The function of Network Address Translation (NAT) is to translation a private IP address to into a public IP address that connected to the internet before packets are forwarded to another network. NAT can advertise a single public IP address for the entire local private network to the internet and providing a security by hiding the entire internal network behind that address.
In this article, we will configure different configuration of static NAT and Dynamic NAT on Cisco router using GNS3.
In this document, it is supposed that:
a. You already have GNS3 VM installed up and running on your computer. In case that you don’t, please refer to this link. Installing GNS3 VM on VMware Workstation
b. You know how to configure SSH remote management on Cisco router. If you do not, you can refer this link SSH Configuration on Cisco Switch and Router.
3. Lab Scenario Set up
We will set up a Lab to configure NAT as show in the following diagram. We will configure NAT on “HQ-RT02”. There is one router in the LAN with the host name as “HQ-RT01” and this host is acting as an inside LAN server. We will configure SSH and Telnet server on this host. There is one router act as the internet and another router act as computer in the public network.
The following is the basic configuration of each devices.
First all, we can configure host name and IP as the following.
# hostname HQ-RT01 # int f0/0 ip add 10.0.0.2 255.255.255.0 no sh # ip route 0.0.0.0 0.0.0.0 10.0.0.1
Then, let’s configure SSH server fore remote management as the following.
# username netadmin privilege 15 secret 1111 # enable secret 2222 # service password-encryption # ip domain-name techspacekh.com # crypto key generate rsa # line vty 0 4 login local transport input all # ip ssh version 2 # aaa new-model
On HQ-RT02 let’s configure the basic configuration as the following.
# hostname HQ-RT02 # int f0/0 no sh ip add 10.0.0.1 255.255.255.0 # int f0/1 no sh ip add 18.104.22.168 255.255.255.248 # ip route 0.0.0.0 0.0.0.0 22.214.171.124
On router acts as the Internet
We just need to configure IP address on each interface on the Internet router.
# int f0/0 no sh ip add 126.96.36.199 255.255.255.248 # int f0/1 no sh ip add 188.8.131.52 255.255.255.0
On router acts as a computer in public network
On PC router, let’s configure the basic configuration as the following.
# int f0/0 no sh ip add 184.108.40.206 255.255.255.0 # ip route 0.0.0.0 0.0.0.0 220.127.116.11
4. Dynamic NAT
4.1 Configure Dynamic NAT To Interface IP
Before we configure dynamic NAT, HQ-RT01 is not able to ping to IP address of the internet router.
HQ-RT01#ping 18.104.22.168 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 22.214.171.124, timeout is 2 seconds: ..... Success rate is 0 percent (0/5)
Now let start to configure dynamic NAT on HQ-RT02. First, we need to create an ACL to contain the IP address to be NATed. In below ACL, we allow all IP in the LAN can access to the internet.
# ip access-list standard ACL-DNAT permit 10.0.0.0 0.0.0.255
Then, we need to configure dynamic NAT using the created ACL above.
# int f0/0 ip nat inside # int f0/1 ip nat outside # ip nat inside source list ACL-DNAT interface f0/1
Now, HQ-RT01 should be able to ping to IP address of the internet router.
HQ-RT01#ping 126.96.36.199 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 188.8.131.52, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 28/30/32 ms
If we show the NAT translation, we should see something as the following.
#sh ip nat translations Pro Inside global Inside local Outside local Outside global icmp 184.108.40.206:9 10.0.0.2:9 220.127.116.11:9 18.104.22.168:9
4.2 Configure Dynamic NAT With IP Pool
It is also possible if we want to translate our LAN IP subnet to pool of public IP address. In the following command will create a NAT pool with IP address rang from 22.214.171.124 to 126.96.36.199.
# ip nat pool DNAT-POOL01 188.8.131.52 184.108.40.206 netmask 255.255.255.248
Then we can use the pool created above to do the NAT configuration.
# no ip nat inside source list ACL-DNAT interface FastEthernet0/1 overload # ip nat inside source list ACL-DNAT pool DNAT-POOL01
5. Static NAT
5.1 Configure Static NAT To Interface IP
If we want to publish the access of the internal server to the internet, we can configure static NAT on our router “HQ-RT02”.
In the following command will configure a static NAT for remote SSH access from the internet using the IP address that is assigned to interface Fa0/1 of HQ-RT01.
# ip nat inside source static tcp 10.0.0.2 22 interface f0/1 22
Now, if we test telnet port 22 to the public IP configure on interface Fa0/1 of HQ-RT02 router from router PC, we should get the following successful result.
# telnet 220.127.116.11 22 Trying 18.104.22.168, 22 ... Open SSH-2.0-Cisco-1.25
To login to HQ-RT01 from the internet, we can use the following commands.
# ssh -l netadmin 22.214.171.124 Password: HQ-RT01>
5.2 Configure Static NAT To IP In The Same Interface Subnet
Usually, there are many local services to publish to be accessible from the internet. In this case, we can configure NAT the local IP to any available public IP within the same subnet of IP that assigned to the router “HQ-RT02” interface Fa0/1 which it is connect directly to the internet.
Now , we can configure NAT as the following to NAT public IP 126.96.36.199 port 2323 to the private IP 10.0.0.2 port 23.
# ip nat inside source static tcp 10.0.0.2 23 188.8.131.52 2323
We can test telnet from PC router as the following.
# telnet 184.108.40.206 2323 Trying 220.127.116.11, 2323 ... Open User Access Verification Username: netadmin Password: HQ-RT01>
In some case, we might want to NAT one private IP to one public IP for any services and we can do as the following.
# no ip nat inside source static tcp 10.0.0.2 22 interface FastEthernet0/1 22 # no ip nat inside source static tcp 10.0.0.2 23 18.104.22.168 2323 extendable # clear ip nat translation * # ip nat inside source static 10.0.0.2 22.214.171.124
Now, if we try to ping IP 126.96.36.199 from PC router, we should get the following result.
#ping 188.8.131.52 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 184.108.40.206, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 104/113/144 ms
If we test SSH from PC router, we should get the following result.
#ssh -l netadmin 220.127.116.11 Password: HQ-RT01>
If we test telnet from PC router, we should get the following result.
#telnet 18.104.22.168 Trying 22.214.171.124 ... Open User Access Verification Username: netadmin Password: HQ-RT01>
That’s all about configuring network address translation (NAT) on Cisco router from Tech Space KH. Hopefully, you can find this guide informative. If you have any questions or suggestions you can always leave your comments below. I will try all of my best to review and reply them.