March 30, 2008

Router(config)# ip nat inside & outside ! at one interface

Let's face a situation. You have a network with 2 routers (one router and one L3 switch), as shown in the diagram.


The LAN network uses private (RFC 1918) addresses and is routed to the Internet via the L3 switch-router R2. L3 switch-routers like R2 are generally not capable of NAT/PAT. So the switch-router R2 simply forwards every packet from the LAN network to the router R1, where we are going to do PAT (network and port address translation) for the private address range used in the LAN.

This situation is a little bit tricky. In the normal situation, where one interface of a router is connected to the LAN and another interface is connected to the Internet, you put the "ip nat inside" command on the LAN interface and the "ip nat outside" command on the Internet interface, add the "ip nat inside source ..." commands to the configuration, and the NAT/PAT router is ready.


Well, in our situation the router R1 has only one interface, which is connected to the Internet and is used to route the LAN traffic as well. If you try to put both "ip nat inside" and "ip nat outside" on the same interface, only one of these commands will remain in the interface configuration (the last one entered). And as you know, the NAT process is applied only to packets that travel from an inside interface to an outside interface.

The workaround for this situation is to create a loopback interface and use it, via PBR (Policy Based Routing), as the next-hop interface for packets arriving from the LAN network (through R2) on the router's Ethernet interface. The loopback is configured with the "ip nat inside" command. Packets sent through the loopback therefore pass an "ip nat inside" interface and then continue their journey to the Internet. The path to the Internet is over the Ethernet connection, where we can put the "ip nat outside" configuration command. So when packets from the LAN network arrive at the router R1, they are sent to the loopback interface, where they turn back but now carry the "nat inside" marking. On the way back out (to the Internet via the default route) they leave the router on the "nat outside" Ethernet interface. Obviously, now we can apply the NAT/PAT process to these packets.


R1's configuration:

R1#sh run
!Building configuration...
! The special loopback interface used for turning packets around inside the router
interface Loopback0
 description NATLO
! This IP address can be anything, just update the next hop in the PBR accordingly
 ip address 172.16.255.253 255.255.255.252
! Mark packets going through this interface as packets with the nat inside flag
 ip nat inside
! This is the actual physical interface, used for incoming and outgoing traffic alike
interface Ethernet1/0
 description Inet
! should be a public IP address
 ip address 5.0.0.1 255.255.255.0
! disable ICMP redirect messages (traffic leaves on the interface it arrived on) - may be useful
 no ip redirects
! Finally, when we get a packet flagged with "nat inside", the router can apply the NAT/PAT process
 ip nat outside
! Route incoming packets from the LAN by the PBR rules
 ip policy route-map toNat
! The default route to the Internet (ISP)
ip route 0.0.0.0 0.0.0.0 5.0.0.2
! ACL for PBR and NAT/PAT
access-list 1 remark LAN_IPs
access-list 1 permit 192.168.1.0 0.0.0.255
! PAT as always
ip nat inside source list 1 interface Ethernet1/0 overload
! and the PBR
route-map toNat permit 10
 match ip address 1
! The next hop must be an IP address from the Lo0 subnet (but not the Lo0 address itself!)
 set ip next-hop 172.16.255.254
!
R1#debug ip nat
*Mar 30 00:56:14.019: NAT: s=192.168.1.2->5.0.0.1, d=1.1.1.1 [90]
*Mar 30 00:56:14.119: NAT: s=5.0.0.2, d=5.0.0.1->192.168.1.2 [132]
R1#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 5.0.0.1:18        192.168.1.2:18     1.1.1.1:18         1.1.1.1:18
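The explanation above rests on a handful of conditions that are easy to get wrong by hand: "ip nat inside" must live on a loopback, "ip nat outside" on the real interface (never both on one interface), the policy route-map's next hop must fall inside the loopback's subnet without being the loopback's own address, and the ACL the route-map matches must also drive an "ip nat inside source list" statement. The following Python script is an added example, not the post's or Cisco's own tooling: it parses the subset of IOS syntax used in R1's configuration (reproduced inline as a constructed sample, minus the "!" comments) and reports any of those conditions that fail. It assumes the simplified layout shown here (sub-commands indented by one space) and handles only the commands this setup uses.

```python
"""Check the prerequisites of an IOS "NAT on a stick" configuration.
Added example; the parser covers only the commands used by R1 above."""
import ipaddress
import re

# Constructed sample: R1's configuration from the post without the "!" comments.
SAMPLE_CONFIG = """\
interface Loopback0
 description NATLO
 ip address 172.16.255.253 255.255.255.252
 ip nat inside
interface Ethernet1/0
 description Inet
 ip address 5.0.0.1 255.255.255.0
 no ip redirects
 ip nat outside
 ip policy route-map toNat
ip route 0.0.0.0 0.0.0.0 5.0.0.2
access-list 1 remark LAN_IPs
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 interface Ethernet1/0 overload
route-map toNat permit 10
 match ip address 1
 set ip next-hop 172.16.255.254
"""


def parse_ios(text):
    """Minimal IOS parser: interface and route-map sections plus global lines."""
    cfg = {"interfaces": {}, "route_maps": {}, "global": []}
    section = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue  # blank line or IOS comment
        if line.startswith(" "):  # indented sub-command of the current section
            if section is not None:
                section.append(line.strip())
            continue
        section = None
        m = re.match(r"interface (\S+)$", line)
        if m:
            section = cfg["interfaces"].setdefault(m.group(1), [])
            continue
        m = re.match(r"route-map (\S+) (?:permit|deny) \d+$", line)
        if m:
            section = cfg["route_maps"].setdefault(m.group(1), [])
            continue
        cfg["global"].append(line)
    return cfg


def interface_address(lines):
    """Return the interface's address and mask as an IPv4Interface, or None."""
    for line in lines:
        m = re.match(r"ip address (\S+) (\S+)$", line)
        if m:
            return ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    return None


def check_nat_on_a_stick(cfg):
    """Return a list of problems; an empty list means the setup is consistent."""
    problems = []
    ifs = cfg["interfaces"]
    inside = {n for n, lines in ifs.items() if "ip nat inside" in lines}
    outside = {n for n, lines in ifs.items() if "ip nat outside" in lines}
    for name in inside & outside:
        problems.append(f"{name}: nat inside and nat outside on one interface "
                        "(IOS keeps only the last one entered)")
    loops = [n for n in inside if n.lower().startswith("loopback")]
    if not loops:
        problems.append("no Loopback interface carries 'ip nat inside'")
    if not outside:
        problems.append("no interface carries 'ip nat outside'")
    for name in outside:
        policy = next((l.split()[-1] for l in ifs[name]
                       if l.startswith("ip policy route-map ")), None)
        if policy is None:
            problems.append(f"{name}: no 'ip policy route-map' to turn LAN traffic around")
            continue
        rmap = cfg["route_maps"].get(policy, [])
        hops = [l.split()[-1] for l in rmap if l.startswith("set ip next-hop ")]
        acls = [l.split()[-1] for l in rmap if l.startswith("match ip address ")]
        if not hops:
            problems.append(f"route-map {policy}: no 'set ip next-hop'")
        lo_addrs = {lo: interface_address(ifs[lo]) for lo in loops}
        for hop in hops:
            hop_ip = ipaddress.ip_address(hop)
            owners = [lo for lo, a in lo_addrs.items() if a and hop_ip in a.network]
            if not owners:
                problems.append(f"route-map {policy}: next hop {hop} is in no NAT-inside loopback subnet")
            elif any(lo_addrs[lo].ip == hop_ip for lo in owners):
                problems.append(f"route-map {policy}: next hop {hop} is the loopback's own address")
        for acl in acls:
            if not any(g.startswith(f"ip nat inside source list {acl} ") for g in cfg["global"]):
                problems.append(f"ACL {acl} is policy-routed but has no 'ip nat inside source list'")
    return problems


if __name__ == "__main__":
    for problem in check_nat_on_a_stick(parse_ios(SAMPLE_CONFIG)) or ["OK: no problems found"]:
        print(problem)
```

Running it on the sample prints "OK: no problems found"; changing the next hop to 172.16.255.253 (the loopback's own address) or dropping "ip nat inside" from Loopback0 makes the corresponding check fire, which is exactly the kind of slip the "ip nat inside"/"ip nat outside" placement rules above are meant to prevent.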

You can find more information about this topic, pretty well documented, in Cisco's document called "Network Address Translation on a Stick". Enjoy :-)