Friday, January 2, 2009

NAT on a Stick

NAT on a stick can get pretty confusing. Here is a lab I put together with the help of an example on Cisco's site. I don't know if it is accessible through the DocCD, so here is the link:

Network Address Translation on a Stick

The topology is a little different because I am using routers without any cable devices:

R2 is a host on the network. It is using (R1) as the gateway. R1 then NATs this address to 192.168.2.X before sending the packet on its way to R3. That's the basic rundown but the configuration is a little more complex.

First things first... Since will be our translated address range, make sure R4 and R3 both have routes to this range. R3 will use as the next hop and R4 will use

The rest of the configuration is on R1. Assign two addresses to R1 and configure it as our inside interface. is used as a gateway address for hosts on the LAN and is used to communicate with R3.

interface FastEthernet0/0
ip address secondary
ip address
ip nat inside

Create the loopback that will be used as our outside interface. Keep in mind we are using a /30 network; you will see why a little later on.

interface Loopback0
ip address
ip nat outside

Next define an ACL to match our inside hosts then configure the NAT pool and NAT statements:

access-list 10 permit
ip nat pool NAT prefix-length 24
ip nat inside source list 10 pool NAT

Now this is where it gets a little tricky. I am trying to do this in a logical order, but in reality I just have to memorize what needs to be configured to finish this thing off.

Since the network does not exist on any interface, we tell R1 that it exists off F0/0 like this:

ip route FastEthernet0/0

Finally, we add our policy routing configuration. Remember the ACL has to match traffic in both directions:

access-list 100 permit ip any
access-list 100 permit ip any

route-map NAT-LOOP permit 10
match ip address 100
set ip next-hop

interface FastEthernet0/0
ip policy route-map NAT-LOOP

So now R1 knows to policy route any traffic coming from or going towards The next hop address is which technically exists on the Loopback 0 network. Since our loopback has the NAT outside statement, translation occurs here.
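Here is the whole R1 side in one place, as an added example that is not the post's own configuration. The addressing is constructed for this example: LAN 192.168.1.0/24 (R1's secondary address is the hosts' gateway), the R1-R3 segment 10.0.13.0/24 with R3 at 10.0.13.3, and the /30 loopback 10.255.255.0/30. The pool 192.168.2.0/24 follows the post's "192.168.2.X"; the default route towards R3 is an assumption the post does not state, added so R1 has somewhere to forward translated packets.

```cisco
! R1 - NAT on a stick, complete example (added here; not the post's config).
! Constructed addressing: LAN 192.168.1.0/24, R1-R3 link 10.0.13.0/24
! (R3 = 10.0.13.3), loopback 10.255.255.0/30, pool 192.168.2.0/24.
!
! One physical interface carries both the LAN hosts and the link to R3.
! The secondary address is the hosts' default gateway; the primary talks to R3.
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0 secondary
 ip address 10.0.13.1 255.255.255.0
 ip nat inside
 ip policy route-map NAT-LOOP
!
! The loopback is the "outside" interface. A /30 leaves exactly one other
! usable address (10.255.255.2) to serve as the policy-routing next hop.
interface Loopback0
 ip address 10.255.255.1 255.255.255.252
 ip nat outside
!
! Hosts eligible for translation, and the pool they are translated into.
access-list 10 permit 192.168.1.0 0.0.0.255
ip nat pool NAT 192.168.2.1 192.168.2.254 prefix-length 24
ip nat inside source list 10 pool NAT
!
! The pool network lives on no interface; tell R1 it is reachable off F0/0.
ip route 192.168.2.0 255.255.255.0 FastEthernet0/0
! Assumed for this example: everything beyond R3 is reached through R3.
ip route 0.0.0.0 0.0.0.0 10.0.13.3
!
! Policy routing must catch both directions: LAN hosts going out, and return
! traffic addressed to the translated (pool) range coming back from R3.
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 100 permit ip any 192.168.2.0 0.0.0.255
!
route-map NAT-LOOP permit 10
 match ip address 100
 set ip next-hop 10.255.255.2
```

To check it, ping something beyond R3 from a LAN host, then on R1 run show ip nat translations (an entry with inside global in 192.168.2.0/24 should appear) and show route-map NAT-LOOP, whose policy matching counter should climb for both directions of the exchange. If the counter stays at zero, the packets never reached the loopback and no translation could have happened.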

Let's test:


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/60/112 ms

R1#show ip nat translations
Pro Inside global Inside local Outside local Outside global
--- --- ---

Key things to remember about NAT on a Stick:

-Ensure upstream routers have routes back to the NAT (outside) address range
-ACL for policy routing is 2-way
-Loopback is used for the outside interface, but the NAT pool is on a separate network.
-Use a route pointing to the LAN interface to tell the router where the outside network resides.

There are probably some variations of this configuration that will work. I am going to play around with some now, but that should be enough to get started.
