NAT - Network Address Translation.
NAT terminology:
- Inside Local address: An IP address assigned to a device within the organization. This is mostly a private IP address.
- Inside Global address: A public IP address that represents the “inside” network to the outside world.
- Outside Local address: IP address of a device outside the organization as it appears to the internal network.
- Outside Global address: The real IP address of a device outside the network, as assigned by that device's owner.
Reference diagram:
A few basic configuration examples:
! In global configuration mode.
ip access-list extended 100
permit ip 192.168.0.0 0.0.255.255 any
exit
ip nat inside source list 100 interface gi0/1 overload
int Gi0/0
ip nat inside
int Gi0/1
ip nat outside
Extend with port forwarding:
ip nat inside source static tcp 192.168.1.10 3389 interface gi0/1 3389 ext
! Mind: it is insecure to forward TCP port 3389!
! Alternatively, you can do the following (also insecure), which shows the flexibility of static port forwarding.
ip nat inside source static tcp 192.168.1.10 3389 11.22.22.45 15000 ext
ip nat inside source static tcp 192.168.1.11 3389 11.22.22.45 15001 ext
ip nat inside source static tcp 192.168.1.12 3389 11.22.22.45 15002 ext
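An added example (not part of the original page): a small Python audit that parses the static port-forward lines above and flags those publishing a remote-access service, keyed on the inside port so that remapping 3389 to 15000 on the outside is still reported. The RISKY_LOCAL_PORTS table and the function names are assumptions of this example.

```python
import re

# Constructed sample: the NAT lines shown on this page.
SAMPLE_CONFIG = """\
ip nat inside source list 100 interface gi0/1 overload
ip nat inside source static tcp 192.168.1.10 3389 interface gi0/1 3389 ext
ip nat inside source static tcp 192.168.1.10 3389 11.22.22.45 15000 ext
ip nat inside source static tcp 192.168.1.11 3389 11.22.22.45 15001 ext
ip nat inside source static tcp 192.168.1.12 3389 11.22.22.45 15002 ext
"""

# Assumption: services treated as unsafe to publish directly (edit to taste).
RISKY_LOCAL_PORTS = {22: "SSH", 23: "Telnet", 445: "SMB", 3389: "RDP", 5900: "VNC"}

# ip nat inside source static <proto> <local-ip> <local-port>
#     {<global-ip> | interface <name>} <global-port> [extendable]
STATIC_PAT = re.compile(
    r"^\s*ip nat inside source static (?P<proto>tcp|udp) "
    r"(?P<local_ip>\S+) (?P<local_port>\d+) "
    r"(?:interface (?P<ifname>\S+)|(?P<global_ip>\S+)) (?P<global_port>\d+)",
    re.IGNORECASE,
)

def parse_static_forwards(config_text):
    """Return one dict per static port-forward line found in the config."""
    forwards = []
    for line in config_text.splitlines():
        m = STATIC_PAT.match(line)
        if not m:
            continue  # dynamic/overload rules and other commands are skipped
        outside = m["global_ip"] or "interface " + m["ifname"]
        forwards.append({
            "proto": m["proto"].lower(),
            "local": (m["local_ip"], int(m["local_port"])),
            "global": (outside, int(m["global_port"])),
        })
    return forwards

def audit(config_text):
    """Flag forwards by the INSIDE port: a remapped outside port hides nothing."""
    findings = []
    for fwd in parse_static_forwards(config_text):
        service = RISKY_LOCAL_PORTS.get(fwd["local"][1])
        if service:
            remapped = fwd["global"][1] != fwd["local"][1]
            findings.append((service, fwd["local"], fwd["global"], remapped))
    return findings
```

Calling `audit(SAMPLE_CONFIG)` returns four RDP findings; the last field of each tuple is True for the three forwards whose outside port differs from 3389.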
The next thing was a kind of remote lab from a couple of years ago. For some reason I didn’t have a chance to check whether the configuration really worked, but it certainly gives food for thought. The external IP pools are made up, so don’t bother investigating.
The diagram:
The configuration:
ip access-list ext 192168101out
10 deny ip host 192.168.10.1 172.16.4.0 0.0.0.255
20 permit ip host 192.168.10.1 any
exit
route-map 192168101out permit 10
match ip address 192168101out
exit
ip nat pool NATpool101 87.230.156.101 87.230.156.101 prefix-length 28
ip nat inside source route-map 192168101out pool NATpool101
-----------------------------------------------------
ip access-list ext 192168102out
10 deny ip host 192.168.10.2 172.16.4.0 0.0.0.255
20 permit ip host 192.168.10.2 any
exit
route-map 192168102out permit 10
match ip address 192168102out
exit
ip nat pool NATpool102 87.230.156.102 87.230.156.102 prefix-length 28
ip nat inside source route-map 192168102out pool NATpool102
-----------------------------------------------------
ip access-list ext to1721640
10 permit ip 192.168.10.0 0.0.0.255 172.16.4.0 0.0.0.255
route-map to1721640 permit 10
match ip address to1721640
ip nat pool NATpool172x41 172.16.4.1 172.16.4.1 prefix-length 24
ip nat inside source route-map to1721640 pool NATpool172x41