Configuring NAT
Consider the following NAT configuration for Router C of Figure 1-11 (for brevity, only the NAT-specific lines are listed):
    hostname RTC
    !
    ip nat pool mypool 171.69.10.1 171.69.10.254 prefix-length 24
    ip nat inside source list 2 pool mypool overload
    !
    interface Serial0
     ip nat outside
    !
    interface Ethernet0
     ip nat inside
    !
    access-list 2 permit 192.168.1.0 0.0.0.255
The line ip nat pool mypool 171.69.10.1 171.69.10.254 prefix-length 24 creates the pool of addresses for NAT: the inside global addresses. This pool contains 254 addresses, from 171.69.10.1 through 171.69.10.254, and prefix-length 24 gives the network mask (255.255.255.0) of the network those addresses belong to. These addresses are legal, public addresses that the router substitutes for the private addresses (the inside local addresses).
The line ip nat inside source list 2 pool mypool overload configures the router to translate internal private addresses that match access list 2 (configured in a following line), using the pool mypool that was created in the preceding line. Internal traffic that does not match access list 2 is not translated and is routed normally.
The overload keyword means the router may use a single public address to represent multiple privately addressed hosts; in effect, it multiplexes many private addresses over one public address. Overload is needed whenever the number of simultaneous translations can exceed the number of addresses in the pool; without it, once the pool is exhausted no further inside host can obtain a translation. With overload, the router uses unique TCP and UDP port numbers on the global address to tell the sessions of different private hosts apart. Because over 64,000 TCP/UDP port numbers are available per address, you can theoretically support tens of thousands of private hosts with a single IP address. In practice each active session, not each host, consumes one port, so a few hosts with many open connections use far more ports than the host count suggests, and you will likely reach practical limits (router memory and CPU spent maintaining the translation table) well before the port space is exhausted.
NOTE You can create a pool with just one address and use the overload keyword. This enables you to translate many private addresses by using a single IP address. That one address in the pool may also be an IP address belonging to one of the router's interfaces.
The line ip nat outside is configured in interface configuration mode for the serial interface (Serial0). This tells the router that this interface faces the publicly addressed world. In most cases, this points to the public Internet.
The line ip nat inside tells the router that the Ethernet interface (Ethernet0) faces the internal network. This is where our privately addressed hosts are: the hosts that need translation to communicate with the Internet.
The line access-list 2 permit 192.168.1.0 0.0.0.255 creates an access list numbered 2 that defines the hosts that need translation. This access list is used by the previous command, ip nat inside source list 2 pool mypool. The router identifies packets to and from inside local addresses by matching the access list criteria, allocates addresses from mypool, and translates the addresses as it passes packets between the internal network and the Internet. For information on how to configure access lists and the syntax used, see Chapter 6, "Deploying Basic Security Services."
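The following is an added example, not the book's configuration for Router C, showing the single-address variant from the NOTE above: instead of a pool, the router overloads the address of its own outside interface. The interface names, the 192.168.1.1 and 171.69.10.1 addresses, the extended access list 101, and the timeout values are assumptions for illustration. It also adds the inbound filter a practitioner would want, because access list 2 only selects which inside sources are translated and does nothing to restrict traffic arriving from the outside.

```cisco
! Added example (not from the book). Assumed interface names and addresses.
hostname RTC
!
interface Ethernet0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface Serial0
 ip address 171.69.10.1 255.255.255.252
 ip nat outside
 ! Inbound ACLs on the outside interface are evaluated before NAT
 ! untranslates, so they see the global address. NAT is not a firewall:
 ! filter unsolicited inbound traffic explicitly.
 ip access-group 101 in
!
! Access list 2 chooses WHICH inside sources are translated; it is not a
! filter on outside traffic.
access-list 2 permit 192.168.1.0 0.0.0.255
!
! Assumed, stateless example filter: allow only return traffic for TCP
! sessions opened from inside, log and drop everything else. UDP/ICMP
! return traffic needs a stateful feature (see Chapter 6), not shown here.
access-list 101 permit tcp any host 171.69.10.1 established
access-list 101 deny   ip any any log
!
! Single-address overload: no pool, all inside hosts share Serial0's address,
! distinguished by TCP/UDP port on that address.
ip nat inside source list 2 interface Serial0 overload
!
! Assumed timeouts: age idle entries so dead sessions do not hold ports.
ip nat translation timeout 3600
ip nat translation tcp-timeout 3600
ip nat translation udp-timeout 300
!
! Verify from EXEC mode (not configuration commands):
!   show ip nat translations   - current entries, one line per session
!   show ip nat statistics     - hit/miss counters and pool usage
!   clear ip nat translation * - flush the table after changing the rules
```

Because this form has exactly one global address, every session from the LAN must be multiplexed by port, so the per-session port consumption described above is the limit that matters; watch the miss counter in show ip nat statistics to see when sessions fail to get an entry.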
Instead of using an access list, you can use a route map to trigger translation based on such information as next-hop address and outbound interface. To do this, use the command ip nat inside source route-map instead of ip nat inside source list. This can be particularly useful if you are connected to two ISPs and want to use different pools for each ISP. See Chapter 3 for information on route maps (covered under policy routing).
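The dual-ISP case mentioned above, as an added example that is not from the book: each ISP link gets its own pool of that ISP's addresses, and a route map that matches both the inside hosts and the outgoing interface selects the pool. The interface names, the second pool's 171.70.20.0/24 range, and the route-map and pool names are assumptions.

```cisco
! Added example (not from the book). Assumed names, ranges and interfaces.
interface Ethernet0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface Serial0
 description Link to ISP A
 ip nat outside
!
interface Serial1
 description Link to ISP B
 ip nat outside
!
! The same inside hosts are eligible on both links.
access-list 2 permit 192.168.1.0 0.0.0.255
!
! One pool per ISP, each holding addresses assigned by that ISP. Sending
! ISP A's addresses out the ISP B link would be dropped by ISP B's
! ingress (anti-spoofing) filters, which is why the pool must follow the exit.
ip nat pool POOL-ISPA 171.69.10.1 171.69.10.254 prefix-length 24
ip nat pool POOL-ISPB 171.70.20.1 171.70.20.254 prefix-length 24
!
! A route map used by NAT may match the source list and the outgoing
! interface chosen by routing; only packets matching both are translated.
route-map RM-ISPA permit 10
 match ip address 2
 match interface Serial0
!
route-map RM-ISPB permit 10
 match ip address 2
 match interface Serial1
!
! Bind each route map to its ISP's pool, replacing "source list 2 pool ...".
ip nat inside source route-map RM-ISPA pool POOL-ISPA overload
ip nat inside source route-map RM-ISPB pool POOL-ISPB overload
```

Routing, not NAT, decides which serial interface a packet leaves on; the route map only makes sure the global address the packet carries belongs to the ISP behind that interface.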