------Server

Hi Mostafa,

Take a look at this example:

https://networklessons.com/network-services/cisco-ios-nat-port-forwarding/

You can use the same example if you want 1:1 NAT without specifying specific port numbers.

Rene

Rene,

Great article! thanks for sharing.

I am wondering if there is a real world scenario where you would need to apply NAT on a Stick, especially the second exercise…

Thanks,

Jose

Hi Jose,

It’s unlikely to see this particular scenario…with the loopbacks, PBR and NAT it’s all a bit too much :slight_smile:

On the ASA it is common though. Sometimes you might encounter “hairpinning” (inside-to-inside NAT). The configuration is a bit more straightforward. Take a look at this example:

ASA Hairpinning internal webserver

Rene


Rene,

Great explanation!! :slight_smile:
You are awesome.

Thanks again bhargavi for your words. Your message has been forwarded to Rene.

Good learning.

Very interesting; but I have some questions.

* Question-1

I do not see the meaning of “PBR” in the lesson?

* Question-2

In the first scenario, the answer is returned by a “Reply” arrow. But in the second and third scenarios, the answer is returned by a “NAT” arrow. What is the difference between “Reply” and “NAT” answers?

Hello Maodo

If you notice after the second diagram, it states that any traceroute initiated from R1 to R2 will cause FastEthernet 0/0 to respond rather than going all the way to the loopback interface and back triggering a NAT translation. This is remedied by using PBR.

The difference is that in the first case, no NAT translations take place. After PBR is implemented, NAT translations take place, packets reach the loopback interface and are returned back to R1 having already gone through a NAT translation.

I hope this has been helpful!

Laz

Awesome article Rene! Thanks for putting it together. How about if we switch the INSIDE and OUTSIDE NAT interfaces and configure the NAT translation instead? That way, there won’t be a need to configure a local policy.

Topology
[R1]--------------(NAT OUTSIDE) [R2] ---- loopback0 (NAT INSIDE)

Configuration
ip nat inside source list 100 interface Loopback0 overload

Verification

 R1#traceroute 192.168.12.2 numeric
 Type escape sequence to abort.
 Tracing the route to 192.168.12.2 
 VRF info: (vrf in name/id, vrf out name/id)
 1 2.2.2.2 3 msec *  2 msec

Hello Haseeb

Your scenario does indeed fulfill the requirement of having the loopback respond in the traceroute. Thanks for sharing that!

One of the restrictions that was mentioned in the lesson is that we require traffic to flow from the inside interface to the outside interface such that the sender of the ICMP packets is on the inside of the network.

It’s always interesting to see multiple scenarios and thanks once again for sharing!

Laz