Copyright (c) 2008 Don R. Crawley

Network Address Translation, better known simply as NAT, allows an outside address to represent a single inside address or many inside addresses. There are several forms of NAT, but one of the most common is called NAT overloading, Port Address Translation, or simply PAT. PAT provides a many-to-one mapping, with many inside private addresses mapped to one outside public address. We often see PAT used in home firewalls and routers to allow several home computers and perhaps a gaming console to use private addresses such as 192.168.1.1-100 and share a single registered public address on the Internet. The process is made possible by appending different port numbers to the source and destination addresses to create a unique connection. Given that there are more than 65,000 port numbers, you'll likely run out of bandwidth or system resources long before running out of translation slots!

Here are the four steps to configuring Port Address Translation (each step starts in configuration mode, "config t"):

1. Configure NAT on your inside interface:
   int e0/0
   ip nat inside

2. Configure NAT on your outside interface:
   int e0/1
   ip nat outside

3. Configure an access control list to allow the inside traffic to use NAT:
   access-list 101 permit ip any any

4. Enable NAT overloading (PAT) on the outside interface:
   ip nat inside source list 101 interface e0/1 overload

In this example, the "ip nat inside" and "ip nat outside" statements are used to tell the router which interface is considered inside and which interface is considered outside for the purpose of NAT. Interface Ethernet 0/0 is inside and Interface Ethernet 0/1 is outside. Your interfaces will probably be different; for example, you might be configuring "f0/0" or "gigabit 0/1", etc.

The access control list statement tells the router to permit all IP traffic to flow from any source to any destination. The number (101) is simply an ID that must match the number used in the "ip nat" statement. (Note that, in this case, the number must fall between 100 and 199 inclusive.)

The "ip nat inside source list" statement tells the router which access control list to use to identify the traffic to translate (access-list 101), the interface on which NAT will be performed (interface Ethernet 0/1) and the form of NAT to perform (overload).

This configuration will allow any host on the inside subnet to share the outside interface for the purpose of going on the Internet. There is no restriction as to the type of traffic, nor are there any restricted hosts. Obviously, this configuration would only be acceptable in a small office or home type of network. Even then, you might want to limit hosts' access to the Internet by creating a more restrictive access control list.
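The four steps combined into one configuration, as an added example that is not part of the original text: it uses the more restrictive access control list the text recommends instead of "permit ip any any". The inside subnet (192.168.1.0/24 on Ethernet0/0), the excluded host (192.168.1.50, standing in for a device such as a printer that should never reach the Internet) and the outside interface getting its address by DHCP are assumptions for the example; the interface names follow the text's e0/0 and e0/1.

```cisco
! Added example, not from the original text. Assumed: inside subnet
! 192.168.1.0/24 on Ethernet0/0, outside interface Ethernet0/1 addressed by DHCP,
! and one inside host (192.168.1.50) that must not be translated at all.
configure terminal
!
! Step 1: mark the inside interface
interface Ethernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 exit
!
! Step 2: mark the outside interface
interface Ethernet0/1
 ip address dhcp
 ip nat outside
 exit
!
! Step 3: decide which inside traffic is eligible for translation.
! Entries are evaluated top to bottom, so the deny for the excluded host must
! come before the permit for its subnet. Anything not matched by a permit
! (other subnets, spoofed sources) is dropped by the implicit deny at the end
! of the list and is never translated.
access-list 101 deny   ip host 192.168.1.50 any
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
!
! Step 4: overload (PAT) all permitted traffic onto the outside interface address.
! The list number here must match the access-list number above.
ip nat inside source list 101 interface Ethernet0/1 overload
end
!
! Verification from privileged EXEC mode: the first shows which interfaces are
! inside/outside and the active translation rule, the second lists current
! inside-to-outside port mappings.
show ip nat statistics
show ip nat translations
```

Because the access list now names the inside subnet explicitly, a host that is mis-addressed or deliberately excluded simply fails to get a translation, which you can confirm by its absence from "show ip nat translations" while a permitted host is browsing.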