Both static and dynamic Network Address Translations (NAT) allows the translation of local address to global address and allowing it to communicate to outside of the local area network. The problem is the number of global address is usually a lot less than the local address requiring the translation. To overcome this issue, Cisco supports the usage of dynamic Port Address Translations or dynamic PAT in its device. If the administrator can configure dynamic Port Address Translations (PAT) in Cisco IOS router correctly, then one global address can be used for translations of multiple local address at once.
How to Configure Dynamic Port Address Translations (PAT) in Cisco IOS Router
Port Address Translations works by assigning a combination of one global address with a port number to one local address session. This allows multiple local address to use the same global address for connection to public network at the same time. There are two ways to configure Dynamic Port Address Translations (PAT) in Cisco IOS router, depending on the number of the available global address. These examples of scenario below will be used to explain the two ways to configure Dynamic PAT:
- Scenario 1 — Configure dynamic PAT using R1 outside interface IP address
- Scenario 2 — Configure dynamic PAT using the available global address in the NAT pool
The configuration for both scenario are basically the same, except on the declaration of the NAT rules itself. To better understand the configuration, follow the step by step below:
1. Define the inside and outside interface
The first step is the same for both scenario and for every NAT implementation. The inside and outside interface of the router is crucial and must be specified correctly for successful NAT translation.
For the topology above, assuming the IP address and default routing has been configured before, the configuration of inside and outside interface on R1 is as follows:
R1(config)#interface f0/0 R1(config-if)#ip nat inside R1(config-if)#exit R1(config)#interface f0/1 R1(config-if)#ip nat outside R1(config-if)#exit
2. Create access-list
The access-list (ACL) defines the local address space allowed to be translated when using NAT or dynamic PAT. The ACL can be any types you preferred either standard, extended, or named ACL. In the real practice, the local address should be summarized as specific as possible, but for the simplicity of this example the all the local address will be just summarized as 10.2.2.0/24. Therefore, the ACL configuration is:
R1(config)#access-list 22 permit ip 10.2.2.0 0.0.0.255
In the example above we’re using standard ACL with ACL ID number 22. Keep in mind of this number as it will be used later in step 4.
3. Create the NAT pool (required only for scenario 2)
This step only applies for scenario 2 where dynamic PAT will be configured for address in a NAT pool. To create a NAT pool, use command ip nat pool [pool name] [global starting IP] [global ending IP] netmask [subnet mask].
The NAT pool for scenario 2 is named MustBeGeek and is configured with the command below:
R1(config)#ip nat pool MustBeGeek 172.26.10.91 172.26.10.95 netmask 255.255.255.248
Keep in mind of the NAT pool name as will be used later in step 4 for scenario 2.
4. Define the NAT rules with overload enabled
Now that we have everything set up, the last step is to define the NAT rules with keyword “overload” added at the end of the command. The keyword “overload” is what activating dynamic PAT on the NAT rules and allowing one global address to be used for translations of multiple local address.
For scenario 1, where dynamic PAT is configured on a router outside address, the command is ip nat inside source list [ACL ID] interface [outside interface number] overload. In this example, the command should refer to ACL ID number 22 that has been created before, therefore it will looks like below:
R1(config)#ip nat inside source list 22 interface f0/1 overload
Alternatively, for scenario 2, where dynamic PAT is configured for a NAT pool, the command is ip nat inside source list [ACL ID] pool [pool name] overload. In this example, the command should refer to ACL ID number 22 and NAT pool name MustBeGeek that has been created before. Therefore the configuration for this example will looks like below:
R1(config)#ip nat inside source list 22 pool MustBeGeek overload
With this, we have successfully configured Dynamic PAT.
Usage of Dynamic Port Address Translations (PAT)
Dynamic PAT sessions can be seen using the same command as to show the NAT sessions, which is show ip nat translations. The difference is only on the output as shown below:
R1#show ip nat translations Pro Inside global Inside local Outside local Outside global icmp 172.26.10.90:60411 10.2.2.51:60411 172.26.10.89:60411 172.26.10.89:60411 icmp 172.26.10.90:60667 10.2.2.51:60667 172.26.10.89:60667 172.26.10.89:60667 icmp 172.26.10.90:50427 10.2.2.52:50427 172.26.10.89:50427 172.26.10.89:50427 icmp 172.26.10.90:50683 10.2.2.52:50683 172.26.10.89:50683 172.26.10.89:50683 icmp 172.26.10.90:56571 10.2.2.53:56571 172.26.10.89:56571 172.26.10.89:56571 icmp 172.26.10.90:57083 10.2.2.53:57083 172.26.10.89:57083 172.26.10.89:57083
Notice on the output above that the same global address (inside global) is used to translate multiple different local address (inside local) at the same time, and each with different port number. Due to this behavior, the global address in dynamic PAT cannot be used for incoming connection, but dynamic PAT can help to conserve the usage of global address.
The good news is that in Cisco IOS router, dynamic PAT can be configured together with static NAT as long as it doesn’t use the same global address. In this case, for example if we want to make Server1 to be accessible from the internet, then we can just add static NAT configuration for Server1.
The configuration snippet below shows the example that use both static NAT and dynamic PAT together:
interface FastEthernet0/0 ip address 10.2.2.1 255.255.255.0 ip nat inside duplex auto speed auto ! interface FastEthernet0/1 ip address 172.26.10.90 255.255.255.248 ip nat outside duplex auto speed auto ! ip nat pool MustBeGeek 172.26.10.92 172.26.10.95 netmask 255.255.255.248 overload ip nat inside source list 22 interface FastEthernet0/1 overload ip nat inside source static 10.2.2.3 172.26.10.91
And that’s how you can configure PAT in Cisco IOS router.