IPv4 Network Address Translation

Network Address Translation

4.5.d i Static NAT, PAT

Static NAT

Static NAT = Permanent mapping between an internal IP address (inside local) and a public IP address (inside global).

Configuration steps for “Static NAT”:

  1. Define and configure outside interface
  2. Define and configure inside interface(s)
  3. Configure static NAT mapping

“Static NAT” CLI configuration commands:

## Configuring NAT outside interface
Router(config)# interface <if>
Router(config-if)# ip nat outside

## Configuring NAT inside interface
Router(config)# interface <if>
Router(config-if)# ip nat inside

## Configuring static NAT translation
Router(config)# ip nat inside source static <inside-ip> <outside-ip>

“Static NAT” CLI show commands:

## Showing active NAT translations
Router# show ip nat translations

Static PAT

Static PAT = Permanent mapping between an internal IP address and port (inside local) and a public IP address and port (inside global).

Configuration steps for “Static PAT”:

  1. Define and configure outside interface
  2. Define and configure inside interface/s
  3. Configure static PAT mapping

“Static PAT” CLI configuration commands:

## Configuring NAT outside interface
Router(config)# interface <if>
Router(config-if)# ip nat outside

## Configuring NAT inside interface
Router(config)# interface <if>
Router(config-if)# ip nat inside

## Configuring static PAT translation
Router(config)# ip nat inside source static <protocol> <inside-ip> <inside-port> <outside-ip> <outside-port>

“Static PAT” CLI show commands:

## Showing active NAT translations
Router# show ip nat translations

4.5.d ii Dynamic NAT, PAT

Dynamic NAT

Dynamic NAT = Dynamic mapping of internal IP addresses (inside local) to a pool of public IP addresses (inside global).

Configuration steps for “Dynamic NAT”:

  1. Define and configure outside interface
  2. Define and configure inside interface/s
  3. Define ACL for permitted internal IP addresses
  4. Define NAT IP Pool for available public IP addresses
  5. Configure dynamic NAT rule

“Dynamic NAT” CLI configuration commands:

## Configuring NAT outside interface
Router(config)# interface <if>
Router(config-if)# ip nat outside

## Configuring NAT inside interface
Router(config)# interface <if>
Router(config-if)# ip nat inside

## Configuring an ACL for dynamic NAT
Router(config)# ip access-list standard [NAME]
Router(config-std-nacl)# permit <ip> <wildcardmask>

## Configuring a dynamic NAT inside global address pool
Router(config)# ip nat pool <pool-name> <start-ip> <end-ip> netmask <mask>

## Configuring dynamic NAT translation
Router(config)# ip nat inside source list [ACL-NAME] pool [POOL-NAME]

“Dynamic NAT” CLI show commands:

## Showing active NAT translations
Router# show ip nat translations

## Showing NAT statistics (interfaces, packet count, ...)
Router# show ip nat statistics
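
The five dynamic NAT steps above can be checked against a saved running-config. This Python check is an added example, not part of the original notes or any Cisco tooling; the sample config, the names NAT-USERS, PUBLIC, NAT-GUESTS and GUEST-POOL, and all addresses are constructed. It assumes named standard ACLs with `permit <ip> <wildcardmask>` entries, as used on this page.

```python
import ipaddress
import re

# Constructed sample running-config (RFC 1918 / RFC 5737 addresses).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 ip nat outside
interface GigabitEthernet0/1
 ip nat inside
ip access-list standard NAT-USERS
 permit 192.168.10.0 0.0.0.255
ip nat pool PUBLIC 203.0.113.10 203.0.113.20 netmask 255.255.255.0
ip nat inside source list NAT-USERS pool PUBLIC
ip nat inside source list NAT-GUESTS pool GUEST-POOL
"""
IP = r"\d+\.\d+\.\d+\.\d+"

def as_int(addr):
    return int(ipaddress.ip_address(addr))

def audit_dynamic_nat(config):
    """Check the five dynamic NAT steps; return a list of findings."""
    roles = set(re.findall(r"^ ip nat (inside|outside)$", config, re.M))
    acls = {}  # ACL name -> number of addresses its permit lines match
    for name, body in re.findall(
            r"^ip access-list standard (\S+)\n((?: .*\n)*)", config, re.M):
        masks = re.findall(rf"permit {IP} ({IP})", body)  # host/any forms not counted
        acls[name] = sum(2 ** bin(as_int(m)).count("1") for m in masks)
    pools = {}  # pool name -> number of inside global addresses
    for name, start, end in re.findall(
            rf"^ip nat pool (\S+) ({IP}) ({IP}) netmask", config, re.M):
        pools[name] = as_int(end) - as_int(start) + 1
    rules = re.findall(r"^ip nat inside source list (\S+) pool (\S+)", config, re.M)
    findings = [f"no interface marked 'ip nat {r}'"
                for r in ("outside", "inside") if r not in roles]
    if not rules:
        findings.append("no dynamic NAT rule configured")
    for acl, pool in rules:
        if acl not in acls:
            findings.append(f"rule references undefined ACL {acl}")
        if pool not in pools:
            findings.append(f"rule references undefined pool {pool}")
        if acls.get(acl, 0) > pools.get(pool, float("inf")):
            findings.append(f"ACL {acl} matches {acls[acl]} addresses, "
                            f"pool {pool} holds {pools[pool]}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_dynamic_nat(SAMPLE_CONFIG)))
```

Dynamic NAT leases one pool address per inside host, so the size comparison flags pools that can run out while the ACL still permits more hosts.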

Dynamic PAT

Dynamic PAT = Traffic from many internal IP addresses (inside local) is mapped to one public IP address (inside global); each flow is kept apart by a unique port.

Configuration steps for “Dynamic PAT”:

  1. Define and configure outside interface
  2. Define and configure inside interface/s
  3. Define ACL for permitted internal IP addresses
  4. Configure PAT rule

“Dynamic PAT” CLI configuration commands:

## Configuring NAT outside interface
Router(config)# interface <if>
Router(config-if)# ip nat outside

## Configuring NAT inside interface
Router(config)# interface <if>
Router(config-if)# ip nat inside

## Configuring an ACL for dynamic PAT
Router(config)# ip access-list standard [NAME]
Router(config-std-nacl)# permit <ip> <wildcardmask>

## Configuring dynamic PAT translation
Router(config)# ip nat inside source list [ACL-NAME] interface <outside-if> overload

“Dynamic PAT” CLI show commands:

## Showing active NAT translations
Router# show ip nat translations

## Showing NAT statistics (interfaces, packet count, ...)
Router# show ip nat statistics
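
How the four translation types above differ for outside-initiated traffic, as an added example that is not from the original notes: a toy Python model that tracks only inside local / inside global pairs. It generalizes across the static and dynamic sections; the class and function names, the port allocation and all addresses are assumptions made for illustration, not IOS behaviour.

```python
class NatModel:
    """Toy inside-source NAT table; simplified, not the IOS implementation."""
    def __init__(self, pool=(), overload_ip=None):
        self.static_nat = {}    # inside local IP -> inside global IP
        self.static_pat = {}    # (proto, local IP, port) -> (global IP, port)
        self.pool = list(pool)  # free inside global IPs (dynamic NAT)
        self.dyn_nat = {}       # inside local IP -> leased inside global IP
        self.overload_ip = overload_ip
        self.dyn_pat = {}       # (proto, local IP, port) -> global port

    def outbound(self, proto, ip, port):
        """Inside-originated flow -> (global IP, port), or None if untranslatable."""
        key = (proto, ip, port)
        if key in self.static_pat:
            return self.static_pat[key]
        if ip in self.static_nat:
            return (self.static_nat[ip], port)
        if self.overload_ip:  # dynamic PAT: one address, unique port per flow
            if key not in self.dyn_pat:
                used = {g for (p, _, _), g in self.dyn_pat.items() if p == proto}
                self.dyn_pat[key] = next(g for g in range(port, 65536) if g not in used)
            return (self.overload_ip, self.dyn_pat[key])
        if ip not in self.dyn_nat:  # dynamic NAT: lease one pool address per host
            if not self.pool:
                return None  # pool exhausted
            self.dyn_nat[ip] = self.pool.pop(0)
        return (self.dyn_nat[ip], port)

    def inbound(self, proto, gip, gport):
        """Outside-originated packet -> (local IP, port), or None if no entry."""
        for (p, lip, lport), glob in self.static_pat.items():
            if (p, glob) == (proto, (gip, gport)):
                return (lip, lport)
        for table in (self.static_nat, self.dyn_nat):
            for lip, glob in table.items():
                if glob == gip:
                    return (lip, gport)
        for (p, lip, lport), mapped in self.dyn_pat.items():
            if (p, self.overload_ip, mapped) == (proto, gip, gport):
                return (lip, lport)
        return None

def demo():
    """Constructed entries using RFC 1918 / RFC 5737 addresses."""
    nat = NatModel(pool=["203.0.113.10"])
    nat.static_nat["10.0.0.5"] = "203.0.113.5"
    nat.static_pat[("tcp", "10.0.0.6", 443)] = ("203.0.113.6", 8443)
    return nat
```

In this model a static NAT entry translates inbound packets on every port, a static PAT entry only on its configured port, and dynamic entries only after an inside host has created them.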

4.5.d iii Policy-based NAT, PAT

Policy-based NAT/PAT is NAT/PAT in conjunction with route-maps.

No other notes taken.

4.5.d iv VRF aware NAT, PAT

General information on “VRF aware NAT, PAT”:

“VRF aware NAT, PAT” CLI configuration commands:

## ===================
## "VRF to Global" NAT
## ===================

## Configuring a route in the VRF routing table to the destination (which resides in the global routing table)
Router(config)# ip route vrf [VRF-NAME] <subnet> <mask> <next-hop> global

## Configuring the NAT statement (Static NAT)
Router(config)# ip nat inside source static <inside-ip> <outside-ip> vrf [VRF-NAME]

## Configuring the NAT statement (Dynamic NAT)
Router(config)# ip nat inside source list [ACL-NAME] pool <pool> vrf [VRF-NAME]

## Configuring the NAT statement (Dynamic PAT)
Router(config)# ip nat inside source list [ACL-NAME] interface <outside-if> vrf [VRF-NAME] overload


## ===================
## "Global to VRF" NAT
## ===================

## Configuring a route in the global routing table to the destination (which resides in the VRF routing table)
Router(config)# ip route <subnet> <mask> <exit-if> <next-hop>

## Configuring a route in the VRF routing table to the source (which resides in the global routing table)
Router(config)# ip route vrf [VRF-NAME] <subnet> <mask> <next-hop> global

## Configuring the NAT statement (Static NAT)
Router(config)# ip nat inside source static <inside-ip> <outside-ip>

## Configuring the NAT statement (Dynamic NAT)
Router(config)# ip nat inside source list [ACL-NAME] pool <pool>

## Configuring the NAT statement (Dynamic PAT)
Router(config)# ip nat inside source list [ACL-NAME] interface <outside-if> overload


## ===============
## "Intra-VRF" NAT
## ===============

## Configuring the NAT statement (Static NAT)
Router(config)# ip nat inside source static <inside-ip> <outside-ip> vrf [VRF-NAME] match-in-vrf

## Configuring the NAT statement (Dynamic NAT)
Router(config)# ip nat inside source list <acl> pool <pool> vrf [VRF-NAME] match-in-vrf

## Configuring the NAT statement (Dynamic PAT)
Router(config)# ip nat inside source list <acl> interface <outside-if> vrf [VRF-NAME] match-in-vrf overload

4.5.d v IOS-XE VRF-Aware Software Infrastructure (VASI) NAT

VASI = VRF-Aware Software Infrastructure

General information on “IOS-XE VRF-Aware Software Infrastructure (VASI) NAT”:

VASI traffic flow: (graphic missing)

Configuration steps for “IOS-XE VRF-Aware Software Infrastructure (VASI) NAT”:

  1. Create the vasileft and vasiright interfaces, put them in their respective VRFs and assign IP addresses using a /30
  2. Configure static routes within the VRF to the destination, using the source-VRF VASI interface as exit-if and the IP address of the destination-VRF VASI interface as next-hop
  3. Apply the ip nat inside and ip nat outside keywords:
    1. Option 1: Physical source-interface = ip nat inside ; VASI source-interface = ip nat outside
    2. Option 2: VASI destination-interface = ip nat inside ; Physical destination-interface = ip nat outside
  4. Configure NAT statement in NAT-router

“IOS-XE VRF-Aware Software Infrastructure (VASI) NAT” CLI configuration commands:

## Creating VASI interfaces
Router(config)# interface <vasileft/vasiright> [id]
Router(config-if)# vrf forwarding [VRF-NAME]
Router(config-if)# ip address <ip> <mask>

## Configuring static routes
Router(config)# ip route vrf <vrf-name> <subnet> <mask> <exit-if> <next-hop>

## Applying the NAT inside/outside statements
Router(config)# interface <if>
Router(config-if)# ip nat inside

Router(config)# interface <if>
Router(config-if)# ip nat outside

## Configuring the NAT statement (Static NAT)
Router(config)# ip nat inside source static <inside-ip> <outside-ip> vrf [VRF-NAME]

## Configuring the NAT statement (Dynamic NAT)
Router(config)# ip nat inside source list <acl> pool <pool> vrf [VRF-NAME]

## Configuring the NAT statement (Dynamic PAT)
Router(config)# ip nat inside source list <acl> interface <outside-if> vrf [VRF-NAME] overload