How to configure Static NAT on Cisco IOS Router

(Mohammad Hasanuz Zaman) #12

Dear Rene/Maher,

Thanks. Please correct me if I don't get you correctly …

IP NAT INSIDE: 1. The source IP will be rewritten to the inside global when traffic flows from inside to outside, and
2. the destination IP will be rewritten when traffic flows from outside to inside.

IP NAT OUTSIDE: 1. The source IP will be rewritten when traffic flows from outside to inside, and
2. the destination IP will be rewritten when traffic flows from inside to outside.

In which situation will we use IP NAT OUTSIDE? I am still confused. Could you please give some example or write a lesson on it? Thanks again.

br/
zaman

0 Likes

(Lazaros Agapides) #13

Hello Mohammad!

The IP NAT INSIDE command indicates that the interface in question is on the inside network. The IP NAT OUTSIDE command indicates that the interface in question is on the outside network. (I’m sure you got that down, I just want to start from the beginning.) Let’s say the IP address of the inside interface is 10.10.10.1/24 and that of the outside interface is 20.20.20.1/24.

Any traffic that enters the router on the inside interface and exits the router on the outside interface will have the following addresses changed:

The source address will change from 10.10.10.X to 20.20.20.1 and the destination address will be unchanged, where 10.10.10.X is the host on the inside network communicating with the outside world.

Any traffic that enters the router on the outside interface and exits on the inside interface will have the following address changed:

The source address will remain unchanged. The destination address will change from 20.20.20.1 to 10.10.10.X.

So, the purpose of the outside command on an interface is to indicate that this interface is participating in NAT and will have to make the appropriate changes to the source addresses when packets are traversing it.

I hope this has been helpful!

Laz

0 Likes

(Stanislav P) #14

Hi Rene,

Some of our customers use “extendable” at the end of the static NAT command.
Could you please explain what it means?
Thanks

0 Likes

(Rene Molenaar) #15

I figured it would be best to answer this with an example. Take a look here:

1 Like

(AZM U) #16

Hello Laz,
I have a question regarding NAT. I am going to use the below topology for my question.

In this topology, I have a 3560 switch that is acting as my edge device and is connected to the ISP through the Fa0/2 interface. Two firewalls and the edge switch are connected to the same segment (172.16.0.0/24) through the Layer 2 switch. ASA0 is using the 172.16.0.4 - 172.16.0.100 address block as the NATted IPs for some internal hosts that are using 10.0.0.0/24, and ASA1 is using the 172.16.0.101 - 172.16.0.200 address block as the NATted IPs for some other internal hosts that are using 10.10.0.0/24.

Question:

  1. Let’s say one of the internal hosts, 10.0.0.1, is being NATted to 172.16.0.10 on ASA0. When the edge switch sends out an ARP request to get the MAC address of the 172.168.0.10 IP address, how would ASA0 know it has to respond to the ARP request even though the IP is not attached to any interface? Why would ASA1 not respond to the same ARP request?

  2. Can ASA0 and ASA1 both use the same IP address (for instance 172.16.0.10) as a NATted IP for the internal hosts located behind them, on different ports? [For instance, in ASA0 some internal IPs (10.0.0.1-10.0.010) are taking traffic on 172.16.0.10 on port 80, and in ASA1 some internal IPs (10.10.0.1-10.10.0.10) are taking traffic on the same IP 172.16.0.10 on port 443.]

Thank you so much in advance.

0 Likes

(Lazaros Agapides) #17

Hello AZM

The ARP request would come from the 3560 router saying “I need the MAC address of the device which has an IP address of 172.16.0.10.” Because ASA0 is configured with the specific NAT configurations, it knows that it must respond to any ARP requests for addresses in the range of 172.16.0.4 to 172.16.0.100. Similarly, ASA1 knows that it is responsible for answering any ARP requests for addresses in the range of 172.16.0.101 to 172.16.0.200. When ASA1 gets the ARP request, it will discard it, while ASA0 will take it and answer with the appropriate MAC address.

No, this is not possible. If you configured both ASAs to NAT the same external IP address, for example, 172.16.0.10, then any ARP request coming from the 3560 for this IP address would be responded to by both ASAs. You would essentially have an IP address conflict on the subnet. In order to have this work, the two ASAs must be differentiated based on Port Number, something that cannot be achieved on layers 2 and 3.

I hope this has been helpful!

Laz

1 Like

(Mohammad Hasanuz Zaman) #18

Hi Rene,

Thanks. When will we use the “ip nat outside source static tcp 192.168.12.1 80 192.168.23.2 80” command in global configuration mode? Could you please share in which situation we can use it. Actually, I didn’t see any scenario where we used the “ip nat outside” command in global configuration mode [the global configuration mode command, not the interface-level one].

One more question …
Can we configure NAT on an L3 switch with full features and use SVIs as inside/outside interfaces?

br//zaman

0 Likes

(Rene Molenaar) #19

Hi @Zaman.rubd

ip nat outside source static translates:

* The source IP address from packets that are sent from the outside to the inside.
* The destination IP address for packets that are sent from the inside to the outside.

One example of how you can use this is if you have overlapping address space. For example, you can configure your router so that whenever a host on the inside sends something to destination 5.5.5.5, it gets translated to 192.168.1.5.

Most Cisco IOS switches don’t support NAT, only the higher end platforms like the 6500 do. Here’s an old document from Cisco that explains which switches support NAT:

0 Likes
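A small model of the two translation rules Rene lists above and the per-direction behaviour Laz described in #13, as an added example in Python rather than IOS CLI (not code from the thread or from Cisco): one static inside-source entry and one static outside-source entry are applied to a packet in each direction, and addresses are validated the way IOS would reject an impossible literal. The scenario addresses are taken from posts #19 and #22; the class and method names are my own.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

@dataclass
class StaticNat:
    # ip nat inside source static <inside-local> <inside-global>
    inside_source: dict = field(default_factory=dict)
    # ip nat outside source static <outside-global> <outside-local>
    outside_source: dict = field(default_factory=dict)

    @staticmethod
    def _check(*addrs):
        for a in addrs:
            ipaddress.ip_address(a)  # ValueError on junk such as 500.500.500.5

    def add_inside_source(self, inside_local, inside_global):
        self._check(inside_local, inside_global)
        self.inside_source[inside_local] = inside_global

    def add_outside_source(self, outside_global, outside_local):
        self._check(outside_global, outside_local)
        self.outside_source[outside_global] = outside_local

    def inside_to_outside(self, pkt):
        # Entered an 'ip nat inside' interface, leaves an 'ip nat outside' one:
        # inside source rewrites the SOURCE (inside local -> inside global),
        # outside source rewrites the DESTINATION (outside local -> outside global).
        local_to_global = {loc: glob for glob, loc in self.outside_source.items()}
        return Packet(self.inside_source.get(pkt.src, pkt.src),
                      local_to_global.get(pkt.dst, pkt.dst))

    def outside_to_inside(self, pkt):
        # Return direction, same two entries applied in reverse:
        # outside source rewrites the SOURCE (outside global -> outside local),
        # inside source rewrites the DESTINATION (inside global -> inside local).
        global_to_local = {glob: loc for loc, glob in self.inside_source.items()}
        return Packet(self.outside_source.get(pkt.src, pkt.src),
                      global_to_local.get(pkt.dst, pkt.dst))

def demo():
    # Constructed scenario: inside host 192.168.12.1 is presented outside as 2.2.2.1
    # (post #22); outside host 192.168.1.5 is presented inside as 5.5.5.5 (post #19).
    nat = StaticNat()
    nat.add_inside_source("192.168.12.1", "2.2.2.1")
    nat.add_outside_source("192.168.1.5", "5.5.5.5")
    out = nat.inside_to_outside(Packet("192.168.12.1", "5.5.5.5"))
    return out, nat.outside_to_inside(Packet(out.dst, out.src))  # reply packet
```

Packets that match no entry pass through unchanged, which is also what the router does for an address not covered by a static statement.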

(Rene Molenaar) #20

Here’s an example from Cisco btw:

0 Likes

(MAODO T) #21

I did a slightly more sophisticated static NAT lab. I want to validate something with you about the addresses in the following command: ip nat inside source static w.x.y.z a.b.c.d.

It seems a.b.c.d must be the address that is configured on the same network interface as the ip nat outside command?

NAT(config)#interface fastEthernet 0/0
NAT(config-if)#ip nat outside
NAT(config-if)#ip add **a.b.c.d ...** 

For w.x.y.z, it seems that any inside address routable to the NAT does work?

0 Likes

(Rene Molenaar) #22

Hi @kayoutoure,

With the ip nat inside source static command, you’ll need an inside local + inside global address. The inside local can be any address that is routable on the inside. For the inside global address, you can pick any IP address that falls within the network of any of your interfaces that has the ip nat outside command. Usually, you’ll pick the IP address on your outside interface, but this is not really required. For example, this also works:

Let’s create a new loopback:

NAT(config)#interface loopback 0
NAT(config-if)#ip nat outside 
NAT(config-if)#ip address 2.2.2.2 255.255.255.0

NAT(config)#ip nat inside source static 192.168.12.1 2.2.2.1 

2.2.2.1 belongs to the 2.2.2.0/24 network on loopback 0. Let’s enable a debug on the “host”:

HOST#debug ip packet 
IP packet debugging is on

And do a quick ping:

WEB1#ping 2.2.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 6/7/9 ms

Which works:

HOST#
IP: s=192.168.23.3 (GigabitEthernet0/1), d=192.168.12.1, len 100, input feature, MCI Check(109), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

0 Likes

(MAODO T) #23

Ok. I see.

By the way (if you have time to correct it): you are using the router names R1, R2, R3, while the schema is using Host, NAT, Web1.

0 Likes

(Rene Molenaar) #24

You are right, just fixed it :slight_smile:

0 Likes

(Olof L) #25

Just a little typo I guess. “on” not “no” in the first sentence?

0 Likes

(Rene Molenaar) #26

Hi Olof,

That’s a typo yes :smile: Thanks for letting me know, I just fixed it.

Rene

0 Likes

(Manami B) #27

Hi Rene,

What will happen if we configure it like this:

interface xxx
ip nat inside
ip nat outside source static a.a.a.a b.b.b.b

interface yyy
ip nat outside
ip nat inside source static c.c.c.c d.d.d.d

Will it work at all, and if it does work, what would the packet flow be?

0 Likes

(Manami B) #28

Okay, another doubt of mine:

For the Cisco VASI configuration, what we are doing is:

interface Physical_Interface1 (may be the LAN interface)
ip nat inside
interface VasiLeft1
ip nat outside
ip nat inside source static 1.1.1.1 100.100.100.100.1
ip nat outside source static 2.2.2.2 200.200.200.2

interface VasiRight1
ip nat inside source static 5.5.5.5 500.500.500.5
ip nat outside source static 6.6.6.6 600.600.600.6

Please correct me if I am wrong:

When traffic enters “Physical_Interface1” it will translate the LAN-side IP as per the “ip nat inside” command and forward it to the VasiLeft1 interface. Here it is marked as “outside”, so it is sent on to VasiRight1 as usual.

My doubt is: what will it do with the “inside NAT statement” here on the VasiLeft1 interface?

It reaches VasiRight1 automatically.

Now here again we see “inside” and “outside” NAT statements. What would the traffic flow be?

For return traffic:

Where will it D-NAT? On VasiRight or on VasiLeft?

It should be on only one of the interfaces, not on both. Why are we configuring combined “inside” and “outside” NAT statements on both interfaces, VasiRight and VasiLeft?

I am totally confused about the packet flow.

I will eagerly wait for your answer.

0 Likes

(Lazaros Agapides) #29

Hello Manami

I assume in your example you mean the following:

router(config)#interface xxx
router(config-if)#ip nat inside
router(config-if)#exit
router(config)#ip nat outside source static a.a.a.a b.b.b.b

router(config)#interface yyy
router(config-if)#ip nat outside
router(config-if)#exit
router(config)#ip nat inside source static c.c.c.c d.d.d.d

I’ve never actually configured something like this, but I don’t see why it wouldn’t work. You may have some restrictions as to the IP addresses being used. I suggest you try it out in a lab environment and see what happens. Share your results with us if you can.

I hope this has been helpful!

Laz

0 Likes

(Troy H) #30

I’m still trying to understand this lesson, but please allow me a quick question regarding “overlapping” networks, where multiple networks share common IP addresses.

If I need to connect multiple different networks together, but they share a common IP scheme (192.168.115.0/24), can I do that with NAT?

Thanks, I am trying to find the practical solution for a real-world problem.

Troy

0 Likes

(Lazaros Agapides) #31

Hello Troy

In the specific reference to overlapping address spaces, what is being referred to here is if you have an inside network address that is the same as an address on the outside.

For this specific question, you’ll have to be a little more specific. Are these multiple different networks remote locations all using the same private address space of 192.168.115.0/24 internally? When you say connect them together, what do you want to achieve? Have each network have access to all other networks as if they were in the same physical location or just have access to specific resources at each location such as a web or email server?

In general, NAT is not a technology used to connect remote networks, but allows the use of one address scheme on the “inside” network to be translated to another on the “outside” network. The inside network is almost always a private address scheme while the outside network is almost always the Internet.

For connectivity between remote sites, technologies such as VPNs are an option for remote connectivity, but this will require even internal address schemes to be unique. If they are not unique, NAT can be employed to translate appropriately but this becomes unnecessarily complex for a relatively simple solution.

I hope this gives you some insight into what you need to do. Feel free to comment or provide additional information so we can look into the issue in more detail.

I hope this has been helpful!

Laz

0 Likes