IOS-XE Network Address Translation

This post discusses the configuration of Network Address Translation (NAT) on Cisco IOS/IOS-XE routers.

Overview

Network Address Translation (NAT) provides the ability to translate an IP address to another IP address, usually a private IP address into a publicly routable internet IP address. When a packet egresses the device (router or firewall), NAT translates the local RFC 1918 IP address into a globally unique public IP address and adds an entry to the NAT translation table. When the reply is returned, the network device checks the NAT translation table to find the matching entry, un-translates the packet and forwards it to the correct host.

Inside/Outside

Interfaces on Cisco IOS routers must be explicitly configured to determine whether they connect to the “inside” network or the “outside” network. The interface(s) connecting to the internal LAN must be configured with ip nat inside and the interface(s) leading to the internet must be configured with ip nat outside. NAT uses the following definitions: –

Inside local – IP addresses prior to translation, connected to inside of the local network.

Inside global – Public IP address(es) that an inside local address is translated to.

Outside local – IP address of an outside host as it appears to the inside network.

Outside global – IP address assigned to an outside host from the global address space.

Each NAT interface is configured as either inside or outside; a router can have multiple inside or outside interfaces.

interface GigabitEthernet 1
 description ## To the internet ##
 ip nat outside
!
interface GigabitEthernet 2
 description ## To the internal LAN ##
 ip nat inside

Static vs Dynamic

With static translation, the pre-translation IP or IP + port permanently maps to the same post-translation IP or IP + port. The static entry is permanently present in the NAT translation table and is always a bidirectional translation. Static NAT is typically used in scenarios where internal hosts need to be reachable from the outside network, such as web servers or application servers.

With dynamic translation, the mapping from a local IP address to a global address is created on demand; there is no guarantee that the same global address or port will be used for each connection (unlike static). The dynamic mapping is present in the NAT translation table for the duration of the connection; after a period of inactivity the entry times out and is removed.

Important consideration – Access Control Lists used for NAT configurations do not support “permit ip any any”.

For each NAT rule configured, an IP alias and an ARP entry are created. Run the command show ip alias; from the output below we can see the interfaces and one NAT entry, a Static PAT, which has a permanent alias until the NAT statement is deleted.

Generate some traffic that matches a Dynamic PAT/NAT rule and run the show ip alias command again; an alias is dynamically added. Once the translation expires, the alias is removed.

Run show arp to display the ARP entries. When using dynamic PAT/NAT, there will only be an ARP entry if there is an active NAT translation.

Order of Operations

The following represents the NAT order of operations; the order is top down: –

Inside to Outside

  1. Apply ingress ACL (if present)
  2. Routing decision to determine egress interface
  3. NAT operation inside to outside
  4. Apply egress ACL (if present)

Outside to Inside

  1. Apply ingress ACL (if present)
  2. NAT operation outside to inside
  3. Routing decision to determine interface
  4. Apply egress ACL (if present)

Considerations

  • Outbound ACLs are always processed after routing and NAT.
  • Inbound ACLs are always processed before routing and NAT, so an ACL applied inbound on the outside interface matches the inside global (translated) address. This is unlike the ASA, which un-translates inbound traffic on the outside interface and matches the real IP address in the outside ACL.
  • Traffic inbound on the outside interface is un-translated before routing, as the router needs to know the real IP address to forward the packet to the correct destination.

More information regarding NAT order of operations can be found here: – https://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/6209-5.html

NAT Types

The types of Network Address Translation include: –

Static NAT

The following are the key points regarding Static Network Address Translation (NAT).

  • Static NAT provides a one-to-one mapping between local and global IP addresses; all ports and protocols are translated.
  • Used to map a single global IP address to a single local server.
  • Static NAT is bi-directional – traffic can be initiated from either an external or internal host.

In the example configuration below, the private IP address of 192.168.10.5 is translated to the public/global IP address of 1.1.1.50.

ip nat inside source static 192.168.10.5 1.1.1.50

Run the command show ip nat translations to confirm the static NAT entry has been added to the NAT translation table; note that no outside local/global addresses are shown yet.

Generate traffic from multiple outside sources destined to the global IP address. From the output of show ip nat translations we can see three separate connections, all from the same outside source IP address but uniquely identified by their random source port numbers.

If no spare publicly routable IP address is available, the NAT statement can use the outside interface IP address instead, with the following syntax.

ip nat inside source static 192.168.10.5 interface GigabitEthernet1

Static PAT

The following are the key points regarding Static Port Address Translation (PAT).

  • Static PAT modifies both the IP address and the port (TCP/UDP).
  • Allows multiple servers to share one public IP address.
  • Static PAT is bi-directional – traffic can be initiated from either an external or internal host.
  • The extendable keyword at the end of the NAT statement allows a single global address to be mapped to multiple local addresses.

In the example configuration below, two inside web servers listening on tcp/80 share one global IP address; one server will of course have to be published on a non-standard port, tcp/8080.

ip nat inside source static tcp 192.168.10.5 80 1.1.1.50 80 extendable
ip nat inside source static tcp 192.168.10.50 80 1.1.1.50 8080 extendable

Generate traffic to the web server’s global IP address on tcp/80 and tcp/8080. From the output of show ip nat translations below, we can see that the same global IP address with unique ports (tcp/80 and tcp/8080) is translated to different inside local IP addresses, each on tcp/80.

Dynamic PAT

The following are the key points regarding Dynamic Port Address Translation (PAT).

  • Often referred to as NAT overload.
  • Modifies both the IP address and the port (TCP/UDP).
  • Dynamic PAT translates multiple IP addresses to a single IP address (many-to-one) or multiple IP addresses to multiple IP addresses (many-to-many).
  • Dynamic PAT is the most common type of translation and helps conserve IP address space, allowing multiple hosts to share one public IP address.
  • The router changes the source IP address as configured and randomly selects a unique source port number.
  • An entry is dynamically added to the NAT translation table when an internal host initiates a connection to a host on the outside.
  • The entries in the NAT translation table expire after a period of inactivity.
  • Translation is unidirectional and only works if the internal/inside host initiates the connection. If a new connection is initiated from the outside to the shared IP address, the router has no matching entry for the packet and drops it.
  • Will not work with protocols that dynamically create connections back to the client, such as FTP.
  • The keyword overload at the end of a NAT statement allows addresses in the NAT pool to be used by multiple hosts. Without the overload keyword, the configuration would be Dynamic NAT.
  • Only supports protocols whose port numbers are known; these protocols are Internet Control Message Protocol (ICMP), TCP and UDP. Other protocols do not work with PAT because they consume an entire address in the address pool. The ACL should be configured to permit only ICMP, TCP and UDP, so that all other protocol traffic is prevented from entering the network.

In the example configuration below, a NAT ACL is used to define the inside source networks. A NAT pool is created to define a range of global IP addresses (this could be just one) used for translation. Lastly, a NAT statement is configured to translate the networks defined in the NAT ACL to a global IP address defined in the NAT pool; the keyword overload ensures the global IP address can be shared by multiple hosts.

ip access-list extended NAT_ACL
 permit tcp 192.168.8.0 0.0.3.255 any
 permit udp 192.168.8.0 0.0.3.255 any
 permit icmp 192.168.8.0 0.0.3.255 any
!
ip nat pool NAT_POOL 1.1.1.100 1.1.1.110 netmask 255.255.255.0
!
ip nat inside source list NAT_ACL pool NAT_POOL overload

Generate traffic from multiple sources to multiple destinations. From the output of show ip nat translations, we can see that outbound traffic from two unique inside source IP addresses was translated using the same global IP address, 1.1.1.102, which was defined in the NAT pool, confirming Dynamic PAT worked as expected.

Dynamic NAT

The following are the key points regarding Dynamic Network Address Translation (NAT).

  • Only the IP address is translated, NOT the port.
  • A single global IP address cannot be shared amongst multiple inside hosts, unlike Dynamic PAT.
  • Maps multiple inside IP addresses to multiple global IP addresses from a pool of registered IP addresses (many-to-many).
  • Dynamic NAT is bi-directional whilst the translation is active; once the timeout expires the translation is removed and the global IP address is freed and available for use by another inside host.
  • When using Dynamic NAT, the number of global IP addresses defined in the NAT pool should equal the number of inside IP addresses. Once all global IP addresses are exhausted, any subsequent outbound connections from new inside hosts will fail.
  • Used for protocols which create a secondary/dynamic connection back to the client, such as FTP. Dynamic PAT would only allow connections initiated from the inside hosts; the dynamic connection would be dropped.
  • Least common type of translation used.

In the example configuration below, a NAT ACL is used to define the inside source networks and a NAT pool is created to define a range of global IP addresses used for translation. The NAT statement is configured to translate the networks defined in the NAT ACL to a global IP address defined in the NAT pool; notice the overload keyword is not configured, otherwise this configuration would be Dynamic PAT.

ip access-list extended NAT_ACL
 permit tcp 192.168.8.0 0.0.3.255 any
 permit udp 192.168.8.0 0.0.3.255 any
 permit icmp 192.168.8.0 0.0.3.255 any
!
ip nat pool NAT_POOL 1.1.1.100 1.1.1.110 netmask 255.255.255.0
!
ip nat inside source list NAT_ACL pool NAT_POOL

Generate traffic from multiple sources to multiple destinations. From the output of show ip nat translations, we can see that outbound traffic from two unique inside source IP addresses was translated to two unique global IP addresses (1.1.1.101 and 1.1.1.102), confirming Dynamic NAT worked as expected.
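Added example, not from the original post: a small Python model of the NAT translation table behaviour described in the Static NAT, Dynamic PAT and Dynamic NAT sections above, so the three cases can be compared side by side (static entries are permanent and bidirectional, overload shares one pool address with unique ports and drops unsolicited inbound packets, a pool without overload hands out one address per host and fails when exhausted). The class, its sequential port allocation and the sample addresses are assumptions; a real router picks ports and timeouts itself.

```python
class NatTable:
    def __init__(self, pool, overload, static=None):
        self.pool = list(pool)            # inside global addresses in the NAT pool
        self.overload = overload          # True: Dynamic PAT (overload), False: Dynamic NAT
        self.static = dict(static or {})  # inside local -> inside global, permanent 1:1 (Static NAT)
        self.entries = {}                 # dynamic flows: (local ip, port) -> (global ip, port)
        self.host_map = {}                # Dynamic NAT only: inside local ip -> pool address held
        self.next_port = 1024             # next unused source port for PAT (assumed scheme)

    def outbound(self, local_ip, local_port):
        """Inside -> outside: return (global ip, port), or None if no translation is possible."""
        if local_ip in self.static:                       # static: all ports, no table growth
            return self.static[local_ip], local_port
        key = (local_ip, local_port)
        if key in self.entries:                           # existing flow keeps its mapping
            return self.entries[key]
        if self.overload:                                 # PAT: share pool[0], unique source port
            g_ip, g_port = self.pool[0], self.next_port
            self.next_port += 1
        else:                                             # Dynamic NAT: one pool address per host
            g_ip = self.host_map.get(local_ip)
            if g_ip is None:
                free = [g for g in self.pool if g not in self.host_map.values()]
                if not free:
                    return None                           # pool exhausted: new connection fails
                g_ip = self.host_map[local_ip] = free[0]
            g_port = local_port                           # port is not changed
        self.entries[key] = (g_ip, g_port)
        return self.entries[key]

    def inbound(self, global_ip, global_port):
        """Outside -> inside: return (local ip, port), or None if the packet is dropped."""
        for l_ip, g_ip in self.static.items():            # Static NAT: always bidirectional
            if g_ip == global_ip:
                return l_ip, global_port
        if not self.overload:                             # Dynamic NAT: bidirectional while active
            for l_ip, g_ip in self.host_map.items():
                if g_ip == global_ip:
                    return l_ip, global_port
            return None
        for (l_ip, l_port), g in self.entries.items():    # Dynamic PAT: only an existing flow
            if g == (global_ip, global_port):
                return l_ip, l_port
        return None                                       # unsolicited inbound: no entry, dropped

    def expire(self, local_ip, local_port):
        self.entries.pop((local_ip, local_port), None)    # inactivity timeout removes the flow
        if not self.overload and all(l != local_ip for l, _ in self.entries):
            self.host_map.pop(local_ip, None)             # Dynamic NAT: pool address is freed
```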

Policy NAT

The following are the key points regarding Policy Network Address Translation.

  • Both the source and destination of the packet are matched.
  • Policy NAT is also referred to as conditional NAT.
  • Route-maps are used in conjunction with access-lists, so the NAT rules can be built on the parameters defined in the access-list.

In the scenario below, the same inside local address(es) need to be translated to a different inside global address depending on the destination network.

An ACL is configured defining the source and destination networks.

ip access-list extended NAT-DEST-A
 permit ip 192.168.10.0 0.0.0.255 2.2.2.0 0.0.0.255
!
ip access-list extended NAT-DEST-B
 permit ip 192.168.10.0 0.0.0.255 3.3.3.0 0.0.0.255

Route-maps are created, referencing the access-lists previously defined.

route-map DEST-A-RM permit 10
 match ip address NAT-DEST-A
!
route-map DEST-B-RM permit 10
 match ip address NAT-DEST-B

Two unique NAT IP Pools are created.

ip nat pool DEST-A-POOL 1.1.1.200 1.1.1.200 netmask 255.255.255.0
ip nat pool DEST-B-POOL 1.1.1.201 1.1.1.201 netmask 255.255.255.0

Two NAT rules are created, each referencing a route-map to define the source/destination and a NAT pool for the translated address; the overload keyword is added to ensure multiple hosts can share the NAT address.

ip nat inside source route-map DEST-A-RM pool DEST-A-POOL overload
ip nat inside source route-map DEST-B-RM pool DEST-B-POOL overload

Generate traffic from the inside network to the outside destination networks. From the output of show ip nat translations, we can confirm two entries in the NAT translation table, each with the correct global IP address as selected by the route-map.

NAT Virtual Interface (NVI)

  • Not supported on Cisco IOS-XE operating systems.
  • Removes the concept of inside and outside, which is considered legacy.
  • Instead, NAT is “enabled” per interface.
  • Translation occurs after the routing decision and is not dependent on traffic direction.

NAT is enabled on each interface as follows: –

interface GigabitEthernet 1
 ip nat enable

The NAT statement is exactly the same except for the absence of the inside or outside keyword.

ip nat source static 192.168.10.5 1.1.1.11
ip nat source static tcp 192.168.10.6 80 1.1.1.12 80 extendable