
Cisco ISR Project – NAT rules (10 of ?)

With the traffic rules in place next will come getting NAT rules set up.  In a nutshell Network Address Translation (NAT) is what converts internal IPs to public IPs, which allows internal machines to communicate on the internet.

With the IWAN design part of what I want to accomplish is to allow any internal site to be able to route through to another site in the event of an ISP failure.  To accomplish this the scope of the NAT rules will be expanded to cover all private IP ranges.  Getting NAT set up is pretty simple, though there are a number of steps.

  1. Define inside and outside interfaces
  2. Create ACL to define source machines
  3. Create route map for source machines
  4. Create NAT statement
  5. Create an ACL for traffic destined for inside
  6. Create route map to route traffic from internet to inside
  7. Apply the route map to the outside interface
  8. Create default route outbound

The NAT config will all be done via CLI, and it will all be from a config prompt.

The NAT inside interface is the interface connected to the private side of your network, and the outside interface faces the public side.  This is where the address translation takes place.  The interface names below may need to be modified to match your deployment.

int gi0/0/0
    ip nat inside

int gi0/0/1
    ip nat outside

The next step is creating the ACL that defines all inside networks.  Following the goal above, it covers the three RFC 1918 private ranges as the source.  Adjust this as needed.

ip access-list extended Inside_IPs
    permit ip 10.0.0.0 0.255.255.255 any
    permit ip 172.16.0.0 0.15.255.255 any
    permit ip 192.168.0.0 0.0.255.255 any

Then a route map is created with the previous ACL and the interface being used.

route-map NAT-Inside permit 10
    match ip address Inside_IPs
    match interface GigabitEthernet0/0/1

Next is the NAT statement.  In it we specify that traffic from the inside interface that matches the route map is translated to the outside interface (and uses the IP of that interface), and “overload” means that it will be a many-to-one NAT.  Since it is many-to-one we are allowing multiple inside machines to use the single outside IP, and the router tracks the traffic by altering the source port and matching the return traffic.

ip nat inside source route-map NAT-Inside interface GigabitEthernet0/0/1 overload
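To make the "overload" behaviour concrete, here is a small Python model of the translation table the router keeps for a many-to-one NAT.  It is an added example written for this post, not code from the original article or from Cisco; the outside address 203.0.113.10, the inside hosts and the port range are constructed values.  It shows the two things the paragraph above describes: an outbound flow gets its source rewritten to the outside IP and a global port (kept equal to the inside port when free, otherwise reassigned), and an inbound packet is only forwarded when it matches an existing entry, so unsolicited traffic from the internet has nowhere to go.

```python
from dataclasses import dataclass, field
from itertools import chain
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """Addressing of one packet: protocol, source and destination."""
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class PatTable:
    """Minimal model of an IOS 'overload' (PAT) translation table.

    Each entry is keyed on the global port plus the outside peer, which is
    what lets one public IP serve many inside hosts: the rewritten source
    port is what maps a reply back to the right inside host.
    """
    outside_ip: str
    port_min: int = 1024
    port_max: int = 65535
    # (proto, global_port, peer_ip, peer_port) -> (inside_ip, inside_port)
    _entries: Dict[Tuple[str, int, str, int], Tuple[str, int]] = field(default_factory=dict)

    def _existing_global_port(self, flow: Flow) -> Optional[int]:
        """Global port already assigned to exactly this flow, if any."""
        for (proto, gport, peer_ip, peer_port), (iip, iport) in self._entries.items():
            if (proto, peer_ip, peer_port, iip, iport) == (
                flow.proto, flow.dst_ip, flow.dst_port, flow.src_ip, flow.src_port
            ):
                return gport
        return None

    def _allocate(self, flow: Flow) -> int:
        """Keep the inside source port when it is free, otherwise take the first free one."""
        for candidate in chain([flow.src_port], range(self.port_min, self.port_max + 1)):
            in_range = self.port_min <= candidate <= self.port_max
            if in_range and (flow.proto, candidate, flow.dst_ip, flow.dst_port) not in self._entries:
                return candidate
        raise RuntimeError("translation table exhausted: no free global port")

    def translate_outbound(self, flow: Flow) -> Flow:
        """Inside -> outside: source becomes the outside IP and a global port."""
        gport = self._existing_global_port(flow)
        if gport is None:
            gport = self._allocate(flow)
            self._entries[(flow.proto, gport, flow.dst_ip, flow.dst_port)] = (flow.src_ip, flow.src_port)
        return Flow(flow.proto, self.outside_ip, gport, flow.dst_ip, flow.dst_port)

    def translate_inbound(self, flow: Flow) -> Optional[Flow]:
        """Outside -> inside: only packets matching an existing entry are forwarded."""
        if flow.dst_ip != self.outside_ip:
            return None
        entry = self._entries.get((flow.proto, flow.dst_port, flow.src_ip, flow.src_port))
        if entry is None:
            return None  # no translation exists, so the packet is dropped
        inside_ip, inside_port = entry
        return Flow(flow.proto, flow.src_ip, flow.src_port, inside_ip, inside_port)

    def show_translations(self) -> List[str]:
        """Rows in the spirit of 'show ip nat translation' (layout is constructed)."""
        rows = []
        for (proto, gport, peer_ip, peer_port), (iip, iport) in sorted(self._entries.items()):
            rows.append(f"{proto} {self.outside_ip}:{gport} {iip}:{iport} "
                        f"{peer_ip}:{peer_port} {peer_ip}:{peer_port}")
        return rows


def demo() -> PatTable:
    """Two inside hosts using the same source port toward the same server."""
    nat = PatTable("203.0.113.10")  # constructed outside address for gi0/0/1
    nat.translate_outbound(Flow("tcp", "10.0.0.5", 49152, "198.51.100.20", 443))
    nat.translate_outbound(Flow("tcp", "192.168.1.7", 49152, "198.51.100.20", 443))
    return nat


if __name__ == "__main__":
    for row in demo().show_translations():
        print(row)
```

The second host in `demo()` collides on port 49152, so it is given the next free global port; a reply to that port is handed back to 192.168.1.7, while a packet from a peer the table has never seen is dropped.  The table is keyed per flow, which is also why `clear ip nat translation *` (mentioned below) is needed after changing the NAT statement: existing entries keep the old mapping until they are removed.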

That concludes the actual NAT portion, but without the related routing it really doesn’t help.  So there are two routes that are needed: one to get the traffic out and the other to get traffic back in.  We’ll start with the return traffic.  First we need an ACL to define the traffic coming back in, which is anything destined for the inside networks.

ip access-list extended InternalNetworks
    permit ip any 10.0.0.0 0.255.255.255
    permit ip any 172.16.0.0 0.15.255.255
    permit ip any 192.168.0.0 0.0.255.255

Then we create a route map for it.

route-map Internet-Internal permit 10
    description Return routing for Local Internet Access
    match ip address InternalNetworks
    set global

That route map is then applied to our external interface.

interface GigabitEthernet0/0/1
    ip policy route-map Internet-Internal

The last step is to create the default route from the inside to get to the outside.

ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/1 Next_Hop_IP

Now internal machines should have internet access.  Here are a few commands that help with troubleshooting if there are issues:

show ip nat translation (shows current NAT translations)

clear ip nat translation * (clears all current translations, which is helpful if the NAT statement needs to be changed.)
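When the table gets large, reading `show ip nat translation` by eye stops being practical, so here is an added Python helper (written for this post, not from the original article or from Cisco) that tallies the output per inside host.  The sample output is constructed in the column layout IOS prints (Pro, Inside global, Inside local, Outside local, Outside global), and the addresses in it are made up.  A host holding far more translations than its neighbours is the usual sign of either port exhaustion on the single outside IP or a machine talking to many destinations at once, both of which are worth a look.

```python
from collections import Counter
from typing import Dict, List

# Constructed sample of 'show ip nat translation' output; addresses are made up.
SAMPLE_OUTPUT = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 203.0.113.10:49152 10.0.0.5:49152     198.51.100.20:443  198.51.100.20:443
tcp 203.0.113.10:1024  192.168.1.7:49152  198.51.100.20:443  198.51.100.20:443
udp 203.0.113.10:5353  10.0.0.5:5353      198.51.100.53:53   198.51.100.53:53
tcp 203.0.113.10:1025  172.16.4.9:40001   198.51.100.30:445  198.51.100.30:445
tcp 203.0.113.10:1026  172.16.4.9:40002   198.51.100.31:445  198.51.100.31:445
tcp 203.0.113.10:1027  172.16.4.9:40003   198.51.100.32:445  198.51.100.32:445
"""


def parse_translations(text: str) -> List[Dict[str, str]]:
    """Turn the five-column output into dicts; the header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] == "Pro":
            continue
        proto, inside_global, inside_local, outside_local, outside_global = parts
        rows.append({
            "proto": proto,
            "inside_global": inside_global,
            "inside_local": inside_local,
            "outside_local": outside_local,
            "outside_global": outside_global,
        })
    return rows


def translations_per_host(text: str) -> Dict[str, int]:
    """Count entries per inside host (IPv4 'ip:port' form; static '---' rows are kept as-is)."""
    counts: Counter = Counter()
    for row in parse_translations(text):
        host = row["inside_local"].rsplit(":", 1)[0]
        counts[host] += 1
    return dict(counts)


def hosts_over(text: str, limit: int) -> List[str]:
    """Inside hosts holding more than `limit` translations, busiest first."""
    counts = translations_per_host(text)
    return sorted((h for h, n in counts.items() if n > limit),
                  key=lambda h: (-counts[h], h))


if __name__ == "__main__":
    for host, n in sorted(translations_per_host(SAMPLE_OUTPUT).items()):
        print(f"{host:<16} {n}")
    print("over limit:", hosts_over(SAMPLE_OUTPUT, 2))
```

Feed it the saved output of `show ip nat translation` (for example via `terminal length 0` on the router and a copy of the session) and adjust the limit to what is normal for your site.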