Sunday 13 February 2011

Learn to configure Cisco IOS NAT on a stick

“NAT on a stick” is not a common Cisco router configuration, but it is a tool that you will want to understand in case you ever have a situation that calls for it.
One NAT configuration that turns up in training material and on certification exams is called “NAT on a stick.” Besides having a funny name, NAT on a stick can be genuinely useful to network administrators. In this article, learn what NAT on a stick is and how it can help you.

What is Network Address Translation?

Network Address Translation (NAT) rewrites the IP addresses in packet headers so that hosts on one network can be reached from another network. NAT is performed by a router (or a firewall) and is commonly used to translate the private IP addresses used in homes and businesses into the public IP addresses that are used on the Internet.
When configuring NAT, there are a number of terms and concepts you need to know. For example: the difference between inside local, inside global, outside local, outside global, NAT vs. PAT, and “NAT overload.”
I don’t recommend that you configure NAT on a stick until you have a good understanding of NAT. I recommend that you try one of the easier NAT configurations prior to NAT on a stick.

What is NAT on a stick?

First, the “stick” is just a single router interface. NAT is normally performed between two router interfaces, one marked ip nat inside and one marked ip nat outside, so NAT on a stick describes a configuration in which only one physical interface exists and NAT is still performed. We are really talking about NAT on a single router interface (but that is not as catchy, is it?).
For NAT to happen, a packet has to be routed from an inside NAT interface to an outside NAT interface. This is still true with NAT on a stick; the single-interface limit is worked around with a virtual interface, a Cisco IOS loopback interface, which plays the outside role. A policy-based route (PBR) applied to the physical interface redirects the traffic to the loopback, the translation takes place on the way, and the packet is then routed back out the physical interface.
Prior to configuring NAT on a stick, you should make sure that your Cisco IOS image supports both NAT and policy-based routing, since the configuration depends on both.

How can NAT on a stick help you?

NAT on a stick is not what I would consider a common configuration. However, I have seen it listed on Cisco certification exam objectives; I have heard Cisco instructors talk about it; and I have had readers ask me questions about it. So, even though you won’t find NAT on a stick in use on most enterprise networks, I think that it is important that you know what it is, how it can help you, and that it is yet another tool available to you, should you need it.
While there are a number of options for using NAT on a stick, here is a scenario in which I have seen it in use. (I have selected this scenario because it is based on the official Cisco documentation on this topic, where you can find more information.)
You have a LAN with a number of computers, a single Cisco router with one Ethernet interface, and a DSL modem. Your ISP has given you a single IP address on the modem's segment plus a block of two other IP addresses on a different network. Usually, you would get around this by using NAT (actually PAT, or NAT overload) with a home/SMB router such as a Linksys, Netgear, D-Link or Belkin. But let's say that you want to use a Cisco router only, and all you have is a 2501 (one Ethernet and one serial interface). The DSL modem is just a bridge, not a router, and the 2501 cannot sit between the LAN and the modem because it has only one LAN interface. So you put a small hub between the DSL modem and the 2501, and the PCs, the router and the modem all share that segment.
While this might sound like a wild scenario to some, and we can all agree that the real fix is to buy more hardware, I don't want to leave out any option the Cisco IOS gives you for solving a problem. Should this configuration be used on the Internet in production? No. Remember that NAT is address translation, not a firewall: with the PCs, the router and the modem on one hub, the router is not physically between the LAN and the modem, so it cannot filter what passes between them, and every device on the hub sees everyone else's traffic. Is it valuable to know how to configure NAT on a stick? Absolutely!

How do you configure NAT on a stick?

The sample configuration below for NAT on a stick is based on the following details: The segment facing the DSL modem is the 192.168.1.0/24 network. The ISP gives you one usable address on it (192.168.1.2 for the router, with the ISP gateway at 192.168.1.1) plus a block of two addresses from the 192.168.2.0/29 network. The 10.0.0.0/24 network is the private LAN where you can put as many devices as you want; those devices rely on NAT on a stick.
Remember — the Cisco IOS loopback interface is the virtual interface that helps us get around the “one interface only” issue. Here is what you need to do:

Configure Interfaces with NAT statements and IP policy routing

! Loopback0 is the virtual interface that stands in for the missing second
! interface; it is the NAT "outside" side
interface Loopback0
 ip address 10.0.1.1 255.255.255.252
 ip nat outside
!
! Ethernet0 carries both the ISP-facing segment (192.168.1.0/24, as the
! secondary address) and the NATed LAN (10.0.0.0/24); it is the NAT "inside"
! side, and the policy route-map redirects matching traffic to Loopback0
interface Ethernet0
 ip address 192.168.1.2 255.255.255.0 secondary
 ip address 10.0.0.2 255.255.255.0
 ip nat inside
 ip policy route-map nat-loop

Configure your NAT pools

! Two translated addresses from the ISP's 192.168.2.0/29 block, shared by
! all 10.0.0.0/24 hosts through PAT ("overload")
ip nat pool external 192.168.2.2 192.168.2.3 prefix-length 29
ip nat inside source list 10 pool external overload

Ensure that you have IP Routes

! Default route to the ISP gateway on the 192.168.1.0/24 segment
ip route 0.0.0.0 0.0.0.0 192.168.1.1
! The translated block lives on Ethernet0 (this /24 is wider than the /29
! the ISP hands out; the ISP side must route 192.168.2.0/29 back to
! 192.168.1.2, see below)
ip route 192.168.2.0 255.255.255.0 Ethernet0

Create ACLs for NAT and the Policy Routing

! ACL 10 selects the inside hosts whose source addresses get translated
access-list 10 permit 10.0.0.0 0.0.0.255
! ACL 102 selects what the route-map sends to Loopback0: replies coming back
! to the translated addresses, and anything the inside hosts send
access-list 102 permit ip any 192.168.2.0 0.0.0.255
access-list 102 permit ip 10.0.0.0 0.0.0.255 any

Create the Route Map that is applied to the Ethernet interface

! The name must match "ip policy route-map" on Ethernet0 exactly; route-map
! names are case-sensitive in IOS
route-map nat-loop permit 10
 match ip address 102
 set interface Loopback0
 
With this configuration, a packet from a PC on the 10.0.0.x network arrives on Ethernet0 (the NAT inside interface), matches the second line of ACL 102 and is policy-routed to Loopback0 (the NAT outside interface). Because it has now passed from inside to outside, its source address is translated to one of the 192.168.2.x pool addresses (port-translated as well, thanks to the overload keyword), and the packet is forwarded out Ethernet0 towards the ISP gateway at 192.168.1.1. Replies addressed to 192.168.2.x match the first line of ACL 102 and take the same detour through Loopback0, where the translation is undone before the packet is delivered to the 10.0.0.x host.
You should note that you will have to configure the router's primary Ethernet IP address, 10.0.0.2, as the default gateway for all PCs on the NAT network. You will also have to do ONE of the following:
1. Have the ISP, or whatever router sits on the other side of the 192.168.1.0 segment, add a static route for your 192.168.2.0/29 block pointing to your router's 192.168.1.2 address
2. Have your router advertise that network via a dynamic routing protocol such as RIP, OSPF or EIGRP
This configuration is based on the example provided in Cisco’s official Network Address Translation on a Stick documentation. Please review it if you have questions on this example as it has a diagram and debug steps.
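The configuration only works if its cross-references line up: the route-map named on Ethernet0 must exist under exactly that name (IOS route-map names are case-sensitive, interface names are not), it must point at the interface that carries ip nat outside, the ACL it matches must exist, and the translated pool must be covered both by the PBR ACL and by a static route. The following Python script is an added example, not part of the original article or of Cisco's documentation; it parses a configuration written in the statement forms used on this page and reports those mismatches. The embedded sample is constructed from the configuration above with one deliberate mistake, a route-map defined as Nat-loop but applied as nat-loop, which the script flags. The parser is intentionally limited to the statements shown here and does not understand other IOS syntax.

```python
"""NAT-on-a-stick configuration linter.  Added example (not from the article or Cisco); it parses only the statement forms used on this page."""
import ipaddress

# Constructed sample: the page's configuration with one deliberate mistake, a route-map applied as nat-loop but defined as Nat-loop.
SAMPLE_CONFIG = """\
interface Loopback0
 ip address 10.0.1.1 255.255.255.252
 ip nat outside
interface Ethernet0
 ip address 192.168.1.2 255.255.255.0 secondary
 ip address 10.0.0.2 255.255.255.0
 ip nat inside
 ip policy route-map nat-loop
ip nat pool external 192.168.2.2 192.168.2.3 prefix-length 29
ip nat inside source list 10 pool external overload
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip route 192.168.2.0 255.255.255.0 Ethernet0
access-list 10 permit 10.0.0.0 0.0.0.255
access-list 102 permit ip any 192.168.2.0 0.0.0.255
access-list 102 permit ip 10.0.0.0 0.0.0.255 any
route-map Nat-loop permit 10
 match ip address 102
 set interface loopback0
"""

def _acl_addr(tok, i):
    if tok[i] == "any":  # 'any' covers every address; return the network and the next token index
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    # ipaddress accepts an (address, hostmask) tuple, so the IOS wildcard mask is used directly
    return ipaddress.ip_network((tok[i], tok[i + 1]), strict=False), i + 2

def parse(config):
    """Collect the interface, route-map, NAT, route and ACL statements the checks need."""
    cfg = {"interfaces": {}, "route_maps": {}, "pools": {}, "nat_sources": [], "routes": [], "acls": {}}
    block = {}  # interface or route-map whose sub-commands are being read; {} discards strays
    for raw in config.splitlines():
        p = raw.split()
        if not p or p[0].startswith("!"):
            continue
        if not raw.startswith(" "):
            block = {}  # a new top-level statement ends the current block
        if p[:2] == ["ip", "nat"] and len(p) == 3:  # ' ip nat inside' / ' ip nat outside'
            block["nat"] = p[2]
        elif p[:3] == ["ip", "policy", "route-map"]:
            block["policy"] = p[3]
        elif p[:3] == ["match", "ip", "address"]:
            block["match_acl"] = p[3]
        elif p[:2] == ["set", "interface"]:
            block["set_if"] = p[2]
        elif p[0] == "interface":
            block = cfg["interfaces"].setdefault(p[1], {"nat": None, "policy": None})
        elif p[0] == "route-map":
            block = cfg["route_maps"].setdefault(p[1], {"match_acl": None, "set_if": None})
        elif p[:3] == ["ip", "nat", "pool"]:
            cfg["pools"][p[3]] = (ipaddress.ip_address(p[4]), ipaddress.ip_address(p[5]))
        elif p[:5] == ["ip", "nat", "inside", "source", "list"]:
            cfg["nat_sources"].append((p[5], p[7]))
        elif p[:2] == ["ip", "route"]:
            cfg["routes"].append((ipaddress.ip_network((p[2], p[3]), strict=False), p[4]))
        elif p[0] == "access-list":
            if p[3] == "ip":  # extended ACL: permit ip SRC DST
                src, i = _acl_addr(p, 4)
                dst, _ = _acl_addr(p, i)
            else:  # standard ACL: permit SRC WILDCARD (destination is implicitly any)
                src, dst = _acl_addr(p, 3)[0], ipaddress.ip_network("0.0.0.0/0")
            cfg["acls"].setdefault(p[1], []).append((src, dst))
    return cfg

def lint(cfg):
    """Return a list of findings; an empty list means the cross-references line up."""
    findings = []
    nat = {i["nat"]: n for n, i in cfg["interfaces"].items() if i["nat"]}
    if set(nat) != {"inside", "outside"}:
        return ["need one 'ip nat inside' and one 'ip nat outside' interface"]
    ins, out, policy = nat["inside"], nat["outside"], cfg["interfaces"][nat["inside"]]["policy"]
    rmap = cfg["route_maps"].get(policy) or {}
    pbr = cfg["acls"].get(rmap.get("match_acl"))  # entries of the ACL the route-map matches
    if not rmap:
        near = [n for n in cfg["route_maps"] if policy and n.lower() == policy.lower()]
        hint = f"; found '{near[0]}', and route-map names are case-sensitive" if near else ""
        findings.append(f"{ins} must apply an existing route-map but names {policy!r}{hint}")
    elif (rmap["set_if"] or "").lower() != out.lower():  # interface names are case-insensitive
        findings.append(f"route-map {policy} sets interface {rmap['set_if']}, not nat outside {out}")
    if rmap and pbr is None:
        findings.append(f"route-map {policy} matches undefined ACL {rmap['match_acl']}")
    for acl, pool in cfg["nat_sources"]:
        if acl not in cfg["acls"] or pool not in cfg["pools"]:
            findings.append(f"NAT statement references undefined ACL {acl} or pool {pool}")
            continue
        lo, hi = cfg["pools"][pool]
        if pbr and not any(lo in d and hi in d for _, d in pbr):
            findings.append(f"replies to pool {pool} are not policy-routed to {out}")
        if not any(lo in n and hi in n for n, _ in cfg["routes"] if n.prefixlen):
            findings.append(f"no static route covers pool {pool}; replies would follow the default route")
    return findings

if __name__ == "__main__":  # stand-alone run prints the one mismatch in the sample
    print(*lint(parse(SAMPLE_CONFIG)), sep="\n")
```

Feed it the output of show running-config. An empty list from lint() means the references are consistent, not that translation works end to end; verify that on the router with show ip nat translations and debug ip nat. A clean run also says nothing about exposure: the linter checks translation plumbing, and NAT on a stick provides no access control.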

In Conclusion

NAT on a Stick is one of the many tools that a network admin may need to employ in certain situations. If nothing else, it is a configuration that you should recognize by name if you are asked about it on certification exams or by colleagues. For some admins, it is an irreplaceable tool.
