March 30, 2008

Router(config)# ip nat inside & outside ! at one interface

Let's face a situation. You have a network with 2 routers (one router and one L3 switch) as you can see on the this diagram:

image

The LAN network is using private addresses (RFC1918) and is routed to the Internet via the R2 L3 switch-router. L3 switch-routers as the R2 are generally not capable of doing NAT/PAT (it may be a L3 switch). So the switch-router R2 is just sending send each packet from the LAN network to the router R1 where we are going to do PAT (network + port address translation) for the private address range used in LAN.

This situation is a little bit tricky, as in a normal situation, where there is one interface on a router connected to a LAN and an another interface connected to the Internet, you can write down the "ip nat inside" to the LAN interface, and the "ip nat outside" command to the Internet interface, add some additional "ip nat source ..." commands to the configuration and the NAT/PAT router is ready.

image

Well, in our situation we have the router R1 with only one interface, which is connected to the Internet and is used to route the LAN traffic as well. If you try to put the "ip nat inside" and the "ip nat outside" to the same interface, only one of these command will remain in the interface configuration (the last entered). And as you know, the NAT process is applied only to packets, which are traveling through an inside to an outside interface.

The workaround for this situation is to create a loopback interface, which will be used by PBR as a next hop interface for packets coming from the LAN network to the Ethernet interface of the router R2 (PBR - Policy Based Routing). The loopback will be configured with the "ip nat inside" command. After the packets go through the loopback interface, they will go through the "ip nat inside" configuration, and continue their journey to the Internet. The path to the Internet is over the Ethernet connection where we can put the "ip nat outside" configuration command. Now that means, when the packets from the LAN network will arrive to the router R1, they will go through the loopback interface where they will turn back but use the "nat inside" settings. On the way back (to the Internet by default route) then they will leave the router on the "nat outside" Ethernet interface. Obviously now we can apply the NAT/PAT process to these packets.

image

R1's configuration:

R1#sh run
!Building configuration...
! The special loopback interface used for turning packets around inside the router
interface Loopback0
 description NATLO
! This IP address can be any, just update the next hop in PBR
 ip address 172.16.255.253 255.255.255.252
! Let's mark packets going through this interface as packets with nat inside flag
 ip nat inside
! This is the actual real interface used for incomming and outgoing traffic as well
interface Ethernet1/0
 description Inet
! should be public IP address
 ip address 5.0.0.1 255.255.255.0
! disable ICMP redirect messages - may be useful
 no ip redirects
! Finaly when we get a packet flagged with "nat inside", the router can apply the NAT/PAT process
 ip nat outside
! Route incomming packets from LAN by PBR rules
 ip policy route-map toNat
! The default router to Internet (ISP)
ip route 0.0.0.0 0.0.0.0 5.0.0.2
! ACL for PBR and NAT/PAT
access-list 1 remark LAN_IPs
access-list 1 permit 192.168.1.0 0.0.0.255
! PAT as always
ip nat inside source list 1 interface Ethernet1/0 overload
! and the PBR 
route-map toNat permit 10
 match ip address 1
! The next hop should be an IP address from the Lo 0 IP network (except the Lo0 address!)
 set ip next-hop 172.16.255.254
!
R1#debug ip nat
*Mar 30 00:56:14.019: NAT: s=192.168.1.2->5.0.0.1, d=1.1.1.1 [90]
*Mar 30 00:56:14.119: NAT: s=5.0.0.2, d=5.0.0.1->192.168.1.2 [132]
R1#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 5.0.0.1:18        192.168.1.2:18     1.1.1.1:18         1.1.1.1:18

You can find more information about this topic pretty well documented in the Cisco's paper called "Network Address Translation on a Stick". Enjoy :-)

at

16 comments:

  1. AnonymousJuly 13, 2008 at 9:14 AM

    Hi, jozjan...
    Many thx for the article

    ReplyDelete
  2. AnonymousSeptember 4, 2008 at 10:25 PM

    This article explained this well. Thank you.

    ReplyDelete
  3. Jozef JanitorSeptember 4, 2008 at 10:32 PM

    You are welcome :-)

    ReplyDelete
  4. AnonymousNovember 26, 2008 at 11:19 AM

    thx for the article
    good job

    ReplyDelete
  5. AnonymousMay 16, 2009 at 11:41 AM

    how R1 knows about the route to 192.168.1.0/24?

    ReplyDelete
  6. Jozef JanitorMay 18, 2009 at 12:37 AM

    @Anonymous: in the displayed configuration we are missing a static route (or some sort of Dynamic Routing Protocol) to the 192.168.1.0/24 network trough the R2 router.

    ReplyDelete
  7. teething factsMay 4, 2010 at 6:56 PM

    I think this blog is pretty cool,it has a lot of good and interesting content,good for you I hope you can add more useful information and upgrade your site,I like it,it has full details about router configuration and remember there are good medicines to reduce fever and it's always important take care so much about our health

    ReplyDelete
  8. AnonymousJuly 16, 2010 at 11:51 AM

    Thank you very much, very intersting thing!!!

    ReplyDelete
  9. @ridernakorMarch 30, 2011 at 3:08 PM

    Thank you.
    One little comment: I had to change the route-map to "set interface lo0" instead "set next-hop .."
    Then it worked! :)

    ReplyDelete
  10. AnonymousMay 25, 2011 at 11:58 PM

    what if your destination address is on router R1. how can you do that with the nat in place. PBR do not respond to destination within the same router.

    ReplyDelete
  11. AnonymousApril 5, 2012 at 10:02 AM

    Can someone plz make this tutorial a bit more explicit. Is there a static route for the LAN missing or not? Lets say that R2 was actually a cisco switch 2950, how would this config change?

    ReplyDelete
  12. UnknownJune 18, 2012 at 3:25 PM

    Hi, jozjan...

    Sir,

    Can you tell me how to do multiple natting on same routers..
    example : private network ---> Public network
    Public network--->private network

    ReplyDelete
  13. seoexpertMay 20, 2019 at 7:43 PM

    Grandstream PBX System- Grandstream Distributor Cameroon VDS the Grandstream distributor in  Cameroon continues to bring innovative Grandstream Products to the IP communications / Telephony market with compelling values and features. Grandstream Networks is headquartered in Brookline, Massachusetts with offices in Yealink IP Phones

    ReplyDelete
  14. AnonymousJuly 5, 2019 at 3:45 AM

    The data you have posted is extremely valuable. The locales you have alluded was great. A debt of gratitude is in order for sharing... check my ip

    ReplyDelete
  15. SEO ExpertDecember 2, 2019 at 9:21 AM

    I recently found many useful information in your website especially this blog page. Among the lots of comments on your articles. Thanks for sharing. netgear ac1750

    ReplyDelete
  16. William JessieFebruary 16, 2021 at 10:27 PM

    I read this article, it is really informative one. Your way of writing and making things clear is very impressive. Thanking you for such an informative article. business telephone service provider

    ReplyDelete