
Configuring PAT on Cisco Routers (NAT Overload)

PAT (Port Address Translation) is by far the most common implementation of NAT, and if you have an ADSL router at home there is a 100% chance you are using it.

PAT, otherwise known as NAT overload, allows you to translate IP addresses in a many-to-one fashion.
In my previous post on Configuring Dynamic NAT we saw that we can NAT many-to-many, but this is limited by the number of public addresses you have available. In cases such as home ADSL, your ISP will only issue you a single public IP address, but you might have 2 or more devices that need to access the Internet at any given time. This is where PAT takes over and makes this possible.

As with any NAT configuration we need to first define our inside and outside interfaces. In this example I’ll use FastEthernet 0/0 as my inside, and Serial 0 as my outside.

AOIP.ORG (config) # interface FastEthernet 0/0
AOIP.ORG (config-if) # ip nat inside
AOIP.ORG (config-if) # interface Serial 0
AOIP.ORG (config-if) # ip nat outside

The next step is to define which addresses on my inside network I want to allow to be translated. Let’s assume my inside IP address range is 10.0.1.0 /24.

AOIP.ORG (config) # access-list 1 permit 10.0.1.0 0.0.0.255 (Using a standard access-list is the easiest way to achieve this)

Then I need to configure the address that will be used by my internal IP addresses for accessing the outside interface. This can be done in 2 ways.

Option 1:
If I only have 1 public IP address, which is the case with home ADSL, the router will already have that IP address allocated to it by your ISP. The only thing I can do is tell the router to share that address with my internal hosts.

AOIP.ORG (config) # ip nat inside source list 1 interface Serial 0 overload (This uses access-list 1 to identify the source addresses and tells the router to translate them into the IP address configured on Serial 0; the interface keyword is required before the interface name. The overload keyword tells the router to keep track of all the source and destination ports so that the one IP address can be used by many hosts at the same time, i.e. overloaded)

Option 2:
If I have a second public IP address that I would like to use for Internet browsing, I can configure PAT for that IP address.

AOIP.ORG (config) # ip nat pool BROWSE 192.168.1.1 192.168.1.1 netmask 255.255.255.0
AOIP.ORG (config) # ip nat inside source list 1 pool BROWSE overload (Same idea as the above command, but I’ve specifically told the router which IP address to translate my internal hosts into. IOS does not accept a bare IP address after the access-list, only an interface or a pool, so the address goes into a pool containing that single address; BROWSE is just the pool name I chose)

This option is fantastic if you have multiple public addresses and you want to segment your Internet browsing by department or geographic location. For example:
Marketing – 10.1.0.0 /24
Sales – 10.2.0.0 /24
Technical – 10.3.0.0 /24

I can have each of the above departments using their own public IP address, which will make log files easier to read when tracking Internet use and for troubleshooting connection errors.

access-list 2 permit 10.1.0.0 0.0.0.255
access-list 3 permit 10.2.0.0 0.0.0.255
access-list 4 permit 10.3.0.0 0.0.0.255
ip nat pool MARKETING 192.168.1.2 192.168.1.2 netmask 255.255.255.0
ip nat pool SALES 192.168.1.3 192.168.1.3 netmask 255.255.255.0
ip nat pool TECHNICAL 192.168.1.4 192.168.1.4 netmask 255.255.255.0
ip nat inside source list 2 pool MARKETING overload
ip nat inside source list 3 pool SALES overload
ip nat inside source list 4 pool TECHNICAL overload

(Each pool holds a single public address; the pool names are just labels I chose. Hosts that match none of the access-lists are routed untranslated rather than dropped, since these ACLs only select traffic for NAT.)
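To show what the overload keyword actually has to track, and why hosts outside every access-list are routed untranslated rather than dropped, here is a small Python model of the per-department translation table above. It is an added example, not the page's or Cisco's code; the names Pat, outbound and inbound are chosen for it, and its port-selection rule is a simplification of what IOS does.

```python
import ipaddress

# Constructed model of the page's per-department PAT configuration
# (access-list 2/3/4 -> 192.168.1.2/3/4). Class and method names are
# assumptions for this example, not IOS internals.
RULES = [
    (ipaddress.ip_network("10.1.0.0/24"), "192.168.1.2"),  # Marketing, list 2
    (ipaddress.ip_network("10.2.0.0/24"), "192.168.1.3"),  # Sales, list 3
    (ipaddress.ip_network("10.3.0.0/24"), "192.168.1.4"),  # Technical, list 4
]


class Pat:
    def __init__(self, rules=RULES):
        self.rules = rules
        self.table = {}      # (inside local ip, port, proto) -> (inside global ip, port)
        self.in_use = set()  # (inside global ip, port, proto) already handed out

    def outbound(self, src_ip, src_port, proto="tcp"):
        """Translate an inside->outside flow. Returns the (inside global ip, port)
        the packet leaves with, or None when no ACL matches: such traffic is
        routed untranslated, not dropped."""
        key = (src_ip, src_port, proto)
        if key in self.table:            # an existing flow keeps its entry
            return self.table[key]
        addr = ipaddress.ip_address(src_ip)
        global_ip = next((g for net, g in self.rules if addr in net), None)
        if global_ip is None:
            return None
        # Overload: keep the host's own source port if it is free on the shared
        # address, otherwise pick a free one (simplified; IOS port selection is
        # more involved). This is exactly why the router must track ports.
        port = src_port
        if (global_ip, port, proto) in self.in_use:
            port = next(p for p in range(1024, 65536)
                        if (global_ip, p, proto) not in self.in_use)
        self.in_use.add((global_ip, port, proto))
        self.table[key] = (global_ip, port)
        return self.table[key]

    def inbound(self, global_ip, port, proto="tcp"):
        """Map a reply arriving on the outside interface back to the inside host,
        or None if no translation exists (unsolicited inbound traffic)."""
        for (loc_ip, loc_port, p), (g_ip, g_port) in self.table.items():
            if p == proto and (g_ip, g_port) == (global_ip, port):
                return (loc_ip, loc_port)
        return None
```

Two Marketing hosts using the same source port end up on the same public address with different ports, while a Sales host with that port is untouched because it sits on its own pool address.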



9 Responses to “Configuring PAT on Cisco Routers (NAT Overload)”

  1. ramesh Says:

    But I am unable to execute the command

    ip nat inside source list 1 192.168.1.1 overload

  2. Jay Says:

    Hi Ramesh,

    What error do you receive?

    If you follow the steps in the above tutorial you should have no problems. Make sure you do things in the correct order and make sure you are in the correct modes (Global Config / Interface etc).

    Regards,
    Jay

  3. Kuldeep Says:

    Hi Jay,

    I searched for this article everywhere but did not find it. But this is the right place where I could search.
    My problem is related to the same thing as OPTION 2 in this thread; it is given below:

    ISP provided a 6 Mbps Internet access link with Ethernet handoff, which is terminated on a Cisco 1841.

    ISP also provided a pool of 30 public IPs, 125.x.x.x /27, range from 125.x.x.x to 125.x.x.x

    In my current setup, all inside-to-outside traffic is going out through the 125.x.x.x public IP

    because this public IP is NAT overloaded with the router’s F0/1 interface.

    1) I want to divide the 6 Mbps link physically into three parts, 2 Mbps, 2 Mbps, 2 Mbps, for three VLANs.

    2) I also want to configure each VLAN’s IN/OUT traffic with a different public IP. Is it possible or not?

    Vlan2 = 172.25.1.0/24 => Inside to outside / Outside to inside traffic through 125.x.x.x

    Vlan3 = 172.25.2.0/24 => Inside to outside / Outside to inside traffic through 125.x.x.x

    Vlan4 = 172.25.3.0/24 => Inside to outside / Outside to inside traffic through 125.x.x.x

    How can I configure the above desired setup with CBWFQ (class-based policy)?
    Please send me a sample configuration.

  4. Kuldeep Says:

    Hi Jay,

    In your thread you are using a standard ACL, but please explain my problem with an
    extended ACL, with an example.

  5. JEFF Says:

    I have no option to specify just an IP address. It is either an interface or a pool:

    router(config)#ip nat inside source list 1 ?
    interface Specify interface for global address
    pool Name pool of global addresses

  6. JEFF Says:

    CISCO2921/K9 running 15.1(4)M3.

  7. mike Says:

    Hi Jay

    Can I make PAT work like the last example in your post (maps the different internal subnets each to a unique PAT address) AND have it so that any other source addresses are not PATed at all, i.e. they still route out to the Internet but keep their source address?

    The way I read your config is that any traffic from internal IPs that are not referenced in the ACLs will be dropped. Is that how this works?

  8. Jay Says:

    Hi Mike,

    In the above example, the ACL is only used to identify the traffic that is to be processed for NAT/PAT.

    Only if the access list is attached to an interface will it be used for blocking or allowing traffic.

    So, if you didn’t include certain addresses in the ACL, they would not be NATed/PATed. Just remember that private IP addresses (RFC 1918) are not allowed to be routed to the Internet.

  9. Jay Says:

    Hi Jeff,

    Yes, I’ve noticed this more recently on other devices. I haven’t managed to pinpoint which devices support it and which don’t.
