Configuring Static NAT

Nov 27,2008 by alperen

Static NAT is used to map a single inside global IP address to a single inside local IP address.
Usually the inside local IP address is one from the RFC 1918 address space and the inside global
IP address is an Internet-routable address. IP addresses must be assigned to interfaces on the
router that will be participating in NAT in order for proper processing of IP traffic on those
interfaces. You must be in global configuration mode in order to configure NAT. The command
to use is ip nat inside source static local-ip global-ip.
The local-ip is the local IP address of the host on the inside of the network to translate, and the
global-ip is the global IP address this inside host will be known as to the outside world. In this
example, a host on the inside network needs to access the Internet. Its IP address is 10.1.2.25 and is
not routable on the Internet. When the NAT border router receives a packet from 10.1.2.25 destined
for the Internet, the router must be configured to translate that IP address to one that is globally
routable. In this case it is 200.1.1.25 and the following command is used:
Border(config)#ip nat inside source static 10.1.2.25 200.1.1.25
Border(config)#
This creates a permanent entry in the NAT table. Now when traffic arrives for IP address
200.1.1.25 from the outside network, it will be translated to 10.1.2.25 and forwarded to the inside
network, and vice versa. This allows a device on the inside network using a non-Internet-routable
IP address to be accessible from the outside network. You can use this to make your internal DNS,
web, and other servers accessible from the Internet. Optionally, you can configure just a certain
port to be translated by adding a protocol and port numbers to the ip nat inside source static
command. The following is an example of using an IP address and port combination:
Border(config)#ip nat inside source static tcp 10.1.2.25 80 200.1.1.25 80
Border(config)#ip nat inside source static tcp 10.1.2.24 80 200.1.1.25 81
Border(config)#
As you can see, the two port numbers do not need to match on both sides. I have translated
requests for port 81 from the outside to port 80 on the inside, which is commonly referred to
as port redirection. Now let’s discuss dynamic NAT.
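
Added example (not part of the original article): a small Python model of the static NAT table built from the two command forms shown above, answering which inside host and port an outside packet reaches. The 10.1.2.30 to 200.1.1.30 mapping is a constructed sample, and checking port-specific entries before whole-host ones is a choice of this model, not a statement about IOS lookup order.

```python
import ipaddress
import re
from collections import namedtuple

# proto is None for a whole-host mapping (all protocols and ports).
StaticNat = namedtuple("StaticNat", "proto local_ip local_port global_ip global_port")

# Both command forms from the article, with or without a leading router prompt.
CMD = re.compile(r"ip nat inside source static\s+"
                 r"(?:(tcp|udp)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\d+)|(\S+)\s+(\S+))\s*$")

def parse_static_nat(config):
    entries = []
    for line in config.splitlines():
        m = CMD.search(line)
        if not m:
            continue
        if m.group(1):
            e = StaticNat(m.group(1), m.group(2), int(m.group(3)), m.group(4), int(m.group(5)))
        else:
            e = StaticNat(None, m.group(6), None, m.group(7), None)
        for ip in (e.local_ip, e.global_ip):
            ipaddress.ip_address(ip)        # ValueError on a malformed address
        entries.append(e)
    return entries

def translate_inbound(entries, proto, dst_ip, dst_port):
    """Inside (ip, port) reached by an outside packet to dst_ip:dst_port, or None."""
    for e in entries:    # port-specific entries first: a choice of this model
        if e.proto == proto and (e.global_ip, e.global_port) == (dst_ip, dst_port):
            return (e.local_ip, e.local_port)
    for e in entries:    # whole-host entry: destination port passes through unchanged
        if e.proto is None and e.global_ip == dst_ip:
            return (e.local_ip, dst_port)
    return None

def whole_host_mappings(entries):
    """Entries that make every port of an inside host reachable on its global address."""
    return [e for e in entries if e.proto is None]

# First two lines are the article's commands; the third mapping is constructed.
SAMPLE = """\
Border(config)#ip nat inside source static tcp 10.1.2.25 80 200.1.1.25 80
Border(config)#ip nat inside source static tcp 10.1.2.24 80 200.1.1.25 81
Border(config)#ip nat inside source static 10.1.2.30 200.1.1.30
"""

if __name__ == "__main__":
    print(translate_inbound(parse_static_nat(SAMPLE), "tcp", "200.1.1.25", 81))
```

Running whole_host_mappings over a saved configuration lists the hosts published without a port restriction, which are the entries to check first when reviewing what a border router makes reachable from outside.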
Using Static NAT to Assist with Network Changes
Company XYZ needs to move a server from its old data center to its new data center. During
this transition, both the old and new data centers will be operational. The problem is that at the
remote warehouses they are using handheld scanners to process orders. The server they are
connecting to will be moving to the new data center, but the subnet it currently is connected to
is not going to move, so it will need to have a new IP address. There are about 1,000 of these
handheld scanners that need to have the server IP address changed in their configuration. The
IT staff estimates that it would take about 10 minutes to change each scanner, and they don’t
have the personnel to make this change overnight.
Static NAT can be used here to allow these handheld scanners at the remote warehouses to
communicate to the new server IP address without touching every device. You configure NAT
on each router at the remote locations to change the old IP address of the server to the new IP
address. This way they can still communicate, and the IT staff can take more time to change the
handheld units at one warehouse at a time.
Let’s see how this configuration would look from a remote location. The old server IP address
is 17.1.1.60 and the new server IP address is 192.168.235.80. On the remote router you would
need to configure the LAN interface as the outside NAT interface and the WAN interface as the
inside NAT interface. Then you would configure the static NAT entry using the ip nat inside
source static command. The following is an example of how to configure a remote router:
Warehouse1#conf t
Warehouse1(config)#interface ethernet0
Warehouse1(config-if)#ip nat outside
Warehouse1(config-if)#interface serial0.35
Warehouse1(config-if)#ip nat inside
Warehouse1(config-if)#exit
Warehouse1(config)#ip nat inside source static 192.168.235.80 17.1.1.60
Warehouse1(config)#exit
Warehouse1#
Now we can look at the translations taking place with the show ip nat translations command:
Warehouse1#show ip nat translations
Pro Inside global   Inside local         Outside local         Outside global
tcp 17.1.1.60:2001  192.168.235.80:2001  192.100.110.176:2004  192.100.110.176:2004
tcp 17.1.1.60:2001  192.168.235.80:2001  192.100.110.175:2008  192.100.110.175:2008
tcp 17.1.1.60:2001  192.168.235.80:2001  192.100.110.182:2002  192.100.110.182:2002
tcp 17.1.1.60:2001  192.168.235.80:2001  192.100.110.186:2009  192.100.110.186:2009
tcp 17.1.1.60:2001  192.168.235.80:2001  192.100.110.177:2023  192.100.110.177:2023
tcp 17.1.1.60:2001  192.168.235.80:2001  192.100.110.192:2013  192.100.110.192:2013
Warehouse1#

Configuring Dynamic NAT
Dynamic NAT is used to map inside local IP addresses to inside global IP addresses on the fly
from a pool of available IP addresses. Again, you must have IP addresses assigned to the interfaces
on the router that will be participating in the NAT process in order for IP processing on
those interfaces to occur.
The dynamic NAT configuration starts in global configuration mode. In our example network,
we will use one interface connected to the inside network (Ethernet0) and one interface
connected to the Internet (Serial0). When a host on the inside of the network wants to communicate
with a host on the Internet, the NAT border router receives a packet from an interface
marked as NAT inside. The outbound interface is marked as NAT outside, and so the router
will choose an available IP address from the pool and assign it to the NAT table entry. Once an
IP address is allocated, it cannot be allocated to another translation entry until that entry times
out or is manually removed.