Configuring NAT Overload On A Cisco Router
NAT (Network Address Translation) is a method that allows the translation (modification) of IP addresses while packets/datagrams are
traversing the network. NAT Overload, also known as PAT (Port Address Translation) is essentially NAT with the added feature of
TCP/UDP ports translation.
The main purpose of NAT is to hide the IP address (usually private) of a client in order to reserve the public address space. For example
a complete network with 100 hosts can have 100 private IP addresses and still be visible to the outside world (internet) as a single IP
address. Other benefits of NAT include security and economical usage of the IP address ranges at hand.
The following steps explain basic Cisco router NAT Overload configuration. NAT overload is the most common operation in most
businesses around the world, as it enables the whole network to access the Internet using one single real IP address. If you would like to
know more about the NAT theory, be sure to read our popular NAT articles, which explain in great depth the NAT functions and
applications in today's networks.
EXAMPLE SCENARIO
The diagram below represents our example network which consists of a number of internal clients and a router connected to our ISP via
its serial interface. The company has been assigned the following Class C subnet: 200.2.2.0/30 (255.255.255.252).
This translates to one usable real IP address 200.2.2.1 configured on our router's serial interface. IP address 200.2.2.2 will be used on
the other end, that is, the ISP's router. Our ISP has also provided us with the necessary default gateway IP address (configured on our
router, not shown) in order to route all traffic to the Internet.
Our goal in this example is to configure NAT Overload (PAT) and provide all internal workstations with Internet access using one public IP
address (200.2.2.1).
The first step in any NAT configuration is to define the inside and outside interfaces. It is imperative that we define these interfaces
for NAT overload to function.
http://www.firewall.cx/ciscotechnicalknowledgebase/ciscorouters/260ciscorouternatoverload.html
4/30/2016
Set the fastethernet 0/0 interface as the inside interface:
R1# configure terminal
R1(config)# interface fastethernet0/0
R1(config-if)# ip nat inside
Next step is to set the serial interface S0/0 as the outside interface:
R1(config-if)# interface serial0/0
R1(config-if)# ip nat outside
R1(config-if)# exit
We now need to create an Access Control List (ACL) that will include local (private) hosts or network(s). This ACL will later on be applied
to the NAT service command, effectively controlling the hosts that will be able to access the Internet. You can use standard or extended
access lists depending on your requirements:
R1(config)# access-list 100 remark ==[Control NAT Service]==
R1(config)# access-list 100 permit ip 192.168.0.0 0.0.0.255 any
The above command instructs the router to allow the 192.168.0.0/24 network to reach any destination. Note that Cisco router standard
and extended ACLs always use wildcards (0.0.0.255).
All that's left now is to enable NAT overload and bind it to the outside interface previously selected:
R1(config)# ip nat inside source list 100 interface serial 0/0 overload
From this point onward, the router will happily create all the necessary translations to allow the 192.168.0.0/24 network access to the
Internet.
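The behaviour configured above can be followed in a small model. This is an added example, not code from the original article and not Cisco's implementation: the class name, the 60-second timeout and the port-selection rule (keep the source port if free, otherwise take the next free one) are assumptions made for illustration.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco ACL test: bits set in the wildcard are ignored, the rest must equal base."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

class PatRouter:
    """Simplified model of NAT overload (hypothetical class, for illustration)."""
    def __init__(self, global_ip, acl_base, acl_wildcard, timeout=60):
        self.global_ip = global_ip
        self.acl = (acl_base, acl_wildcard)
        self.timeout = timeout  # assumed idle timeout in seconds
        self.out = {}   # (proto, inside ip, inside port) -> [global port, last used]
        self.back = {}  # (proto, global port) -> (inside ip, inside port)

    def outbound(self, proto, src_ip, src_port, now):
        """Translate an inside packet; None means the ACL excluded the host."""
        if not wildcard_match(src_ip, *self.acl):
            return None
        key = (proto, src_ip, src_port)
        if key not in self.out:
            port = src_port                    # assumption: keep the port if free
            while (proto, port) in self.back:  # collision: take the next free one
                port = port + 1 if port < 65535 else 1024
            self.out[key] = [port, now]
            self.back[(proto, port)] = (src_ip, src_port)
        self.out[key][1] = now
        return (self.global_ip, self.out[key][0])

    def inbound(self, proto, dst_port):
        """Map return traffic to the inside host; None means no entry, so drop."""
        return self.back.get((proto, dst_port))

    def expire(self, now):
        """Remove idle dynamic entries and return how many remain."""
        for key, (port, last) in list(self.out.items()):
            if now - last >= self.timeout:
                del self.out[key]
                del self.back[(key[0], port)]
        return len(self.out)

if __name__ == "__main__":
    r = PatRouter("200.2.2.1", "192.168.0.0", "0.0.0.255")
    print(r.outbound("tcp", "192.168.0.10", 40000, now=0))
    print(r.outbound("tcp", "192.168.0.11", 40000, now=1))
    print(r.inbound("tcp", 12345))
```

Two inside hosts using the same source port share 200.2.2.1 with different translated ports, a host outside 192.168.0.0/24 is never translated, and inbound traffic with no matching entry has nowhere to go.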
email client.
Because these entries are all dynamically created, they are temporary and will be removed from the translation table after some time.
Another point you might want to keep in mind is that when we use programs that create a lot of connections, e.g. uTorrent, LimeWire, etc.,
you might see sluggish performance from the router as it tries to keep up with all connections. Having thousands of connections running
through the router can put some serious stress on the CPU.
In these cases, we might need to clear the IP NAT table completely to free up resources.
This is easily done using the following command:
R1# clear ip nat translation *
Assuming no request has been sent right after the command was entered, the NAT translation table should be empty:
R1# show ip nat translations
Pro  Inside global      Inside local       Outside local      Outside global
Lastly, you can obtain statistics on the overload NAT service. This will show you the amount of current translations tracked by our NAT
table, plus a lot more:
R1# show ip nat statistics
Total active translations: 200 (0 static, 200 dynamic 200 extended)
Outside interfaces:
  Serial0/0
Inside interfaces:
  FastEthernet0/0
Hits: 163134904  Misses: 0
CEF Translated packets: 161396861, CEF Punted packets: 3465356
Expired translations: 2453616
Dynamic mappings:
Inside Source
[Id: 2] access-list 100 interface serial0/0 refcount 195
Appl doors: 0
Normal doors: 0
Queued Packets: 0
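The statistics output can also be checked automatically, for example to confirm that the only overload rule is the intended ACL on the intended outside interface and that the table has not grown past a chosen limit. The following is an added example, not part of the original article: the sample text is constructed in the format of the output above, and the function names and the thresholds passed to them are assumptions.

```python
import re

# Constructed sample, modelled on the `show ip nat statistics` output above.
SAMPLE = """\
Total active translations: 200 (0 static, 200 dynamic; 200 extended)
Outside interfaces:
  Serial0/0
Inside interfaces:
  FastEthernet0/0
Hits: 163134904  Misses: 0
Expired translations: 2453616
Dynamic mappings:
-- Inside Source
[Id: 2] access-list 100 interface Serial0/0 refcount 195
"""

def parse_nat_statistics(text):
    """Extract the counters and dynamic mappings from the command output."""
    stats = {"mappings": []}
    m = re.search(r"Total active translations:\s*(\d+)\s*\((\d+) static,"
                  r"\s*(\d+) dynamic;?\s*(\d+) extended\)", text)
    if m:
        names = ("active", "static", "dynamic", "extended")
        stats.update(zip(names, map(int, m.groups())))
    for name in ("Hits", "Misses", "Expired translations"):
        m = re.search(rf"{name}:\s*(\d+)", text)
        if m:
            stats[name.split()[0].lower()] = int(m.group(1))
    pattern = r"access-list (\S+) interface (\S+) refcount (\d+)"
    for acl, iface, ref in re.findall(pattern, text):
        stats["mappings"].append((acl, iface, int(ref)))
    return stats

def review(stats, max_active, expected_acl, outside_if):
    """Return findings; an empty list means the output matches expectations."""
    findings = []
    if stats.get("active", 0) > max_active:
        findings.append(f"active translations {stats['active']} exceed {max_active}")
    for acl, iface, _ in stats["mappings"]:
        if acl != expected_acl or iface.lower() != outside_if.lower():
            findings.append(f"unexpected overload rule: ACL {acl} on {iface}")
    if not stats["mappings"]:
        findings.append("no dynamic mapping found")
    return findings

if __name__ == "__main__":
    print(review(parse_nat_statistics(SAMPLE), 150, "100", "serial0/0"))
```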
ARTICLE SUMMARY
In this article we've covered configuration of NAT Overload on Cisco routers. We also saw how you can control the NAT Overload service
using ACLs and obtain detailed statistics on the NAT service. The configuration and commands presented here are compatible with all
Cisco router models and IOS's.
Ammar Muqaddas is a CCNA certified Engineer, CCNA Instructor and member of the Firewall.cx Team.
Chris Partsenidis is a CCNA certified Engineer, MCP, LCP, Founder & Senior Editor of Firewall.cx