Friday, January 2, 2009

NAT on a Stick

NAT on a stick can get pretty confusing. Here is a lab I put together with the help of an example on Cisco's site. I don't know if it is accessible through the DocCD, so here is the link:

Network Address Translation on a Stick

The topology is a little different because I am using routers without any cable devices:


R2 is a host on the 10.0.0.0/24 network. It is using 10.0.0.1 (R1) as the gateway. R1 then NATs this address to 192.168.2.X before sending the packet on its way to R3. That's the basic rundown but the configuration is a little more complex.

First things first. Since 192.168.2.0 will be our translated address range, make sure R4 and R3 both have routes to this range. R3 will use 192.168.1.1 as the next hop and R4 will use 100.0.0.3.

The rest of the configuration is on R1. Assign two addresses to R1 and configure it as our inside interface. 10.0.0.1 is used as a gateway address for hosts on the LAN and 192.168.1.1 is used to communicate with R3.

interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0 secondary
ip address 10.0.0.1 255.255.255.0
ip nat inside


Create the loopback that will be used as our outside interface. Keep in mind that we are using a /30 network; you will see why a little later on.

interface Loopback0
ip address 10.0.1.1 255.255.255.252
ip nat outside


Next, define an ACL to match our inside hosts, then configure the NAT pool and the NAT statement:

access-list 10 permit 10.0.0.0 0.0.0.255
ip nat pool NAT 192.168.2.100 192.168.2.200 prefix-length 24
ip nat inside source list 10 pool NAT


Now this is where it gets a little tricky. I am trying to do this in a logical order, but in reality I just have to memorize what needs to be configured to finish this thing off.

Since the 192.168.2.0 network does not exist on any interface, we tell R1 that it is reachable via F0/0 like this:

ip route 192.168.2.0 255.255.255.0 FastEthernet0/0

Finally, we add our policy routing configuration. Remember the ACL has to match traffic in both directions:

access-list 100 permit ip any 192.168.2.0 0.0.0.255
access-list 100 permit ip 10.0.0.0 0.0.0.255 any

route-map NAT-LOOP permit 10
match ip address 100
set ip next-hop 10.0.1.2

interface FastEthernet0/0
ip policy route-map NAT-LOOP


So now R1 knows to policy route any traffic coming from 10.0.0.0/24 or going towards 192.168.2.0/24. The next hop address is 10.0.1.2, which technically exists on the Loopback 0 network. Since our loopback has the NAT outside statement, translation occurs there.

Let's test:

R2#ping 100.0.0.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.0.0.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/60/112 ms
R2#

R1#show ip nat translations
Pro  Inside global        Inside local       Outside local      Outside global
icmp 192.168.2.100:8     10.0.0.2:8         100.0.0.4:8        100.0.0.4:8
---  192.168.2.100       10.0.0.2           ---                ---
R1#


Key things to remember about NAT on a Stick:

-Ensure upstream routers have routes back to the NAT (outside) address range
-ACL for policy routing is 2-way
-Loopback is used for outside interface, but the NAT pool is on a separate network.
-Use a route pointing to the LAN interface to tell the router where the outside network resides.

There are probably some variations of this configuration that will work. I am going to play around with some now, but that should be enough to get started.
