This guide covers setting up NAT on a Cisco router that has multiple externally facing (outside) interfaces.
The information here uses an example of two routable interfaces, one Dialer and one Gigabit Ethernet, but it can be applied to any number of routable interfaces, including virtualised ones.
Make sure to back up your configuration before making any changes.
- All IP addresses and user-specific information have been changed for privacy and security.
- This guide also assumes that the device has only routable interfaces.
- For help with devices such as the 1801 -> 1812 and 87*/88* series, see VLAN interface devices at the bottom of this post.
- The example is IPv4 only.
- This guide assumes that all routes are already set, so it does not include them.
When the node revenant was first being set up as an active node, it was run off a shared Cisco 2821 that was already serving a dedicated ADSL connection through an HWIC-1ADSL add-on card. This required the router to handle NAT on two outside interfaces.
After much poking around it was made to work, so this guide covers what your configuration needs for NAT on multiple outside interfaces.
This guide assumes that you have multiple routable interfaces (i.e. 2x GE plus an HWIC-1ADSL, as in the example below) and that the following options are already set:
ip nat enable
ip route enable
Gigabit Ethernet Interface
This is an example of the external interface set-up for the Gigabit Ethernet.
NOTE: This does NOT mean it won't work on other devices; it just depends on your IOS version supporting what you want to do.
interface GigabitEthernet0/0
 description Facing WAN
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 no ip unreachables
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 no mop enabled
!
This is an example of the external Dialler interface.
NOTE: Cisco uses American English (Dialer, not Dialler), so don't get caught out!
interface Dialer1
 description ADSL2+ Dialer Interface
 ip address negotiated
 no ip redirects
 no ip proxy-arp
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 ntp disable
 ppp authentication chap pap callin
 ppp chap hostname XXXX
 ppp chap password 7 XXXX
 ppp pap sent-username XXXX password 7 XXXX
 no cdp enable
 hold-queue 200 in
 hold-queue 200 out
!
Internal Gigabit Ethernet
This is an example of the internal interface set-up for the Gigabit Ethernet.
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
 duplex auto
 speed auto
!
This is where the tricky(ish) part is: we define the multiple NATs and their respective interfaces using route-maps, and we also specify which addresses may use them.
route-map Internet permit 10
 match ip address 1
 match interface Dialer1
!
route-map WACAN permit 10
 match ip address 1
 match interface GigabitEthernet0/0
!
In the above we specify the name of the route-map and which IP address list and interface it relates to. So the breakdown of the WACAN entry is: the allowed IP addresses are in access-list number 1, and the interface it relates to is GigabitEthernet0/0.
This is where we define the NAT statements that actually translate the traffic, tying each route-map to its outside interface.
ip nat inside source route-map Internet interface Dialer1 overload
ip nat inside source route-map WACAN interface GigabitEthernet0/0 overload
The above shows that traffic matching the WACAN route-map is translated to the address of GigabitEthernet0/0; overload means many internal hosts share that one address (PAT).
This specifies the allowed IP addresses. This is where you put your own internal IP address range (e.g. 192.168.1.0/24).
access-list 1 permit 192.168.1.0 0.0.0.255
The example above defines a /24 range (0.0.0.255 is a wildcard mask, not a subnet mask).
Examples of port mapping
Since this setup also changes how port mapping is done, here are some examples of how to map ports through your new multiple NAT setup.
ip nat inside source static tcp 192.168.1.250 53 10.0.0.1 53 extendable
ip nat inside source static udp 192.168.1.250 53 10.0.0.1 53 extendable
ip nat inside source static tcp 192.168.1.250 80 10.0.0.1 80 extendable
ip nat inside source static tcp 192.168.1.250 53 126.96.36.199 53 extendable
ip nat inside source static udp 192.168.1.250 53 188.8.131.52 53 extendable
The example above allows DNS in (both TCP and UDP, to handle zone transfers and EDNS) on both your Internet and WACAN NAT interfaces, but only allows HTTP (port 80) on your WACAN interface.
Since you now have two NAT interfaces, each static mapping must specify the IP address of the interface you want to allow NAT through.
I have not had to set this up with a dynamic IP address, so I cannot advise on how that will be handled.
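The cross-references in this set-up (route-map to access-list and outside interface, NAT rule to route-map, static mapping to outside address) are where multi-NAT configurations usually go wrong, and IOS does not cross-check them for you. The following Python script is an added example, not part of the original guide or of any Cisco tooling: it parses running-config text of the kind shown in this guide and reports the mismatches. The sample config embedded in it is constructed from the guide's own placeholder addresses, and the function names (parse_config, check_nat_config) are my own.

```python
"""Cross-check a Cisco IOS NAT configuration that has several outside interfaces.
Added example, not part of the original guide: parses running-config snippets
like the ones above and reports the cross-reference mistakes that break them."""
import re

# Constructed sample assembled from the guide's snippets (the guide's own
# placeholder addresses, not real ones).
SAMPLE_CONFIG = """
interface GigabitEthernet0/0
 ip address 10.0.0.1 255.255.255.0
 ip nat outside
!
interface Dialer1
 ip address negotiated
 ip nat outside
!
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
access-list 1 permit 192.168.1.0 0.0.0.255
route-map Internet permit 10
 match ip address 1
 match interface Dialer1
route-map WACAN permit 10
 match ip address 1
 match interface GigabitEthernet0/0
ip nat inside source route-map Internet interface Dialer1 overload
ip nat inside source route-map WACAN interface GigabitEthernet0/0 overload
ip nat inside source static tcp 192.168.1.250 80 10.0.0.1 80 extendable
ip nat inside source static tcp 192.168.1.250 53 126.96.36.199 53 extendable
"""


def parse_config(text):
    """Return (interfaces, acls, route_maps, nat_rules) from IOS config text."""
    interfaces, acls, route_maps, nat_rules = {}, set(), {}, []
    section = None  # ("if", name) or ("rm", name) while inside an indented block
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            section = None
            continue
        if raw.startswith(" ") and section:  # sub-command of the open block
            kind, name = section
            if kind == "if":
                if m := re.match(r"ip address (\S+)", line):
                    interfaces[name]["ip"] = m.group(1)  # dotted quad or 'negotiated'
                elif line in ("ip nat inside", "ip nat outside"):
                    interfaces[name]["nat"] = line.split()[-1]
            elif m := re.match(r"match ip address (\S+)", line):
                route_maps[name]["acl"] = m.group(1)
            elif m := re.match(r"match interface (\S+)", line):
                route_maps[name]["interface"] = m.group(1)
            continue
        section = None  # any non-indented line closes the previous block
        if m := re.match(r"interface (\S+)", line):
            section = ("if", m.group(1))
            interfaces.setdefault(m.group(1), {"ip": None, "nat": None})
        elif m := re.match(r"route-map (\S+) (?:permit|deny) \d+", line):
            section = ("rm", m.group(1))
            route_maps.setdefault(m.group(1), {"acl": None, "interface": None})
        elif m := re.match(r"access-list (\d+) ", line):
            acls.add(m.group(1))
        elif line.startswith("ip nat inside source"):
            nat_rules.append(line)
    return interfaces, acls, route_maps, nat_rules


def check_nat_config(text):
    """Return a list of problems; an empty list means the NAT pieces fit together."""
    interfaces, acls, route_maps, nat_rules = parse_config(text)
    problems = []
    outside = {n for n, i in interfaces.items() if i["nat"] == "outside"}
    if not any(i["nat"] == "inside" for i in interfaces.values()):
        problems.append("no interface is marked 'ip nat inside'")
    for name, rm in route_maps.items():
        if rm["acl"] not in acls:
            problems.append(f"route-map {name}: access-list {rm['acl']} is not defined")
        if rm["interface"] not in outside:
            problems.append(f"route-map {name}: {rm['interface']} is not an 'ip nat outside' interface")
    # A static mapping can only be published on a fixed outside address; an
    # interface whose address is 'negotiated' never matches a literal IP here.
    outside_addrs = {interfaces[n]["ip"] for n in outside}
    for rule in nat_rules:
        if m := re.match(r"ip nat inside source route-map (\S+) interface (\S+) overload", rule):
            rm_name, ifname = m.groups()
            if rm_name not in route_maps:
                problems.append(f"NAT rule references undefined route-map {rm_name}")
            elif route_maps[rm_name]["interface"] != ifname:
                problems.append(f"route-map {rm_name} matches {route_maps[rm_name]['interface']} but its NAT rule translates on {ifname}")
        elif m := re.match(r"ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)", rule):
            proto, local, lport, global_ip, gport = m.groups()
            if global_ip not in outside_addrs:
                problems.append(f"static {proto}/{gport} -> {local}:{lport}: {global_ip} is not the configured address of any 'ip nat outside' interface")
    return problems


if __name__ == "__main__":
    for problem in check_nat_config(SAMPLE_CONFIG) or ["no problems found"]:
        print(problem)
```

Run against the sample, the script reports only the DNS mapping on 126.96.36.199, because no outside interface is configured with that address: the Dialer's address is negotiated, which is exactly the dynamic-IP case this guide does not cover. The script only checks that the pieces agree on paper; on the router itself, show ip nat translations, show ip nat statistics and show route-map show what is actually in effect.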
VLAN interface devices
This part is for Cisco devices that have an internal switch and thus a specific interface for VLANs. An example is the Cisco 1801, which has a routable Fast Ethernet port, an ADSL over POTS (Plain Old Telephone Service) port and an 8-port Fast Ethernet switch all in the one housing.
On a device such as this, which has only two routable interfaces (as opposed to three in the example above: GigabitEthernet0/0, GigabitEthernet0/1 and Dialer1), there is a virtual interface called Vlan1. This interface is configured instead of GigabitEthernet0/1.
VLAN Interface setup
An example of the above information changed for use on an 1801:
interface vlan1
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
 ! duplex and speed are physical-port settings and are not accepted on a VLAN (SVI) interface
!