In this brief article, veteran IT guy Don R. Crawley explains how to configure Port Address Translation on a Cisco router in four simple steps.
Copyright (c) 2008 Don R. Crawley
Network Address Translation, better known simply as NAT, allows one outside address to stand in for a single inside address or for many of them. There are several forms of NAT, but one of the most common is called NAT overloading, Port Address Translation, or simply PAT. PAT provides a many-to-one mapping, with many inside private addresses mapped to one outside public address. We often see PAT used in home firewalls and routers to allow several home computers and perhaps a gaming console to use private addresses such as 192.168.1.1-100 and share a single registered public address on the Internet. The router makes this work by rewriting the source port of each outgoing connection so that every (public address, port) pair is unique, and by keeping a translation table so that replies arriving on that port are sent back to the right inside host and port. Given that there are roughly 65,000 usable port numbers per transport protocol (TCP and UDP are tracked separately) for each outside address, a small network will run out of bandwidth or router memory long before it runs out of translation slots.
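To make the port-rewriting mechanism concrete, here is a small added model of a PAT translation table. It is illustration written for this page, not code from the article or from Cisco; the addresses, ports and packet sequence are constructed sample data, and the port-allocation policy (keep the original source port when it is free, otherwise take the lowest free one) is an assumption, since real platforms differ in how they pick ports.

```python
"""Toy model of NAT overloading (PAT): many inside hosts share one outside
address and are told apart by the translated source port.

Added illustration, not from the original article or any Cisco code.
Addresses, ports and the packet sequence are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# One translation maps (proto, inside addr, inside port) <-> (proto, outside port).
Inside = Tuple[str, str, int]
Outside = Tuple[str, int]


@dataclass
class PatTable:
    outside_ip: str
    first_port: int = 1024          # assumption: well-known ports are never handed out
    last_port: int = 65535
    _inside_to_outside: Dict[Inside, int] = field(default_factory=dict)
    _outside_to_inside: Dict[Outside, Inside] = field(default_factory=dict)

    def _allocate(self, proto: str, preferred: int) -> int:
        """Keep the host's own source port if it is free and in range,
        otherwise take the lowest free port. Pools are per protocol, so a
        TCP entry on port N does not block UDP port N."""
        if (self.first_port <= preferred <= self.last_port
                and (proto, preferred) not in self._outside_to_inside):
            return preferred
        for port in range(self.first_port, self.last_port + 1):
            if (proto, port) not in self._outside_to_inside:
                return port
        raise RuntimeError(f"no free {proto} ports on {self.outside_ip}")

    def outbound(self, proto: str, src_ip: str, src_port: int) -> Tuple[str, int]:
        """Translate a packet leaving the inside interface; returns the
        rewritten (source address, source port). Repeat packets of the same
        flow reuse the existing entry."""
        key: Inside = (proto, src_ip, src_port)
        if key not in self._inside_to_outside:
            port = self._allocate(proto, src_port)
            self._inside_to_outside[key] = port
            self._outside_to_inside[(proto, port)] = key
        return self.outside_ip, self._inside_to_outside[key]

    def inbound(self, proto: str, dst_port: int) -> Optional[Tuple[str, int]]:
        """Map a reply addressed to the outside address back to the inside
        host. A packet with no entry (an unsolicited inbound connection) is
        not forwarded to anyone."""
        entry = self._outside_to_inside.get((proto, dst_port))
        if entry is None:
            return None
        _, ip, port = entry
        return ip, port

    def __len__(self) -> int:
        return len(self._inside_to_outside)


def demo() -> dict:
    """Two inside hosts that both chose source port 50000: the second is
    given a different outside port so the replies can be kept apart."""
    pat = PatTable("203.0.113.1")   # constructed public address (TEST-NET-3)
    a = pat.outbound("tcp", "192.168.1.10", 50000)
    b = pat.outbound("tcp", "192.168.1.11", 50000)
    return {
        "a": a,
        "b": b,
        "reply_a": pat.inbound("tcp", a[1]),
        "reply_b": pat.inbound("tcp", b[1]),
        "unsolicited": pat.inbound("tcp", 4444),
        "entries": len(pat),
    }


def exhaustion_demo() -> Tuple[int, bool]:
    """Shrink the pool to four ports so the exhaustion path shows without
    looping 64k times; the UDP pool is untouched by TCP exhaustion."""
    pat = PatTable("203.0.113.1", first_port=60000, last_port=60003)
    tcp_ok = 0
    for host in range(1, 6):        # five hosts compete for four ports
        try:
            pat.outbound("tcp", f"192.168.1.{host}", 40000)
            tcp_ok += 1
        except RuntimeError:
            break
    udp_still_works = pat.outbound("udp", "192.168.1.99", 40000)[1] == 60000
    return tcp_ok, udp_still_works
```

The `inbound` path is the part worth noticing from a security standpoint: a packet from the Internet only reaches an inside host if an entry for that port already exists, which is why PAT looks like a firewall without actually being one. On a real router, `show ip nat translations` lists the equivalent table.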
Here are the four steps to configuring Port Address Translation (each step starts in global configuration mode, reached with "config t"):
1. Configure nat on your inside interface:
int e0/0
ip nat inside
2. Configure nat on your outside interface:
int e0/1
ip nat outside
3. Configure an access control list to allow the inside traffic to use NAT:
access-list 101 permit ip any any
4. Enable NAT overloading (PAT) on the outside interface:
ip nat inside source list 101 interface e0/1 overload
In this example, the "ip nat inside" and "ip nat outside" statements tell the router which interface is considered inside and which is considered outside for the purpose of NAT. Interface Ethernet 0/0 is inside and Interface Ethernet 0/1 is outside. Your interface names will probably be different; for example, you might be configuring "f0/0" or "GigabitEthernet 0/1".
The access control list statement tells the router which traffic is eligible for translation: here, all IP traffic from any source to any destination. Note that when an access list is used by NAT it is a match list, not a filter. Traffic the list permits is translated; traffic it does not match is not blocked, it is simply routed without translation. The number (101) is an ID that must match the number used in the "ip nat" statement. Because this list uses extended syntax ("permit ip source destination"), the number must fall in the extended range, 100 through 199 inclusive (2000 through 2699 is the expanded extended range); a standard list numbered 1 through 99, which matches on source address only, would also work with NAT.
The "ip nat inside source list" statement tells the router which access control list selects the traffic to translate (access-list 101), the interface whose address will be used for the translation (interface Ethernet 0/1) and the form of NAT to perform (overload, meaning PAT).
This configuration will allow any host on the inside subnet to share the outside interface address for the purpose of going on the Internet. There is no restriction as to the type of traffic, nor are there any restricted hosts. Obviously, this configuration would only be acceptable in a small office or home type of network. Even then, you should limit which hosts are translated by creating a more restrictive access control list, for example one that permits only your inside subnet as the source. Keep in mind that PAT is not a firewall: unsolicited inbound connections are dropped only because no translation entry exists for them, and the NAT access list does nothing to filter traffic in either direction.
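As an added example (not from the article or from Cisco), the following Python generates the same four statements for a given pair of interfaces, but with the NAT access list restricted to the inside subnets instead of "permit ip any any". The interface names, subnet and list number are constructed parameters. It also computes the wildcard mask that IOS access lists require, which is the inverse of the subnet mask and a frequent source of mistakes, and refuses a list number outside the extended range because the generated entries use extended syntax.

```python
"""Emit the article's four PAT statements with a source-restricted NAT
access list. Added example, not from the original article or from Cisco;
interface names, subnets and the list number are constructed inputs.
"""
import ipaddress
from typing import List

# Numbered extended access lists: 100-199 and the expanded range 2000-2699.
EXTENDED_ACL_RANGES = ((100, 199), (2000, 2699))


def wildcard(network: ipaddress.IPv4Network) -> str:
    """IOS access lists take a wildcard (inverse) mask, not a subnet mask:
    192.168.1.0/24 -> 0.0.0.255."""
    return str(network.hostmask)


def pat_config(inside_if: str, outside_if: str,
               inside_subnets: List[str], acl: int = 101) -> List[str]:
    """Return the configuration lines, one per list element."""
    if not any(lo <= acl <= hi for lo, hi in EXTENDED_ACL_RANGES):
        raise ValueError(f"{acl} is not an extended access list number "
                         "(100-199 or 2000-2699)")
    lines = [
        f"interface {inside_if}",
        " ip nat inside",
        f"interface {outside_if}",
        " ip nat outside",
    ]
    for subnet in inside_subnets:
        # strict=True rejects "192.168.1.5/24" (host bits set), which would
        # otherwise silently produce a wrong network address.
        net = ipaddress.IPv4Network(subnet, strict=True)
        lines.append(f"access-list {acl} permit ip "
                     f"{net.network_address} {wildcard(net)} any")
    # Only traffic permitted by the list is translated; anything else from
    # the inside interface is routed untranslated, not blocked.
    lines.append(f"ip nat inside source list {acl} interface {outside_if} overload")
    return lines


def nat_acl_is_open(config_lines: List[str], acl: int) -> bool:
    """True if the NAT list matches every source, the article's small-office
    shortcut, which is the setting to look for when reviewing a config."""
    return any(line.strip() == f"access-list {acl} permit ip any any"
               for line in config_lines)


if __name__ == "__main__":
    for line in pat_config("Ethernet0/0", "Ethernet0/1", ["192.168.1.0/24"]):
        print(line)
```

Running the block prints a configuration you can paste into "config t"; `nat_acl_is_open` is the check to run over an existing configuration before deciding whether the list needs tightening.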