How to configure Static NAT on Cisco IOS Router

Thanks for these questions, Laz–and the opportunity to learn from this exercise.

These are multiple devices per site, each utilizing the same static IP scheme–changing it is not practical. Each device does not and should not communicate with any other, but I need to access each client on each device in order to scan them. The scanner will run on a server, to be installed at each site. The WAN provider has given me 200 addresses for each site, and those are the addresses I will use to reach each client.

I intend to subnet those 200 addresses into seven /27 networks, enough for six devices and a few addresses left over for management. The static IPs on the devices are contiguous (.1-.25) within the local 192.168.115.0/24 address space. The problem I am trying to solve is to transcend the “public” IPs and reach the local IPs remotely. Is this possible with NAT? If so, can it be done on the router in the diagram? Or do I need additional L3 devices between the switches?

[Image: network_layout]

Troy

Hello Troy

Can you clarify the following:

  1. The scanner will run on a server to be installed at each site. Will this scanner have an internal IP address of the form 192.168.115.X?
  2. The 200 addresses, are those routable? i.e. not private?
  3. You say that the WAN provider has given you 200 addresses for each site. That’s 200 for each site?
  4. Where is the central device from which you want to access all of the internal clients? What is its IP address?
  5. What role do the servers at each site play? Not sure I understood that part.

At first glance, what you will require is some NAT translation with port forwarding so that you can access each individual client, but I must more fully understand the network topology before I can answer.

I await your response!

Laz

My preference would be to keep the scanner off the 192.168.115.x network, but instead route its 172 address to all the clients on site. Yes, I have 200 addresses at each site and can route to them from a central server at a different site (i.e. 172.168.22.195), for the purpose of initiating and collecting the scans at all of the other sites.

Ideally, I want a one-to-one translation between the local 192.168.115.1-30 to a 172.168.23.1-30 public address. Then repeat that scheme for the next one on site–192.168.115.1-30 can be reached from the outside by 172.168.23.33-62, and so on. Is NAT right for me?

Troy

Hello Troy

Sorry for the late response. If you have a one to one relationship between the internal and external IP addresses for the clients, then yes, NAT would work for what you want to do. Sounds like an interesting setup, let us know how it goes!

I hope this has been helpful!

Laz

The following config is on a C891F-K9 in a production network. My question is why they configured the ip nat static with the route-map option.

router#sh running-config interface g8
Building configuration...

Current configuration : 357 bytes
!
interface GigabitEthernet8
 description WAN
 bandwidth 512
 bandwidth receive 3000
 ip address x.x.x.x 255.255.255.248
 ip access-group BLOCK_RECURSIVE in
 ip nat outside
 ip ips myips in
 ip virtual-reassembly in
 zone-member security INTERNET-ZONE
 duplex auto
 speed auto
 crypto map primarymap
 service-policy output MP_STD_4QUEUE
end

ip nat inside source static 10.1.1.1 10.87.11.11 route-map NAT_MAP

route-map NAT_MAP permit 10
 match ip address NAT_LIST
 match interface GigabitEthernet8

ip access-list extended NAT_LIST
 deny   ip 10.0.0.0 0.255.255.255 168.182.0.0 0.0.255.255
 deny   ip 10.0.0.128 0.255.255.63 any
 permit ip 10.0.0.0 0.255.255.255 any

Hello Mohanad

Using a route map to define a static NAT is helpful because it adds a lot of flexibility. You can easily adjust which addresses are allowed and which are not. This is especially the case for one to one static NAT like the one you show in your post where users from the Internet (or from the outside network) can directly access the device on the inside via this static NAT translation. By adding the route-map and placing entries in the associated access list, you are blocking incoming requests from the specific IPs that are listed there.

You can limit and filter who has access from the outside to the device you are translating to. This is typical good practice especially when this is something that you want to adjust over the days and months of its operation.

I hope this has been helpful!

Laz

Please check under the NAT Router: this configuration has the wrong IPs listed… they have

!
interface FastEthernet0/0
 ip address 192.18.23.2 255.255.255.0
 ip nat outside
!
interface FastEthernet1/0
 ip address 192.18.12.2 255.255.255.0
 ip nat inside

I am having problems with the PAT so I came to this one to back track and so I had just copied the configs from the config tabs.

That is why it’s not working for people!!!

should be 192.“168”.x.x on both

Ok I have tested this one and it works…. minus the changes that need to be made that I posted above. I also did no ip routing on the Web server… before I did that I could not ping from host to web but after I did that I could… odd!

Hello Brian

Thanks for catching that, I’ll let Rene know!

Laz

Is there a tangible difference between

ip nat inside source static 192.168.12.1 192.168.23.2

and

ip nat outside source static 192.168.23.2 192.168.12.1

?

Hello Chris,

There is:

ip nat inside source:

  • Translates the source IP address of packets that travel from inside to outside.
  • Translates the destination IP address of packets that travel from outside to inside.

ip nat outside source:

  • Translates the source IP address of packets that travel from outside to inside.
  • Translates the destination IP address of packets that travel from inside to outside.

So in your first example: source IP address 192.168.12.1 is translated to 192.168.23.2 when it translates from inside to outside. Destination IP address 192.168.23.2 is translated to 192.168.12.1 when the packet travels from outside to inside.

In the second example, we translate source IP address 192.168.23.2 to 192.168.12.1 when the packet travels from the outside to the inside. We translate destination IP address 192.168.12.1 to 192.168.23.2 when the return packet travels from the inside to the outside.

This question comes up every now and then so I decided to create some examples for it:

https://networklessons.com/cisco/ccie-routing-switching/ip-nat-inside-source-vs-ip-nat-outside-source/

Hope this helps!

Rene
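An added model, not code from the thread, of the two commands Chris asked about: each entry rewrites the source address first-to-second in the direction the command is named after, and the destination second-to-first on the way back. The hosts 192.168.23.3 and 192.168.12.5 are constructed for the demonstration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass(frozen=True)
class StaticNat:
    """One static entry. kind is 'inside' for 'ip nat inside source static
    FIRST SECOND' and 'outside' for 'ip nat outside source static FIRST SECOND'."""
    kind: str
    first: str
    second: str

    def translate(self, pkt: Packet, direction: str) -> Packet:
        """direction is 'in2out' or 'out2in' as seen by the NAT router."""
        # Source is rewritten FIRST -> SECOND in the direction the command is
        # named after; destination SECOND -> FIRST on the return leg. Packets
        # matching neither address pass through untouched.
        forward = "in2out" if self.kind == "inside" else "out2in"
        if direction == forward and pkt.src == self.first:
            return Packet(self.second, pkt.dst)
        if direction != forward and pkt.dst == self.second:
            return Packet(pkt.src, self.first)
        return pkt


# The two commands from the question, modelled as entries.
INSIDE_RULE = StaticNat("inside", "192.168.12.1", "192.168.23.2")
OUTSIDE_RULE = StaticNat("outside", "192.168.23.2", "192.168.12.1")


def round_trip(rule: StaticNat, pkt: Packet, first_leg: str):
    """Apply the rule to a packet on its first leg and to the reply coming back."""
    out = rule.translate(pkt, first_leg)
    reply = Packet(out.dst, out.src)            # the far end answers what it saw
    back = "out2in" if first_leg == "in2out" else "in2out"
    return out, rule.translate(reply, back)


if __name__ == "__main__":
    # Inside host 192.168.12.1 talks to constructed outside host 192.168.23.3.
    print(round_trip(INSIDE_RULE, Packet("192.168.12.1", "192.168.23.3"), "in2out"))
    # Outside host 192.168.23.2 talks to constructed inside host 192.168.12.5.
    print(round_trip(OUTSIDE_RULE, Packet("192.168.23.2", "192.168.12.5"), "out2in"))
```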

Hello there,

Just joined the community and already struggling with a lesson :slight_smile:
I cannot configure ip nat commands on a physical interface of a C3560 multilayer switch. I can configure it on a VLAN interface but not e.g. on Gi0/1. The CLI just doesn’t recognize the ip nat inside command.
The lab is running in Packet Tracer 7.2.2.0418. Is that a limitation of the switch or the virtual environment?

Hello Andy

NAT can only be applied to a Layer 3 interface. That means that it can only be applied to a VLAN interface (SVI) or a physical interface for which the command no switchport has been applied. This command converts a physical interface from a layer 2 to a layer 3 interface. Once that is done, you will see that the ip nat commands are enabled.

I hope this has been helpful!

Laz

Hi Rene,

Can you let me know: if we have configured one-to-one NAT with a route-map and the outside server has initiated the traffic, will that check the route-map for outbound traffic?

Scenario

Clients  MPLS  FIS DC

Clients Real IP : 192.168.6.0/24
Clients NAT Range : 10.27.195.0 /24
FIS DC IP : 10.29.154.4
209.149.158.0 0.0.0.15
10.96.18.0 0.0.0.255
10.96.140.0 0.0.1.255
10.96.202.0 0.0.0.255
10.96.72.0 0.0.7.255
199.38.140.0 0.0.0.255
156.55.112.0 0.0.7.255
10.121.8.0 0.0.3.255
10.118.27.40 0.0.0.7
10.118.32.0 0.0.31.255
10.118.154.0 0.0.1.255
10.118.184.0 0.0.7.255

Situation 1 :- FIS DC is initiating Traffic
Situation 2 : Clients different Branch offices are initiating traffic

Configuration done on Client side (NOT ON FIS SIDE)

route-map FIS_TRAFFIC permit 10
 match ip address 102
!
ip access-list extended 102
 deny ip host 10.29.154.4 any
 permit ip any 209.149.158.0 0.0.0.15
 permit ip any 10.96.18.0 0.0.0.255
 permit ip any 10.96.140.0 0.0.1.255
 permit ip any 10.96.202.0 0.0.0.255
 permit ip any 10.96.72.0 0.0.7.255
 permit ip any 199.38.140.0 0.0.0.255
 permit ip any 156.55.112.0 0.0.7.255
 permit ip any 10.121.8.0 0.0.3.255
 permit ip any 10.118.27.40 0.0.0.7
 permit ip any 10.118.32.0 0.0.31.255
 permit ip any 10.118.154.0 0.0.1.255
 permit ip any 10.118.184.0 0.0.7.255
 permit ip 209.149.158.0 0.0.0.15 10.27.195.0 0.0.0.255
 permit ip 192.168.6.0 0.0.0.255 209.149.158.0 0.0.0.15
!
ip nat inside source static network 192.168.6.0 10.27.195.0 /24 route-map FIS_TRAFFIC

Situation 1: If FIS DC has initiated the traffic, will the static NAT rule and route-map be checked for the outbound traffic and do the translation, or will the return traffic be matched by the static NAT rule???

Hello Manami

When you configure NAT using route maps, what you are actually implementing is called Policy NAT. This allows you to create more specific NAT rules as you have done with your route maps. In this case, your NAT rule will translate from the inside network 192.168.6.0 to the outside network 10.27.195.0 /24 so any traffic originating from FIS (which from what I understand is outside) will not be translated, and will not be matched to the route map.

Take a look at this lesson for more information about policy NAT:

In order to allow outside hosts to reach inside devices, you will have to take a look at the following lesson:

I hope this has been helpful!

Laz

Hi,

When I’m learning NAT, I’m always confused by the correlation between NAT and routing. Would you please explain how routing fits into NAT? The other question is: if we want to apply a filter, how do we know whether we should choose the real IP or the mapped IP?

Thank you very much for your help,

Hello Helen

NAT involves the translation of source and/or destination IP addresses in the header of an IP packet as it traverses a NAT router. The NAT router simply changes the IP address in the header of the packet according to the configured NAT rules.

Now NAT and routing are two different operations, but when they are both occurring in a network, it can be confusing as to what the role of each is. To help us, let’s take a look at the following diagram:


Notice here that there is a PC connected to an internal enterprise network, which is connected to the NAT router. The NAT router is in turn, connected to the Internet. The PC wants to communicate with the Web Server. Now remember, that routing is applied based on the destination IP found in the header of the IP packet.

The PC will send a packet to the web server using the web server’s IP address as the destination IP. Routing will take place in the LAN based on the destination IP, and the packet will thus be routed to the NAT router. The NAT router will translate the source IP address (that of the PC) to a public IP address. Note that the destination IP has not been changed. The NAT router sends the packet to the next hop router, through the Internet, and it is routed until it reaches the web server.

Notice that the destination IP did not change for the full extent of the journey from PC to web server. The source IP did change, due to NAT.

Now on the return trip, the destination IP address will be that of the NAT’ed address of the PC, that is, the public address to which the PC’s private address was translated. Routing within the Internet will bring that packet to the NAT router. Once it reaches the NAT router, this address is translated to the private address of the PC. Based on this new destination address, the routing continues as the NAT router sends it into the enterprise network, until it reaches the PC.

So you can see that the routing procedure takes place “on either side of the NAT router” and always uses the destination address of the IP packet. If that destination address doesn’t change (from PC to Server), the routing simply continues. If it does change (Server to PC), then the new destination address is used to continue the routing process.

This is an excellent question, and it depends upon what is known as NAT order of operations. When a packet comes into a NAT router, what is applied first? The translation? ACL filtering? routing? An excellent document that clearly states which operations are applied when for NAT is the following:


Here you can see for each direction (outside to inside, and vice versa) what takes place. For both directions, input access lists are applied before translation, while output access lists are applied after translation. Take a look at the document for more details.

I hope this has been helpful!

Laz
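An added example, not from the thread or the document Laz refers to, that models the order he quotes (input ACL, then translation, then output ACL) for one ip nat inside source static entry, so that Helen's second question gets a concrete answer: which address a filter must name depends on whether it runs before or after the translation. All addresses are constructed.

```python
# Constructed addresses: the inside host's real address and the address the
# static entry maps it to on the outside.
INSIDE_LOCAL = "10.1.1.1"
INSIDE_GLOBAL = "203.0.113.10"
OUTSIDE_HOST = "198.51.100.7"


def translate(src, dst, direction):
    """One entry: 'ip nat inside source static INSIDE_LOCAL INSIDE_GLOBAL'."""
    if direction == "in2out" and src == INSIDE_LOCAL:
        return INSIDE_GLOBAL, dst
    if direction == "out2in" and dst == INSIDE_GLOBAL:
        return src, INSIDE_LOCAL
    return src, dst


def acl_permits(acl, src, dst):
    """acl is a list of (action, src_match, dst_match); 'any' matches
    everything; first match wins; unmatched traffic hits the implicit deny."""
    for action, s, d in acl:
        if s in ("any", src) and d in ("any", dst):
            return action == "permit"
    return False


def forward(src, dst, direction, in_acl=None, out_acl=None):
    """Push one packet through input ACL -> translation -> output ACL and
    report where it stopped, plus the addresses the last stage saw."""
    if in_acl is not None and not acl_permits(in_acl, src, dst):
        return "dropped by input ACL", (src, dst)       # pre-NAT addresses
    src, dst = translate(src, dst, direction)
    if out_acl is not None and not acl_permits(out_acl, src, dst):
        return "dropped by output ACL", (src, dst)      # post-NAT addresses
    return "forwarded", (src, dst)


if __name__ == "__main__":
    # Outside -> inside: an inbound filter on the outside interface runs before
    # translation, so naming the real (local) address never matches.
    print(forward(OUTSIDE_HOST, INSIDE_GLOBAL, "out2in", in_acl=[("permit", "any", INSIDE_LOCAL)]))
    print(forward(OUTSIDE_HOST, INSIDE_GLOBAL, "out2in", in_acl=[("permit", "any", INSIDE_GLOBAL)]))
    # An outbound filter on the inside interface runs after translation and
    # therefore must name the real address.
    print(forward(OUTSIDE_HOST, INSIDE_GLOBAL, "out2in", out_acl=[("permit", "any", INSIDE_LOCAL)]))
    # Inside -> outside is the mirror image: the outbound filter on the outside
    # interface sees the mapped source.
    print(forward(INSIDE_LOCAL, OUTSIDE_HOST, "in2out", out_acl=[("permit", INSIDE_GLOBAL, "any")]))
```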

Thank you very much Laz.


Hi Rene/Laz,

Can you clarify if there is any limitation of NATing on opposite sides.

All routers are connected using OSPF. I have 4 loopbacks on R3 (1.1.1.X/32) and R4 (2.2.2.X/32). I have implemented PAT on routers R1 and R2. The configs are as follows:

R1:

interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.248
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 media-type rj45
interface GigabitEthernet0/1
 ip address 10.0.0.1 255.255.255.248
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
 media-type rj45

ip nat inside source list 10 interface GigabitEthernet0/0 overload
access-list 10 permit 10.0.0.0 0.0.0.7
access-list 10 permit 1.1.1.0 0.0.0.255
access-list 10 permit any

R2:

interface GigabitEthernet0/0
 ip address 192.168.1.2 255.255.255.248
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 media-type rj45

interface GigabitEthernet0/1
 ip address 11.0.0.1 255.255.255.248
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
 media-type rj45

ip nat inside source list 10 interface GigabitEthernet0/0 overload
access-list 10 permit 11.0.0.0 0.0.0.7
access-list 10 permit 2.2.2.0 0.0.0.255
access-list 10 permit any

If I don’t do PAT on one of the sides it works just fine; upon PATing on both sides, R3 is not able to ping R4 and vice versa. From my understanding, if R3 tries to ping R4 the packet flow should be as follows:

R3: 1.1.1.1 (S) ping 2.2.2.2 (D)
R1: 1.1.1.1 -> 192.168.1.1(S) while exiting interface gi0/0 to 2.2.2.2 (D)
R2: 192.168.1.1(S) -> 2.2.2.2(D)
R4: 2.2.2.2(S) -> 192.168.1.1(D)
R2: 2.2.2.2->192.168.1.2(S) ->192.168.1.1(D)
R1: 192.168.1.2(S)-> 1.1.1.1(D)

I am assuming that R1 and R2 will be stateful while performing NAT or PAT, although I am not really sure, but I think this is how they remember the different ports assigned to different internal IPs.

Attaching Screen captures of debug messages.

Can you help me find where exactly I am going wrong, or where my understanding of NATing is not right? Thanks a ton in advance.

Hello Teja

The behaviour that you are describing makes sense. NAT, especially with the “overload” feature (PAT), is designed to enable many devices on the inside to communicate with devices on the outside. Unless special provisioning is implemented, this communication must be initiated by the hosts on the inside, and any return traffic will be allowed in, due to the stateful nature of NAT. That is, it detects that the return traffic is a response to the original request, and “allows” that traffic in. Any traffic that originates on the outside will not be allowed in, by default.

Let’s take a look at your topology:
[Image: topology]
Any traffic originating from R3 to R4 will be successfully NAT’ed at R1, will reach R2, and will be dropped. This is because, from the point of view of R2, this traffic originated on the outside. There is no stateful entry in the translation table that indicates that this is return traffic, so it is dropped. The same goes for traffic from R4 trying to reach R3, it will be dropped at R1, because it originated on the outside.

If you disable PAT on either R2 or R3, then the communication is successful, because there is no attempt for translation from outside to inside, but the packets are simply routed.

This example you shared highlights the difficulties involved in implementing end to end services between sites that run NAT on both ends. In order to successfully implement such communication, it is necessary to use features such as port forwarding.

I hope this has been helpful!

Laz
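An added model, not code from the thread, of the stateful PAT table behaviour Laz describes: each PAT router records inside-initiated flows together with the outside peer (as the extended entries IOS creates for overload do) and treats an outside-initiated packet with no matching entry as undeliverable. Addresses are Teja's; the ports are constructed.

```python
import itertools


class PatRouter:
    """One router running 'ip nat inside source list ... interface X overload'."""

    def __init__(self, name, outside_ip):
        self.name = name
        self.outside_ip = outside_ip
        self.ports = itertools.count(1024)    # constructed mapped-port allocator
        self.table = {}   # (inside local ip, local port, outside peer) -> mapped port

    def inside_to_outside(self, src, sport, dst, dport):
        """Packet leaving via the outside interface: create or reuse the
        translation and rewrite the source to the outside address:port."""
        key = (src, sport, dst)
        if key not in self.table:
            self.table[key] = next(self.ports)
        return self.outside_ip, self.table[key], dst, dport

    def outside_to_inside(self, src, sport, dst, dport):
        """Packet arriving on the outside interface: only undone when an entry
        for this mapped port AND this peer exists; otherwise None, because no
        inside host asked for this traffic."""
        if dst != self.outside_ip:
            return None
        for (lip, lport, peer), gport in self.table.items():
            if gport == dport and peer == src:
                return src, sport, lip, lport
        return None


def single_side_round_trip():
    """R3 (1.1.1.1) reaches R4 (2.2.2.2) with PAT only on R1: R4's reply
    matches the entry R1 created on the way out."""
    r1 = PatRouter("R1", "192.168.1.1")
    out = r1.inside_to_outside("1.1.1.1", 40000, "2.2.2.2", 80)
    reply = (out[2], out[3], out[0], out[1])          # R4 answers what it saw
    return out, r1.outside_to_inside(*reply)


def pat_on_both_sides():
    """Same flow with PAT on R1 and R2: the packet arrives on R2's outside
    interface with no entry behind it, so it never reaches R4."""
    r1 = PatRouter("R1", "192.168.1.1")
    r2 = PatRouter("R2", "192.168.1.2")
    out = r1.inside_to_outside("1.1.1.1", 40000, "2.2.2.2", 80)
    return r2.outside_to_inside(*out)
```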


Thanks a lot Laz. It’s clear now.