You are here
Simple NAT With Cisco IOS
Performing NAT with any variety of a LINUX box is possibly one of the most redundantly documented applications on the Web. Attempting to do the same with a Cisco IOS router is not documented in so straight-forward a way.
This little snippet shows the configuration for an IOS router where vLAN 13 is a public network and vLAN 12 is a private network. The router has a public IP address of A.B.C.D [netmask: E.F.G.H] and the gateway address is A.B.C.I. The private network is a 10.0.0.0/8 with multiple /24 segments which all route to this NAT gateway.
interface FastEthernet0/0.12
encapsulation dot1Q 12
ip address 10.66.x.y 255.255.255.0
ip nat inside
!
interface FastEthernet0/0.13
encapsulation dot1Q 13
ip address A.B.C.D E.F.G.H
ip nat outside
!
ip nat inside source list 1 interface FastEthernet0/0.13 overload
ip classless
ip route 0.0.0.0 0.0.0.0 A.B.C.I
access-list 1 permit 10.0.0.0 0.255.255.255
The access-list 1 matches all 10.0.0.0/8 traffic and is used by the ip nat policy which causes the NATing of all matching traffic with the source IP address of the vLAN 13 interface. The template for the ip nat inside source command is:
ip nat inside source {list {access-list-number | access-list-name} | route-map name}
{interface type number | pool name} [mapping-id map-name | vrf name] [overload]
The overload option is what enables the routers use of a single address to NAT many local addresses; this corresponds to the default behavior of most iptables configuration tools (does iptables have a "default" behavior?)
One nice feature of using a Cisco for NAT, rather than a host (besides the simplicity of no moving parts) is the very concise reporting provided by show ip nat translations and show ip nat statistics commands.
Router#show ip nat statistics
Total active translations: 208 (0 static, 208 dynamic; 208 extended)
Outside interfaces:
FastEthernet0/0.13
Inside interfaces:
FastEthernet0/0.12
Hits: 4890142 Misses: 52844
Expired translations: 52640
Dynamic mappings:
-- Inside Source
[Id: 3] access-list 1 interface FastEthernet0/0.13 refcount 208
This is similar to iptables -t nat -L -v command in LINUX.
Additional, and much more technical, documentation for this feature can be found here.