With the traffic rules in place next will come getting NAT rules set up. In a nutshell Network Address Translation (NAT) is what converts internal IPs to public IPs, which allows internal machines to communicate on the internet.
With the IWAN design part of what I want to accomplish is to allow any internal site to be able to route through to another site in the event of an ISP failure. To accomplish this the scope of the NAT rules will be expanded to cover all private IP ranges. Getting NAT set up is pretty simple, though there are a number of steps.
- Define inside and outside interfaces
- Create ACL to define source machines
- Create route map for source machines
- Create NAT statement
- Create an ACL for traffic destined for inside
- Create route map to route traffic from internet to inside
- Apply the route map to the outside interface
- Create default route outbound
The NAT config will all be done via CLI, and it will all be from a config prompt.
The NAT inside interface would be the interface connected to the private side of your network, and the outside would be facing the public interface. This is where the address translation will be taking place. The interfaces in red may need to be modified to match your deployment.
int gi0/0/0 ip nat inside
int gi0/0/1 ip nat outside
The next step is creating the ACL to define all inside networks. Adjust this as needed.
ip access-list extended Inside_IPs
permit ip 10.0.0.0 0.255.255.255 any
permit ip 172.16.0.0 0.15.255.255 any
permit ip 192.168.0.0 0.0.255.255 any
Then a route map is created with the previous ACL and the interface being used.
route-map NAT-Inside permit 10
match ip address Inside_IPs
match interface GigabitEthernet0/0/1
Next would be NAT statement. In it we specify that traffic from the inside interface that matches the route map is translated to the outside interface (and uses the IP of that interface), and “overload” means that it will be a many-to-one NAT. Since it is many-to-one we are allowing multiple inside machines to use the single outside IP, and the router tracks the traffic by altering the source port and matching the return traffic.
ip nat inside source route-map NAT-Inside interface GigabitEthernet0/0/1 overload
That concludes the actual NAT portion, but without the related routing it really doesn’t help. So there are two routes that are needed. One to get the traffic out and the other to get traffic back in. We’ll start with the return traffic. First we need a ACL to define the traffic coming back in.
ip access-list extended InternalNetworks
permit ip any 10.0.0.0 0.255.255.255
permit ip any 172.16.0.0 0.15.255.255
permit ip any 192.168.0.0 0.0.255.255
Then we create a route map for it.
route-map Internet-Internal permit 10
description Return routing for Local Internet Access
match ip address InternalNetworks
That route map is then applied to our external interface
ip policy route-map Internet-Internal
The last step is to create the default route from the inside to get to the outside.
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/1 Next_Hop_IP
Now internal machines should have internet access. Here are a few commands that help with troubleshooting if there are issues:
show ip nat translation (shows current NAT translations)
clear ip nat translation * (clears all current translations, which is helpful if the NAT statement needs to be changed.)