CISCO Multiple NAT



About


This guide is for setting up multiple NAT interfaces on a Cisco router with multiple externally facing interfaces.

The information here uses an example of two routable external interfaces, one Dialler and one Gigabit Ethernet, but the same approach can be applied to any number of routable interface set-ups, including virtualised interfaces.

Important notes:

  • Make sure to back up your configuration before making any changes.
  • All IP addresses and user-specific information have been changed for privacy and security.
  • This guide also assumes that the device has only routable interfaces.
  • For help with devices such as the 1801 -> 1812 and 87*/88* devices, see VLAN interface devices at the bottom of this post.
  • The example is IPv4 only.
  • This guide assumes that all routes are already set, and so does not include them.

Background


When the node revenant was first being set up as an active node, it was being run off a shared Cisco 2821 that was already running a dedicated ADSL connection through an HWIC-1ADSL add-on card. This required the router to be set up to handle NAT on two interfaces.

After much poking around it was made to work, so this guide covers what your configuration needs in order to make multiple NAT work.

Requirements


This guide assumes that you have multiple routable interfaces (i.e. 2x GE plus an HWIC-1ADSL, as in the example below) and that the following options are already set:

ip nat enable
ip routing

Interface configuration


External Interfaces


Gigabit Ethernet Interface

This is an example of the external interface set-up for the Gigabit Ethernet.

NOTE: This does NOT mean it won't work on other devices; it just depends on your IOS version supporting what you want to do.

interface GigabitEthernet0/0
 description Facing WAN
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 no ip unreachables
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 no mop enabled
!

Dialler interface

This is an example of the external Dialler interface.

NOTE: Cisco uses American English, so don’t get caught out!

interface Dialer1
 description ADSL2+ Dialer Interface
 ip address negotiated
 no ip redirects
 no ip proxy-arp
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 ntp disable
 ppp authentication chap pap callin
 ppp chap hostname XXXX
 ppp chap password 7 XXXX
 ppp pap sent-username XXXX password 7 XXXX
 no cdp enable
 hold-queue 200 in
 hold-queue 200 out
!

Internal Interfaces


Internal Gigabit Ethernet

This is an example of the internal interface set-up for the Gigabit Ethernet.

interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
 duplex auto
 speed auto
!

NAT setup


This is the tricky(ish) part: here we define the multiple NATs and their respective interfaces using route-maps, and specify which addresses are allowed to use them.

Route-map


route-map Internet permit 10
 match ip address 1
 match interface Dialer1
!
route-map WACAN permit 10
 match ip address 1
 match interface GigabitEthernet0/0
!

In the above, we specify the name of the route-map, and which IP address list and interface it relates to. The breakdown of the WACAN entry is that the allowed source addresses are in access-list 1, and the interface it relates to is GigabitEthernet0/0. The "match interface" line refers to the egress interface chosen by the routing table, so a packet is translated by WACAN only if it is both permitted by access-list 1 and routed out GigabitEthernet0/0.

NAT Entry


This is where we define the NAT translations themselves, which allow the traffic through.

ip nat inside source route-map Internet interface Dialer1 overload
ip nat inside source route-map WACAN interface GigabitEthernet0/0 overload

The above shows that traffic matching the WACAN route-map will be translated to the address of GigabitEthernet0/0; "overload" means many inside hosts share that one address (PAT).

Access List


This specifies the allowed IP addresses. This is where you put in your own internal IP address range (e.g. 192.168.1.0/24).

access-list 1 permit 192.168.1.0 0.0.0.255

The above example defines a /24 range.

Examples of port mapping


Since this also changes how port mapping is done, here are some examples of how to map ports through your new multiple NAT set-up.

ip nat inside source static tcp 192.168.1.250 53 10.0.0.1 53 extendable
ip nat inside source static udp 192.168.1.250 53 10.0.0.1 53 extendable
ip nat inside source static tcp 192.168.1.250 80 10.0.0.1 80 extendable
ip nat inside source static tcp 192.168.1.250 53 8.8.8.8 53 extendable
ip nat inside source static udp 192.168.1.250 53 8.8.8.8 53 extendable

The example above will allow in DNS (both TCP and UDP for handling of transfer and EDNS) on both your Internet and WACAN NAT interfaces, but will only allow HTTP (Port 80) on your WACAN interface.

Since you now have two NAT interfaces, you will need to specify the IP address of the respective interface you want to allow NAT through.

I have not had to set this up with a dynamic IP address, so I cannot advise on how that will be handled.
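As an added example (not code from this guide, and nothing from Cisco), the following Python script parses the route-map, access-list and "ip nat inside source" lines in the form shown in the NAT setup and port mapping sections above. It answers which translation a given source address takes on a given egress interface, reports what each external address exposes through the static mappings, and flags inconsistencies such as a static mapping to an address that no "ip nat outside" interface actually holds. The embedded configuration is a constructed sample assembled from the guide's own snippets (placeholder addresses), and the parser understands only the line shapes used here.

```python
# Added audit helper for a route-map based multiple-NAT setup (constructed example,
# not the guide's or Cisco's code). Understands only the line shapes the guide uses.
import ipaddress
import re
from collections import defaultdict

# Constructed sample: the guide's snippets (placeholder addresses) joined together.
SAMPLE_CONFIG = """
interface GigabitEthernet0/0
 ip address 10.0.0.1 255.255.255.0
 ip nat outside
!
interface Dialer1
 ip address negotiated
 ip nat outside
!
route-map Internet permit 10
 match ip address 1
 match interface Dialer1
!
route-map WACAN permit 10
 match ip address 1
 match interface GigabitEthernet0/0
!
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source route-map Internet interface Dialer1 overload
ip nat inside source route-map WACAN interface GigabitEthernet0/0 overload
ip nat inside source static tcp 192.168.1.250 53 10.0.0.1 53 extendable
ip nat inside source static udp 192.168.1.250 53 10.0.0.1 53 extendable
ip nat inside source static tcp 192.168.1.250 80 10.0.0.1 80 extendable
ip nat inside source static tcp 192.168.1.250 53 8.8.8.8 53 extendable
ip nat inside source static udp 192.168.1.250 53 8.8.8.8 53 extendable
"""


def parse_config(text):
    """Collect interfaces, route-maps, standard numbered ACLs and NAT statements."""
    cfg = {"interfaces": {}, "route_maps": {}, "acls": defaultdict(list), "dynamic": [], "static": []}
    block = None  # (section dict, kind) while inside an indented interface/route-map block
    for line in text.splitlines():
        sub = line.strip()
        if not sub or sub == "!":
            block = None
            continue
        if line.startswith(" ") and block is not None:
            section, kind = block
            if kind == "interface" and sub in ("ip nat inside", "ip nat outside"):
                section["nat"] = sub.split()[-1]
            elif kind == "interface" and (m := re.match(r"ip address (\S+)", sub)):
                section["ip"] = m.group(1)  # "negotiated" when PPP assigns the address
            elif kind == "route-map" and (m := re.match(r"match ip address (\S+)", sub)):
                section["acl"] = m.group(1)
            elif kind == "route-map" and (m := re.match(r"match interface (\S+)", sub)):
                section["interface"] = m.group(1)
            continue
        block = None
        if (m := re.match(r"interface (\S+)$", sub)):
            block = (cfg["interfaces"].setdefault(m.group(1), {}), "interface")
        elif (m := re.match(r"route-map (\S+) permit \d+$", sub)):
            block = (cfg["route_maps"].setdefault(m.group(1), {}), "route-map")
        elif (m := re.match(r"access-list (\S+) permit (\S+)(?: (\S+))?$", sub)):
            # IOS wildcard bits are the inverse of a netmask; no mask means a single host.
            wild = int(ipaddress.IPv4Address(m.group(3) or "0.0.0.0"))
            mask = ipaddress.IPv4Address(~wild & 0xFFFFFFFF)
            cfg["acls"][m.group(1)].append(ipaddress.ip_network(f"{m.group(2)}/{mask}", strict=False))
        elif (m := re.match(r"ip nat inside source route-map (\S+) interface (\S+)", sub)):
            cfg["dynamic"].append({"route_map": m.group(1), "interface": m.group(2)})
        elif (m := re.match(r"ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)", sub)):
            proto, iip, iport, gip, gport = m.groups()
            cfg["static"].append({"proto": proto, "inside": f"{iip}:{iport}",
                                  "global_ip": gip, "global_port": int(gport)})
    return cfg


def select_translation(cfg, src_ip, egress_iface):
    """Name of the route-map whose dynamic NAT entry a packet from src_ip leaving via
    egress_iface would use, or None: the ACL must permit the source AND the routing
    lookup must have sent the packet out the route-map's matched interface."""
    src = ipaddress.ip_address(src_ip)
    for entry in cfg["dynamic"]:
        rm = cfg["route_maps"].get(entry["route_map"], {})
        nets = cfg["acls"].get(rm.get("acl"), [])
        if rm.get("interface") == egress_iface and any(src in n for n in nets):
            return entry["route_map"]
    return None


def exposure_report(cfg):
    """Per external address: sorted (proto, port, inside host:port) reachable via static NAT."""
    report = defaultdict(list)
    for s in cfg["static"]:
        report[s["global_ip"]].append((s["proto"], s["global_port"], s["inside"]))
    return {ip: sorted(rows) for ip, rows in report.items()}


def audit(cfg):
    """Consistency checks a reviewer would otherwise do by hand; returns finding strings."""
    findings = []
    outside = {n: i.get("ip") for n, i in cfg["interfaces"].items() if i.get("nat") == "outside"}
    for e in cfg["dynamic"]:
        rm = cfg["route_maps"].get(e["route_map"], {})
        if rm.get("acl") not in cfg["acls"]:
            findings.append(f"route-map {e['route_map']}: access-list {rm.get('acl')} has no entries")
        if e["interface"] not in outside:
            findings.append(f"{e['interface']} carries NAT but is not 'ip nat outside'")
    for gip in sorted({s["global_ip"] for s in cfg["static"]}):
        if gip not in outside.values():
            dyn = [n for n, ip in outside.items() if ip == "negotiated"]
            hint = f" (only {', '.join(dyn)} could hold it, and that address is negotiated)" if dyn else ""
            findings.append(f"static mapping to {gip} matches no 'ip nat outside' address{hint}")
    return findings
```

Run on the sample, select_translation returns "Internet" for an inside host leaving via Dialer1 and "WACAN" via GigabitEthernet0/0, exposure_report shows DNS on both external addresses but port 80 only on 10.0.0.1, and audit raises exactly one finding: the static mappings to 8.8.8.8 cannot be tied to a configured outside address because Dialer1's address is negotiated, which is the dynamic-IP case the guide says it does not cover.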

VLAN interface devices


Background


This part is for Cisco devices that have an internal switch in them, and thus have a specific interface for VLANs. An example of this would be a Cisco 1801, which has a routable FastEthernet port, an ADSL over POTS (Plain Old Telephone System) port and an 8-port FastEthernet switch all in the one housing.

On a device such as this, because it has only two routable interfaces (as opposed to three in the example above: GigabitEthernet0/0, GigabitEthernet0/1 and Dialer1), there is a virtual interface called VLAN1. This interface is what would be configured instead of GigabitEthernet0/1.

VLAN Interface setup


An example of the internal interface configuration above, adapted for an 1801:

interface vlan1
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
! speed and duplex are not accepted on a VLAN (SVI) interface; they belong on the
! physical switch ports, so the two lines from the GigabitEthernet example are omitted.