Network Address Translation or NAT is a feature that enables access to the internet from a private network. Therefore, it becomes a mandatory requirement for any kind of network unless it is an isolated one. NAT works by translating the local address using global address as the packets moving back and forth towards the public network. Translation can be done manually using static NAT or automatically using dynamic NAT. Cisco supports both method and in this article, we’re going to learn to configure dynamic NAT in Cisco IOS router.
How to Configure Dynamic NAT in Cisco IOS Router
Overall, the way to configure dynamic NAT in Cisco IOS router is similar to the static NAT configuration. The only difference is that dynamic NAT requires an access-list for the local address and a pool for global address. With dynamic NAT, network administrator can leave the complexity of manually pairing local address with global address. The details of the configuration will be explained using scenario with topology below:
The goal of this configuration is to have all 6 computers able to access the internet using the 5 available global address.
1. Define the inside and outside interface
Assuming the IP addressing and routing to default gateway has been configured, the next step will be defining the inside and outside interface of the router. Inside interface is usually the one side facing to LAN, while outside interface is the other side facing the internet.
The configuration is done at the interface level with command ip nat inside or ip nat outside depending on the types of interface it will be set. For this scenario, the configuration will be like this:
R1(config)#interface f0/0 R1(config-if)#ip nat inside R1(config-if)#exit R1(config)#interface f0/1 R1(config-if)#ip nat outside R1(config-if)#exit
2. Create access-list for local address
Next step is creating an access-list (ACL) that define the list of local address allowed to be translated to global address using dynamic NAT. For this scenario, all the PCs IP address can simply be summarized as 10.2.2.0/24 and therefore the ACL configuration will be as shown below:
R1(config)#access-list 22 permit ip 10.2.2.0 0.0.0.255
Note that ACL can be a standard, extended, or named ACL and you might want to use a more specific ACL in the real practice. Use the simplest ACL that fits the requirement. Remember to keep the ACL ID as it will be used as the reference in step 4.
3. Create NAT pool for global address
The command to create NAT pool is ip nat pool [pool name] [global starting IP] [global ending IP] netmask [subnet mask]. Once again make sure that the global address scope is within the subnet range of the outside interface.
For this scenario, the NAT pool is created using the available global IP address ranging from 172.26.10.91 to 172.26.10.95. Therefore the command to create the NAT pool is:
R1(config)#ip nat pool SysVN 172.26.10.91 172.26.10.95 netmask 255.255.255.248
Notice that the NAT pool is created with the name SysVN. Keep the pool name as it will also be used as the reference in step 4.
4. Configure the dynamic NAT mapping
The last step is to create the dynamic NAT mapping rule. The command to do so is ip nat inside source list [ACL ID] pool [pool name], and therefore the command for this example scenario is:
R1(config)#ip nat inside source list 22 pool SysVN
Notice that the reference ACL ID is 22 and pool name is SysVN as has been created in the previous steps. With this way, we’re simply telling the router to allow local address in subnet 10.2.2.0/24 (or IP address range 10.2.2.1-10.2.2.255) to be translated to global address defined in the NAT pool which are 172.26.10.91-172.26.10.95.
Verifying the NAT sessions
With dynamic NAT in Cisco IOS router, we don’t need to have matching number of local and global address. One global address can be used by any local address as long as it is not currently in use in an active session. To view the active NAT sessions, use command show ip nat translations:
R1#show ip nat trans Pro Inside global Inside local Outside local Outside global icmp 172.26.10.91:20553 10.2.2.51:20553 8.8.8.8:20553 8.8.8.8:20553 icmp 172.26.10.91:21065 10.2.2.51:21065 8.8.8.8:21065 8.8.8.8:21065 --- 172.26.10.91 10.2.2.51 --- --- icmp 172.26.10.92:23625 10.2.2.52:23625 8.8.8.8:23625 8.8.8.8:23625 icmp 172.26.10.92:24137 10.2.2.52:24137 8.8.8.8:24137 8.8.8.8:24137 icmp 172.26.10.92:24649 10.2.2.52:24649 8.8.8.8:24649 8.8.8.8:24649 --- 172.26.10.92 10.2.2.52 --- --- icmp 172.26.10.93:25557 10.2.2.54:25557 8.8.8.8:25557 8.8.8.8:25557 icmp 172.26.10.93:25945 10.2.2.54:25945 8.8.8.8:25945 8.8.8.8:25945 --- 172.26.10.93 10.2.2.54 --- ---
An example output above shows that there are three active sessions, which are 10.2.2.51 that is currently translated to 172.26.10.91, 10.2.2.52 that is currently translated to 172.26.10.92, and 10.2.2.54 that is currently translated to 172.26.10.93. It means that there are two more global address that is currently unused, which are 172.26.10.94 and 172.26.10.95, and these can be used by any of the remaining local address.
The disadvantage of dynamic NAT is when all global address are currently used, other local address requiring new translation will be rejected until there is any dropped session. Also, dynamic NAT is unable to be used for translation of incoming connection due to its nature of doing translation per-session based.
And that’s everything you need to know to configure dynamic NAT in Cisco IOS router.