Evil_TTL> show | s

NAT

Category:Cisco Systems -> Routing and Switching

NAT - Network Address Translation.

NAT terminology:

  • Inside Local address: An IP address assigned to a device within the organization. This is mostly a private IP address.
  • Inside Global address: A public IP address that represents the “inside” network to the outside world.
  • Outside Local address: IP address of a device outside the organization as it appears to the internal network.
  • Outside Global address: An IP address on a device outside the network.

Reference diagram:
NAT-eg.jpg

A few basic configuration examples:

// In global configuration mode.

ip access-list extended 100
 permit ip 192.168.0.0 0.0.255.255 any
 
exit

ip nat inside source list 100 interface gi0/1 overload

int Gi0/0
 ip nat inside

int Gi0/1
 ip nat outside

Extend with port forwarding:

ip nat inside source static tcp 192.168.1.10 3389 interface gi0/1 3389 ext

// Mind, it's insecure to forward TCP port 3389!

// Or you can do the following (also insecure), which shows the flexibility of static port forwarding.

ip nat inside source static tcp 192.168.1.10 3389 11.22.22.45 15000 ext
ip nat inside source static tcp 192.168.1.11 3389 11.22.22.45 15001 ext
ip nat inside source static tcp 192.168.1.12 3389 11.22.22.45 15002 ext

The next thing comes from a kind of remote lab a couple of years ago. I didn't have a chance to check whether the configuration really worked, but it certainly gives food for thought. The external IP pools are made up, so don't bother investigating.

The diagram:

NAT-10.png

The configuration:

ip access-list ext 192168101out
 10 deny ip host 192.168.10.1 172.16.4.0 0.0.0.255
 20 permit ip host 192.168.10.1 any
 
exit

route-map 192168101out permit 10
 match ip address 192168101out
 
exit

ip nat pool NATpool101 87.230.156.101 87.230.156.101 prefix-length 28

ip nat inside source route-map 192168101out pool NATpool101

-----------------------------------------------------

ip access-list ext 192168102out
 10 deny ip host 192.168.10.2 172.16.4.0 0.0.0.255
 20 permit ip host 192.168.10.2 any
 
exit

route-map 192168102out permit 10
 match ip address 192168102out
 
exit

ip nat pool NATpool102 87.230.156.102 87.230.156.102 prefix-length 28

ip nat inside source route-map 192168102out pool NATpool102

-----------------------------------------------------

ip access-list ext to1721640
 10 permit ip 192.168.10.0 0.0.0.255 172.16.4.0 0.0.0.255
 
route-map to1721640 permit 10
 match ip address to1721640

ip nat pool NATpool172x41 172.16.4.1 172.16.4.1 prefix-length 24

ip nat inside source route-map to1721640 pool NATpool172x41

By privilege15