2. Acknowledgements
• Note: for expediency, this slide-deck summarises and uses graphics from various Cisco documentation, including:
– Cisco − NAT: Local and Global Definitions
– Cisco − How NAT Works
– Cisco − Configuring Network Address Translation: Getting Started
– Cisco – NAT Virtual Interface
– Cisco NAT FAQ:
• http://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/26704-nat-faq-00.html
– The Inside and Outside of NAT
• http://blog.ine.com/2008/02/15/the-inside-and-outside-of-nat/
3. Foundations
• First of all, we need to understand some basic terms:
– Inside network = This is inside your network
– Outside network = This is outside your network
– Inside Local = The assigned IP address of a host inside your network
– Inside Global = The “public” IP address used to represent a host inside your network
– Outside Local = The locally known IP address of an outside host
- not the legitimate host address, but an address that is routable to the inside network
– Outside Global = The assigned IP address of a host outside of your network
- assigned by the host’s owner, could itself be a NAT’d address
4. Legacy (domain-based) Inside-to-Outside NAT
• Have to:
1. Declare a NAT INSIDE and a NAT OUTSIDE interface
2. Set up a NAT pool
3. Set up a source-list to define what source addresses will be NAT’d for outbound
traffic
5. Legacy Inside-to-Outside NAT
No-Overload
interface Serial 0
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
!-- Defines serial 0 with an IP address and as a NAT inside interface
!
interface ethernet 1
 ip address 10.10.20.1 255.255.255.0
 ip nat inside
!
!-- Defines Ethernet 1 with an IP address and as a NAT inside interface
!
interface serial 1
 ip address 172.16.10.64 255.255.255.0
 ip nat outside
!-- Defines serial 1 with an IP address and as a NAT outside interface
!
ip nat pool POOL-NO-OVERLOAD 172.16.10.1 172.16.10.63 prefix 24
!
!-- Defines a NAT pool named POOL-NO-OVERLOAD with a range of addresses
!-- 172.16.10.1 - 172.16.10.63
!
ip nat inside source list 7 pool POOL-NO-OVERLOAD
!
!-- Indicates that any packets received on the inside interface that
!-- are permitted by access-list 7
!-- will have the source address translated to an address out of the
!-- NAT pool "POOL-NO-OVERLOAD"
!
access-list 7 permit 10.10.10.0 0.0.0.31
access-list 7 permit 10.10.20.0 0.0.0.31
!
!-- Access-list 7 permits packets with source addresses ranging from
!-- 10.10.10.0 through 10.10.10.31 and 10.10.20.0 through 10.10.20.31
Note: Packet is routed first and then NAT occurs
6. Legacy Inside-to-Outside NAT
Overload (also known as “PAT”)
interface Serial 0
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
!-- Defines serial 0 with an IP address and as a NAT inside interface
!
interface ethernet 1
 ip address 10.10.20.1 255.255.255.0
 ip nat inside
!
!-- Defines Ethernet 1 with an IP address and as a NAT inside interface
!
interface serial 1
 ip address 172.16.10.64 255.255.255.0
 ip nat outside
!-- Defines serial 1 with an IP address and as a NAT outside interface
!
ip nat pool POOL-OVERLOAD 172.16.10.1 172.16.10.2 prefix 24
!
!-- Defines a NAT pool named POOL-OVERLOAD with a range of addresses
!-- 172.16.10.1 - 172.16.10.2
!-- Means that the users will re-use the two NAT addresses but be
!-- distinguished by their source ports.
!
ip nat inside source list 7 pool POOL-OVERLOAD overload
!
!-- Indicates that any packets received on the inside interface that
!-- are permitted by access-list 7
!-- will have the source address translated to an address out of the
!-- NAT pool "POOL-OVERLOAD"
!
access-list 7 permit 10.10.10.0 0.0.0.31
access-list 7 permit 10.10.20.0 0.0.0.31
!
!-- Access-list 7 permits packets with source addresses ranging from
!-- 10.10.10.0 through 10.10.10.31 and 10.10.20.0 through 10.10.20.31
Note: Packet is routed first and then NAT occurs
7. Static NAT of Outside Host for Inside access
interface s0
 ip nat inside
!
interface s1
 ip nat outside
!
ip nat outside source static 171.16.68.1 10.10.10.5
The outside global host IP of 172.16.68.1 will be translated to 10.10.10.5 so that any inside host may be able to reach it without having to be source NAT’d.
Note: Packet is NAT’d first and then routed
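Worked example (added here; it is not code from the slides or from Cisco): a small Python model of the legacy NAT behaviour on slides 5 to 7. It implements Cisco wildcard-mask matching for access-list 7, a dynamic pool with and without overload, and the static outside-source mapping from slide 7. The class and function names (NatPool, legacy_inside_to_outside, pool_exhaustion_demo, and so on) are this example's own; the addresses, pool ranges and access-list entries are the ones on the slides; the PAT port-selection rule is a simplification and not the IOS algorithm. The demo function shows something the slides only imply: access-list 7 permits 64 inside hosts, so the 63-address no-overload pool leaves one host untranslated, while the two-address overload pool serves all of them.

```python
"""Model of legacy (domain-based) Cisco IOS NAT as on slides 5-7 (added example)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard-mask match: 0 bits must match, 1 bits are 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (n & care)


# access-list 7 exactly as on the slides: two 32-host ranges (constructed list).
ACL_7: List[Tuple[str, str]] = [("10.10.10.0", "0.0.0.31"), ("10.10.20.0", "0.0.0.31")]


def acl_permits(addr: str, acl: List[Tuple[str, str]] = ACL_7) -> bool:
    return any(wildcard_match(addr, net, wc) for net, wc in acl)


@dataclass
class NatPool:
    """'ip nat pool NAME first last prefix 24', optionally used with 'overload'."""
    first: str
    last: str
    overload: bool = False
    # Dynamic translation table: (inside local, port) -> (inside global, port)
    table: Dict[Tuple[str, int], Tuple[str, int]] = field(default_factory=dict)

    def addresses(self) -> List[str]:
        lo = int(ipaddress.IPv4Address(self.first))
        hi = int(ipaddress.IPv4Address(self.last))
        return [str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1)]

    def translate(self, inside_local: str, port: int) -> Optional[Tuple[str, int]]:
        """Return the (inside global, port) for this flow, or None if the pool is exhausted."""
        key = (inside_local, port)
        if key in self.table:
            return self.table[key]
        if not self.overload:
            # No-overload: one global address per inside host, source port untouched.
            by_host = {loc: glob for (loc, _), (glob, _) in self.table.items()}
            if inside_local in by_host:
                self.table[key] = (by_host[inside_local], port)
                return self.table[key]
            for g in self.addresses():
                if g not in by_host.values():
                    self.table[key] = (g, port)
                    return self.table[key]
            return None  # no free global address left: the flow is not translated
        # Overload (PAT): hosts share each address and flows are told apart by port.
        # Simplified rule (assumption, not IOS behaviour): keep the source port if it is
        # still free on some pool address, otherwise take the next unused port.
        in_use = set(self.table.values())
        for g in self.addresses():
            if (g, port) not in in_use:
                self.table[key] = (g, port)
                return self.table[key]
        for g in self.addresses():
            for p in range(1024, 65536):
                if (g, p) not in in_use:
                    self.table[key] = (g, p)
                    return self.table[key]
        return None


def legacy_inside_to_outside(pool: NatPool, src: str, sport: int) -> Optional[Tuple[str, int]]:
    """Slides 5/6: 'ip nat inside source list 7 pool ...'. The packet was routed to the
    outside interface first; translation applies only when list 7 permits the source."""
    if not acl_permits(src):
        return (src, sport)  # not in the source list: forwarded untranslated
    return pool.translate(src, sport)


# Slide 7: 'ip nat outside source static 171.16.68.1 10.10.10.5'
OUTSIDE_STATIC: Dict[str, str] = {"171.16.68.1": "10.10.10.5"}


def legacy_outside_to_inside_src(outside_global: str) -> str:
    """Static outside-source NAT: applied before routing, so inside hosts see the
    outside local address as the sender and need no source NAT themselves."""
    return OUTSIDE_STATIC.get(outside_global, outside_global)


def pool_exhaustion_demo() -> Tuple[int, int]:
    """64 permitted inside hosts against both pools: (no-overload successes, overload successes)."""
    hosts = [f"10.10.10.{i}" for i in range(32)] + [f"10.10.20.{i}" for i in range(32)]
    no_ovl = NatPool("172.16.10.1", "172.16.10.63")
    ovl = NatPool("172.16.10.1", "172.16.10.2", overload=True)
    ok_no_ovl = sum(legacy_inside_to_outside(no_ovl, h, 40000) is not None for h in hosts)
    ok_ovl = sum(legacy_inside_to_outside(ovl, h, 40000) is not None for h in hosts)
    return ok_no_ovl, ok_ovl


if __name__ == "__main__":
    print("no-overload / overload hosts translated:", pool_exhaustion_demo())
```

The pool-exhaustion check is the one worth keeping in mind when sizing a no-overload pool against a source list: every host the list permits needs its own global address, and the wildcard 0.0.0.31 permits 32 hosts per line.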
8. NAT Virtual Interface (NVI)
• Introduced in IOS 12.3(14)T
• Simplifies the config a little (but may be less clear in intention!)
• Removes the requirement to configure an interface as either:
– NAT inside, or
– NAT outside
• An interface can be configured to use NAT or not use NAT.
• Configure by:
1. Using the command ‘ip nat source …’ without specifying the inside/outside tag when defining the source address(es) to be NAT’d
2. Enabling NAT on the interfaces via the command ‘ip nat enable’
9. Inside-to-Outside NAT No-Overload using NVI
interface Serial 0
 ip address 10.10.10.1 255.255.255.0
 ip nat enable
!
interface ethernet 1
 ip address 10.10.20.1 255.255.255.0
 ip nat enable
!
interface serial 1
 ip address 172.16.10.64 255.255.255.0
 ip nat enable
!
ip nat pool POOL-NO-OVERLOAD 172.16.10.1 172.16.10.63 prefix 24
!
ip nat source list 7 pool POOL-NO-OVERLOAD
!
access-list 7 permit 10.10.10.0 0.0.0.31
access-list 7 permit 10.10.20.0 0.0.0.31
!
Notice that the “NAT Inside” and “NAT Outside” statements are now replaced by “NAT Enable”.
Also: NAT Source no longer has an ‘inside’ or ‘outside’ reference.
Commands to show translation:
• show ip nat nvi translations
• show ip nat nvi statistics
10. Inside-to-Outside NAT Overload (also known as “PAT”) using NVI
interface Serial 0
 ip address 10.10.10.1 255.255.255.0
 ip nat enable
!
interface ethernet 1
 ip address 10.10.20.1 255.255.255.0
 ip nat enable
!
interface serial 1
 ip address 172.16.10.64 255.255.255.0
 ip nat enable
!
ip nat pool POOL-OVERLOAD 172.16.10.1 172.16.10.2 prefix 24
!
ip nat source list 7 pool POOL-OVERLOAD overload
!
access-list 7 permit 10.10.10.0 0.0.0.31
access-list 7 permit 10.10.20.0 0.0.0.31
!
11. Static NAT of Outside Host for Inside access with NVI
interface s0
 ip nat enable
!
interface s1
 ip nat enable
!
ip nat source static 171.16.68.1 10.10.10.5
12. So what exactly is NVI?
• NVI is the name of a virtual interface (NVI0) created by Cisco IOS when you enable NAT
– Created when using legacy (inside/outside) NAT
– Created when using NVI NAT
• “OK, I’m confused”, you say.
– Basically, Cisco introduced a new configuration format in IOS 12.3(14)T and called it “NVI NAT” to distinguish it from “NAT’ing on a stick”, where a single routing interface is used to perform the NAT
• A loopback interface is used and that is the OUTSIDE interface
• The single local network interface is the INSIDE interface
• The NAT’ing direction is automatically defined by the traffic flow
• And ….. importantly
13. So what exactly is NVI?
• Traffic is symmetrically handled:
1. the NAT translation table is used to make a routing decision to send the packet to
the NVI0 interface
• Basically a static route forwarding to NVI0 for all packets matching the NAT pool is automatically configured
2. The packet is translated at the NVI0 interface
3. The packet is then routed based on the translated destination
• Difference:
– Legacy (domain-based) NAT:
• Outbound NAT – packet is routed and then translated
• Inbound NAT – packet is translated and then routed
– NVI-based NAT
• Symmetrical handling, routing is performed twice
– 1st to send packet to the NVI
– Second to send packet to destination based on translated address
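Worked example (added here; not code from the slides or from Cisco) contrasting the two forwarding sequences just described for an inbound packet: legacy NAT translates the destination and then routes once, NVI routes the packet to NVI0, translates it there, and routes a second time on the translated address. The routing table is built from the connected networks of the slide 9 configuration; the live translation entry, the assumption that the automatic NVI0 route is a /32 per allocated pool address, and the function names (lookup, legacy_inbound, nvi_inbound) are this example's own.

```python
"""Two routing lookups (NVI) versus one (legacy) for the same inbound packet (added example)."""
import ipaddress
from typing import Dict, List

# Connected routes from the slide 9 configuration (constructed table).
ROUTES: Dict[str, str] = {
    "10.10.10.0/24": "Serial0",
    "10.10.20.0/24": "Ethernet1",
    "172.16.10.0/24": "Serial1",
}

# One live translation (constructed): inside local 10.10.10.5 holds pool address 172.16.10.5.
TRANSLATIONS: Dict[str, str] = {"172.16.10.5": "10.10.10.5"}


def nvi_routes() -> Dict[str, str]:
    """Routing table plus the routes the slide says NVI installs automatically.
    Model assumption: one host route per allocated pool address, pointing at NVI0."""
    table = dict(ROUTES)
    for inside_global in TRANSLATIONS:
        table[f"{inside_global}/32"] = "NVI0"
    return table


def lookup(table: Dict[str, str], dst: str) -> str:
    """Longest-prefix match, the way a router's forwarding table decides."""
    addr = ipaddress.IPv4Address(dst)
    best = None
    for prefix, iface in table.items():
        net = ipaddress.IPv4Network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, iface)
    return best[1] if best else "drop"


def legacy_inbound(dst: str) -> List[str]:
    """Outside-to-inside under domain-based NAT: translate first, then route once."""
    steps = []
    dst = TRANSLATIONS.get(dst, dst)
    steps.append(f"translate dst -> {dst}")
    steps.append(f"route -> {lookup(ROUTES, dst)}")
    return steps


def nvi_inbound(dst: str) -> List[str]:
    """The same packet under NVI: route to NVI0, translate there, route again."""
    table = nvi_routes()
    steps = []
    first = lookup(table, dst)
    steps.append(f"route -> {first}")
    if first == "NVI0":
        dst = TRANSLATIONS.get(dst, dst)
        steps.append(f"translate dst -> {dst}")
        steps.append(f"route -> {lookup(table, dst)}")
    return steps


if __name__ == "__main__":
    print("legacy:", legacy_inbound("172.16.10.5"))
    print("nvi:   ", nvi_inbound("172.16.10.5"))
```

A packet to a non-pool address such as the router's own 172.16.10.64 never hits the NVI0 route in this model and is routed once, exactly like a packet on a router with no translation for its destination.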
14. NOTE:
• Cisco recommends legacy NAT still be used for:
– Virtual Router Function (VRF) to global NAT
– NAT’ing between interfaces in the same VRF
• NVI can be used to NAT between different VRFs or for traffic going across the router that is performing the NAT
15. The End
Ibbidy …. Ibbidy …. Ibbidy ….. That’s All Folks!!!
Image courtesy of: dmgermain.blogspot.com